Openstack identity protocols unconference

Published in: Technology
Slide 1: SAML, OAuth 2, and OpenID Connect Overview
David Waite, Ping Identity Corporation
Copyright ©2012 Ping Identity Corporation. All rights reserved.

Slide 2: CLAIMS-BASED AND FEDERATED IDENTITY

Slide 3: Claims-based Identity
• Primarily a Microsoft-pushed concept
  – Unfortunate, less attention outside MS shops
• Trusted-party message w/ user attributes
  – Alternative to directory lookup off account name
• Authentication is an external concern
  – vs each mechanism implemented in each app

Slide 4: Claims-based Identity
• Could support multiple trusted issuers
• Different levels of trust
  – Can this issuer assert for this user?
  – Can this issuer assert the user has this role?
• A local trusted party may serve as intermediary/multiplexer
  – The Security Token Service (STS) role

Slide 5: Claims-based Identity
• Policy decisions based on issuer, claims
  – vs group-based policy, local directory lookup
  – claims may map directly to policy decisions
• Local trusted issuer can centralize, push policy decisions in tokens

Slide 6: Federated Identity
• Making local decisions from remote trusted entities is distributed identity
• Since there is no global entity to trust, we call this “Federated Identity”
• In the consumer space, this is
  – Social logins
  – Windows Live ID
  – OpenID systems

Slide 7: Web SSO vs API SSO
• Web Browser SSO
  – cross-domain interactions
  – requires no browser extensions
  – query params or JavaScript form-post transport
  – form login, cookies for authentication
• API SSO
  – client logic to acquire tokens via authentication
  – cache/use tokens for API access

Slide 8: SECURITY ASSERTION MARKUP LANGUAGE (SAML)

Slide 9: SAML
• Security Assertion Markup Language
  – A.K.A. a format for Securely Asserting Identity Information
• Includes Web Single Sign-On (Web SSO)
• Pieces leveraged by WS-Federation, WS-Security, OAuth 2.0

Slide 10: Web SSO Problem
• How to talk about a user (entity)
• Between multiple security domains
• Where that entity has different identity representations in each domain
• Such that the entity can request resources
• And not have to re-authenticate

Slide 11: SAML Details
• SAML is an XML format
  – With XML schema
  – Integrity, confidentiality protection via xmlsec
  – Almost always signed, encrypted with X.509
  – Often self-issued X.509 certs
    • trust is established out-of-band
• Only a subset of features supported by majority of implementations

Slide 12: SAML Roles
• Identity Provider
  – Authenticates the user directly
  – Asserts identity to other services
• Service Provider
  – Requests, consumes identity to authenticate the user

Slide 13: SAML Anatomy
• SAML Assertion
  – describes the entity
• SAML Protocol
  – request/response messages
• SAML Binding
  – how messages are sent
• SAML Profile
  – bindings and profiles used for a use case

Slide 14: SAML Anatomy
• Interesting bits
  – SAML Assertion
    • token used by other specs
  – SAML Web Browser SSO Profile
    • describes how to send browsers cross domains to authenticate users

Slide 15: Subset of SAML in wide use
• Web Browser SSO
• Assertions
  – subject: unique identifier in system
    • email, DN, employee ID
  – attributes
    • personalization items like first/last name
    • groups, other information for policy decisions

Slide 16: SAML Limitations
• XML digital signatures are difficult
  – to implement
  – to reason about
• Majority of implementations only handle Web SSO
• Most API usage is WS-Security (SOAP)
  – OAuth 2.0 profile is in draft

Slide 17: OAUTH 2.0

Slide 18: OAuth 2.0
• Provides authorization for API access
  – 3rd party makes API calls on user’s behalf
  – Without asking for/caching user password
  – User can revoke client access individually
  – Changing password doesn’t break access

Slide 19: Existing Problem to Solve*
(slide body is a figure; no text captured)

Slide 20: OAuth 2.0 Fundamentals
• Four parties defined
  – The User
  – The Client application
  – A Protected Resource requiring authorization
  – An Authorization Service

Slide 21: OAuth 2.0 Fundamentals
• Access tokens
  – message to resource from AS about client
    • what they are allowed to do
    • who they represent
  – usually opaque to the client
  – validation of token is not part of core spec
    • local crypto check, or remote call
  – Requires secure transport (TLS)

Slide 22: OAuth 2.0 Fundamentals
• Scopes
  – Clients request scope of usage for token
    • API-specific strings or URIs
  – AS logic determines what scopes you get
    • internal policy
    • user consent
  – Good for pre-computing broad policy decisions

Slide 23: OAuth 2.0 Fundamentals
• Access token validation is often cached
• Access tokens expire
• Refresh token
  – given to client alongside access token
  – can be used to request new access token
  – usually what is revoked by user
  – only shared between client and AS

Slide 24: OAuth 2.0 Benefits
• Splits token acquisition from token usage
• Acquisition:
  POST /authsvc
  Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQK
  grant_type=password&username=jdoe&password=A3ddj3
• Usage:
  Authorization: Bearer YWNjZXNzdGtuCg==
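Slides 20 through 24 describe a model rather than code: an AS that decides scopes, opaque access tokens that expire, a refresh token shared only between client and AS, and acquisition kept separate from usage. The in-memory authorization server below is an added example that puts those pieces together (it is not Ping Identity's code); the client id, the user credential and the per-client scope policy are constructed values.

```python
import secrets
import time

# Constructed in-memory authorization server (AS): opaque access tokens, AS-decided
# scopes, expiry, refresh and revocation. Example code added here, not Ping's.
ACCESS_TTL = 3600                              # access tokens expire
USERS = {"jdoe": "A3ddj3"}                     # constructed sample credential
CLIENT_SCOPES = {"app1": {"read", "write"}}    # AS policy: scopes per client


class AuthorizationServer:
    def __init__(self):
        self.access = {}   # opaque access token -> sub, client, scope, exp
        self.refresh = {}  # opaque refresh token -> sub, client, scope

    def _issue(self, sub, client, scope):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = {"sub": sub, "client": client, "scope": scope,
                           "exp": time.time() + ACCESS_TTL}
        self.refresh[rt] = {"sub": sub, "client": client, "scope": scope}
        return {"access_token": at, "refresh_token": rt, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "scope": " ".join(sorted(scope))}

    def password_grant(self, client, username, password, requested):
        # grant_type=password: credentials are presented once; the client keeps tokens only.
        if USERS.get(username) != password:
            raise PermissionError("invalid_grant")
        # AS policy, not the client, decides which requested scopes are granted.
        granted = set(requested) & CLIENT_SCOPES.get(client, set())
        if not granted:
            raise PermissionError("invalid_scope")
        return self._issue(username, client, granted)

    def refresh_grant(self, client, refresh_token):
        # Refresh tokens are shared only between client and AS: bound to the issuing client.
        rec = self.refresh.get(refresh_token)
        if rec is None or rec["client"] != client:
            raise PermissionError("invalid_grant")
        return self._issue(rec["sub"], client, rec["scope"])

    def revoke(self, refresh_token):
        # User revocation targets the refresh token; the current access token just expires.
        self.refresh.pop(refresh_token, None)

    def validate(self, access_token, required_scope):
        # Resource-side check, here a local lookup (the core spec leaves the mechanism open).
        rec = self.access.get(access_token)
        if rec is None or rec["exp"] < time.time() or required_scope not in rec["scope"]:
            return None
        return {"sub": rec["sub"], "client": rec["client"], "scope": rec["scope"]}
```

The resource only ever sees the access token; the password from slide 24's acquisition request never leaves `password_grant`, and revoking the refresh token stops further acquisition without touching the password.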
Slide 25: Grant Types
• A few interesting grant_types:
  – username / password user auth
  – browser-based authentication and consent
    • returning temporary code to exchange for token
    • returning token directly to be consumed by code
  – client authentication w/o user
  – SAML (separate draft spec)
  – JWT (to discuss later)

Slide 26: OAuth 2.0 Concerns
• OAuth 2 is not a protocol, but a framework
• No profiles for interoperability
  – No mandatory-to-implement grant types
  – AS extends return value
• Token
  – Token might not be opaque to client
  – Resource → AS token validation
• Client → Resource token usage is solid

Slide 27: OAuth 2.0 Concerns
• OAuth 1 had message signing
  – for integrity protection
• Protect integrity/confidentiality with TLS

Slide 28: OAuth 2.0 Concerns
• But, OAuth 1 signing was
  – Request only
  – Only for URL-encoded requests (no XML, JSON)
  – No existing support, had to be implemented
  – Home-grown impls broke on API changes
  – X.509-based signing often unimplemented
  – Confidentiality still required TLS
• OAuth 2 has work toward MAC signing

Slide 29: OAuth 2.0 Concerns
• OAuth requires client registration
  – limits API usage to registered clients
    • except some username/password deployments
• Does not protect from malicious or phishing clients
  – but would support user authentication mechanisms which would support this

Slide 30: JSON WEB TOKEN (JWT)

Slide 31: JSON Web Token
• Abbreviated JWT, pronounced “Jot”
• Standard token format
  – containing JSON data
  – supporting integrity, confidentiality
• Overly broad/bad definition
  – “SAML Assertions in JSON instead of XML”

Slide 32: JWT Overview
• Fills in some missing pieces
  – What is a good OAuth access token format?
  – What “standard” attributes should I care about?
    • subject
    • “issued at” time
    • “not before”, “expiry” to provide validity window
    • “issuer”, “audience”
    • unique token identifier

Slide 33: JWT Features
• “Issuer” allows you to support multiple Authorization Servers
• Allow resources to consume token directly
  – without talking to AS
• OAuth 2 grant proposed to exchange remote JWT for local access token
  – federation

Slide 34: JWT Format
• Format is simple
  – URL-safe Base64-encoded data chunks, separated by dots
    • crypto object defining integrity/confidentiality checks
    • data object with some reserved keys
      – possibly encrypted
    • optionally, signature block

Slide 35: JWT Proposed Usage
• Eventual token form for APIs to support
  – network optimization
• Alternative to SAML for API access from other domains

Slide 36: OPENID CONNECT

Slide 37: OAuth 2.0 Caveat
• Not an authentication protocol on its own
  – Do not treat OAuth access tokens as
    • proof authentication was performed recently
    • proof the party giving you this token is the user
    • proof that this token is meant for your client
  – Generally, do not treat the token as a message to a client about the user

Slide 38: OpenID Connect
• Completely new protocol
• Extends AS with OpenID Provider role
• Adds Identity Token (id_token) for SSO
  – JSON Web Token
  – Message to client about user
• Adds UserInfo endpoint
• Adds hybrid flows
  – client is split between local and hosted pieces
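The JWT slides (32 and 34) list the format and reserved claims, and slides 37 and 38 explain why an id_token, unlike an access token, is a message to your client: the audience names the client it is for. The added example below (not from the deck) mints and verifies a compact JWT with an HMAC-SHA256 signature and applies the validity-window, issuer and audience checks; the issuer URL, client id and shared secret are assumed values, and the claim names follow the finished JWT spec rather than the 2012 drafts.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Example code added here (not from the deck): minimal JWT mint/verify with an
# HMAC-SHA256 signature, using the reserved claims the JWT slides list and the
# audience check that makes an id_token a message to *this* client.
# Claim names follow the final JWT spec; in 2012 they were still in draft.

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(secret, issuer, subject, audience, ttl=300, now=None):
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}  # crypto object: how to check integrity
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "nbf": now,
              "exp": now + ttl, "jti": uuid.uuid4().hex}  # data object, reserved keys
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)  # header.claims.signature

def verify_jwt(token, secret, trusted_issuers, my_client_id, now=None, leeway=30):
    """Return the claims if the token is valid for this client, else None."""
    now = time.time() if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header, claims, sig = json.loads(_unb64url(h64)), json.loads(_unb64url(c64)), _unb64url(s64)
    except ValueError:  # wrong part count, bad base64/UTF-8, or invalid JSON
        return None
    # The verifier pins the algorithm it accepts; the header is not trusted to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(claims, dict):
        return None
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    # Validity window from nbf/exp, allowing a little clock skew.
    if claims.get("nbf", 0) - leeway > now or claims.get("exp", 0) + leeway < now:
        return None
    # iss: one resource can trust several authorization servers.
    # aud: the token must be addressed to this client, not merely be a valid token.
    if claims.get("iss") not in trusted_issuers or claims.get("aud") != my_client_id:
        return None
    return claims
```

A token that passes signature and window checks but carries another client's `aud` is still rejected, which is exactly the property slide 37 says a plain OAuth access token does not give you.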
Slide 39: OpenID Connect
• Adds Dynamic Registration of clients
• Adds Discovery of OpenID Provider metadata on domain
  – via /.well-known/
