Transcript of the slide deck "Are you ready for OpenID Connect?" (schd.ws, 2017)
![Page 1: Are you ready for OpenID Connect? - schd.ws 2017... · About Tufin •Market Leader in Security Policy Orchestration –Established in 2005 –Main offices in Ramat-Gan and Boston](https://reader031.fdocuments.in/reader031/viewer/2022022500/5aa063847f8b9a62178e10fc/html5/thumbnails/1.jpg)
Are you ready for OpenID Connect?
Michael Furman
Security Architect
What will we see today?
• OpenID Connect Overview
• OpenID Connect Implementation
• Keycloak Overview
• Keycloak Advanced Features
About Me
• 20+ years in software engineering
• 10+ years in application security
• 3+ years Tufin Lead Security Architect
• www.linkedin.com/in/furmanmichael/
• I like to travel, read books and listen to music.
About Tufin
• Market Leader in Security Policy Orchestration
– Established in 2005
– Main offices in Ramat-Gan and Boston
• Used by over 2,000 enterprises, including 40 Fortune 100 companies
• We are constantly growing!
www.tufin.com/careers/
OpenID Connect Protocol
• Interoperable authentication protocol
• Based on OAuth 2.0 family of specifications
• Uses REST/JSON message flows
• Design goal is “making simple things simple and complicated things possible”
http://openid.net/connect/faq/
OpenID Connect Providers
• Google
https://developers.google.com/identity/protocols/OpenIDConnect#authenticatingtheuser
• Microsoft
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code
• Yahoo
https://developer.yahoo.com/oauth2/guide/openid_connect/
• PayPal
https://developer.paypal.com/docs/integration/direct/identity/log-in-with-paypal/
• SalesForce
https://developer.salesforce.com/page/Inside_OpenID_Connect_on_Force.com
OpenID Connect Components
• Identity Provider (IDP) - offers user authentication as a service
• Relying Party (RP) - outsources its user authentication function to an IDP
– Web site
– Application
OpenID Connect Components
(diagram: End User, Relying Party (RP), Identity Provider (IDP))
OpenID Connect Authentication Flow
Participants: End User, Relying Party (RP), Identity Provider (IDP)
1. End User requests a resource from the RP
2. Redirected to IDP
3. IDP provides a login page
4. User provides credentials
5. IDP authenticates the user
6. Redirected to RP with an ID token
7. RP accesses IDP to get user information (via REST API)
8. RP creates a user session and provides the resource
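The flow above, worked through end to end as an added Python example (not code from the original deck or from any IDP product): the RP builds the step-2 redirect carrying `state` and `nonce`, a stand-in IDP mints the step-6 ID token as an HS256-signed JWT using the client secret, and the RP verifies signature, issuer, audience, expiry and nonce before the step-8 session is created. The issuer URL, client_id, client secret, redirect URI and the user "alice" are constructed values; the example uses only the standard library, so it shows HS256 with a shared secret rather than RS256 with keys fetched from the IDP's JWKS endpoint, which is what most production RPs use.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed registration data for the example (not a real IDP or RP).
ISSUER = "https://idp.example.test"                        # assumed IDP issuer ("iss" claim)
CLIENT_ID = "demo-rp"                                      # assumed RP client_id ("aud" claim)
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"  # HS256 key shared at registration
REDIRECT_URI = "https://rp.example.test/callback"          # assumed RP callback URL


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(state: str, nonce: str) -> str:
    """Step 2: the RP redirects the browser to the IDP's authorization endpoint."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,   # ties the callback to this browser session (anti-CSRF)
        "nonce": nonce,   # must come back inside the ID token (anti-replay)
    }
    return ISSUER + "/protocol/openid-connect/auth?" + urlencode(params)


def idp_issue_id_token(subject: str, nonce: str, now: int, lifetime: int = 300) -> str:
    """Steps 5-6 from the IDP side: mint an HS256-signed ID token for this RP."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    signature = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def rp_validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Step 6 from the RP side: every check here must pass before step 8 creates a session."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the RP registered for; never let the token's own "alg" choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, (header_b64 + "." + claims_b64).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("token not intended for this RP")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def run_flow(now=None):
    """Walk the whole flow once; returns (validated claims, the step-2 redirect URL)."""
    now = int(time.time()) if now is None else now
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    redirect_url = build_authorization_request(state, nonce)  # step 2 (RP keeps state+nonce in its session)
    id_token = idp_issue_id_token("alice", nonce, now)         # steps 3-6 (IDP, after the user logged in)
    claims = rp_validate_id_token(id_token, nonce, now)        # step 6 (RP checks before step 8)
    return claims, redirect_url


if __name__ == "__main__":
    claims, url = run_flow()
    print("redirect:", url)
    print("session for", claims["sub"], "valid until", claims["exp"])
```

The RP side is where the security work is: the `state` must be compared against the value stored in the browser session when the callback arrives, and the `nonce` stored alongside it is what the ID-token check compares against; a token that fails any one check is discarded before any session exists.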
Is OpenID Connect similar to SAML2?
Diagram from http://docs.oasis-open.org/
SAML vs OpenID Connect
• Security Assertion Markup Language (SAML)
– XML-based protocol
– Older protocol: 2005 (SAML2)
– High rate of adoption
– Designed only for Web-based applications
• OpenID Connect
– JSON/REST based protocol
– Newer protocol: 2014
– Designed to support native apps and mobile applications
OpenID vs OpenID Connect
• OpenID 2.0
– Uses XML and a custom message signature scheme
– Difficult to create interoperable applications
• OpenID Connect
– Uses standard JSON Web Token (JWT) data structures
– Better interoperability
OAuth 2.0 vs OpenID Connect
• OAuth 2.0 is an authorization framework
– Provides message flows based on JSON and HTTP
https://oauth.net/articles/authentication/
• OpenID Connect is an authentication protocol
– Uses OAuth 2.0 flows and services
– (Identity, Authentication) + OAuth 2.0 = OpenID Connect
OpenID Connect Implementation
• Certified Relying Party (RP) Libraries
– Apache HTTPd server
– .NET NuGet Package
– Erlang
– JavaScript
– PHP
– Python
– …
http://openid.net/developers/certified/
OpenID Connect Implementation
• Certified Identity Provider (IDP) Libraries
– Gluu Server
– MITREid Connect
– Keycloak
– …
http://openid.net/developers/certified/
Keycloak
• Open source Identity and Access Management solution
http://www.keycloak.org/about.html
• Provides Single Sign-On (SSO)
• Red Hat SSO is based on Keycloak
https://access.redhat.com/solutions/1472293
Keycloak IDP
• Based on WildFly server
– Server Administration
– Clustering
• Supports custom look and feel (themes)
• Supports custom authentication (providers)
• Can authenticate users with external OpenID Connect or SAML 2.0 Identity Providers
Keycloak Relying Party (RP)
• Keycloak calls them adapters
• Out-of-the-box support includes
– Spring Boot
– Spring Security
– Node.js
– …
http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/java-adapters.html
Keycloak Brute Force Protection
What is a brute force attack?
“A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works”
https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
Keycloak Brute Force Protection
• Preventing automated attacks:
– Lock after 2 consecutive login failures
– that arrive less than 1 second apart (too quick for a human)
– Lock remains active for ~5 min
• Preventing manual attacks:
– Lock after 30 login failures
– within a sliding window of 12 hours
– Lock remains active for ~45 min
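The two lockout rules above, implemented as an added Python example (not Keycloak's own code): a per-user failure tracker that applies the quick-failure rule (2 consecutive failures less than 1 second apart, ~5 min lock) and the sliding-window rule (30 failures within 12 hours, ~45 min lock). Timestamps are passed in rather than read from the clock so the behaviour can be replayed deterministically; the user store and the `verify` callback are constructed for the demo.

```python
from collections import defaultdict, deque
from typing import Callable, Dict, Optional

# Thresholds from the slide (the same knobs Keycloak exposes per realm).
QUICK_FAILURES = 2            # automated attack: 2 consecutive failures ...
QUICK_GAP_S = 1.0             # ... less than 1 second apart
QUICK_LOCK_S = 5 * 60         # ... lock for ~5 min
MAX_FAILURES = 30             # manual attack: 30 failures ...
SLIDING_WINDOW_S = 12 * 3600  # ... within a sliding 12 hour window
LONG_LOCK_S = 45 * 60         # ... lock for ~45 min


class BruteForceProtection:
    """Per-user failure tracking. Time is injected, not read from the clock, so logic can be replayed."""

    def __init__(self) -> None:
        self._failures: Dict[str, deque] = defaultdict(deque)  # user -> failure timestamps in window
        self._locked_until: Dict[str, float] = {}               # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> Optional[str]:
        """Register a failed login. Returns the lock reason if this failure triggered a lock, else None."""
        fails = self._failures[user]
        fails.append(now)
        while fails and now - fails[0] > SLIDING_WINDOW_S:  # expire failures outside the 12h window
            fails.popleft()
        if len(fails) >= MAX_FAILURES:
            self._locked_until[user] = now + LONG_LOCK_S
            return "manual"
        if len(fails) >= QUICK_FAILURES and now - fails[-QUICK_FAILURES] < QUICK_GAP_S:
            self._locked_until[user] = now + QUICK_LOCK_S
            return "automated"
        return None

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)  # a successful login clears the failure history

    def attempt_login(self, user: str, password: str, now: float,
                      verify: Callable[[str, str], bool]) -> str:
        """Gate one login attempt: 'locked', 'ok' or 'failed'. Locked users are refused before any check."""
        if self.is_locked(user, now):
            return "locked"
        if verify(user, password):
            self.record_success(user)
            return "ok"
        return "locked" if self.record_failure(user, now) else "failed"


# Constructed user store for the demo (never store plaintext passwords in real code).
_USERS = {"alice": "correct horse battery staple"}


def demo_verify(user: str, password: str) -> bool:
    return _USERS.get(user) == password


if __name__ == "__main__":
    bfp = BruteForceProtection()
    for t, pw in [(0.0, "guess1"), (0.4, "guess2"), (0.8, _USERS["alice"])]:
        print(t, bfp.attempt_login("alice", pw, t, demo_verify))
    # prints: failed, locked, locked (the correct password is refused while the lock is active)
```

Note the asymmetry the slide implies: the quick rule reacts on the second failure, so a script that retries immediately locks itself out almost at once, while a human-paced attempt only trips the 30-in-12-hours rule. The lock is temporary in both cases, which limits the denial-of-service effect of someone deliberately failing logins for another user's account.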
Keycloak Password Policy
What is a password policy?
A Password Policy is the set of restrictions and/or requirements that a user must follow to ensure that their password is strong.
Keycloak Password Policy
Keycloak policy types include:
• Digits – minimum number of digits required
• Special Characters – minimum number of special characters required
• Expire Password – password expires after n days
• …
http://www.keycloak.org/docs/3.2/server_admin/topics/authentication/password-policies.html
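A small checker for the policy types above, as an added Python example (not Keycloak's code). It parses a policy string in the `name(value) and name(value)` shape that Keycloak's admin console displays (the exact format is assumed here) and reports which rules a candidate password violates; the digit, special-character and expiry rules match the slide, and the length, upperCase and lowerCase rules are added to show the same mechanism generalizes. Dates are passed as ISO strings so the expiry check is easy to replay.

```python
import re
import string
from datetime import datetime, timedelta
from typing import Dict, List

# Policy string shape assumed from Keycloak's admin console: "length(8) and digits(2) and ..."
_RULE_RE = re.compile(r"(\w+)\((\d+)\)")
_SPECIAL = set(string.punctuation)


def parse_policy(policy: str) -> Dict[str, int]:
    """'length(8) and digits(2)' -> {'length': 8, 'digits': 2}."""
    return {name: int(arg) for name, arg in _RULE_RE.findall(policy)}


def check_password(password: str, policy: Dict[str, int]) -> List[str]:
    """Return the rules the candidate password violates; an empty list means it is accepted."""
    counts = {
        "length": len(password),
        "digits": sum(c.isdigit() for c in password),
        "specialChars": sum(c in _SPECIAL for c in password),
        "upperCase": sum(c.isupper() for c in password),
        "lowerCase": sum(c.islower() for c in password),
    }
    violations = []
    for rule, minimum in policy.items():
        if rule in counts and counts[rule] < minimum:  # rules without a count (e.g. expiry) are not content rules
            violations.append(f"{rule}({minimum})")
    return violations


def password_expired(policy: Dict[str, int], last_changed_iso: str, now_iso: str) -> bool:
    """forceExpiredPasswordChange(n): the password must be changed once it is n days old."""
    days = policy.get("forceExpiredPasswordChange")
    if days is None:
        return False
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_changed_iso)
    return age >= timedelta(days=days)


if __name__ == "__main__":
    policy = parse_policy("length(8) and digits(2) and specialChars(1) and forceExpiredPasswordChange(90)")
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, policy) or "accepted")
    print("expired:", password_expired(policy, "2017-01-01", "2017-04-15"))
```

Reporting every violated rule at once, rather than stopping at the first, is what lets a login form show the user the complete list of requirements; the expiry rule is evaluated separately at login time, not when the password is set.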
Summary
• Enforce a strong authentication scheme
• Immediate support for advanced security features
– Brute force protection
– Password policy
• Leverage future IDP enhancements
Thank you!
• Contact me
– www.linkedin.com/in/furmanmichael/