Delivering Identity at Internet Scale
Transcript of Delivering Identity at Internet Scale
Slide 1
© 2016 ForgeRock. All rights reserved.
Delivering Identity at Internet Scale
Andy Hall
Slide 2
Session Contents
• Identity Services
• Why Internet Scale
• How scale creates problems
• Approaches to address the issues
Slide 3
Identity Services
• Authentication
[Diagram: Identity service in front of App1, App2, App3]
Slide 4
Identity Services
• Authentication
• SSO
[Diagram: Identity service in front of App1, App2, App3]
Slide 5
Identity Services
• Authentication
• SSO
• Federated Identity
[Diagram: two Identity domains, each in front of its own App1, App2, App3]
Slide 6
Identity Services
• Authentication
• SSO
• Federated Identity
• Authorization
[Diagram: two Identity domains, each in front of its own App1, App2, App3]
Slide 7
Identity Services
• Authentication
• SSO
• Federated Identity
• Authorization
• Self-service
[Diagram: two Identity domains, each in front of its own App1, App2, App3]
Slide 8
Internet Scale
Mobile devices: 7.5 billion
IoT devices: 4.9 billion
Analysts predict rapid growth
Identity will be at the center
Estimated 4 connected devices per person by 2020 (source: Strategy Analytics)
Slide 9
So what’s the problem?
Slide 10
Internet Scale
• Scale
• Elasticity
• Geographically dispersed
• Consistency
• Security
[Diagram: Internet, Elastic Load Balancer]
Slide 11
Session Management
• Cluster load balancing
• Failover storage
• Session held in server memory
• Session persisted for failover
[Diagram: Stateful deployment]
Slide 12
Microservices and OAuth2/OIDC
• Distributed OAuth architecture
• Datacenters in geographically separate locations
• Client can obtain a token from any server
• Client must be able to validate the token on any server
[Diagram: three Identity instances (Ireland AWS, Germany AWS, Germany on-prem) serving microservices]
Slide 13
So what’s the solution?
Slide 14
Session Management: Stateful
• Cluster load balancing
• Failover storage
• Session held in server memory
• Session persisted for failover
[Diagram: Stateful deployment]
Slide 15
Session Management: Stateless
• Simplified load balancing
• No failover storage required
• No in-memory session
• Session stored in the client
[Diagram: Stateless deployment]
Slide 16
How do Stateless Sessions Work?
• Uses JSON Web Token (JWT)
• Session is signed
  • HMAC shared secret
• Session can be encrypted
  • RSA 256
[Diagram: Comparison of Stateful and Stateless]
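As an added example (not from the talk or from OpenAM's code): a stateless session carried as an HS256-signed JWT, minted on one server and validated on any other node that holds the same shared secret, with no server-side lookup. The secret, claim names and timestamps are constructed for the demo; the validator pins the algorithm, compares the signature in constant time and rejects expired or malformed tokens.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-shared-secret"  # constructed; real deployments share a high-entropy key across servers


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_session(claims, secret, ttl, now=None):
    """Serialise the session state as a JWT signed with HMAC-SHA256 (HS256)."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url_encode(json.dumps({**claims, "iat": now, "exp": now + ttl}, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_session(token, secret, now=None):
    """Return the claims if signature and expiry check out, else None.
    Any node holding the shared secret can do this without contacting the issuer."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        alg = json.loads(b64url_decode(header)).get("alg")
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        # Algorithm is pinned server-side (the token never chooses it); signature compared in constant time.
        if alg != "HS256" or not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None  # expired, or expiry missing
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token: bad split, bad base64, bad JSON, wrong JSON shape
    return claims
```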
Slide 17
Example: Stateful vs Stateless
Stateful communication: global replication
Stateless communication: no replication
Slide 18
Demo
Slide 19
Deployment Characteristics

| Stateful Sessions | Stateless Sessions |
|---|---|
| Memory: stored in server memory | CPU: decrypt / verify signature |
| Session persists in database | Session persists in client |
| Vertical scalability | Horizontal scalability |
| Load balancer: sticky | Load balancer: round robin |
Slide 20
Performance Comparison
Test setup: Stateful
• 2 OpenAM servers
• 2 OpenDJ servers
• Standard failover
• External load balancer
Test setup: Stateless
• 2 OpenAM servers
• No failover
• Session signing
• External load balancer
Dell PowerEdge R620
Slide 21
Performance Test Objective
Session management performance comparison
• Sustained duration
• 5,000 concurrent users
• Login, validate, logout
• Basic stateless
  • Signing
  • No blacklist
Gatling (http://gatling.io)
Slide 22
Performance Graphs
Stateful sessions: 3,000 logins/second
Stateless sessions: 5,000 logins/second
Slide 23
Performance Analysis
Expectations:
• Stateful faster, sessions in memory
• Stateless processing time slower
Actual result:
• Processing a stateless session is quick
• The stateful code path is the obvious factor
[Diagram: Comparison of path through code base]
Slide 24
Microservices
Slide 25
Microservices and OAuth2/OIDC
• Distributed OAuth architecture
• Datacenters in geographically separate locations
• Client can obtain a token from any server
• Client must be able to validate the token on any server
[Diagram: three Identity instances (Ireland AWS, Germany AWS, Germany on-prem) serving microservices]
Slide 26
Stateless OAuth2/OIDC
• Use an OIDC token
• Embed extra claims in the OIDC token
• New token validation endpoint: /idtokeninfo
  • Validates the token
  • Returns the claims as JSON
[Diagram: three Identity instances (Ireland AWS, Germany AWS, Germany on-prem) serving microservices]
Slide 27
However…
Slide 28
Session Logout
• Purpose of logging out:
  • Reduce the time window to exploit a session (stolen or CSRF)
  • Remove cookies from the client
  • Destroy/invalidate session state
• But how, if the state is on the client?
Slide 29
Approaches
• Blacklist
  • On logout, add the session to the blacklist
  • Only store unexpired sessions on the blacklist
  • Requires some state on the server
  • Needs to be checked on every request
  • Needs to be replicated
• Blacklist cache
• Bloom filters
Slide 30
Bloom Filters!
• Exciting data structure of the decade!
• Represent very large sets using only a few bits per element
• Probabilistic answers to "is x in the set":
  • Definitely not, or
  • Maybe (with some probability of false positives)
Slide 31
[Diagram only]
Slide 32
Usage
• To check if a session has been logged out:
  • Check the Bloom filter first: if the answer is "no" then the session is definitely still valid
  • Otherwise, delegate to the blacklist to check for sure
• Can still cache the (much smaller) set of requests to the blacklist: BF -> LRU -> Blacklist
Slide 33
Tuning
• Bloom filters never produce false negatives, but can produce false positives
• Can tune the probability of false positives to any desired probability!
• Two parameters to tweak:
  • Size of the BitSet (# bits per element)
  • Number of hash functions
Slide 34
False Positive Probability
Given a maximum number of items to insert, n, and a maximum false positive probability, p, we can compute the optimal size of the bit set (m) and the number of hash functions (k):
NB: lots of independence assumptions!
Slide 35
Example
To allow 10,000 elements with a 1% (expected) chance of false positives:
Slide 36
Examples

| # blacklisted sessions | Size (1% FPP) | Size (0.1% FPP) | Size (0.01% FPP) |
|---|---|---|---|
| 10,000 | 11.7 kB | 17.6 kB | 23.4 kB |
| 100,000 | 117 kB | 176 kB | 234 kB |
| 24,000,000 | 27.4 MB | 41.1 MB | 54.8 MB |
| 1,000,000,000 | 1.12 GB | 1.67 GB | 2.23 GB |
Slide 37
Scalable Bloom Filters
• Size of a BF scales linearly (for a given FPP) with the number of elements to store
• But what if we don't know how many elements are needed?
• Scalable Bloom filters:
  • Chain Bloom filters together
  • When one is saturated, create a new one
  • Always insert at the end; check all in the list for maybeContains
Slide 38
Scalable Bloom Filters
• Problem: the FPP for a chain of Bloom filters is (bounded by) the sum of the FPPs of each filter
• Solution: decrease the FPP for each successive filter by a geometric series:
  • e.g., with r = 1/2: P0 = P/2, P1 = P/4, P2 = P/8, …
• Also increase the size of each bucket by another geometric progression (e.g., doubling)
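Added example (not from the talk or from OpenAM): the sizing rule behind the False Positive Probability and Examples slides (m and k from n and p, reproducing the 11.7 kB figure for 10,000 sessions at 1%), a plain Bloom filter, the scalable chain from this slide with r = 1/2 and doubling buckets, and the "Bloom filter first, then blacklist" logout check from the Usage slide. The k indexes come from double hashing one SHA-256 digest, and the blacklist is a plain set standing in for the replicated store; both are assumptions of this example.

```python
import hashlib
import math


def bloom_params(n, p):
    """Optimal bit-set size m and hash count k for n items at false-positive rate p."""
    m = math.ceil(-n * math.log(p) / math.log(2) ** 2)
    k = max(1, round(m / n * math.log(2)))
    return m, k


class BloomFilter:
    """Fixed-size filter; the k indexes come from double hashing one SHA-256 digest (assumption)."""
    def __init__(self, n, p):
        self.n, self.p = n, p
        self.m, self.k = bloom_params(n, p)
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0
    def _indexes(self, item):
        d = hashlib.sha256(item.encode()).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]
    def add(self, item):
        for i in self._indexes(item):
            self.bits[i // 8] |= 1 << (i % 8)
        self.count += 1
    def maybe_contains(self, item):  # False is definitive; True means "maybe"
        return all(self.bits[i // 8] & (1 << (i % 8)) for i in self._indexes(item))


class ScalableBloomFilter:
    """Chain of filters: P0 = P*r, P1 = P*r^2, ... and each bucket is `growth` times larger."""
    def __init__(self, n0, p, r=0.5, growth=2):
        self.r, self.growth = r, growth
        self.filters = [BloomFilter(n0, p * r)]
    def add(self, item):
        last = self.filters[-1]
        if last.count >= last.n:  # saturated: chain a larger, stricter filter and insert there
            last = BloomFilter(last.n * self.growth, last.p * self.r)
            self.filters.append(last)
        last.add(item)
    def maybe_contains(self, item):  # must check every filter in the chain
        return any(f.maybe_contains(item) for f in self.filters)


def is_logged_out(session_id, bloom, blacklist):
    """Bloom filter first: a 'no' is definitive; a 'maybe' is confirmed against the real blacklist."""
    return bloom.maybe_contains(session_id) and session_id in blacklist
```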
Slide 39
Removing Expired Sessions
• Only need to blacklist sessions until they have expired
• Then remove them to reclaim space
• Counting Bloom filters: increment a counter instead of setting a single bit, so entries can be removed by decrementing (more complex, more space)
• Alternative: record the last expiry time of all elements in each bucket of the scalable BF
  • Destroy a bucket when all sessions inside it have expired
Slide 40
Summary
• Delivering Identity at Scale
  • Scale equates to a dynamic, elastic environment
  • Dynamism introduces consistency challenges
  • Consistency is required for security
  • Deviously difficult to do well
• Good news
  • Most of the challenges can be addressed with good Computer Science