5 © 2014 CA. ALL RIGHTS RESERVED.
Classic Centralized Control: Here Is The Traditional Approach For Providing Identity and Access Management (IAM)
Identity is managed centrally
• Formal and hierarchical
• Geared toward employees
[Diagram: enterprise network behind a firewall; an employee authenticates to IAM, which is backed by the directory and fronts the applications and data]
6 © 2014 CA. ALL RIGHTS RESERVED.
This Extends Naturally To SSO
Identity is still managed centrally
• Formal and hierarchical
• Administration of trust
[Diagram: enterprise network behind a firewall; the employee authenticates to the IdP/IAM, and a trust relationship carries that authentication to the applications and data]
7 © 2014 CA. ALL RIGHTS RESERVED.
Classic Federation
[Diagram: a principal on the enterprise internal network sends a message plus security token to a trading partner]
8 © 2014 CA. ALL RIGHTS RESERVED.
Pattern #1: SAML-based Federation
[Diagram: 1) the principal authenticates to the IdP and acquires a SAML token; 2) the principal sends the message plus SAML token to the service provider, which fronts the data]
Note that this demonstrates the SAML browser POST profile. The artifact profile is harder to do through corporate firewalls.
9 © 2014 CA. ALL RIGHTS RESERVED.
What Does It Mean To Have An Account?
[Diagram: an ID in the directory is tied to data and objects on the app server]
There is always something associated with an ID.
10 © 2014 CA. ALL RIGHTS RESERVED.
What We Really Have Is A Synchronization Problem
[Diagram: partner identities held by the trading partner must be kept in sync, across the firewall, with the objects in the enterprise directory]
11 © 2014 CA. ALL RIGHTS RESERVED.
High Administrative Burden
[Diagram: IdP and relying party, each with its own admin, principal and directory, joined by the trading-partner relationship]
Very centralized control:
• Lots of ceremony
• Hard to set up
• Hard to maintain
• Self-service is tricky and implementation specific
The Channel Explosion in Modern Business: Traditional IAM struggles to meet this challenge
No unified access model:
• For employees
• For contractors
• For partners
• For apps, devices & machines
• For ?
[Diagram: the enterprise network's applications and data are reached by partners, mobile devices, cloud, API/service clients and laptops]
Identity Is Approaching Critical Mass
Today ("People Have Identity"):
• Internet users: 2.4B
• Average number of online IDs: 26
• Average number of Facebook friends: 336
Things in 2020 ("Things Have Identity"):
• Phones, tablets and laptops: 7.3B
• Things: 26.0B
Sources: Internet users, Internet World Stats Q1 2012: http://www.internetworldstats.com/stats.htm; Internet accounts, Experian July 2012: http://www.bbc.com/news/technology-18866347; Facebook, Pew Research: http://www.pewresearch.org/fact-tank/2014/02/03/6-new-facts-about-facebook/
Conceptually Here Is What Happens
[Diagram: user Scott, Twitter, Facebook]
1. User posts new tweet
2. Twitter posts tweet to Facebook on user's behalf
A Bad First Attempt: Stored Passwords. This is the "password anti-pattern"
[Diagram: user Scott sends in his Facebook password; Twitter uses the Facebook password]
OK, So Let's Try SAML
[Diagram: Scott authenticates using his Twitter password; Twitter vouches that it authenticated Scott]
But There Are Problems…
[Diagram: user Scott, represented differently at Twitter and at Facebook]
• How can we associate these different representations of Scott?
• Where are the limits on what Twitter can do?
ID Token (From OpenID Connect)
Source: Tim Bray, Ongoing, https://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens
ID Token (cont.): It's Just A JSON Web Token (JWT)
{
  "issuer": "accounts.google.com",
  "issued_to": "407408718192.apps.googleusercontent.com",
  "audience": "407408718192.apps.googleusercontent.com",
  "user_id": "10315112535234507946",
  "expires_in": 3089,
  "issued_at": 1365099151,
  "email": "[email protected]",
  "email_verified": true
}
Source: Tim Bray, Ongoing, https://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens
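The decoded JSON above is what Google's tokeninfo service shows; inside the token itself the claims are named iss, aud, sub, iat and exp. The following is an added example, not code from the deck, showing what a client must do with an ID token before trusting it: check the signature, then the issuer, audience and expiry. It assumes an HS256 shared secret (constructed) in place of Google's RSA key so it runs with only the standard library; the issuer and client ID are the ones on the slide.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (not from the slide deck): an HS256 shared secret
# stands in for Google's RSA signing key so this runs with only the stdlib.
SECRET = b"example-shared-secret-do-not-reuse"
ISSUER = "accounts.google.com"
CLIENT_ID = "407408718192.apps.googleusercontent.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def mint_id_token(sub: str, email: str, now: int, aud: str = CLIENT_ID) -> str:
    """Build header.claims.signature, each segment base64url without padding."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": aud, "sub": sub, "email": email,
              "email_verified": True, "iat": now, "exp": now + 3600}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, now: int) -> dict:
    """Check the signature first, then iss/aud/exp; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":      # pin the algorithm; never honour alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:    # minted for some other client: reject it
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```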
Here's How 3-Legged OAuth Works
[Diagram: user Scott, the OAuth client (Twitter), and the OAuth authorization & resource servers (Facebook)]
1. Scott authenticates using his Twitter password
2. Scott authenticates using his Facebook password
3. Scott grants Twitter limited capabilities on
4. Twitter uses the code to acquire an access token to post tweets to
[Diagram labels: the code and the access token are shown as opaque values, 0A3DB28…]
Here's What It Looks Like When We're Done
[Diagram: Scott posts a tweet ("I'm in Las Vegas at Gartner AADI") to the OAuth client; the client sends the tweet plus the access token authorizing Twitter to post for Scott to the OAuth authorization & resource servers]
But OAuth Also Enables NASCAR-style Sign On
[Screenshot of a row of social login buttons, taken from sears.com]
Let's Call This Pattern #2: Social Sign-On
[Diagram: user, OAuth client, OAuth authorization server, data. 1) The user authenticates at the authorization server and gets a code; 2) the code is passed to the client; 3) the client validates the code and gets an access token]
This demonstrates grant_type=authorization_code.
Note the user never sees the access token; only the client sees it. The user's session must be managed using other means (e.g. a session cookie).
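The three steps above, as an added example that is not code from the deck: an in-memory authorization server that hands the user's browser a short-lived code, lets only the registered client redeem it (once, with its client secret and the same redirect URI), and issues the access token server-to-server so the user never handles it. The client registration, secret and redirect URI are constructed for the example.

```python
import hmac
import secrets

# Constructed registration data (not from the slide deck): the client
# "twitter-app" is registered with its secret and one allowed redirect URI.
CLIENTS = {"twitter-app": {"secret": "client-s3cret",
                           "redirect_uri": "https://client.example/cb"}}
CODE_TTL = 60  # seconds: authorization codes are short-lived and single-use


class AuthorizationServer:
    """Minimal authorization_code grant: issue a code, then exchange it for a token."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, user, scope, issued_at)
        self.tokens = {}   # access_token -> (user, scope); the user never sees these

    def authorize(self, client_id, redirect_uri, user, scope, now):
        """Step 1: the user has authenticated here and consented; hand back a code."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, user, scope, now)
        return code   # step 2: delivered to the client through the redirect

    def token(self, client_id, client_secret, code, redirect_uri, now):
        """Step 3: the client authenticates and redeems the code server-to-server."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        rec = self._codes.pop(code, None)   # pop: a code is redeemable exactly once
        if rec is None:
            raise ValueError("invalid or already used code")
        c_id, c_uri, user, scope, issued_at = rec
        if c_id != client_id or c_uri != redirect_uri:
            raise ValueError("code was issued to a different client or redirect")
        if now - issued_at > CODE_TTL:
            raise ValueError("code expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (user, scope)
        return {"access_token": access_token, "token_type": "Bearer", "scope": scope}

    def check(self, access_token, needed_scope):
        """Resource server side: does this token carry the scope the call needs?"""
        rec = self.tokens.get(access_token)
        return rec is not None and needed_scope in rec[1].split()
```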
This Is Actually A Profound Shift In Identity Management
[Diagram: The Old Enterprise vs. The New Hybrid Enterprise]
This is the secret to achieving scale and agile federation.
What Is Really Different Here?
• Integration with simple RESTful APIs
• Very loose coupling
• Very low ceremony
• Very loose relationships driven by the caller
  • Client to authorization server
  • User to client
This all adds up to a distribution of responsibility that scales with the number of users.
But We're Not Quite At Federation
• We have simple Single Sign-On
• But what about attributes?
<saml:AttributeStatement>
  <saml:Attribute FriendlyName="fooAttrib" Name="SFDC_USERNAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      [email protected]
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
From: http://login.salesforce.com/help/doc/en/sso_saml_assertion_examples.htm
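To show how a relying party actually gets at those in-band attributes, here is an added example (not from the deck or from Salesforce) that parses an AttributeStatement like the one above into a name-to-values map; the assertion wrapper, the email and the extra multi-valued Groups attribute are constructed. It deliberately handles only the attribute step and assumes the assertion's signature and conditions were verified beforehand.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from the slide deck): the Salesforce-style
# AttributeStatement from the slide, wrapped in an Assertion so it parses
# stand-alone, plus a multi-valued attribute to show the general case.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="fooAttrib" Name="SFDC_USERNAME"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
        scott@example.com
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {Name: [values]} from the assertion's AttributeStatement(s).

    Call this only after the XML signature and the Conditions/Audience have been
    verified; attribute extraction is the last step, not the first. For untrusted
    XML in production use defusedxml rather than the stdlib parser.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if not name:
            continue   # Name is mandatory in the schema; ignore malformed entries
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs
```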
This Is The Job Of OpenID Connect
[Diagram: on the user's behalf, the OAuth client calls the OpenID Connect UserInfo endpoint for a specific scope and receives a JSON-structured attribute list of claims, e.g. the user's email, first name, last name, etc.]
We're Almost There, But We Still Have A Registration Problem
[Diagram: client and authorization server; provisioning of new users, who may already exist at the authorization server]
This is obviously an enterprise problem, not an individual problem.
Remember our earlier point about what constitutes an "account".
This Is What SCIM Is For: An API For User Management
[Diagram: the enterprise administrator creates new users at the authorization server, which the client then relies on]
SCIM defines user/group schema and REST endpoints for CRUD.
SCIM stands for: System for Cross-domain Identity Management.
Each Approach Has Its Merits: Choose SAML or OAuth Based on Operational Goals
• SAML support is widespread
  • Dominant for enterprise SSO and federation
  • Strong in passive (browser) profiles
  • Less strong in active (classic SOAP or newer RESTful API) profiles
  • Lots of central administration and federation ceremony
• OAuth/OpenID Connect is growing very fast
  • OAuth owns RESTful APIs
  • The world is not just about browsers any longer; think about the rise of mobile apps
  • Fast to integrate, with no need to engage parties
  • Irresistible delegation model
  • Potential brand, regulatory, or organizational issues with social login
Summary
• SAML is not going away
  • Your existing investment is safe
  • It will continue to play a huge role in web-based federation
• But OAuth+OpenID Connect+SCIM is coming on very strong
  • Driven by the rise of APIs and mobile devices
  • Don't let anyone tell you OAuth is just another auth token scheme
  • It really represents a shift in power and authority

K. Scott Morrison, SVP & Distinguished Engineer
@KScottMorrison
slideshare.net/CAinc
linkedin.com/KScottMorrison
ca.com