
  Vikas Jain, Director, Product Management


1 OAuth, OpenID, SAML: Making Sense of the Alphabet Soup for Cloud Identities
Vikas Jain, Director, Product Management, Application Security and Identity Products, Intel Corporation. Blog: blogs.intel.com/cloud-access-security

2 Agenda
- Cloud Identities
- SAML
- OAUTH
- OpenID
- Key Takeaways
- Intel/McAfee Products

3

4 Cloud Identity Alphabet Soup
SCIM, UMA, OAUTH, SAML, OpenID, JWT, Portable Contacts

5 Why were these Standards created?
- SAML. Driver: Enterprise User Federation. Adoption: widely adopted in Enterprises, weak adoption in consumers.
- OAUTH. Driver: API Authorization, allowing sharing of user data with the user's consent. Adoption: started for consumer use cases (Twitter, Facebook, etc.), moving into the Enterprise.
- OpenID. Driver: Consumer Authentication. Adoption: started for consumer use cases (Google, Yahoo, etc.), moving into the Enterprise.

6

7 SAML - Security Assertion Markup Language
Timeline: OASIS TC formed 2001; V1.0 2002; V1.1 2003; V2.0 2005.
Mature standard ... but carries the legacy of XML.

8 SAML Assertion (Portable Identity Container)
Describes user identity in XML format for exchange across domain boundaries.
- Subject: user identifier
- Attribute Statements: user attributes (XML)
- Authentication Statement: info about the authentication context

9 SAML Assertion Example
<ns2:Assertion ID="RbefeiCOM4ztlN2RHr9unkpQ" IssueInstant=" T13:59: :00" Version="2.0"
    xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
  <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ServerXYZ</ns2:Issuer>
  <ns2:Subject>
    <ns2:NameID Format="- - -">NameIdStatic</ns2:NameID>
    <ns2:SubjectConfirmation OptionalInformationHere>
      <ns2:SubjectConfirmationData OptionalInformationHere/>
    </ns2:SubjectConfirmation>
  </ns2:Subject>
  <ns2:Conditions NotBefore=" T13:58: :00" NotOnOrAfter=" T14:01: :00">
    <ns2:AudienceRestriction>OptionalInformationHere</ns2:AudienceRestriction>
  </ns2:Conditions>
  <ns2:AuthnStatement AuthnInstant=" T13:59: :00" SessionIndex="c+dWjVJ24DMVNNo1U/cr+hgfywg=PWUYaQ==" SessionNotOnOrAfter=" T14:01: :00">
    <ns2:AuthnContext> </ns2:AuthnContext>
  </ns2:AuthnStatement>
  <ns2:AttributeStatement>
    <ns2:Attribute Name="Attr1" NameFormat="urn:oasis:names:tc:SAML2.0:profiles:attributes:basic">
      <ns2:AttributeValue>Attr1value</ns2:AttributeValue>
    </ns2:Attribute>
  </ns2:AttributeStatement>
</ns2:Assertion>
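As an added example (not from the slides), a service-provider-side check in Python of the Conditions the assertion above carries: trusted Issuer, NotBefore/NotOnOrAfter window and AudienceRestriction, returning the Subject and Attribute statements only when all pass. The assertion, its ID, timestamps, audience URL and session index are constructed sample values; XML signature verification is assumed to have been done by a SAML library before this runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed assertion modelled on the slide's example; ID, timestamps,
# audience and session index are made-up sample values, not a real token.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2012-03-01T13:59:00Z">
  <saml:Issuer>ServerXYZ</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">NameIdStatic</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-03-01T13:58:00Z" NotOnOrAfter="2012-03-01T14:01:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test/acs</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2012-03-01T13:59:00Z" SessionIndex="constructed-session-1"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="Attr1"><saml:AttributeValue>Attr1value</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_time(value):
    # SAML timestamps are xs:dateTime in UTC, written with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuer, my_entity_id, now):
    """Check issuer, validity window and audience; return subject, attributes and
    session index, or raise ValueError. Signature verification (with a SAML
    library, on a hardened XML parser) must precede this; it is not shown here."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != trusted_issuer:
        raise ValueError("assertion not issued by the trusted IdP")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    # NotBefore is inclusive, NotOnOrAfter exclusive; no clock-skew allowance here.
    if now < saml_time(cond.get("NotBefore")) or now >= saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if my_entity_id not in audiences:
        raise ValueError("assertion was issued for a different audience")
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    authn = root.find("saml:AuthnStatement", SAML_NS)
    return {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
            "attributes": attrs,
            "session_index": None if authn is None else authn.get("SessionIndex")}
```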

10 SAML Protocols, Bindings, and Profiles
- Protocols: get assertions (request/response), e.g. AuthN request, Assertion query, etc.
- Bindings: map protocols to standard messaging, e.g. HTTP POST, HTTP Redirect, Artifact, etc.
- Profiles: use case flows that combine assertion, protocol and binding, and define how SAML assertions are used, e.g. Web SSO, Single Logout, WS-Security, etc.

11 SAML Use Case #1: Web Federated SSO for Cloud and Partner Apps
Parties (diagram): Browser; Identity Provider (IdP) with SAML Server and User Store; Service Provider (SP) with SAML Server, User Store and App. The browser authenticates at the IdP, which issues a SAML assertion; the SP verifies the identity.
- Login: users are redirected to the IdP for authentication. Uses the Web Browser SSO SAML Profile.
- Logout: logout from both the IdP and SP sessions. Uses the Single Logout SAML Profile.

12 SAML Use Case #2: Web Service Access Control
Parties (diagram): Web Service Consumer (Client App behind an XML Gateway, with User Store) and Web Service Provider (Web Service behind an XML Gateway, with User Store). The consumer gateway inserts a SAML token into the SOAP message (in the WS-Security header); the provider gateway verifies the SAML token.
- Authentication: the client app adds user info as a SAML token in the message. Uses the WS-Security SAML profile.
- Authorization: achieve fine-grained authorization at the web service by requiring clients to send additional attributes in the SAML token.

13 SAML Use Case #3: API Access Control
Parties (diagram): API Consumer (Client App behind an XML Gateway, with User Store) and API Provider (API behind an XML Gateway, with User Store). The consumer gateway inserts a SAML token (in an HTTP header); the provider gateway verifies the SAML token.
- Authentication: the client app adds user info as a SAML token in the HTTP Authorization header. No standard profile exists for this.
- Authorization: achieve fine-grained authorization at the API by requiring clients to send additional attributes in the SAML token.

14

15 OAUTH: Provides API Authorization
Timeline: 1.0 (2007); 1.0a (2009); 2.0 (2012, draft 26).
Before OAUTH, HTTP Basic was primarily used by API providers to authenticate clients using username/password. Scoped access wasn't possible.

16 OAUTH 2 Protocol Flow (Abstract version)
Parties: Client, User / Resource Owner, Authorization Server, Resource Server.
1. Authorization Request (Client to User / Resource Owner)
2. Authorization Grant (User / Resource Owner to Client)
3. Authorization Grant and Client Credentials (Client to Authorization Server)
4. Access Token (Authorization Server to Client)
5. Access Token (Client to Resource Server)
6. Resource (Resource Server to Client)
The access token allows the client to access the resource on behalf of the user.

17 What's new in OAUTH 2?
- Simplified Signatures: signature made optional, SSL made mandatory; no need for special parsing, encoding, and sorting of parameters
- More Flows: User-Agent Flow, Web Server Flow, Device Flow, Username and Password Flow, Client Credentials Flow, Assertion Flow
- Separation of Roles: Authorization Server (user authorization and issuing access tokens); Resource Server (handles API calls)
- Token Enhancements: short-lived access tokens and refresh tokens; bearer tokens

18 OAUTH 2 Flows
- User-Agent Flow: for clients running inside a user-agent that can't maintain state over time, e.g. JavaScript-based client apps
- Server-Side Flow: for clients that are part of a server-side web application, e.g. a Java/PHP client app
- Native App Flow (not part of the spec, but vendors are implementing it): for mobile and desktop apps. Same as the server-side flow with one exception: a special redirect_uri (=oob), e.g. a native mobile client app
- Client Credentials Flow: for clients using an application identity instead of the end user's identity to authenticate with the authorization server, e.g. app-to-app connectivity
- Assertion Flow: the client presents an assertion (such as SAML) to authenticate with the authorization server, e.g. the mobile app of a SaaS app authenticating the user with Enterprise credentials over SAML
- Device Flow: for clients running on limited devices, e.g. TVs and other SFF clients
- Username and Password Flow: the client sends the user's username/password to authenticate with the authorization server; the user trusts the client to maintain the security of its password, e.g. clients leveraging password managers
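As an added example (not from the slides), the abstract flow of slide 16 and the token enhancements of slide 17 modelled as a toy Python authorization server for the server-side flow: a one-time authorization code bound to the client's registered redirect_uri, exchanged together with the client credentials for a short-lived scoped bearer token plus a single-use refresh token, and a resource-server check that honours the token only while unexpired and only for the scope the API call needs. Client ids, secrets, redirect URIs, scopes and user names are constructed.

```python
import secrets
import time

class AuthorizationServer:
    """Toy OAuth 2 authorization server for the server-side (web server) flow."""

    def __init__(self, clients, access_ttl=300):
        self.clients = clients        # client_id -> {"secret": ..., "redirect_uri": ...} (constructed)
        self.access_ttl = access_ttl  # short-lived access tokens, renewed via refresh tokens
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, client_id, redirect_uri, scope, user):
        # Steps 1-2: the user has authenticated and consented at the AS; the client
        # receives a one-time grant bound to its registered redirect_uri.
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "scope": set(scope), "user": user}
        return code

    def token(self, client_id, client_secret, grant, now=None, refresh=False):
        # Steps 3-4: grant + client credentials (over TLS, no request signing) are
        # exchanged for a scoped bearer token. Codes and refresh tokens are single-use.
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        meta = (self.refresh if refresh else self.codes).pop(grant, None)
        if (client is None or meta is None or meta["client_id"] != client_id
                or not secrets.compare_digest(client["secret"], client_secret)):
            raise ValueError("invalid_grant")
        access, new_refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = {"scope": meta["scope"], "user": meta["user"], "exp": now + self.access_ttl}
        self.refresh[new_refresh] = {"client_id": client_id, "scope": meta["scope"], "user": meta["user"]}
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": new_refresh}

    def introspect(self, access_token, required_scope, now=None):
        # Steps 5-6, resource server side: honour the bearer token only while it is
        # unexpired and only for the scope the API call needs; return the user it acts for.
        now = time.time() if now is None else now
        meta = self.access.get(access_token)
        if meta is None or now >= meta["exp"] or required_scope not in meta["scope"]:
            return None
        return meta["user"]
```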

19 OAUTH Consumer Use Cases
- Social Login: with the user's consent, grant my app access to the user's FB/Twitter account; access is granted for a limited scope (posting status updates); post to FB/Twitter from my app; login to my app using FB login, achieved implicitly by the user authenticating to FB to request the access token
- Mobile Apps: native apps retrieve/post data over APIs; the APIs are protected using OAUTH

20 OAUTH Enterprise Use Case #1: Mobile App for Enterprise Apps
Mobile App accesses Enterprise App using OAUTH, authenticating the user (with the OAUTH AS) using Enterprise credentials.
Benefits:
- Enable mobile access for employees
- Authenticated by the Enterprise
- Enterprise user passwords not stored in mobile
Source: Sep 29, 2011, "Enterprise Use Cases for Open Identity: OpenID and OAuth", Gartner report by Bob Blakley

21 OAUTH Enterprise Use Case #2: Mobile App for SaaS Apps
Mobile App accesses SaaS App using OAUTH, authenticating the user (with the OAUTH AS) using a SAML assertion from the Enterprise.
Benefits:
- Enable employee access to the SaaS app via mobile
- Authenticated by the Enterprise
- Enterprise user passwords not stored in the mobile or SaaS app
Source: Sep 29, 2011, "Enterprise Use Cases for Open Identity: OpenID and OAuth", Gartner report by Bob Blakley

22 OAUTH Enterprise Use Case #3: Enterprise User accesses Partner REST app
Enterprise App accesses Partner REST App over OAUTH, authenticating the user (with the Partner OAUTH AS) using a SAML assertion from the Enterprise.
Benefits:
- Access data in the partner app under the user's identity
- Allows the Enterprise App to make API calls on the user's behalf
- Enterprise user passwords not shared with the Partner
Source: Sep 29, 2011, "Enterprise Use Cases for Open Identity: OpenID and OAuth", Gartner report by Bob Blakley

23 OAUTH Enterprise Use Case #4: Partner App accesses Enterprise REST app
Partner App accesses Enterprise REST App over OAUTH, authenticating itself (with the Partner OAUTH AS) using an application password.
Benefits:
- Enterprise exposes a REST interface to the partner
- Quick adoption: the Partner doesn't need to implement a SAML server
- Partner app authentication secrets not exposed
Source: Sep 29, 2011, "Enterprise Use Cases for Open Identity: OpenID and OAuth", Gartner report by Bob Blakley

24 OAUTH Enterprise Use Case #5: Temp Workers access Enterprise App using FB Login
Contract workers/affiliates access the Enterprise App, authenticating themselves using Facebook login (with the Facebook OAUTH AS) and an Enterprise OTP. Parties (diagram): Temp Worker; Enterprise AS & OTP; Enterprise Application.
Benefits:
- Enterprise doesn't have to manage temp identities
- OTP provides additional security
- Temp workers don't have to remember another password

25

26 OpenID: Provides Federated Login
Timeline: 1.1 (2006); 2.0 (2007); Connect 1.0 (2012, draft 10).
Originally developed to prevent anonymous users from posting spam to blog comment fields ... The user identifier is a URI that's unique across all users. Based on key-value pairs. Carries some similarities with SAML.

27 OpenID Connect Protocol Suite
Combines OAUTH 2 and OpenID 2 to make OpenID API friendly

28 OpenID Consumer Use Cases
- Social Login: login to my app using Google login
- User Registration: pull user attributes from the OpenID provider during the registration process

29 OpenID Enterprise Use Cases
- BYOI (Bring Your Own Identity): employees bring their own OpenID to access Enterprise Apps; one password to unlock Enterprise and personal apps
- Enterprise app access for partners & contractors: partner orgs don't need to stand up a SAML IdP; the Enterprise doesn't have to manage external identities
- Add multi-factor authN to OpenID: Enterprises can add an extra layer of OTP for enhanced security
OpenID has the potential to accelerate the BYOI (Bring Your Own Identity) movement into the Enterprise.

30 Key Takeaways: SAML, OAUTH, OpenID
- SAML. Built for: Enterprise Authentication. Use cases: sharing apps with partners.
- OAUTH. Built for: REST API Authorization. Use cases: building or consuming mobile / REST apps.
- OpenID. Built for: Authentication. Use cases: social login for consumer websites.

31

32 McAfee Cloud Security Platform
Diagram: Cloud Ecosystem (Partners, Cloud Vendors, Applications, Customers); Cloud Security Platform, delivered as SaaS or Appliance, with Unified Management, Policy and Reporting, ePO Integration; Services Gateway, Identity Manager, Web Authentication Modules; Security (Data Loss Prevention, Web Security, Global Threat Intelligence); Enterprise Mobile Users, Enterprise Users, Private Cloud Applications.
Speaker notes: Federation gateways like ECA 360 are used to initiate the standards-based SAML or OpenID protocol that securely transfers the user's identity. Prior to the SSO event the user's account may need to be provisioned to the SaaS provider's app. Additionally, federation commonly uses basic username and password to authenticate the user prior to SSO; now sensitive apps require stronger second-factor authentication prior to SSO to increase security. During Internet SSO, the user clicks on a link to go to another domain, the user is authenticated against his home ID store, and a SAML token is sent to the relying party that owns the destination app. When they receive this token they start a valid user session without requiring the user to re-authenticate. They are relying on the user's home identity provider domain to authenticate their access.

33 Intel Expressway Service Gateway – for REST APIs
- Security: FIPS Level 3 crypto; Common Criteria EAL4+; DoD STIG ready & PKI certified; HSM PKI key storage; Cavium crypto acceleration; form factors: software, virtual, and tamper resistant
- Protocol agnostic: REST, SOAP; XML, non-XML; HTTP, FTP, TCP
- Performance: 2x hard appliances; tie-in to chip roadmap; efficient XML parsing at machine level
- Flexible: simple visual environment, no programming/coding; routing, transform, validation, service call-outs, firewall rules

34 Intel Expressway Cloud Access 360 – for Cloud SSO
Enterprise to Cloud SSO: securing custom or SaaS apps, to the cloud and in the cloud (AD, SAML Apps, Enterprise). Combining Enterprise-class strong auth with SSO.
- Provision Access: provision/de-provision user accounts; AD integration; sync ID profiles; de-provision & orphan account reports
- Adaptive Strong Auth: selectively apply 2nd-factor OTP AuthN; variety of software AuthN methods & devices (mobile devices, SMS)
- Federate Windows/AD login to popular SaaS like Salesforce & Google Apps
- Secure SSO and Regulatory Compliance: rich audit trail of user login showing AuthN level
Available as McAfee Identity Manager.

35 Intel Cloud SSO - IAM-as-a-service
Diagram: My Apps; Enterprise Laptop; Account Provisioning; One Time Password; SSO Portal; iPad; Force.com Apps; Mobile Access; 100s of External SaaS Apps; Browser.
Speaker notes: IntelSSO.com is a multi-tenant offering hosted on Force.com with world-class support from Salesforce. A user can now login with a single credential to access custom Force.com apps or 100s of external SaaS apps like WebEx, SuccessFactors, SilkRoad. We go beyond just SSO to provide the same level of enterprise-class, compliant controls that administrators mandate across internal applications and identity systems today. We deliver a range of standards-based federation standards such as SAML, OAuth, and OpenID; we package full identity lifecycle management with account provisioning & deprovisioning; and as needed administrators can create policies to invoke strong authentication. For an existing Salesforce user or any user in general, it is a simple yet powerful service to enhance productivity, reduce costs and provide security controls for compliance. Let's see how it works.
- Delivers the same level of control as on-prem IAM
- Leverage Salesforce or enterprise accounts for SSO
- Trigger mobile & hardware-assisted authentication

36 Growing Influence on Identity Community
Visit: Tutorials, Demos, Thought Leadership Papers

