OAuth, OpenID, SAML: Making Sense of the Alphabet Soup for Cloud Identities. Presented by Vikas Jain, Director, Product Management, Application Security.

Presentation transcript:

1 OAuth, OpenID, SAML: Making Sense of the Alphabet Soup for Cloud Identities. Presented by: Vikas Jain, Director, Product Management, Application Security and Identity Products, Intel Corporation. Blog: blogs.intel.com/cloud-access-security

2 Agenda: Cloud Identities; SAML; OAUTH; OpenID; Key Takeaways; Intel/McAfee Products

4 Cloud Identity Alphabet Soup

5 Why were these Standards created?
   SAML   - Purpose: Enterprise User Federation. Drivers: widely adopted in Enterprises, weak adoption among consumers.
   OAUTH  - Purpose: API Authorization (allow sharing of user data with the user's consent). Drivers: started for consumer use cases (Twitter, Facebook, etc.), moving into the Enterprise.
   OpenID - Purpose: Consumer Authentication. Drivers: started for consumer use cases (Google, Yahoo, etc.), moving into the Enterprise.

7 SAML - Security Assertion Markup Language. OASIS TC formed 2001; versions shown on a timeline. Mature standard ... but carries the legacy of XML.

8 SAML Assertion (Portable Identity Container): describes user identity in XML format for exchange across domain boundaries. It carries:
   - Subject: the user identifier
   - Attribute Statements: user attributes
   - Authentication Statement: information about the authentication context
   - ... (further statements)

9 SAML Assertion Example (XML on the slide; only the element values survived: ServerXYZ, NameIdStatic, OptionalInformationHere, Attr1value)
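The following is an added example, not code from the presentation: it parses a SAML 2.0 assertion into the building blocks of slide 8 (subject, attribute statement, authentication statement) and applies the Conditions checks that a Service Provider, or the XML gateway "verifying the SAML token" in the later use cases, performs before trusting it. The assertion is constructed for illustration and only reuses the values visible on slide 9 (ServerXYZ, NameIdStatic, Attr1value); the audience URL is an assumed placeholder, and signature verification is assumed to have happened first.

```python
# Added example (not from the presentation): parse a SAML 2.0 assertion and
# apply the checks a Service Provider or XML gateway performs before trusting
# it. The assertion below is constructed and only reuses the slide-9 values
# (ServerXYZ, NameIdStatic, Attr1value); the audience URL is an assumed
# placeholder. XML-DSig verification must precede these checks and is out of scope.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not the XML shown on the slide.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2012-05-01T12:00:00Z">
  <saml:Issuer>ServerXYZ</saml:Issuer>
  <saml:Subject>
    <saml:NameID>NameIdStatic</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-05-01T12:00:00Z" NotOnOrAfter="2012-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2012-05-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="Attr1">
      <saml:AttributeValue>Attr1value</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_utc(stamp):
    """Parse a SAML UTC timestamp such as 2012-05-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract subject, attributes, authentication context and the Conditions to enforce."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attributes[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "authn_context": root.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
            namespaces=SAML_NS),
        "attributes": attributes,
        "not_before": parse_utc(cond.get("NotBefore")),
        "not_on_or_after": parse_utc(cond.get("NotOnOrAfter")),
        "audiences": [a.text for a in cond.findall(
            "saml:AudienceRestriction/saml:Audience", SAML_NS)],
    }


def validate_assertion(parsed, expected_issuer, expected_audience, now):
    """Return the list of failed checks; an empty list means the assertion is acceptable."""
    problems = []
    if parsed["issuer"] != expected_issuer:
        problems.append("issuer mismatch")
    if expected_audience not in parsed["audiences"]:
        problems.append("audience mismatch")   # minted for a different Service Provider
    if now < parsed["not_before"]:
        problems.append("not yet valid")
    if now >= parsed["not_on_or_after"]:
        problems.append("expired")             # NotOnOrAfter is an exclusive bound
    return problems


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(parsed["name_id"], parsed["attributes"], parsed["authn_context"])
    print(validate_assertion(parsed, "ServerXYZ", "https://sp.example.com/saml",
                             parse_utc("2012-05-01T12:01:00Z")))
```

The audience check is the one most often skipped in home-grown verifiers: without it, a valid assertion issued for one Service Provider can be replayed against another one that trusts the same IdP.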

10 SAML Protocols, Bindings, and Profiles
   - Protocols: get assertions (request/response). Examples: AuthN request, Single Logout, Assertion query, etc.
   - Bindings: map protocols to standard messaging. Examples: HTTP POST, HTTP Redirect, Artifact, etc.
   - Profiles: use case flows (a combination of assertion, protocol and binding) that define how SAML assertions are used. Examples: Web SSO, Single Logout, WS-Security, etc.

11 SAML Use Case #1: Web Federated SSO for Cloud and Partner Apps
   Actors: Browser; Identity Provider (IdP) with SAML Server and User Store; Service Provider (SP) with SAML Server and App. The IdP authenticates the user; the SP verifies the identity carried in SAML.
   - Login: users are redirected to the IdP for authentication. Uses the Web Browser SSO SAML profile.
   - Logout: logout from both the IdP and SP sessions. Uses the Single Logout SAML profile.

12 SAML Use Case #2: Web Service Access Control
   Actors: Web Service Consumer (Client App, XML Gateway that inserts the SAML token); Web Service Provider (XML Gateway that verifies the SAML token against the User Store, Web Service). The SAML token travels in the WS-Security header of the SOAP message.
   - Authentication: the client app adds user info as a SAML token in the message. Uses the WS-Security SAML profile.
   - Authorization: achieve fine-grained authorization at the web service by requiring clients to send additional attributes in the SAML token.

13 SAML Use Case #3: API Access Control
   Actors: API Consumer (Client App, XML Gateway that inserts the SAML token); API Provider (XML Gateway that verifies the SAML token against the User Store, API). The SAML token travels in an HTTP header.
   - Authentication: the client app adds user info as a SAML token in the HTTP Authorization header. No standard profile exists.
   - Authorization: achieve fine-grained authorization at the API by requiring clients to send additional attributes in the SAML token.

15 OAUTH (draft 26): Provides API Authorization. Before OAUTH, HTTP Basic was primarily used by API providers to authenticate clients using username/password; scoped access wasn't possible.

16 OAUTH 2 Protocol Flow (abstract version)
   Roles: Client; User / Resource Owner; Authorization Server; Resource Server.
   1. Authorization Request (client to resource owner)
   2. Authorization Grant (resource owner to client)
   3. Authorization Grant and Client Credentials (client to authorization server)
   4. Access Token (authorization server to client)
   5. Access Token (client to resource server)
   6. Resource (resource server to client)
   The access token allows the client to access the resource on behalf of the user.

17 What's new in OAUTH 2?
   - Simplified Signatures: signature made optional, SSL made mandatory; no need for special parsing, encoding, and sorting of parameters.
   - More Flows: User-Agent Flow, Web Server Flow, Device Flow, Username and Password Flow, Client Credentials Flow, Assertion Flow.
   - Separation of Roles: Authorization Server (user authorization and issuing access tokens); Resource Server (handles API calls).
   - Token Enhancements: short-lived access tokens and refresh tokens; bearer tokens.

18 OAUTH 2 Flows
   - User-Agent Flow: for clients running inside a user-agent that can't maintain state over time, e.g. JavaScript-based client apps.
   - Server-Side Flow: for clients that are part of a server-side web application, e.g. a Java/PHP client app.
   - Native App Flow (not part of the spec, but vendors implement it): for mobile and desktop apps. Same as the server-side flow with one exception: a special redirect_uri (=oob), e.g. a native mobile client app.
   - Client Credentials Flow: for clients using an application identity instead of an end-user identity to authenticate with the authorization server, e.g. app-to-app connectivity.
   - Assertion Flow: the client presents an assertion (such as SAML) to authenticate with the authorization server, e.g. the mobile app of a SaaS app authenticating the user with Enterprise credentials over SAML.
   - Device Flow: for clients running on limited devices, e.g. TVs and other SFF clients.
   - Username and Password Flow: the client sends the user's username/password to authenticate with the authorization server; the user trusts the client to maintain the security of their password, e.g. clients leveraging password managers.
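As an added example (not the presenter's code), the abstract flow of slide 16 in its server-side form from slide 18, with the slide 17 features modelled explicitly: a separate Authorization Server and Resource Server, single-use authorization codes, short-lived bearer access tokens, refresh tokens, and a scope check at the API. Everything runs in one process so the exchange can be traced end to end; the client id, secret, redirect URI, scopes and path are made up.

```python
# Added example (not the presenter's code): in-process model of the OAuth 2
# abstract flow (slide 16) as the server-side / authorization-code flow
# (slide 18) with the slide 17 token features. All client ids, secrets,
# scopes and paths are made up for the example.
import hmac
import secrets


class AuthorizationServer:
    """Authorizes the user and issues tokens (slide 17: Authorization Server role)."""

    def __init__(self, access_ttl=300, code_ttl=60):
        self.clients = {}    # client_id -> {"secret", "redirect_uri"}
        self.codes = {}      # authorization code -> grant details (single use)
        self.access = {}     # access token -> {"user", "scope", "expires"}
        self.refresh = {}    # refresh token -> {"client_id", "user", "scope"}
        self.access_ttl, self.code_ttl = access_ttl, code_ttl

    def register_client(self, client_id, secret, redirect_uri):
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, scope, user, now):
        """Steps 1-2: resource owner consents; the client receives a grant (a code)."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "user": user, "scope": scope,
                            "redirect_uri": redirect_uri, "expires": now + self.code_ttl}
        return code

    def _check_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")

    def token(self, client_id, client_secret, code, redirect_uri, now):
        """Steps 3-4: grant + client credentials in, access token (+ refresh token) out."""
        self._check_client(client_id, client_secret)
        grant = self.codes.pop(code, None)          # a code can be redeemed once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or now > grant["expires"]):
            raise PermissionError("invalid_grant")
        return self._issue(client_id, grant["user"], grant["scope"], now)

    def refresh_access(self, client_id, client_secret, refresh_token, now):
        """Trade a refresh token for a new short-lived access token; the refresh token rotates."""
        self._check_client(client_id, client_secret)
        entry = self.refresh.pop(refresh_token, None)
        if entry is None or entry["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        return self._issue(client_id, entry["user"], entry["scope"], now)

    def _issue(self, client_id, user, scope, now):
        access_token, refresh_token = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access_token] = {"user": user, "scope": scope, "expires": now + self.access_ttl}
        self.refresh[refresh_token] = {"client_id": client_id, "user": user, "scope": scope}
        return {"access_token": access_token, "token_type": "bearer",
                "expires_in": self.access_ttl, "refresh_token": refresh_token, "scope": scope}

    def introspect(self, access_token, now):
        info = self.access.get(access_token)
        return None if info is None or now >= info["expires"] else info


class ResourceServer:
    """Handles the API calls (slide 17: Resource Server role)."""

    def __init__(self, authorization_server):
        self.auth = authorization_server

    def get(self, path, required_scope, authorization_header, now):
        """Steps 5-6: bearer token in the Authorization header, resource or error out."""
        if not authorization_header.startswith("Bearer "):
            return 401, "missing bearer token"
        info = self.auth.introspect(authorization_header[len("Bearer "):], now)
        if info is None:
            return 401, "invalid_token"           # unknown or expired token
        if required_scope not in info["scope"].split():
            return 403, "insufficient_scope"     # genuine token, but scoped too narrowly
        return 200, f"{path} for {info['user']}"


def run_flow(now=1000.0):
    """Walk the flow once and report the resource server's answer at each step."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    auth.register_client("mobile-app", "s3cret", "https://app.example.com/cb")
    code = auth.authorize("mobile-app", "https://app.example.com/cb", "read:status", "alice", now)
    tokens = auth.token("mobile-app", "s3cret", code, "https://app.example.com/cb", now)
    bearer = "Bearer " + tokens["access_token"]
    results = {"in_scope": api.get("/status", "read:status", bearer, now + 10)[0],
               "out_of_scope": api.get("/status", "write:status", bearer, now + 10)[0],
               "expired": api.get("/status", "read:status", bearer, now + 301)[0]}
    try:                                          # replaying the code must be refused
        auth.token("mobile-app", "s3cret", code, "https://app.example.com/cb", now)
        results["code_replay"] = "accepted"
    except PermissionError as exc:
        results["code_replay"] = str(exc)
    renewed = auth.refresh_access("mobile-app", "s3cret", tokens["refresh_token"], now + 301)
    results["after_refresh"] = api.get("/status", "read:status",
                                       "Bearer " + renewed["access_token"], now + 310)[0]
    return results


if __name__ == "__main__":
    print(run_flow())
```

The model keeps token state on the authorization server and lets the resource server ask it (introspection); a deployment that instead issues self-contained signed tokens moves the expiry and scope checks into the resource server, but the decisions stay the same: reject unknown or expired tokens with 401, and tokens lacking the required scope with 403.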

19 OAUTH Consumer Use Cases
   - Post to FB/Twitter from my App: with the user's consent, grant my app access to the user's FB/Twitter account; access is granted for a limited scope (posting status updates).
   - Social Login: login to my app using FB login; achieved implicitly by the user authenticating to FB to request an access token.
   - Mobile Apps: mobile native apps retrieve/post data over APIs; the APIs are protected using OAUTH.

20 OAUTH Enterprise Use Case #1: Mobile App for Enterprise Apps
   The Mobile App accesses the Enterprise App using OAUTH, authenticating the user (with the OAUTH AS) using Enterprise credentials.
   Benefits: enables mobile access for employees; authenticated by the Enterprise; Enterprise user passwords are not stored on the mobile device.
   Source: Sep 29, 2011, "Enterprise Use Cases for Open Identity: OpenID and OAuth", Gartner report by Bob Blakley

21 OAUTH Enterprise Use Case #2: Mobile App for SaaS Apps
   The Mobile App accesses the SaaS App using OAUTH, authenticating the user (with the OAUTH AS) using a SAML assertion from the Enterprise.
   Benefits: enables employee access to the SaaS app via mobile; authenticated by the Enterprise; Enterprise user passwords are not stored on the mobile device or in the SaaS App.
   Source: Sep 29, 2011, "Enterprise Use Cases for Open Identity: OpenID and OAuth", Gartner report by Bob Blakley

22 OAUTH Enterprise Use Case #3: Enterprise User accesses Partner REST app
   The Enterprise App accesses the Partner REST App over OAUTH, authenticating the user (with the Partner OAUTH AS) using a SAML assertion from the Enterprise.
   Benefits: access data in the partner app under the user's identity; allows the Enterprise App to make API calls on the user's behalf; Enterprise user passwords are not shared with the Partner.
   Source: Sep 29, 2011, "Enterprise Use Cases for Open Identity: OpenID and OAuth", Gartner report by Bob Blakley

23 OAUTH Enterprise Use Case #4: Partner App accesses Enterprise REST app
   The Partner App accesses the Enterprise REST App over OAUTH, authenticating itself (with the Partner OAUTH AS) using an application password.
   Benefits: the Enterprise exposes a REST interface to the partner; quick adoption, since the Partner doesn't need to implement a SAML server; partner app authentication secrets are not exposed.
   Source: Sep 29, 2011, "Enterprise Use Cases for Open Identity: OpenID and OAuth", Gartner report by Bob Blakley

24 OAUTH Enterprise Use Case #5: Temp Workers access Enterprise App using FB Login
   Contract workers/affiliates access the Enterprise App, authenticating themselves using Facebook login (with the Facebook OAUTH AS) and an Enterprise OTP.
   Actors: Temp Worker; Enterprise Application; Enterprise AS & OTP.
   Benefits: the Enterprise doesn't have to manage temp identities; OTP provides additional security; temp workers don't have to remember another password.

26 OpenID Connect (draft 10): Provides Federated Login. The user identifier used is a URI that's unique across all users. Based on key-value pairs. Carries some similarities with SAML. Originally developed to prevent anonymous users from posting spam to blog comment fields ...

27 OpenID Connect Protocol Suite: combines OAUTH 2 and OpenID 2 to make OpenID API friendly.

28 OpenID Consumer Use Cases
   - Social Login: login to my app using Google login.
   - User Registration: pull user attributes from the OpenID provider during the registration process.

29 OpenID Enterprise Use Cases
   - BYOI (Bring Your Own Identity): employees bring their own OpenID to access Enterprise apps; one password to unlock Enterprise and personal apps.
   - Enterprise app access for partners & contractors: partner orgs don't need to stand up a SAML IdP; the Enterprise doesn't have to manage external identities.
   - Add multi-factor authN to OpenID: Enterprises can add an extra layer of OTP for enhanced security.
   OpenID has the potential to accelerate the BYOI (Bring Your Own Identity) movement into the Enterprise.

30 Key Takeaways
   Protocol   Built for                    Use Cases
   SAML       Enterprise Authentication    Sharing an app with partners
   OAUTH      REST API Authorization       Building or consuming a mobile / REST app
   OpenID     Authentication               Social login for consumer websites
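The OpenID Connect side of the picture (slides 26 to 28), as an added example rather than code from the presentation: what "my app" must verify in the ID token a provider hands back after social login, and how the user identifier is read from it. HS256 (a shared client secret) is used so the example runs offline with the standard library; a public provider would normally sign with RS256 and the app would check against the provider's published keys instead. The issuer, client id, secret, nonce and claims are all made up.

```python
# Added example (not from the presentation): Relying Party checks on an
# OpenID Connect ID token. HS256 with the client secret keeps it stdlib-only;
# real providers mostly use RS256 with published JWK keys. Issuer, client id,
# secret, nonce and claim values are constructed for the example.
import base64
import hashlib
import hmac
import json


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, client_secret):
    """What the OpenID Provider does: sign header.payload with the shared client secret."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token, client_secret, issuer, client_id, nonce, now):
    """Relying Party checks; returns the (iss, sub) pair that uniquely identifies the user."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":         # pin the algorithm; never honour "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:         # ties the token to this app's login request
        raise ValueError("nonce mismatch")
    return claims["iss"], claims["sub"]     # "sub" is only unique within "iss"


# Constructed sample exchange (all values made up).
ISSUER, CLIENT_ID, CLIENT_SECRET = "https://op.example.com", "my-app", "client-secret-example"
NONCE = "n-0S6_WzA2Mj"
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
                 "exp": 1336000600, "iat": 1336000000, "nonce": NONCE,
                 "email": "user@example.com"}


def demo(now=1336000300):
    token = make_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)
    return validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, NONCE, now)


if __name__ == "__main__":
    print(demo())
```

The returned pair is what the app should key its user records on: the same "sub" value from a different issuer is a different person, which is why a URI-style issuer forms part of the identifier.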

32 McAfee Cloud Security Platform
   Users: Enterprise Users, Enterprise Mobile Users (Web Authentication); Private Cloud Applications.
   Cloud Security Platform (SaaS or appliance): Global Threat Intelligence; Services Gateway; Identity Manager; Web Security; Data Loss Prevention; Security Modules; Unified Management, Policy and Reporting; ePO Integration.
   Cloud Ecosystem: Partners, Cloud Vendors, Applications, Customers.

33 Intel Expressway Service Gateway - for REST APIs
   - Protocol Agnostic: REST, SOAP, XML, non-XML; HTTP, FTP, TCP.
   - Performance: 2x hard appliances; tie-in to chip roadmap; efficient XML parsing at machine level.
   - No Programming: simple visual environment.
   - Flexible: routing, transform, validation, service call-outs, firewall rules.
   - Security: FIPS Level 3 crypto; Common Criteria EAL4+; DoD STIG ready & PKI certified; HSM PKI key storage; Cavium crypto acceleration.
   - Form factors: software, virtual, and tamper resistant.

34 Intel Expressway Cloud Access 360 - for Cloud SSO (Enterprise to Cloud SSO; securing custom or SaaS apps; combining Enterprise-class strong auth with SSO; "to the cloud" from the Enterprise AD and "in the cloud" to SAML-enabled apps). Available as McAfee Identity Manager.
   - Provision Access: provision/de-provision user accounts; AD integration; sync Id profiles.
   - Secure SSO: federate Windows/AD log in to popular SaaS like Salesforce & Google Apps; adaptive strong auth: selectively apply 2nd factor OTP AuthN; variety of software AuthN methods & devices (mobile devices, SMS).
   - Regulatory Compliance: rich audit trail of user login showing AuthN level; de-provision & orphan account reports.

35 Intel Cloud SSO - IAM-as-a-service
   Browser SSO Portal ("My Apps") for mobile, laptop and iPad users; account provisioning; one-time password; access to Force.com apps and 100s of external SaaS apps.
   - Delivers the same level of control as on-prem IAM.
   - Leverage Salesforce or enterprise accounts for SSO.
   - Trigger mobile & hardware-assisted authentication.

36 Growing Influence on Identity Community. Visit: Tutorials; Demos; Thought Leadership Papers

