This document discusses best practices for cloud identity in a JavaEE enabled PaaS environment. It covers topics like user registration, identity management, authentication, authorization, identity providers, and API access. It also demonstrates an AeroGear TODO application deployed on OpenShift that implements some of these practices. Relevant standards like JSR 351 and work from OASIS on cloud identity and authorization are also mentioned.
1. Best Practices for Cloud Identity in JavaEE Enabled PaaS
Anil Saldhana
Red Hat Inc.
2. Agenda
• Introduction To Cloud Identity
– Concept of Identity and Trust
• JavaEE Enabled PaaS
– OpenShift
• What Identity Standard should I adopt?
– SAML, OpenID, OAuth, WS-Trust, Kerberos
– NIST 800-63 Levels of Assurance
3. Agenda
• Best Practices
– User Registration
– Identity Management
• Cloud Directories and Corporate Directories
– Authentication
– Authorization
– Mobile Devices
– Identity Providers
– API Access
10. OpenShift
• OpenShift by Red Hat is a polyglot PaaS
• Run Java, Ruby, Perl, Python, PHP and Node.js in the Cloud
• JavaEE Full Profile support via JBoss Application Server v7.x as well as JBoss Enterprise Application Platform.
• Free
12. Levels of Assurance
• NIST Special Publication 800-63
• Four Levels of Assurance
– Level 1:
• Little or no confidence in the asserted identity.
• OpenID, OAuth.
– Level 2:
• Some confidence in the asserted identity.
• Passwords and the SAML password authentication mechanism.
13. Levels of Assurance
• Four Levels of Assurance
– Level 3:
• High Confidence.
• Soft/Hard Crypto Tokens and OTP.
– Level 4:
• Very High Confidence.
• PKI and Smart Cards.
14. Which standard is relevant?
• Community Type Environment
– Forums, blogs, etc.
– Level 1 Assurance.
– Decentralized setup; Internet scale.
– OpenID and OAuth.
15. Which standard is relevant?
• Enterprise Type Environment
– Needs Level 2 assurance.
• SAML Assertions (password-based authentication)
– Needs Level 3 or 4 assurance of identity.
• SAML Assertions (PKI / X.509 certificates)
17. User Registration
• All security systems need users.
• Users can come from corporate identity stores or need to be dynamically registered.
• Dynamic Registration
– CAPTCHA technology.
• Password Strength Meters/Indicators.
• Important to understand Cloud Directories.
18. User Registration
• Password Management
– Salt and Hash each password
– Just hashing
• Susceptible to dictionary or brute force attacks.
– Password Reset
• Send single-use tokens with 15-minute validity to the user's email.
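The salt-and-hash and reset-token points above, as an added example that is not part of the original deck (written in Python rather than the JavaEE stack the talk targets; the PBKDF2 iteration count, the lifetimes and the ResetTokenStore class are assumptions):

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Added example (not from the slides): salted password hashing with PBKDF2 and
# 15-minute, single-use password-reset tokens. Iteration count is an assumption.
PBKDF2_ITERATIONS = 210_000
RESET_TOKEN_TTL = 15 * 60  # the slide's 15-minute validity, in seconds


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh per-user salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class ResetTokenStore:
    """Issues reset tokens for email delivery; stores only a hash of each token."""

    def __init__(self, now=time.time):  # `now` is injectable so expiry can be tested
        self._now = now
        self._tokens = {}  # sha256(token) -> (user, expiry)

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # this value goes into the emailed link
        key = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[key] = (user, self._now() + RESET_TOKEN_TTL)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user if the token is known and unexpired; consume it either way."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(key, None)  # pop: a token is single-use
        if entry is None:
            return None
        user, expiry = entry
        return user if self._now() <= expiry else None
```

Per-user salts stop a precomputed dictionary from being reused across accounts, while the PBKDF2 work factor is what slows brute force; storing only the hash of a reset token means a leaked token table cannot be replayed.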
19. Identity Management
• Directories of Users/Applications
– Cloud based.
– Corporate based.
– Hybrid (Both Cloud and Corporate).
• Syncing issues.
• Legal and Compliance Issues.
21. Authentication
• Classic Username/Password
• Two Factor Authentication
– Additional factor: one-time password.
• Kerberos Based Login for API
• External Authentication
– Sign in using Facebook, Twitter, Google, etc.
• Eliminates Password Management Headaches.
22. Authorization
• Coarse Grained Authorization
– Role Based Access Control.
• Fine Grained Authorization
– ACL, XACML
• OAuth Style Authorization.
23. Mobile Devices
• Device Registration
– UDID, SIM ID, Chip ID can all be identifiers for the same device.
• Mobile devices may need token based security.
24. Identity Providers
• Central Identity Provider for the entire PaaS system.
– Global directory service for all tenants.
• Identity Provider for the applications of a single tenant.
– Tenant deploys IDP application.
• Delegation from the PaaS Identity Provider to corporate Identity Providers.
– Salesforce to corporate identity services.
26. Cloud API Access
• Majority of Cloud Access may be via API
– 3rd party apps (Salesforce, Twitter, Facebook).
• Token based REST system
– OAuth2 is a good candidate.
• Various drafts and flavors in the industry.
– User has control over approval/revocation of access.
27. Cloud API Access
• OAuth2 Interactions
– Register Application with server
• Obtain Client Identifier and Client Secret
– Resource owner (User) authorizes application with server, for various scopes
• Obtain Authorization Code
28. Cloud API Access
• OAuth2 Interactions
– Application uses authorization code to obtain access token and refresh token
• Refresh token helps obtain new access token on expiry
– Application provides token to resource server
• Access to resource
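The OAuth2 interaction steps on the two slides above, as an added example that is not from the original deck: a toy in-memory authorization server (AuthorizationServer, CODE_TTL and ACCESS_TTL are assumed names and values) that registers a client, issues single-use authorization codes on user consent, exchanges them for access and refresh tokens, mints a new access token from the refresh token, and performs the resource server's token check.

```python
import secrets
import time

# Added example (not from the slides): in-memory model of the OAuth2 steps above.
# Stores: clients {id: secret}; codes {code: (cid, user, scopes, expiry)};
# access {token: (user, scopes, expiry)}; refresh {token: (cid, user, scopes)}.
CODE_TTL, ACCESS_TTL = 60, 3600  # assumed lifetimes in seconds

class AuthorizationServer:
    def __init__(self, now=time.time):  # `now` is injectable so expiry can be tested
        self._now, self.clients, self.codes, self.access, self.refresh = now, {}, {}, {}, {}

    def register_client(self):  # step 1: obtain client identifier and client secret
        cid, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[cid] = secret
        return cid, secret

    def _client_ok(self, cid, secret):  # constant-time check of the client secret
        return cid in self.clients and secrets.compare_digest(self.clients[cid], secret)

    def authorize(self, cid, user, scopes):  # step 2: resource owner consents -> code
        if cid not in self.clients:
            return None
        code = secrets.token_urlsafe(24)
        self.codes[code] = (cid, user, frozenset(scopes), self._now() + CODE_TTL)
        return code

    def _mint_access(self, user, scopes):
        token = secrets.token_urlsafe(32)
        self.access[token] = (user, scopes, self._now() + ACCESS_TTL)
        return token

    def exchange_code(self, cid, secret, code):  # step 3: code -> access + refresh token
        entry = self.codes.pop(code, None)  # pop: an authorization code is single-use
        if entry is None or entry[0] != cid or self._now() > entry[3] or not self._client_ok(cid, secret):
            return None
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = (cid, entry[1], entry[2])
        return self._mint_access(entry[1], entry[2]), rt

    def refresh_access(self, cid, secret, rt):  # new access token once the old one expires
        entry = self.refresh.get(rt)
        if entry is None or entry[0] != cid or not self._client_ok(cid, secret):
            return None
        return self._mint_access(entry[1], entry[2])

    def introspect(self, token, scope):  # step 4: resource server validates the token
        entry = self.access.get(token)
        ok = entry is not None and self._now() <= entry[2] and scope in entry[1]
        return entry[0] if ok else None  # the user on whose behalf the resource is served
```

The checks worth noting are the ones the slides imply but do not spell out: a code is consumed on first use even when the exchange fails, it is bound to the client that obtained it, and the resource server rejects an expired token or one lacking the requested scope.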
33. JSR 351
• Java Identity JSR
• http://jcp.org/en/jsr/detail?id=351
• http://java.net/projects/identity-api-spec/pages/Home
• Define API and identity interaction models for applications and in access control decisions.
34. OASIS IDCloud TC
• OASIS Identity In The Cloud TC
– Use Cases for Identity Management in the Cloud Ecosystem.
– http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html
– Gap Analysis in existing standards
35. OASIS Cloud Authorization TC
• OASIS Cloud Authorization TC
– Brand new TC at OASIS.
– Build Profiles for Cloud Authorization using XACML and OAuth.
• SaaS, PaaS and IaaS models.
– Build Profiles for Cloud Entitlements.
36. Resources
• OpenShift PaaS.
– http://openshift.com
• Project PicketLink
– http://jboss.org/picketlink
• My Blog
– http://anil-identity.blogspot.com