Copyright © Siemens AG 2008 All Rights Reserved
Identity 2.0 and User-Centric Identity
Dr. Oliver Pfaff, Siemens AG
ZKI AK Verzeichnisdienste, Berlin 2008-03-10
page 2 March 2008
Agenda
- Identity 2.0: What Is Changing and Why?
- Web Services: How Do They Change the Landscape?
- User-Centric Identity: How Does It Work?
- Example: eFA: How Does It Classify?
- Conclusions
Identity 2.0
Assets and Liabilities
[Diagram: two service authentication patterns; recoverable labels only]
Traditional approach: piggybacked
- The service itself runs the initial authn endpoint and initial authn protocol
  (Cert=MI…, PoP=SSLSign(SrvNonce)) and keeps the user account (id=John Doe,
  altSubjectId=MI…, cakePref=Streusel, …)
- It produces the authn subject (id=John Doe, cakePref=Streusel,
  authnMethod=SSL) that its own authz subsystem consumes
- Causes identity enclaves
- Mandates RPs to be IdPs
Federated approach: split work
- The initial authn endpoint/protocol and the user account stay with the party
  that produces the assertion
- The service consumes the assertion at a fed. authn endpoint via the federated
  authn protocol (Assertion=<id=John Doe, prefCake=Streusel>,
  PoP=WSSESign(SrvNonce)); attr mapping: prefCake ::= cakePref
Identity 2.0
Pattern Update Animated
[Diagram; recoverable labels only]
- Identity provider: user repository, initial authn (user), federation endpoint
- Resource provider: resources, authz, federation endpoint
- Labels on the links: federated authentication, identity federation, tight
  coupling
Identity 2.0
On the Evolution of Identity
[Diagram: three panels, each showing user data, app, authn, authz and resources;
recoverable labels only]
Perception of identity per panel:
- Panel 1: transient, authenticated subject data: local matter; persisted,
  unauthenticated user data: joint matter
- Panel 2: transient, authenticated subject data: joint matter; persisted,
  unauthenticated user data: local matter
- Panel 3: transient, authenticated subject data: n.a.; persisted,
  unauthenticated user data: n.a.
Web Services
Needs Shared With Web Applications
- Traditional Web application environments (HTTP/HTML) and Web services
  (HTTP/SOAP) share needs regarding Identity 2.0 support:
  - Express authenticated subject information and related meta-data
  - Support multiple concepts for identifier abstractions
  - Support arbitrary subject attributes (to decouple consumers from a need to
    perform look-ups)
  - Support a variety of authentication schemes (to obtain a statement on
    authenticated subject identity, to protect such statements and bind them to
    subjects)
- SAML assertions provide the best-practice approach to address these shared
  needs. They are used in Identity 2.0-enabling traditional Web application
  environments as well as Web services.
Web Services
Deviations from Web Applications
- The tricky part is the acquisition and exchange of SAML assertions:
  - How to tell that there is a need to present a SAML assertion
  - How to express expectations on SAML assertion issuer and contained
    information
- Traditional Web application environments and Web services differ
  significantly:
  - Web applications:
    - Tedious to design and realize the piggybacking of SAML assertions and
      their acquisition/exchange protocol with HTTP/HTML-based communications
    - Several approaches emerged over time:
      - First generation:
        - First wave (2001-2003): SAML 1.x, Shibboleth, Liberty-Alliance
        - Second wave (2004-2005): SAML 2.0, WS-Federation (for passive
          requestors)
      - Second generation (2006):
        - Microsoft CardSpace (for passive requestors), OpenID
  - Web services:
    - Simple to design and realize the piggybacking of SAML assertions and
      their acquisition/exchange protocol with HTTP/SOAP-based communications
Web Services
Architectural Abstractions
- The following standard Web services concepts and components support the
  Identity 2.0-enabling of Web services:
  - Request SAML assertions
    - Require e.g. a ProtectionToken in the WS-SecurityPolicy section of the
      WSDL. This also allows specifying the expected properties (attributes,
      claims) of the SAML assertions that need to be presented and the
      protection scheme for them (PoP)
    - There is no equivalent concept for traditional Web application
      environments (requires a specifically designed vocabulary transferred
      with HTTP messages)
  - Issue SAML assertions
    - Addressed by WS-Trust STSs as a dedicated service for SAML assertion
      issuance (notes: SAML assertions can also be issued by non-STSs; STSs can
      also issue non-SAML assertions)
    - There is no equivalent concept for traditional Web application
      environments
  - Transfer SAML assertions
    - Addressed by the SAML token profile in WSSE
    - There is no equivalent concept for traditional Web application
      environments (embedding of SAML assertions is outside HTTP headers)
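The "request" abstraction above, as an added example that is not code from the slides or from Siemens/eFA: it reads the sp:IssuedToken requirement (issuer, token type, proof-of-possession key type, claims) out of a WS-SecurityPolicy fragment of the kind a WSDL carries, then checks a presented assertion against it. The policy and the assertion summary are constructed; the namespace URIs are the published WS-Policy, WS-SecurityPolicy 1.2, WS-Trust 1.3, WS-Addressing and CardSpace claim-dialect URIs, while the STS address and the role claim URI are placeholders.

```python
"""Extract what a Web service demands of a SAML assertion from its
WS-SecurityPolicy, and check a presented assertion against that demand."""
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
}
SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
SYMMETRIC_KEY = NS["wst"] + "/SymmetricKey"
EMAIL_CLAIM = NS["ic"] + "/claims/emailaddress"
ROLE_CLAIM = "http://claims.example.invalid/role"  # placeholder claim URI

# Constructed policy: "present a SAML 2.0 assertion issued by this STS, carrying
# these claims, as the ProtectionToken with a symmetric proof-of-possession key".
POLICY_XML = f"""<wsp:Policy xmlns:wsp="{NS['wsp']}" xmlns:sp="{NS['sp']}"
    xmlns:wst="{NS['wst']}" xmlns:wsa="{NS['wsa']}" xmlns:ic="{NS['ic']}">
  <sp:SymmetricBinding>
    <wsp:Policy>
      <sp:ProtectionToken>
        <wsp:Policy>
          <sp:IssuedToken sp:IncludeToken="{NS['sp']}/IncludeToken/AlwaysToRecipient">
            <sp:Issuer><wsa:Address>https://sts.example.invalid/trust</wsa:Address></sp:Issuer>
            <sp:RequestSecurityTokenTemplate>
              <wst:TokenType>{SAML2}</wst:TokenType>
              <wst:KeyType>{SYMMETRIC_KEY}</wst:KeyType>
              <wst:Claims Dialect="{NS['ic']}">
                <ic:ClaimType Uri="{EMAIL_CLAIM}"/>
                <ic:ClaimType Uri="{ROLE_CLAIM}"/>
              </wst:Claims>
            </sp:RequestSecurityTokenTemplate>
            <wsp:Policy><sp:RequireInternalReference/></wsp:Policy>
          </sp:IssuedToken>
        </wsp:Policy>
      </sp:ProtectionToken>
      <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:SymmetricBinding>
</wsp:Policy>"""


def parse_issued_token_requirement(policy_xml: str) -> dict:
    """Return issuer, token type, PoP key type and required claim URIs."""
    root = ET.fromstring(policy_xml)
    protection = root.find(".//sp:ProtectionToken", NS)
    token = None if protection is None else protection.find(".//sp:IssuedToken", NS)
    if token is None:
        raise ValueError("policy does not demand an issued token as ProtectionToken")
    tmpl = token.find("sp:RequestSecurityTokenTemplate", NS)
    if tmpl is None:
        raise ValueError("IssuedToken without RequestSecurityTokenTemplate")
    return {
        "issuer": token.findtext("sp:Issuer/wsa:Address", namespaces=NS),
        "token_type": tmpl.findtext("wst:TokenType", namespaces=NS),
        "key_type": tmpl.findtext("wst:KeyType", namespaces=NS),
        "claims": [c.get("Uri") for c in tmpl.findall("wst:Claims/ic:ClaimType", NS)],
    }


def check_presented_assertion(requirement: dict, assertion: dict) -> list:
    """Reasons a presented assertion fails the policy; empty list means accepted.

    The assertion is summarised as a dict of what the RP knows after validating
    the assertion's XML signature: issuer, token type, holder-of-key or bearer,
    and the claims it carries."""
    problems = []
    if assertion.get("issuer") != requirement["issuer"]:
        problems.append("issuer differs from the STS named in the policy")
    if assertion.get("token_type") != requirement["token_type"]:
        problems.append("token type differs from the one required")
    if requirement["key_type"] == SYMMETRIC_KEY and not assertion.get("holder_of_key"):
        problems.append("bearer assertion where holder-of-key proof is required")
    missing = [u for u in requirement["claims"] if u not in assertion.get("claims", {})]
    if missing:
        problems.append("missing claims: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    req = parse_issued_token_requirement(POLICY_XML)
    # Constructed assertion summary, following the slides' John Doe example.
    presented = {
        "issuer": "https://sts.example.invalid/trust",
        "token_type": SAML2,
        "holder_of_key": True,
        "claims": {EMAIL_CLAIM: "john.doe@acme.example", ROLE_CLAIM: "Manager"},
    }
    print(req)
    print(check_presented_assertion(req, presented) or "assertion satisfies policy")
```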
User-Centric Identity
Types of Identity 2.0 Solutions
[Diagram; recoverable labels only. The three types are arranged along an arrow
labelled "facilitate user-centric identity"]
- Federated authentication (transparent to users). Examples: SAML Web-SSO,
  Shibboleth, Liberty-Alliance ID-FF, WS-Federation
- Identifier-based. Example: OpenID
- Information card-based. Example: CardSpace
User-Centric Identity
What Is OpenID?
- OpenID is a decentralized, open-source framework for user-centric digital
  identity
- Identity perception: transient, authenticated subject data
- Based on the following concept:
  - Users have network authentication services dedicated to them individually
    (e.g. johndoe.myopenid.com)
  - URLs of these authentication services serve to claim an identity (I am
    johndoe.myopenid.com)
  - Transfer of authenticated information from IdP to RP is subject to user
    approval
- More information: http://openid.net/
User-Centric Identity
Brief OpenID Assessment
- What's new: one thing is cool in OpenID:
  - OpenID introduces network authentication services that are dedicated to
    individuals
  - Lifts the joint identity perception from persisted, unauthenticated user
    data to transient, authenticated subject information
  - Provides means for individuals to control the sharing of personal
    information and the establishment of relationships with other parties at
    the authentication service
- What strikes: several things are over-simplified in OpenID:
  - From a structural perspective, OpenID resembles a SAML POST profile
    exchange, but OpenID replaces the structured data that traditional
    federation protocols express in XML by ad-hoc encodings directly
    transferred as keyword/string value pairs
  - Keying association establishment avoids PKI concepts and uses anonymous
    Diffie-Hellman for an ad-hoc association establishment. This exposes OpenID
    systems to impersonation and man-in-the-middle attacks.
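The keyword/string value-pair encoding and the RP-side checks it supports, as an added example that is not code from the slides or from any OpenID library: an OpenID 2.0 positive assertion is signed with an HMAC over the key-value form of the fields named in openid.signed, and a relying party checks that the mandatory fields are covered, that return_to is its own, that the nonce is fresh, and that the signature verifies under the association's MAC key. The MAC key, endpoint URLs and nonce are constructed; the check says nothing about how that key was established, which is the point of the last bullet above.

```python
"""OpenID 2.0 key-value form signing (OP side) and positive-assertion
verification (RP side), on a constructed association key and response."""
import base64
import hashlib
import hmac

DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}
# Fields OpenID 2.0 requires in openid.signed; claimed_id and identity must be
# signed as well whenever they appear in the response.
MANDATORY_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")


def kv_form(params: dict, keys: list) -> str:
    """Key-Value Form: one "key:value\\n" line per named field, in order,
    with the openid. prefix stripped from the key."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in keys)


def compute_sig(mac_key: bytes, params: dict, keys: list, assoc_type: str) -> str:
    mac = hmac.new(mac_key, kv_form(params, keys).encode("utf-8"), DIGESTS[assoc_type])
    return base64.b64encode(mac.digest()).decode("ascii")


def sign_response(mac_key: bytes, params: dict, keys: list, assoc_type: str) -> dict:
    """What the OP does: list the signed fields and attach the signature."""
    signed = dict(params)
    signed["openid.signed"] = ",".join(keys)
    signed["openid.sig"] = compute_sig(mac_key, signed, keys, assoc_type)
    return signed


def verify_positive_assertion(params: dict, mac_key: bytes, assoc_type: str,
                              expected_return_to: str, seen_nonces: set) -> list:
    """Return the list of problems; an empty list means the assertion is accepted
    and its nonce is recorded against replay."""
    problems = []
    if params.get("openid.mode") != "id_res":
        problems.append("not a positive assertion (openid.mode != id_res)")
    signed = [k for k in params.get("openid.signed", "").split(",") if k]
    missing = [k for k in MANDATORY_SIGNED if k not in signed]
    missing += [k for k in ("claimed_id", "identity")
                if "openid." + k in params and k not in signed]
    if missing:
        problems.append("unsigned mandatory fields: " + ", ".join(missing))
    if params.get("openid.return_to") != expected_return_to:
        problems.append("return_to does not match this RP")
    nonce = params.get("openid.response_nonce", "")
    if nonce in seen_nonces:
        problems.append("replayed response_nonce")
    if any("openid." + k not in params for k in signed):
        problems.append("openid.signed names a field the response lacks")
    else:
        expected = compute_sig(mac_key, params, signed, assoc_type)
        if not hmac.compare_digest(expected, params.get("openid.sig", "")):
            problems.append("signature does not verify under the association key")
    if not problems:
        seen_nonces.add(nonce)
    return problems


# Constructed sample: MAC key from a (not shown) association, response from the OP.
MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
SIGNED_KEYS = ["op_endpoint", "claimed_id", "identity", "return_to",
               "response_nonce", "assoc_handle"]
RETURN_TO = "https://rp.example.invalid/openid/return"
RESPONSE = sign_response(MAC_KEY, {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.invalid/server",
    "openid.claimed_id": "https://johndoe.op.example.invalid/",
    "openid.identity": "https://johndoe.op.example.invalid/",
    "openid.return_to": RETURN_TO,
    "openid.response_nonce": "2008-03-10T10:00:00ZAbCdEf",
    "openid.assoc_handle": "assoc-0001",
}, SIGNED_KEYS, "HMAC-SHA256")

if __name__ == "__main__":
    seen = set()
    print(kv_form(RESPONSE, SIGNED_KEYS))
    print(verify_positive_assertion(RESPONSE, MAC_KEY, "HMAC-SHA256", RETURN_TO, seen)
          or "assertion accepted")
```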
User-Centric Identity
What Is Windows CardSpace?
- CardSpace is a Microsoft client application helping users to manage and use
  their digital identities.
- Identity perception: transient, authenticated subject data
- Provides a part of novel user authentication and identity federation systems;
  represents their identity selector artifact.
- Is a milestone towards an identity metasystem:
  - An identity metasystem integrates islands of identity with their "local"
    identity technologies
  - Analogy: IP provides a communication metasystem for integrating islands of
    LANs with their "local" communication technologies.
- Allows arbitrary parties to become resource and identity providers
- Is standards-based
User-Centric Identity
Windows CardSpace: Fundamental to Differentiate
- Identity metadata: templates for identity data plus references to identity
  providers
  - E.g. authenticated subjects will be represented by RFC 822 name,
    organizational affiliation and role values; actual data can be obtained at
    these endpoints…
  - Consists of attributes without their values, e.g. name, affiliation, roles
  - Represented as long-lived objects called information cards in CardSpace
  - Sample: [XML document]
- Identity data: concrete information about authenticated subjects
  - E.g. this is 'John Doe', an employee of 'Acme' with the role 'manager'
  - Consists of attributes with their authenticated values, e.g.
    name=john.doe@acme.example, affiliation=Acme, roles=Manager
  - Represented as short-lived objects called security tokens in CardSpace
    (aka: transient, authenticated subject data)
  - Sample: [XML document]
User-Centric Identity
CardSpace High-Level Architecture
[Diagram; recoverable labels only]
Parties:
- Resource provider (consumes identity data): authz, resources
- Identity provider (produces identity data and identity metadata): initial
  authn, user data, WS-Trust STS
- User agent with identity selector (consumes identity metadata)
Flow:
0. Information card (identity metadata sharing)
1. Security policy
2. Information card selection
3. Security token
eFA
Project Characteristics
- A national project to introduce federation in accessing patients' MDOs
  - Organized according to medical cases
  - Across health providers
- Project goal: specify and pilot a solution architecture
- Project participants:
  - German hospitals (project owner, solution users) incl. Rhön Klinikum AG
  - Suppliers of IT solutions (technical realization) incl. Siemens Med
  - Fraunhofer ISST (specification lead)
- Piloting will be done between pairs of recognized hospitals which each have
  an industry partner for the technical realization.
- More information: www.fallakte.de
eFA
Architectural Approach (v0.16 WSDLs/XSDs)
[Diagram; recoverable labels only. Columns: Web service clients | Web services
(operations) | Data objects; three interceptors appear between clients and
services]
- ECRDocumentRepository client | ECRDocumentRepository (getInformationObject, …)
  | Actual MDOs
- ECRDocumentRegistry client | ECRDocumentRegistry (getInformationObjectList, …)
  | MDO folders
- ECRRecordRegistry client | ECRRecordRegistry (getFolderList, …) | ECRs
- ECRRecordRegistrySecurity client | ECRRecordRegistrySecurity (requestAccess, …)
  | Authz policies (DAC)
- ECRAdmissionTokenProvider client | ECRAdmissionTokenProvider
  (requestAdmissionTokenCollection, …) | Authz policies (RBAC)
- AttributeProvider STS client | AttributeService STS (getAttributes) | Attrs
  esp. role, memberOf
- IdentityProvider STS client | IdentityProvider STS (authenticate, …) | X.509
  certs
Conclusions
- Identity 2.0 and user-centric identity will change the identity management
  agenda:
  - Identity 2.0 shifts the perception of user identity from persisted,
    unauthenticated data to transient, authenticated information. It is a
    reaction to limitations of traditional security architectures with their
    rigid coupling between authorization and authentication.
  - User-centric identity puts self-determination of individual users into the
    identity management focus. It is a repercussion of Web 2.0 approaches
    around user participation.
- Web services change the technology landscape. They especially simplify
  federation. Federation solutions for traditional Web application environments
  and Web services should be regarded as different generations.
- A short taxonomy of federation solutions with the dimensions Web services /
  Identity 2.0 / user-centric identity:

  Initiative                                        Identity 2.0  User-centric  Web service-aware
  SAML Web-SSO, Shibboleth, Liberty-Alliance ID-FF  Yes           No            No
  OpenID                                            Yes           Yes           No
  CardSpace                                         Yes           Yes           Yes
  eFA                                               Yes           No            Yes
Author
Dr. Oliver Pfaff
Siemens AG
Med GS SEC DI 1
E-Mail: oliver.pfaff@siemens.com

Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 

Kürzlich hochgeladen (20)

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 

User-Centric Identity and Web Services Evolution

  • 1. Identity 2.0 and User-Centric Identity. Dr. Oliver Pfaff, Siemens AG. ZKI AK Verzeichnisdienste, Berlin, 2008-03-10. Copyright © Siemens AG 2008 All Rights Reserved
  • 2. Agenda
     Identity 2.0: What Is Changing and Why?
     Web Services: How Do They Change the Landscape?
     User-Centric Identity: How Does It Work?
     Example: eFA: How Does It Classify?
     Conclusions
  • 3. Identity 2.0: Assets and Liabilities (diagram comparing two approaches; box labels reproduced)
    Traditional approach: piggybacked. The service itself runs the initial authn endpoint and initial authn protocol (Cert=MI…, PoP=SSLSign(SrvNonce)), keeps the user account (id=John Doe, altSubjectId=MI…, cakePref=Streusel, …) and produces the authenticated subject (id=John Doe, cakePref=Streusel, authnMethod=SSL) that its authz subsystem consumes. Causes identity enclaves; mandates RPs to be IdPs.
    Federated approach: split work. The initial authn endpoint, initial authn protocol and user account move to the identity provider; the federated authn protocol carries Assertion=<id=John Doe, prefCake=Streusel>, PoP=WSSESign(SrvNonce) to the service's federated authn endpoint, which applies the attribute mapping prefCake ::= cakePref and produces the authenticated subject (id=John Doe, cakePref=Streusel, authnMethod=SSL) for the authz subsystem.
  • 4. Identity 2.0: Pattern Update (animated diagram). Identity provider: User, Initial authn, User repository, Federation endpoint. Resource provider: Resources, Authz, Federation endpoint. Arrow labels: Identity federation (between the two federation endpoints), Federated authentication, Tight coupling.
  • 5. Identity 2.0: On the Evolution of Identity (diagram in three panels; each panel shows User data, App, Authn, Authz and Resources and classifies the two perceptions of identity)
      Perception of identity                  | Left panel   | Middle panel | Right panel
      Transient, authenticated subject data   | Local matter | Joint matter | N.a.
      Persisted, unauthenticated user data    | Joint matter | Local matter | N.a.
  • 6. Web Services: Needs Shared With Web Applications
     Traditional Web application environments (HTTP/HTML) and Web services (HTTP/SOAP) share needs regarding Identity 2.0 support:
       Express authenticated subject information and related meta-data
       Support multiple concepts for identifier abstractions
       Support arbitrary subject attributes (to decouple consumers from a need to perform look-ups)
       Support a variety of authentication schemes (to obtain a statement on authenticated subject identity, to protect such statements and bind them to subjects)
     SAML assertions provide the best-practice approach to address these shared needs. They are used in Identity 2.0-enabling traditional Web application environments as well as Web services.
  • 7. Web Services: Deviations from Web Applications
     The tricky part is the acquisition and exchange of SAML assertions:
       How to tell that there is a need to present a SAML assertion
       How to express expectations on SAML assertion issuer and contained information
     Traditional Web application environments and Web services differ significantly:
       Web applications:
         Tedious to design and realize the piggybacking of SAML assertions and their acquisition/exchange protocol with HTTP/HTML-based communications
         Several approaches emerged over time:
           First generation:
             First wave (2001-2003): SAML 1.x, Shibboleth, Liberty-Alliance
             Second wave (2004-2005): SAML 2.0, WS-Federation (for passive requestors)
           Second generation (2006): Microsoft CardSpace (for passive requestors), OpenID
       Web services:
         Simple to design and realize the piggybacking of SAML assertions and their acquisition/exchange protocol with HTTP/SOAP-based communications
  • 8. Web Services: Architectural Abstractions
     The following standard Web services concepts and components support the Identity 2.0-enabling of Web services:
       Request SAML assertions
         Require e.g. a ProtectionToken in the WS-SecurityPolicy section of the WSDL. This also allows specifying the expected properties (attributes, claims) of the SAML assertions that need to be presented and the protection scheme for them (PoP)
         There is no equivalent concept for traditional Web application environments (requires a specifically designed vocabulary transferred with HTTP messages)
       Issue SAML assertions
         Addressed by WS-Trust STSs as a dedicated service for SAML assertion issuance (notes: SAML assertions can also be issued by non-STSs; STSs can also issue non-SAML assertions)
         There is no equivalent concept for traditional Web application environments
       Transfer SAML assertions
         Addressed by the SAML token profile in WSSE
         There is no equivalent concept for traditional Web application environments (embedding of SAML assertions is outside HTTP headers)
  • 9. User-Centric Identity: Types of Identity 2.0 Solutions (diagram)
     Federated authentication (transparent to users). Examples: SAML Web-SSO, Shibboleth, Liberty-Alliance ID-FF, WS-Federation
     Identifier-based. Example: OpenID
     Information card-based. Example: CardSpace
    Diagram label: "Facilitate user-centric identity" (the identifier-based and information card-based types; cf. the taxonomy on slide 17).
  • 10. User-Centric Identity: What Is OpenID?
     OpenID is a decentralized, open-source framework for user-centric digital identity
     Identity perception: transient, authenticated subject data
     Based on the following concept:
       Users have network authentication services dedicated to them individually (e.g. johndoe.myopenid.com)
       URLs of these authentication services serve to claim an identity (I am johndoe.myopenid.com)
       Transfer of authenticated information from the IdP to the RP is subject to user approval
     More information: http://openid.net/
  • 11. User-Centric Identity: Brief OpenID Assessment
     What’s new – one thing is cool in OpenID:
       OpenID introduces network authentication services that are dedicated to individuals
       Lifts the joint identity perception from persisted, unauthenticated user data to transient, authenticated subject information
       Provides means for individuals to control the sharing of personal information and the establishment of relationships with other parties at the authentication service
     What strikes – several things are over-simplified in OpenID:
       From a structural perspective, OpenID resembles a SAML POST profile exchange, but OpenID replaces the structured data that traditional federation protocols express in XML by ad-hoc encodings transferred directly as keyword/string-value pairs
       Keying (association establishment) avoids PKI concepts and uses anonymous Diffie-Hellman for ad-hoc association establishment. This exposes OpenID systems to impersonation and man-in-the-middle attacks.
  • 12. User-Centric Identity: What Is Windows CardSpace?
     CardSpace is a Microsoft client application helping users to manage and use their digital identities.
     Identity perception: transient, authenticated subject data
     Provides a part of novel user authentication and identity federation systems; represents their identity selector artifact.
     Is a milestone towards an identity metasystem:
       An identity metasystem integrates islands of identity with their “local” identity technologies
       Analogy: IP provides a communication metasystem for integrating islands of LANs with their “local” communication technologies.
     Allows arbitrary parties to become resource and identity providers
     Is standards-based
  • 13. User-Centric Identity: Windows CardSpace: Fundamental to Differentiate
     Identity metadata: templates for identity data plus references to identity providers
       E.g. authenticated subjects will be represented by RFC 822 name, organizational affiliation and role values; actual data can be obtained at these endpoints…
       Consists of attributes without their values, e.g. name, affiliation, roles
       Represented as long-lived objects called information cards in CardSpace
       Sample: XML document (image, not in the transcript)
     Identity data: concrete information about authenticated subjects
       E.g. this is ‘John Doe’, an employee of ‘Acme’ with the role ‘manager’
       Consists of attributes with their authenticated values, e.g. name=john.doe@acme.example, affiliation=Acme, roles=Manager
       Represented as short-lived objects called security tokens in CardSpace (aka: transient, authenticated subject data)
       Sample: XML document (image, not in the transcript)
  • 14. User-Centric Identity: CardSpace High-Level Architecture (diagram)
    Parties: Resource provider (consumes identity data; contains Authz and Resources). Identity provider (produces identity data and identity metadata; contains Initial authn, User data and a WS-Trust STS). User agent with Identity selector (consumes identity metadata).
    Numbered steps: 0. Information card (labelled "Identity metadata sharing", identity provider to identity selector); 1. Security policy (from the resource provider); 2. Information card selection (at the identity selector); 3. Security token (from the WS-Trust STS, presented to the resource provider).
  • 15. eFA Project Characteristics
     A national project to introduce federation in accessing patients’ MDOs:
       According to medical cases
       Across health providers
     Project goal: specify and pilot a solution architecture
     Project participants:
       German hospitals (project owner, solution users) incl. Rhön Klinikum AG
       Suppliers of IT solutions (technical realization) incl. Siemens Med
       Fraunhofer ISST (specification lead)
     Piloting will be done between pairs of recognized hospitals, each of which has an industry partner for the technical realization.
     More information: www.fallakte.de
  • 16. eFA Architectural Approach (v0.16 WSDLs/XSDs). Diagram of Web service clients, Web services and the data objects they manage; three interceptors sit between clients and services.
      Web service client                | Web service (operations)                                       | Data objects
      ECRRecordRegistry client          | ECRRecordRegistry (getFolderList, …)                           | ECRs
      ECRDocumentRegistry client        | ECRDocumentRegistry (getInformationObjectList, …)              | MDO folders
      ECRDocumentRepository client      | ECRDocumentRepository (getInformationObject, …)                | Actual MDOs
      ECRRecordRegistrySecurity client  | ECRRecordRegistrySecurity (requestAccess, …)                   | Authz policies (DAC)
      ECRAdmissionTokenProvider client  | ECRAdmissionTokenProvider (requestAdmissionTokenCollection, …) | Authz policies (RBAC)
      AttributeProvider STS client      | AttributeService STS (getAttributes)                           | Attrs esp. role, memberOf
      IdentityProvider STS client       | IdentityProvider STS (authenticate, …)                         | X.509 certs
  • 17. Conclusions
     Identity 2.0 and user-centric identity will change the identity management agenda:
       Identity 2.0 shifts the perception of user identity from persisted, unauthenticated data to transient, authenticated information. It is a reaction to limitations of traditional security architectures with their rigid coupling between authorization and authentication
       User-centric identity puts self-determination of individual users into the identity management focus. It is a repercussion of Web 2.0 approaches around user participation.
     Web services change the technology landscape. They especially simplify federation. Federation solutions for traditional Web application environments and Web services should be regarded as different generations.
     A short taxonomy of federation solutions with the dimensions of Web services / Identity 2.0 / user-centric identity:
      Initiative                                        | Identity 2.0 | User-centric | Web service-aware
      SAML Web-SSO, Shibboleth, Liberty-Alliance ID-FF  | Yes          | No           | No
      OpenID                                            | Yes          | Yes          | No
      CardSpace                                         | Yes          | Yes          | Yes
      eFA                                               | Yes          | No           | Yes
  • 18. Author: Dr. Oliver Pfaff, Siemens AG, Med GS SEC DI 1. E-Mail: oliver.pfaff@siemens.com
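Slide 11's assessment (ad-hoc keyword/string-value encoding instead of XML; anonymous Diffie-Hellman for association establishment) becomes concrete when one models what an OpenID 2.0 relying party actually computes and checks. The following is an added example, not code from the slides or from any OpenID implementation: the DH group is a toy parameter (OpenID's default is a 1536-bit MODP prime with generator 2), and every endpoint, identifier, association handle and nonce is a constructed sample value.

```python
"""OpenID 2.0 association and RP-side verification of a positive assertion, modelled compactly.
Added example; not from the slides or any OpenID project. Group parameters and all values are
constructed for demonstration."""
import base64
import hashlib
import hmac
import secrets

# Toy DH group (constructed). OpenID 2.0's default is a 1536-bit MODP prime with g = 2.
P = 2**127 - 1
G = 2
# Fields a positive assertion must carry under its signature (OpenID 2.0, section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding of a non-negative integer (section 4.2)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def kv_encode(fields) -> str:
    """Key-Value form (section 4.1.1): one 'key:value' line per field, in the given order."""
    return "".join(f"{key}:{value}\n" for key, value in fields)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rp_start_association():
    """RP side: choose a private exponent x and send g^x mod p as dh_consumer_public."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def op_complete_association(dh_consumer_public: int) -> dict:
    """OP side: derive the shared secret, mint a MAC key, mask it with SHA-256(btwoc(shared))."""
    y = secrets.randbelow(P - 2) + 1
    shared = pow(dh_consumer_public, y, P)
    mac_key = secrets.token_bytes(32)  # HMAC-SHA256 association type
    return {
        "assoc_handle": "assoc-" + secrets.token_hex(8),
        "dh_server_public": pow(G, y, P),
        "enc_mac_key": xor(mac_key, hashlib.sha256(btwoc(shared)).digest()),
        "mac_key": mac_key,  # kept by the OP; only enc_mac_key goes on the wire
    }


def rp_finish_association(x: int, dh_server_public: int, enc_mac_key: bytes) -> bytes:
    """RP side: unmask the MAC key. Nothing here authenticates the OP (anonymous DH), which is
    the slide's point: the key is only as private as the channel the association was made on."""
    shared = pow(dh_server_public, x, P)
    return xor(enc_mac_key, hashlib.sha256(btwoc(shared)).digest())


def sign_fields(mac_key: bytes, response: dict, signed: list) -> str:
    """openid.sig = base64(HMAC-SHA256(mac_key, key-value form of the signed fields))."""
    base = kv_encode((name, response[name]) for name in signed)
    return base64.b64encode(hmac.new(mac_key, base.encode(), hashlib.sha256).digest()).decode()


def verify_response(mac_key: bytes, response: dict, expected_return_to: str) -> bool:
    """RP acceptance checks for a positive assertion (openid.mode=id_res)."""
    if response.get("mode") != "id_res":
        return False
    signed = response.get("signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed) or any(name not in response for name in signed):
        return False  # a field left out of 'signed' is unprotected, so refuse the response
    if response["return_to"] != expected_return_to:
        return False
    return hmac.compare_digest(sign_fields(mac_key, response, signed), response.get("sig", ""))


def demo():
    """Association, a constructed positive assertion, then three RP verdicts."""
    x, rp_public = rp_start_association()
    op = op_complete_association(rp_public)
    rp_mac_key = rp_finish_association(x, op["dh_server_public"], op["enc_mac_key"])

    # On the wire every name carries an 'openid.' prefix; the signature base uses bare names.
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle", "signed"]
    response = {
        "ns": "http://specs.openid.net/auth/2.0",
        "mode": "id_res",
        "op_endpoint": "https://op.example/server",
        "claimed_id": "https://johndoe.op.example/",
        "identity": "https://johndoe.op.example/",
        "return_to": "https://rp.example/openid/return",
        "response_nonce": "2008-03-10T12:00:00ZABCDEF",
        "assoc_handle": op["assoc_handle"],
        "signed": ",".join(signed),
    }
    response["sig"] = sign_fields(op["mac_key"], response, signed)

    genuine = verify_response(rp_mac_key, response, "https://rp.example/openid/return")
    altered = dict(response, identity="https://someoneelse.op.example/")  # claim changed in transit
    uncovered = dict(response, signed="op_endpoint,assoc_handle,signed")  # required fields unsigned
    return (genuine,
            verify_response(rp_mac_key, altered, "https://rp.example/openid/return"),
            verify_response(rp_mac_key, uncovered, "https://rp.example/openid/return"))
```

demo() returns (True, False, False): the genuine assertion verifies, an assertion whose identity was altered fails the MAC, and one whose signed list no longer covers return_to and response_nonce is refused before any MAC is computed. Both defensive checks live in verify_response; rp_finish_association shows what the slide criticises, namely that the RP has no way to tell which party it just established the MAC key with.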

Editor's Notes

  1. This presentation discusses new concepts, patterns and technologies emerging around the notions of “Identity 2.0” and “User-Centric Identity”:
     It emphasizes their relationship with directory systems (Identity 2.0 = Directory 2.0?)
     It presents a vendor’s view upon these initiatives
     It is not meant to be a product marketing presentation
  2. The overall work tasks are (looking at the side of consuming authentication):
     1. Verify identifiers, credentials and PoP. Details depend on the employed authentication protocol. Mechanics are largely handled by WS-stacks.
     2. Enrich authn information to please application needs (don’t mandate the authentication infrastructure to address the subject information needs of all applications).
     3. Propagate this information to applications (for use in e.g. authz or other purposes such as application personalization).
     The federated approach does not change the list of overall work tasks. It changes the allocation of these work tasks: task 1 (with a different kind of credentials than on the left) and task 3 remain to be done at the RP side. Task 2 can be outsourced within a federated environment.
     This obviously addresses the use case of serving foreign user populations better than the traditional approach. However, it also represents an important architectural trick when serving own user populations. This means that a federation-enabled SOA security system would:
       Assign an RP-only role to services
       Rely on internal (for an own user population) or external (for external user populations) IdPs
  3. CardSpace information cards:
       Issued by identity providers
       Consumed by identity selectors, i.e. on the user side
       Support users in selecting and interacting with identity providers
     CardSpace security tokens:
       Issued by identity providers, based on user authentication
       Consumed by resource providers
       Support resource providers in authorizing access requests
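Editor's note 2 lists the three RP-side work tasks (verify, enrich, propagate) and note 3 the split between information cards and security tokens; slides 3, 8 and 14 describe the attribute mapping, the policy/STS/token abstractions and the numbered CardSpace exchange around them. The following added example models that flow end to end; it is not code from the slides, from Siemens, CardSpace or any SAML/WS-Trust stack. Assumptions: the token is a JSON payload protected by an HMAC with a key shared between STS and RP out of band (standing in for a SAML assertion with a WS-Security XML signature), it is a bearer token (the slides' holder-of-key PoP over a server nonce is not modelled), and the cards, user record, URLs and timestamps are constructed sample values.

```python
"""Policy -> card selection -> token issuance -> RP verification, modelled end to end.
Added example; not from the slides, Siemens, CardSpace or any SAML/WS-Trust implementation.
Assumptions: HMAC over JSON with an out-of-band shared key instead of XML signatures on SAML;
bearer token, no holder-of-key PoP; all cards, users, URLs and times are constructed."""
import hashlib
import hmac
import json

# 0. Information cards = identity metadata: claim names without values plus the issuer endpoint.
CARDS = [
    {"card_id": "card-acme", "issuer": "https://sts.acme.example",
     "claims": ["name", "affiliation", "roles"]},
    {"card_id": "card-bakery", "issuer": "https://sts.bakery.example",
     "claims": ["name", "prefCake"]},
]

# 1. RP security policy: what WS-SecurityPolicy would state as required token, claims, issuer.
RP_POLICY = {
    "audience": "https://rp.example/service",
    "required_claims": ["name", "roles"],
    "trusted_issuers": {"https://sts.acme.example": b"constructed-key-acme"},  # shared out of band
    "attribute_map": {"roles": "role", "affiliation": "org"},  # like prefCake ::= cakePref on slide 3
    "clock_skew": 60,
}

# STS-side user repository (constructed); consulted only after initial authn, assumed done.
USER_REPOSITORY = {
    "john.doe": {"name": "john.doe@acme.example", "affiliation": "Acme", "roles": "Manager"},
}


def select_cards(cards: list, policy: dict) -> list:
    """2. Identity selector: cards from a trusted issuer that can supply every required claim."""
    needed = set(policy["required_claims"])
    return [c for c in cards
            if c["issuer"] in policy["trusted_issuers"] and needed <= set(c["claims"])]


def sts_issue_token(issuer: str, key: bytes, user_id: str, claims: list,
                    audience: str, now: int, lifetime: int = 300) -> dict:
    """3. STS: identity data = requested claims with authenticated values, bound to an
    audience and a validity window, protected with the issuer key."""
    record = USER_REPOSITORY[user_id]
    body = {
        "issuer": issuer, "subject": user_id, "audience": audience,
        "nbf": now, "exp": now + lifetime, "authn_method": "password",
        "claims": {name: record[name] for name in claims if name in record},
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": payload, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def rp_consume_token(token: dict, policy: dict, now: int) -> dict:
    """RP: task 1 verify, task 2 enrich/map, task 3 hand the subject to the authz subsystem."""
    body = json.loads(token["payload"])
    key = policy["trusted_issuers"].get(body.get("issuer"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("sig", "")):
        raise ValueError("signature check failed")
    if body.get("audience") != policy["audience"]:
        raise ValueError("token not issued for this RP")
    skew = policy["clock_skew"]
    if not (body["nbf"] - skew <= now <= body["exp"] + skew):
        raise ValueError("token outside its validity window")
    missing = [c for c in policy["required_claims"] if c not in body["claims"]]
    if missing:
        raise ValueError(f"required claims missing: {missing}")
    subject = {"id": body["subject"], "authnMethod": body["authn_method"]}
    for name, value in body["claims"].items():
        subject[policy["attribute_map"].get(name, name)] = value  # task 2: IdP -> RP vocabulary
    return subject  # task 3: the transient, authenticated subject the authz subsystem consumes


def accepted(token: dict, policy: dict, now: int) -> bool:
    """True if the RP would accept the token under the policy at time 'now'."""
    try:
        rp_consume_token(token, policy, now)
        return True
    except ValueError:
        return False


def demo(now: int = 1_205_150_400) -> dict:
    """Steps 0-3 for John Doe against RP_POLICY; 'now' is 2008-03-10T12:00Z (constructed)."""
    card = select_cards(CARDS, RP_POLICY)[0]
    issuer = card["issuer"]
    token = sts_issue_token(issuer, RP_POLICY["trusted_issuers"][issuer], "john.doe",
                            card["claims"], RP_POLICY["audience"], now)
    return rp_consume_token(token, RP_POLICY, now)
```

demo() returns the mapped subject {"id": "john.doe", "authnMethod": "password", "name": "john.doe@acme.example", "org": "Acme", "role": "Manager"}: the only card accepted is the one whose issuer the RP trusts and which can supply name and roles, and the RP never looks the user up itself, which is the decoupling slide 6 asks for. The checks in rp_consume_token are ordered so that a token with a bad signature, a foreign audience or an expired window is rejected before any claim is mapped; replacing the HMAC with a real XML signature and the bearer token with holder-of-key proof of the server nonce is what a WS-Security stack adds on top of this skeleton.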