5. Cloud Identity
• Identity Management as a Service (IDaaS)
– Externally hosted, turnkey SaaS applications that perform identity management
• Users and applications may be on-premises or hosted
– OPEX, flexible with changes in economies of scale
• Identity bridge
– On-premises component to connect on-premises and externally hosted environments
– Supports multiple identity services
7. To The Cloud (SSO + Provisioning)
[Diagram: hosted vs. on-premises. The on-premises Active Directory (Kerberos, employee directory) reaches the hosted side through the identity bridge in two ways: federation SSO via a Federation IdP, and directory synchronization via a sync API (SSO sync).]
8. To The Cloud (Mobile Identity)
[Diagram: an externally hosted MDM cloud service (profile/policy, credential provisioning, private key, app distribution, group A membership) connected through the identity bridge to on-premises Active Directory, Microsoft Certificate Services, the MDM and its MMC console.]
9. From The Cloud (SSO)
[Diagram: a hosted partner, carrying SAML, OAuth, password or X.509 credentials, reaches on-premises applications through the identity bridge. Components shown: OAuth relying party, OAuth authorization service, OAuth resource server, Federation SP, Federation IDP; on-premises targets are a WAM-protected application (HTTP cookie), an OAuth-protected application and a SAML-enabled application.]
10. From the Cloud (Provisioning)
[Diagram: an externally hosted IDaaS provisions into on-premises regions (Europe, North America, Manufacturing) through a per-site identity bridge, with reconciliation against each site's Active Directory and against the ERP system.]
11. In The Cloud (SSO + Provisioning)
[Diagram: the hosted IDaaS provides provisioning and a Federation IdP; the user authenticates at the IdP and reaches hosted and on-premises applications via federated SSO.]
13. Modern Building Blocks
• REST (Representational State Transfer)
– Adopted in response to the complexity of SOAP
– Uses HTTP for its request/response
– Objects are represented as URLs
– Example HTTP verbs
• GET: retrieve object attributes
• POST: create object with new attributes
• DELETE: delete object
14. Modern Building Blocks
• JSON (JavaScript Object Notation)
– Adopted in response to the complexity of XML
– Data format representing name value pairs
15. Modern Building Blocks
• Most modern identity standards leverage JSON over REST
– Peanut butter and jelly
– OAuth (authorization), SCIM (provisioning), FIDO (authentication), OpenID Connect (multi-protocol)
• Some notable exceptions are SAML and XACML
16. Modern Building Blocks
REST HTTP verb (add user in SCIM):

POST https://pingidentity.com:8443/Users
Authorization: Basic Y249RGlyZWN0b3J5IE1...
Content-Type: application/json

{
  "userType": "spy",
  "externalId": "tstark86753",
  "pacsSerial": "87654321",
  "active": true,
  "otpSerial": "12345678",
  "email": "tony.stark@pingidentity.com",
  "userName": "lcarroll",
  "givenName": "Tony",
  "familyName": "Stark"
}
17. Modern Building Blocks
In REST, objects and endpoints have unique URLs (the same request, highlighting the endpoint URL https://pingidentity.com:8443/Users).
18. Modern Building Blocks
JSON data representation (the same request, highlighting the JSON body).
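As an added example (not the deck's code), a minimal in-memory SCIM-style /Users resource that parses the request above and serves the GET/POST/DELETE verbs from slide 13, decoding the Basic header along the way to show it is base64 rather than encryption. Assumed: the required-attribute set, the 409 on a duplicate userName, and a constructed Basic credential in place of the deck's truncated one.

```python
import base64
import json
from urllib.parse import urlsplit
REQUIRED = ("userName", "givenName", "familyName", "email")  # assumed mandatory attributes

def parse_request(raw):
    """Split raw HTTP request text into (method, path, headers, body)."""
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, target = request_line.split()[:2]
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    return method, urlsplit(target).path, headers, body

def basic_user(headers):
    """Basic auth is only base64, not encryption: anyone who sees the header can read the credential."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    return base64.b64decode(token).decode().partition(":")[0]

class UserStore:
    """In-memory SCIM-style /Users resource: POST creates, GET reads, DELETE removes."""
    def __init__(self):
        self.users, self.next_id = {}, 1
    def handle(self, method, path, body=""):
        """Return (status, json_body) for one request."""
        if method == "POST" and path == "/Users":
            user = json.loads(body)
            missing = [a for a in REQUIRED if a not in user]
            if missing:
                return 400, {"detail": "missing " + ", ".join(missing)}
            if any(u["userName"] == user["userName"] for u in self.users.values()):
                return 409, {"detail": "userName already exists"}  # SCIM userName is unique
            uid, self.next_id = str(self.next_id), self.next_id + 1
            self.users[uid] = user
            return 201, {"id": uid, **user}  # the object now has its own URL, /Users/<id>
        uid = path.rpartition("/")[2] if path.startswith("/Users/") else None
        if method == "GET" and uid in self.users:
            return 200, {"id": uid, **self.users[uid]}
        if method == "DELETE" and uid in self.users:
            del self.users[uid]
            return 204, None
        return 404, {"detail": "not found"}

# Constructed request: the deck's payload with a constructed Basic credential replacing the truncated one.
SAMPLE = ("POST https://pingidentity.com:8443/Users HTTP/1.1\n"
          "Authorization: Basic " + base64.b64encode(b"cn=Directory Manager:example-secret").decode() + "\n"
          "Content-Type: application/json\n\n"
          '{"userType":"spy","externalId":"tstark86753","active":true,"email":"tony.stark@pingidentity.com","userName":"tstark","givenName":"Tony","familyName":"Stark"}')
```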
21. OAuth
• Increasingly popular protocol for session management in rich mobile applications
• Mobile web applications function well with traditional enterprise authentication
• Rich mobile applications may break existing infrastructure like authentication and Web access management
22. OAuth Components and Flow
[Diagram: a native application (with an embedded web browser) as the OAuth client/relying party, an OAuth authorization server and an OAuth resource server; the client ends up holding an access token and a refresh token. Recoverable step labels: (1) browser instantiated, (2) user authentication, (4) code delivery, then token/code return, (7) access token, (8) access resource.]
23. Why Not Just Use OAuth?
• OAuth is:
– Valuable as an access delegation protocol
– A good fit for native mobile applications
– Friendly for developers
• OAuth is not:
– A user identity protocol
– An “identity at scale” protocol
24. OpenID Connect Flow
[Diagram: the OpenID Provider is made up of an OAuth authorization server, an OAuth resource server and a user information endpoint; the OAuth client/relying party receives an ID token, an access token and a refresh token, and uses the access token for API access and to fetch user information.]
25. OIDC Multiple Provider Flow
[Diagram: the same flow against two OpenID Providers (#1 and #2), each with its own authorization server, user information endpoint and OAuth resource server. Steps: (1) token information, (2) user information, (3) API access, (4) ID token, (5) access and refresh tokens, all ending at the OAuth client/relying party holding ID, access and refresh tokens from each provider.]
30. OpenID Connect Under The Covers
• OAuth 2.0 specifications
• JSON Web Token (JWT)
• JOSE
– JSON Web Signature (JWS)
– JSON Web Encryption (JWE)
– JSON Web Algorithms (JWA)
– JSON Web Key (JWK)
32. FIDO—A Tale of Two Protocols
• FIDO Unified Authentication Framework (UAF)
– Local mobile biometrics
– Initially proposed by Lenovo, Nok Nok, PayPal, others
– Also supports non-biometric authentication
• Universal Second Factor (U2F)
– “Smart” smart card
– Initially proposed by Google and Yubikey (first to partner)
33. FIDO UAF
[Diagram: (1) user authentication to the FIDO client, whose authenticator(s) hold a device key pair and site-specific key pairs; (2) FIDO handshake with the FIDO Server at the web site/RP, which performs ID proofing and binds user info to the public key; (3) asymmetric key authentication; device attestation is checked against the FIDO Attestation Service.]
34. UAF to OpenID Connect
[Diagram: (1) user authentication to the FIDO client; (2) FIDO handshake and (3) asymmetric key authentication with the FIDO authentication module of the OpenID Provider, which binds user info to the public key; (4) token information (ID, access and refresh tokens) to the mobile application acting as relying party; (5) API request/response.]
35. [Diagram: FIDO U2F. (1) user password authentication to the site's authn service; (2) challenge response, with Key Handle, to the U2F authn service, which checks device attestation with the attestation service and stores user info, public key and Key Handle; the FIDO U2F device holds site-specific key pairs (with Key Handles) and a per-batch device key pair, and has an activation button (activation required during enrollment and optional at runtime).]
36. U2F to Federation
[Diagram: (1) user password authentication to the Federation IDP's primary authn service; (2) challenge response, with Key Handle, to the U2F authn service, which stores user info, public key and Key Handle; (3) SAML credentials issued by the Federation IDP; (4) SAML credentials presented to the Federation SP.]
37. SCEP Certificate Enrollment
[Diagram: iPhone Configuration Utility, Profile service, Certificate authority. (1) Utility publishes enrollment profile (SCEP.mobileconfig); (2) user authenticates; (3) profile is downloaded; (4) iOS executes SCEP enrollment; (5) certificate is installed in iOS store.]
38. SCEP Enrollment Vulnerability
[Diagram: exchange between the Profile service, the Certificate authority and the enrolling device.]
(1) Profile service: Can I have a SCEP secret?
(2) Certificate authority: Sure! Your SCEP secret is “8675309”.
(3) SCEP.mobileconfig: Tony Stark, your SCEP secret is “8675309”. Enroll for a certificate.
(4) Device: My SCEP secret is “8675309”. My name is “Nick Fury”.
(5) Certificate authority: Here you go! Your certificate name is Nick Fury.
Result on the device: Certificate, Private Key.
39. Enhanced Enrollment
[Diagram: MDM service, Certificate authority, device.]
(1) MDM service to Certificate authority: Here is public key for user Tony Stark.
(2) Certificate authority: Sure! Here is the certificate.
(3) MDM service to device: Here is your certificate and private key!
Result on the device: Private key, Certificate.
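The weakness on slide 38 and the fix on slide 39 as an added example (not the deck's code): a toy CA that issues on the SCEP challenge secret alone lets whoever holds Tony's secret name the subject “Nick Fury”, whereas the MDM-fronted CA takes the subject from the authenticated MDM and the device never names itself. Users, key pairs and the MDM API key are constructed stand-ins.

```python
import hmac
import secrets

class ChallengeCA:
    """Mirrors slide 38: the SCEP challenge secret is the only check, and the enrollee names the subject."""
    def __init__(self):
        self.valid_secrets = set()   # the CA never records which user a secret was issued to

    def issue_secret(self, user):
        s = secrets.token_hex(4)     # short, like "8675309"; the user argument is ignored, as in the deck
        self.valid_secrets.add(s)
        return s

    def enroll(self, claimed_subject, presented_secret):
        # Vulnerable: any valid secret entitles its holder to ANY subject name (Tony's secret -> "Nick Fury").
        if presented_secret in self.valid_secrets:
            return {"subject": claimed_subject}
        return None

class MdmBoundCA:
    """Mirrors slide 39: only the authenticated MDM service may request certificates, and the subject
    is the user the MDM names; the device never supplies a name of its own."""
    def __init__(self, mdm_api_key):
        self.mdm_api_key = mdm_api_key

    def issue(self, api_key, user, public_key):
        if not hmac.compare_digest(api_key, self.mdm_api_key):
            return None
        return {"subject": user, "public_key": public_key}

class MdmService:
    """The MDM knows which enrolled device belongs to which user, generates the key pair itself and
    hands the device its certificate plus private key, as on slide 39."""
    def __init__(self, ca, api_key, device_owners):
        self.ca, self.api_key, self.device_owners = ca, api_key, device_owners

    def provision(self, device_id):
        user = self.device_owners.get(device_id)
        if user is None:
            return None
        # Constructed stand-in for key-pair generation; a real MDM would generate an RSA or EC key pair.
        private_key, public_key = f"priv-{secrets.token_hex(8)}", f"pub-{secrets.token_hex(8)}"
        cert = self.ca.issue(self.api_key, user, public_key)
        return None if cert is None else {"certificate": cert, "private_key": private_key}
```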