7. Ingredients
• Small number of ingredients can be composed to create useful & tasty dishes
• SCIM, SAML, OAuth, and JWT provide a standards based framework for cloud identity recipes
8. (Gross) Oversimplifications
• SAML - SSO for enterprise & cloud web apps
• OAuth - authn & authz for RESTful APIs
• SCIM - RESTful (and viable!) user provisioning
• JWT - JSON-based SAML assertions
11. SCIM & SAML
• SCIM API messages to provision accounts for subsequent SAML SSO
• SAML binding for SCIM
  • Carry SCIM instance as attributes in SAML SSO message
  • Alternative to a distinct CRUD operation using the SCIM RESTful protocol
  • Enables JIT provisioning
13. Challenges
• Non-trivial to map SCIM attribute schema into SAML's attribute model
• SCIM schema allows for
  • Complex structures
  • Multi-valued attributes
• Which is why I've been negligent in the work
15. SCIM & OAuth
1. Use SCIM to provision account for subsequent OAuth-based mobile access to SaaS APIs
2. Use OAuth to secure SCIM API calls
16. SCIM & OAuth
Example SCIM create-user call, secured with an OAuth bearer token:

POST /User HTTP/1.1
Host: example.com
Accept: application/xml
Content-Type: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>bjensen@example.com</userName>
  <externalId>701984</externalId>
  <emails>
    <email>
      <value>bjensen@example.com</value>
      <primary>true</primary>
      <type>work</type>
    </email>
  </emails>
</scim:User>

Note: the Authorization header carries an OAuth access token issued by the SaaS to the enterprise, to use on subsequent SCIM calls.
Note the difference from the archetypical OAuth delegated authz use case: here the token authorizes an enterprise system, not an end user delegating access.
18. SAML & OAuth
Three ways of composing SAML with OAuth:
• 'Hybrid' - carry an OAuth token in SAML SSO messages
• 'Assertion profile' - use SAML assertions within the OAuth flow; trade the assertion for a token
• 'Sequencing' - use SAML SSO in order to authenticate the user to the AS
26. SAML & JWT & OAuth
Layered view (bottom to top):
• OAuth - core protocol
• Assertion profile - how to use assertions for client authentication and as a grant type
• SAML and JWT profiles - for specific assertion formats
27. SAML & JWT & OAuth
• Use SAML assertion or JWT for OAuth client authentication and/or as an OAuth grant type

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=i1WsRn1uB1&
client_id=s6BhdRkqt3&
client_assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&
client_assertion=PHNhbWxwOl...ZT

Here the client is authenticating to the AS token endpoint using an assertion rather than a client secret.
29. OpenID Connect == JWT & OAuth & identity
• OAuth is a general mechanism to authorize API access; OpenID Connect profiles that generic mechanism for the purposes of sharing profile information & enabling an SSO protocol
• Uses the authz code & implicit grant types - the pieces of OAuth optimized for user-consent scenarios
• Leverages the authorization & token endpoints & adds identity-based params to the core OAuth messages
30. OpenID Connect
• OpenID Provider
  - Adds to the OAuth 2.0 Authorization Service
    • Issues id_token in addition to access_token
  - Codifies a standardized Resource Service
    • UserInfo Endpoint
• Relying Party
  - OAuth client to the endpoints exposed by the OpenID Provider
    • Implicit Grant or Authorization Code Flows
31. Base OAuth
(Diagram: User Agent, Client, AS, RS. Ignoring the distinction as to whether the tokens actually flow front-channel, or instead back-channel after a front-channel step.)
1) GET A TOKEN - Client obtains a token from the AS
2) USE A TOKEN - Client presents the token to the RS
32. OpenID Connect on top of Base OAuth
(Diagram: User Agent, Client, AS, RS/UserInfo. Ignoring the distinction as to whether the tokens actually flow front-channel, or instead back-channel after a front-channel step.)
1) GET A TOKEN - Client obtains tokens from the AS (base OAuth)
2) READ A TOKEN - Client reads the id_token (OpenID Connect)
3) USE A TOKEN - Client presents the access_token to the RS, the UserInfo endpoint (OpenID Connect)
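The "read a token" step above is what distinguishes OpenID Connect from base OAuth: the Relying Party must check the id_token it receives beside the access_token before treating it as an SSO login. As an added example (not from the deck), a minimal RP-side check in Python for an HS256 id_token keyed by the client_secret; the client_id, secret, issuer, nonce and token values are all constructed.

```python
import base64, hashlib, hmac, json
# Constructed example values (not from the slides): the RP's client_id, the
# client_secret it shares with the OP, and the OP's issuer URL.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-client-secret"
ISSUER = "https://op.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT (used here only to build a sample id_token)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def read_id_token(id_token: str, client_id: str, secret: bytes,
                  issuer: str, nonce: str, now: int) -> dict:
    """Step 2 ('read a token'): return the id_token claims only if signature,
    issuer, audience, expiry and nonce all hold; otherwise raise ValueError."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the alg; never trust the header
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims

def sample_token_response(now: int) -> dict:
    """Constructed OP token response: access_token plus id_token, as on slide 32."""
    claims = {"iss": ISSUER, "sub": "bjensen", "aud": CLIENT_ID, "iat": now,
              "exp": now + 300, "nonce": "n-0S6_WzA2Mj"}
    return {"access_token": "SlAV32hkKG", "token_type": "Bearer",
            "id_token": sign_hs256(claims, CLIENT_SECRET)}
```

Only after read_id_token returns does the RP move to step 3 and send the access_token to UserInfo as a Bearer header; a real deployment would verify the OP's RS256 signature via its published keys rather than a shared secret.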
34. UMA == OAuth + centralized authz
1. OAuth allows for pairwise app-to-app connections. UMA, in
addition, defines a hub from which many pairwise sharing
connections can be managed, controlled, and revoked.
2. OAuth solves for person-to-self sharing. UMA, in addition, solves
for secure person-to-person sharing and person-to-organization
sharing.
3. OAuth leaves unstated how its "authorization server" and
"resource server" components interact. UMA fully defines a
standard interface between its enhanced versions of these two
components, the authorization manager and host.
From UMA FAQ
38. Speculative
• XACML policy (a TBD JSON binding) inside a JWT???
  • Extends the simple scope model
• Interplay between SCIM-provisioned attributes & SaaS XACML policies?
• RESTful authz query for XACML?
  • PEP sends an access token to the PDP (along with scopes); the PDP resolves the token as necessary and returns yes/no to the PEP
Acknowledge that there is a SAML/XACML profile - but nobody uses it. What of composing XACML with OAuth - both nominally focussed on authz. What about carrying XACML in JWT etc etc