A recipe for standards-based Cloud IdM

Paul Madsen
@paulmadsen
Ingredients

• SAML
• OAuth
• SCIM
• JWT
Ingredients

• A small number of ingredients can be composed to create useful & tasty dishes
• SCIM, SAML, OAuth, and JWT provide a standards-based framework for cloud identity recipes
(Gross) Oversimplifications

• SAML – SSO for enterprise & cloud web apps
• OAuth – authn & authz for RESTful APIs
• SCIM – RESTful (and viable!) user provisioning
• JWT – JSON-based SAML assertions
[Diagram: the four ingredients SAML, SCIM, OAuth and JWT]
SCIM & SAML

• SCIM API messages to provision accounts for subsequent SAML SSO
• SAML binding for SCIM
  • Carry a SCIM instance as attributes in the SAML SSO message
  • Alternative to a distinct CRUD operation using the SCIM RESTful protocol
  • Enables JIT provisioning
SCIM & SAML

<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      Name="SCIM.userName">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      Name="SCIM.name.formatted">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
Challenges

• Non-trivial to map the SCIM attribute schema into SAML's attribute model
• SCIM schema allows for
  • Complex structures
  • Multi-valued attributes
• Which is why I've been negligent in the work
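Added example (mine, not from the deck or from any SCIM/SAML binding draft) showing one way to flatten a SCIM resource, including the complex and multi-valued attributes the Challenges slide names, into the AttributeStatement shape of the previous slide. The dotted attribute naming and the 'type' qualifier for multi-valued complex attributes are assumptions, and the sample user is constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XS_NS = "http://www.w3.org/2001/XMLSchema"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("xsi", XSI_NS)

# Constructed SCIM user in the shape of the slide's example (not a real account).
SAMPLE_USER = {
    "userName": "bjensen@example.com",
    "name": {"formatted": "Ms. Babs J Jensen III", "familyName": "Jensen"},
    "displayName": "Babs <Jensen>",  # deliberately needs XML escaping
    "emails": [
        {"value": "bjensen@example.com", "type": "work", "primary": True},
        {"value": "babs@jensen.example", "type": "home"},
    ],
    "x509Certificates": ["MIIB...constructed1", "MIIB...constructed2"],
}


def flatten_scim(resource, prefix="SCIM"):
    """Flatten a SCIM resource into {saml_attribute_name: [string values]}.

    Assumed convention (mine, not a published binding): sub-attributes become
    dotted paths (SCIM.name.formatted); entries of a multi-valued complex
    attribute are qualified by their 'type' so value/primary stay correlated
    (SCIM.emails.work.value); simple multi-valued attributes become one SAML
    Attribute carrying several AttributeValue children."""
    out = {}

    def walk(path, node):
        if isinstance(node, dict):
            for key, val in node.items():
                walk(f"{path}.{key}", val)
        elif isinstance(node, list):
            for item in node:
                if isinstance(item, dict) and item.get("type"):
                    walk(f"{path}.{item['type']}",
                         {k: v for k, v in item.items() if k != "type"})
                else:
                    walk(path, item)  # untyped entries fall back to plain multi-valued
        elif isinstance(node, bool):
            out.setdefault(path, []).append("true" if node else "false")
        elif node is not None:
            out.setdefault(path, []).append(str(node))

    walk(prefix, resource)
    return out


def build_attribute_statement(attrs):
    """Emit the AttributeStatement through ElementTree so every value is escaped:
    a SCIM value containing '<' cannot inject extra SAML markup."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement", {"xmlns:xs": XS_NS})
    for name, values in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             {"NameFormat": NAME_FORMAT, "Name": name})
        for value in values:
            av = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue",
                               {f"{{{XSI_NS}}}type": "xs:string"})
            av.text = value
    return ET.tostring(stmt, encoding="unicode")
```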
SCIM & OAuth

1. Use SCIM to provision an account for subsequent OAuth-based mobile access to SaaS APIs
2. Use OAuth to secure SCIM API calls
SCIM & OAuth

POST /User HTTP/1.1
Host: example.com
Accept: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>bjensen@example.com</userName>
  <externalId>701984</externalId>
  <emails>
    <email>
      <value>bjensen@example.com</value>
      <primary>true</primary>
      <type>work</type>
    </email>
  </emails>
</scim:User>

Annotations on the slide:
• The OAuth access token in the Authorization header is issued by the SaaS to the enterprise, to use on subsequent SCIM calls.
• Note the difference from the archetypical OAuth delegated-authz use case.
SAML & OAuth

Three compositions of the two:
• 'Hybrid' – carry an OAuth token in SAML SSO messages (SAML on the outside, OAuth inside)
• 'Assertion profile' – use SAML assertions within an OAuth flow; trade the assertion for a token (OAuth on the outside, SAML inside)
• 'Sequencing' – use SAML SSO in order to authenticate the user to the AS, then run OAuth (SAML first, OAuth after)
Demo

Copyright © 2011. Cloud Identity Summit. All Rights Reserved.
SAML & JWT & OAuth

Layering, from the core up:
• OAuth – core protocol
• Assertion profile – how to use assertions for client authentication and as a grant type
• SAML / JWT – profiles of the assertion profile for specific assertion formats
SAML & JWT & OAuth

• Use a SAML assertion or a JWT for OAuth client authentication and/or as an OAuth grant type

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=i1WsRn1uB1&client_id=s6BhdRkqt3&
client_assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&
client_assertion=PHNhbWxwOl…...ZT

Here the client is authenticating to the AS token endpoint using an assertion rather than a client secret.
[Diagram: SAML, SCIM, OAuth and JWT, with OpenID Connect added]
OpenID Connect == JWT & OAuth & identity

• OAuth is a general mechanism to authorize API access; OpenID Connect profiles that generic mechanism for the purposes of sharing profile information and enabling an SSO protocol
• Uses the authz code and implicit grant types – the pieces of OAuth optimized for user-consent scenarios
• Leverages the authorization and token endpoints and adds identity-based params to the core OAuth messages
OpenID Connect

• OpenID Provider
  – Adds to the OAuth 2.0 Authorization Service
    • Issues an id_token in addition to the access_token
  – Codifies a standardized Resource Service
    • UserInfo Endpoint
• Relying Party
  – OAuth client to the endpoints exposed by the OpenID Provider
    • Implicit Grant or Authorization Code Flows
[Diagram: Base OAuth. 1) GET A TOKEN: the Client obtains a token from the AS, via the User Agent. 2) USE A TOKEN: the Client presents the token to the RS. The diagram ignores the distinction as to whether the tokens actually flow front-channel, or instead back-channel after a front-channel step.]
[Diagram: OpenID Connect on top of Base OAuth. 1) GET A TOKEN: the Client obtains tokens from the AS, via the User Agent. 2) READ A TOKEN: the Client itself reads the token it received (the id_token). 3) USE A TOKEN: the Client presents the access token to the UserInfo endpoint, the RS. As before, the diagram ignores whether the tokens flow front-channel or back-channel after a front-channel step.]
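Added example (not the deck's code) of the two JWT consumers this section describes: the AS verifying a JWT client assertion at the token endpoint, as in the token request slide above, and the RP reading an id_token in the '2) READ A TOKEN' step. The jwt-bearer client assertion type URN is the IETF one; HS256 with a shared secret, the key-lookup callables and every sample value are assumptions made to keep the example stdlib-only.

```python
import base64, hashlib, hmac, json, urllib.parse

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT (stdlib-only; a real AS or OP would use an asymmetric key)."""
    segs = [_b64url(json.dumps(part, separators=(",", ":")).encode())
            for part in ({"alg": "HS256", "typ": "JWT"}, claims)]
    sig = hmac.new(key, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [_b64url(sig)])


def verify_jwt(token: str, key_for_issuer, audience: str, now: int):
    """Checks shared by both consumers below: signature, known iss, aud, exp. None = reject."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header, claims = json.loads(_unb64url(h_b64)), json.loads(_unb64url(c_b64))
        sig = _unb64url(s_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # the verifier, not the token, picks the algorithm
        return None
    key = key_for_issuer(claims.get("iss"))  # unknown issuer -> no key -> reject
    if key is None:
        return None
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


def client_assertion_request(code, client_id, token_endpoint, key, jti, now, ttl=60):
    """Client side of the token request above: a JWT stands in for the client secret."""
    assertion = sign_jwt({"iss": client_id, "sub": client_id, "aud": token_endpoint,
                          "iat": now, "exp": now + ttl, "jti": jti}, key)
    return urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
                                   "client_id": client_id, "client_assertion_type": JWT_BEARER,
                                   "client_assertion": assertion})


def verify_client_assertion(assertion, client_keys, token_endpoint, now, seen_jti):
    """AS side: aud must be this token endpoint, iss == sub, and the jti must be unused."""
    claims = verify_jwt(assertion, client_keys.get, token_endpoint, now)
    if claims is None or claims.get("sub") != claims["iss"]:
        return None
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        return None
    seen_jti.add(jti)  # replay cache; in practice expire entries with the assertion lifetime
    return claims


def verify_id_token(id_token, op_keys, client_id, expected_nonce, now):
    """RP side of '2) READ A TOKEN': aud is the RP's client_id, nonce ties it to this login."""
    claims = verify_jwt(id_token, op_keys.get, client_id, now)
    if claims is None or not claims.get("sub") or claims.get("nonce") != expected_nonce:
        return None
    return claims
```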
[Diagram: SAML, SCIM, OAuth and JWT, with UMA added]
UMA == OAuth + centralized authz
1. OAuth allows for pairwise app-to-app connections. UMA, in
   addition, defines a hub from which many pairwise sharing
   connections can be managed, controlled, and revoked.
2. OAuth solves for person-to-self sharing. UMA, in addition, solves
   for secure person-to-person sharing and person-to-organization
   sharing.
3. OAuth leaves unstated how its "authorization server" and
   "resource server" components interact. UMA fully defines a
   standard interface between its enhanced versions of these two
   components, the authorization manager and host.
                                                   From UMA FAQ
[Diagram: SAML, SCIM, OAuth and JWT, with XACML? added]
XACML?

Speculative
• XACML policy (a TBD JSON binding) inside a JWT???
  • Extends the simple scope model
• Interplay between SCIM-provisioned attributes & SaaS XACML policies?
• RESTful authz query for XACML?
  • PEP sends an access token to the PDP (along with scopes); the PDP resolves the token as necessary and returns yes/no to the PEP
[Diagram: the AS issues a token to the Client; the Client presents it to the PEP in front of the RS; the PEP queries the PDP, which returns y/n]
Questions


Editor's notes

  1. Fly in the ointment is XACML
  2. Acknowledge that there is a SAML/XACML profile – but nobody uses it. What of composing XACML with OAuth – both nominally focussed on authz. What about carrying XACML in JWT etc etc