360 likes | 373 Views
Vikas Jain, Director, Product Management Application Security and Identity Products Intel Corporation Twitter: @ VikasJainTweet Blog: blogs.intel.com/cloud-access-security. OAuth , OpenID, SAML Making Sense of the Alphabet Soup for Cloud Identities. Topic Agenda. Cloud Identities. SAML
E N D
Vikas Jain, Director, Product Management Application Security and Identity Products Intel Corporation Twitter: @VikasJainTweet Blog: blogs.intel.com/cloud-access-security OAuth, OpenID, SAMLMaking Sense of the Alphabet Soup for Cloud Identities
Topic Agenda Cloud Identities SAML OAUTH OpenID Key Takeaways Intel/McAfee Products
Cloud Identity Alphabet Soup SCIM UMA OAUTH SAML OpenID JWT Portable Contacts
Why were these Standards created? Drivers • Widely adopted in Enterprises, weak adoption in consumers • Started for consumer use cases (Twitter, Facebook, etc.), moving into the Enterprise • Started for consumer use cases (Google, Yahoo, etc.), moving into the Enterprise
SAML - Security Assertion Markup Language Mature standard … but carries the legacy of XML
SAML Assertion SAML Assertion (Portable Identity Container) Subject User Identifier Attribute Stmts XML User Attributes Authentication Stmt Info about authentication context … Describes user identity in XML format for exchange across domain boundaries
SAML Assertion Example <ns2:Assertion ID=“RbefeiCOM4ztlN2RHr9unkpQ” IssueInstant="2010-10-21T13:59:07.953-04:00" Version="2.0” xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion”> <ns2:Issuer Format=“urn:oasis:names:tc:SAML:2.0:nameid format:entity”>ServerXYZ</ns2:Issuer> <ns2:Subject> <ns2:NameID Format=”- - -”>NameIdStatic</ns2:NameID> <ns2:SubjectConfirmation OptionalInformationHere> <ns2:SubjectConfirmationData OptionalInformationHere/> </ns2:SubjectConfirmation> </ns2:Subject> <ns2:Conditions NotBefore="2010-10-21T13:58:57.953-04:00” NotOnOrAfter="2010-10-21T14:01:01.265-04:00"> <ns2:AudienceRestriction>OptionalInformationHere</ns2:AudienceRestriction> </ns2:Conditions> <ns2:AuthnStatement AuthnInstant="2010-10-21T13:59:07.953-04:00" SessionIndex="c+dWjVJ24DMVNNo1U/cr+hgfywg=PWUYaQ==" SessionNotOnOrAfter="2010-10-21T14:01:01.328-04:00"> <ns2:AuthnContext> - - - </ns2:AuthnContext> </ns2:AuthnStatement> <ns2:AttributeStatement> <ns2:Attribute Name=“Attr1” NameFormat=“urn:oasis:names:tc:SAML2.0:profiles:attributes:basic”> <ns2:AttributeValue>Attr1value</ns2:AttributeValue> </ns2:Attribute> </ns2:AttributeStatement> </ns2:Assertion>
SAML Protocols, Bindings, and Profiles Use case flows (combination of assertion, protocol, binding) Maps Protocols to std messaging(combines Assertion, protocol, binding ) Get Assertions (request/response) Defines how SAML Assertions are used
SAML Use Case #1: Web Federated SSO For Cloud and Partner Apps Identity Provider (IdP) Service Provider (SP) SAML Server SAML Server Browser SAML App Authenticate Verify Identity User Store User Store
SAML Use Case #2: Web Service Access Control Web Service Consumer Web Service Provider SOAP Message XML Gateway XML Gateway SAML (in WS-Security header) Insert SAML Token Verify SAML Token Web Service Client App User Store User Store
SAML Use Case #3: API Access Control API Consumer API Provider XML Gateway XML Gateway SAML (in HTTP header) Insert SAML Token Verify SAML Token API Client App User Store User Store
OAUTH Provides API Authorization (draft 26) Before OAUTH, HTTP Basic was primarily used by API providers to authenticate clients using username/password. Scoped access wasn’t possible.
OAUTH 2 Protocol Flow (Abstract version) User / Resource Owner Client 1. Authorization Request 2. Authorization Grant 3. Authorization Grant and Client Credentials Authorization Server 4. Access Token Resource Server 5. Access Token 6. Resource Access Token allows the client to access resource on behalf of the user
OAUTH Enterprise Use Case #1:Mobile App for Enterprise Apps Mobile App accesses Enterprise App using OAUTH authenticating the user (with OAUTH AS) using Enterprise credentials • Benefits • Enable Mobile access for Employees • Authenticated by the Enterprise • Enterprise user passwords not stored in Mobile Source: Sep 29, 2011, “Enterprise Use Cases for Open Identity: OpenID and OAuth” Gartner report by Bob Blakley
OAUTH Enterprise Use Case #2:Mobile App for SaaS Apps Mobile App accesses SaaS App using OAUTH authenticating the user (with OAUTH AS) using SAML assertion from the Enterprise • Benefits • Enable Employee access to SaaS app via Mobile • Authenticated by the Enterprise • Enterprise user passwords not stored in mobile or SaaS App Source: Sep 29, 2011, “Enterprise Use Cases for Open Identity: OpenID and OAuth” Gartner report by Bob Blakley
OAUTH Enterprise Use Case #3:Enterprise User accesses Partner REST app Enterprise App accesses Partner REST App over OAUTH authenticating the user (with Partner OAUTH AS) using SAML assertion from the Enterprise • Benefits • Access data in partner app under user’s identity • Allows Enterprise App to make API calls on user’s behalf • Enterprise user passwords not shared with Partner Source: Sep 29, 2011, “Enterprise Use Cases for Open Identity: OpenID and OAuth” Gartner report by Bob Blakley
OAUTH Enterprise Use Case #4:Partner App accesses Enterprise REST app Partner App accesses Enterprise REST App over OAUTH authenticating itself (with Partner OAUTH AS) using Application password • Benefits • Enterprise exposes REST interface to partner • Quick adoption: Partner doesn’t need to implement SAML server • Partner app authentication secrets not exposed Source: Sep 29, 2011, “Enterprise Use Cases for Open Identity: OpenID and OAuth” Gartner report by Bob Blakley
OAUTH Enterprise Use Case #5:Temp Workers access Enterprise App using FB Login Contract workers/Affiliates accesses Enterprise App authenticating themselves using Facebook login (with Facebook OAUTH AS) and Enterprise OTP • Benefits • Enterprise doesn’t have to manage temp identities • OTP provides additional security • Temp workers don’t have to remember another password Application Enteprise AS & OTP Enterprise Temp Worker
OpenID Provides Federated Login (draft 10) Originally developed to prevent anonymous users from posting spam to blog comment fields … User Identifierused is a URI that’s unique across all users. Based on key-value pairs. Carry some similarities with SAML.
OpenID Connect Protocol Suite Combines OAUTH 2 and OpenID 2 to make OpenID API friendly
OpenID Enterprise Use Cases OpenID has the potential to accelerate the BYOI (Bring Your Own Identity) movement into the Enterprise
Key Takeaways Protocol Built for Use Cases
McAfee Cloud Security Platform Cloud Ecosystem Unified Management, Policy and Reporting, ePO Integration Cloud Vendors Services Gateway Identity Manager Partners Applications Customers Modules Email Security Data Loss Prevention Web Security Web Authentication Email SaaS or Appliance Global Threat Intelligence Cloud Security Platform Enterprise Mobile Users Enterprise Users Private Cloud Applications www.mcafee.com/cloudsecurity
Intel Expressway Service Gateway – for REST APIs • FIPS 140-2 Level 3 Crypto • Common Criteria EAL4+ • DoD STIG Ready & PKI Certified • HSM PKI key storage • Cavium crypto acceleration • Form factors: software, virtual, and tamper resistant CODING Protocol Agnostic Performance No Programming Flexible • 2x hard appliances • Tie-in to chip roadmap • Efficient XMLparsing at machine level • Routing • Transform • Validation • Service Call-outs • Firewall rules • Simple visualenvironment • REST.,SOAP • XML, Non-XML • HTTP, FTP, TCP
Intel Expressway Cloud Access 360 – for Cloud SSO Enterprise to Cloud SSO Securing Custom or SaaS Apps To the Cloud In the Cloud AD SAML Apps Enterprise Combining Enterprise Class Strong Auth with SSO Adaptive Strong Auth Regulatory Compliance Secure SSO Provision Access • Federate windows/AD log in • To popular SaaS like Salesforce & Google Apps • Selectively apply 2nd factor OTP AuthN • Variety of software AuthN methods & devices- mobile devices, SMS, email • Rich audit trail of user login showing AuthN level • De-provision & orphan account reports • Provision/de-provision user accounts • AD integration • Sync Id Profiles Available as McAfee Identity Manager
Intel Cloud SSO - IAM-as-a-service My Apps Enterprise Account Provisioning One Time Password SSO Portal Laptop Force.com Apps iPad Access 100s of External SaaS Apps Browser Mobile • Delivers same level of control as on-prem IAM • Leverage Salesforce or enterprise accounts for SSO • Trigger mobile & hardware assisted authentication
Growing Influence on Identity Community • Visit: www.intel.com/go/identity Tutorials Demos Thought Leadership Papers