Vikas Jain, Director, Product Management, Application Security and Identity Products, Intel Corporation. Twitter: @VikasJainTweet. Blog: blogs.intel.com/cloud-access-security
OAuth, OpenID, SAML: Making Sense of the Alphabet Soup for Cloud Identities
Topic Agenda
• Cloud Identities
• SAML
• OAuth
• OpenID
• Key Takeaways
• Intel/McAfee Products
Cloud Identity Alphabet Soup: SCIM (System for Cross-domain Identity Management, provisioning), UMA (User-Managed Access), OAuth, SAML, OpenID, JWT (JSON Web Token), Portable Contacts
Why were these Standards created? Drivers
• SAML: widely adopted in Enterprises, weak adoption among consumers
• OAuth: started for consumer use cases (Twitter, Facebook, etc.), moving into the Enterprise
• OpenID: started for consumer use cases (Google, Yahoo, etc.), moving into the Enterprise
SAML - Security Assertion Markup Language. Mature standard (OASIS; SAML 2.0 ratified in 2005) ... but carries the legacy of XML: verbose messages, XML Signature with its canonicalization rules, and XML parsers that must be hardened before they see untrusted assertions.
SAML Assertion (Portable Identity Container)
• Subject: the user identifier
• Attribute Statements: user attributes
• Authentication Statement: information about the authentication context
Describes the user's identity in XML format for exchange across domain boundaries.
SAML Assertion Example (the ds:Signature element an IdP normally adds is omitted on the slide)
<ns2:Assertion ID="RbefeiCOM4ztlN2RHr9unkpQ" IssueInstant="2010-10-21T13:59:07.953-04:00" Version="2.0"
    xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
  <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ServerXYZ</ns2:Issuer>
  <ns2:Subject>
    <ns2:NameID Format="- - -">NameIdStatic</ns2:NameID>
    <ns2:SubjectConfirmation OptionalInformationHere>
      <ns2:SubjectConfirmationData OptionalInformationHere/>
    </ns2:SubjectConfirmation>
  </ns2:Subject>
  <ns2:Conditions NotBefore="2010-10-21T13:58:57.953-04:00" NotOnOrAfter="2010-10-21T14:01:01.265-04:00">
    <ns2:AudienceRestriction>OptionalInformationHere</ns2:AudienceRestriction>
  </ns2:Conditions>
  <ns2:AuthnStatement AuthnInstant="2010-10-21T13:59:07.953-04:00" SessionIndex="c+dWjVJ24DMVNNo1U/cr+hgfywg=PWUYaQ==" SessionNotOnOrAfter="2010-10-21T14:01:01.328-04:00">
    <ns2:AuthnContext> - - - </ns2:AuthnContext>
  </ns2:AuthnStatement>
  <ns2:AttributeStatement>
    <ns2:Attribute Name="Attr1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <ns2:AttributeValue>Attr1value</ns2:AttributeValue>
    </ns2:Attribute>
  </ns2:AttributeStatement>
</ns2:Assertion>
Note the two-minute validity window in Conditions and the AudienceRestriction: a relying party must enforce both, not just the subject.
SAML Protocols, Bindings, and Profiles (the layers of the standard)
• Assertions: the XML identity container described above
• Protocols: request/response messages used to get assertions
• Bindings: map protocol messages onto standard messaging (e.g. HTTP Redirect, HTTP POST, SOAP)
• Profiles: use case flows that combine assertions, protocols and bindings and define how SAML assertions are used (e.g. the Web Browser SSO Profile)
SAML Use Case #1: Web Federated SSO for Cloud and Partner Apps
The browser authenticates to the Identity Provider's (IdP) SAML server against the enterprise user store; the IdP issues an assertion that the browser carries to the Service Provider's (SP) SAML server, which verifies the identity and admits the user to the SAML-enabled app. Each side keeps its own user store; no password crosses the domain boundary.
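What the SP's "Verify Identity" step has to check before it trusts the subject is easy to get wrong, so here is an added example (not code from the slides or from any Intel/McAfee product) that parses an assertion with the structure of the example slide and enforces issuer, validity window, audience, subject and the presence of an authentication statement. The sample assertion, the SP entityID `https://sp.example.com/saml` and the fixed clock are constructed for the demo. XML signature verification is deliberately left out: it needs an XML-DSig library (e.g. xmlsec) and the IdP certificate, and it must pass before any of these checks mean anything, since an unsigned assertion can claim any subject.

```python
"""Service-provider-side checks on a SAML 2.0 assertion. Added example, not code from
the slides or any Intel/McAfee product. Signature verification (XML-DSig against the
IdP certificate) is out of scope here and must run first in a real SP. For untrusted
XML prefer defusedxml over the stdlib parser."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample modelled on the slide's assertion (placeholders filled in, no signature).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="RbefeiCOM4ztlN2RHr9unkpQ" Version="2.0" IssueInstant="2010-10-21T13:59:07.953-04:00">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ServerXYZ</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">NameIdStatic</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-10-21T13:58:57.953-04:00" NotOnOrAfter="2010-10-21T14:01:01.265-04:00">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-10-21T13:59:07.953-04:00" SessionIndex="c+dWjVJ24DMVNNo1U/cr+hgfywg=">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="Attr1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Attr1value</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
IDP_ENTITY_ID = "ServerXYZ"                        # as on the slide
SP_ENTITY_ID = "https://sp.example.com/saml"       # assumed SP entityID
FIXED_NOW = datetime.fromisoformat("2010-10-21T14:00:00-04:00")   # inside the 2-minute window
LATER = FIXED_NOW + timedelta(minutes=5)                           # after NotOnOrAfter


class AssertionRejected(Exception):
    pass


def _instant(value: str) -> datetime:
    # xsd:dateTime; fromisoformat() takes a numeric offset but not 'Z' before Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, expected_issuer, expected_audience, now=None,
                       skew=timedelta(seconds=30)):
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise AssertionRejected("issuer is not the trusted IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        raise AssertionRejected("missing validity window")
    if now + skew < _instant(cond.get("NotBefore")) or now - skew >= _instant(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise AssertionRejected("assertion not addressed to this SP")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise AssertionRejected("missing subject NameID")
    if root.find("saml:AuthnStatement", NS) is None:
        raise AssertionRejected("no AuthnStatement: not usable for SSO")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"subject": name_id.text, "name_format": name_id.get("Format"), "attributes": attrs}


def outcome(now=FIXED_NOW, audience=SP_ENTITY_ID) -> str:
    """Run the sample through the validator and report accept/reject as a string."""
    try:
        return "accepted:" + validate_assertion(SAMPLE_ASSERTION, IDP_ENTITY_ID, audience, now)["subject"]
    except AssertionRejected as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    print(outcome())                                        # accepted:NameIdStatic
    print(outcome(now=LATER))                               # rejected: outside validity window
    print(outcome(audience="https://other-sp.example.com")) # rejected: not addressed to this SP
```

The clock-skew allowance is deliberately small (30 s); a window of two minutes, as on the slide, leaves little room for drift between IdP and SP, so synchronised clocks are part of the deployment, not an afterthought.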
SAML Use Case #2: Web Service Access Control
The web service client app (consumer side) sends a SOAP message through its XML gateway, which authenticates the user against the consumer's user store and inserts a SAML token into the WS-Security header. The provider's XML gateway verifies the SAML token against its own user store and trust configuration before passing the call to the web service.
SAML Use Case #3: API Access Control
The same pattern for REST-style APIs: the API client app (consumer side) calls through its XML gateway, which inserts a SAML token into an HTTP header; the API provider's XML gateway verifies the SAML token against its own user store before forwarding the request to the API.
OAuth Provides API Authorization (draft 26 at the time of this talk; the draft became RFC 6749 in October 2012)
Before OAuth, HTTP Basic authentication was the primary way API providers authenticated clients: the client sent the user's username and password on every call. Scoped, revocable access on behalf of a user wasn't possible.
OAuth 2 Protocol Flow (Abstract version)
Roles: User / Resource Owner, Client, Authorization Server, Resource Server
1. Authorization Request (client to resource owner)
2. Authorization Grant (resource owner to client)
3. Authorization Grant and Client Credentials (client to authorization server)
4. Access Token (authorization server to client)
5. Access Token (client to resource server)
6. Resource (resource server to client)
The access token allows the client to access the resource on behalf of the user.
OAuth Enterprise Use Case #1: Mobile App for Enterprise Apps
The mobile app accesses the enterprise app using OAuth; the user is authenticated by the OAuth AS using enterprise credentials.
Benefits
• Enables mobile access for employees
• Authenticated by the enterprise
• Enterprise user passwords are not stored on the mobile device
Source: Sep 29, 2011, "Enterprise Use Cases for Open Identity: OpenID and OAuth", Gartner report by Bob Blakley
OAuth Enterprise Use Case #2: Mobile App for SaaS Apps
The mobile app accesses the SaaS app using OAuth; the user is authenticated (with the OAuth AS) using a SAML assertion from the enterprise.
Benefits
• Enables employee access to the SaaS app via mobile
• Authenticated by the enterprise
• Enterprise user passwords are not stored on the mobile device or in the SaaS app
Source: Sep 29, 2011, "Enterprise Use Cases for Open Identity: OpenID and OAuth", Gartner report by Bob Blakley
OAuth Enterprise Use Case #3: Enterprise User accesses Partner REST App
The enterprise app accesses the partner REST app over OAuth; the user is authenticated (with the partner's OAuth AS) using a SAML assertion from the enterprise.
Benefits
• Access data in the partner app under the user's identity
• Allows the enterprise app to make API calls on the user's behalf
• Enterprise user passwords are not shared with the partner
Source: Sep 29, 2011, "Enterprise Use Cases for Open Identity: OpenID and OAuth", Gartner report by Bob Blakley
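The abstract flow above and use cases #2/#3 (a SAML assertion from the enterprise used as the OAuth grant) are easier to reason about with both sides in code. The following is an added example, not code from the slides or from any Intel/McAfee product: a toy authorization server that issues single-use codes and access tokens, a resource server that enforces scope, and a walkthrough of use case #1 (mobile app, authorization-code grant) and use case #3 (enterprise app presenting an assertion to a partner AS, the SAML 2.0 bearer assertion grant type of RFC 7522). The client registrations, the token endpoint `https://as.partner.example/token` and the IdP key are constructed; the "assertion" is a pipe-delimited string with an HMAC standing in for the IdP's XML signature, which a real AS would verify with XML-DSig.

```python
"""Toy OAuth 2.0 authorization server (AS), resource server (RS) and clients in one file.
Added example, not code from the slides or any Intel/McAfee product: the abstract flow
(steps 1-6) with the authorization-code grant, plus an enterprise SAML assertion as the
grant for use cases #2/#3 (SAML 2.0 bearer assertion grant, RFC 7522). The assertion is a
constructed 'subject|audience|expiry|mac' string; its HMAC stands in for XML-DSig."""
import hashlib, hmac, secrets
from dataclasses import dataclass, field
SAML_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_ENDPOINT = "https://as.partner.example/token"   # assumed AS identity; assertions must name it

def sign_assertion(idp_key: bytes, subject: str, audience: str, exp: float) -> str:
    """Enterprise IdP side: a signed, time-limited, audience-restricted bearer assertion."""
    body = f"{subject}|{audience}|{int(exp)}"
    return body + "|" + hmac.new(idp_key, body.encode(), hashlib.sha256).hexdigest()

@dataclass
class AuthorizationServer:
    clients: dict      # client_id -> {"secret": str | None, "redirect_uri": str}; None = public client
    idp_key: bytes     # trust anchor for enterprise assertions
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def authorize(self, client_id, redirect_uri, scope, user, now):
        """Steps 1-2: user logs in at the AS and consents; client gets a short-lived, single-use code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "exp": now + 60}
        return code

    def token(self, grant_type, client_id, client_secret=None, *, now, **params):
        """Steps 3-4: client presents the grant plus its own credentials; AS returns an access token."""
        client = self.clients.get(client_id)
        if client is None or (client["secret"] is not None
                              and not hmac.compare_digest(client_secret or "", client["secret"])):
            raise PermissionError("client authentication failed")
        if grant_type == "authorization_code":
            grant = self.codes.pop(params.get("code"), None)        # pop: a code is single-use
            if (grant is None or grant["client_id"] != client_id
                    or grant["redirect_uri"] != params.get("redirect_uri") or grant["exp"] < now):
                raise PermissionError("invalid authorization code")
            return self._issue(grant["user"], grant["scope"], client_id, now)
        if grant_type == SAML_BEARER:
            parts = params.get("assertion", "").split("|")
            if len(parts) != 4:
                raise PermissionError("malformed assertion")
            subject, audience, exp, mac = parts
            expected = hmac.new(self.idp_key, "|".join(parts[:3]).encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, expected):
                raise PermissionError("assertion signature invalid")
            if audience != TOKEN_ENDPOINT or int(exp) < now:
                raise PermissionError("assertion expired or not addressed to this AS")
            return self._issue(subject, params.get("scope", ""), client_id, now)
        raise PermissionError("unsupported_grant_type")

    def _issue(self, user, scope, client_id, now):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": user, "scope": set(scope.split()), "client": client_id, "exp": now + 3600}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": scope}

def get_resource(tokens, path, required_scope, bearer, now):
    """Steps 5-6 at the RS: check the token and its scope; the RS never sees the user's password."""
    t = tokens.get(bearer)   # shared store for the demo; real RSs use introspection or signed tokens
    if t is None or t["exp"] < now:
        return 401, "invalid_token"
    if required_scope not in t["scope"]:
        return 403, "insufficient_scope"
    return 200, f"{path} for {t['sub']}"

def rejected(request) -> bool:   # demo helper: True if the AS refuses the request
    try:
        request()
        return False
    except PermissionError:
        return True

def run_demo(now=1_700_000_000.0):
    """Constructed walkthrough of use cases #1 and #3; returns the outcomes for inspection."""
    idp_key = b"enterprise-idp-signing-key"                                  # constructed trust anchor
    as_ = AuthorizationServer(idp_key=idp_key, clients={
        "mobile-app": {"secret": None, "redirect_uri": "app://cb"},
        "enterprise-app": {"secret": "ent-secret", "redirect_uri": "https://intranet/cb"}})
    out = {}   # Use case #1: the mobile app receives a code after alice logs in at the enterprise AS
    code = as_.authorize("mobile-app", "app://cb", "calendar:read", user="alice", now=now)
    tok = as_.token("authorization_code", "mobile-app", now=now, code=code, redirect_uri="app://cb")
    out["mobile_read"] = get_resource(as_.tokens, "/calendar", "calendar:read", tok["access_token"], now)[0]
    out["mobile_write"] = get_resource(as_.tokens, "/calendar", "calendar:write", tok["access_token"], now)[0]
    out["code_replay_rejected"] = rejected(lambda: as_.token(
        "authorization_code", "mobile-app", now=now, code=code, redirect_uri="app://cb"))
    # Use case #3: the enterprise app trades a SAML assertion about bob for a partner API token
    assertion = sign_assertion(idp_key, "bob@enterprise.example", TOKEN_ENDPOINT, now + 300)
    tok2 = as_.token(SAML_BEARER, "enterprise-app", "ent-secret", now=now, assertion=assertion, scope="orders:read")
    out["partner_read"] = get_resource(as_.tokens, "/orders", "orders:read", tok2["access_token"], now)[0]
    out["forged_assertion_rejected"] = rejected(lambda: as_.token(        # tampered subject: MAC mismatch
        SAML_BEARER, "enterprise-app", "ent-secret", now=now, assertion=assertion.replace("bob", "eve"), scope="orders:read"))
    return out
```

Call `run_demo()` to see the outcomes: the read succeeds (200), the write is refused for lack of scope (403), the replayed code and the forged assertion are both rejected. Note what the resource server never handles: a password. It checks a token, its expiry and its scope, which is the whole point of the "scoped access" the slide contrasts with HTTP Basic. The mobile client is registered as a public client with no secret; at the time of this deck that was the open problem for native apps, later addressed by PKCE (RFC 7636).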
OAuth Enterprise Use Case #4: Partner App accesses Enterprise REST App
The partner app accesses the enterprise REST app over OAuth, authenticating itself (with the partner OAuth AS) using an application password (the client-credentials pattern).
Benefits
• Enterprise exposes a REST interface to the partner
• Quick adoption: the partner doesn't need to implement a SAML server
• Partner app authentication secrets are not exposed
Source: Sep 29, 2011, "Enterprise Use Cases for Open Identity: OpenID and OAuth", Gartner report by Bob Blakley
OAuth Enterprise Use Case #5: Temp Workers access Enterprise App using Facebook Login
Contract workers and affiliates access the enterprise app by authenticating with their Facebook login (Facebook's OAuth AS) plus an enterprise OTP.
Benefits
• Enterprise doesn't have to manage temp identities
• OTP provides additional security
• Temp workers don't have to remember another password
(Flow on the slide: Temp Worker, Facebook login, Enterprise AS & OTP, Enterprise Application)
OpenID Provides Federated Login (draft 10)
Originally developed to prevent anonymous users from posting spam to blog comment fields. The user identifier is a URI that is unique across all users. Messages are based on key-value pairs. Carries some similarities with SAML: an identity provider asserts who the user is to a relying party.
OpenID Connect Protocol Suite: layers an identity (authentication) layer on top of OAuth 2 as the successor to OpenID 2, making OpenID API friendly: JSON and REST, with the authentication result carried as a JWT (the ID Token) alongside the OAuth access token.
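"API friendly" concretely means the relying party gets a signed JSON token instead of an XML assertion, and the checks it must apply mirror the SAML ones. The following is an added example, not code from the slides or from any Intel/McAfee product: relying-party validation of an ID Token (signature, issuer, audience, expiry, nonce). The issuer `https://op.example.com`, client_id `client-123` and client secret are constructed; the HS256 option is used (key = client secret, permitted by OpenID Connect Core section 10.1) so it runs on the standard library, whereas most providers sign with RS256 and publish keys via JWKS.

```python
"""Relying-party (RP) validation of an OpenID Connect ID Token. Added example, not code
from the slides or any Intel/McAfee product. HS256 with the client secret as key is used
so this runs on the standard library; production RPs usually verify RS256 via JWKS."""
import base64, hashlib, hmac, json, time

OP_ISSUER = "https://op.example.com"          # assumed OpenID Provider issuer
CLIENT_ID = "client-123"                      # assumed RP client_id
CLIENT_SECRET = b"constructed-client-secret"  # constructed; doubles as the HS256 key

class IdTokenInvalid(Exception):
    pass

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_id_token(secret: bytes, claims: dict) -> str:
    """Provider side; used here only to construct a token for the demo."""
    segs = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode())
            for x in ({"alg": "HS256", "typ": "JWT"}, claims)]
    sig = hmac.new(secret, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [_b64url_encode(sig)])

def validate_id_token(token, secret, issuer, client_id, expected_nonce=None, now=None, skew=60):
    """Checks from OpenID Connect Core 3.1.3.7, in the order an RP should apply them."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:                      # wrong segment count, bad base64url, bad JSON
        raise IdTokenInvalid("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IdTokenInvalid("malformed token")
    # Pin the algorithm the RP registered for; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise IdTokenInvalid("unexpected alg %r" % header.get("alg"))
    if not hmac.compare_digest(sig, hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()):
        raise IdTokenInvalid("bad signature")
    if claims.get("iss") != issuer:
        raise IdTokenInvalid("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise IdTokenInvalid("token not issued to this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IdTokenInvalid("azp must name this client when aud lists several")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] + skew < now:
        raise IdTokenInvalid("expired or missing exp")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise IdTokenInvalid("nonce mismatch: replayed or injected token")
    if not claims.get("sub"):
        raise IdTokenInvalid("missing sub")
    return claims

def demo(now=1_700_000_000):
    """Constructed login: the OP mints a token carrying the RP's nonce; the RP validates it
    and then rejects a tampered copy, a token from another request, and a stale one."""
    nonce = "n-0S6_WzA2Mj"
    token = mint_id_token(CLIENT_SECRET, {"iss": OP_ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
                                          "exp": now + 300, "iat": now, "nonce": nonce})
    h, p, s = token.split(".")
    tampered = f"{h}.{p}." + ("B" if s[0] == "A" else "A") + s[1:]   # first signature byte altered
    out = {"good": validate_id_token(token, CLIENT_SECRET, OP_ISSUER, CLIENT_ID, nonce, now)["sub"]}
    for label, tok, n, t in (("tampered", tampered, nonce, now),
                             ("replayed", token, "nonce-of-another-request", now),
                             ("stale", token, nonce, now + 3600)):
        try:
            validate_id_token(tok, CLIENT_SECRET, OP_ISSUER, CLIENT_ID, n, t)
            out[label] = "accepted"
        except IdTokenInvalid as e:
            out[label] = "rejected: " + str(e)
    return out

if __name__ == "__main__":
    print(demo())
```

The nonce is the OIDC counterpart of SAML's InResponseTo: the RP generates it per login request, stores it in the session, and refuses any ID Token that does not echo it, which is what stops a token captured from one login from being replayed into another.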
OpenID Enterprise Use Cases OpenID has the potential to accelerate the BYOI (Bring Your Own Identity) movement into the Enterprise
Key Takeaways: each protocol was built for particular use cases, so choose by use case
• SAML: web federated SSO, and carrying identity in web-service and API calls (SAML use cases #1-#3)
• OAuth: delegated API authorization for mobile, partner and BYOI access (OAuth use cases #1-#5)
• OpenID / OpenID Connect: federated login and Bring Your Own Identity
McAfee Cloud Security Platform (www.mcafee.com/cloudsecurity)
Unified management, policy and reporting with ePO integration; delivered as SaaS or appliance and backed by Global Threat Intelligence. Connects enterprise users, enterprise mobile users and private cloud applications to the cloud ecosystem (cloud vendors, partners, applications, customers).
Modules: Email Security, Data Loss Prevention, Web Security, Web Authentication, Services Gateway, Identity Manager
Intel Expressway Service Gateway – for REST APIs
Security and compliance
• FIPS 140-2 Level 3 crypto
• Common Criteria EAL4+
• DoD STIG ready and PKI certified
• HSM PKI key storage
• Cavium crypto acceleration
• Form factors: software, virtual, and tamper-resistant appliance
Performance
• 2x hard appliances
• Tie-in to chip roadmap
• Efficient XML parsing at machine level
No programming
• Routing, transformation, validation
• Service call-outs
• Firewall rules
• Simple visual environment
Protocol agnostic and flexible
• REST, SOAP
• XML, non-XML
• HTTP, FTP, TCP
Intel Expressway Cloud Access 360 – for Cloud SSO (also available as McAfee Identity Manager)
Enterprise to Cloud SSO: securing custom or SaaS apps, to the cloud and in the cloud, with AD on the enterprise side and SAML towards the apps. Combines enterprise-class strong authentication with SSO.
Secure SSO
• Federate Windows/AD login
• To popular SaaS like Salesforce & Google Apps
Adaptive Strong Auth
• Selectively apply second-factor OTP authentication
• Variety of software authentication methods and devices: mobile devices, SMS, email
Regulatory Compliance
• Rich audit trail of user logins showing the authentication level
• De-provisioning and orphan account reports
Provision Access
• Provision/de-provision user accounts
• AD integration
• Sync identity profiles
Intel Cloud SSO - IAM-as-a-service
An SSO portal ("My Apps") reached from laptop, iPad, browser or mobile, with enterprise account provisioning and one-time passwords; covers Force.com apps and access to 100s of external SaaS apps.
• Delivers the same level of control as on-prem IAM
• Leverage Salesforce or enterprise accounts for SSO
• Trigger mobile and hardware-assisted authentication
Growing Influence on the Identity Community
• Visit www.intel.com/go/identity for tutorials, demos and thought leadership papers