Managing Identity By Giving Up Control
K Scott Morrison, SVP & Distinguished Engineer, CA Technologies
Gartner AADI, December 2014

How Many Passwords Do You Have?

3   ©  2014  CA.  ALL  RIGHTS  RESERVED.  

The Italian Solution

How Do We Cope With Identity Proliferation?

Classic Centralized Control: here is the traditional approach for providing Identity and Access Management (IAM)

• Identity is managed centrally
• Formal and hierarchical
• Geared toward employees

[Diagram: an employee inside the enterprise network, behind the firewall, is authenticated by IAM against the directory before reaching applications and data]

This Extends Naturally To SSO

• Identity is still managed centrally
• Formal and hierarchical
• Administration of trust

[Diagram: the employee authenticates to an IdP; IAM trusts the IdP and grants access to applications and data inside the enterprise network, behind the firewall]

Classic Federation

[Diagram: a principal on the enterprise internal network sends a message plus a security token to a trading partner]

Pattern #1: SAML-based Federation

[Diagram: Principal, IdP, Service Provider fronting the data]

1) The principal authenticates to the IdP and acquires a SAML token
2) The principal sends the message plus the SAML token to the Service Provider, which validates the token and serves the data

Note that this demonstrates the SAML browser POST profile. The artifact profile is harder to do through corporate firewalls, because the Service Provider must open a back-channel connection to the IdP to resolve the artifact into the actual assertion.
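The Service Provider side of step 2, as an added example that is not from the deck: the checks an SP must make on a browser-POST Response once the XML signature has been verified. Everything here is constructed for illustration (the idp.example.org and sp.example.com names, the request ID _req42, the unsigned sample Response); signature verification needs an XML-DSig library such as xmlsec and is assumed to have already succeeded before these checks run.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed, unsigned sample Response; not captured from any real IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2014-12-09T18:00:00Z" InResponseTo="_req42"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-12-09T18:00:00Z">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">scott@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42"
            Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2014-12-09T18:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-12-09T17:59:00Z" NotOnOrAfter="2014-12-09T18:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="SFDC_USERNAME"><saml:AttributeValue>scott@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlError(Exception):
    pass


def parse_saml_time(text):
    """SAML timestamps are UTC xs:dateTime values; this accepts the whole-second form."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, idp_issuer, acs_url, sp_entity_id, outstanding_requests, now):
    """SP-side checks on a browser-POST Response. Run these only AFTER the XML signature has
    been verified against the IdP's known certificate; an unsigned assertion must never get here."""
    root = ET.fromstring(xml_text)          # for untrusted input prefer defusedxml.ElementTree.fromstring
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("IdP did not report success")
    if root.get("Destination") not in (None, acs_url):
        raise SamlError("Destination is not our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                 # ambiguity here is how signature-wrapping attacks start
        raise SamlError("expected exactly one Assertion, got %d" % len(assertions))
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != idp_issuer:
        raise SamlError("unexpected Issuer")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise SamlError("bearer confirmation missing or Recipient mismatch")
    if scd.get("InResponseTo") not in outstanding_requests:
        raise SamlError("unsolicited or replayed response (unknown InResponseTo)")
    if scd.get("NotOnOrAfter") and now >= parse_saml_time(scd.get("NotOnOrAfter")):
        raise SamlError("subject confirmation expired")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("no Conditions element")
    if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
        raise SamlError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise SamlError("assertion expired")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlError("assertion was issued for another audience")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attributes = {attr.get("Name"): [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
                  for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    outstanding_requests.discard(scd.get("InResponseTo"))   # one Response per AuthnRequest
    return {"name_id": name_id, "attributes": attributes}
```

The InResponseTo check is what turns a bearer assertion from "anyone who captures it can replay it" into "only the browser that started this login can finish it", which is why the SP has to remember the IDs of the AuthnRequests it issued.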

What Does It Mean To Have An Account?

[Diagram: directory, app server, data and objects, all tied to the same ID]

There is always something associated with an ID

What We Really Have Is A Synchronization Problem

[Diagram: partner identities held by the trading partner must be kept in sync, across the firewall, with objects in the enterprise directory]

High Administrative Burden

[Diagram: an admin at the trading partner and an admin at the IdP/relying party must each maintain the principal in their own directory]

Very Centralized Control
• Lots of ceremony
• Hard to set up
• Hard to maintain
• Self-service is tricky and implementation specific

It is 2014.

And We Have A Problem…


The Channel Explosion In Modern Business: traditional IAM struggles to meet this challenge

No Unified Access Model
• For employees
• For contractors
• For partners
• For apps, devices & machines
• For ?

[Diagram: partners, mobile devices, cloud, API/service clients and laptops all reaching applications and data on the enterprise network]

Identity Is Approaching Critical Mass

Today ("People Have Identity"):
• Internet users: 2.4B
• Average number of online IDs: 26
• Average number of Facebook friends: 336

Things, 2020 ("Things Have Identity"):
• Phones, tablets and laptops: 7.3B
• Things: 26.0B

Sources: Internet users, Internet World Stats Q1 2012: http://www.internetworldstats.com/stats.htm; Internet accounts, Experian July 2012: http://www.bbc.com/news/technology-18866347; Facebook, Pew Research: http://www.pewresearch.org/fact-tank/2014/02/03/6-new-facts-about-facebook/

Diversity!

Speed!

Look To Social Networking For Inspiration

Conceptually Here Is What Happens

1. User Scott posts a new tweet to Twitter
2. Twitter posts the tweet to Facebook on the user's behalf

A Bad First Attempt: Stored Passwords (this is the "password anti-pattern")

• Scott sends his Facebook password to Twitter
• Twitter stores it and uses the Facebook password to act as Scott

Twitter now holds a credential that lets it do everything Scott can do on Facebook, not just post tweets, and the only way for Scott to revoke it is to change his Facebook password.

OK, So Let's Try SAML

• Scott authenticates to Twitter using his Twitter password
• Twitter vouches to Facebook that it authenticated Scott

But There Are Problems…

• How can we associate these different representations of Scott (the Twitter one and the Facebook one)?
• Where are the limits on what Twitter can do?

Here's A Smarter Approach

Security Assertion Markup Language (SAML)

OAuth

    "access_token":"2YotnFZFEjr1zCsicMWpAA"

(the example token value from RFC 6749; an OAuth access token is an opaque string as far as the client is concerned)

ID Token (From OpenID Connect)

    eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ4OWRmMzE3YzIyYzY3NTZkOTUyMTVk
    YjQ1NTA5MjY0N2RmNWIxNmEifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY
    29tIiwiZW1haWwiOiJ0aW1icmF5QGdtYWlsLmNvbSIsImVtYWlsX3Zlcmlma
    WVkIjoidHJ1ZSIsInN1YiI6IjEwNzYwNjcwMzU1ODE2MTUwNzk0NiIsImF1Z
    CI6IjQwNzQwODcxODE5Mi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsI
    mF0X2hhc2giOiJyTC1jVml3OTJtYW5EUU1MdU1tTEt3IiwiYXpwIjoiNDA3N
    DA4NzE4MTkyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaWF0IjoxM
    zY1MDk5MTUxLCJleHAiOjEzNjUxMDMwNTF9.GeqJOTJSMaQjo33wxM-3f5k5
    FIEADqxd3K4zS0pWgWjtqwDldbpGgmxwTytgvtXKjFu7dtZx6TUXPnDhLBti
    MjtkTyPGZbm65RwG0arSLqH-iDelceDR5HDABhOBqXjsi19rdnC3TAWf5Dpe
    QYZt9uSSgPseGW2wh6OO5izat48

(one string, wrapped here for display: three base64url segments separated by dots)

Source: Tim Bray, Ongoing https://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens

ID Token (cont.): It's Just A JSON Web Token (JWT)

    {
      "issuer": "accounts.google.com",
      "issued_to": "407408718192.apps.googleusercontent.com",
      "audience": "407408718192.apps.googleusercontent.com",
      "user_id": "10315112535234507946",
      "expires_in": 3089,
      "issued_at": 1365099151,
      "email": "[email protected]",
      "email_verified": true
    }

This JSON is what Google's tokeninfo endpoint returns after validating the token. The JWT payload itself carries the same facts under the standard claim names (iss, sub, aud, azp, iat, exp), and its header names the signature algorithm (RS256) and key ID. Either way, a relying party must check the signature, issuer, audience and expiry before trusting a single claim.

Source: Tim Bray, Ongoing https://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens
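Minting and validating a JWT of this shape, as an added example that is not from the deck or from Google: the Google token above is RS256-signed and would be verified with the issuer's published public key, so this example uses HS256 with a constructed demo key to stay self-contained and keep the claim checks (issuer, audience, authorized party, expiry, signature, algorithm allow-list) in plain stdlib Python. The key, the sub value and the email address are illustrative.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and claims; the claim layout mirrors the Google-issued token above.
DEMO_KEY = b"demo-hmac-key-not-a-real-secret"
DEMO_CLAIMS = {"iss": "accounts.google.com", "sub": "10315112535234507946",
               "aud": "407408718192.apps.googleusercontent.com",
               "azp": "407408718192.apps.googleusercontent.com",
               "email": "scott@example.com", "email_verified": True,
               "iat": 1365099151, "exp": 1365103051}


class InvalidIDToken(Exception):
    pass


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))   # JWTs drop the '=' padding


def mint_hs256(claims, key):
    """Issuer side: header.payload.signature, each segment base64url without padding."""
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(segments)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def validate_id_token(token, key, expected_iss, expected_aud, now):
    """Relying-party side: verify the signature first, then the claims an RP must check."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError as exc:             # wrong segment count, bad base64 or bad JSON
        raise InvalidIDToken("malformed token") from exc
    # Never let the token choose its own algorithm: 'none' and RS/HS confusion attacks start here.
    if header.get("alg") != "HS256":
        raise InvalidIDToken("algorithm %r not allowed" % header.get("alg"))
    expected_mac = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, b64url_decode(sig_b64)):
        raise InvalidIDToken("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise InvalidIDToken("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidIDToken("token was not issued for this client")
    if "azp" in claims and claims["azp"] != expected_aud:
        raise InvalidIDToken("authorized party is another client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise InvalidIDToken("token expired or carries no exp")
    if claims.get("iat", 0) > now + 60:
        raise InvalidIDToken("issued in the future beyond 60s clock skew")
    return claims
```

The order matters: the signature is checked before any claim is read, so a forged payload never influences the decision, and the algorithm is pinned by the verifier rather than read from the header.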

Here's How 3-Legged OAuth Works

[Diagram: User Scott, OAuth Client (Twitter), OAuth Authorization & Resource Servers (Facebook)]

1. Scott authenticates to Twitter using his Twitter password
2. Scott authenticates to Facebook using his Facebook password
3. Scott grants Twitter limited capabilities on Facebook; Facebook hands back an authorization code (0A3DB28…)
4. Twitter uses the code (0A3DB28…) to acquire an access token to post tweets to Facebook

Here's What It Looks Like When We're Done

[Diagram: User Scott, OAuth Client (Twitter), OAuth Authorization & Resource Servers (Facebook)]

• Scott posts a tweet: "I'm in Las Vegas at Gartner AADI"
• Twitter sends the tweet plus the access token authorizing Twitter to post for Scott to Facebook
• The same tweet, "I'm in Las Vegas at Gartner AADI", appears on Facebook

But OAuth Also Enables NASCAR-style Sign On (a login page plastered with a row of social-provider buttons)

Screenshot taken from sears.com

Let's Call This Pattern #2: Social Sign-On

[Diagram: User, OAuth Client, OAuth Authorization Server fronting the data]

1) The user authenticates to the authorization server and gets a code
2) The code is passed to the client (through the user's browser redirect)
3) The client validates the code with the authorization server and gets an access token

This demonstrates grant_type=authorization_code. Note the user never sees the access token; only the client sees it. The user's session must be managed using other means (e.g. a session cookie).

This Is Actually A Profound Shift In Identity Mgmt

The Old Enterprise → The New Hybrid Enterprise

This is the secret to achieving scale and agile federation

What Is Really Different Here?

• Integration with simple RESTful APIs
• Very loose coupling
• Very low ceremony
• Very loose relationships driven by the caller
  • Client to authorization server
  • User to client

This all adds up to a distribution of responsibility that scales with the number of users

But We're Not Quite At Federation

• We have simple Single Sign-On
• But what about attributes?

In SAML they travel in an AttributeStatement, for example:

    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="fooAttrib" Name="SFDC_USERNAME"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          [email protected]
        </saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

From: http://login.salesforce.com/help/doc/en/sso_saml_assertion_examples.htm

This Is The Job Of OpenID Connect

[Diagram: User, OAuth Client, OpenID Connect endpoint]

• The client calls the UserInfo endpoint with an access token carrying a specific scope
• The endpoint returns a JSON structured attribute list of claims, e.g. the user's email, first name, last name, etc
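The whole authorization-code exchange from the 3-legged OAuth slide and Pattern #2, plus the scope-limited UserInfo call above, as one added example that is not from the deck or from any real provider: both sides of the protocol are simulated in one process. The client ID, client secret, redirect URI, the user record and the three-scope claim mapping are constructed fixtures; the browser redirect hop is simulated by handing the redirect URL straight back to the client.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed fixtures: one registered client (the deck's "Twitter") and one user at the
# authorization server (the deck's "Facebook"). None of these are real credentials.
CLIENT_ID, CLIENT_SECRET = "twitter-demo", "client-secret-demo-only"
REDIRECT_URI = "https://twitter.example/oauth/callback"
USERS = {"scott": {"password": "scotts-facebook-pw", "sub": "10315112535234507946",
                   "email": "scott@example.com", "email_verified": True,
                   "given_name": "Scott", "family_name": "Morrison"}}
# Which UserInfo claims each scope unlocks (the standard OIDC mapping, trimmed to three scopes).
SCOPE_CLAIMS = {"openid": ("sub",), "email": ("email", "email_verified"),
                "profile": ("given_name", "family_name")}


class AuthorizationServer:
    """Toy OAuth 2.0 authorization server plus an OpenID Connect UserInfo endpoint, in memory."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uris": {REDIRECT_URI}}}
        self.codes, self.tokens = {}, {}

    def authorize(self, client_id, redirect_uri, scope, state, username, password, now):
        """Steps 2 and 3: the user authenticates HERE (the client never sees this password)
        and consents to a scope. Returns the redirect URL carrying a one-time code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:   # exact match, never prefix
            raise PermissionError("unknown client or unregistered redirect_uri")
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("user authentication failed")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope.split(), "sub": user["sub"], "expires": now + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri, now):
        """Step 4: back-channel exchange. Only the authenticated client ever sees the access token."""
        grant = self.codes.pop(code, None)          # pop: a replayed code must fail
        client = self.clients.get(client_id)
        if grant is None or client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid code or client authentication failed")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri or now > grant["expires"]:
            raise PermissionError("code is bound to another client/redirect_uri, or has expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"sub": grant["sub"], "scope": grant["scope"], "expires": now + 3600}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(grant["scope"])}

    def userinfo(self, access_token, now):
        """OpenID Connect UserInfo: return only the claims the granted scopes cover."""
        t = self.tokens.get(access_token)
        if t is None or now > t["expires"]:
            raise PermissionError("invalid or expired access token")
        user = next(u for u in USERS.values() if u["sub"] == t["sub"])
        return {claim: user[claim] for s in t["scope"] for claim in SCOPE_CLAIMS.get(s, ())}


def social_sign_on(auth_server, scope, username, password, now=None):
    """The client side of Pattern #2. In a real deployment the user-agent carries the redirect."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(16)   # tied to the user's session at the client; defeats CSRF on the callback
    redirect = auth_server.authorize(CLIENT_ID, REDIRECT_URI, scope, state, username, password, now)
    params = parse_qs(urlparse(redirect).query)
    if params.get("state", [None])[0] != state:
        raise PermissionError("state mismatch: callback is not tied to this login attempt")
    code = params["code"][0]
    token = auth_server.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI, now)
    claims = auth_server.userinfo(token["access_token"], now)
    return code, token, claims
```

Three properties of the flow are visible here and worth checking in any real deployment: the code is single-use and bound to the client and redirect URI it was issued for, the access token only ever crosses the back channel between client and authorization server, and the UserInfo response shrinks to exactly the scopes the user consented to.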

We're Almost There: but we still have a registration problem

[Diagram: Client → Authorization Server]

• Provisioning of new users
• This is obviously an enterprise problem, not an individual problem
• They may already exist at the authorization server; remember our earlier point about what constitutes an "account"

This Is What SCIM Is For: an API for user management

SCIM stands for: System for Cross-domain Identity Management

• SCIM defines user/group schema and REST endpoints for CRUD
• Through it an enterprise administrator (or the client) creates new users at the authorization server

[Diagram: Enterprise Administrator and Client → Authorization Server: Create New Users]
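A minimal SCIM /Users provider, as an added example that is not from the deck or from any SCIM product: it shows the user schema URN a client must declare, the server-owned id and meta fields, the 409 "uniqueness" conflict on a duplicate userName, a filter search, and the "they may already exist" case from the previous slide, where the client links to an existing account before creating one. The SCIM 2.0 URNs are used; the base URL, user records and timestamps are constructed, and only the single `attr eq "value"` filter form is parsed.

```python
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimUserService:
    """In-memory stand-in for a SCIM 2.0 /Users endpoint; methods return (HTTP status, JSON body)."""

    def __init__(self, base_url):
        self.base_url, self.users = base_url, {}

    @staticmethod
    def error(status, detail, scim_type=None):
        body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
        if scim_type:
            body["scimType"] = scim_type
        return status, body

    def find(self, attribute, value):
        """Match on a top-level string attribute; SCIM string comparison is case-insensitive
        unless the attribute is declared caseExact, and userName is not."""
        return [u for u in self.users.values()
                if isinstance(u.get(attribute), str) and u[attribute].lower() == value.lower()]

    def create(self, body, now):
        """POST /Users: the client supplies userName (and optionally externalId); the server owns id and meta."""
        if USER_SCHEMA not in body.get("schemas", []):
            return self.error(400, "resource must declare %s" % USER_SCHEMA, "invalidValue")
        user_name = body.get("userName")
        if not isinstance(user_name, str) or not user_name:
            return self.error(400, "userName is required", "invalidValue")
        if self.find("userName", user_name):        # userName is unique across the whole provider
            return self.error(409, "userName already in use", "uniqueness")
        uid = str(uuid.uuid4())
        resource = {k: v for k, v in body.items() if k not in ("id", "meta")}   # ignore client-set server fields
        resource["id"] = uid
        resource["meta"] = {"resourceType": "User", "created": now, "lastModified": now,
                            "location": "%s/Users/%s" % (self.base_url, uid)}
        self.users[uid] = resource
        return 201, resource

    def search(self, filter_expr):
        """GET /Users?filter=...  Only the 'attr eq "value"' form is parsed here."""
        m = re.fullmatch(r'\s*(\w+)\s+eq\s+"([^"]*)"\s*', filter_expr)
        if not m:
            return self.error(400, "unsupported filter", "invalidFilter")
        hits = self.find(m.group(1), m.group(2))
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}

    def ensure(self, body, now):
        """The 'they may already exist' case: link to an existing account by externalId or
        userName, otherwise provision. Returns (created, resource)."""
        for attr in ("externalId", "userName"):
            if body.get(attr):
                hits = self.find(attr, body[attr])
                if hits:
                    return False, hits[0]
        status, resource = self.create(body, now)
        if status != 201:
            raise ValueError(resource["detail"])
        return True, resource
```

The externalId attribute is the hook that solves the synchronization problem from earlier in the deck: the provisioning client stores its own identifier for the person on the server-side record, so later runs can find the account even if the userName changed.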

Each Approach Has Its Merits: choose SAML or OAuth based on operational goals

SAML
• SAML support is widespread
• Dominant for enterprise SSO and federation
• Strong in passive (browser) profiles
• Less strong in active (classic SOAP or newer RESTful API) profiles
• Lots of central administration and federation ceremony

OAuth / OpenID Connect
• OAuth/OpenID Connect is growing very fast
• OAuth owns RESTful APIs
• The world is not just about browsers any longer; think about the rise of mobile apps
• Fast to integrate, with no need to engage parties
• Irresistible delegation model
• Potential brand, regulatory, or organizational issues with social login

Summary

• SAML is not going away
  • Your existing investment is safe
  • It will continue to play a huge role in web-based federation
• But OAuth + OpenID Connect + SCIM is coming on very strong
  • Driven by the rise of APIs and mobile devices
• Don't let anyone tell you OAuth is just another auth token scheme
  • It really represents a shift in power and authority

K. Scott Morrison
SVP & Distinguished Engineer
[email protected]
@KScottMorrison
slideshare.net/CAinc
linkedin.com/KScottMorrison
ca.com