Mobile Cloud Identity
Mark Diodati Technical Director—CTO Office
@mark_diodati
Thurs 13-12-05
Agenda
• Cloud Identity
• Modern Identity’s Building Blocks
• OpenID Connect
• FIDO
• NFC
CLOUD IDENTITY
Mobile Cloud Identity
On-Premises, Hybrid, Cloud
[Figure: the three deployment models, on-premises, hybrid and cloud]
Cloud Identity
• Identity Management as a Service (IDaaS)
– Externally hosted, turnkey SaaS applications that perform identity management
• Users and applications may be on-premises or hosted
– OPEX, flexible with changes in economies of scale
• Identity bridge
– On-premises component to connect on-premises and externally hosted environments
– Supports multiple identity services
Cloud Orientation
[Figure: the three orientations, to the cloud, from the cloud, in the cloud]
To The Cloud (SSO + Provisioning)
[Figure: the hosted side runs a federation IdP and directory synchronization; the on-premises side has Active Directory, employees using Kerberos SSO, and the identity bridge. The bridge delivers federation SSO and directory sync (API) from the on-premises directory to the hosted services.]
To The Cloud (Mobile Identity)
[Figure: externally hosted MDM cloud service; on-premises Active Directory, Microsoft Certificate Services (MMC) and the private key, connected through the identity bridge/MDM component. Flows to the device: profile/policy, group membership, credential provisioning and app distribution.]
From The Cloud (SSO)
[Figure: hosted (partner) and on-premises sides. Components: OAuth relying party and OAuth authorization service; federation SP and federation IdP; SAML-enabled application and WAM-protected application (HTTP cookie); OAuth resource server. The identity bridge mediates SAML, OAuth, password and X.509.]
From the Cloud (Provisioning)
[Figure: externally hosted provisioning IDaaS; on-premises identity bridges in front of Active Directory and ERP at manufacturing sites in North America and Europe, each bridge performing reconciliation.]
In The Cloud (SSO + Provisioning)
[Figure: hosted IDaaS with a federation IdP; the user authenticates to it and receives federated SSO and provisioning into hosted applications.]
MODERN BUILDING BLOCKS
Modern Building Blocks
• REST (Representational State Transfer)
– Adopted in response to the complexity of SOAP
– Uses HTTP for its request/response
– Objects (resources) are identified by URLs
– Example HTTP verbs
• GET: retrieve object attributes
• POST: create object with new attributes
• DELETE: delete object
Modern Building Blocks
• JSON (JavaScript Object Notation)
– Adopted in response to the complexity of XML
– Data format representing name value pairs
Modern Building Blocks
• Most modern identity standards leverage JSON over REST
– Peanut butter and jelly
– OAuth (authorization), SCIM (provisioning), FIDO (authentication), OpenID Connect (multi-protocol)
• Notable exceptions are SAML and XACML, which are XML-based
Modern Building Blocks
REST HTTP verb (add user in SCIM). In REST, objects and endpoints have unique URLs; the body is the JSON data representation:

POST https://pingidentity.com:8443/Users
Authorization: Basic Y249RGlyZWN0b3J5IE1...
Content-Type: application/json
{
"userType":"spy",
"externalId":"tstark86753",
"pacsSerial":"87654321",
"active":true,
"otpSerial":"12345678",
"email":"[email protected]",
"userName":"tstark",
"givenName":"Tony",
"familyName":"Stark"
}

The body above is flattened for the slide. In the SCIM core schema a create request carries a "schemas" attribute, givenName and familyName sit inside a "name" sub-object, addresses go in a multi-valued "emails" array, and custom attributes such as pacsSerial and otpSerial belong in an extension schema. The Basic credential is truncated on the slide.
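The request above, as an added example that is not from the slides or from Ping Identity's products: it shapes the slide's flat attributes into a spec-shaped SCIM user and shows the checks a SCIM `POST /Users` handler should run before creating anything. The extension URN for pacsSerial/otpSerial and the e-mail address are assumptions.

```python
"""Added example (not from the slides): shape the slide's flat attributes into a
SCIM 2.0 core-schema user and validate an incoming POST /Users body.
The extension URN for the custom attributes is hypothetical."""
import json
import re

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Assumed extension schema for the slide's custom attributes (not a registered URN).
EXT_PHYSICAL = "urn:example:params:scim:schemas:extension:physical:2.0:User"

SLIDE_RECORD = {  # the slide's flat attributes; the e-mail address is constructed
    "userType": "spy", "externalId": "tstark86753", "pacsSerial": "87654321", "active": True,
    "otpSerial": "12345678", "email": "tstark@example.com", "userName": "tstark",
    "givenName": "Tony", "familyName": "Stark",
}


def build_scim_user(flat: dict) -> dict:
    """Map a flat record to a SCIM user resource: core attributes under the core
    schema, custom attributes under their own extension URN."""
    return {
        "schemas": [CORE_USER, EXT_PHYSICAL],
        "externalId": flat["externalId"],
        "userName": flat["userName"],
        "userType": flat.get("userType"),
        "active": bool(flat.get("active", True)),
        "name": {"givenName": flat["givenName"], "familyName": flat["familyName"]},
        "emails": [{"value": flat["email"], "primary": True}],
        EXT_PHYSICAL: {"pacsSerial": flat["pacsSerial"], "otpSerial": flat["otpSerial"]},
    }


class SCIMError(ValueError):
    """Maps to an HTTP 400 with a SCIM error response in a real endpoint."""


def validate_scim_user(body: str) -> dict:
    """Server-side checks before creating the user: well-formed JSON object, declared
    and supported schemas, required userName, no server-assigned attributes, custom
    attributes only inside their extension namespace, plausible e-mail values."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as e:
        raise SCIMError(f"invalid JSON: {e}")
    if not isinstance(doc, dict):
        raise SCIMError("body must be a JSON object")
    schemas = doc.get("schemas")
    if not isinstance(schemas, list) or CORE_USER not in schemas:
        raise SCIMError("schemas must list the core User schema")
    unknown = [s for s in schemas if s not in (CORE_USER, EXT_PHYSICAL)]
    if unknown:
        raise SCIMError(f"unsupported schema(s): {unknown}")
    if not isinstance(doc.get("userName"), str) or not doc["userName"]:
        raise SCIMError("userName is required")
    for read_only in ("id", "meta"):  # assigned by the service, never by the client
        if read_only in doc:
            raise SCIMError(f"{read_only} is read-only")
    for attr in ("pacsSerial", "otpSerial"):  # must live under the extension URN
        if attr in doc:
            raise SCIMError(f"{attr} must be inside the {EXT_PHYSICAL} namespace")
    emails = doc.get("emails", [])
    if not isinstance(emails, list):
        raise SCIMError("emails must be an array")
    for entry in emails:
        value = str(entry.get("value", "")) if isinstance(entry, dict) else ""
        if not re.fullmatch(r"[^@\s]+@[^@\s]+", value):
            raise SCIMError("emails[].value must be an address")
    return doc


def check(body: str) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        validate_scim_user(body)
        return "ok"
    except SCIMError as e:
        return str(e)


SLIDE_BODY = json.dumps(build_scim_user(SLIDE_RECORD))  # what the POST should carry
FLAT_BODY = json.dumps(SLIDE_RECORD)                    # the slide's flat form, rejected

if __name__ == "__main__":
    print(SLIDE_BODY)
    print("spec-shaped:", check(SLIDE_BODY))
    print("flat slide body:", check(FLAT_BODY))
```

The validator deliberately rejects the slide's flat body: a provisioning IDaaS and an identity bridge only interoperate if both sides agree on the schema, and silently accepting unknown top-level attributes is how custom data ends up dropped or misrouted.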
OPENID CONNECT
OAuth
• Increasingly popular protocol for session management in rich mobile applications
• Mobile web applications function well with traditional enterprise authentication
• Rich mobile applications may break existing infrastructure like authentication and Web access management
OAuth Components and Flow
[Figure: OAuth authorization server, OAuth resource server, web browser, native application and the OAuth client/relying party. A = access token, R = refresh token.]
1. Browser instantiated
2. User authentication/consent
3. Token reference (authorization code) returned
4. Code delivery
5. Reference code + authentication
6. Tokens downloaded
7. Access token presentation
8. Access to application resource
Why Not Just Use OAuth?
• OAuth is:
– Valuable as an access delegation protocol
– A good fit for native mobile applications
– Friendly for developers
• OAuth is not:
– A user identity protocol
– An “identity at scale” protocol
OpenID Connect Flow
[Figure: OpenID Provider (authorization server and user information endpoint), OAuth resource server, and the OAuth client/relying party. The client receives three tokens: ID token (ID), access token (A) and refresh token (R). It presents the access token for API access at the resource server and for user information at the OpenID Provider.]
OIDC Multiple Provider Flow
[Figure: OpenID Provider #1 (authorization server and user information endpoint), OAuth resource server, OpenID Provider #2 and the OAuth client/relying party. ID = ID token, A = access token, R = refresh token.]
1. Tokens (ID, access, refresh) issued by OpenID Provider #1
2. User information from OpenID Provider #1
3. API access to the resource server
4. ID token presented to OpenID Provider #2
5. Access and refresh tokens issued by OpenID Provider #2
OpenID Connect Protocols
• Protocol for clients that support additional security
• Protocol for simpler clients
• Optional discovery of OpenID providers
• Optional automated registration of clients (e.g., server applications, mobile devices)
OpenID Connect Under The Covers
• OAuth 2.0 specifications
• JSON Web Token (JWT)
• JOSE (JSON Object Signing and Encryption)
– JSON Web Signature (JWS)
– JSON Web Encryption (JWE)
– JSON Web Algorithms (JWA)
– JSON Web Key (JWK)
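The authorization-code flow from the OAuth diagram and the ID token that OpenID Connect adds on top of it, as an added example (not from the slides, not Ping Identity code): a toy OpenID Provider issues a single-use code bound to the client and redirect URI, exchanges it for access, refresh and ID tokens, and the relying party validates the ID token as a JWS. HS256 is used so the file runs on the standard library; real providers sign with RS256/ES256 and publish the key as a JWK. The issuer, client ID, redirect URI and shared key are constructed values.

```python
"""Added example (not from the slides): OAuth authorization-code exchange plus an
OpenID Connect ID token minted as a JWS and validated by the relying party.
HS256 keeps it standard-library only; production OPs use RS256/ES256 with JWKs.
Issuer, client ID, redirect URI and key are constructed values."""
import base64, hashlib, hmac, json, secrets

ISSUER = "https://op.example.com"           # assumed OpenID Provider
CLIENT_ID = "mobile-app-123"                # assumed OAuth client / relying party
REDIRECT_URI = "com.example.app:/callback"  # assumed native-app redirect URI
KEY = b"constructed-shared-secret-for-HS256"  # constructed; never hard-code in real code


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jsonb(o) -> bytes:
    return json.dumps(o, separators=(",", ":")).encode()


def mint_id_token(sub: str, nonce: str, now: int, key: bytes = KEY, lifetime: int = 300) -> str:
    """OP side: JWS compact serialization carrying the claims OIDC Core requires."""
    header = b64url(jsonb({"alg": "HS256", "typ": "JWT"}))
    claims = b64url(jsonb({"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
                           "iat": now, "exp": now + lifetime, "nonce": nonce}))
    signing_input = header + "." + claims
    return signing_input + "." + b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def validate_id_token(token: str, expected_nonce: str, now: int, key: bytes = KEY) -> dict:
    """RP side (OIDC Core 3.1.3.7): pinned alg, signature, iss, aud, exp, nonce."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    if json.loads(b64url_dec(h)).get("alg") != "HS256":  # never honour alg=none or a swapped alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_dec(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_dec(c))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or injected token)")
    return claims


class OpenIDProvider:
    """Authorization server: issues single-use codes (steps 2-4) and exchanges them (5-6)."""
    def __init__(self):
        self._codes = {}

    def authorize(self, request: dict, authenticated_user: str, now: int) -> dict:
        code = secrets.token_urlsafe(24)  # the 'token reference' returned through the browser
        self._codes[code] = {**request, "sub": authenticated_user, "exp": now + 60}
        return {"code": code, "state": request["state"]}

    def token(self, code: str, client_id: str, redirect_uri: str, now: int) -> dict:
        grant = self._codes.pop(code, None)  # pop: a code is redeemable exactly once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or now > grant["exp"]):
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32),
                "id_token": mint_id_token(grant["sub"], grant["nonce"], now)}


class RelyingParty:
    """OAuth client: the opaque access token says nothing about who the user is; the ID token does."""
    def __init__(self, op: OpenIDProvider):
        self._op, self._pending = op, {}

    def start_login(self) -> dict:
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = nonce
        return {"response_type": "code", "scope": "openid", "client_id": CLIENT_ID,
                "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}

    def finish_login(self, callback: dict, now: int):
        nonce = self._pending.pop(callback.get("state"), None)
        if nonce is None:
            raise PermissionError("unknown state: not a login this client started")
        tokens = self._op.token(callback["code"], CLIENT_ID, REDIRECT_URI, now)
        return validate_id_token(tokens["id_token"], nonce, now)["sub"], tokens
```

The `state` value ties the callback to a login the client started, and the `nonce` ties the ID token to that same login, which is what lets the relying party reject a token obtained in some other session and handed to it.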
FIDO
FIDO—A Tale of Two Protocols
• FIDO Universal Authentication Framework (UAF)
– Local mobile biometrics
– Initially proposed by Lenovo, Nok Nok, PayPal, others
– Also supports non-biometric authentication
• Universal Second Factor (U2F)
– “Smart” smart card
– Initially proposed by Google and Yubico, maker of the YubiKey (first to partner)
FIDO UAF
[Figure: FIDO authenticator(s) holding a device key pair (used for device attestation) and site-specific key pairs; FIDO client; FIDO server at the web site/RP; FIDO attestation service; ID proofing.]
(1) User authentication to FIDO client
(2) FIDO handshake
(3) Asymmetric key authentication
The RP binds the user info to the public key.
UAF to OpenID Connect
[Figure: FIDO authentication module inside the OpenID Provider; FIDO client on the device; mobile application acting as relying party.]
(1) User authentication to FIDO client
(2) FIDO handshake
(3) Asymmetric key authentication
(4) Token information (ID, access and refresh tokens)
(5) API request/response with the access token
The OpenID Provider binds the user info to the public key.
FIDO U2F
[Figure: U2F device with a device key pair (per batch), site-specific key pairs (with Key Handles) and an activation button (activation required during enrollment and optional at runtime); web site/RP with a site authn service and a U2F authn service; attestation service for device attestation.]
(1) User password authentication
(2) Challenge response, with Key Handle
The RP stores user info, public key and Key Handle.
U2F to Federation
[Figure: federation IdP with a primary authn service and a U2F authn service; federation SP.]
(1) User password authentication
(2) Challenge response, with Key Handle
(3) SAML credentials issued by the IdP
(4) SAML credentials presented to the federation SP
The IdP stores user info, public key and Key Handle.
SCEP Certificate Enrollment
[Figure: user, iPhone Configuration Utility, profile service (SCEP.mobileconfig), certificate authority.]
(1) Utility publishes enrollment profile
(2) User authenticates
(3) Profile is downloaded
(4) iOS executes SCEP enrollment
(5) Certificate is installed in iOS store
SCEP Enrollment Vulnerability
[Figure: profile service, certificate authority, and the user's SCEP.mobileconfig, private key and certificate.]
(1) Can I have a SCEP secret?
(2) Sure! Your SCEP secret is “8675309”.
(3) Tony Stark, enroll for a certificate. Your SCEP secret is “8675309”.
(4) My name is “Nick Fury”. My SCEP secret is “8675309”.
(5) Here you go! Your certificate name is Nick Fury.
The challenge password authorizes the request but is not bound to the authenticated user, so whoever holds it can name any subject in the CSR.
Enhanced Enrollment
[Figure: MDM service, certificate authority, and the device receiving the certificate and private key.]
(1) Here is the public key for user Tony Stark
(2) Sure! Here is the certificate
(3) Here is your certificate and private key!
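The two enrollment slides above, as an added example (not from the slides, not Ping Identity code): a toy CA and profile service reproduce the shared-secret problem, then two fixes are shown beside it. The first, a single-use SCEP challenge bound to the subject the profile service authenticated, is a hardening the slides do not spell out; the second is the slide's enhanced enrollment, where only the MDM may ask the CA for a certificate and the subject comes from the MDM's authenticated session. Certificates are dicts, keys are stand-ins, and all names and secrets are constructed.

```python
"""Added example (not from the slides): shared-secret SCEP enrollment reproduced,
beside a bound single-use challenge and the MDM-mediated enhanced enrollment.
Certificates are dicts, keys are stand-ins, names and secrets are constructed."""
import hashlib, hmac, secrets

SHARED_SCEP_SECRET = "8675309"  # the slide's static challenge, handed to every enrolling user


def make_keypair():
    """Stand-in for real key generation: an opaque private token and a derived public handle."""
    priv = secrets.token_bytes(32)
    return priv, hashlib.sha256(priv).hexdigest()


class SharedSecretCA:
    """Vulnerable: any subject is accepted as long as the shared challenge password matches."""
    def __init__(self, secret):
        self._secret, self.issued = secret, []

    def enroll(self, csr_subject, csr_public_key, challenge):
        if not hmac.compare_digest(challenge, self._secret):
            raise PermissionError("bad challenge password")
        cert = {"subject": csr_subject, "public_key": csr_public_key}
        self.issued.append(cert)
        return cert


class ProfileService:
    """Steps (1)-(3): authenticates the user and hands out SCEP.mobileconfig with the secret."""
    def __init__(self, ca_secret):
        self._secret = ca_secret

    def enrollment_profile(self, authenticated_user):
        return {"user": authenticated_user, "scep_secret": self._secret}


def enroll_as_someone_else(ca, profile_service):
    """Step (4): Tony authenticates, then submits a CSR naming Nick Fury with the same secret."""
    profile = profile_service.enrollment_profile("Tony Stark")
    _, pub = make_keypair()
    return ca.enroll("Nick Fury", pub, profile["scep_secret"])


class BoundChallengeCA:
    """Fix 1: per-enrollment challenge, single use, tied to the subject that was authenticated."""
    def __init__(self):
        self._pending, self.issued = {}, []

    def challenge_for(self, authenticated_user):
        challenge = secrets.token_urlsafe(24)
        self._pending[challenge] = authenticated_user
        return challenge

    def enroll(self, csr_subject, csr_public_key, challenge):
        expected_subject = self._pending.pop(challenge, None)  # pop: one use, even if rejected
        if expected_subject is None:
            raise PermissionError("unknown or already used challenge")
        if csr_subject != expected_subject:
            raise PermissionError(f"challenge was issued for {expected_subject!r}, not {csr_subject!r}")
        cert = {"subject": csr_subject, "public_key": csr_public_key}
        self.issued.append(cert)
        return cert


class MDMTrustedCA:
    """Fix 2 (the slide's enhanced enrollment): only the MDM, holding its own credential, may request issuance."""
    def __init__(self):
        self._mdm_credential, self.issued = secrets.token_hex(16), []

    def credential_for_mdm(self):
        return self._mdm_credential

    def issue(self, mdm_credential, subject, public_key):
        if not hmac.compare_digest(mdm_credential, self._mdm_credential):
            raise PermissionError("only the MDM may request certificates")
        cert = {"subject": subject, "public_key": public_key}
        self.issued.append(cert)
        return cert


class MDMService:
    def __init__(self, ca):
        self._ca, self._credential = ca, ca.credential_for_mdm()

    def enroll_device(self, authenticated_user):
        """The subject comes from the MDM's authenticated session, never from a device-built CSR."""
        priv, pub = make_keypair()
        cert = self._ca.issue(self._credential, authenticated_user, pub)  # steps (1)-(2)
        return cert, priv                                                 # step (3): pushed to the device
```

Both fixes move the decision about the certificate's subject away from the party that types the CSR: in the first the CA checks it against what the profile service authenticated, in the second the device never builds a CSR at all. The second also means the private key is generated off the device and delivered to it, which is the trade-off the enhanced-enrollment slide accepts.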
MDM - Email Proxy
[Figure: the device authenticates to the MDM with its X.509 certificate and private key; the identity bridge performs S4U Kerberos impersonation against Active Directory and presents the resulting Kerberos tickets to the Exchange Server on the user's behalf.]
NFC
NFC on Mobile Device
[Figure: the NFC system on the device comprises a secure element, an NFC controller and an antenna.]
NFC for Converged Authentication
[Figure: one NFC credential serves both IT access and building access.]
NFC for Tablet Authentication
[Figure: a tablet with NFC reads a contactless smart card or a smartphone carrying a certificate and private key, and authenticates to a web application over SSL.]
NFC Provisioning
[Figure: externally hosted Mobile Credential Management Service (MCM) provisions the PACS credential and PKI certificate into the NFC secure element by way of the MDM, the mobile network operators and a trusted service manager; the on-premises identity bridge connects the PACS host, the certificate authority and Active Directory; applications consume the credentials.]
NFC Authorization
[Figure: PKI certificate used for PKI authentication; authorization policy and policy delivery.]
Copyright ©2013 Ping Identity Corporation. All rights reserved.