The story of MITREid

Justin RicherThe MITRE Corporation

© 2014 The MITRE Corporation. All rights reserved.

Approved for Public Release: Distribution Unlimited (Case Number: 14-

1639)

The plight of a software developer• I build things that people use• I want to know who’s there

• What can I do?

1. Make local accounts

1. Make local accounts

1. Make local accounts

2. Use LDAP

2. Use LDAP

3. Use Enterprise SSO

3. Use Enterprise SSO

3. Use Enterprise SSO

Firew

all

Intranet

Internet

What to do?

Give people a digital identity

Let’s build something• OpenID 2.0 Server• Running on corporate IT hardware in

corporate IT environment• Backed by corporate SSO and user profile

information• “We do SSO so you don’t have to”

Why OpenID?• Open standard protocol• Network-based federation• User-driven trust model• Simple to use and develop

Make it easy for developers:Platform support

• Libraries:– Java– PHP– Python– Javascript– Ruby– Perl– …

• Platforms & Plugins:– Spring Security– Elgg– Wordpress– Mediawiki– Omniauth– Drupal– …

Usage Profile: The prototype

Firew

all

Intranet

Internet

OpenID ServerSSO

Usage Profile: The external service

Firew

all

Intranet

Internet

OpenID Server

SSO

User Profiles: The mobile user

Firew

all

Intranet

Internet

OpenID Server 2FA

The architecture

Firew

allUser Profiles

SharedDatabase

Internal OP External OP

Intranet

Internet

Two-Factor AuthnCorporate SSO

Runtime security decisions

Adoption by the extended enterprise

The Long Tail

1

10

100

1000

10000

We didn’t even plan this

Multiple types of user

Moving on from OpenID 2.0

Let’s build it (again)!• OAuth 2.0 and OpenID Connect server• OpenID Connect client library• Enterprise-friendly features and platform• Flexible deployment

and...

Open Source

We’re running it ourselves

Building the specifications

Moving toward federation across the extended enterprise

Better security: Separation

OpenID Provider

Delegating services: OAuth

OpenID Provider

Better security: Revocation

Easier integration by developers

OpenID Provider• Standard

• Agile• Flexible• Distributed

• Proprietary• Fragile• Rigid• Centralized

Better administration: An abstraction layer

OpenID Provider

Scalable security decisionsWhitelist

Trusted partners, business contracts, customer organizations, trust frameworks

GraylistUser-based trust decisions

Follow Trust on First Use model, keep logs

BlacklistVery bad sites we don’t want to deal with, ever

Org

aniz

ation

s de

cide

thes

e End-users decide these

Conclusions• Use open standards• Give your people digital identities and let

them decide where to use them• Use federation where possible

Questions?

jricher@mitre.org