CIS13: OpenID Connect: How it Solves your Problems

transcript

Nomura Research Institute

Cloud Identity Summit 2013

OpenID Connect: How it solves your problems

July 10, 2013 Nat Sakimura Nomura Research Institute Chairman, The OpenID Foundation

B2E Identity

B2C Identity G2C Identity

(source of pictures)Microsoft Office Online

G2E Identity

? "Why OpenID Connect is relevant for us enterprise?

It's a consumer technology, is it not?"

Not quite.

OpenID Connect was

built Enterprise use in mind (as

well as consumer use);

OpenID Connect helps

you build effective access

governance over cloud services

Q What are the de facto federation and account provisioning

protocols?

Identity Federation

• agreement between two or more domains (3.2.3) specifying how identity information (3.2.4) will be exchanged and managed for cross-domain identification (3.2.1) purposes [iSO/IEC 24760-1]

Account Provisioning

• process of creating an account at the service for the user

Identity Federation

• SAML?

• SPML?

Identity Federation

• Password Sharing

• Custom CSV

Q Why did we fail?

n Too complex to understand. l cognitive difficulty -> Support difficulty

n Different products do not interoperate.

n A large Japanese manufacturer: l  > 3000 partners all around the world l Some are quite small l Tried to do SAML

CSV is easy.

• Hey, you just need Excel! And you can manually edit them!

Password Sharing is easy.

• Hey, it works on any application that supports password!

Lots of (hidden) problems…

n Anything that more than 3 people knows is not a secret! n Can easily get out of sync. n De-provisioning? Archiving? n Are you getting audit trailing the access to those systems? n Etc.

Let’s re-do. This time, dead simple.

OpenID Connect & SCIM

identity set of attributes related to an entity

ISO/IEC 29115 | ITU-T X.1254

Note: distinguish identity and identifier carefully.

An example of simplistic enterprise “identity”

Employee number: A12349898 Name: John Smith Position: General Manager Department: Finance Company: ABCD Holding Location: NYHQ Datetime: 29130809T12:34:11Z

logging

User interface

Access Control info

Account Role PEP Resource

Identity PEP Resource

Based on SP800-162 figure on page viii

identity Resource

R1 • Access Control MUST be done with the dynamic attributes

R2 • Identity MUST be provided from the authoritative source

R3 • Need to be able to provide flexible security.

R4 • Need to be dead simple.

R5 • Interoperability is the king.

R6 • Limited connection (esp. mobile) ready.

R7 • Unified technology for enterprise and consumer.

R8 • Privacy Enhancing and voluntary

Let’s re-do. This time, dead simple.

Yes, we are reinventing a wheel, but This time, it will be a little rounder.

SAML v.s. OpenID Connect

SAML Web SSO OpenID Connect XML JSON XML Dsig JSON Web Signature (JWS) XML Encryption JSON Web Encryption (JWE) SAML JSON Web Token SAML Assertion ID Token (OIDC) SOAP (mostly…) REST SAML Web SSO Profile Standard (=OAuth 2.0

binding) SPML SCIM

OpenID Foundation Japan’s Enterprise Identity WG

Egawa-san!

Deployment Experiences of OpenID Connect

Easy to implement

• Good!

Nice user experience for enterprise users • No login dialogues – just depend on AD. • NRI has built an IIS plugin that works as OIDC

server over implicit flow.

Make sure to follow verification rules

• Some implementation were bitten by not following MUSTs.

Never send an access token without accompanying ID Token to any other clients.

Care should be taken for “code” and “token” server-side verification • It will be bottlenecks in performance. • Make them as stateless as possible.

• Depending on the risk profile, it may not need to re-check and just verify them locally.

• Use memory db for revocation list.

Big Picture ~ Transient Situation

AD Etc.

Connect Server

Access Log

Service

CIS13: OpenID Connect: How it Solves your Problems

Technology