Best Practices for Cloud Identity In JavaEE Enabled PaaS
Anil Saldhana, Red Hat Inc.
36 slides

Description: Best Practices for Cloud Identity Management.

Transcript of Anil saldhana cloudidentitybestpractices

Page 1: Anil saldhana cloudidentitybestpractices

Best Practices for Cloud Identity In JavaEE Enabled PaaS
Anil Saldhana, Red Hat Inc.

Page 2: Anil saldhana cloudidentitybestpractices

Agenda
•  Introduction To Cloud Identity
   – Concept of Identity and Trust
•  JavaEE Enabled PaaS
   – OpenShift
•  What Identity Standard should I adopt?
   – SAML, OpenID, OAuth, WS-Trust, Kerberos
   – NIST 800-63 Levels of Assurance


Page 3: Anil saldhana cloudidentitybestpractices

Agenda
•  Best Practices
   – User Registration
   – Identity Management
      •  Cloud Directories and Corporate Directories
   – Authentication
   – Authorization
   – Mobile Devices
   – Identity Providers
   – API Access


Page 4: Anil saldhana cloudidentitybestpractices

Agenda
•  Demo
•  Other Relevant Standards Work
   – JSR 351
•  Resources


Page 5: Anil saldhana cloudidentitybestpractices

Concept of Identity and Trust


Page 6: Anil saldhana cloudidentitybestpractices

Concept of Trust

•  Twitter Verified Accounts


Page 7: Anil saldhana cloudidentitybestpractices

Concept of Trust
•  Twitter Verified Accounts
   – President Obama (Identity)
   – Blue Check Sign (Trust)


Page 8: Anil saldhana cloudidentitybestpractices

Concept of Trust
•  Twitter Verified Accounts
   – Tim O'Reilly (Identity)
   – Blue Check Sign (Trust)


Page 9: Anil saldhana cloudidentitybestpractices

JavaEE Enabled PaaS (OpenShift)
http://openshift.com


Page 10: Anil saldhana cloudidentitybestpractices

OpenShift
•  OpenShift by Red Hat is a polyglot PaaS
•  Run Java, Ruby, Perl, Python, PHP and Node.js in the Cloud
•  JavaEE Full Profile support via JBoss Application Server v7.x as well as JBoss Enterprise Application Platform
•  Free


Page 11: Anil saldhana cloudidentitybestpractices

Which Identity Management Standard is relevant?
(SAML, OpenID, OAuth, WS-Trust, Kerberos)


Page 12: Anil saldhana cloudidentitybestpractices

Levels of Assurance
•  NIST 800-63 Special Publication
•  Four Levels of Assurance
   – Level 1:
      •  Little or no confidence in asserted identity.
      •  OpenID, OAuth.
   – Level 2:
      •  Some confidence in the asserted identity.
      •  Passwords and SAML Password Auth Mech.


Page 13: Anil saldhana cloudidentitybestpractices

Levels of Assurance
•  Four Levels of Assurance
   – Level 3:
      •  High Confidence.
      •  Soft/Hard Crypto Tokens and OTP.
   – Level 4:
      •  Very High Confidence.
      •  PKI and Smart Cards.


Page 14: Anil saldhana cloudidentitybestpractices

Which standard is relevant?

•  Community Type Environment
   – Forums, Blogs etc.
   – Level 1 Assurance.
   – Decentralized setup; Internet Scale
   – OpenID and OAuth.


Page 15: Anil saldhana cloudidentitybestpractices

Which standard is relevant?

•  Enterprise Type Environment
   – Need Level 2 assurance level.
      •  SAML Assertions (Password based authentication)
   – Need Level 3 or 4 assurance of identity.
      •  SAML Assertions (PKI/X.509 Certificates)


Page 16: Anil saldhana cloudidentitybestpractices

Best Practices


Page 17: Anil saldhana cloudidentitybestpractices

User Registration
•  All Security Systems need users.
•  Users can come from corporate identity stores or need to be dynamically registered.
•  Dynamic Registration
   – CAPTCHA technology.
•  Password Strength Meters/Indicators.
•  Important to understand Cloud Directories.


Page 18: Anil saldhana cloudidentitybestpractices

User Registration
•  Password Management
   – Salt and Hash each password
   – Just hashing
      •  Susceptible to Dictionary or Brute Force Attacks.
   – Password Reset
      •  Send 15 min validity single use tokens to user email.
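Slide 18 worked through in code, as an added example that is not part of the deck (written in Python rather than the JavaEE stack the talk targets): every password gets its own random salt and a PBKDF2 hash, and reset tokens are random, expire after 15 minutes and are consumed on first use. The iteration count, the in-memory stores and the injectable clock are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the deck): salted PBKDF2 password hashing plus 15-minute,
# single-use password-reset tokens, as slide 18 recommends. Constants are assumptions.
PBKDF2_ITERATIONS = 100_000   # assumption: raise until one hash costs ~100 ms on your hardware
RESET_TTL_SECONDS = 15 * 60   # 15 minutes, per the slide


class PasswordStore:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable clock so token expiry can be tested
        self.users = {}           # username -> (salt, pbkdf2 hash)
        self.reset_tokens = {}    # token -> (username, expiry_epoch)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)   # fresh random salt per user: equal passwords hash differently
        self.users[username] = (salt, self._hash(password, salt))

    def verify(self, username: str, password: str) -> bool:
        entry = self.users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._hash(password, salt))  # constant-time compare

    def issue_reset_token(self, username: str) -> str:
        if username not in self.users:
            raise KeyError(username)
        token = secrets.token_urlsafe(32)   # unguessable; e-mail it to the user, never log it
        self.reset_tokens[token] = (username, self.clock() + RESET_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token: str, new_password: str) -> bool:
        entry = self.reset_tokens.pop(token, None)   # pop first: single use even if redemption fails
        if entry is None:
            return False
        username, expiry = entry
        if self.clock() > expiry:
            return False                  # expired: the user must request a fresh token
        self.register(username, new_password)        # re-salts and re-hashes
        return True
```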


Page 19: Anil saldhana cloudidentitybestpractices

Identity Management
•  Directories of Users/Applications
   – Cloud based.
   – Corporate based.
   – Hybrid (Both Cloud and Corporate).
•  Synching Issues.
•  Legal and Compliance Issues.


Page 20: Anil saldhana cloudidentitybestpractices

Identity Management


Page 21: Anil saldhana cloudidentitybestpractices

Authentication
•  Classic Username/Password
•  Two Factor Authentication
   – Additional factor: One Time Password.
•  Kerberos Based Login for API
•  External Authentication
   – Sign In using Facebook, Twitter, Google, etc.
   •  Eliminates Password Management Headaches.


Page 22: Anil saldhana cloudidentitybestpractices

Authorization
•  Coarse Grained Authorization
   – Role Based Access Control.
•  Fine Grained Authorization
   – ACL, XACML
•  OAuth Style Authorization.


Page 23: Anil saldhana cloudidentitybestpractices

Mobile Devices
•  Device Registration
   – UDID, SIM ID, Chip ID can all be Identifiers for the same device.
•  Mobile devices may need token based security.


Page 24: Anil saldhana cloudidentitybestpractices

Identity Providers
•  Central Identity Provider for the entire PaaS system.
   – Global directory service for all tenants.
•  Identity Provider for the applications of a single tenant.
   – Tenant deploys IDP application.
•  Delegated Identity Providers to Corporate Identity Providers.
   – Salesforce to corporate Identity services.


Page 25: Anil saldhana cloudidentitybestpractices

Identity Providers


Page 26: Anil saldhana cloudidentitybestpractices

Cloud API Access
•  Majority of Cloud Access may be via API
   – (Salesforce, Twitter, Facebook) 3rd party apps.
•  Token based REST system
   – OAuth2 is a good candidate.
      •  Various drafts and flavors in the industry.
   – User has control over approval/revocation of access.


Page 27: Anil saldhana cloudidentitybestpractices

Cloud API Access
•  OAuth2 Interactions
   – Register Application with server
      •  Obtain Client Identifier and Client Secret
   – Resource owner (User) authorizes application with server, for various scopes
      •  Obtain Authorization Code


Page 28: Anil saldhana cloudidentitybestpractices

Cloud API Access
•  OAuth2 Interactions
   – Application uses authorization code to obtain access token and refresh token
      •  Refresh token helps obtain new access token on expiry
   – Application provides token to resource server
      •  Access to resource
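The OAuth2 interactions on slides 26 to 28 (register the application, user approves scopes, exchange the code for access and refresh tokens, refresh on expiry, resource server checks the token, user revokes access) as one in-memory authorization server. This is an added example in Python, not code from the deck or from PicketLink; token lifetimes, the scope names, the in-memory stores and the injectable clock are assumptions.

```python
import secrets
import time

# Added example (not from the deck): in-memory OAuth2 authorization server for slides 26-28.
ACCESS_TTL_SECONDS = 3600      # assumption: access tokens live one hour, refresh tokens until used

class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock     # injectable clock so access-token expiry can be tested
        self.clients = {}      # client_id -> client_secret
        self.codes = {}        # authorization code -> (client_id, user, scopes)
        self.access = {}       # access token -> (user, scopes, expiry_epoch)
        self.refresh = {}      # refresh token -> (client_id, user, scopes)

    def register_client(self):                        # 1. application registration
        client_id, secret = secrets.token_urlsafe(8), secrets.token_urlsafe(32)
        self.clients[client_id] = secret
        return client_id, secret

    def authorize(self, user, client_id, scopes):     # 2. resource owner approves scopes
        code = secrets.token_urlsafe(16)              # short-lived in practice; single use below
        self.codes[code] = (client_id, user, frozenset(scopes))
        return code

    def _issue(self, client_id, user, scopes):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (user, scopes, self.clock() + ACCESS_TTL_SECONDS)
        self.refresh[refresh] = (client_id, user, scopes)
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL_SECONDS}

    def _redeem(self, store, key, client_id, secret, what):
        entry = store.pop(key, None)   # single use: a code burns, a refresh token rotates
        if entry is None or entry[0] != client_id or not secrets.compare_digest(self.clients.get(client_id, ""), secret):
            raise PermissionError("invalid " + what)
        return self._issue(*entry)

    def exchange_code(self, code, client_id, secret):   # 3. code -> access + refresh token
        return self._redeem(self.codes, code, client_id, secret, "authorization code")
    def refresh_access(self, token, client_id, secret): # 3b. new access token on expiry
        return self._redeem(self.refresh, token, client_id, secret, "refresh token")

    def revoke(self, user):                             # the user withdraws approval
        self.access = {k: v for k, v in self.access.items() if v[0] != user}
        self.refresh = {k: v for k, v in self.refresh.items() if v[1] != user}

    def check(self, access_token, scope):               # 4. resource server validates the token
        entry = self.access.get(access_token)
        if entry is None or self.clock() > entry[2] or scope not in entry[1]:
            return None
        return entry[0]                                 # the user the token speaks for
```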


Page 29: Anil saldhana cloudidentitybestpractices

Demo


Page 30: Anil saldhana cloudidentitybestpractices

Aerogear TODO Application
•  Typical JavaEE6 application
   – HTML5
   – CDI Application Programming
   – JAX-RS Endpoints
   – JPA


Page 31: Anil saldhana cloudidentitybestpractices

Aerogear TODO Application
•  Deployed on OpenShift PaaS.
   – Identity User Registration Pattern
   – Identity Authentication Pattern
      •  Username/Password
      •  Facebook Authentication
      •  Google Authentication
   – Role Based Authorization


Page 32: Anil saldhana cloudidentitybestpractices

Relevant Standards


Page 33: Anil saldhana cloudidentitybestpractices

JSR 351
•  Java Identity JSR
•  http://jcp.org/en/jsr/detail?id=351
•  http://java.net/projects/identity-api-spec/pages/Home
•  Define API and identity interaction models for applications and in access control decisions.


Page 34: Anil saldhana cloudidentitybestpractices

OASIS IDCloud TC
•  OASIS Identity In The Cloud TC
   – Use Cases for Identity Management in the Cloud Ecosystem.
   – http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html
   – Gap Analysis in existing standards


Page 35: Anil saldhana cloudidentitybestpractices

OASIS Cloud Authorization TC
•  OASIS Cloud Authorization TC
   – Brand new TC at OASIS.
   – Build Profiles for Cloud Authorization using XACML and OAuth.
      •  SaaS, PaaS and IaaS models.
   – Build Profiles for Cloud Entitlements.


Page 36: Anil saldhana cloudidentitybestpractices

Resources
•  OpenShift PaaS
   – http://openshift.com
•  Project PicketLink
   – http://jboss.org/picketlink
•  My Blog
   – http://anil-identity.blogspot.com
