Post on 08-May-2015
A recipe for standards-based Cloud IdM
Paul Madsen
@paulmadsen
Ingredients
SAML
OAuth
SCIM
JWT
• Small number of ingredients can be composed to create useful & tasty dishes
• SCIM, SAML, OAuth, and JWT provide a standards based framework for cloud identity recipes
Ingredients
• SAML – SSO for enterprise & cloud web apps
• OAuth – authn & authz for RESTful APIs
• SCIM – RESTful (and viable!) user provisioning
• JWT – JSON-based SAML assertions
(Gross) Oversimplifications
SCIM & SAML
• SCIM API messages provision accounts for subsequent SAML SSO
• SAML binding for SCIM: carry the SCIM instance as attributes in the SAML SSO message
  • Alternative to a distinct CRUD operation using the SCIM RESTful protocol
  • Enables JIT (just-in-time) provisioning
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.userName">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.name.formatted">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
SCIM & SAML: Challenges
• Non-trivial to map the SCIM attribute schema into SAML's attribute model
• SCIM schema allows for
  • Complex structures
  • Multi-valued attributes
• Which is why I've been negligent in the work
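Added example (not code from the deck or from any SCIM/SAML product): one way to carry a SCIM user in a SAML AttributeStatement while coping with the two things the slide calls out, complex structures and multi-valued attributes. The naming scheme is this example's assumption: attribute Name is "SCIM." plus the dotted path, with elements of a multi-valued attribute indexed (SCIM.emails[0].value), and the xsi:type records the primitive type so booleans survive the round trip. The sample user is constructed.

```python
"""Carry a SCIM user as SAML attributes and read it back (added example).
Naming scheme (assumption): Name = "SCIM." + dotted path, multi-valued
elements indexed, e.g. SCIM.emails[0].value."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
for _p, _u in (("saml", SAML_NS), ("xsi", XSI_NS), ("xs", XS_NS)):
    ET.register_namespace(_p, _u)

# Constructed sample: a complex attribute (name) and a multi-valued one (emails)
SAMPLE_USER = {
    "userName": "bjensen@example.com",
    "name": {"formatted": "Ms. Babs J Jensen III", "familyName": "Jensen"},
    "emails": [
        {"value": "bjensen@example.com", "type": "work", "primary": True},
        {"value": "babs@jensen.org", "type": "home"},
    ],
}

def _typed(v):
    """Map a SCIM primitive to (xsi:type, text). bool is checked first: it subclasses int."""
    if isinstance(v, bool):
        return "xs:boolean", "true" if v else "false"
    if isinstance(v, int):
        return "xs:integer", str(v)
    return "xs:string", str(v)

def flatten(obj, prefix="SCIM"):
    """Flatten a SCIM resource into {attribute Name: (xsi:type, text)}."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}.{k}"))
    elif isinstance(obj, list):  # multi-valued attribute: index every element
        for i, item in enumerate(obj):
            out.update(flatten(item, f"{prefix}[{i}]"))
    else:
        out[prefix] = _typed(obj)
    return out

def to_saml_attribute_statement(user):
    """Build a <saml:AttributeStatement> carrying the flattened SCIM user."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    stmt.set("xmlns:xs", XS_NS)  # declared so the xsi:type="xs:..." QNames resolve
    for name, (xs_type, text) in flatten(user).items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name, NameFormat=NAME_FORMAT)
        val = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
        val.set(f"{{{XSI_NS}}}type", xs_type)
        val.text = text
    return ET.tostring(stmt, encoding="unicode")

_TOKEN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:\[(\d+)\])?$")

def _set_path(root, path, value):
    """Write value at a dotted/indexed path, creating dicts and lists on the way."""
    cur, parts = root, path.split(".")
    for i, part in enumerate(parts):
        m = _TOKEN.match(part)
        if not m:
            raise ValueError(f"bad SCIM attribute path: {path}")
        key, idx, last = m.group(1), m.group(2), i == len(parts) - 1
        if idx is None:
            if last:
                cur[key] = value
            else:
                cur = cur.setdefault(key, {})
            continue
        lst, idx = cur.setdefault(key, []), int(idx)
        lst.extend([None] * (idx + 1 - len(lst)))
        if last:
            lst[idx] = value
        else:
            if lst[idx] is None:
                lst[idx] = {}
            cur = lst[idx]

def _from_typed(el):
    text = (el.text or "").strip()
    t = el.get(f"{{{XSI_NS}}}type", "xs:string")
    if t == "xs:boolean":
        return text == "true"
    if t == "xs:integer":
        return int(text)
    return text

def from_saml_attribute_statement(xml_text):
    """Rebuild the SCIM user dict; attributes without the SCIM. prefix are ignored."""
    root = ET.fromstring(xml_text)
    user = {}
    for attr in root.findall(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        if not name.startswith("SCIM."):
            continue
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            _set_path(user, name[len("SCIM."):], _from_typed(val))
    return user
```

The indexed naming is what makes the mapping reversible: a plain list of AttributeValue elements under one Attribute would lose which email address goes with which type. On the consuming side the JIT-provisioning code should still validate the rebuilt dict against the SCIM schema before creating the account, since the path syntax alone does not enforce it.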
SCIM & OAuth
1. Use SCIM to provision account for subsequent OAuth-based mobile access to SaaS APIs
2. Use OAuth to secure SCIM API calls
SCIM & OAuth
POST /User HTTP/1.1
Host: example.com
Accept: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>bjensen@example.com</userName>
  <externalId>701984</externalId>
  <emails>
    <email>
      <value>bjensen@example.com</value>
      <primary>true</primary>
      <type>work</type>
    </email>
  </emails>
</scim:User>
OAuth access token issued by the SaaS to the enterprise, to be used on subsequent SCIM calls
Note the difference from the archetypal OAuth delegated-authorization use case: here no end user delegates access; the enterprise itself is the client
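Added example of the resource-server side of the call above (not code from the deck or any SCIM implementation): the SaaS resolves the bearer token it issued to the enterprise, checks expiry and scope, and only then parses the SCIM User. The token store, the scope name "scim:write", the in-memory user store and the error responses are this example's assumptions; the request body is a constructed copy of the slide's.

```python
"""Bearer-token enforcement on a SCIM /User endpoint (added example).
Token store, scope name and user store are constructed for this example."""
import hashlib
import time
import xml.etree.ElementTree as ET

SCIM_NS = "urn:scim:schemas:core:1.0"
CHALLENGE = 'Bearer realm="scim"'

def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed token store keyed by SHA-256 of the token value, so a leaked
# store does not hand out usable bearer tokens. exp is epoch seconds.
TOKENS = {
    _h("h480djs93hd8"): {"client": "enterprise-idp", "scopes": {"scim:write"}, "exp": 2_000_000_000},
    _h("expired00000"): {"client": "enterprise-idp", "scopes": {"scim:write"}, "exp": 1_000_000_000},
    _h("readonly1234"): {"client": "audit-tool", "scopes": {"scim:read"}, "exp": 2_000_000_000},
}
USERS = {}  # provisioned users keyed by userName

# Constructed copy of the request body on the slide
SAMPLE_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>bjensen@example.com</userName><externalId>701984</externalId>
  <emails><email><value>bjensen@example.com</value><primary>true</primary><type>work</type></email></emails>
</scim:User>"""

def _bearer_token(headers):
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return value.strip() if scheme.lower() == "bearer" and value.strip() else None

def parse_scim_user(body):
    """Minimal SCIM 1.0 core User parser; raises ValueError on bad input."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as e:
        raise ValueError(f"malformed XML: {e}")
    if root.tag != f"{{{SCIM_NS}}}User":
        raise ValueError("expected a scim:User resource")
    user_name = (root.findtext("userName") or "").strip()
    if not user_name:
        raise ValueError("userName is required")
    emails = [{
        "value": (e.findtext("value") or "").strip(),
        "type": (e.findtext("type") or "").strip(),
        "primary": (e.findtext("primary") or "").strip() == "true",
    } for e in root.findall("emails/email")]
    return {"userName": user_name, "externalId": root.findtext("externalId"), "emails": emails}

def handle_post_user(headers, body, now=None):
    """Handle POST /User; returns (status, response headers, body)."""
    now = time.time() if now is None else now
    token = _bearer_token(headers)
    if token is None:                         # no credential at all: 401 plus challenge
        return 401, {"WWW-Authenticate": CHALLENGE}, ""
    meta = TOKENS.get(_h(token))
    if meta is None or meta["exp"] <= now:    # unknown or expired token
        return 401, {"WWW-Authenticate": CHALLENGE + ', error="invalid_token"'}, ""
    if "scim:write" not in meta["scopes"]:    # valid token, insufficient scope (RFC 6750)
        return 403, {"WWW-Authenticate": CHALLENGE + ', error="insufficient_scope", scope="scim:write"'}, ""
    try:                                      # authorize first, parse untrusted XML second
        user = parse_scim_user(body)
    except ValueError as e:
        return 400, {}, str(e)
    if user["userName"] in USERS:
        return 409, {}, "userName already exists"
    user["provisionedBy"] = meta["client"]    # record which client created the account
    USERS[user["userName"]] = user
    return 201, {"Location": f"/User/{user['userName']}"}, ""
```

Order matters: the token is checked before the body is parsed, so anonymous callers never reach the XML parser, and 401 versus 403 tells a legitimate client whether to get a new token or a token with more scope.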
SAML & OAuth
• 'Hybrid' – carry an OAuth token in SAML SSO messages
• 'Assertion profile' – use SAML assertions within an OAuth flow: trade the assertion for a token
• 'Sequencing' – use SAML SSO in order to authenticate the user to the AS
Copyright © 2011. Cloud Identity Summit. All Rights Reserved.
Demo
SAML & JWT & OAuth
• OAuth assertion profile (core protocol): how to use assertions for client authentication and as a grant type
• SAML and JWT profiles of the assertion profile: bindings for the specific assertion formats
SAML & JWT & OAuth
• Use a SAML assertion or JWT for OAuth client authentication and/or as an OAuth grant type
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=i1WsRn1uB1&
client_id=s6BhdRkqt3&
client_assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&
client_assertion=PHNhbWxwOl…...ZT
Client authenticating to the AS token endpoint using an assertion rather than a shared secret. (The client_assertion_type value above is the 2011 draft identifier; the published RFC 7522 uses urn:ietf:params:oauth:client-assertion-type:saml2-bearer, and RFC 7523 uses urn:ietf:params:oauth:client-assertion-type:jwt-bearer for JWT assertions.)
OpenID Connect
OpenID Connect == JWT & OAuth & identity
• OAuth is a general mechanism to authorize API access; OpenID Connect profiles the generic framework for sharing profile information and enabling an SSO protocol
• Uses the authorization code & implicit grant types – the pieces of OAuth optimized for user-consent scenarios
• Leverages the authorization & token endpoints & adds identity-based params to the core OAuth messages
• OpenID Provider
  – Adds to the OAuth 2.0 Authorization Server
    • Issues an id_token in addition to the access_token
  – Codifies a standardized Resource Server
    • UserInfo endpoint
• Relying Party
  – OAuth client to the endpoints exposed by the OpenID Provider
  – Implicit grant or authorization code flows
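Added example covering both the assertion-profile slide above (a JWT as client authentication at the token endpoint, RFC 7523) and the id_token the OpenID Provider issues here (not code from the deck or any OpenID library). Both sides share one minimal HS256 JWT sign/verify routine. Assumptions: a per-client shared secret used as the HMAC key (OpenID Connect Core uses the client_secret for HS256; most deployments use asymmetric keys instead), an in-memory jti replay cache, and the constructed issuer, endpoint and secret values below; the client_id and authorization code are the ones from the slide's request.

```python
"""JWTs at two points of the OAuth / OpenID Connect flow (added example):
(1) client_assertion instead of client_secret at the token endpoint;
(2) relying-party validation of the id_token. HS256 with a per-client
shared secret is an assumption of this example."""
import base64, hashlib, hmac, json, uuid

TOKEN_ENDPOINT = "https://server.example.com/token"      # assumed AS token endpoint
OP_ISSUER = "https://server.example.com"                  # assumed OP issuer value
CLIENT_ID = "s6BhdRkqt3"                                  # client_id from the slide's request
CLIENT_SECRET = b"constructed-client-secret-please-rotate"   # constructed
CLIENT_SECRETS = {CLIENT_ID: CLIENT_SECRET}               # AS-side client registry (constructed)
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
SEEN_JTI = set()                                          # replay cache for client assertions

def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_sign(claims, key):
    """Compact-serialize an HS256 JWT over the given claims."""
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def jwt_verify(token, key, now):
    """Check structure, pinned alg, signature and exp; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    head, body, sig = parts
    if json.loads(_unb64u(head)).get("alg") != "HS256":   # never honour "none" or a swapped alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64u(body))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims

# (1) client side: a short-lived assertion replaces client_secret in the token request
def token_request_form(code, now):
    assertion = jwt_sign({"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
                          "iat": now, "exp": now + 60, "jti": uuid.uuid4().hex}, CLIENT_SECRET)
    return {"grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
            "client_assertion_type": JWT_BEARER, "client_assertion": assertion}

# (1) AS side: authenticate the client from the assertion
def as_authenticate_client(form, now):
    if form.get("client_assertion_type") != JWT_BEARER:
        raise ValueError("unsupported client_assertion_type")
    client_id = form.get("client_id")
    key = CLIENT_SECRETS.get(client_id)
    if key is None:
        raise ValueError("unknown client")
    c = jwt_verify(form.get("client_assertion", ""), key, now)
    if c.get("iss") != client_id or c.get("sub") != client_id:
        raise ValueError("iss and sub must equal client_id")
    if c.get("aud") != TOKEN_ENDPOINT:                   # stops reuse at another AS
        raise ValueError("aud must be this token endpoint")
    jti = c.get("jti")
    if not jti or jti in SEEN_JTI:                       # one-time use
        raise ValueError("missing or replayed jti")
    SEEN_JTI.add(jti)
    return client_id

# (2) OP issues an id_token; RP validates it
def op_issue_id_token(sub, nonce, now):
    return jwt_sign({"iss": OP_ISSUER, "sub": sub, "aud": CLIENT_ID,
                     "iat": now, "exp": now + 300, "nonce": nonce}, CLIENT_SECRET)

def rp_validate_id_token(id_token, expected_nonce, now):
    c = jwt_verify(id_token, CLIENT_SECRET, now)
    if c.get("iss") != OP_ISSUER:
        raise ValueError("wrong issuer")
    aud = c.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("id_token not issued to this RP")
    if c.get("nonce") != expected_nonce:                 # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return c["sub"]
```

The same verification core serves both roles, but the claim checks differ: the AS insists that iss and sub are the client and that aud is its own token endpoint, while the RP insists that iss is the OP, aud contains its own client_id and the nonce matches the one it sent in the authorization request.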
OpenID Connect
[Diagram: base OAuth – Client, User Agent, AS, RS: 1) get a token from the AS, 2) use the token at the RS. OpenID Connect – same parties plus the UserInfo endpoint as RS: 1) get a token, 2) read the id_token, 3) use the access token at UserInfo. Ignoring the distinction as to whether the tokens actually flow front-channel, or instead back-channel after a front-channel step.]
UMA
UMA == OAuth + centralized authz
1. OAuth allows for pairwise app-to-app connections. UMA, in addition, defines a hub from which many pairwise sharing connections can be managed, controlled, and revoked.
2. OAuth solves for person-to-self sharing. UMA, in addition, solves for secure person-to-person sharing and person-to-organization sharing.
3. OAuth leaves unstated how its "authorization server" and "resource server" components interact. UMA fully defines a standard interface between its enhanced versions of these two components, the authorization manager and host.
From the UMA FAQ
XACML?
Compose: speculative
• XACML policy (a TBD JSON binding) inside a JWT??? Extends the simple scope model
• Interplay between SCIM-provisioned attributes & SaaS XACML policies?
• RESTful authz query for XACML? PEP sends an access token to the PDP (along with scopes); the PDP resolves the token as necessary and returns yes/no to the PEP
[Diagram: AS issues a token to the Client; the Client presents it to the PEP in front of the RS; the PEP queries the PDP, which answers y/n]
Questions