oidc how it solves your problems
TRANSCRIPT
![Page 1: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/1.jpg)
Report from Cloud Identity Summit 2013
How does OpenID Connect solve your problems?
2013/9/4
Nat Sakimura, Nomura Research Institute; Chairman, The OpenID Foundation; @_nat_en; http://nat.sakimura.org/
![Page 2: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/2.jpg)
© 2013 by Nomura Research Institute. All rights reserved.
B2E Identity
B2C Identity
G2C Identity
G2E Identity
(source of pictures: Microsoft Office Online)
![Page 3: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/3.jpg)
? "Does OpenID Connect have anything to do with the enterprise? Isn't it a consumer technology?"
![Page 4: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/4.jpg)
Not quite.
...because I have a very enterprisey background...
![Page 5: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/5.jpg)
OpenID Connect was designed with enterprise use in mind (consumer use too, of course).
It is effective for building access governance for cloud services.
![Page 6: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/6.jpg)
Q: What are the de facto federation and account provisioning protocols?
![Page 7: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/7.jpg)
Identity Federation
• SAML?
Account Provisioning
• SPML?
![Page 8: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/8.jpg)
No!
![Page 9: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/9.jpg)
Identity Federation
• Password sharing
Account Provisioning
• Custom CSV files
![Page 10: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/10.jpg)
? Why did they fail?
![Page 11: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/11.jpg)
Too hard to understand: cognitive difficulty turns into implementation difficulty.
Poor interoperability between products.
One large manufacturer:
▪ > 3000 partners all around the world
▪ Many of them were working with multiple companies
▪ Tried to create a SAML federation but failed.
![Page 12: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/12.jpg)
CSV is easy.
• All you need is Excel!
• And you can edit it by hand!
Password sharing is easy too.
• It works with every application that supports passwords!
![Page 13: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/13.jpg)
Hooray!
![Page 14: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/14.jpg)
? Hooray???
![Page 15: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/15.jpg)
Something that three or more people know is not a secret!
Synchronization breaks easily. Manual editing is a risk. De-provisioning? Archiving? What about audit trails? etc...
![Page 16: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/16.jpg)
#fail
![Page 17: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/17.jpg)
Let's start over! And this time, make it dead simple!
Reinventing the wheel? Yes. But this time the wheel is a bit rounder.
![Page 18: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/18.jpg)
OpenID Connect & SCIM
![Page 19: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/19.jpg)
SAML vs. OpenID Connect

| SAML Web SSO | OpenID Connect |
|---|---|
| XML | JSON |
| XML Dsig | JSON Web Signature (JWS) |
| XML Encryption | JSON Web Encryption (JWE) |
| SAML (token format) | JSON Web Token (JWT) |
| SAML Assertion | ID Token (OIDC) |
| SOAP (mostly...) | REST |
| SAML Web SSO Profile | Standard (= OAuth 2.0 binding) |
| SPML | SCIM |
![Page 20: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/20.jpg)
identity: a set of attributes related to an entity
(ISO/IEC 29115 | ITU-T X.1254)
Note: distinguish identity and identifier carefully.
![Page 21: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/21.jpg)
An example of "identity"
Employee number: A12349898
Name: Taro Yamada
Title: General Manager
Department: Finance
Company: ABCD Holdings
Location: NYHQ
Date/time: 20130809T12:34:11Z
![Page 22: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/22.jpg)
[Figure: the same identity attributes (employee number A12349898, name Taro Yamada, title General Manager, department Finance, company ABCD Holdings, location NYHQ, date/time 20130809T12:34:11Z) feeding three consumers: logging, the user interface, and access control information]
![Page 23: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/23.jpg)
[Figure: an Entity whose Identity is a set of attributes (real name, professional qualification, department, geo-location, employee number) is authenticated and then reaches a Resource through a Policy Enforcement point that evaluates Rules]
![Page 24: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/24.jpg)
ABAC
Based on the SP 800-162 figure on page viii
[Figure: entity, identity, resource, rules]
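The ABAC figure above, carried through in working code as an added example (not code from the slides or from any product they mention): a tiny policy decision point in the SP 800-162 shape, where the subject attributes come from the kind of claims an IdP delivers (the employee-number / department / title / location set on the earlier slide) and the request time is the dynamic attribute that requirement R1 asks for. The claim names, the HQ location set, the three policy rules and the sample subjects and resource are all constructed for illustration; the point is that the same attribute set drives the decision and the audit record.

```python
# Added example, not from the original slides: a minimal ABAC decision in the
# shape of the SP 800-162 figure (entity, identity attributes, resource, rules).
# Claim names, HQ locations, the policy rules and the sample requests are all
# constructed for illustration.
from datetime import datetime, timezone

HQ_LOCATIONS = {"NYHQ", "TYOHQ"}  # assumed set of headquarters locations


def at(iso: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2013-08-09T12:34:11Z'."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


# Policy Administration Point: an ordered rule list.  The first rule whose
# predicate holds decides (so explicit denies go first); no match means deny.
POLICY = [
    {"id": "no-approval-off-hq", "effect": "deny", "actions": {"approve"},
     "when": lambda s, r, e: s.get("location") not in HQ_LOCATIONS},
    {"id": "finance-reads-in-hours", "effect": "permit", "actions": {"read"},
     "when": lambda s, r, e: r["type"] == "ledger"
                             and s.get("department") == "Finance"
                             and 8 <= e["time"].hour < 20},          # dynamic attribute
    {"id": "head-approves-own-ledger", "effect": "permit", "actions": {"approve"},
     "when": lambda s, r, e: r["type"] == "ledger"
                             and s.get("title") == "General Manager"
                             and s.get("department") == r["owner_department"]},
]


def subject_from_claims(claims: dict) -> dict:
    """Policy Information Point: take subject attributes only from the IdP's claims
    (the authoritative source, requirement R2), never from a client-supplied profile."""
    return {"employee_number": claims["sub"], "name": claims.get("name"),
            "title": claims.get("title"), "department": claims.get("department"),
            "location": claims.get("location")}


def decide(subject: dict, resource: dict, action: str, env: dict) -> tuple:
    """Policy Decision Point: returns (effect, rule id)."""
    for rule in POLICY:
        if action in rule["actions"] and rule["when"](subject, resource, env):
            return rule["effect"], rule["id"]
    return "deny", "default-deny"


def enforce(claims: dict, resource: dict, action: str, when: datetime, audit: list) -> bool:
    """Policy Enforcement Point: decide, then write an audit record built from the
    same attributes, so the log shows *why* access was granted or refused."""
    subject = subject_from_claims(claims)
    effect, rule_id = decide(subject, resource, action, {"time": when})
    audit.append({"time": when.isoformat(), "employee_number": subject["employee_number"],
                  "department": subject["department"], "location": subject["location"],
                  "resource": resource["id"], "action": action,
                  "effect": effect, "rule": rule_id})
    return effect == "permit"


# Constructed sample data, following the attribute set on the slide.
YAMADA = {"sub": "A12349898", "name": "Taro Yamada", "title": "General Manager",
          "department": "Finance", "location": "NYHQ"}
SALES_HEAD = {"sub": "B00000001", "name": "Hanako Sato", "title": "General Manager",
              "department": "Sales", "location": "NYHQ"}
LEDGER = {"id": "ledger-2013Q3", "type": "ledger", "owner_department": "Finance"}

if __name__ == "__main__":
    log = []
    enforce(YAMADA, LEDGER, "read", at("2013-08-09T12:34:11Z"), log)        # permit
    enforce(YAMADA, LEDGER, "read", at("2013-08-09T23:10:00Z"), log)        # deny: out of hours
    enforce(YAMADA, LEDGER, "approve", at("2013-08-09T12:34:11Z"), log)     # permit
    enforce(SALES_HEAD, LEDGER, "approve", at("2013-08-09T12:34:11Z"), log) # deny: not own ledger
    for entry in log:
        print(entry)
```

Rule order matters only for the explicit deny: putting it first means a General Manager working from a non-HQ location is refused by "no-approval-off-hq" rather than silently falling through, which is what you want an auditor to see in the log.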
![Page 25: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/25.jpg)
Requirements
• R1: Access control MUST be done with dynamic attributes.
• R2: Identity MUST be provided from the authoritative source.
• R3: Need to be able to provide flexible security.
• R4: Need to be dead simple.
• R5: Interoperability is king.
• R6: Limited-connection (esp. mobile) ready.
• R7: Unified technology for enterprise and consumer.
![Page 26: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/26.jpg)
[Figure: the same architecture with its components named. Identity attributes (name, qualifications, department, location, employee number, title) describe the Entity; the Entity is authenticated and reaches the Resource through a PEP, which consults a PDP backed by a PAP / PIP (the boss, metadata), with logs written on both sides; application accounts are created by account provisioning.]
• Authentication: e.g., OpenID / SAML
• Account provisioning: e.g., SCIM / SPML
• Access control (authorization): e.g., XACML / JACML?
![Page 27: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/27.jpg)
From experience implementing OpenID Connect
![Page 28: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/28.jpg)
Do honor the MUSTs.
• Several implementations skipped MUSTs and created security holes.
Do not send an access token, without the ID token, to another client or machine.
• That leaves you vulnerable to token substitution attacks.
• http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
Pay close attention to the server-side processing cost of "code" and "token".
• One implementation handles 2000 transactions/s; at that rate the cost of signing and encryption must be watched carefully.
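The token substitution problem on this slide, shown as an added example (not code from the slides, from the linked post, or from any OpenID Connect library): a relying party that accepts any access token that resolves at UserInfo as a login is fooled by a token the victim handed to a different client, whereas an ID token carries an audience and a nonce that the relying party is required to check. Everything in the block is constructed: the issuer URL, the client IDs "good-app" and "evil-app", the HS256 client secret, the dictionary standing in for the IdP's token store, and the user. Only the standard library is used.

```python
# Added example, not from the original slides: the token-substitution problem
# behind "do not use a bare access token for authentication", next to the ID
# token checks OpenID Connect requires of the relying party (signature, issuer,
# audience, expiry, nonce).  Issuer, client IDs, secret, token store and user
# are all constructed.  Pure standard library.
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.com"            # assumed issuer identifier
CLIENT_SECRET = b"assumed-shared-secret"       # assumed HS256 key; see issue_id_token

# Constructed stand-in for the IdP's token store / UserInfo endpoint.  The victim
# logged in to a *different* client ("evil-app"), which kept the access token.
ACCESS_TOKENS = {"at-issued-to-evil-app": {"sub": "A12349898", "issued_to": "evil-app"}}


def login_with_access_token_only(access_token: str) -> str:
    """Anti-pattern.  The RP asks UserInfo 'whose token is this?' and treats the
    answer as proof that the user is logging in *here*.  A plain access token says
    nothing about which client it was issued to, so the token evil-app holds
    authenticates evil-app as the victim at every RP that does this."""
    info = ACCESS_TOKENS.get(access_token)
    if info is None:
        raise ValueError("unknown access token")
    return info["sub"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub: str, client_id: str, nonce: str, now: int,
                   secret: bytes = CLIENT_SECRET) -> str:
    """IdP side: a JWS (HS256) ID token bound to one client through 'aud'.  In the
    usual RS256 deployment one IdP key signs every client's token, so the audience
    check in validate_id_token is the real barrier; a single shared HS256 secret is
    used here only to stay dependency-free and models that same situation."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": client_id,
              "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, client_id: str, expected_nonce: str, now: int,
                      secret: bytes = CLIENT_SECRET) -> dict:
    """RP side: the core checks of OpenID Connect Core section 3.1.3.7 (a subset)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":                 # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + c).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("issued to a different client")   # the token-substitution check
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")           # an old token replayed into a new session
    return claims


def login_with_id_token(id_token: str, client_id: str, expected_nonce: str, now: int) -> str:
    """Correct pattern: authenticate the user from a validated ID token; the access
    token that arrived with it is for API calls, not for deciding who is present."""
    return validate_id_token(id_token, client_id, expected_nonce, now)["sub"]


def rejection_reason(id_token: str, client_id: str, expected_nonce: str, now: int):
    """Return the validation error message, or None if the token is accepted."""
    try:
        validate_id_token(id_token, client_id, expected_nonce, now)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    now = 1376051651                                  # constructed clock: 2013-08-09T12:34:11Z
    # The victim's token from evil-app walks straight in at a bearer-only RP...
    print("bearer-only login ->", login_with_access_token_only("at-issued-to-evil-app"))
    # ...but the matching ID token is refused by good-app because aud != good-app.
    evil_id = issue_id_token("A12349898", "evil-app", "nonce-1", now)
    print("ID token from evil-app at good-app ->", rejection_reason(evil_id, "good-app", "nonce-1", now + 10))
    good_id = issue_id_token("A12349898", "good-app", "nonce-1", now)
    print("ID token for good-app at good-app ->", login_with_id_token(good_id, "good-app", "nonce-1", now + 10))
```

The order of checks is deliberate: the signature is verified before any claim is read, so nothing in an unauthenticated payload influences control flow, and the algorithm is pinned by the relying party rather than taken from the token header.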
![Page 29: Oidc how it solves your problems](https://reader035.vdocuments.mx/reader035/viewer/2022062513/556615a3d8b42a7d608b49a9/html5/thumbnails/29.jpg)