Slide deck from Mike Schwartz's keynote address at ID Next 2013 in The Hague, Netherlands. His speech discussed what tools and rules are needed for scaling federations to include networks of trusted Identity Providers (IDP's) and Service Providers (SP's).
1. OAuth2 Federation
Michael Schwartz, Founder / CEO, Gluu
Idnet’13 event – 19-20 November 2013
#idn13
IDentity.next’11 – What’s next on Identity?
www.everett.nl
7. Access by affiliation
Access by attribute
Access by individual
…some of the original goals of InCommon
IDentity.next’13 – What is the value of your Identity?
8. Level Of Assurance
Level Of Protection
Level Of Control
Federation is not a protocol! It is not SSO with an external web site. It’s a group of autonomous parties cooperating via a central authority.
People are empowered by associating with an organization. An organization is empowered by joining a federation. Federations are empowered by joining inter-federations! No one knows more about federations than the Dutch.
The goal of online federations is to build trust… trust enables collaboration between autonomous domains.
The Internet is probably the world’s biggest federation… but there isn’t much trust.
Smaller groups of domains can create more trust. However, trust can also be expensive, so more efficient frameworks were sought.
InCommon is a good example of a multi-party federation
The federations I’m interested in built a framework for security. These goals were articulated by RL Bob more than a decade ago and still hold today. But the goals have expanded.
Federations provide the contractual rules… Level of Assurance, Level of Protection, Level of Control
Federations also provide the tools: choose standard protocols, define standard jargon, certify software, publish websites…
Federations are based on public key – private key cryptography… how are the public keys distributed? This is the trust model!
The metadata is just a big list of the certificates for all the IDPs and SPs. It’s a handy place to publish other information about the participants.
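The slide describes federation metadata as the trust anchor: a signed list of every participant's certificates that each IDP and SP consumes. The following is an added example, not code from the deck or from Gluu, showing how a relying party turns such a metadata file into a trust list and checks a presented certificate against it. The metadata document, the entityIDs and the certificate bytes are all constructed (the certificates are placeholder bytes, not real X.509 DER); a real deployment verifies the federation's XML signature on the metadata before trusting anything in it.

```python
"""Federation metadata as a trust list (constructed example, not Gluu code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed: placeholder bytes stand in for DER-encoded X.509 certificates.
IDP_CERT = base64.b64encode(b"constructed-idp-certificate-bytes").decode()
SP_CERT = base64.b64encode(b"constructed-sp-certificate-bytes").decode()

# Constructed aggregate metadata with one IDP and one SP (entityIDs are made up).
FEDERATION_METADATA = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def fingerprint_b64(cert_b64: str) -> str:
    """SHA-256 over the decoded certificate bytes, as found in metadata."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def load_trust_list(metadata_xml: str) -> dict:
    """Map each entityID to its roles (IDP/SP) and the fingerprints of its published certs.

    Assumes the caller has already verified the metadata signature; this
    function only parses what the federation published.
    """
    root = ET.fromstring(metadata_xml)
    trust = {}
    for ent in root.findall("md:EntityDescriptor", NS):
        entity_id = ent.get("entityID")
        roles, fps = set(), set()
        for role_tag, role_name in (("IDPSSODescriptor", "IDP"), ("SPSSODescriptor", "SP")):
            for role in ent.findall(f"md:{role_tag}", NS):
                roles.add(role_name)
                for cert in role.findall(".//ds:X509Certificate", NS):
                    # Strip whitespace: metadata often wraps base64 across lines.
                    fps.add(fingerprint_b64("".join(cert.text.split())))
        trust[entity_id] = {"roles": roles, "fingerprints": fps}
    return trust


def is_trusted(trust: dict, entity_id: str, cert_der: bytes, expected_role: str) -> bool:
    """True only if this exact entityID is in the federation, in the expected role,
    and the presented certificate is one the federation published for it."""
    entry = trust.get(entity_id)
    if entry is None or expected_role not in entry["roles"]:
        return False
    return hashlib.sha256(cert_der).hexdigest() in entry["fingerprints"]


if __name__ == "__main__":
    trust = load_trust_list(FEDERATION_METADATA)
    for eid, entry in trust.items():
        print(eid, sorted(entry["roles"]), sorted(entry["fingerprints"]))
    print(is_trusted(trust, "https://idp.example.edu/idp", b"constructed-idp-certificate-bytes", "IDP"))
```

The important design choice is that trust is keyed on the exact entityID plus role plus certificate: an entity that appears in the metadata only as an SP cannot sign assertions as an IDP, and a certificate that is not in the metadata is rejected even if it is otherwise valid. That is the "trust model" the slide refers to: the federation's metadata, not a general-purpose CA hierarchy, decides which keys are trusted.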
Only one problem… SAML is not going to be ubiquitous on the Internet. October 2012: the final OAuth2 RFC was published, followed by a proliferation of OAuth2 APIs for authentication.
Enter OpenID Connect: one OAuth2 API so developers won’t have to learn one API for FB and one API for Google.
Connect defines more than authentication: discovery and client registration…
Connect is not the only profile of OAuth2: UMA provides a profile for authorization, defining who can get to what web sites or APIs.
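Discovery and client registration are the two pieces of OpenID Connect that make it usable across many providers: a client derives the provider's configuration document from its issuer URL, then registers itself dynamically instead of being provisioned by hand. The following is an added example, not code from the deck or from Gluu, showing the checks a client should make on a discovery document before relying on it (the issuer value must match the issuer it was derived from, endpoints must be https, the required fields must be present) and how a registration request is assembled from it. The issuer, the discovery document and the client details are constructed; nothing is fetched over the network.

```python
"""OpenID Connect discovery and dynamic registration checks (constructed example, not Gluu code)."""
import json
from urllib.parse import urlsplit, urlunsplit

# Fields OpenID Connect Discovery marks as REQUIRED in the provider configuration.
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                   "userinfo_endpoint", "registration_endpoint")

# Constructed issuer and configuration document; op.example.com does not exist.
ISSUER = "https://op.example.com/tenant1"
DISCOVERY_DOC = json.loads("""{
  "issuer": "https://op.example.com/tenant1",
  "authorization_endpoint": "https://op.example.com/tenant1/authorize",
  "token_endpoint": "https://op.example.com/tenant1/token",
  "userinfo_endpoint": "https://op.example.com/tenant1/userinfo",
  "jwks_uri": "https://op.example.com/tenant1/jwks",
  "registration_endpoint": "https://op.example.com/tenant1/register",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")


def discovery_url(issuer: str) -> str:
    """Well-known URL for an issuer: the path suffix is appended to the issuer path."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    path = parts.path.rstrip("/") + "/.well-known/openid-configuration"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def validate_discovery(issuer: str, doc: dict) -> list:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    for key in REQUIRED_FIELDS:
        if key not in doc:
            problems.append(f"missing required field {key}")
    # The issuer inside the document must equal the issuer we derived the URL from;
    # accepting a different value lets one provider impersonate another.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: expected {issuer}, got {doc.get('issuer')}")
    for key in ENDPOINT_FIELDS:
        url = doc.get(key)
        if url is not None and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append("RS256 must be among id_token_signing_alg_values_supported")
    return problems


def registration_request(doc: dict, client_name: str, redirect_uris: list) -> dict:
    """Build a dynamic client registration request from a validated discovery document."""
    if "registration_endpoint" not in doc:
        raise ValueError("provider does not advertise a registration_endpoint")
    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https" or parts.fragment:
            raise ValueError(f"redirect_uri must be https without fragment: {uri}")
    body = {
        "client_name": client_name,
        "redirect_uris": redirect_uris,
        "response_types": ["code"],
        "grant_types": ["authorization_code"],
        "token_endpoint_auth_method": "client_secret_basic",
        "id_token_signed_response_alg": "RS256",
    }
    return {"endpoint": doc["registration_endpoint"], "body": body}


if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(validate_discovery(ISSUER, DISCOVERY_DOC))
    print(json.dumps(registration_request(DISCOVERY_DOC, "Example RP",
                                          ["https://rp.example.org/callback"]), indent=2))
```

The issuer comparison is the check most worth keeping: a client that fetches the configuration for one issuer but accepts a document naming another has no way to tell which provider it is actually talking to, which undoes the point of a federation built on known participants.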
How to use OAuth2 for federations? Building the first bridge…
Federations are a journey… the hardest part of the journey is the first step.