OpenID Connect, OAuth, JOSE and JWT may be the new kids on the block, but many experts and visionaries have already anointed them to replace SAML. Is the wheel being needlessly reinvented or is genuine progress on the horizon?
Brian Campbell, Portfolio Architect, Ping Identity
7. OpenID Connect
• simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications.
• design philosophy: "make simple things simple and make complicated things possible."
• Wins 2012 European Identity and Cloud Award
• "OpenID Connect the award[ed] Best Innovation/New Standard this year. What's most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!" - Dave Kearns
• "spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale."
http://openid.net/2012/04/18/openid-connect-wins-2012-european-identity-and-cloud-award/
8. Timeline
• May 2010: conceptual debut of Connect
• (time elapses)
• February 2012: 1st Implementer's Drafts
• March 2012
• (time elapses)
• May 2013: 2nd Implementer's Drafts
• …?
https://twitter.com/__b_c/status/181884679513833473
(Photo: three nerds holding a blurry piece of paper...)
*Disclaimer: this guy also "works" for Ping. And I know these guys reasonably well from various initiatives.
http://www.thread-safe.com/2012/04/openid-connect-wins-2012-european.html
"The OpenID Connect specifications are expected to be completed in the second half of 2012."
@selfissued @_nat_en @ve7jtb
14. Discovery (diagram of the parties and endpoints)
Parties:
• Client / Relying Party
• Resource Server
• Authorization Server, a.k.a. Identity Provider or IDP or OpenID Provider or OP
Endpoints:
• Authorization Endpoint
• Token Endpoint
• Userinfo Endpoint
• Registration Endpoint
• JWKS Endpoint (appears twice in the diagram; a JWKS can be published by the RP as well as by the OP)
• Check Session IFrame
• End Session Endpoint
Discovery:
• /.well-known/webfinger
• /.well-known/openid-configuration
Important Stuff: Validate the (JWT) ID Token
I wrote some SAML code 2 weeks ago. "At the end of the day, if you want to talk to me, you need to talk SAML" - a Fortune 100 financial services organization
Lots of hype
My first look in March 2012: Too big & unwieldy. Too much duplication. A review takes days. Inconsistencies arise. Long and drawn out process. Drafts spanning 4 WGs and 2 standards bodies. Attention of various participants comes and goes. Number of day to day participants isn't huge. These 3 accepting the award. No HTTP POST. No IDP init until very recently (and maybe hasn't been well vetted).
Often asked: What makes Connect better than SAML? Why would you choose one over the other? Struggled to answer.
Despite all that, there are some things that really I’m encouraged by. An opportunity to do some things better.
A year later…
Fighting the password sharing anti-pattern: Get a token, use a token.
“a simple identity layer on top of the OAuth 2.0 protocol”
Talk through example: claims, then header (dot-concatenated base64url segments). Can also be OAuth access tokens (among other things). JWT & JWS are some of the underpinnings of Connect. There's also JWE -> Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag (authenticated encryption only, which is nice).
The JWT from the previous slide alongside a roughly comparable SAML Assertion (which usually still needs to be encoded and/or wrapped in a Response).
(among others) Brad Hill shown @ CIS2011 is smaht
Basically bare keys in JSON. Can be: published at an HTTPS endpoint; saved in a file, sent in an email; used in place of self-signed certificates. The kid field/header can be the link. Potential for well-defined and interoperable key roll-over (I even wrote this into Connect).
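Added example, not code from the deck or from Ping: it ties together the JWT/JWS notes above (dot-concatenated base64url segments, JWS with 3 segments vs JWE with 5) and the JWK notes (bare keys in JSON, the kid header as the link into a published JWKS, and key roll-over), finishing with the ID Token claim checks the Discovery slide calls "important stuff". It uses HS256 with symmetric "oct" JWKs so it runs on the Python standard library alone; the segment layout, kid linkage and roll-over pattern are the same for RS256 with RSA keys. The issuer, client_id, kids and key bytes are constructed for the demo.

```python
"""JWS compact serialization, kid-based JWKS lookup, key roll-over and
ID Token claim checks. Added example, not code from the deck or from Ping.
HS256 with symmetric "oct" JWKs keeps it standard-library only; the
three dot-separated base64url segments, the kid link and the roll-over
pattern are identical for RS256 with RSA keys. All identifiers and key
material below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    # JOSE base64url: URL-safe alphabet with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_secret(jwk: dict) -> bytes:
    # An "oct" JWK carries the raw key in "k", base64url-encoded (RFC 7518 s6.4).
    return b64url_decode(jwk["k"])


def jws_sign(claims: dict, jwk: dict) -> str:
    """header.payload.signature; the header's kid names the key in the JWKS."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(jwk_secret(jwk), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def split_compact(token: str) -> dict:
    """JWS has 3 segments; JWE has 5 (Header.EncryptedKey.IV.Ciphertext.Tag)."""
    parts = token.split(".")
    kind = {3: "JWS", 5: "JWE"}.get(len(parts))
    if kind is None:
        raise ValueError("not a compact JWS/JWE serialization")
    return {"type": kind, "header": json.loads(b64url_decode(parts[0]))}


def jws_verify(token: str, jwks: dict) -> dict:
    """Verify the MAC with the JWKS key whose kid matches the protected header."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the alg; never let the token choose it
        raise ValueError("unexpected alg")
    keys = [k for k in jwks["keys"]
            if k.get("kty") == "oct" and k.get("kid") == header.get("kid")]
    if len(keys) != 1:
        raise ValueError("no unique key for kid %r" % header.get("kid"))
    expected = hmac.new(jwk_secret(keys[0]),
                        (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def validate_id_token(token: str, jwks: dict, issuer: str, client_id: str, now=None) -> dict:
    """A good signature is not enough: the RP also checks iss, aud and exp."""
    claims = jws_verify(token, jwks)
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("aud mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# Constructed demo material: the JWKS as an OP might publish it at its jwks_uri.
ISSUER, CLIENT_ID = "https://op.example", "rp-client-1"
OLD_KEY = {"kty": "oct", "kid": "2013-05", "k": b64url_encode(b"old-demo-secret-not-for-real-use")}
NEW_KEY = {"kty": "oct", "kid": "2013-06", "k": b64url_encode(b"new-demo-secret-not-for-real-use")}


def demo(now: int = 1370000000) -> dict:
    """Roll-over: publish the new key beside the old, switch signing, retire the old."""
    jwks = {"keys": [OLD_KEY]}
    claims = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": now, "exp": now + 600}
    out = {}
    tok_old = jws_sign(claims, OLD_KEY)
    jwks["keys"].append(NEW_KEY)        # step 1: both kids published in the JWKS
    tok_new = jws_sign(claims, NEW_KEY)  # step 2: OP starts signing with the new kid
    out["old_valid"] = validate_id_token(tok_old, jwks, ISSUER, CLIENT_ID, now)["sub"]
    out["new_valid"] = validate_id_token(tok_new, jwks, ISSUER, CLIENT_ID, now)["sub"]
    jwks["keys"].remove(OLD_KEY)        # step 3: old key retired from the JWKS
    hdr, _, sig = tok_new.split(".")
    forged = json.dumps(dict(claims, sub="mallory"), separators=(",", ":")).encode()
    for name, tok in (("old_after_retire", tok_old),
                      ("tampered", ".".join([hdr, b64url_encode(forged), sig])),
                      ("expired", jws_sign(dict(claims, exp=now - 1), NEW_KEY))):
        try:
            validate_id_token(tok, jwks, ISSUER, CLIENT_ID, now)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows the roll-over window: while both kids are in the JWKS, tokens signed under either validate; once the old key is removed, the old token fails on kid lookup rather than on a crypto error, which is exactly the signal an RP wants when it has a stale cached JWKS. The alg pin in jws_verify is deliberate: selecting the key by kid but letting the token pick the algorithm is how the well-known "alg confusion" class of JWT bugs arises.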