Hope or Hype: A Look at the Next Generation of Identity Standards
•Download as PPTX, PDF•
5 likes•2,213 views
OpenID Connect, OAuth, JOSE and JWT may be the new kids on the block, but many experts and visionaries have already anointed them to replace SAML. Is the wheel being needlessly reinvented or is genuine progress on the horizon? Brian Campbell, Portfolio Architect, Ping Identity
Recommended
Recommended
More Related Content
More from Brian Campbell
More from Brian Campbell (15)
Recently uploaded
Recently uploaded (20)
Hope or Hype: A Look at the Next Generation of Identity Standards
- 1. Brian Campbell CIS Napa July 2013 @__b_cbackground and layout of slides specially designed for @lpeterman & @NishantK
- 5. WTF “SAML is dead”? I‟ve got a mortgage to pay… *Disclaimer: I work with these guys at Ping But I just started this job! @paulmadsen @ian13550
- 7. • OpenID Connect • simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications. • design philosophy: “make simple things simple and make complicated things possible.” • Wins 2012 European Identity and Cloud Award • “OpenID Connect the award[ed] Best Innovation/New Standard this year. What‟s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!” - Dave Kearns • “spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.” http://openid.net/2012/04/18/openid-connect-wins-2012-european-identity-and-cloud-award/
- 8. May, 2010: Conceptual Debut of Connect time elapses February, 2012: 1st Implementer‟s Drafts March 2012 time elapses May, 2013: 2nd Implementer‟s Drafts …? https://twitter.com/__b_c/status/181884679513833473 three nerds holding a blurry piece of paper... *Disclaimer: this guy also „works‟ for Ping And I know these guys reasonably well from various initiatives http://www.thread-safe.com/2012/04/openid-connect-wins-2012-european.html “The OpenID Connect specifications are expected to be completed in the second half of 2012.” @selfissued @_nat_en @ve7jtb
- 10. *I did actually receive permission to use this photo @JasonABonds
- 14. Discovery Client Relying Party Resource Server Authorization Server Identity Provider or IDP or OpenID Provider or OP Authorization Endpoint Token Endpoint Important Stuff Userinfo Endpoint Registration Endpoint JWKS Endpoint JWKS Endpoint Validate (JWT) ID Token /.well-known /webfinger /openid-configuration Check Session IFrame End Session Endpoint
- 15. The JWT eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKIm V4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZ VMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0 SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg The Header {"kid":"5","alg":"ES256"} The Payload {"iss":"https://idp.example.com", "exp":1357255788, "aud":"https://sp.example.org", "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A", "acr":"2", "sub":"Brian"} The Signature [computery junk]
- 16. eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC 5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK 4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg <Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z” ID="oPm.DxOqT3ZZi83IwuVr3x83xlr" xmlns="urn:oasis:names:tc:SAML:2.0:assertion” xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <Issuer>https://idp.example.com</Issuer> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/> <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue> </ds:Signature> <Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/> </SubjectConfirmation> </Subject> <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z"> <AudienceRestriction> <Audience>https://sp.example.org</Audience> </AudienceRestriction> </Conditions> <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr"> <AuthnContext> <AuthnContextClassRef>2</AuthnContextClassRef> </AuthnContext> </AuthnStatement> </Assertion>
- 21. Brian Campbell CIS Napa July 2013 @__b_c
- 22. SAML Any Questions? Brian Campbell CIS Napa July 2013 @__b_c
Editor's Notes
- Last year in Vail, CO…
- I wrote some SAML code 2 weeks ago"at the end of the day, if you want to talk to me, you need to talk SAML” - a Fortune 100 financial services organization
- Lots of hype
- My first look in March 2012Too big & unwieldy. Too much duplication.A review takes days. Inconsistencies arise.Long and drawn out process. Drafts spanning 4 WGs and 2 standards bodies.Attention of various participants comes and goes. Number of day to day participants isn’t huge. These 3 accepting the award.No HTTP POST.No IDP init until very recently (and maybe hasn’t been well vetted).
- Often asked What makes Connect Better than SAML? Why would you chose one over the other? Struggled to answer.
- Despite all that, there are some things that really I’m encouraged by. An opportunity to do some things better.
- A year later…
- Fighting the password sharing anti-patternGet a token, use a token
- “a simple identity layer on top of the OAuth 2.0 protocol”
- Talk though example: claims then header (dot concatenated base64url segments)Can also be OAuth access tokens (among other things)JWT & JWS are some of the underpinnings of connectThere’s also JWE -> Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag (Authenticated Encryption only, which is nice)
- TheJWT from previous slide alongside a roughlycomparable SAML Assertion (which usually still needs to be encoded and or wrapped in a Response)
- (among others) Brad Hill shown @ CIS2011 is smaht
- Basically bare keys in JSON Can be-published at an HTTPS endpoint-saved in a file, sent in an email-used in place of self signed certificatesThe kid field/header can be the linkPotential for well defined and interoperable key roll over (I even wrote this into connect)