SESSION ID: SEM-M04
#RSAC
Brian Campbell
Identity and Access Management: Past/Present/Future, SAML, OAuth, FIDO, OIDC, other acronyms, and emerging trends
Distinguished Engineer, Ping Identity
@__b_c
I am going to talk about IAM
Identity and Access Management
let the right people access what they need
keep the wrong people out
1961: Password Invented
Back Where It All Begins
Okay, passwords are ancient
But first known computer use was in ‘61 at MIT for the Compatible Time-Sharing System
— each user had a private set of files and allotment of computing time
Even back then IAM was about the right people having access to the right things at the right time
System defeated just one year later
— a request to print the password file offline
Sixteen years later I was born
(not actually me)
And I’m a little hazy on what happened in that time
Twenty-Some Years Later
The World Wide Web is Now a Thing
HTTP Basic Authentication
— Per application credentials
— Centralized LDAP
— credentials sent & checked on every request
HTML form based login
— Cookie based session established from login
— Typically opaque value referencing server side memory
Around this time I’d write my first single sign-on system…
(blindly trusting a user id value in a site-wide cookie, what could possibly go wrong?)
Luckily, competent people were also working on it
Web Access Management (WAM) Products/Solutions
— Single sign-on, authorization policy, and authentication management
— Web server agent (but sometimes also proxies)
— Domain-wide cookie (but secured unlike mine)
— Centralized policy server
Typically deployed in
— Large consumer web sites
— Enterprise applications behind the firewall
Cross-domain solutions existed but proprietary & non-interoperable
Cross Domain Standardization Efforts Also Underway
— SAML 1.0, 1.1 & 2.0
— ID-FF 1.0, 1.1 & 1.2
Identity and Access Management - RSA 2017 Security Foundations Seminar
It's a SaaS world after all
How does that make you feel?
— Too many damn passwords
— Inconsistent policies
— Stronger authentication, if any, is per SaaS
SAML Single Sign-On to SaaS
1. AuthnRequest
2. User authenticates
3. SAML Assertion & session cookie
4. AuthnRequest & session cookie (next SaaS app)
5. SAML Assertion
6. et cetera, et cetera, et cetera, etc.
<saml:Assertion ID="y2bvAdFrnRNvnm103yjiimgjhw7" IssueInstant="2016-12-05T21:38:44.771Z"
Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>https://pongidentity.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#y2bvAdFrnRNvnm103yjiimgjhw7"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>zsB4Oo4ebepuGBJ3FC7z6qRei5d4DWjQlEqhJhEu/+4=</ds:DigestValue>
</ds:Reference></ds:SignedInfo><ds:SignatureValue>gZbkpGU[...omitted...]o2riMFGnTraY=</ds:SignatureValue></ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">bcampbell</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://workplace247.com/ACS" NotOnOrAfter="2016-12-05T21:48:44.771Z"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2016-12-05T21:33:44.771Z" NotOnOrAfter="2016-12-05T21:48:44.771Z">
<saml:AudienceRestriction><saml:Audience>urn:federation:workplace-24-7</saml:Audience></saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionIndex="y2bvAdFrnRNvnm103yjiimgjhw7" AuthnInstant="2016-12-05T21:27:35.000Z">
<saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="fname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Brian</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="lname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Campbell</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">bcampbell@pongidentity.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>
SAML: XML standard for exchanging security & identity information
Reading the assertion above:
— Issuer: from
— Signature
— Subject / NameID: who
— SubjectConfirmationData Recipient: to (also a constraint)
— Conditions NotBefore / NotOnOrAfter: constraints
— AudienceRestriction: more constraints
— AuthnStatement: authentication info
— AttributeStatement: more user info
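The "constraints" called out above are what the service provider has to enforce before it trusts the "who". The following Go program is an added example, not code from the slides or from Ping Identity: it parses a trimmed copy of the assertion above (ds:Signature and the attribute statement removed, so the sample is constructed) and checks issuer, bearer subject confirmation, Recipient, Audience, both validity windows and replay of the assertion ID. The SPConfig fields, the two-minute clock skew and the in-memory replay cache are assumptions made for the example. XML signature verification, which has to happen before any of these checks mean anything, is left to an XML-DSig library.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Constructed sample: the slide's assertion minus ds:Signature and the attribute statement.
// Verifying the XML signature (XML-DSig library, the IdP's configured certificate, over
// exactly this element) must happen BEFORE anything below is trusted; this starts after that.
const sampleAssertion = `<saml:Assertion ID="y2bvAdFrnRNvnm103yjiimgjhw7" Version="2.0"
  IssueInstant="2016-12-05T21:38:44.771Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://pongidentity.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">bcampbell</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://workplace247.com/ACS" NotOnOrAfter="2016-12-05T21:48:44.771Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-12-05T21:33:44.771Z" NotOnOrAfter="2016-12-05T21:48:44.771Z">
    <saml:AudienceRestriction><saml:Audience>urn:federation:workplace-24-7</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`

// Assertion maps only the fields the service provider has to check.
type Assertion struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID           string   `xml:"ID,attr"`
	Issuer       string   `xml:"Issuer"`
	NameID       string   `xml:"Subject>NameID"`
	Confirmation struct {
		Method string `xml:"Method,attr"`
		Data   struct {
			Recipient    string `xml:"Recipient,attr"`
			NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		} `xml:"SubjectConfirmationData"`
	} `xml:"Subject>SubjectConfirmation"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}

// SPConfig is what the SP knows out of band (hypothetical field names): the IdP's entityID, our own
// entityID, the ACS URL the assertion was POSTed to, a clock-skew allowance and a replay cache.
type SPConfig struct {
	TrustedIssuer, EntityID, ACSURL string
	MaxClockSkew                    time.Duration
	SeenIDs                         map[string]bool // in production: shared between nodes and expiring
}

func NewSPConfig() *SPConfig {
	return &SPConfig{TrustedIssuer: "https://pongidentity.com", EntityID: "urn:federation:workplace-24-7",
		ACSURL: "https://workplace247.com/ACS", MaxClockSkew: 2 * time.Minute, SeenIDs: map[string]bool{}}
}

// ValidateAssertion returns the asserted NameID when every constraint holds.
func ValidateAssertion(raw []byte, cfg *SPConfig, now time.Time) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", err
	}
	sc := a.Confirmation
	audienceOK := false
	for _, aud := range a.Conditions.Audiences {
		audienceOK = audienceOK || aud == cfg.EntityID
	}
	// NotBefore is inclusive, NotOnOrAfter exclusive; a missing timestamp fails to parse and so rejects.
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	noa, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	scNoa, err3 := time.Parse(time.RFC3339, sc.Data.NotOnOrAfter)
	if err1 != nil || err2 != nil || err3 != nil {
		return "", errors.New("missing or malformed validity timestamps")
	}
	switch {
	case a.Issuer != cfg.TrustedIssuer:
		return "", fmt.Errorf("untrusted issuer %q", a.Issuer)
	case sc.Method != "urn:oasis:names:tc:SAML:2.0:cm:bearer":
		return "", fmt.Errorf("unsupported subject confirmation %q", sc.Method)
	case sc.Data.Recipient != cfg.ACSURL: // "to": a bearer assertion is only good at the endpoint it names
		return "", fmt.Errorf("recipient %q is not this ACS", sc.Data.Recipient)
	case !audienceOK:
		return "", errors.New("assertion not intended for this audience")
	case now.Add(cfg.MaxClockSkew).Before(nb):
		return "", errors.New("assertion not yet valid")
	case !now.Add(-cfg.MaxClockSkew).Before(noa) || !now.Add(-cfg.MaxClockSkew).Before(scNoa):
		return "", errors.New("assertion expired")
	case cfg.SeenIDs[a.ID]:
		return "", errors.New("assertion ID already consumed (replay)")
	}
	cfg.SeenIDs[a.ID] = true
	return a.NameID, nil
}

func main() {
	fmt.Println(ValidateAssertion([]byte(sampleAssertion), NewSPConfig(), time.Date(2016, 12, 5, 21, 40, 0, 0, time.UTC)))
}
```

The Recipient and Audience checks are what stop a bearer assertion minted for one SP from being replayed to another, and the ID cache stops it being replayed to the same SP twice inside its validity window; a parser that accepts the assertion without the signature step is where signature-wrapping attacks start, which is why that step is a precondition here rather than something this code does itself.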
OAuth Drivers: Password Sharing is Bad
Other sites ask YOU for your <redacted> password so they can access your <redacted> stuff.
OAuth Drivers: SOAP -> REST & JSON
but there were no authentication & authorization standards for REST comparable to WS-*
OAuth 2.0 In A Nutshell
[Figure: the OAuth 2.0 roles: Client, Resource Server, Authorization Server]
OpenID Connect: SSO built on OAuth 2.0
“OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol.”
Simple is in the eye of the beholder
But complexity burden shifted to the identity provider
Adds a lot to OAuth
But the main thing is the JSON Web Token (JWT) based ID Token
[Figure: the same Client, Resource Server and Authorization Server roles as the OAuth 2.0 diagram]
jot or not?
The JWT
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.
(header and payload segments; the signature segment is shown on the next slide)
The Header
{"kid":"5","alg":"ES256"}
The Payload
{"iss":"https://idp.example.com",
"exp":1357255788,
"aud":"https://sp.example.org",
"jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",
"acr":"2",
"sub":"Brian"}
it’s not the size of your token…
The same assertion as a JWT (first) and as SAML (second):
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<Issuer>https://idp.example.com</Issuer>
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
<ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
</SubjectConfirmation>
</Subject>
<Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
<AudienceRestriction><Audience>https://sp.example.org</Audience></AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
<AuthnContext><AuthnContextClassRef>2</AuthnContextClassRef></AuthnContext>
</AuthnStatement>
</Assertion>
…it’s how you use it
Simpler = Better
Web safe encoding w/ no canonicalization
(Because canonicalization is a four letter word*)
Improved Interoperability & Security
— Mostly been true
Eliminates entire classes of attacks
— XSLT Transform DOS, Remote Code Execution, and Bypass
— C14N Hash Truncation
— Entity Expansion Attacks
— XPath Transform DOS and Bypass
— External Reference DOS
— Signature Wrapping Attacks
Brad Hill, pictured here speaking in 2011, published some of these attacks
* especially when you spell it c14n
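An added example, not from the slides or from any library the talk mentions, of the two points made here and on the "jot or not?" slide: the JWS compact serialization (base64url, no padding, the signed bytes are exactly the bytes on the wire, so there is nothing to canonicalize) built and checked with ES256 using only the Go standard library, and the slide's own token decoded. The key pair, the kid value "5" and the issuer and audience strings are assumptions made for the example; the slide's token can only be decoded, not verified, because its signing key is not published.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// The slide's token, joined back onto one line. It can only be decoded below, not verified: the slide does not publish key "5".
const slideToken = "eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg"

var b64 = base64.RawURLEncoding // JWS encoding: URL-safe alphabet, no padding, no canonicalization step before signing

// Claims covers the slide's payload (acr and jti are ignored here).
type Claims struct {
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
	Aud string `json:"aud"` // RFC 7519 also allows an array here; this example rejects that form
	Sub string `json:"sub"`
}

// KeySet maps kid to the public key the verifier trusts for it.
type KeySet map[string]*ecdsa.PublicKey

func GenerateKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Sign produces header.payload.signature with ES256. The JWS signature is the raw 64-byte R||S, not DER.
func Sign(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"kid": kid, "alg": "ES256"})
	body, _ := json.Marshal(c) // strings and an int64: cannot fail
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify checks the signature with the key selected by kid, then the claims. The accepted
// algorithm is fixed here by the verifier and never taken from the token's own header.
func Verify(token string, keys KeySet, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a JWS compact serialization")
	}
	var hdr struct{ Kid, Alg string }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	pub, ok := keys[hdr.Kid]
	if hdr.Alg != "ES256" || !ok {
		return nil, fmt.Errorf("alg %q with kid %q not acceptable", hdr.Alg, hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed ES256 signature")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	c, err := DecodeClaimsUnverified(token)
	switch {
	case err != nil:
		return nil, err
	case c.Iss != iss:
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	case c.Aud != aud:
		return nil, fmt.Errorf("token is for audience %q, not us", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return c, nil
}

// DecodeClaimsUnverified parses the payload only: fine for logging or routing, never for an authorization decision.
func DecodeClaimsUnverified(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) < 2 {
		return nil, errors.New("not a JWS compact serialization")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	c := new(Claims)
	return c, json.Unmarshal(body, c)
}

func main() {
	fmt.Println(DecodeClaimsUnverified(slideToken))
}
```

Two choices in Verify carry most of the security: the expected algorithm is a constant in the verifier rather than whatever the header says, and kid only selects among keys the verifier already trusts, so an attacker controls neither which algorithm nor which key is used to check their token.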
Analysts* Predict 4.81 Zillion Mobile Devices by 2020
* Might have been me
OAuth 2.0 used for sign-on with native mobile applications
https://tools.ietf.org/html/draft-ietf-oauth-native-apps
OAuth 2.0 for Native Apps
1. Request authorization + PKCE
2. User authentication & approval
3. Callback to custom scheme URI
4. Exchange code for tokens + PKCE
5. Access protected API
[Figure: Device (Native App, System Browser) and Home Service (Authorization Endpoint, Token Endpoint), with steps 1 to 5 flowing between them]
Enables Federated and Multi-factor Sign-on
[Figure: the same flow, with the Home Service's Authorization Endpoint federating to an Enterprise or Social Identity Provider]
Leveraging existing and future investment in web based authentication
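The five steps above as an added Go example, rather than the slides' or the draft's own code: the client half (code_verifier, S256 code_challenge, and the step-1 authorization URL) and the authorization-server half (binding the challenge to the issued code, single-use codes, and checking the verifier at the token endpoint in step 4), per RFC 7636. The endpoint, client_id, state and redirect URI values are made up for the example; the system-browser hand-off and the actual HTTP calls are not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// ---- native app (client) side ----

// NewVerifier returns a fresh code_verifier: 32 random bytes as unpadded base64url,
// i.e. 43 characters, inside the 43..128 range RFC 7636 requires.
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Challenge is the S256 transform: BASE64URL(SHA-256(ASCII(code_verifier))).
func Challenge(verifier string) string {
	h := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// AuthorizationURL is step 1, opened in the system browser. Only the challenge
// travels; the verifier stays in the app's memory until step 4.
func AuthorizationURL(endpoint, clientID, redirectURI, state, challenge string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	return endpoint + "?" + q.Encode()
}

// ---- authorization server side ----

type issuedCode struct{ challenge, clientID, redirectURI string }

// AuthzServer keeps, per outstanding code, what it must check at the token endpoint.
type AuthzServer struct{ codes map[string]issuedCode }

func NewAuthzServer() *AuthzServer { return &AuthzServer{codes: map[string]issuedCode{}} }

// IssueCode runs after the user has authenticated and approved (step 2) and binds
// the challenge from step 1 to the code that goes back via the callback (step 3).
func (s *AuthzServer) IssueCode(challenge, method, clientID, redirectURI string) (string, error) {
	if method != "S256" {
		return "", errors.New("code_challenge_method must be S256 (with plain, the verifier is visible in step 1)")
	}
	if len(challenge) != 43 {
		return "", errors.New("code_challenge is not an unpadded base64url SHA-256 digest")
	}
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	code := base64.RawURLEncoding.EncodeToString(b)
	s.codes[code] = issuedCode{challenge, clientID, redirectURI}
	return code, nil
}

// Exchange is step 4 at the token endpoint. A code intercepted from the custom
// scheme callback is useless without the verifier that hashes to its challenge.
func (s *AuthzServer) Exchange(code, verifier, clientID, redirectURI string) error {
	ic, ok := s.codes[code]
	delete(s.codes, code) // single use, whether or not this attempt succeeds
	switch {
	case !ok:
		return errors.New("unknown or already used code")
	case ic.clientID != clientID || ic.redirectURI != redirectURI:
		return errors.New("code was issued to a different client or redirect_uri")
	case len(verifier) < 43 || len(verifier) > 128:
		return errors.New("code_verifier length out of range")
	case subtle.ConstantTimeCompare([]byte(Challenge(verifier)), []byte(ic.challenge)) != 1:
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	v, _ := NewVerifier()
	fmt.Println(AuthorizationURL("https://home.example/authorize", "native-app", "com.example.app:/callback", "st8", Challenge(v)))
}
```

The threat PKCE addresses on a phone is a second app registering the same custom scheme and receiving the step-3 callback: it gets the code, but the token endpoint also demands the verifier, which never left the legitimate app. Codes are deleted on first use so a race between the two apps cannot redeem the same code twice.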
FIDO: Fast IDentity Online
• Standardized Online Authentication Using Public Key Cryptography
• PKI without the I
• UAF & U2F
U2F
— Strong cryptographic 2nd factor option for end user security
— U2F device: USB, NFC, Bluetooth LE, on-board machine/mobile
— Registration of client generated site-specific public key
— Authentication by signing a challenge
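Registration of a site-specific key and authentication by signing a challenge, as an added Go example that is a simplified model of U2F and not code from FIDO or from the slides. It keeps the signature base U2F uses (SHA-256 of the appID, the user-presence byte, the signature counter, SHA-256 of the client data) and the relying party's three checks: the signature, user presence, and a counter that must move forward, which is how a cloned authenticator gets noticed. Attestation at registration, the clientData JSON with origin and type, the wrapped key handle and the USB/NFC transport are all omitted; the appID, the user name and the challenge bytes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// regKey is a site-specific key pair bound to the appID it was registered for.
type regKey struct{ appID string; priv *ecdsa.PrivateKey }

// Authenticator stands in for the U2F device: private keys never leave it.
type Authenticator struct {
	keys    map[string]regKey // key handle -> key
	counter uint32            // signature counter, shared by all keys on the device
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]regKey{}} }

// Register creates a fresh key pair for appID and hands back a handle plus the public
// key for the relying party to store (real U2F also returns an attestation, omitted here).
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	hb := make([]byte, 16)
	if _, err := rand.Read(hb); err != nil {
		return "", nil, err
	}
	handle := base64.RawURLEncoding.EncodeToString(hb)
	a.keys[handle] = regKey{appID, priv}
	return handle, &priv.PublicKey, nil
}

// AuthResponse is what the device returns; Sig is a DER-encoded ECDSA signature.
type AuthResponse struct{ UserPresence byte; Counter uint32; Sig []byte }

// signedData is the U2F signature base: SHA-256(appID) || presence || big-endian counter || SHA-256(clientData).
func signedData(appID string, presence byte, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := append(app[:], presence)
	out = append(out, ctr[:]...)
	return append(out, cd[:]...)
}

// Authenticate signs only if the handle was registered for this appID, so a look-alike
// site cannot get a signature with a handle it harvested from the genuine one.
func (a *Authenticator) Authenticate(appID, handle string, clientData []byte) (*AuthResponse, error) {
	k, ok := a.keys[handle]
	if !ok || k.appID != appID {
		return nil, errors.New("key handle not registered for this appID")
	}
	a.counter++
	d := sha256.Sum256(signedData(appID, 1, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, d[:])
	if err != nil {
		return nil, err
	}
	return &AuthResponse{UserPresence: 1, Counter: a.counter, Sig: sig}, nil
}

// Registration is everything the relying party stores per user: no secrets.
type Registration struct{ Handle string; Pub *ecdsa.PublicKey; Counter uint32 }

type RelyingParty struct{ AppID string; Users map[string]*Registration }

// Verify checks the signature over the RP's own appID and challenge, the user-presence
// bit, and that the counter moved forward; a clone that has fallen behind the genuine
// device (or a replayed response) fails that last check even though its signature is valid.
func (rp *RelyingParty) Verify(user string, clientData []byte, r *AuthResponse) error {
	reg, ok := rp.Users[user]
	if !ok || r.UserPresence&1 == 0 {
		return errors.New("unknown user or user presence not asserted")
	}
	d := sha256.Sum256(signedData(rp.AppID, r.UserPresence, r.Counter, clientData))
	if !ecdsa.VerifyASN1(reg.Pub, d[:], r.Sig) {
		return errors.New("signature does not verify")
	}
	if r.Counter <= reg.Counter {
		return errors.New("counter did not increase: replay or cloned authenticator")
	}
	reg.Counter = r.Counter
	return nil
}

func main() {
	rp := &RelyingParty{AppID: "https://example.com", Users: map[string]*Registration{}}
	dev := NewAuthenticator()
	h, pub, _ := dev.Register(rp.AppID)
	rp.Users["brian"] = &Registration{Handle: h, Pub: pub}
	resp, _ := dev.Authenticate(rp.AppID, h, []byte("constructed challenge"))
	fmt.Println(rp.Verify("brian", []byte("constructed challenge"), resp))
}
```

"PKI without the I" is visible in what the relying party stores: a raw public key per user and a counter, with no certificate, CA or revocation list behind it. The appID check on the device side is what makes the key site-specific, which is the property that defeats phishing: a look-alike origin gets no signature, and if it relayed a genuine one, that signature would be over the wrong appID.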
What’s In Your Pocket?
Phone becoming a nearly ubiquitous “something you have”
Biometrics
— Used as device local authentication to unlock a key used in remote authentication
Token Binding
• Enables a long-lived binding to a browser generated public-private key pair used to sign TLS exported keying material and sent as an HTTP header
• Bind to cookies, SSO tokens, OAuth tokens
Are we done yet?
IAM: Seamlessly enabling the right people to have access to the right resources at the right time
— Federated single sign-on to SaaS & organizational applications
— Stronger user authentication with less frequent direct user interaction
— Stronger session and SSO tokens bound to keys on the device
Almost…
Thanks!
You’ve been watching:
