Post on 12-Jan-2016
Copyright ©2012 Ping Identity Corporation. All rights reserved.
Unified Identity in Cloud Architectures
EEMA 2012
John Bradley, @ve7jtb, Office of the CTO
Future of IT Architecture
• Thousands of applications and services, everywhere
– Some you can control
  • Local web services
  • Local infrastructure
  • Apps/services on IaaS
– Many you can't control
  • SaaS APIs
  • PaaS APIs
  • IaaS APIs
  • Partner APIs
Ultimate Decentralization
• Diversity of architecture
– If the cloud vendor's coding philosophy conflicts with yours, you must adapt
• Limited visibility
– No database access
– No direct audit file access
• No contractual power
– Like it or lump it
Decentralization == Chaos?
• Business managers operating administration consoles
• Developers writing API code for the business
– Native mobile apps
– Mashups
– Are they security specialists?
• Silos of work with no central control
Fragmentation Causes Risk
• Business agility suffers
– Decision making is impaired
• IT response time is low
– Every application and service has to be treated differently
• Productivity suffers
– Every application looks and feels different
– No secure "ceremony" for users
– Developers must re-invent a new process every time
• Risk to the organization increases
– What happens when you fire somebody?
Solution: Centralize & Adapt
• Industry has adopted "federated identity" to move security decisions into central infrastructure
• Federated protocols now exist to protect both web applications and APIs
• e.g. SAML, WS-Trust, OAuth 2.0, and OpenID Connect
What does this mean?
• Developers don't set passwords in code
– They ask for a token
– The token is used during API calls
• Applications don't store passwords
– They rely on a central authority to identify the user
– They validate the central authority, not the user
• Central infrastructure does the rest
– Password validation, security, risk/fraud
Create Infrastructure
[Diagram: Identity Management placed in front of Legacy SOAP Services]
Act as a Client
[Diagram: Identity Management, backed by Legacy SOAP Services, makes REST calls out to a Cloud Application]
Act as a Server
[Diagram: REST calls come in through Identity Management to Legacy SOAP Services]
Act as an Identity Provider
[Diagram: Identity Management, backed by Legacy SOAP Services, provides Browser SSO to a Cloud Application]
Leverage with Mobile Apps
[Diagram: mobile app making REST calls in to Identity Management and Legacy SOAP Services]
1. Use browser to fetch OAuth 2.0 token
2. Transform attributes
3. Use token for API calls
Leverage at Cloud Apps
[Diagram: Identity Management, Legacy SOAP Services, and a Cloud Application]
1. Request token
2. Browser SSO to fetch SAML token
3. Generate OAuth 2.0 token from SAML
4. Access API with token
Concrete Example: OAuth 2.0 with SAML
Trigger an OAuth Token Request

GET /as/authorization.oauth2?client_id=mobileapp&redirect_uri=mobileapp://redirect_here&response_type=code HTTP/1.1
User Logs in at Enterprise
Consent at Cloud Service
Client Trades Code for Access Token

The authorization server redirects the browser back to the app with the code:

HTTP/1.1 302 Found
Location: mobileapp://redirect_here?&code=wizJmaSTPAf0wqSeB3vmDx2mNSZK6g

The client posts the code to the token endpoint:

POST /as/token.oauth2 HTTP/1.1
Host: as.com

client_id=a&redirect_uri=mobileapp://redirecthere&grant_type=authorization_code&code=wizJmaSTPAf0wqSeB3vmDx2mNSZK6g

The token endpoint answers with the access token:

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{"token_type":"Bearer","expires_in":"600","refresh_token":"oQWqwMUIL2ndeMHsWEyFO0GyalvKSvc2QI4YuG82RMGkM","access_token":"lSBbci4Jg8MsjiSqZLBrzEXgd4mKUNhOkyF"}
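As an added example (not from the slides), a small Python model of the exchange above: the client pulls the code out of the redirect Location and posts it to the token endpoint, and the token endpoint performs the checks an authorization server must make before issuing a Bearer token. The code value and client_id are the slide's; the in-memory record of issued codes, the code lifetime, and the function names are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: codes the authorization endpoint handed out. Each code is
# bound to the client and redirect_uri it was issued for and is single-use.
ISSUED_CODES = {
    "wizJmaSTPAf0wqSeB3vmDx2mNSZK6g": {
        "client_id": "mobileapp",
        "redirect_uri": "mobileapp://redirect_here",
        "issued_at": time.time(),
        "used": False,
    },
}
CODE_TTL = 60  # seconds; assumed lifetime, authorization codes are short-lived


def code_from_redirect(location):
    """Client side: extract the code from the 302 Location the app receives."""
    return parse_qs(urlsplit(location).query)["code"][0]


def token_endpoint(form_body, now=None):
    """Server side: validate the authorization_code grant, then issue a token."""
    now = time.time() if now is None else now
    p = {k: v[0] for k, v in parse_qs(form_body).items()}
    if p.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    rec = ISSUED_CODES.get(p.get("code", ""))
    # Unknown, replayed or expired codes, and codes issued to a different
    # client or redirect_uri, are all rejected as invalid_grant (RFC 6749).
    if (rec is None or rec["used"] or now - rec["issued_at"] > CODE_TTL
            or rec["client_id"] != p.get("client_id")
            or rec["redirect_uri"] != p.get("redirect_uri")):
        return 400, {"error": "invalid_grant"}
    rec["used"] = True  # single use: exchanging the same code again fails
    return 200, {"token_type": "Bearer", "expires_in": 600,
                 "access_token": secrets.token_urlsafe(24),
                 "refresh_token": secrets.token_urlsafe(32)}


def exchange_code(location, client_id, redirect_uri):
    """Client side: build the token request from the redirect; returns (status, body)."""
    body = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                      "grant_type": "authorization_code",
                      "code": code_from_redirect(location)})
    return token_endpoint(body)
```

The redirect_uri check is what stops a code captured by another app registered for a different URI from being turned into a token, and the single-use flag is what makes a leaked code worthless after the legitimate client has redeemed it.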
Client Uses Token at API

GET https://na1.salesforce.com/services/data/v22.0/chatter/users/me
Authorization: Bearer lSBbci4Jg8MsjiSqZLBrzEXg

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
  "aboutMe": "Head SE South",
  "address": {
    "city": "New Orleans",
    "country": "US",
    "state": "LA",
    "street": "923 Bourbon Street",
    "zip": "70116"
  },
  "currentStatus": {
Architecture Advantages
• Users always authenticate in the same place
– Teach them to expect your ceremony
– Protect against the password antipattern
• Developers never see or store passwords
– Only need to know how to ask for a token and use it at APIs
– Or: ask once for credentials but never store them
• IT oversees every authentication
– One attack surface & security plan
– One audit point
• Same infrastructure regardless of medium
– Web or web service
Cloud Identity Management
• Centralizes cloud access control
• Strengthens security
• Integrates with existing infrastructure
• Simplifies password maintenance
• Deploys in days
• http://www.pingidentity.com