A recipe for standards-based Cloud IdM

Paul Madsen @paulmadsen

I already regret the analogy

Transcript of A recipe for standards-based Cloud IdM

Page 1: A recipe for standards-based Cloud IdM

A recipe for standards-based Cloud IdM

Paul Madsen

@paulmadsen

Pages 2 to 6: A recipe for standards-based Cloud IdM (image-only slides, no text)

Ingredients

SAML

OAuth

SCIM

JWT

Paul

Page 7: A recipe for standards-based Cloud IdM

• Small number of ingredients can be composed to create useful & tasty dishes

• SCIM, SAML, OAuth, and JWT provide a standards-based framework for cloud identity recipes

Ingredients

Page 8: A recipe for standards-based Cloud IdM

• SAML – SSO for enterprise & cloud web apps

• OAuth – authn & authz for RESTful APIs

• SCIM – RESTful (and viable!) user provisioning

• JWT – JSON-based SAML assertions

(Gross) Oversimplifications

Page 9: A recipe for standards-based Cloud IdM

Ingredient diagram: SAML, JWT, SCIM, OAuth

Page 10: A recipe for standards-based Cloud IdM

Ingredient diagram: SAML, JWT, SCIM, OAuth

Page 11: A recipe for standards-based Cloud IdM

• SCIM API messages to provision accounts for subsequent SAML SSO

• SAML binding for SCIM
  • Carry a SCIM instance as attributes in the SAML SSO message
  • Alternative to a distinct CRUD operation using the SCIM RESTful protocol
  • Enables JIT provisioning

SCIM & SAML

Page 12: A recipe for standards-based Cloud IdM

<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.userName">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.name.formatted">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

SCIM & SAML

Page 13: A recipe for standards-based Cloud IdM

• Non-trivial to map the SCIM attribute schema into SAML's attribute model

• SCIM schema allows for
  • Complex structures
  • Multi-valued attributes

• Which is why I've been negligent in the work

Challenges
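The SAML-to-SCIM mapping described on the last two slides, as an added example that is not code from the talk. It takes a saml:AttributeStatement whose attributes are named "SCIM.<path>" (the convention of the statement shown above) and builds a SCIM 1.0 core user from it for JIT provisioning. The sample statement is constructed for the example: it adds a multi-valued "SCIM.emails" attribute, to show where flat SAML values lose the sub-attributes of a SCIM multi-valued attribute, and a "SCIM.id" attribute the service provider must not let an IdP set. The allow-list of attribute paths is an assumption of this example, not something SCIM or the talk defines.

```python
"""JIT provisioning: map SAML attributes named "SCIM.<path>" onto a SCIM user.

Added example, not code from the slides. The "SCIM.userName" /
"SCIM.name.formatted" naming follows the AttributeStatement on the slide;
the sample statement here is constructed for the example.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Attribute paths an IdP may set on a JIT-provisioned account (assumed list).
# Everything else in the assertion ("SCIM.id", "SCIM.meta", a role the IdP
# has no business asserting) is reported and ignored rather than stored.
ALLOWED_PATHS = {"userName", "externalId", "name.formatted",
                 "name.givenName", "name.familyName", "emails"}

# Constructed sample input.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="SCIM.userName"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="SCIM.name.formatted"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="SCIM.emails"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">babs@jensen.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="SCIM.id"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:string">2819c223-7f76-453a-919d-413861904646</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def attributes_from_statement(xml_text):
    """Return {Name: [values]} from a saml:AttributeStatement fragment.

    Only call this on an assertion whose signature, issuer, audience and
    validity window have already been checked. ElementTree is used for
    portability; a hardened parser (e.g. defusedxml) belongs in production.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def scim_user_from_saml(xml_text):
    """Build a SCIM 1.0 core user from the SAML attributes; return (user, dropped)."""
    user = {"schemas": ["urn:scim:schemas:core:1.0"]}
    dropped = []
    for name, values in attributes_from_statement(xml_text).items():
        if not name.startswith("SCIM."):
            continue  # not part of the SCIM binding; leave for other consumers
        path = name[len("SCIM."):]
        if path not in ALLOWED_PATHS or not values:
            dropped.append(name)
            continue
        parts = path.split(".")
        node = user
        for part in parts[:-1]:
            node = node.setdefault(part, {})  # "name.formatted" -> user["name"]["formatted"]
        # Flat SAML values cannot carry the sub-attributes (type, primary) of a
        # SCIM multi-valued attribute: "emails" comes out as plain strings,
        # which is exactly the mapping gap the Challenges slide points at.
        node[parts[-1]] = values[0] if len(values) == 1 else values
    if not isinstance(user.get("userName"), str):
        raise ValueError("no single SCIM.userName in assertion; refusing to provision")
    return user, dropped
```

The allow-list is the important control: with JIT provisioning the IdP effectively gets write access to the SP's user store, so the SP decides which SCIM attributes an assertion may populate and silently discards the rest.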

Page 14: A recipe for standards-based Cloud IdM

Ingredient diagram: SAML, JWT, SCIM, OAuth

Page 15: A recipe for standards-based Cloud IdM

SCIM & OAuth

1. Use SCIM to provision account for subsequent OAuth-based mobile access to SaaS APIs

2. Use OAuth to secure SCIM API calls

Page 16: A recipe for standards-based Cloud IdM

SCIM & OAuth

POST /User HTTP/1.1
Host: example.com
Accept: application/xml
Content-Type: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>[email protected]</userName>
  <externalId>701984</externalId>
  <emails>
    <email>
      <value>[email protected]</value>
      <primary>true</primary>
      <type>work</type>
    </email>
  </emails>
</scim:User>

The OAuth access token was issued by the SaaS to the enterprise, which uses it on its subsequent SCIM calls.

Note the difference from the archetypal OAuth delegated-authorization use case: here the token represents the enterprise's provisioning system itself, not an end user's consent.
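What the SaaS side of that call looks like, as an added example that is not code from the talk or any SCIM product: a minimal /Users handler that validates the bearer token before touching the user store. The token values, the scope names "scim:read" and "scim:write", the fixed clock and the in-memory stores are all assumptions of this example (SCIM defines no OAuth scopes), and the request body is JSON rather than the XML on the slide, which SCIM 1.0 also allows.

```python
"""Protecting a SCIM endpoint with OAuth 2.0 bearer tokens (RFC 6750 style).

Added example, not from the slides or any product. Token strings, scope
names and the in-memory stores are assumptions made for the example.
"""
import hashlib
import json

NOW = 1_700_000_000  # fixed clock so the example is repeatable


def _digest(token):
    # Store only a hash of each bearer token: a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


# Tokens the SaaS issued to enterprise provisioning clients. The client is
# the enterprise itself; no end user delegated anything, which is the slide's
# point about the difference from the usual OAuth use case.
TOKEN_STORE = {
    _digest("h480djs93hd8"):  {"client": "acme-hr",    "scope": {"scim:read", "scim:write"}, "exp": NOW + 3600},
    _digest("expired0token"): {"client": "acme-hr",    "scope": {"scim:read", "scim:write"}, "exp": NOW - 1},
    _digest("auditor0token"): {"client": "acme-audit", "scope": {"scim:read"},               "exp": NOW + 3600},
}
REQUIRED_SCOPE = {"GET": "scim:read", "POST": "scim:write",
                  "PUT": "scim:write", "DELETE": "scim:write"}
USERS = {}  # (client, user id) -> SCIM user, keyed by client for tenant isolation


def _challenge(status, error=None, description=None):
    # RFC 6750 section 3: a 401/403 carries WWW-Authenticate: Bearer ...
    www = 'Bearer realm="scim"'
    if error:
        www += f', error="{error}"'
    if description:
        www += f', error_description="{description}"'
    return status, {"WWW-Authenticate": www}, ""


def authenticate(headers, now=NOW):
    """Return the stored record for a valid Bearer token, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    rec = TOKEN_STORE.get(_digest(token))
    if rec is None or rec["exp"] <= now:
        return None
    return rec


def user_id(client, user_name):
    """Deterministic id for the example; a real server would use a UUID."""
    return hashlib.sha256(f"{client}:{user_name}".encode()).hexdigest()[:16]


def handle_scim_request(method, path, headers, body="", now=NOW):
    """Minimal SCIM /Users handler; returns (status, headers, body)."""
    if "Authorization" not in headers:
        return _challenge(401)  # no error code when no credential was sent
    rec = authenticate(headers, now)
    if rec is None:
        return _challenge(401, "invalid_token", "token unknown or expired")
    need = REQUIRED_SCOPE.get(method)
    if need is None:
        return 405, {}, ""
    if need not in rec["scope"]:
        return _challenge(403, "insufficient_scope", f"requires {need}")

    if method == "POST" and path == "/Users":
        user = json.loads(body)
        if not isinstance(user.get("userName"), str):
            return 400, {}, json.dumps({"Errors": [{"description": "userName required", "code": "400"}]})
        uid = user_id(rec["client"], user["userName"])
        stored = dict(user, id=uid, meta={"created": now})
        USERS[(rec["client"], uid)] = stored
        return 201, {"Location": f"/Users/{uid}"}, json.dumps(stored)

    if method == "GET" and path.startswith("/Users/"):
        # Scope the lookup to the caller's tenant: another tenant's valid
        # token must not read this tenant's users.
        stored = USERS.get((rec["client"], path[len("/Users/"):]))
        return (200, {}, json.dumps(stored)) if stored else (404, {}, "")
    return 404, {}, ""
```

Two details matter beyond the token check itself: the store holds only token digests, and every user record is keyed by the client the token belongs to, so a valid token from one enterprise tenant cannot read or overwrite another tenant's accounts.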

Page 17: A recipe for standards-based Cloud IdM

Ingredient diagram: SAML, JWT, SCIM, OAuth

Page 18: A recipe for standards-based Cloud IdM

SAML & OAuth

• 'Hybrid' – carry an OAuth token in SAML SSO messages

• 'Assertion profile' – use SAML assertions within the OAuth flow; trade the assertion for a token

• 'Sequencing' – use SAML SSO in order to authenticate the user to the AS

Page 19: A recipe for standards-based Cloud IdM

Diagram with the labels SAML, OAuth, OAuth (no other text on the slide)

Page 20: A recipe for standards-based Cloud IdM

Copyright © 2011. Cloud Identity Summit. All Rights Reserved.

Demo

Page 21: A recipe for standards-based Cloud IdM

Demo

Page 22: A recipe for standards-based Cloud IdM

Demo

Page 23: A recipe for standards-based Cloud IdM

Demo

Page 24: A recipe for standards-based Cloud IdM

Ingredient diagram: SAML, JWT, SCIM, OAuth

Page 25: A recipe for standards-based Cloud IdM

Page 26: A recipe for standards-based Cloud IdM

SAML & JWT & OAuth

Three layers:

• Core protocol – OAuth

• Assertion profile – how to use assertions for client authentication and as a grant type

• Profiles of the assertion profile – one per specific assertion format: SAML, JWT

Page 27: A recipe for standards-based Cloud IdM

SAML & JWT & OAuth

• Use a SAML assertion or a JWT for OAuth client authentication and/or as an OAuth grant type

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=i1WsRn1uB1&
client_id=s6BhdRkqt3&
client_assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&
client_assertion=PHNhbWxwOl…...ZT

Client authenticating to the AS token endpoint using an assertion rather than a shared secret. (The client_assertion_type URN shown is the one from the 2011 draft; the published SAML profile, RFC 7522, uses urn:ietf:params:oauth:client-assertion-type:saml2-bearer. Either way the AS must verify the assertion's signature and check that its audience is the AS's own token endpoint before accepting it.)

Page 28: A recipe for standards-based Cloud IdM

OpenID Connect

Ingredient diagram: SAML, JWT, SCIM, OAuth

Page 29: A recipe for standards-based Cloud IdM

OpenID Connect == JWT & OAuth & identity

• OAuth is a general mechanism to authorize API access; OpenID Connect profiles the generic for the purposes of sharing profile information & enabling an SSO protocol

• Uses the authz code & implicit grant types – the pieces of OAuth optimized for user-consent scenarios (the OAuth 2.0 Security Best Current Practice has since recommended against the implicit grant in favour of the authorization code flow)

• Leverages the authorization & token endpoints & adds identity-based params to core OAuth messages

Page 30: A recipe for standards-based Cloud IdM

• OpenID Provider

– Adds to the OAuth 2.0 Authorization Server
  • Issues id_token in addition to access_token

– Codifies a standardized Resource Server
  • UserInfo Endpoint

• Relying Party

– OAuth client to the endpoints exposed by the OpenID Provider
  • Implicit Grant or Authorization Code Flows

OpenID Connect
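The token request on page 27 (a JWT presented as client_assertion) and the id_token a Relying Party reads in OpenID Connect both reduce to minting and verifying a JWT, so one added example serves both; it is not code from the talk or from any OAuth or OpenID library. To run stand-alone it signs with HS256 and a shared secret; in deployment the client (or the OpenID Provider) signs with its own private key, the verifier holds only the public key, and the AS looks the key up by client_id rather than receiving it as a parameter. The URLs, client_id, key, jti and nonce values are made up for the example.

```python
"""JWTs as OAuth client assertions and as OpenID Connect id_tokens.

Added example, not from the slides or any product. HS256 with a shared
secret is used only so the example runs by itself; use an asymmetric
algorithm in practice. All identifiers and keys here are made up.
"""
import base64
import hashlib
import hmac
import json

JWT_BEARER_CLIENT = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key):
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token, key, issuer, audience, now, leeway=60):
    """Check signature, issuer, audience and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    # Pin the algorithm: never let the token choose it (alg=none, key confusion).
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + leeway:
        raise ValueError("expired")
    return claims


# --- Client authentication at the token endpoint (the page 27 request) ---

def token_request(client_id, key, token_endpoint, code, now, jti):
    """Build the form parameters the client POSTs to the token endpoint."""
    assertion = mint_jwt({"iss": client_id, "sub": client_id, "aud": token_endpoint,
                          "exp": now + 300, "jti": jti}, key)
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_assertion_type": JWT_BEARER_CLIENT, "client_assertion": assertion}


SEEN_JTI = set()  # the AS must remember jti values until their assertions expire


def verify_client_assertion(form, key, token_endpoint, now):
    """AS side: authenticate the client from its assertion instead of a secret."""
    if form.get("client_assertion_type") != JWT_BEARER_CLIENT:
        raise ValueError("unsupported client_assertion_type")
    client_id = form["client_id"]
    # issuer and subject are the client; audience is this token endpoint, so a
    # stolen assertion meant for another AS is useless here.
    claims = verify_jwt(form["client_assertion"], key, client_id, token_endpoint, now)
    if claims.get("sub") != client_id:
        raise ValueError("sub must be the client_id")
    jti = claims.get("jti")
    if not jti or jti in SEEN_JTI:
        raise ValueError("missing or replayed jti")
    SEEN_JTI.add(jti)
    return claims


# --- Reading the id_token at the Relying Party (OpenID Connect) -----------

def verify_id_token(id_token, key, issuer, client_id, expected_nonce, now):
    """RP side: the id_token's audience is the RP's client_id."""
    claims = verify_jwt(id_token, key, issuer, client_id, now)
    # The nonce binds the id_token to the RP's own authorization request.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims
```

The checks that distinguish the two uses are the audience and the replay control: a client assertion is addressed to one token endpoint and carries a jti the AS must refuse to see twice, while an id_token is addressed to one client_id and carries the nonce that client put in its request.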

Page 31: A recipe for standards-based Cloud IdM

Base OAuth

Diagram: User Agent, Client, AS, RS

1) GET A TOKEN (Client obtains a token from the AS)

2) USE A TOKEN (Client presents it to the RS)

Ignoring the distinction as to whether the tokens actually flow front-channel, or instead back-channel after a front-channel step

Page 32: A recipe for standards-based Cloud IdM

OpenID Connect

Diagram: Base OAuth (User Agent, Client, AS, RS) plus the UserInfo endpoint

1) GET A TOKEN

2) READ A TOKEN (the id_token)

3) USE A TOKEN (the access token, at the UserInfo endpoint)

Ignoring the distinction as to whether the tokens actually flow front-channel, or instead back-channel after a front-channel step

Page 33: A recipe for standards-based Cloud IdM

UMA

Ingredient diagram: SAML, JWT, SCIM, OAuth

Page 34: A recipe for standards-based Cloud IdM

UMA == OAuth + centralized authz

1. OAuth allows for pairwise app-to-app connections. UMA, in addition, defines a hub from which many pairwise sharing connections can be managed, controlled, and revoked.

2. OAuth solves for person-to-self sharing. UMA, in addition, solves for secure person-to-person sharing and person-to-organization sharing.

3. OAuth leaves unstated how its "authorization server" and "resource server" components interact. UMA fully defines a standard interface between its enhanced versions of these two components, the authorization manager and host.

From the UMA FAQ

Page 35: A recipe for standards-based Cloud IdM

(image-only slide, no text)

Page 36: A recipe for standards-based Cloud IdM

XACML?

Ingredient diagram: SAML, JWT, SCIM, OAuth

Page 37: A recipe for standards-based Cloud IdM

XACML?

Compose

Page 38: A recipe for standards-based Cloud IdM

Speculative

• XACML policy (a TBD JSON binding) inside a JWT???
  • Extends the simple scope model

• Interplay between SCIM-provisioned attributes & SaaS XACML policies?

• RESTful authz query for XACML?
  • PEP sends an access token to the PDP (along with scopes); the PDP resolves the token as necessary and returns yes/no to the PEP

Page 39: A recipe for standards-based Cloud IdM

Diagram: the AS issues a token to the Client (Issuance); the Client presents it to the RS, whose PEP asks the PDP and receives y/n
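One concrete rendering of the flow the Speculative slide and this diagram sketch, as an added example that is not code from the talk and not any XACML JSON profile (the slide leaves the binding TBD): the PEP at the resource server posts the access token together with the resource and action to a PDP decision endpoint, the PDP resolves the token the way an introspection endpoint would, evaluates a policy that needs a scope and may add a condition on SCIM-provisioned user attributes, and answers Permit or Deny. The request and response shapes, tokens, scope names, policy rules and user attributes are all assumptions made for this example.

```python
"""A RESTful PEP -> PDP authorization query that carries an OAuth access token.

Added example of the flow the "Speculative" slide sketches, not code from
the slides or any XACML JSON profile. Request/response shapes, scope names,
policy rules, tokens and user attributes are assumptions for the example.
"""
import json

NOW = 1_700_000_000

# What the AS issued (the PDP resolves a token much like an introspection
# endpoint would) ...
TOKENS = {
    "tok-alice": {"sub": "alice", "scope": {"expenses:read"},                     "exp": NOW + 600},
    "tok-bob":   {"sub": "bob",   "scope": {"expenses:read", "expenses:approve"}, "exp": NOW + 600},
    "tok-carol": {"sub": "carol", "scope": {"expenses:read", "expenses:approve"}, "exp": NOW + 600},
    "tok-stale": {"sub": "alice", "scope": {"expenses:read"},                     "exp": NOW - 5},
}
# ... and what SCIM provisioning put in the SaaS user store.
USERS = {
    "alice": {"department": "finance"},
    "bob":   {"department": "sales"},
    "carol": {"department": "finance"},
}

# Policy goes beyond the flat scope model: a rule needs a scope *and* may add
# a condition on attributes of the provisioned user.
POLICY = [
    {"resource": "expense-report", "action": "read",    "scope": "expenses:read",    "condition": {}},
    {"resource": "expense-report", "action": "approve", "scope": "expenses:approve", "condition": {"department": "finance"}},
]


def pep_request(token, resource, action):
    """The JSON body the PEP POSTs to the PDP's decision endpoint."""
    return json.dumps({"token": token, "resource": resource, "action": action})


def pdp_decide(request_json, now=NOW):
    """Evaluate one PEP query; returns {"decision": "Permit"|"Deny", "reason": ...}."""
    req = json.loads(request_json)
    tok = TOKENS.get(req.get("token"))
    if tok is None or tok["exp"] <= now:
        return {"decision": "Deny", "reason": "invalid_token"}
    subject = USERS.get(tok["sub"], {})
    for rule in POLICY:
        if rule["resource"] != req.get("resource") or rule["action"] != req.get("action"):
            continue
        if rule["scope"] not in tok["scope"]:
            return {"decision": "Deny", "reason": "insufficient_scope"}
        if any(subject.get(k) != v for k, v in rule["condition"].items()):
            return {"decision": "Deny", "reason": "attribute_condition_failed"}
        return {"decision": "Permit", "reason": rule["scope"]}
    return {"decision": "Deny", "reason": "no_applicable_policy"}  # default deny


def pep_enforce(token, resource, action):
    """The resource server's PEP: act only on an explicit Permit."""
    response = pdp_decide(pep_request(token, resource, action))
    return response["decision"] == "Permit"
```

Two choices are deliberate: the PEP treats anything other than an explicit Permit as a denial (an unreachable or confused PDP fails closed), and the department condition is evaluated against the user store, so a scope alone never grants the approve action.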

Page 40: A recipe for standards-based Cloud IdM

Questions