CIS14: Knowing vs. Asking: Innovation in User Recognition
KNOWING VS ASKING INNOVATION IN USER RECOGNITION
Pamela Dingle @pamelarosiedee Office of the CTO, Ping Identity
day one
day two
day five-hundred eighty five
State of the Industry
Compartmentalization
https://www.flickr.com/photos/bensonkua/2754312951
The US Army https://flic.kr/p/bExfoR
Leo Reynolds https://flic.kr/p/nfxqQG
Ginny https://flic.kr/p/5V9Viy
https://www.flickr.com/photos/bensonkua/2754312951/in/photostream/
The US Army https://flic.kr/p/bExfoR
Today: Stranger Flow (IDP, RP)
We need one more representation
Our Lexicon must grow to Encompass Hints
• What is a hint?
  – Statement based on probability but lacking authority
  – Multiple evolutions evolving into the concept of a Hint
• Passive Factors / Real-time analytics
• Cached previous data
• Account Chooser
Security Posture should never be OSFA (one size fits all) again
• It isn’t 1995 anymore
• The device to user ratio has inverted
• In the 1st world at least, 5-year-olds have iPads
• You can’t abandon the 1995 flow, but you can choose who to offer it to
Tomorrow: Friendly Flow (IDP, RP)
That must be dangerous!
Because, Security
Xavi Talleda https://flic.kr/p/997LWwv
Session bound with Context allows us to help “friendlies”
But what tooling allows contextual collaboration across domains?
Two Flow Elements
• Continuation Flow
  – Is there some context that can forecast an identifier and/or IDP?
• Bootstrap Flow
  – No continuation exists
  – Is there a way to introduce the user & IDP to the flow?
Hint Spectrum
• Login Hint
• Refresh Token
• Previously Issued ID Token
• Shared Signal
• Expired Token & context assertion embedded in signed AuthnRequest
Login Hint
• Exactly the information the user would have to type themselves anyway
  – User Identifier
  – IDP
• Equivalent to “Remember me” (but crossing domains)
How can an RP derive a Login Hint?
• Continuation Flow
  – Check the expired session cookie
  – Dig up the previous id_token
• Bootstrapping Flow
  – Ask for it (NASCAR, OpenID) (i.e. stranger flow)
  – Query a common authority
    • CDC, Account Chooser
Dave Carter https://www.flickr.com/photos/david_s_carter/3041065755
Bootstrapping == Discovery?
Choosers FTW
• d
Bootstrapping

```http
HTTP/1.1 302 Found
Location: https://server.example.com/authorize
  ?response_type=code
  &scope=openid%20profile%20email
  &client_id=s6BhdRkqt3
  &state=af0ifjsldkj
  &redirect_uri=https%3A%2F%2Fclnt.example.org%2Fcb
  &login_hint=patty%40integralcurve.com
```
Continuation

```json
{
  "iss": "s6BhdRkqt3",
  "aud": "https://server.example.com",
  "response_type": "code id_token",
  "client_id": "s6BhdRkqt3",
  "redirect_uri": "https://client.example.org/cb",
  "scope": "openid",
  "state": "af0ifjsldkj",
  "nonce": "n-0S6_WzA2Mj",
  "max_age": 86400,
  "id_token_hint": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc...K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
}
```
An attacker who emulates the login hint only gets this far
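As an added example (not the deck's code) of the continuation and bootstrapping decisions above, and of why an emulated login hint goes no further than a pre-filled form: the RP derives a hint from a cached, possibly expired id_token, builds the 302 target shown on the Bootstrapping slide, and the IDP treats the hint as prefill only. KNOWN_IDPS, make_test_id_token and the other helper names are constructed assumptions; the client_id, state, redirect_uri and login_hint values are the deck's own.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Constructed registry: the RP only ever redirects to issuers it already trusts.
KNOWN_IDPS = {"https://server.example.com": "https://server.example.com/authorize"}

def b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def make_test_id_token(claims):
    """Constructed fixture: a JWT-shaped string with a dummy signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "kid": "1e9gdk7"}) + "." + enc(claims) + ".dummysig"

def derive_login_hint(previous_id_token):
    """Continuation flow: read identifier and issuer out of a cached, possibly
    expired id_token. No signature check on purpose: the result is a hint (a
    statement based on probability, lacking authority), never an authentication."""
    if not previous_id_token or previous_id_token.count(".") != 2:
        return None  # no continuation: fall back to the bootstrap (stranger) flow
    try:
        claims = json.loads(b64url_decode(previous_id_token.split(".")[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    identifier = claims.get("email") or claims.get("sub")
    if not identifier or claims.get("iss") not in KNOWN_IDPS:
        return None  # an issuer the RP does not know must not steer the redirect
    return {"login_hint": identifier, "iss": claims["iss"]}

def build_authorization_url(client_id, redirect_uri, state, hint):
    """Builds the Location target of the deck's 302; None means bootstrap instead."""
    if hint is None:
        return None
    params = {"response_type": "code", "scope": "openid profile email",
              "client_id": client_id, "state": state, "redirect_uri": redirect_uri,
              "login_hint": hint["login_hint"]}
    return KNOWN_IDPS[hint["iss"]] + "?" + urlencode(params, quote_via=quote)

def idp_authorize(request_params, authenticated_user):
    """IDP side: a login_hint only pre-fills the identifier field. Whoever sent it,
    including someone emulating the hint, still lands on the login form."""
    if authenticated_user is None:
        return {"action": "login_form", "prefill": request_params.get("login_hint")}
    return {"action": "issue_code", "sub": authenticated_user}
```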
https://www.flickr.com/photos/bensonkua/2754312951/in/photostream/
Thanks!
@pamelarosiedee http://pingidentity.com
http://eternallyoptimistic.com