Copyright ©2012 Ping Identity Corporation. All rights reserved.

Page 2

Unified Identity in Cloud Architectures

EEMA 2012

• John Bradley
• @ve7jtb
• Office of the CTO

Page 3

Future of IT Architecture

• Thousands of applications and services -- everywhere
  – Some you can control
    • Local web services
    • Local infrastructure
    • Apps/Services on IaaS
  – Many you can’t control
    • SaaS APIs
    • PaaS APIs
    • IaaS APIs
    • Partner APIs

Page 4

Ultimate Decentralization

• Diversity of Architecture
  – If the cloud vendor’s coding philosophy conflicts with yours, you must adapt
• Limited Visibility
  – No database access
  – No direct audit file access
• No Contractual Power
  – Like it or lump it

Page 5

Decentralization == Chaos?

• Business Managers operating administration consoles
• Developers writing API code for the business
  – Native Mobile apps
  – Mashups
  – Are they security specialists?
• Silos of work with no central control

Page 6

Fragmentation Causes Risk

• Business Agility suffers
  – Decision making is impaired
• IT response time is low
  – Every application and service has to be treated differently
• Productivity suffers
  – Every application looks and feels different
  – No secure “ceremony” for users
  – Developers must re-invent a new process every time
• Risk to the organization increases
  – What happens when you fire somebody?

Page 7

Solution: Centralize & Adapt

• Industry has adopted “federated identity” to move security decisions into central infrastructure
• Federated protocols now exist to protect both web applications and APIs
  – E.g. SAML, WS-Trust, OAuth 2.0, and OpenID Connect

Page 8

What does this mean?

• Developers don’t set passwords in code
  – They ask for a token
  – Token is used during API calls
• Applications don’t store passwords
  – They rely on a central authority to identify the user
  – They validate the central authority, not the user
• Central Infrastructure does the rest
  – Password validation, security, risk/fraud

Page 9

Create Infrastructure

[Diagram: Identity Management placed in front of Legacy SOAP Services]

Page 10

Act as a Client

[Diagram: Identity Management (with Legacy SOAP Services behind it) making REST Calls Out to a Cloud Application]

Page 11

Act as a Server

[Diagram: REST Calls In to Identity Management, with Legacy SOAP Services behind it]

Page 12

Act as an Identity Provider

[Diagram: Identity Management (with Legacy SOAP Services behind it) providing Browser SSO to a Cloud Application]

Page 13

Leverage with Mobile Apps

[Diagram: mobile app making REST Calls In to Identity Management, with Legacy SOAP Services behind it]

1. Use Browser to Fetch OAuth 2.0 Token
2. Transform Attributes
3. Use Token For API Calls

Page 14

Leverage at Cloud Apps

[Diagram: Identity Management, Legacy SOAP Services and a Cloud Application]

1. Request Token
2. Browser SSO To Fetch SAML Token
3. Generate OAuth 2.0 Token from SAML
4. Access API with Token
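Step 3 above (and step 2 of the mobile-app flow, “Transform Attributes”) is where the identity infrastructure turns a SAML assertion from the enterprise into an OAuth 2.0 token for API use. The deck does not name a mechanism; the example below, which is added here and is not Ping Identity’s code, assumes the standardized SAML bearer assertion grant (RFC 7522, grant_type urn:ietf:params:oauth:grant-type:saml2-bearer). The issuer, key, audience value and attribute mapping are constructed for the example, and an HMAC over the assertion bytes stands in for the XML-DSig signature a real authorization server would verify with the IdP’s certificate. What the example shows is the order of checks a token endpoint has to make before minting anything: trusted issuer, signature, validity window, audience, subject, and then a deliberate attribute transformation rather than a pass-through.

```python
"""Added example: a token endpoint turning a SAML assertion from the enterprise IdP into an
OAuth 2.0 bearer token (slide 14 step 3 / slide 13 step 2). Issuer, key, endpoint and
attribute names are constructed for this example; HMAC stands in for XML-DSig."""
import base64
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"   # RFC 7522 grant type
TOKEN_ENDPOINT = "https://as.com/as/token.oauth2"                 # assumed audience value
TOKEN_TTL = 600
# Constructed trust store: issuer -> key. A real AS verifies the XML signature against the
# IdP's certificate; here an HMAC over the assertion bytes stands in for XML-DSig.
TRUSTED_ISSUERS = {"https://idp.enterprise.example": b"constructed-idp-key"}
# "Transform Attributes": SAML attribute name -> claim name the API will see (constructed)
ATTRIBUTE_MAP = {"mail": "email", "displayName": "name"}
ISSUED_TOKENS = {}   # access_token -> {"claims": ..., "expires": ...}; what the API looks up


def build_assertion(issuer, subject, not_before, not_on_or_after, attrs, audience=TOKEN_ENDPOINT):
    """Minimal SAML 2.0 assertion as the enterprise IdP would issue it (constructed)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
            f'</saml:Assertion>').encode()


def sign_assertion(xml, key):
    """Stand-in for XML-DSig: the assertion parameter is base64url(xml + "." + HMAC-SHA256(xml))."""
    mac = hmac.new(key, xml, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(xml + b"." + mac).decode()


def _iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def _reject(reason):
    return 400, {"error": "invalid_grant", "error_description": reason}


def saml_to_oauth(form, now=None):
    """POST /as/token.oauth2 with the SAML bearer grant: validate everything, then mint."""
    now = time.time() if now is None else now
    if form.get("grant_type") != SAML2_BEARER:
        return 400, {"error": "unsupported_grant_type"}
    try:
        xml, _, mac = base64.urlsafe_b64decode(form["assertion"]).rpartition(b".")
        root = ET.fromstring(xml)
    except (KeyError, ValueError, ET.ParseError):
        return _reject("malformed assertion")
    key = TRUSTED_ISSUERS.get(root.findtext("saml:Issuer", namespaces=NS))
    if key is None:                      # unknown IdP: stop before trusting anything in the document
        return _reject("untrusted issuer")
    if not hmac.compare_digest(mac, hmac.new(key, xml, hashlib.sha256).hexdigest().encode()):
        return _reject("bad signature")
    cond = root.find("saml:Conditions", NS)
    try:
        in_window = _iso(cond.get("NotBefore")) <= now < _iso(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):   # missing Conditions or timestamps
        in_window = False
    if not in_window:
        return _reject("outside validity window")
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if TOKEN_ENDPOINT not in audiences:  # an assertion meant for another service is not accepted here
        return _reject("audience mismatch")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return _reject("no subject")
    claims = {"sub": subject}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claim = ATTRIBUTE_MAP.get(attr.get("Name"))
        if claim:                        # unmapped attributes are dropped, not passed through
            claims[claim] = attr.findtext("saml:AttributeValue", namespaces=NS)
    token = secrets.token_urlsafe(24)
    ISSUED_TOKENS[token] = {"claims": claims, "expires": now + TOKEN_TTL}
    return 200, {"token_type": "Bearer", "expires_in": TOKEN_TTL, "access_token": token}
```

The trust decision happens once, at the issuer lookup, and every later check depends on a key chosen by that decision; an assertion with an unknown issuer is refused before its contents influence anything. Attribute transformation is an allow-list: only mapped SAML attributes become claims, so group memberships or internal identifiers the enterprise did not intend to expose never reach the cloud API.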

Page 15

Concrete Example: OAuth 2.0 with SAML

Page 16

Trigger an OAuth Token Request

GET /as/authorization.oauth2?client_id=mobileapp&redirect_uri=mobileapp://redirect_here&response_type=code HTTP/1.1

Page 17

User Logs in at Enterprise

Page 18

Consent at Cloud Service

Page 19

Client Trades code for Access Token

HTTP/1.1 302 Found
Location: mobileapp://redirect_here?&code=wizJmaSTPAf0wqSeB3vmDx2mNSZK6g

POST /as/token.oauth2 HTTP/1.1
Host: as.com

client_id=a&redirect_uri=mobileapp://redirecthere&grant_type=authorization_code&code=wizJmaSTPAf0wqSeB3vmDx2mNSZK6g

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{"token_type":"Bearer","expires_in":"600","refresh_token":"oQWqwMUIL2ndeMHsWEyFO0GyalvKSvc2QI4YuG82RMGkM","access_token":"lSBbci4Jg8MsjiSqZLBrzEXgd4mKUNhOkyF"}

Page 20

Client uses Token at API

GET https://na1.salesforce.com/services/data/v22.0/chatter/users/me
Authorization: Bearer lSBbci4Jg8MsjiSqZLBrzEXg

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
  "aboutMe": "Head SE South",
  "address": {
    "city": "New Orleans",
    "country": "US",
    "state": "LA",
    "street": "923 Bourbon Street",
    "zip": "70116"
  },
  "currentStatus": {
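The exchange on pages 16 to 20, and the “ask for a token, validate the authority, not the user” principle of page 8, simulated end to end with both the client and the central authority in one script. This is an added example, not Ping Identity’s code; the endpoint paths and the 600-second expiry follow the slides, while the registered client, redirect URI and user name are constructed. It shows the checks the authorization server has to make that the slides leave implicit: the redirect_uri must be registered for the client before any redirect is issued, the code is single use and short-lived, and the token request must repeat the same client_id and redirect_uri as the authorization request. Note that the values on the slides differ between the two requests (client_id mobileapp versus a, redirect_here versus redirecthere); a server doing these checks would reject that exchange. The API side never sees a password: it only asks the authority whether the bearer token is live and whose it is.

```python
"""Added example: the authorization-code exchange of slides 16-20 with both sides simulated.
Client registration and user name are constructed; endpoint names follow the slides."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import parse_qs, urlencode

CODE_TTL = 60      # seconds an authorization code stays valid (assumed value)
TOKEN_TTL = 600    # matches expires_in on the slide


@dataclass
class AuthorizationServer:
    """The central authority: issues codes and bearer tokens and answers validity queries."""
    clients: dict                               # client_id -> set of registered redirect URIs
    clock: Callable[[], float] = time.time      # injectable so expiry can be exercised
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def authorize(self, client_id, redirect_uri, response_type, subject):
        """GET /as/authorization.oauth2, reached after the user logged in and consented."""
        if redirect_uri not in self.clients.get(client_id, set()):
            # an unregistered redirect_uri gets an error page, never a redirect
            raise ValueError("redirect_uri not registered for client")
        if response_type != "code":
            raise ValueError("unsupported_response_type")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "subject": subject, "expires": self.clock() + CODE_TTL}
        return f"{redirect_uri}?{urlencode({'code': code})}"   # the 302 Location value

    def token(self, form):
        """POST /as/token.oauth2 with grant_type=authorization_code."""
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        entry = self.codes.pop(form.get("code", ""), None)   # pop: a code is single use
        if entry is None or entry["expires"] < self.clock():
            return 400, {"error": "invalid_grant"}
        # the exchange must come from the same client and repeat the same redirect_uri
        if (entry["client_id"], entry["redirect_uri"]) != (form.get("client_id"), form.get("redirect_uri")):
            return 400, {"error": "invalid_grant"}
        access = secrets.token_urlsafe(24)
        self.tokens[access] = {"subject": entry["subject"], "expires": self.clock() + TOKEN_TTL}
        return 200, {"token_type": "Bearer", "expires_in": TOKEN_TTL, "access_token": access}

    def validate(self, access_token):
        """The question the API puts to the central authority: whose live token is this?"""
        entry = self.tokens.get(access_token)
        if entry is None or entry["expires"] < self.clock():
            return None
        return entry["subject"]


def api_users_me(auth_server, headers):
    """Resource server for GET .../users/me: it validates the bearer token, not the user."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    subject = auth_server.validate(token) if scheme == "Bearer" and token else None
    if subject is None:
        return 401, {"error": "invalid_token"}
    return 200, {"id": subject}


def mobile_app_flow(auth_server, client_id, redirect_uri, user):
    """Client side of slides 16-20. Returns the code, the token and the API response."""
    # 1. the app opens the browser at the authorization endpoint; the user logs in there
    location = auth_server.authorize(client_id, redirect_uri, "code", user)
    # 2. the browser comes back to mobileapp://... with the code in the query string
    code = parse_qs(location.split("?", 1)[1])["code"][0]
    # 3. the app trades the code for an access token over the back channel
    status, body = auth_server.token({"grant_type": "authorization_code", "code": code,
                                      "client_id": client_id, "redirect_uri": redirect_uri})
    if status != 200:
        return {"code": code, "token": None, "api": (status, body)}
    # 4. the app sends the bearer token to the API; no password was ever in its hands
    api = api_users_me(auth_server, {"Authorization": f"Bearer {body['access_token']}"})
    return {"code": code, "token": body["access_token"], "api": api}


if __name__ == "__main__":
    server = AuthorizationServer(clients={"mobileapp": {"mobileapp://redirect_here"}})
    print(mobile_app_flow(server, "mobileapp", "mobileapp://redirect_here", "jbradley")["api"])
```

The clock is injected so that code and token expiry can be exercised without waiting; in production the same structure gives the central audit point the slides promise, because every issuance and every validation passes through one object.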

Page 21

Architecture Advantages

• Users always authenticate in the same place
  – Teach them to expect your ceremony
  – Protect against the Password Antipattern
• Developers never see or store passwords
  – Only need to know how to ask for a token and use it at APIs
  – Or: ask once for credentials but never store them
• IT oversees every authentication
  – One attack surface & security plan
  – One audit point
• Same infrastructure regardless of medium
  – Web or web service

Page 22

Cloud Identity Management

• Centralizes Cloud Access Control
• Strengthens Security
• Integrates with Existing Infrastructure
• Simplifies Password Maintenance
• Deploys in Days
• http://www.pingidentity.com