Mobile Cloud Identity
Mobile Cloud Identity
Mark Diodati Technical Director—CTO Office
@mark_diodati
Thurs 13-12-05
Agenda
• Cloud Identity
• Modern Identity’s Building Blocks
• OpenID Connect
• FIDO
• NFC
CLOUD IDENTITY
On-Premises, Hybrid, Cloud
(Diagram: the three deployment models: on-premises, hybrid, and cloud.)
Cloud Identity
• Identity Management as a Service (IDaaS)
– Externally hosted, turnkey SaaS applications that perform identity management
• Users and applications may be on-premises or hosted
– OPEX pricing that flexes with scale
• Identity bridge
– On-premises component that connects on-premises and externally hosted environments
– Supports multiple identity services
Cloud Orientation
(Diagram: three orientations for identity: to the cloud, from the cloud, and in the cloud.)
To The Cloud (SSO + Provisioning)
(Diagram: on-premises, an employee authenticates to Active Directory with Kerberos SSO. An identity bridge hosts a federation IdP and directory synchronization; it provides federated SSO and directory sync (via API) to the hosted application.)
To The Cloud (Mobile Identity)
(Diagram: on-premises Active Directory and Microsoft Certificate Services, administered through the MMC, connect via an identity bridge to an externally hosted MDM cloud service. The MDM service pushes profiles and policies by group, provisions credentials (certificate and private key), and distributes applications to the mobile device.)
From The Cloud (SSO)
(Diagram: identity flows from the hosted side into on-premises applications. Hosted: a federation IdP and an OAuth authorization service, with partners connecting over SAML, OAuth, password, and X.509. On-premises: a federation SP fronting a SAML-enabled application (SAML), an OAuth relying party and OAuth resource server (OAuth), and a WAM-protected application reached with an HTTP cookie; an identity bridge links the two sides.)
From the Cloud (Provisioning)
(Diagram: an externally hosted provisioning IDaaS reconciles, through an identity bridge in each location, into on-premises targets across North America, Europe, and Manufacturing: Active Directory and an ERP system.)
In The Cloud (SSO + Provisioning)
(Diagram: the user authenticates to a hosted federation IdP; the hosted IDaaS provides federated SSO and provisioning to hosted applications.)
MODERN BUILDING BLOCKS
Modern Building Blocks
• REST (Representational State Transfer)
– Adopted in response to the complexity of SOAP
– Uses HTTP for its request/response
– Objects and endpoints are identified by URLs
– Example HTTP verbs
• GET: retrieve object attributes
• POST: create object with new attributes
• DELETE: delete object
Modern Building Blocks
• JSON (JavaScript Object Notation)
– Adopted in response to the complexity of XML
– Lightweight data format of name/value pairs (objects) and ordered lists (arrays)
Modern Building Blocks
• Most modern identity standards leverage JSON over REST
– Peanut butter and jelly
– OAuth (authorization), SCIM (provisioning), FIDO (authentication), OpenID Connect (identity layer on OAuth: authentication plus discovery and registration)
• Notable exceptions are SAML and XACML, which are XML-based
Modern Building Blocks

    POST https://pingidentity.com:8443/Users
    Authorization: Basic Y249RGlyZWN0b3J5IE1...
    Content-Type: application/json

    {
      "userType": "spy",
      "externalId": "tstark86753",
      "pacsSerial": "87654321",
      "active": true,
      "otpSerial": "12345678",
      "email": "[email protected]",
      "userName": "tstark",
      "givenName": "Tony",
      "familyName": "Stark"
    }

• REST HTTP verb: a POST to the Users endpoint adds a user in SCIM
• In REST, objects and endpoints have unique URLs (here https://pingidentity.com:8443/Users)
• JSON data representation in the request body; pacsSerial and otpSerial are custom attributes rather than SCIM core schema
• The Authorization header carries HTTP Basic credentials, which are base64-encoded rather than encrypted (the truncated value decodes to a "cn=Directory M..." bind DN), so the provisioning endpoint must only be reachable over TLS
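The server side of the request above, as an added example (not Ping Identity code): a minimal handler for the SCIM "POST /Users" call that checks the Basic credentials in constant time, insists on JSON, validates the attribute set, assigns the server-side id and returns the new object's URL. The credential store, the accepted attribute list, the in-memory user table and the e-mail address in the sample body are constructed for illustration.

```python
import base64
import hmac
import json
import uuid

# Constructed HTTP Basic credentials accepted by the provisioning endpoint.
VALID_CREDENTIALS = {"cn=Directory Manager": "s3cret"}
# SCIM core attributes the handler accepts, plus the deck's two custom ones.
CORE_ATTRIBUTES = {"userName", "externalId", "userType", "active", "email", "givenName", "familyName"}
EXTENSION_ATTRIBUTES = {"pacsSerial", "otpSerial"}
BASE_URL = "https://pingidentity.com:8443"   # from the slide
USERS = {}                                    # server-assigned id -> stored resource


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, or None.
    Basic credentials are base64-encoded, not encrypted: the slide's value decodes
    to a 'cn=Directory M...' bind DN, readable by anything that sees the request."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(header):
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    expected = VALID_CREDENTIALS.get(user)
    # constant-time comparison of the password
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())


def create_user(headers, body):
    """Handle POST /Users. Returns (status, response headers, response body)."""
    if not authenticate(headers.get("Authorization")):
        return 401, {"WWW-Authenticate": 'Basic realm="scim"'}, {"detail": "unauthorized"}
    if headers.get("Content-Type", "").split(";")[0].strip() != "application/json":
        return 415, {}, {"detail": "expected application/json"}
    try:
        resource = json.loads(body)
    except ValueError:
        return 400, {}, {"detail": "malformed JSON"}
    if not isinstance(resource, dict) or not isinstance(resource.get("userName"), str):
        return 400, {}, {"detail": "userName is required"}
    unknown = set(resource) - CORE_ATTRIBUTES - EXTENSION_ATTRIBUTES
    if unknown:   # reject rather than silently store attributes the schema does not define
        return 400, {}, {"detail": "unknown attributes: " + ", ".join(sorted(unknown))}
    if any(u["userName"] == resource["userName"] for u in USERS.values()):
        return 409, {}, {"detail": "userName already exists"}
    user_id = str(uuid.uuid4())   # server-assigned; the client's externalId is kept as sent
    stored = dict(resource, id=user_id)
    USERS[user_id] = stored
    # In REST every object has its own URL; the Location header returns the new one.
    return 201, {"Location": BASE_URL + "/Users/" + user_id}, stored


# The slide's request body with straight quotes (valid JSON); the e-mail is constructed.
SAMPLE_BODY = json.dumps({
    "userType": "spy", "externalId": "tstark86753", "pacsSerial": "87654321",
    "active": True, "otpSerial": "12345678", "email": "tstark@example.com",
    "userName": "tstark", "givenName": "Tony", "familyName": "Stark"})
SAMPLE_HEADERS = {
    "Authorization": "Basic " + base64.b64encode(b"cn=Directory Manager:s3cret").decode(),
    "Content-Type": "application/json"}

if __name__ == "__main__":
    status, response_headers, response = create_user(SAMPLE_HEADERS, SAMPLE_BODY)
    print(status, response_headers, json.dumps(response, indent=2))
```

The handler returns 201 with a Location header for the new resource, 409 on a duplicate userName, 401 when the Basic credentials do not check out and 400 for malformed JSON or attributes outside the declared schema.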
OPENID CONNECT
OAuth
• Increasingly popular protocol for managing API sessions in rich (native) mobile applications
• Mobile web applications function well with traditional enterprise authentication
• Rich mobile applications may break existing infrastructure such as authentication and Web access management, because there is no browser session in which a WAM cookie can live
OAuth Components and Flow
(Diagram: the components are the web browser, the native application acting as OAuth client/relying party, the OAuth authorization server, and the OAuth resource server. A = access token, R = refresh token.)
1. Browser instantiated by the native application
2. User authentication/consent at the authorization server
3. Token reference (authorization code) returned to the browser
4. Code delivery to the native application
5. Reference code + client authentication sent to the authorization server
6. Tokens downloaded (access token and refresh token)
7. Access token presentation to the resource server
8. Access to application resource
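The eight steps above, simulated end to end as an added example (not Ping Identity code): the authorization server, the native application and the resource server run in one process, so the messages of both sides are visible. The client id, redirect URI, scope and user are constructed. One thing here goes beyond the 2013 deck: PKCE (RFC 7636, published in 2015) is included because it is how a native application that cannot keep a client secret proves at step 5 that it is the same client that started step 1.

```python
import base64
import hashlib
import secrets
import time


def s256(verifier):
    """PKCE code challenge: base64url(SHA-256(verifier)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()


class AuthorizationServer:
    CODE_TTL, ACCESS_TTL = 60, 3600    # codes are short-lived and single-use

    def __init__(self):
        self.clients, self.codes, self.access_tokens, self.refresh_tokens = {}, {}, {}, {}

    def register_client(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    def authorize(self, client_id, redirect_uri, scope, state, code_challenge, user):
        """Steps 2-3: after user authentication and consent, redirect back with a
        reference code. The code refers to the grant; it is not a token itself."""
        if self.clients.get(client_id) != redirect_uri:   # exact-match redirect URI check
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                            "subject": user, "challenge": code_challenge,
                            "expires": time.time() + self.CODE_TTL}
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, grant_type, client_id, **p):
        """Steps 5-6: redeem the code (or a refresh token) for access and refresh tokens."""
        if grant_type == "authorization_code":
            grant = self.codes.pop(p["code"], None)           # pop: a code is usable once
            if (grant is None or grant["expires"] < time.time() or grant["client_id"] != client_id
                    or grant["redirect_uri"] != p["redirect_uri"]
                    or not secrets.compare_digest(s256(p["code_verifier"]), grant["challenge"])):
                raise PermissionError("invalid_grant")
            return self._issue(client_id, grant["subject"], grant["scope"])
        if grant_type == "refresh_token":
            old = self.refresh_tokens.pop(p["refresh_token"], None)   # rotate the refresh token on use
            if old is None or old["client_id"] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue(client_id, old["subject"], old["scope"])
        raise PermissionError("unsupported_grant_type")

    def _issue(self, client_id, subject, scope):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = {"client_id": client_id, "subject": subject, "scope": scope,
                                      "expires": time.time() + self.ACCESS_TTL}
        self.refresh_tokens[refresh] = {"client_id": client_id, "subject": subject, "scope": scope}
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL}

    def introspect(self, access_token):
        info = self.access_tokens.get(access_token)
        return info if info and info["expires"] >= time.time() else None


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_profile(self, authorization_header):
        """Steps 7-8: accept a bearer access token and release the resource if scope allows."""
        if not authorization_header.startswith("Bearer "):
            return 401, None
        info = self.auth_server.introspect(authorization_header[7:])
        if info is None:
            return 401, None
        if "profile" not in info["scope"].split():
            return 403, None
        return 200, {"subject": info["subject"]}


def run_flow():
    """Drive the native application through steps 1-8; return what it obtained."""
    auth = AuthorizationServer()
    auth.register_client("mobile-app", "com.example.app:/callback")      # constructed registration
    rs = ResourceServer(auth)
    verifier, state = secrets.token_urlsafe(48), secrets.token_urlsafe(16)   # step 1: app opens the browser
    redirect = auth.authorize("mobile-app", "com.example.app:/callback", "profile",
                              state, s256(verifier), user="tstark")         # steps 2-3
    query = dict(pair.split("=") for pair in redirect.split("?", 1)[1].split("&"))   # step 4
    if query["state"] != state:             # the app ignores a response it did not start
        raise ValueError("state mismatch")
    tokens = auth.token("authorization_code", "mobile-app", code=query["code"],
                        redirect_uri="com.example.app:/callback", code_verifier=verifier)  # steps 5-6
    status, profile = rs.get_profile("Bearer " + tokens["access_token"])   # steps 7-8
    try:                                     # a replayed code must be rejected
        auth.token("authorization_code", "mobile-app", code=query["code"],
                   redirect_uri="com.example.app:/callback", code_verifier=verifier)
        replayed = True
    except PermissionError:
        replayed = False
    return {"status": status, "profile": profile, "code_replayed": replayed,
            "tokens": tokens, "auth": auth}


if __name__ == "__main__":
    result = run_flow()
    print(result["status"], result["profile"], "code replay accepted:", result["code_replayed"])
```

The checks that matter for a native client are all in `token()`: the code is popped so it cannot be redeemed twice, it is bound to the client id and redirect URI it was issued for, and it expires; the refresh token is rotated each time it is used.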
Why Not Just Use OAuth?
• OAuth is:
– Valuable as an access delegation protocol
– A good fit for native mobile applications
– Friendly for developers
• OAuth is not:
– A user identity protocol
– An “identity at scale” protocol
OpenID Connect Flow
(Diagram: the OpenID Provider comprises an OAuth authorization server and a user information endpoint. The OAuth client/relying party receives three tokens: an access token (A), a refresh token (R), and an ID token (ID). The access token is used for API access to the OAuth resource server and to retrieve user information from the user information endpoint.)
OIDC Multiple Provider Flow
(Diagram: the OAuth client/relying party works with two OpenID Providers, each with its own authorization server and user information endpoint.)
1. Tokens (access, refresh, ID) issued by OpenID Provider #1
2. User information retrieved from Provider #1's user information endpoint
3. API access to the OAuth resource server with Provider #1's access token
4. ID token presented to OpenID Provider #2
5. OpenID Provider #2 returns its own access and refresh tokens
OpenID Connect Protocols
• Protocol for clients that support additional security (Basic Client Profile, using the authorization code flow)
• Protocol for simpler clients (Implicit Client Profile)
• Optional discovery of OpenID providers (Discovery)
• Optional automated registration of clients, e.g., server applications, mobile devices (Dynamic Client Registration)
OpenID Connect Under The Covers
• OAuth 2.0 specifications
• JSON Web Token (JWT)
• JOSE
– JSON Web Signature (JWS)
– JSON Web Encryption (JWE)
– JSON Web Algorithms (JWA)
– JSON Web Key (JWK)
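How those pieces fit together, as an added example (not Ping Identity code): an ID token is a JWT carried as a JWS, and the relying party's job is to verify it before trusting a single claim. The block mints one and validates it with the checks an RP must make: the issuer is one the RP configured (this is what makes the multiple-provider flow above safe), the `alg` header is the expected one rather than whatever the token claims, the signature verifies, `aud` names this client, the token has not expired and the `nonce` matches the one sent in the request. It signs with HS256 using the client secret, which OpenID Connect Core permits; most providers sign with RS256 and publish the public key as a JWK, and the same checks apply. Issuer URLs, client id, secrets and nonce are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(issuer, secret, subject, audience, nonce, now=None):
    """What the OpenID Provider returns alongside the access and refresh tokens."""
    now = int(now or time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "nonce": nonce,
              "iat": now, "exp": now + 300}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class IdTokenError(Exception):
    pass


def validate_id_token(token, providers, client_id, expected_nonce, now=None):
    """Relying-party checks. `providers` maps the issuers this RP trusts to their
    keys; an issuer missing from it is rejected before any signature is checked."""
    now = now or time.time()
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        raise IdTokenError("malformed token")
    # 1. The configured issuer selects the key; nothing in the token is trusted yet.
    key = providers.get(claims.get("iss"))
    if key is None:
        raise IdTokenError("untrusted issuer")
    # 2. The header's alg is attacker-controlled: accept only the expected one ("none" never verifies).
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(key.encode(), (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise IdTokenError("bad signature")
    # 3. aud must contain this client; with several audiences azp must name it.
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud or (len(aud) > 1 and claims.get("azp") != client_id):
        raise IdTokenError("audience mismatch")
    # 4. Lifetime and replay.
    if claims.get("exp", 0) <= now:
        raise IdTokenError("expired")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")
    return claims


def accepts(token, providers, client_id, expected_nonce, now=None):
    """True if validate_id_token accepts the token, False if it rejects it."""
    try:
        validate_id_token(token, providers, client_id, expected_nonce, now)
        return True
    except IdTokenError:
        return False


# Constructed: two OpenID Providers, as in the multiple-provider diagram.
PROVIDERS = {"https://op1.example.com": "secret-shared-with-op1",
             "https://op2.example.com": "secret-shared-with-op2"}
CLIENT_ID = "mobile-app"


def demo():
    nonce = "n-0S6_WzA2Mj"   # constructed; in practice a fresh random value per request
    token = mint_id_token("https://op2.example.com", PROVIDERS["https://op2.example.com"],
                          "tstark", CLIENT_ID, nonce)
    claims = validate_id_token(token, PROVIDERS, CLIENT_ID, nonce)
    # A token from an issuer the RP never configured fails before any signature check.
    rogue = mint_id_token("https://evil.example.net", "whatever", "tstark", CLIENT_ID, nonce)
    return claims, accepts(rogue, PROVIDERS, CLIENT_ID, nonce)


if __name__ == "__main__":
    verified, rogue_accepted = demo()
    print(verified, "rogue issuer accepted:", rogue_accepted)
```

The order of the checks is deliberate: the key is chosen from the RP's own configuration keyed by `iss`, never from a URL or key id inside the token, and the algorithm is fixed by the RP rather than read from the header.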
FIDO
FIDO—A Tale of Two Protocols
• FIDO Universal Authentication Framework (UAF)
– Local mobile biometrics
– Initially proposed by Lenovo, Nok Nok, PayPal, others
– Also supports non-biometric authentication
• Universal Second Factor (U2F)
– "Smart" smart card
– Initially proposed by Google and Yubico (first to partner)
FIDO UAF
(Diagram: a FIDO client on the device talks to one or more FIDO authenticators, each holding a device key pair (used for device attestation) and site-specific key pairs. The FIDO server at the web site/RP verifies device attestation against a FIDO attestation service; user information and the site-specific public key are bound at the RP, optionally after ID proofing.)
1. User authentication to the FIDO client (e.g., local biometric)
2. FIDO handshake between the FIDO client and the FIDO server
3. Asymmetric key authentication with the site-specific key pair
UAF to OpenID Connect
(Diagram: the mobile application (relying party) embeds a FIDO client; the OpenID Provider includes a FIDO authentication module. User information and the public key are bound at the OpenID Provider.)
1. User authentication to the FIDO client
2. FIDO handshake with the FIDO authentication module
3. Asymmetric key authentication
4. Token information returned (ID, access, and refresh tokens)
5. API request/response carrying the tokens
FIDO U2F
(Diagram: the web site/RP runs a site authentication service and a U2F authentication service and stores, per user, the user info, public key, and Key Handle. The U2F device holds a device key pair (per batch, used for device attestation and verified by an attestation service) and site-specific key pairs referenced by Key Handles. Activation button: activation is required during enrollment and optional at runtime.)
1. User password authentication
2. Challenge/response with the Key Handle
U2F to Federation
(Diagram: the federation IdP runs a primary authentication service and a U2F authentication service, storing user info, public key, and Key Handle.)
1. User password authentication
2. Challenge/response with the Key Handle
3. SAML credentials issued by the federation IdP
4. SAML credentials presented to the federation SP
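Enrollment and the challenge/response step shown in the two U2F diagrams, as an added example (not Ping Identity or FIDO Alliance code) that fills in what a Key Handle is and why the RP keeps one. The site-specific private key is derived from a device secret, the app id and a nonce, and the Key Handle is that nonce plus a MAC over the app id and the derived key, which is the key-wrapping scheme Yubico documented for its U2F devices; the batch attestation key signs the registration data so the RP can check the device batch against the attestation service. The P-256 ECDSA is a textbook, non-constant-time implementation written only so the example runs without third-party libraries; app ids, user names, the device secret and all keys are constructed.

```python
import hashlib
import hmac
import secrets

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):                       # affine point addition on P-256; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if x1 == x2          # a = -3 for P-256
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, point):                     # double-and-add scalar multiplication (not constant-time)
    result = None
    while k:
        if k & 1: result = _add(result, point)
        point, k = _add(point, point), k >> 1
    return result

def _z(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def ecdsa_sign(d, msg):
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (_z(msg) + r * d) % N
        if r and s: return (r, s)

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    pt = _add(_mul(_z(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def _enc(pub): return pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
def _app_hash(app_id): return hashlib.sha256(app_id.encode()).digest()

class U2FDevice:
    """One authenticator: a device secret that never leaves it, the attestation key
    shared by every device in its batch, and a signature counter."""
    def __init__(self, batch_attestation_priv):
        self.secret, self.attest_priv, self.counter = secrets.token_bytes(32), batch_attestation_priv, 0

    def _wrap(self, app_id, nonce):     # site-specific private key and the MAC that ties it to app_id
        priv = int.from_bytes(hmac.new(self.secret, app_id.encode() + nonce, hashlib.sha256).digest(), "big") % N
        mac = hmac.new(self.secret, app_id.encode() + priv.to_bytes(32, "big"), hashlib.sha256).digest()
        return priv, mac

    def register(self, app_id, challenge):
        """Enrollment (activation button required): new site key pair, Key Handle, attestation."""
        nonce = secrets.token_bytes(32)
        priv, mac = self._wrap(app_id, nonce)
        key_handle, pub = nonce + mac, _mul(priv, G)
        reg_data = _app_hash(app_id) + challenge + key_handle + _enc(pub)
        return {"public_key": pub, "key_handle": key_handle, "attestation": ecdsa_sign(self.attest_priv, reg_data)}

    def authenticate(self, app_id, key_handle, challenge):
        """Runtime: unwrap the Key Handle; refuse if it was not made by this device for this app id."""
        priv, mac = self._wrap(app_id, key_handle[:32])
        if not hmac.compare_digest(mac, key_handle[32:]):
            raise ValueError("Key Handle does not belong to this device and app id")
        self.counter += 1
        signed = _app_hash(app_id) + b"\x01" + self.counter.to_bytes(4, "big") + challenge   # 0x01 = user present
        return {"counter": self.counter, "signature": ecdsa_sign(priv, signed)}

class RelyingParty:
    def __init__(self, app_id, batch_attestation_pub):
        self.app_id, self.attest_pub, self.users = app_id, batch_attestation_pub, {}

    def enroll(self, username, device):
        challenge = secrets.token_bytes(32)
        reg = device.register(self.app_id, challenge)
        reg_data = _app_hash(self.app_id) + challenge + reg["key_handle"] + _enc(reg["public_key"])
        if not ecdsa_verify(self.attest_pub, reg_data, reg["attestation"]):   # attestation service check
            raise ValueError("attestation failed: device batch not recognised")
        self.users[username] = {"public_key": reg["public_key"], "key_handle": reg["key_handle"], "counter": 0}

    def login(self, username, device):
        """Second factor, after the password step (1) in the diagram."""
        rec, challenge = self.users[username], secrets.token_bytes(32)
        resp = device.authenticate(self.app_id, rec["key_handle"], challenge)
        signed = _app_hash(self.app_id) + b"\x01" + resp["counter"].to_bytes(4, "big") + challenge
        if not ecdsa_verify(rec["public_key"], signed, resp["signature"]) or resp["counter"] <= rec["counter"]:
            return False                 # bad signature, or a cloned device replaying an old counter
        rec["counter"] = resp["counter"]
        return True

def demo():
    batch_priv = secrets.randbelow(N - 1) + 1          # constructed batch attestation key
    device = U2FDevice(batch_priv)
    rp = RelyingParty("https://app.example.com", _mul(batch_priv, G))
    rp.enroll("tstark", device)
    genuine = rp.login("tstark", device)
    phish = RelyingParty("https://app-example.com.evil", _mul(batch_priv, G))   # stolen record, other app id
    phish.users["tstark"] = dict(rp.users["tstark"])
    try:
        phished = phish.login("tstark", device)
    except ValueError:
        phished = False
    return genuine, phished
```

The phishing case is the point of the Key Handle design: a site that has copied the user's public key and Key Handle still cannot get a signature, because the device recomputes the MAC with its own app id and refuses to unwrap a handle that was minted for a different one.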
SCEP Certificate Enrollment
(Diagram: profile service, certificate authority, user, iPhone Configuration Utility, and a SCEP.mobileconfig profile.)
1. The utility publishes the enrollment profile (SCEP.mobileconfig)
2. User authenticates to the profile service
3. Profile is downloaded to the device
4. iOS executes SCEP enrollment against the certificate authority
5. Certificate is installed in the iOS store
SCEP Enrollment Vulnerability
(Diagram: profile service, certificate authority, the SCEP.mobileconfig profile, and the resulting certificate and private key on the device.)
1. Profile service to CA: "Can I have a SCEP secret?"
2. CA: "Sure! Your SCEP secret is '8675309'."
3. Profile service to user: "Tony Stark, enroll for a certificate. Your SCEP secret is '8675309'."
4. Device to CA: "My name is 'Nick Fury'. My SCEP secret is '8675309'."
5. CA: "Here you go! Your certificate name is Nick Fury."
The SCEP challenge password proves possession of a shared secret; it does not bind the request to the subject name the CA is supposed to issue, so anyone holding the secret can enroll under another user's name.
Enhanced Enrollment
(Diagram: MDM service, certificate authority, and the certificate and private key delivered to the device.)
1. MDM service to CA: "Here is the public key for user Tony Stark"
2. CA: "Sure! Here is the certificate"
3. MDM service to device: "Here is your certificate and private key!"
The MDM service generates the key pair and requests the certificate itself, so the subject name comes from the MDM's authenticated enrollment rather than from a client-supplied request; the trade-off is that the private key exists at the MDM service and in transit to the device.
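The deck's remedy moves key generation into the MDM service. The other common remedy keeps SCEP on the device and fixes the CA side instead, and it is shown here as an added example (not Ping Identity or any CA vendor's code): the vulnerable pattern (one challenge password for everyone) beside a hardened one, where the profile service asks for a per-subject, single-use, short-lived challenge after it has authenticated the user, and the CA refuses any request whose subject differs from the one the challenge was minted for. A certificate request is modelled as a dict with a subject and a public key (the challengePassword attribute of a real CSR is passed separately), and the challenge store is in memory; all names are constructed.

```python
import hmac
import secrets
import time


class SharedSecretCA:
    """The vulnerable pattern from the diagram: one SCEP challenge password for
    everyone, so anyone who learns it can enroll for any subject name."""
    def __init__(self, scep_secret):
        self.secret, self.issued = scep_secret, []

    def enroll(self, csr, challenge):
        if not hmac.compare_digest(challenge, self.secret):
            raise PermissionError("bad challenge")
        cert = {"subject": csr["subject"], "public_key": csr["public_key"]}
        self.issued.append(cert)
        return cert


class BoundChallengeCA:
    """Hardened: the profile service requests a per-subject, single-use,
    short-lived challenge; the CA signs only a request whose subject matches."""
    TTL = 600   # seconds a challenge stays valid

    def __init__(self):
        self.challenges, self.issued = {}, []

    def issue_challenge(self, subject, now=None):
        """Called by the profile service after it has authenticated the user (step 2)."""
        token = secrets.token_urlsafe(32)
        self.challenges[token] = {"subject": subject, "expires": (now or time.time()) + self.TTL}
        return token

    def enroll(self, csr, challenge, now=None):
        grant = self.challenges.pop(challenge, None)      # pop: single use
        if grant is None or grant["expires"] < (now or time.time()):
            raise PermissionError("unknown, used, or expired challenge")
        if csr["subject"] != grant["subject"]:             # the binding the shared secret lacks
            raise PermissionError("CSR subject does not match the authenticated user")
        cert = {"subject": csr["subject"], "public_key": csr["public_key"]}
        self.issued.append(cert)
        return cert


def try_enroll(ca, csr, challenge, now=None):
    """Subject of the issued certificate, or None if the CA refused."""
    try:
        return (ca.enroll(csr, challenge, now) if now is not None else ca.enroll(csr, challenge))["subject"]
    except PermissionError:
        return None


def replay_the_slide():
    """Tony Stark's challenge is used to submit a request naming Nick Fury;
    returns the subject each CA issued (None when it refused)."""
    fury_csr = {"subject": "CN=Nick Fury", "public_key": "constructed-public-key"}
    shared = SharedSecretCA("8675309")
    shared_result = try_enroll(shared, fury_csr, "8675309")
    bound = BoundChallengeCA()
    stark_challenge = bound.issue_challenge("CN=Tony Stark")
    bound_result = try_enroll(bound, fury_csr, stark_challenge)
    return shared_result, bound_result


if __name__ == "__main__":
    print(replay_the_slide())
```

With the hardened CA the same request fails three independent ways: a challenge issued for one subject does not sign for another, a challenge cannot be redeemed twice, and a challenge left over from an old enrollment expires.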
MDM - Email Proxy
(Diagram: the mobile device authenticates to the MDM with its X.509 certificate and private key. The identity bridge performs S4U Kerberos impersonation (constrained delegation) against Active Directory to obtain Kerberos tickets for the user and accesses the Exchange Server on the user's behalf.)
The bridge's service account must be trusted for delegation to Exchange, which makes that account a high-value target and its host worth protecting accordingly.
NFC
NFC on Mobile Device
(Diagram: the NFC system on the handset: secure element, NFC controller, and antenna.)
NFC for Converged Authentication
(Diagram: one NFC credential used for both IT access and building access.)
NFC for Tablet Authentication
(Diagram: a contactless smart card, or a smartphone, holding a certificate and private key is tapped to the tablet over NFC; the tablet authenticates to the web application over SSL with that certificate.)
NFC Provisioning
(Diagram: an externally hosted Mobile Credential Management Service (MCM) provisions a PACS credential and a PKI certificate to applications on the device. On-premises, an identity bridge connects the MCM to the PACS host, the certificate authority, and Active Directory.)
Mobile Credential Management Service
(Diagram: the Mobile Credential Management Service (MCM) provisions credentials into the NFC secure element through the Trusted Service Manager and the mobile network operators, and works alongside the MDM.)
NFC Authorization
(Diagram: the PKI certificate on the device is used for PKI authentication; an authorization policy is delivered to the device (policy delivery).)
Copyright ©2013 Ping Identity Corporation. All rights reserved.