OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
155
!"#$% ' (#$%)*+,(+-* . (#$%-/01(+-* 2/(3)4-/5 2-/ 6789 ":;< =/0(* >(3?@)AA . :(#A B(C<)* :0*D ;C)*+$E
-
Upload
brian-campbell -
Category
Technology
-
view
3.065 -
download
3
description
A key technical underpinning of the Cloud are Application Programming Interfaces (API) - consistent methods for applications to interface with services in the cloud. More and more it will be through APIs that cloud data moves. The security of consumer APIs was threatened by the so-called 'password anti-pattern' – a model in which a client would collect and replay the password for a user at an API in order to access information on behalf of that user. OAuth not only defeats the password anti-pattern, but does much more. OAuth 2.0 defines a consistent, flexible identity and policy architecture for web applications, web services, devices, and desktop clients attempting to communicate with Cloud APIs. We'll discuss what OAuth provides, where it came from, and where its going. About Paul Madsen Paul Madsen is a Senior Technical Architect within the Office of the CTO at Ping Identity. He has served in various design, chairing, editing, and education roles for a number of federation standards, including OASIS Security Assertion Markup Language (SAML), OASIS Service Provisioning Markup Language (SPML), and Liberty Identity Web Services Framework (ID-WSF). He participates in a number of the Kantara Initiative's activities, as well as various other cloud identity initiatives. He holds an M.Sc. in Applied Mathematics and a Ph.D. in Theoretical Physics from Carleton University and the University of Western About Brian Campbell As Principal Architect for Ping Identity, Brian Campbell aspires to one day know what a Principal Architect actually does for a living. In the meantime, he tries to make himself useful by ideating, designing and building software systems such as Ping’s flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee and a current focus on OAuth 2.0 within the IETF. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
Transcript of OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
!"#$%&'&(#$%)*+,(+-*&.&(#$%-/01(+-*&
2/(3)4-/5&2-/&6789&":;<&
=/0(*&>(3?@)AA&.&:(#A&B(C<)*&
:0*D&;C)*+$E&
F-D0<+,<&
• 9%)&(??/-?/0($)&2-/3&-2&(CC/)<<&2-/&$%)&<?)(5)/<&0<&G80/G&
• "@<$/(,$&$%0*50*D&($&)A)H(+-*&,(*&@)&C(*D)/-#<I&J/0*5&?A)*$E&-2&
4($)/I&&
• 6)A($)C&$-&?/)H0-#<K&$%)/)&40AA&@)&*-&@0-&@/)(5<K&?A)(<)&3(5)&*-$)&-2&
A-,(+-*&-2&@#,5)$&0*&@(,5&-2&/--3I&&
• ;2&E-#&40<%&$-&(<5&(&L#)<+-*K&?A)(<)&$4))$&0$&40$%&$%)&$(D&
GM?(#A(*C@/0(*<(4)<-3)-(#$%4-/5<%-?G&
• N)&40AA&@)&C-0*D&(&/-A)O?A(E0*D&)P)/,0<)&$-&<03#A($)&$%)&!"#$%&Q-4I&
8$(/$&$%0*50*D&(@-#$&4%-&E-#&4(*$&0*&E-#/&D/-#?<&-2&R&(*CK&
03?-/$(*$AEK&4%-&40AA&?A(E&$%)&/-A)&-2&$%)&GC#3@G&,A0)*$I&
• 9%)/)&40AA&@)&(*&!"#$%&L#01&($&$%)&)*CI&9%)&%0D%)<$&<,-/)&40AA&/),)0H)&
(&S--DA)T&0*H0$)I&9%)&U*C&%0D%)<$&<,-/)&40AA&/),)0H)&U&0*H0$)<&)$,&
• V-/&B-*C(E&C0**)/K&&
– 850&90?&/)<$(#/(*$&O&W-$&($&$-?&-2&3-#*$(0*&
– =#<)<&,-AA),$&($&XIYZ&– W-&<?-#<)<&$-*0$)&'&<?(,)&,-*<$/(0*)C&
" 8)*0-/&9),%*0,(A&"/,%0$),$&40$%0*&$%)&![,)&-2&
$%)&>9!&($&:0*D&;C)*+$E&
" ?3(C<)*\?0*D0C)*+$EI,-3&
" %]?^__444IA0*5)C0*I,-3_0*_?(#A3(C<)*&
" 8)/H)C&0*&H(/0-#<&C)<0D*K&,%(0/0*DK&)C0+*DK&(*C&)C#,(+-*&/-A)<&2-/&(&*#3@)/&-2&2)C)/(+-*&
<$(*C(/C<K&0*,A#C0*D&8:BFK&;JON8V&.&
;*2-/3(+-*&>(/C<&
" N-/5)C&40$%&<#,,)<<2#A&<$(*C(/C<&$--K&A05)&
8"BF&.&`%-?)2#AAEa&!"#$%&.&8>;B&
" b-AC<&(*&BI8,I&0*&"??A0)C&B($%)3(+,<&(*C&(&:%IJI&0*&9%)-/)+,(A&:%E<0,<&2/-3&>(/A)$-*&
c*0H)/<0$E&(*C&$%)&c*0H)/<0$E&-2&N)<$)/*&!*$(/0-&/)<?),+H)AEI&
" ;&5*-4K&3E&@-EG<&40,5)C&<3(%$I&
" d)$K&?/-2)<<0-*(AAEK&%)&0<&)e),+H)AE&3E&?))/I&
" 8-&4%-f<&<-&<3(/$&*-4K&)%g&
" 8)A2&(<<)/$)C&B-<$&;*$)/)<+*D&B(*&0*&;C)*+$E&&
" J-)<*f$&(A4(E<&C/0*5&@)2-/)&*--*K&@#$&4%)*&%)&C-)<&`E-#&5*-4K&02&$%)/)&4(<&(&A-*D&3))+*D&-/&<-3)$%0*DaK&%)&?/)2)/<&(&S.9&
" !/&<0P&" :/-A0h,&$4))$)/&40$%&4)AA&-H)/&%(A2&(&$%-#<(*C&2-AA-4)/<&O&\?(#A3(C<)*&
" 8+AA&@A-D<&`%-4&L#(0*$a&($&,-**),+CI@A-D<?-$I,-3&.&?(#A3(C<)*I?-<$)/-#<I,-3&
" 8+AA&4(0+*D&2-/&(&S--DA)T&0*H0$)&
=/0(*&>(3?@)AA&
• F)(C<&:0*D&7*D0*))/0*D&$)(3&(CC0*D&!"#$%&$-&
?/-C#,$&A0*)&
• =),(3)&<-i4(/)&C)H)A-?)/&(i)/&/)(A010*D&,%-<)*&
,(/))/&-2&A02)&,-(,%&0*H-AH)C&$(A50*D&$-&?)-?A)&
• N0$%0*&<$(*C(/C<&4-/AC&'&%(<&(,%0)H)C&*-$-/0)$E&
2-/&%(@0$&-2&4-/50*D&?/-2(*0$E&0*$-&*(3)<?(,)&
c6;<&
• N%0A)&,%(0/0*D&!"8;8&8"BF&9>K&9>&/)H)*#)<&
0*,/)(<)C&2/-3&jZ&$-&jkIXZ&C#)&$-&%0<&0C)(&2-/&(&
GS0H)&3)&jkllG&,(3?(0D*&
• N0$%0*&:0*DK&/#*<&N)A,-3)&N(D-*&2-/&*)4&
)3?A-E))<&
• "H0C&?%-$-D/(?%)/&'&?%-$-<&%(H)&D/(,)C&$%)&2/0D<&
-2&3(*E&-2&%0<&2(30AE&
• >#//)*$AE&,-O)C0+*D&$%)&8"BF&"<<)/+-*&?/-hA)&
2-/&!"#$%I&;*&$%($&,-*$)P$K&?/-?-<0*D&(&G6)(C&$%)&
mjM.n&<?),G&)//-/&/)<?-*<)&,-C)&
• b(<&(A3-<$&-@<)<<0H)&0*$)/)<$&0*&>(*(C(&
• \4))#*L#0)$30*C&
"D)*C(&
• !"#$%&C/0H)/<&• 8,/))*<%-$&C)3-&
• !"#$%&%0<$-/E&• !"#$%&U&• !"#$%&0*&,-*$)P$&• o)E&#<)&,(<)<&• !"#$%&<),#/0$E&3-C)A&
• "AA&$%)&@)AA<&.&4%0<$A)<&4(A5&$%/-#D%&
"#$%)*+,(+-*&2-/&8!":&
• 9%)&8!":&4-/AC&%(<&A-*D&%(C&<$(*C(/C<&/)A($)C&$-&(#$%)*+,(+-*&.&(#$%-/01(+-*&-2&4)@&<)/H0,)<&
• N8O9/#<$&C)h*)<&(&?/-$-,-A&@E&4%0,%&(&8!":&,A0)*$&
,(*&-@$(0*&(&<),#/0$E&$-5)*&`$E?0,(AAE&(&8"BF&
(<<)/+-*a&
• N8O8),#/0$E&<+?#A($)<&%-4&$-&(](,%&$%)&$-5)*&
`8"BF&(<<)/+-*a&$-&(&8!":&/)L#)<$&
=#$&pII&
ka&6789&(#$%)*+,(+-*&
• 6789&4-/AC&%(<&*-$&%(C&,-3?(/(@A)&<$(*C(/C<&
• W-$%0*D&,-3?(/(@A)&$-&N8O8),#/0$E&O&30<%3(<%&-2&
b99:&=(<0,K&b99:&J0D)<$K&?/-?/0)$(/E&3),%(*0<3<K&
(*C&3#$#(A&88F&2-/&,A0)*$&(#$%)*+,(+-*&&
• W-$%0*D&,-3?(/(@A)&$-&N8O9/#<$&'&,-*<)L#)*$AE&
,A0)*$&@)(/<&@#/C)*&-2&3(*(D0*D&,/)C)*+(A<&.&$/#<$&
Ua&:(<<4-/C&(*+O?(])/*&&
80$)<&(<5<&d!c&2-/&E-#/&S!!SF7&?(<<4-/C&<-&0$&
,(*&(,,)<<&E-#/&S--DA)&<$#eI&
9<5&$<5l&
• >A0)*$&3#<$&<$-/)&?(<<4-/C<&
• 9)(,%)<&#<)/<&$-&@)&0*C0<,/030*($)&
40$%&$%)0/&?(<<4-/C<&
• B-/)&C0[,#A$&$-&3-H)&$-&3#A+O2(,$-/&
(*C&2)C)/($)C&(#$%)*+,(+-*&
• J-)<*f$&<#??-/$&D/(*#A(/&?)/30<<0-*<K&
)IDI&q&,(*&/)(C&@#$&*-$&4/0$)&
• J-)<*f$&<#??-/$&5*-4A)CD)_C0e)/)*+(+-*&-2&$%)&(,,)<<&D/(*$)C&
• J-)<*f$&<#??-/$&`)(<Ea&/)H-,(+-*&'&$-&@)&<#/)&-2&$#/*0*D&-e&(,,)<<&#<)/<&
3#<$&,%(*D)&?(<<4-/C&&
;3?-/$(*,)&-2&/)H-,(+-*&
N9V&0<&$%0<&$%0*Dg&
;&<%-#AC&#<)&$%($&3-/)&
9%0<&0<&<%0*Elllll&
Ya&>A-#C&":;<&
• N0$%0*&3-H)&$-4(/C<&8((8&'&$/)*C&$-4(/C<&":;&(,,)<<&
$-&C($(_<)/H0,)<&$-&<#??A)3)*$_/)?A(,)&@/-4<)/&
(,,)<<&
• Salesforce.com expects that within the next year – only 1/3 of access will be via browser&
• ":;<&-2&:((8&-e)/0*D<&(AA-4&$%)&,#<$-3)/&$-&)P?-<)&0$<&
-4*&,A-#C&<)/H0,)<&
• >A)(/&$/)*C&2-/&$%)<)&":;<&0<&$-4(/C<&6789&
>A-#C&,#/)<&)H)/E$%0*D&
Ra&W(+H)&3-@0A)&(??<&
\4))c*L#0)$B0*C&\?(#A3(C<)*&
"<0C)&O&W(+H)&H<&4)@&
• W-$&D-0*D&$-&$/E&$-&?/)C0,$&40**)/&'&)P?),$&@-$%&• W(+H)G<&,#//)*$&?-?#A(/0$E&A05)AE&@(A(*,)C&@E&
b9BFX&2)($#/)<&
• "#$%)*+,(+-*&.&(#$%-/01(+-*&<%-#AC&@)&,-*<0<$)*$&(,/-<<&@-$%&3-C)A<K&<-&$%($&
– c<)/<&(/)&*-$&,-*2#<)CK&)D&#<)&C0e)/)*$&,/)C)*+(A<&(*C_-/&(#$%)*+,(+-*&,)/)3-*E&2-/&
$%)&$4-&3-C)A<K&)H)*&02&(,,)<<0*D&$%)&<(3)&
(??A0,(+-*&
– 8)/H0,)&:/-H0C)/<&(/)*f$&2-/,)C&$-&03?A)3)*$&
C#?A0,($)&.&0*,-3?(+@A)&<),#/0$E&2/(3)4-/5<&
2-/&$%)&$4-&3-C)A<&
J/0H)/<&
F(,5&-2&
<$(*C(/C<&
&
&
>A-#C&":;<&
:(<<4-/C&
(*+O
?(])/*&
W(+H)&
3-@0A)&
"??A0,(+-*<&
!"#$%&
7*$)/&!"#$%l&
• "*&-?)*&?/-$-,-A&$-&(AA-4&<),#/)&":;&(#$%-/01(+-*&0*&(&<03?A)&(*C&<$(*C(/C&3)$%-C&2/-3&C)<5$-?K&3-@0A)&(*C&
4)@&(??A0,(+-*<I&
• J)h*)<&(#$%-/01(+-*&.&(#$%)*+,(+-*&2/(3)4-/5&2-/&
67892#A&":;<&
• "??A0)C&$-&C)A)D($)C&(#$%-/01(+-*&'&30+D($)<&?(<<4-/C&
(*+O?(])/*&O&(/,%)$E?0,(A&#<)&,(<)&
• :/-H0C)<&(&<$(*C(/C&4(E&$-&D0H)&(&r5)Ef&$-&(&$%0/CO?(/$E&4%0,%&(AA-4<&-*AE&A030$)C&(,,)<<&$-&?)/2-/3&<?),0h,&
2#*,+-*<&
– N0$%-#$&C0H#AD0*D&E-#/&,/)C)*+(A<&&
"*&!H)/#<)C&"*(A-DE&
OAuth is your valet key to the Interwebs
It’s going happen one way or the other so may as well tax and regulate!
"D)*C(&
• !"#$%&C/0H)/<&• 8,/))*<%-$&C)3-&
• !"#$%&%0<$-/E&• !"#$%&U&• !"#$%&0*&,-*$)P$&• o)E&#<)&,(<)<&• !"#$%&<),#/0$E&3-C)A&
• "AA&$%)&@)AA<&.&4%0<$A)<&4(A5&$%/-#D%&
Real World Demo -> brizzly.com accesses the twitters &
Real World Demo -> brizzly.com accesses the twitters &
Real World Demo -> brizzly.com accesses the twitters &
Real World Demo -> brizzly.com accesses the twitters &
Real World Demo -> brizzly.com accesses the twitters &
Real World Demo -> brizzly.com accesses the twitters &
Real World Demo -> brizzly.com accesses the twitters &
Real World Demo -> brizzly.com accesses the twitters &
"D)*C(&
• !"#$%&C/0H)/<&• 8,/))*<%-$&C)3-&
• !"#$%&%0<$-/E&• !"#$%&U&• !"#$%&0*&,-*$)P$&• o)E&#<)&,(<)<&• !"#$%&<),#/0$E&3-C)A&
• "AA&$%)&@)AA<&.&4%0<$A)<&4(A5&$%/-#D%&
A [confusing] Little History&• First was the Emergence of Proprietary Solutions
– Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, AWS API, and more
• OAuth Core 1.0 [Oct 2007] – Open protocol to standardize what was already being
done • OAuth Core 1.0 Revision A [June 2009]
– Addresses a session fixation attack • The OAuth 1.0 Protocol / RFC 5849 [April 2010]
– Move to the IETF as informational documentation of 1.0a with editorial clarifications and errata
!"#$%&903)A0*)&
>-33#*0$E&
;79V&
N6":&
UZkZ& UZkk&UZZs&UZZt&UZZu&
!"#$%&kIZ&
!"#$%&kIZ(&
!"#$%&UIZ&
;*2-&6V>&XtRs&
&
vN9&
B-/)&b0<$-/EK&8+AA&>-*2#<0*D&
• !"#$%&N6":&`N)@&6)<-#/,)&"#$%-/01(+-*&
:/-hA)<a [v(*&UZkZ] – Better Support for non-web applications – Simplify the Client – Short lived, opaque, bearer access tokens with
long lived refresh tokens – Cleaner separation of roles
• Server handling authorization requests • Server handling protected resource access • Client
– Simple Web Token (SWT) • Attempt to standardize an access token format
• Oauth 2.0 [in progress]
=#$&%)&)P?A(0*)C&$%($&%)&%(C&2-/D-])*&0$&($&%-3)I&
"*C&(*E4(E<K&dH-**)&($&$%)&<(A-*&$-AC&3)&$%($&
!"#$%&N6":&C-)<*f$&)H)*&/)L#0/)&,A0)*$&
<0D*($#/)<&<-&;&C-*G$&5*-4&4%E&E-#&(/)&@)0*D&<-&
w#CD)3)*$(A&p&&
b-*)<$AE&8(AAEll&;&,(*G$&@)A0)H)&E-#&2)AA&2-/&
$%)&G;&C-*f$&%(H)&3E&$-5)*x<),/)$&40$%&3)G&
A0*)ll&>A0)*$<&%(H)&@))*&$)AA0*D&#<&68<&$%($&
-*)&2-/&E)(/<ll&
"D)*C(&
• !"#$%&C/0H)/<&• 8,/))*<%-$&C)3-&
• !"#$%&%0<$-/E&• !"#$%&U&• !"#$%&0*&,-*$)P$&• o)E&#<)&,(<)<&• !"#$%&<),#/0$E&3-C)A&
• "AA&$%)&@)AA<&.&4%0<$A)<&4(A5&$%/-#D%&
OAuth 2.0 • >-*,)?$#(AAE&<030A(/&$-&N6":&
• N0$%&@#0A$&0*&)P$)*<0@0A0$E&
• >A)(/&<)?(/(+-*&-2&D)y*D&(&$-5)*&(*C&#<0*D&(&$-5)*&
– 7(/AE&C/(i<&%(C&(*&-?+-*&2-/&$-5)*&<0D*($#/)<&@#$&$%($&4(<&C/-??)C&
– z!"#$%&UIZ&0<&=(C&2-/&$%)&N)@{&'&<?),&(#$%-/_)C0$-/&
– =)(/)/&$-5)*<&– 6)$#/*&-2&$%)&B">&
• "??/-(,%0*D&h*(A&<$(*C(/C01(+-*&0*&;79V&– 6)(AAEg&&– >#//)*$AE&($&C/(i&Okt&&
• "??A0,(@A)&$-&3(*E&-$%)/&<,)*(/0-<&'&)H)*&$%-<)&40$%&*-&#<)/<&
• W-$(@A)&2-/&0$<&-?+301(+-*<&2-/&3-@0A)&
– !%&E)(%g&
!"#$%&UIZ&9)/30*-A-DE^&6-A)<&
• !"#$%!&"'$()"!^&(*&)*+$E&`#<#(AAE&(*&)*CO#<)/_?)/<-*a
,(?(@A)&-2&D/(*+*D&(,,)<<&$-&(&
?/-$),$)C&/)<-#/,)&I&
• &*+"),^&(*&(??A0,(+-*&-@$(0*0*D&(#$%-/01(+-*&(*C&3(50*D&
?/-$),$)C&/)<-#/,)&/)L#)<$<&
`-*&@)%(A2&-2&$%)&/)<-#/,)&
-4*)/aI&&
• !"#$%!&"'#"!-"!'`./a^&$%)&<)/H)/&%-<+*D&?/-$),$)C&
/)<-#/,)<&
• 0%,1$!+203$)'#"!-"!'`4/a^&(&<)/H)/&,(?(@A)&-2&0<<#0*D&
$-5)*<K&-@$(0*0*D&
(#$%-/01(+-*K&(*C&
(#$%)*+,(+*D&/)<-#/,)&
-4*)/<I&
B-/)&9)/30*-A-DE^&9-5)*<&
• ",,)<<&9-5)*&– ,/)C)*+(A&#<)C&@E&,A0)*$&$-&(,,)<<&?/-$),$)C&/)<-#/,)<&($&$%)&68&– ?)/30<<0-*<&(e-/C)C&@E&$%)&$-5)*&,(*&@)&<,-?)C&
– 0<<#)C&@E&$%)&"8&&– <$/#,$#/)&0<&#*C)h*)C&@E&$%)&<?),`<a&– #<#(AAE&-?(L#)&$-&$%)&,A0)*$&– D)*)/(AAE&<%-/$&A0H)C&– ,(*&@)&<)A2&,-*$(0*)C&-/&(&/)2)/)*,)&– <%0i<&,-3?A)P0$E&2/-3&$%)&68&$-&$%)&"8&
• 6)2/)<%&9-5)*&– #<)C&@E&,A0)*$&$-&-@$(0*&(&*)4&(,,)<<&$-5)*&4%)*&$%)&-AC&-*)&)P?0/)<&
– ,A0)*$&-*AE&<)*C<&$-&"8K&*)H)/&$-&68&– D)*)/(AAE&A-*D&A0H)C&&
",,)<<&9-5)*&9E?)<&
• ",,)<<&$-5)*<&,(*&%(H)&C0e)/)*$&– 2-/3($<&
– <$/#,$#/)<&– 3)$%-C<&-2&#+A01(+-*&`)IDI&,/E?$-D/(?%0,&?/-?)/+)<a&
• ",,)<<&$-5)*<&3#<$&@)&C)h*)C&@E&,-3?(*0-*&
<?),0h,(+-*<&
– $-5)*x$E?)&&– (CC0+-*(A&?(/(3)$)/<&(<&*))C)C&
– %-4&$-&#<)&($&68&
=)(/)/&",,)<<&9-5)*<&
• "*E&?(/$E&0*&?-<<)<<0-*&-2&$%)&$-5)*&`(&z@)(/)/za&,(*&#<)&$%)&$-5)*&0*&(*E&4(E&$%($&
(*E&-$%)/&?(/$E&0*&?-<<)<<0-*&-2&0$&,(*I&
• $-5)*x$E?)^&=)(/)/&&• 9-5)*&,(*&@)&?/)<)*$)C&$-&$%)&68&0*&b99:&"#$%-/01(+-*&b)(C)/K&&=-CE&:(/(3)$)/K&-/&
|#)/E&:(/(3)$)/&
• 6)L#0/)<&9F8&• 9-5)*&<$/#,$#/)&<+AA&#*C)h*)C&
B">&",,)<<&9-5)*<&
• "I5I(I&:/--2&-2&?-<<)<<0-*&$-5)*K&?/--2&$-5)*K&b-o&$-5)*&• J)h*)<&(*&b99:&B">&(,,)<<&(#$%)*+,(+-*&<,%)3)&`5)E&0CK&
B">&5)E&.&(AD-/0$%3K&(*C&0<<#)&+3)a&
– ;C&0<&<)*$&40$%&/)L#)<$&&– o)E&0<&<%(/)C&<E33)$/0,&<),/)$&@)$4))*&$%)&,A0)*$&(*C&$%)&<)/H)/&
#<)C&$-&r<0D*f&/)L#)<$<&`$%)/)@E&?/-H0*D&?-<<)<<0-*&-2&$%)&<),/)$a&
• !"#$%&UIZ&@0*C0*D&2-/&#<)&(<&(*&(,,)<<O$-5)*&$E?)&&– $-5)*x$E?)^&3(,&
– o)E&0C&0<&$%)&(,,)<<x$-5)*&• V-/3($&.&<$/#,$#/)&0<&<+AA&#*C)h*)C&
– 3(,x5)E&.&3(,x(AD-/0$%3&(<&(CC0+-*(A&?(/(3)$)/<&
• :/-$),$<&(D(0*<$&$-5)*&A)(5(D)&• o0*C(&<+AA&*))C<&9F8&0*&<-3)&,(<)<&
B-/)&9)/30*-A-DE^&7*C?-0*$<&
• "8&7*C?-0*$<&– 4%,1$!+203$)'")56$+),&
• #<)CK&H0(&#<)/O(D)*$&/)C0/),+-*K&$-&(#$%)*+,($)&(*C&-@$(0*&(#$%-/01(+-*&2/-3&$%)&/)<-#/,)&-4*)/I&&
• 7*C&#<)/&-*&$%)&2/-*$&,%(**)AI&– 7$8")'")56$+),'
• c<)C&$-&)P,%(*D)&(*&(#$%-/01(+-*&D/(*$&2-/&(*&(,,)<<&$-5)*I&• >A0)*$&-*&$%)&@(,5&,%(**)AI&
• >A0)*$&7*C?-0*$&– ."5+!"&3$)'9.:'
• "i)/&,-3?A)+*D&0$<&0*$)/(,+-*&40$%&$%)&/)<-#/,)&-4*)/K&$%)&"8&
C0/),$<&$%)&/)<-#/,)&-4*)/G<&#<)/O(D)*$&@(,5&$-&$%)&,A0)*$&($&$%)&
,A0)*$f<&/)C0/),+-*&c6;I&
• V/-*$&,%(**)A&,(AA@(,5&&
9)/30*-A-DE^&"#$%-/01(+-*&S/(*$&
• S)*)/(A&$)/3&#<)C&$-&C)<,/0@)&$%)&0*$)/3)C0($)&
,/)C)*+(A<&/)?/)<)*+*D&$%)&/)<-#/,)&-4*)/&
(#$%-/01(+-*&
• 8)/H)<&(<&(*&(@<$/(,+-*&A(E)/&– *-$&$%)&,A)(*)<$&(@<$/(,+-*&
• c<)C&@E&$%)&,A0)*$&$-&-@$(0*&(*&(,,)<<&$-5)*&• "AA&$-5)*&)*C?-0*$&,(AA<&0*H-AH)&)P,%(*D0*D&<-3)&
D/(*$&2-/&(*&(,,)<<&$-5)*&
• 8?),&C)h*)<&<)H)/(A&$E?)<&(<&4)AA&(<&(*&)P$)*<0@0A0$E&3),%(*0<3&
9)/30*-A-DE^&8,-?)&
• 9%)&C)h*0+-*&-2&<,-?)&0<&`3-<$AEa&-#$&-2&<,-?)&
– 8))&4%($&;&C0C&$%)/)g&– 9%)&<,-?)&-2&$%)&(,,)<<&/)L#)<$&0<&)P?/)<<)C&(<&(&A0<$&-2&<?(,)OC)A030$)CK&,(<)&<)*<0+H)&<$/0*D<I&
– !/C)/&C-)<*f$&3(])/I&
– 9%)&H(A#)&(*C&3)(*0*D&-2&<,-?)&<$/0*D<&(/)&C)h*)C&@E&$%)&
(#$%-/01(+-*&<)/H)/I&
• 6)L#)<+*D_D/(*+*D&<?),0h,&<,-?)`<a&(AA-4<&$%)&(,,)<<&/0D%$<&(<<-,0($)C&40$%&(&$-5)*&$-&@)&A030$)C&
– 7*(@A)<&$%)&?/0*,0?A)&-2&A)(<$&?/0H0A)D)&`-/&A)<<&?/0H0A)D)&(*E4(Ea&
– !*AE&(<5&2-/&4%($&0<&*))C)C&
"@<$/(,$&VA-4&
• >A0)*$&-@$(0*<&(#$%-/01(+-*&D/(*$&2/-3&/)<-#/,)&
-4*)/n&
• >A0)*$&,(AA<&$%)&(#$%-/01(+-*&<)/H)/&$-&)P,%(*D)&$%)&D/(*$&2-/&(*&(,,)<<&$-5)*nn&
• >A0)*$&#<)<&$%)&(,,)<<&$-5)*&$-&(,,)<<&?/-$),$)C&/),-#/<)<&($&$%)&/)<-#/,)&<)/H)/nnn&
n<-3)+3)<&
nn#<#(AAE&
nnn?/-@(@AE&
"#$%-/01(+-*&S/(*$&9E?)<&
• (#$%-/01(+-*&,-C)&• 03?A0,0$n&
• /)<-#/,)&-4*)/&?(<<4-/C&,/)C)*+(A<&• ,A0)*$&,/)C)*+(A<&• /)2/)<%&$-5)*&• 7P$)*<0-*<&
n&-*)&-2&$%)<)&$%0*D<&0<&*-$&A05)&$%)&-$%)/<p&
S/(*$&9E?)^&"#$%-/01(+-*&>-C)&
• >A0)*$&<)*C<&/)<-#/,)&-4*)/K&H0(&@/-4<)/K&$-&$%)&(#$%-/01(+-*&)*C?-0*$&($&$%)&"8&&
– 7*CO#<)/&(#$%)*+,($)<&– 7*CO#<)/&(??/-H)<&/)L#)<$)C&(,,)<<&
• "8&<)*C<&$%)&)*CO#<)/&$-&$%)&,A0)*$f<&/)C0/),$&c6;&(*C&0*,A#C)<&$%)&,-C)&(<&(&L#)/E&?(/(3)$)/&
• >A0)*$&/),)0H)<&$%)&/)C0/),+-*&,(AA@(,5K&)P$/(,$<&$%)&,-C)K&(*C&<)*C<&0$&$-&$%)&"8&0*&)P,%(*D)&2-/&(*&(,,)<<&$-5)*&(*C&
?/-@(@AE&(&/)2/)<%&$-5)*&
• S/)($&2-/&4)@&(??&,A0)*$<&– >A0)*$&(#$%)*+,(+-*&– 7(<E&$-&%(*CA)&$%)&/)C0/),$&
• !5(E&2-/&3-@0A)&,A0)*$<&
– N0$%-#$&,A0)*$&(#$%)*+,(+-*&
– W))C&$/0,5<&$-&%(*CA)&$%)&/)C0/),$&
S)y*D&(*&"#$%-/01(+-*&>-C)&
S79&_(<_(#$%-/01(+-*I-(#$%Ug,A0)*$x0C}(,A0)*$.&
&/)C0/),$x#/0}%]?<mY"__,A0)*$I)P(3?A)I,-3_,@.&
&&&&&&&&&/)<?-*<)x$E?)},-C).<,-?)}@))/T%-,5)ETC-*#$<&b99:_kIk&&
b-<$^&<)/H)/I)P(3?A)I,-3&&
b99:_kIk&YZU&V-#*C&
F-,(+-*^&%]?<^__,A0)*$I)P(3?A)I,-3_,@g,-C)}S),B7C0P8o6v!tP2?>qbDsVDUb1)&
4%,1$!+203$)'.";%"#,'
4%,1$!+203$)'."#6$)#"'
/%6"!<%$%#'=0)050'>0#1+)?@'A+!#,''$B'C0)D'
7P,%(*D)&"#$%-/01(+-*&>-C)&2-/&",,)<<&9-5)*&
:!89&_(<_$-5)*I-(#$%U&b99:_kIk&
b-<$^&(<I)P(3?A)I,-3&
>-*$)*$O9E?)^&(??A0,(+-*_PO444O2-/3O#/A)*,-C)C~,%(/<)$}c9VOt&
&
,A0)*$x0C}(,A0)*$.,A0)*$x<),/)$}%-<)/./)C0/),$x#/0}%]?<mY"__,A0)*$I)P(3?A)I,-3_
,@.D/(*$x$E?)}(#$%-/01(+-*x,-C).,-C)}S),B7C0P8o6v!tP2?>qbDsVDUb1)&
b99:_kIk&UZZ&!o&
>(,%)O>-*$/-A^&*-O<$-/)&
:/(D3(^&*-O,(,%)&
>-*$)*$O9E?)^&(??A0,(+-*_w<-*~&,%(/<)$}c9VOt&
&&
�&
&z$-5)*x$E?)z^z=)(/)/zK&
&z(,,)<<x$-5)*z^z(ZÄ#1JYW2J<w><9cÅ=XF3q<uN:|kPZuJ>b6{K&&
&z)P?0/)<x0*z^YÇZZK
&z/)2/)<%x$-5)*z^z389=?L|,8567>W2J,A26Jw67*3L)NÄ(?ZJ<)BÇ(q50P;q{&
É&
4&&"##'7$8")'.";%"#,'
4&&"##'7$8")'."#6$)#"'
=/0)2&;*$)/A#C)^&c<0*D&$%)&",,)<<&9-5)*&
S79&_C-#@A)_<),/)$_?/-@(+-*_/)<-#/,)&b99:_kIk&&
b-<$^&/<I)P(3?A)I,-3&&
"#$%-/01(+-*^&=)(/)/&(ZÄ#1JYW2J<w><9cÅ=XF3q<uN:|kPZuJ>b6&
E!$,"&,"5'."#$%!&"'.";%"#,'(+,1'0'F"0!"!'7$8")'
G4='7$8")'0'F+,'G$!"'=$C6*+&0,"5'
&
&&&&&:!89&_$(5)_-e_)%&b99:_kIk&
&&&&&b-<$^&/<I)P(3?A)I,-3&
&&&&&>-*$)*$O9E?)^&(??A0,(+-*_PO444O2-/3O#/A)*,-C)C&
&&&&&"#$%-/01(+-*^&B">&0C}zwCsYC%sC%YsJzK&
&&&&&&&&&&&&&&&&&&&&&&&&*-*,)}zUuYkXÇ^C0Y%HC2tzK&
&&&&&&&&&&&&&&&&&&&&&&&&@-CE%(<%}z5s5@$>;EZ>5;Y_V72?8_-;Jw5Ç5}zK&
&&&&&&&&&&&&&&&&&&&&&&&&3(,}zNu@CBÅ@HscN!9(C"8;|b(DÅE0/"}z&
S/(*$&9E?)^&;3?A0,0$&
• 8030A(/&$-&$%)&(#$%-/01(+-*&,-C)&Q-4&)P,)?$p&&
• "i)/&/)<-#/,)&-4*)/&(#$%)*+,(+-*&(*C&(#$%-/01(+-*K&$%)&"8&<)*C<&$%)&)*CO#<)/&$-&$%)&
,A0)*$f<&/)C0/),$&c6;&(*C&0*,A#C)<&$%)&(,,)<<&
$-5)*&-*&2/(D3)*$&&
• W-&$-5)*&)*C?-0*$&,(AA&<-&*-$&n/)(AAEn&(&D/(*$&$E?)&
• !?+301)C&2-/&r40CD)$f&,A0)*$<&-/&0*O@/-4<)/&
v(H(8,/0?$&(??A0,(+-*<&
• >-#AC&(A<-&4-/5&2-/&*(+H)_3-@0A)&,A0)*$<&
S)y*D&(&9-5)*&40$%&;3?A0,0$&
S79&_(<_(#$%-/01(+-*I-(#$%Ug,A0)*$x0C}(,A0)*$.&
&/)C0/),$x#/0}%]?<mY"__,A0)*$I)P(3?A)I,-3_,@./)<?-*<)x$E?)}$-5)*&b99:_kIk&&
b-<$^&<)/H)/I)P(3?A)I,-3&&
b99:_kIk&YZU&V-#*C&
F-,(+-*^&%]?<^__,A0)*$I)P(3?A)I,-3_,@M)P?0/)<x0*}YÇZZ &
&.$-5)*x$E?)}=)(/)/.(,,)<<x$-5)*}D=w""2u;-ZV;24Å(qJ96|DZCuS94"!FuSÇ)&
4%,1$!+203$)'.";%"#,'
4%,1$!+203$)'."#6$)#"'
S79&_C-#@A)_<),/)$_?/-@(+-*_/)<-#/,)&b99:_kIk&&
b-<$^&/<I)P(3?A)I,-3&&
"#$%-/01(+-*^&=)(/)/&D=w""2u;-ZV;24Å(qJ96|DZCuS94"!FuSÇ)&
E!$,"&,"5'."#$%!&"'.";%"#,'
S/(*$&9E?)^&&
6)<-#/,)&!4*)/&:(<<4-/C&>/)C)*+(A<&
• >A0)*$&-@$(0*<&/)<-#/,)&-4*)/f<&#<)/*(3)&(*C&
?(<<4-/C&C0/),$AE&2/-3&$%)&/)<-#/,)&-4*)/&(*C&
<)*C<&$%)3&C0/),$AE&$-&$%)&"8&(<&(&D/(*$I&
• 6)L#0/)<&$/#<$&0*&$%)&,A0)*$I&• 6)2/)<%&$-5)*&)A030*($)<&$%)&*))C&2-/&$%)&,A0)*$&$-&
<$-/)&$%)&?(<<4-/CI&
• ;*$)*C)C&(<&(&30D/(+-*&3),%(*0<3&&
7P,%(*D)&6!&>/)C<&2-/&",,)<<&9-5)*&
:!89&_(<_$-5)*I-(#$%U&b99:_kIk&
b-<$^&(<I)P(3?A)I,-3&
"#$%-/01(+-*^&=(<0,&,Us$ÅNW<(NÄ#CJ?=@NÄE(NW%vYW;dq|}&
>-*$)*$O9E?)^&(??A0,(+-*_PO444O2-/3O#/A)*,-C)C~,%(/<)$}c9VOt&
&
,A0)*$x0C}<-3),A0)*$.D/(*$x$E?)}?(<<4-/C.#<)/*(3)}3(C<)*.?(<<4-/C}#<)A)<<$(P-*-3E&
b99:_kIk&UZZ&!o&
>(,%)O>-*$/-A^&*-O<$-/)&
:/(D3(^&*-O,(,%)&
>-*$)*$O9E?)^&(??A0,(+-*_w<-*~&,%(/<)$}c9VOt&
&&
�&
&z$-5)*x$E?)z^z=)(/)/zK&
&z(,,)<<x$-5)*z^z(ZÄ#1JYW2J<w><9cÅ=XF3q<uN:|kPZuJ>b6{K&&
&z)P?0/)<x0*z^YÇZZK
&z/)2/)<%x$-5)*z^z389=?L|,8567>W2J,A26Jw67*3L)NÄ(?ZJ<)BÇ(q50P;q{&
É&
4&&"##'7$8")'.";%"#,'
4&&"##'7$8")'."#6$)#"'/%6"!<%$%#'=0)05+0)'>0#1+)?@'
S/(*$&9E?)^&>A0)*$&>/)C)*+(A<&
• >A0)*$&,(*&/)L#)<$&(*&(,,)<<&$-5)*&#<0*D&-*AE&0$<&-4*&,/)C)*+(A<&
• V-/&/)<-#/,)<&#*C)/&$%)&,A0)*$f<&,-*$/-A&-/&-$%)/&/)<-#/,)<&(<&?-A0,E&C0,$($)<&
• Bc89&-*AE&@)&#<)C&@E&Ñ?/0H($){&,A0)*$<&`,A0)*$<&$%($&,(*&
(#$%)*+,($)&<),#/)AEa&
• W-&/)2/)<%&$-5)*&• >A0)*$&"#$%)*+,(+-*&B),%(*0<3<&
– ,A0)*$x0C&.&,A0)*$x<),/)$&?(/(3)$)/<&&
– b99:&=(<0,&– Ñ9%)&(#$%-/01(+-*&<)/H)/&B"d&<#??-/$&(*E&<#0$(@A)&b99:&
(#$%)*+,(+-*&<,%)3)&3($,%0*D&0$<&<),#/0$E&/)L#0/)3)*$<{&
– B#$#(A&9F8&
– ,A0)*$x(<<)/+-*&.&,A0)*$x(<<)/+-*x$E?)&?(/(3)$)/<&
S/(*$&9E?)^&6)2/)<%&9-5)*&
• ;2&(&/)2/)<%&$-5)*&4(<&0<<#)C&$-&$%)&,A0)*$&C#/0*D&$%)&)P,%(*D)&-2&(&?/0-/&D/(*$K&0$&,(*&@)&#<)C&(<&(*&
(#$%-/01(+-*&D/(*$&$-&D)$&(&*)4&(,,)<<&$-5)*&
– c*A)<<&/)H-5)C&-/&-$%)/40<)&0*H(A0C&• 6)2/)<%&(*&)P?0/)C&(,,)<<&$-5)*&40$%-#$&0*H-AH0*D&#<)/&(#$%-/01(+-*&
• 9%)&"8&3(E&0<<#)&(&*)4&/)2/)<%&$-5)*&
– S--C&<),#/0$E&%ED0)*)&
6)2/)<%0*D&(*&",,)<<&9-5)*&
:!89&_(<_$-5)*I-(#$%U&b99:_kIk&
b-<$^&(<I)P(3?A)I,-3&
"#$%-/01(+-*^&=(<0,&,Us$ÅNW<(NÄ#CJ?=@NÄE(NW%vYW;dq|}&
>-*$)*$O9E?)^&(??A0,(+-*_PO444O2-/3O#/A)*,-C)C~,%(/<)$}c9VOt&
&
,A0)*$x0C}<-3),A0)*$.D/(*$x$E?)}/)2/)<%x$-5)*./)2/)<%x$-5)*}389=?L|,8567>W2J,A26Jw
67*3L)NÄ(?ZJ<)BÇ(q50P;q&
b99:_kIk&UZZ&!o&
>(,%)O>-*$/-A^&*-O<$-/)&
:/(D3(^&*-O,(,%)&
>-*$)*$O9E?)^&(??A0,(+-*_w<-*~&,%(/<)$}c9VOt&
&&
�&
&z$-5)*x$E?)z^z=)(/)/zK&
&z(,,)<<x$-5)*z^zBCL=#)PqdAB8-D@/"40::Ru)SPSLÅ(w#vW({K&&
&z)P?0/)<x0*z^YÇZZK
&z/)2/)<%x$-5)*z^z%AE7!!s:qD3H:0d;tDÇto87<Ub|%D/50c|S<,sqP<5C{&
É&
4&&"##'7$8")'.";%"#,'
4&&"##'7$8")'."#6$)#"'
7P$)*<0-*&S/(*$&9E?)<&
• 7P$)*<0-*&(#$%-/01(+-*&D/(*$&$E?)<&,(*&@)&C)h*)C&@E&(<<0D*0*D&$%)3&(&#*0L#)&(@<-A#$)&c6;&
2-/&#<)&40$%&$%)&zD/(*$x$E?)z&?(/(3)$)/I&
• 7P$)*<0-*<&,(*&C)h*)&(CC0+-*(A&?(/(3)$)/<&
*))C)CI&
• 7*(@A)<&@/0CD0*D&@)$4))*&!"#$%&(*C&-$%)/&?/-$-,-A<I&
– 8"BF&UIZ&
– vN9&kIZ&
• 7*(@A)<&-$%)/&<$#e&$--&– =)(/)/&(,,)<<&$-5)*&H(A0C(+-*&– 898&<$EA)&$-5)*&)P,%(*D)&
:(/+(A&8?),0h,(+-*&F(*C<,(?)&
9%)&!"#$%&UIZ&"#$%-/01(+-*&:/-$-,-A&
C/(iO0)ÖO-(#$%OHU&
9%)&!"#$%&UIZ&:/-$-,-A^&=)(/)/&9-5)*<&
C/(iO0)ÖO-(#$%OHUO@)(/)/&
b99:&"#$%)*+,(+-*^&B">&",,)<<&"#$%)*+,(+-*&
C/(iO0)ÖO-(#$%OHUO%]?O3(,&
8"BF&UIZ&=)(/)/&"<<)/+-*&S/(*$&&
9E?)&:/-hA)&2-/&!"#$%&UIZ&
C/(iO0)ÖO-(#$%O<(3AUO@)(/)/&
!"#$%&UIZ&"<<)/+-*&:/-hA)&&&&&&&&&&&&&&&&&&&&&&
C/(iO0)ÖO-(#$%O(<<)/+-*<&
v8!W&N)@&9-5)*&`vN9a&=)(/)/&
:/-hA)&2-/&!"#$%&UIZ&
&C/(iOw-*)<O-(#$%Ow4$O@)(/)/&
v8!W&N)@&9-5)*&`vN9a&&
C/(iOw-*)<Ow<-*O4)@O$-5)*&
"<<)/+-*<&(*C&:/-$-,-A<&2-/&8"BF&ÄUIZ&
<(3AO,-/)OUIZO-<&
9#+)?'0'7$8")'H"I)?'0'7$8")'
7P$)*<0-*&S/(*$<&&
.&
&>A0)*$&"#$%)*+,(+-*&
7$8")#'
v8!W&N)@&80D*($#/)&`vN8a&
C/(iOw-*)<Ow<-*O4)@O<0D*($#/)&
v8!W&N)@&80D*($#/)&`vN7a&
C/(iOw-*)<Ow<-*O4)@O)*,/E?+-*&
JKLMN'
O,1"!'E!$,$&$*#'c<)/OB(*(D)C&",,)<<&`cB"a&
>-/)&:/-$-,-A&
C/(iO%(/Cw-*-O-(#$%O#3(,-/)&!?)*;J&>-**),$&>-/)&kIZ&
"D)*C(&
• !"#$%&C/0H)/<&• 8,/))*<%-$&C)3-&
• !"#$%&%0<$-/E&• !"#$%&U&• !"#$%&0*&,-*$)P$&• o)E&#<)&,(<)<&• !"#$%&<),#/0$E&3-C)A&
• "AA&$%)&@)AA<&.&4%0<$A)<&4(A5&$%/-#D%&
>-*$/(<$&.&>-3?-<)&
d";Ä&`d)$&"*-$%)/&;C)*+$E&Ä)**a&
8"BF&
!"#$%&
q">BF&
• :-A0,E&<E*$(P&
• "#$%1&|#)/En&
• "#$%*&2-/&8!":&":;<&• 9-5)*&2-/3($&
• 88!&?/-hA)&• ;>"B&
• >A-#C&"#$%1&
• "#$%1&C),0<0-*<&
• "#$%*&2-/&6789&":;<&• "]/0@#$)&<%(/0*D&&
!"#$%&/)A(+-*<%0?&$-&!?)*;J&
• ;*&-*)&<)*<)K&!"#$%&.&!?)*;J&(/)&-/$%-D-*(AK&0)&!?)*;J&,-#AC&@)&#<)C&$-&(#$%)*+,($)&#<)/&
($&"8&2-/&-@$(0*0*D&,-*<)*$&
• =#$&$%)&<030A(/0+)<&@)$4))*&!?)*;J&UIZ&(*C&
$%)&!"#$%&UIZ&(,,)<<&$-5)*&/)$/0)H(A&?0),)&
%(H)&3-+H($)C&?/-?-<(A<&2-/&@(<0*D&*)P$&
H)/<0-*&-2&!?)*;J&r-*&$-?&-2f&!"#$%&'&!?)*;J&
>-**),$&
:/-@A)3<&40$%&!?)*;J&UIZ&
• F-*D&c6F&A030$(+-*<&
– B(*E&3-@0A)&@/-4<)/&(*C&<-3)&:>&@/-4<)/<&,%-5)&($&
A-*D&c6F<&,(#<)C&@E&"qK&:":7K&(*C&-$%)/&)P$)*<0-*<I&
• F!"&,)0A0*D&– ,(**-$&(](0*&F!"U&@),(#<)&-2&(<<)/+-*&C0<,A-<#/)&($&@/-4<)/&
• ;3?A)3)*$(+-*&,-3?A)P0$E&
– J0[)Ob)A3(*&5)E&)P,%(*D)K&>(*-*0,(A01(+-*&(*C&
80D*($#/)&%(/C&$-&03?A)3)*$&
• J($(&8%(/0*D&F030$(+-*<&
– !*AE&?(0/O40<)&C($(&<%(/0*D&@)$4))*&$%)&!:&(*C&6:&0<&?-<<0@A)I&
!?)*;J&>-**),$&
• J)<0D*)C&$-&(CC/)<<&?/)H0-#<AE&<$($)C&A030$(+-*<&-2&!?)*;J&UIZ&
• 6)Q),$<&(&%(/3-*01(+-*&-2&3#A+?A)&
,-3?)+*D&H0<0-*<&2-/&)H-A#+-*&-2&!?)*;J&UIZ&
• "CC<&(&$%0*&G0C)*+$E&A(E)/G&-*$-&!"#$%&UIZ&• J)<0D*)C&$-&<#??-/$&%0D%)/&F!"&
!?)*;J&>-**),$&V(30AE&$/))&
V(,)=--5&>-**),$&
vN9&
Z&
!?)*;J&>-**),$&/)A(+-*&$-&!"#$%&
• N%)/)(<&!"#$%&0<&(&D)*)/(A&3),%(*0<3&$-&
(#$%-/01)&":;&(,,)<<K&!?)*;J&>-**),$&?/-hA)<&
$%)&D)*)/0,&2-/&?#/?-<)<&-2&<%(/0*D&?/-hA)&
0*2-/3(+-*&
• c<)<&$%)&(#$%1&,-C)&.&03?A0,0$&D/(*$&$E?)<&'&$%)&
?0),)<&-2&!"#$%&-?+301)C&2-/&#<)/O,-*<)*$&
<,)*(/0-<&
• F)H)/(D)<&$%)&(#$%-/01(+-*&.&$-5)*&)*C?-0*$<&.&(CC<&0C)*+$EO@(<)C&?(/(3<&$-&,-/)&!"#$%&
3)<<(D)<&
&
8"BF&.&!"#$%&
8"BF&!"#$%&
!"#$%&8"BF&
8"BF& !"#$%&
GbE@/0CG&'&,(//E&!"#$%&$-5)*&
0*&8"BF&88!&3)<<(D)<&
G"<<)/+-*&?/-hA)G&#<)&
8"BF&(<<)/+-*<&40$%0*&&
!"#$%&Q-4&
G8)L#)*,0*DG&'&#<)&8"BF&88!&
$-&(#$%)*+,($)&#<)/&$-&"8&
8)/H0,)&?/-H0C)/&
8)L#)*,0*D&
J)H0,)&
=/-4<)/&
"??A0,(+-*&
9-5)*&
v8!W_qBF&
;C)*+$E&?/-H0C)/&
9-5)*&
:4C&
8"BF&
&
!"#$%&
"??A0,(+-*&
9/(C0*D&
Use SAML assertion( or JWT) for OAuth client authentication and/or OAuth grant type :!89&_$-5)*&b99:_kIk&
b-<$^&<)/H)/I)P(3?A)I,-3&
>-*$)*$O9E?)^&(??A0,(+-*_PO444O2-/3O#/A)*,-C)C&
&
D/(*$x$E?)}(#$%-/01(+-*x,-C).&,-C)}0kN<6*k#=k.&,A0)*$x0C}<Ç=%C65L$Y.&
,A0)*$x(<<)/+-*x$E?)}#/*mY"-(<0<mY"*(3)<m<"$,mY"8"BF
mY"UIZmY"(<<)/+-*.&,A0)*$x(<<)/+-*}:bW%@NP4!AIIIÜ-30])C&2-/&
@/)H0$EáIIIÅ9&
&
&
&
& &
&
9/(C0*D&
!"#$%&
"<<)/+-*&?/-hA)&
8"BF& vN9&
>-/)&?/-$-,-A&
b-4&$-&#<)&(<<)/+-*<&&
2-/&,A0)*$&(#$%)*+,(+-*&&
(*C&(<&(&D/(*$&$E?)&Üká&&
:/-hA)<&(<<)/+-*&?/-hA)&
V-/&<?),0h,&(<<)/+-*&
V-/3($<&ÜUá&.&ÜYá&
Üká&O&%]?^__$--A<I0)ÖI-/D_%$3A_C/(iO0)ÖO-(#$%O(<<)/+-*<&
ÜUá&O&C/(iO0)ÖO-(#$%O<(3AUO@)(/)/&
ÜYáO&C/(iO0)ÖO-(#$%Ow4$O@)(/)/&
&
&
!"#$%&/)A(+-*<%0?&$-&q">BF&
9%-#D%&@-$%&2-,#<)C&-*&
r(#$%-/01(+-*fK&!"#$%&.&
q">BF&(/)&*0,)AE&
,-3?-<)(@A)&
!"#$%&0<&(#$%-/01(+-*g&
• J)?)*C<&-*&4%($&?(/$&-2&$%)&(#$%1&)A)?%(*$&E-#&(/)&
A--50*D&($&
– :-A0,E&`q">BFa&
– |#)/E&`q">BF_8"BF&?/-hA)a&
– >A(03<&`8"BF&.&N8OV)C&88!a&
– c<)/&,-*<)*$&`!"#$%a&– :)/30<<0-*<&`!"#$%a&
F%,'+B'D$%!'%#"'&0#"#'5$)P,'+)-$*-"'%#"!Q&$)#"),R',1")'O4%,1'#,0!,#',$'*$$8'C$!"'*+8"'0%,1")3&03$)'
&
cB"&.&!"#$%&
• User Managed Access extends OAuth 2.0 to allow for a user to manage access to multiple (and distributed) resources through centralized Authorization Manager
• Leverages separation between AS & RS introduced by WRAP
& O4%,1' 9G4'
9%)&/)<-#/,)&<)/H)/&/)<?),$<&(,,)<<&$-5)*<&
2/-3&Ñ0$<{&(#$%-/01(+-*&<)/H)/&
9%)&%-<$&-#$<-#/,)<&(#$%-/01(+-*&w-@<&$-&
(*&(#$%-/01(+-*&3(*(D)/&,%-<)*&@E&$%)&
#<)/&
9%)&(#$%-/01(+-*&<)/H)/&0<<#)<&$-5)*<&
@(<)C&-*&$%)&,A0)*$f<&(@0A0$E&$-&(#$%)*+,($)I&
9%)&(#$%-/01(+-*&3(*(D)/&0<<#)<&$-5)*<&
@(<)C&-*&#<)/&?-A0,E&(*C&Ñ,A(03<{&,-*H)E)C&
@E&$%)&/)L#)<$)/I&
9%)&/)<-#/,)&<)/H)/&H(A0C($)<&$-5)*<&0*&(*&
#*<?),0h)C&3(**)/K&(<<#3)C&A-,(AAE&
9%)&%-<$&,(*&(<5&$%)&(#$%-/01(+-*&3(*(D)/&
$-&H(A0C($)&$-5)*<&0*&/)(A&+3)I&
8$(+,&,A0)*$&/)D0<$/(+-*&<$)?&& B-/)&CE*(30,&3-C)A&
cB"&.&!"#$%&
ST'9#"!'+),!$5%&"#'U$#,',$'4G'
VT'.";%"#,$!'$>,0+)#'',$8")'B!$C'4G',$'%#"''0,'U$#,'
WT'U$#,'-"!+X"#',$8")'0,'4G'
"D)*C(&
• !"#$%&C/0H)/<&• 8,/))*<%-$&C)3-&
• !"#$%&%0<$-/E&• !"#$%&U&• !"#$%&0*&,-*$)P$&• o)E&#<)&,(<)<&• !"#$%&<),#/0$E&3-C)A&
• "AA&$%)&@)AA<&.&4%0<$A)<&4(A5&$%/-#D%&
!"#$%&c<)&,(<)<&
c<)&,(<)&$(P-*-3E&
=*+"),'8)/H)/& B-@0A)&
8(3)&
C-3(0*&
4/Y9#"!'!"*03$)#1+6'
>A-#C&
@#<0*)<<&
B-@0A)&
4-/52-/,)&
;*$)/*(A& B-@0A)&
,-*<#3)/&
J0e)/)*$&
C-3(0*&
J0<+*D#0<%0*D&2)($#/)<&
• W($#/)&-2&$%)&,A0)*$K&0)&3-@0A)&-/&4)@&(??&
• N%)$%)/K&(*C&%-4K&#<)/&(#$%)*+,($)<&$-&"8&
• N%)$%)/K&(*C&%-4K&,A0)*$&(#$%)*+,($)<&$-&"8&
• N%)$%)/K&(*C&%-4K&#<)/&*))C<&$-&D0H)&,-*<)*$&
• 9/#<$&3-C)A&@)$4))*&>A0)*$&.&"8&
• 9/#<$&3-C)A&@)$4))*&68&.&"8&
!"#$%&c<)&>(<)^&B-@0A)&>-*<#3)/&
• "&>-*<#3)/&>A-#C&=#<0*)<<&`)IDI&B(//0-]a&@#0AC0*D&
B-@0A)&"??<&
• :/-H0C)&88!&(,,)<<&H0(&0:(CK&0:%-*)K&"*C/-0CK&)$,&• 9/#<$&/)A(+-*<%0?&0<&@)$4))*&)*$)/?/0<)&.&,-*<#3)/&
B-@0A)&>-*<#3)/^&&8?),0h,<&
ka&B-@0A)&(??A0,(+-*&A(#*,%)<&
@/-4<)/K&0*&4%0,%&#<)/&
(#$%)*+,($)<&$-&:0*DV)C)/($)&
`(*C&D/(*$<&,-*<)*$a&&&
Ua&:0*DV)C)/($)&/)$#/*<&,-C)&$-&
3-@0A)&(??A0,(+-*&$%/-#D%&
@/-4<)/&
Ya&B-@0A)&(??A0,(+-*&)P,%(*D)<&,-C)&
2-/&(,,)<<&$-5)*&
Ra&B-@0A)&(??A0,(+-*&(CC<&(,,)<<&
$-5)*&$-&0$<&6789&/)L#)<$&-2&
6)<-#/,)&8)/H)/&`":;a&
Xa&68&0*$)/(,$<&40$%&:0*DV)C)/($)&$-&
H)/02E&$-5)*K&(*C&/)$/0)H)&C)<0/)C&
(]/0@#$)<&
Ça&"<<#30*D&!oK&68&/)$#/*<&
/)L#)<$)C&C($(&$-&3-@0A)&
(??A0,(+-*&
9-5)*&
7*C?-0*$&
Ä(A0C(+-*&
7*C?-0*$&
"#$%Å&
7*C?-0*$&
68&
S'
V'
W'
Z'
['
\'
B-@0A)&>-*<#3)/<^&;*A0*)&-?+-*&
ka&B-@0A)&(??A0,(+-*&,-AA),$<&#<)/&
?(<<4-/C&(*C&<)*C<&$-&
:0*DV)C)/($)&0*&/)L#)<$&2-/&
(,,)<<&$-5)*a&&&
Ua&:0*DV)C)/($)&/)$#/*<&(,,)<<&$-5)*&
$-&3-@0A)&(??A0,(+-*&
Ya&B-@0A)&(??A0,(+-*&(CC<&(,,)<<&
$-5)*&$-&0$<&6789&/)L#)<$&-2&
6)<-#/,)&8)/H)/&`":;a&
Ra&68&0*$)/(,$<&40$%&:0*DV)C)/($)&$-&
H)/02E&$-5)*K&(*C&/)$/0)H)&
C)<0/)C&(]/0@#$)<&
Xa&"<<#30*D&!oK&68&/)$#/*<&
/)L#)<$)C&C($(&$-&3-@0A)&
(??A0,(+-*&
9-5)*&
7*C?-0*$&
Ä(A0C(+-*&
7*C?-0*$&
"#$%Å&
7*C?-0*$&
68&
W'
['
S'
V'
Z'
J0<,#<<0-*&
• B-@0A)&,A0)*$<&(/)&D)*)/(AAE&*-$&0<<#)C&#*0L#)&,A0)*$&
,/)C)*+(A<&'&/($%)/&(AA&,-?0)<&<%(/)&$%)&<(3)&
– :/-H0C)<&-*AE&,-(/<)&r(#$%)*+,(+-*f&`-/&H(A0C(+-*a&• J0e)/)*$&#<)/&(#$%)*+,(+-*&3),%(*0<3<&%(H)&?/-<_
,-*<&
– =/-4<)/O@(<)C&3),%(*0<3<&3(E&@)&(CH(*$(D)-#<&2/-3&
<),#/0$E&:-ÄI&"A<-&(AA-4<&2-/&h*)OD/(0*)C&,-*<)*$&
?-<<0@0A0+)<I&=/-4<)/&3(E&@)&)3@)CC)C&
– ;*A0*)&3),%(*0<3&3(E&-e)/&#<(@0A0$E&(CH(*$(D)<K&@#$&($&(&
,-<$&
• S/(*#A(/0$E&-H)/&,-*<)*$&• 6)A0(*,)&-*&?(<<4-/C<&
!"#$%&c<)&>(<)^&B-@0A)&>A-#C_8((<&&
• "&>A-#C&=#<0*)<<_8((8&@#0AC0*D&B-@0A)&"??A0,(+-*<&
• 8#??-/$<&4-/52-/,)&(,,)<<&H0(&H0(&0:(CK&0:%-*)K&"*C/-0CK&)$,&$-&>A-#CO%-<$)C&":;<&
• 9/#<$&/)A(+-*<%0?&0<&@)$4))*&$%)&)*$)/?/0<)&(*C&>A-#C&=#<0*)<<_8((8&
B-@0A)&>A-#C&
ka&B-@0A)&(??A0,(+-*&A(#*,%)<&
@/-4<)/&$-&:0*DV)C)/($)&(#$%*&
?(D)&
&Ua&:0*DV)C)/($)&<)*C<&)3?A-E))&
@/-4<)/&$-&)*$)/?/0<)&;C:&2-/&88!K&
/),)0H)<&8"BF&(<<)/+-*&
Ya&:0*DV)C)/($)&/)$#/*<&,-C)&$-&
3-@0A)&(??A0,(+-*&$%/-#D%&
@/-4<)/&
Ra&B-@0A)&(??A0,(+-*&)P,%(*D)<&,-C)&
2-/&(,,)<<&$-5)*&
Xa&B-@0A)&(??A0,(+-*&(CC<&(,,)<<&
$-5)*&$-&0$<&6789&/)L#)<$&-2&
6)<-#/,)&8)/H)/&`":;a&
Ça&68&0*$)/(,$<&40$%&:0*DV)C)/($)&$-&
H)/02E&$-5)*K&(*C&/)$/0)H)&C)<0/)C&
(]/0@#$)<&
ua&"<<#30*D&!oK&68&/)$#/*<&
/)L#)<$)C&C($(&$-&3-@0A)&
(??A0,(+-*&
9-5)*&
7*C?-0*$&
Ä(A0C(+-*&
7*C?-0*$&
"#$%Å&
7*C?-0*$&
68&
S'
V'
Z'
['
\'
]'
;C:&
V'
W'
W'
c>&'&;*$)/*(A&8)/H)/&>A0)*$<&
• 7*$)/?/0<)&,-**),$<&0*$)/*(A&(??A0,(+-*<&$%/-#D%&6789&":;<&2-/&0*$)D/(+-*&
• >A0)*$<&3(E&(,$&(#$-*-3-#<AEK&-/&(A$)/*(+H)AE&
-*&@)%(A2&-2&(*&)3?A-E))&-/&/-A)&
;*$)/*(A&":;<^&O&"#$-*-3-#<&
kI ;*$)/*(A&,A0)*$&(#$%)*+,($)<&$-&
:0*DV)C)/($)&-*&/)L#)<$&2-/&
(,,)<<&$-5)*&
UI :0*DV)C)/($)&/)$#/*<&(,,)<<&
$-5)*&$-&,A0)*$&
YI B-@0A)&(??A0,(+-*&(CC<&(,,)<<&
$-5)*&$-&0$<&6789&/)L#)<$&-2&
6)<-#/,)&8)/H)/&`":;a&
RI 68&0*$)/(,$<&40$%&:0*DV)C)/($)&
$-&H)/02E&$-5)*K&(*C&/)$/0)H)&
(??/-?/0($)&,A0)*$&(]/0@#$)<&
XI "<<#30*D&!oK&68&/)$#/*<&
/)L#)<$)C&C($(&$-&,A0)*$&
(??A0,(+-*&
9-5)*&
7*C?-0*$&
Ä(A0C(+-*&
7*C?-0*$&
"#$%Å&
7*C?-0*$&
68&
W'
['
S'
V'
Z'
;*$)/*(A&":;<^&&O&J)A)D($)C&
kI >A0)*$&(??A0,(+-*&A(#*,%)<&
@/-4<)/&$-&:0*DV)C)/($)&(#$%*&
?(D)&
UI &"i)/&A-D0*K&:0*DV)C)/($)&
/)$#/*<&,-C)&$-&,A0)*$&
(??A0,(+-*&$%/-#D%&@/-4<)/&
YI >A0)*$&(??A0,(+-*&)P,%(*D)<&
,-C)&2-/&(,,)<<&$-5)*&
RI >A0)*$&(??A0,(+-*&(CC<&(,,)<<&
$-5)*&$-&0$<&6789&/)L#)<$&-2&
6)<-#/,)&8)/H)/&`":;a&
XI 68&0*$)/(,$<&40$%&:0*DV)C)/($)&
$-&H)/02E&$-5)*K&(*C&/)$/0)H)&
C)<0/)C&(]/0@#$)<&
ÇI "<<#30*D&!oK&68&/)$#/*<&
/)L#)<$)C&C($(&$-&,A0)*$&
(??A0,(+-*&
9-5)*&
7*C?-0*$&
Ä(A0C(+-*&
7*C?-0*$&
"#$%Å&
7*C?-0*$&
68&
\'
['
S'
V'
V'
W'
Z'
>A-#C&=#<0*)<<_8((8&
• "&>A-#C&=#<0*)<<_8((8&?/-H0C)<&C($(&(,,)<<&$%/-#D%&6789&":;<&
• ":;&,A0)*$<&(/)&4)@&(??A0,(+-*<&`0I)I&-*&(&<)/H)/a&
• F(/D)&*#3@)/&-2&,A0)*$<&(,,)<<0*D&":;<&'&)(<0)/&$-&3(*(D)&$/#<$&($&$%)&
?(/$*)/_,#<$-3)/&A)H)A&$%(*&0*C0H0C#(A&,A0)*$<&
• "#$%)*+,($)&,A0)*$&.&#<)/<&$%/-#D%&2)C)/(+-*K&/($%)/&$%(*&C0/),$AE&0<<#)C&
,/)C)*+(A<&
VA-4&
kI >A0)*$&(??A0,(+-*&/)$/0)H)<&8"BF&
(<<)/+-*&2/-3&A-,(A&;C:&
UI >A0)*$&<)*C<&8"BF&(<<)/+-*&$-&
:0*DV)C)/($)&($&8((8&:/-H0C)/_
?(/$*)/&)$,&
YI :0*DV)C)/($)&/)$#/*<&(,,)<<&
$-5)*&$-&,A0)*$&
RI >A0)*$&(??A0,(+-*&(CC<&(,,)<<&
$-5)*&$-&0$<&6789&/)L#)<$&-2&
6)<-#/,)&8)/H)/&`":;a&
XI 8((8&68&0*$)/(,$<&40$%&
:0*DV)C)/($)&$-&H)/02E&$-5)*K&
(*C&/)$/0)H)&C)<0/)C&(]/0@#$)<&
ÇI "<<#30*D&!oK&8((8&68&/)$#/*<&
/)L#)<$)C&C($(&$-&,A0)*$&
(??A0,(+-*&
"D)*C(&
• !"#$%&C/0H)/<&• 8,/))*<%-$&C)3-&
• !"#$%&%0<$-/E&• !"#$%&U&• !"#$%&0*&,-*$)P$&• o)E&#<)&,(<)<&• !"#$%&<),#/0$E&3-C)A&
• "AA&$%)&@)AA<&.&4%0<$A)<&4(A5&$%/-#D%&
!"#$%&U&8),#/0$E&B-C)A&
• N)AAK&0$&<-/$&-2&C)?)*C<p&
– 9-5)*&$E?)&– S/(*$&$E?)&– >A0)*$&$E?)&
• "A<-K&0$f<&50*C&-2&,-3?A0,($)Cp&
8)<<0-*&>--50)&"*(A-DE&&
• !"#$%&#<0*D&@)(/)/&$-5)*<&0<&<-/$&-2&A05)&<)<<0-*&,--50)<&2-/&":;_/)<-#/,)&(,,)<<&&
• S)*)/(AAE&E-#&A-D0*&$-&(&4)@<0$)&(*C&(/)&0<<#)C&(&<)<<0-*&,--50)&2-/&<#@<)L#)*$&/)L#)<$<&
• S/(*$&0<&A05)&$%)&A-D0*&(*C&(,,)<<&$-5)*&0<&A05)&$%)&<)<<0-*&,--50)&&
• 9F8&0<&/)L#0/)C&($&)H)/E&<$)?&• >--50)<&/)AE&-*&<(3)&-/0D0*&?-A0,E&
• ",,)<<&$-5)*<&/)AE&-*&<$(+,&-/&4)AA&5*-4&<)/H)/<&• W)0$%)/&0<&?)/2),$&• J0<,-H)/E&,(**-$&@)&<(2)AE&C-*)&40$%&@)(/)/&$-5)*<&
N%($&(@-#$&B">g&
• b)A?<&40$%&$%)&C0<,-H)/E&?/-@A)3&
• 8+AA&50*C&-2&<030A(/&$-&<)<<0-*&,--50)<&
– ;*&2(,$K&$%)&B">&<?),&C)h*)<&(*&)P$)*<0-*&$-&$%)&
b99:&z8)$O>--50)&z&/)<?-*<)&%)(C)/&h)AC&
• :/)H)*$<&,/)C)*+(A&A)(5(D)&• >(*&@)&#<)C&-H)/&0*<),#/)&,%(**)A<&
– "CC<&,-3?A)P0$E&`*-/3(A01(+-*K&,/E?$-D/(?%EK&
<$($)&3(*(D)3)*$a&
– W-&,-*hC)*+(A0$E&`<+AA&*))C&9F8&2-/&$%($a&
9-5)*<&.&80D*0*D&&
• 80D*)C&9-5)*<&– 9-5)*&0<&<0D*)C&@E&$%)&0<<#)/&`"8a&– vN9K&8N9K&8"BFK&)$,I&
– 9-5)*&0<&<)A2O,-*$(0*)C&• 80D*0*D&40$%&9-5)*<&&
– >A0)*$&<0D*<&$%)&/)L#)<$&40$%&<-3)&<),/)$&0<<#)C&
(A-*D&<0C)&$%)&$-5)*&
– B">&
– 9-5)*&,(*&@)&<)A2O,-*$(0*)C&-/&/)2)/)*,)&&
N%E&(/)*f$&9-5)*<&J)h*)Cg&
• ;$f<&-5(EK&0$&/)(AAE&0<&• ;&C-*f$&5*-4&4%E&)P(,$AEK&@#$&;fH)&D/-4*&$-&(,,)?$&(*C&)H)*&A05)&0$&
• ;$&C-)<&03?AE&<-3)&A)H)A&-2&,--/C0*(+-*&
@)$4))*&$%)&"8&.&68&
• 903)&40AA&$)AAp&
!$%)/&8),#/0$E&8$#e&
• 6)2)/)*,)&<$EA)&$-5)*<&*))C&(&A-$&-2&)*$/-?E&• 6)H-,(+-*&0<&D--C&$-&?/-H0C)&• 9F8&• >A0)*$&"#$%)*+,(+-*&(*C&@0*C0*D&$-&$-5)*<_,-C)<&• =/#$)&2-/,)&,-#*$)/3)(<#/)<&
• 9-5)*&<$-/(D)&• 9-5)*_,-C)&A)(5(D)&• :%0<%0*D&• J0C&;&3)*+-*&9F8g&
• 8,-?)&
"D)*C(&
• !"#$%&C/0H)/<&• 8,/))*<%-$&C)3-&
• !"#$%&%0<$-/E&• !"#$%&U&• !"#$%&0*&,-*$)P$&• o)E&#<)&,(<)<&• !"#$%&<),#/0$E&3-C)A&
• "AA&$%)&@)AA<&.&4%0<$A)<&4(A5&$%/-#D%&
N(A5&$%/-#D%&
• N(A5&$%/-#D%&<,)*(/0-&-2&(*&)3?A-E))&#<0*D&(&
*(+H)&(??&-*&$%)0/&?%-*)_$(@A)$&$-&0*$)/(,$&
40$%&(&8((8&?/-H0C)/&
• 8"BF&?/-H0C)<&
– "#$%)*+,(+-*&-2&)3?A-E))&$-&8((8&?/-H0C)/&
• !"#$%&?/-H0C)<&– (#$%-/01(+-*&-2&*(+H)&(??&$-&(,,)<<&8((8&":;<&– ;<<#(*,)&-2&$-5)*<&2/-3&8((8&$-&*(+H)&(??&
N(A5&$%/-#D%&
&
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&8"BF&
&
&
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&!"#$%&
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&!"#$%&
F-(C&(#$%1&?(D)&
F-(C&(#$%1&?(D)&
F-(C&(#$%1&?(D)&
S79&_(<_(#$%-/01(+-*I-(#$%Ug
,A0)*$x0C}3-@0A)(??.<$($)}%-<)/./)C0/),$x#/0}3-@0A)(??^__
/)C0/),$x%)/)./)<?-*<)x$E?)},-C)&b99:_kIk&
^$,"'O O&W-&,A0)*$&?4C&O O&,#<$-3&<,%)3)&-*&/)C0/),$&c6F&
O O&/)<?-*<)&$E?)&-2&r,-C)f&
;C:&J0<,-H)/E&
;C:&J0<,-H)/E&
;C:&C0<,-H)/E&
88!&6)L#)<$&
88!&/)L#)<$&
88!&6)L#)<$&
à<(3A?^"#$%*6)L#)<$&
&P3A*<^<(3A?}z#/*^-(<0<^*(3)<^$,^8"BF^UIZ^?/-$-,-Az&
P3A*<^<(3A}z#/*^-(<0<^*(3)<^$,^8"BF^UIZ^(<<)/+-*z&;J}z((2UYksÇOkuuYOUkkYORuR(O
2)kkRRkU(@uUz&Ä)/<0-*}zUIZz&;<<#);*<$(*$}zUZZROkUOZX9Zs^Uk^XsÅ{â&
& &à<(3A^;<<#)/â%]?<^__<?I)P(3?A)I,-3_8"BFUà_<(3A^;<<#)/â&&à<(3A?^W(3);J:-A0,E&
"AA-4>/)($)}z$/#)z& &V-/3($}z#/*^-(<0<^*(3)<^$,^8"BF^
UIZ^*(3)0C^2-/3($^?)/<0<$)*$z_â&
à_<(3A?^"#$%*6)L#)<$â&
à2-/3&3)$%-C}z?-<$z&(,+-*}z%]?<^__0C?I)P(3?A)I-/D_8"BFU_88!_:!89z&â&
à0*?#$&$E?)}z%0CC)*z&*(3)}z8"BF6)L#)<$z&H(A#)}z!"#$"%&z&_â&à0*?#$&$E?)}z<#@30$z&H(A#)}z8#@30$z&_â&
à_2-/3â&&
c<)/&(#$%)*+,(+-*&
c<)/&(#$%)*+,(+-*&
c<)/&(#$%)*+,(+-*&
88!&/)<?-*<)&
88!&6)<?-*<)&
88!&6)<?-*<)&à<(3A^"<<)/+-*â&
à<(3A^;<<#)/â%]?<^__0C?I)P(3?A)I-/D_8"BFUà_<(3A^;<<#)/â&
àC<^80D*($#/)&P3A*<^C<}z%]?^__444I4YI-/D_UZZZ_Zs_P3AC<0DMzâIIIà_C<^80D*($#/)â&
à<(3A^8#@w),$â&à<(3A^W(3);J&V-/3($}z#/*^-(<0<^*(3)<^$,^8"BF^UIZ^*(3)0CO2-/3($^?)/<0<$)*$zâ&
Y2u@YC,2OkÇuROR),COsU,tOkXRR2YRÇ@(2t&à_<(3A^W(3);Jâà_<(3A^8#@w),$â&
à<(3A^"]/0@#$)8$($)3)*$â&
à<(3A^"]/0@#$)&W(3)}Ñ)3(0A{&â&
à<(3A^"]/0@#$)Ä(A#)&P<0^$E?)}zP<^<$/0*Dzâ?3(C<)*\?0*D0C)*+$EI,-3à_<(3A^"]/0@#$)Ä(A#)â&&
à_<(3A^"]/0@#$)â&&
à_<(3A^"]/0@#$)8$($)3)*$â&&
à_<(3A^"<<)/+-*â&&
6)<?-*<)&40$%&,-C)&
6)<?-*<)&40$%&,-C)&
6)<?-*<)&40$%&,-C)&
b99:_kIk&YZU&V-#*C&
F-,(+-*^&3-@0A)(??^__/)C0/),$x%)/)g&
&<$($)}%-<)/.&
&,-C)}401v3(89:"2Z4L8)=YH3JPU3W8ÅoÇD&
>-*$)*$OF)*D$%^&Z&
9/(C)&,-C)&2-/&$-5)*&
9/(C)&,-C)&2-/&$-5)*&
9/(C)&,-C)&2-/&$-5)*&
:!89&_(<_$-5)*I-(#$%U&
b-<$^&(<I,-3&
,A0)*$x0C}(./)C0/),$x#/0}3-@0A)(??^__
/)C0/),$%)/).D/(*$x$E?)}(#$%-/01(+-*x,-C).,-C)}401v3(89:"2Z4L8)=YH3JPU
3W8ÅoÇD&b99:_kIk&
&
&
b99:_kIk&UZZ&!o&
>-*$)*$O9E?)^&(??A0,(+-*_w<-*~&,%(/<)$}c9VOt&
�z$-5)*x$E?)z^z=)(/)/zKz)P?0/)<x0*z^zÇZZzKz/)2/)<%x$-5)*z^z-|NL4Bc;FU*C)Bb<N7
EV!ZSE(AHo8H,U|;Rd#StU6BS5BzKz(,,)<<x$-5)*z^zA8=@,0RvDtB<w08LÅF=/17qDCR
3ocW%!5EVzÉ&
>A0)*$&,(AA<&":;&
>A0)*$&,(AA<&":;&
>A0)*$&,(AA<&":;&
%]?<^__D/(?%I2(,)@--5I,-3_?(#AI)I3(C<)*_
2/0)*C<_g
(,,)<<x$-5)*}A8=@,0RvDtB<w08LÅF=/17qDCR3o
cW%!5EV&
&
&
&
&
&
Ä)/02E&$-5)*&
Ä)/02E&$-5)*&
Ä)/02E&$-5)*&S79&_(<_$-5)*I-(#$%Ug
,A0)*$x0C}@.,A0)*$x<),/)$}?4C.D/(*$x$E?)}#/*^?0*D^H(A0C($).$-5)*}A8=@,0RvDtB<w08LÅF=/17qDCR3ocW%!5EV&
b99:_kIk&
b-<$^&(<I,-3&
",,)?$^&n_n&
&
&b99:_kIk&UZZ&!o&
>-*$)*$O9E?)^&(??A0,(+-*_w<-*~&,%(/<)$}c9VOt&&^$,'O4%,1'5"X)"5'
6)$#/*&J($(&
6)$#/*&J($(&
6)$#/*&C($(&
b99:_kIk&UZZ&!o&
>-*$)*$O9E?)^&(??A0,(+-*_w<-*~&,%(/<)$}c9VOt&
&
903)&?(<<)<&
&
&
&
6)2/)<%&$-5)*&
6)2/)<%&$-5)*&
6)2/)<%&$-5)*&/)L#)<$&
:!89&_(<_$-5)*I-(#$%U&b99:_kIk&
b-<$^&A-,(A%-<$^sZYk&
&
,A0)*$x0C}(.D/(*$x$E?)}/)2/)<%x$-5)*.&
&/)2/)<%x$-5)*}-|NL4Bc;FU*C)Bb<N7EV!ZSE(AHo8H,U|;Rd#StU6BS5B&&
S)$&2/)<%&(]/0@#$)<&
S)$&2/)<%&(]/0@#$)<&
S)$&2/)<%&(]/0@#$)<&
8>;B&-/&8"BFgg&
6)$#/*&(,,)<<&$-5)*&
6)$#/*&(,,)<<&$-5)*&
6)$#/*&(,,)<<&$-5)*&
b99:_kIk&UZZ&!o&
>-*$)*$O9E?)^&(??A0,(+-*_w<-*~&,%(/<)$}c9VOt&
�z$-5)*x$E?)z^z=)(/)/zKz)P?0/)<x0*z^zÇZzKz/)2/)<%x$-5)*z^zvÅu|(REbX>t7Y>0
5H,ÅÅ<CRÅFcDÄEd*0)qLE@"Vw!@|?1zKz(,,)<<x$-5)*z^zRs=:;XF#WBYkZ-u
%@=s3s,;1;39XBtD,6w7zÉ&
&
60*<)&.&/)?)($&p&
&
&
&
&
(/,%0H)&
&
&
B-@0A)&(??&;CB&(/,%0$),$#/)&&
W(+H)&H<&4)@&(??<&
• W-$&D-0*D&$-&$/E&$-&?/)C0,$&40**)/&'&)P?),$&@-$%&• "#$%)*+,(+-*&.&(#$%-/01(+-*&<%-#AC&@)&,-*<0<$)*$&
(,/-<<&@-$%&3-C)A<K&<-&$%($&
– c<)/<&(/)&*-$&,-*2#<)CK&)D&#<)&C0e)/)*$&,/)C)*+(A<&(*C_-/&(#$%)*+,(+-*&,)/)3-*E&2-/&
$%)&$4-&3-C)A<K&)H)*&02&(,,)<<0*D&$%)&<(3)&
(??A0,(+-*&
– 8)/H0,)&:/-H0C)/<&(/)*f$&2-/,)C&$-&03?A)3)*$&
C#?A0,($)&.&0*,-3?(+@A)&<),#/0$E&2/(3)4-/5<&
2-/&$%)&$4-&3-C)A<&
V)C)/(+-*&
• V)C)/(+-*&(@<$/(,$<&(4(E&2/-3&(??A0,(+-*<&
<?),0h,<&-2&(#$%)*+,(+-*&.&(#$%-/01(+-*&'&
-#$<-#/,)C&$-&<?),0(A01)C&?/-H0C)/<&
• >-3?A)P0$E&%0CC)*&@E&$-5)*&0<<#(*,)&.&H(A0C(+-*&
• V)C)/(+-*&<$(*C(/C<&C)h*)&– 9-5)*&2-/3($<&
– b-4&,A0)*$<&-@$(0*&$-5)*<&– b-4&,A0)*$<&?/)<)*$&$-5)*<&$-&(??A0,(+-*&?/-H0C)/<&&
9-5)*<&
• V)C)/($)C&(#$%)*+,(+-*&2-/&@-$%&4)@&(*C&*(+H)&3-@0A)&(??A0,(+-*<&0<&@(<)C&-*&)P,%(*D)&
(*C&C)A0H)/E&-2&&'(")%*$-&$%)&(??A0,(+-*&• 9-5)*<&,(//E&`-/&?-0*$&$-a&<),#/0$E&0*2-/3(+-*&
`A05)&(]/0@#$)<&-/&(#$%-/01(+-*<a&2-/&#<)/&$/E0*D&
$-&(,,)<<&$%)&(??A0,(+-*I&&
• >A0)*$<&$E?0,(AAE&)P,%(*D)&,/)C)*+(A<&2-/&$-5)*<&O&)(<0)/_<(2)/&$-&<%(/)&$%)&$-5)*&(,/-<<&$%)&
*)$4-/5&/($%)/&$%(*&$%)&-/0D0*(A&,/)C)*+(A<&
• N%)*&$-5)*&0<&<#@<)L#)*$AE&?/)<)*$)C&$-&(*&
(??A0,(+-*&?/-H0C)/K&$%)E&<)/H)&$-&(#$%)*+,($)&
(*C_-/&(#$%-/01)&$%)&/)L#)<$&
V)C)/(+-*&$(5)<&C0e)/)*$&2-/3<&
(??&
C($(&
"]/0@#$)<&2-/&(#$%)*+,(+-*&
"#$%-/01(+-*&2-/&(]/0@#$)<&
V-/&4)@&(??<K&$-5)*<&,(//E&
V-/&*(+H)&(??<K&$-5)*<&,(//E&
(??&
=/-4<)/&
9-5)*<&2-/&3-@0A)&4)@&(??A0,(+-*<&
• V)C)/(+-*&2-/&4)@&(??A0,(+-*<&3(*02)<$<&(<&
88!&2/-3&<-3)&;C:&$-&$%)&(??A0,(+-*&?/-H0C)/&
• 88!&)<?),0(AAE&/)A)H(*$&2-/&3-@0A)&
• 9-5)*<&(])<+*D&$-&$%)&#<)/f<&0C)*+$E&(*C_-/&(#$%)*+,(+-*&<$($#<&C)A0H)/)C&&+!'$,+*`(<&/)C0/),$<a&$%)&@/-4<)/&2/-3&;C:&$-&$%)&
(??A0,(+-*&?/-H0C)/&
• "??A0,(+-*&?/-H0C)/&H(A0C($)<&$-5)*&(*C&)P$/(,$<&0C)*+$E&(]/0@#$)<&2/-3&40$%0*&0*&-/C)/&
$-&,/)($)&A-,(A&<)<<0-*&&
9-5)*<&2-/&4)@&(??A0,(+-*<&
;C)*+$E&?/-H0C)/& 8)/H0,)&?/-H0C)/&
J)H0,)&=/-4<)/&
:4C& b9BF&
kI c<)/&$/(C)<&,/)C)*+(A<&2-/&(&
$-5)*&2/-3&;C:&
UI 9-5)*&C)A0H)/)C&$%/-#D%&$%)&
@/-4<)/&$-&8:&
YI 8:&H(A0C($)<&$-5)*K&(*C&C)A0H)/<&
(??A0,(+-*&b9BF&
$-&@/-4<)/&
9-5)*&
8"BF&
!?)*;J&"??A0,(+-*&
=)<$&?/(,+,)<&
• 8$(*C(/C<&– !?)*;J&UIZ&2-/&,-*<#3)/&<,)*(/0-<&
– 8"BF&UIZ&2-/&)*$)/?/0<)&.&,A-#C&
– N8OV)C)/(+-*&2-/&%-3-D)*)-#<&B8V9&
• ;C:&J0<,-H)/E&– ;*&,-*<#3)/&<?(,)K&,-*<0C)/&W(<,(/&40$%&)3(0AO
@(<)C&<#??A)3)*$&
– ;*&,A-#C&<?(,)K&,-*<0C)/&)3(0AO@(<)C&
• =-$%&;C:&`?-/$(Aa&(*C&8:&`C))?OA0*50*Da&0*0+($)C&(/)&/)A)H(*$&
• B-@0A)&@/-4<)/&,-*<$/(0*$<&3(E&/),-33)*C&
(/+2(,$&3-C)A&0*&8"BF&
9-5)*<&2-/&*(+H)&(??A0,(+-*<&
• W(+H)&(??A0,(+-*<&(#$%)*+,($)&$-&6789&":;<&@E&?/)<)*+*D&(&$-5)*&-*&$%)&,(AA&
• 9%)&?/),#/<-/&(,$&-2&$%)&*(+H)&(??A0,(+-*&-@$(0*0*D&(&$-5)*&0<&-i)*&,(AA)C&r(#$%-/01(+-*f&`?(/+,#A(/AE&0*&
$%-<)&,(<)<&4%)*&$%)&":;&2/-*$<&#<)/&0*2-K&)D&?/-hA)K&
$4))$<K&)$,a&
• c<)/&(#$%-/01)<&`-/&,-*<)*$<a&$-&$%)&*(+H)&(??A0,(+-*&%(H0*D&(,,)<<&$-&$%)&":;&`(*C&$%)0/&C($(a&'&$%)&
(#$%-/01(+-*&0<&3(*02)<$)C&(<&$%)&0<<#(*,)&-2&(&$-5)*&
$-&$%)&*(+H)&(??&
• !"#$%&UIZ&C-30*(*$&?/-$-,-A&@E&4%0,%&(&*(+H)&(??&
-@$(0*<&$%)&C)<0/)C&(#$%-/01(+-*<&(*C&$%)&
,-//)<?-*C0*D&$-5)*&`(*C&$%)*&#<)<&(D(0*<$&":;a&
B-@0A)&(#$%*&-?+-*<&
:)*+)"'
_`,"!)0*'>!$(#"!'
_C>"55"5'>!$(#"!' • E(5'#10!"5'(+,1'W!5'60!,D'• 466'$()#'9:'
• a+#%0*',!%#,'&%"#'• =0)'*"-"!0?"'#,$!"5'6(5#'
• ̂ $')""5',$'*"0-"'066'
• =%#,$C'#&1"C"'• _)0>*"#'//O'• _)0>*"#'#,!$)?'0%,1)'• 4/'$()#'9:'
9-5)*<&2-/&*(+H)&(??A0,(+-*<&
8)/H0,)&?/-H0C)/&
J)H0,)&
=/-4<)/&
"??A0,(+-*&
9-5)*&:4C&
v8!W_qBF&
kI c<)/&$/(C)<&,/)C)*+(A<&2-/&(&$-5)*&UI 9-5)*&C)A0H)/)C&$%/-#D%&$%)&@/-4<)/&
$-&*(+H)&(??A0,(+-*&
YI W(+H)&(??A0,(+-*&?/)<)*$<&$-5)*&-*&":;&,(AA<&
RI "??A0,(+-*&/)$#/*<&(??A0,(+-*&C($(&(<&v8!W&
!"#$%&
"??A0,(+-*&
=)<$&?/(,+,)<&
• c<)&$%)&@/-4<)/&$-&(#$%)*+,($)&$%)&#<)/&$-&$%)&"8K&C-*f$&,-AA),$&#<)/&?(<<4-/C<&40$%0*&*(+H)&(??A0,(+-*&
0$<)A2&
• "&<)?(/($)&@/-4<)/&40*C-4&?/)2)//)C&$-&)3@)CC)C&'&
D0H)<&#<)/&$%)&H0<#(A&$/#<$&,#)<&$/(0*)C&$-&A--5&2-/&
• !"#$%&(#$%-/01(+-*&,-C)&D/(*$&$E?)&0<&/)A)H(*$&'&(AA-4<&(&/)2/)<%&$-5)*&$-&@)&C)A0H)/)C&$-&$%)&*(+H)&
(??A0,(+-*&`-@H0($)<&*))C&$-&,-*+*#(AAE&/)(#$%-/01)a&
• c<)&@/-4<)/&2-/&;C:&C0<,-H)/E&02&C-0*D&88!&`/($%)/&$%(*&40$%0*&*(+H)&(??A0,(+-*&0$<)A2a&
• W(+H)&(??A0,(+-*&<%-#AC&/)D0<$)/&,#<$-3&<,%)3)&-*&
0*<$(AAK&$-&)*(@A)&<#@<)L#)*$&?(<<0*D&&-2&$-5)*&2/-3&
@/-4<)/&-./(*$-&*(+H)&(??A0,(+-*&
