Best Practices for Cloud Identity in JavaEE Enabled PaaS
Anil Saldhana, Red Hat Inc.
Agenda
• Introduction To Cloud Identity
  – Concept of Identity and Trust
• JavaEE Enabled PaaS
  – OpenShift
• What Identity Standard should I adopt?
  – SAML, OpenID, OAuth, WS-Trust, Kerberos
  – NIST 800-63 Levels of Assurance
Agenda
• Best Practices
  – User Registration
  – Identity Management
    • Cloud Directories and Corporate Directories
  – Authentication
  – Authorization
  – Mobile Devices
  – Identity Providers
  – API Access
Agenda
• Demo
• Other Relevant Standards Work
  – JSR 351
• Resources
Concept of Identity and Trust
Concept of Trust
• Twitter Verified Accounts

Concept of Trust
• Twitter Verified Accounts
  – President Obama (Identity)
  – Blue Check Sign (Trust)

Concept of Trust
• Twitter Verified Accounts
  – Tim O'Reilly (Identity)
  – Blue Check Sign (Trust)
JavaEE Enabled PaaS (OpenShift)
http://openshift.com
OpenShift
• OpenShift by Red Hat is a polyglot PaaS
• Run Java, Ruby, Perl, Python, PHP and Node.js in the Cloud
• JavaEE Full Profile support via JBoss Application Server v7.x as well as JBoss Enterprise Application Platform
• Free
Which Identity Management Standard is relevant?
(SAML, OpenID, OAuth, WS-Trust, Kerberos)
Levels of Assurance
• NIST 800-63 Special Publication
• Four Levels of Assurance
  – Level 1:
    • Little or no confidence in the asserted identity.
    • OpenID, OAuth.
  – Level 2:
    • Some confidence in the asserted identity.
    • Passwords and SAML Password Authentication Mechanism.

Levels of Assurance
• Four Levels of Assurance
  – Level 3:
    • High Confidence.
    • Soft/Hard Crypto Tokens and OTP.
  – Level 4:
    • Very High Confidence.
    • PKI and Smart Cards.
Which standard is relevant?
• Community Type Environment
  – Forums, Blogs etc.
  – Level 1 Assurance.
  – Decentralized setup; Internet Scale.
  – OpenID and OAuth.

Which standard is relevant?
• Enterprise Type Environment
  – Need Level 2 assurance.
    • SAML Assertions (Password based authentication)
  – Need Level 3 or 4 assurance of identity.
    • SAML Assertions (PKI/X.509 Certificates)
Best Practices
User Registration
• All Security Systems need users.
• Users can come from corporate identity stores or need to be dynamically registered.
• Dynamic Registration
  – CAPTCHA technology.
• Password Strength Meters/Indicators.
• Important to understand Cloud Directories.
User Registration
• Password Management
  – Salt and Hash each password.
  – Just hashing
    • Susceptible to Dictionary or Brute Force Attacks.
  – Password Reset
    • Send single use tokens with 15 min validity to the user's email.
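The two password-management points on this slide, salted hashing and short-lived single-use reset tokens, as an added example (not code from the deck or from PicketLink). The salted variant uses PBKDF2-HMAC-SHA256 with a per-user random salt; the iteration count, the 15-minute TTL and the injectable clock are assumptions made for the demonstration. The unsalted digest function is there only to show why "just hashing" is weak: equal passwords produce equal digests, so one precomputed table covers every user.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000       # assumption: work factor chosen for this example
RESET_TTL_SECONDS = 15 * 60       # the 15 minute validity stated on the slide


def unsalted_digest(password: str) -> str:
    """'Just hashing': deterministic, so identical passwords collide and a
    single dictionary of precomputed digests works against every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt per user means equal
    passwords get different digests and precomputed tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class PasswordResetService:
    """Issues single-use reset tokens that expire after RESET_TTL_SECONDS.
    Only a hash of each token is kept server-side, so a leaked store does
    not hand out usable reset links."""

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for testing expiry
        self._pending: Dict[str, Tuple[str, float]] = {}   # sha256(token) -> (user, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_token(self, username: str) -> str:
        token = secrets.token_urlsafe(32)         # this value goes in the e-mail
        self._pending[self._key(token)] = (username, self._clock() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the username the token belongs to, or None if it is unknown,
        already used, or older than 15 minutes. pop() makes it single use."""
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username


if __name__ == "__main__":
    # constructed sample: two users who happen to pick the same password
    print("unsalted collide:", unsalted_digest("winter2012") == unsalted_digest("winter2012"))
    s1, d1 = hash_password("winter2012")
    s2, d2 = hash_password("winter2012")
    print("salted collide:  ", d1 == d2)
    svc = PasswordResetService()
    t = svc.issue_token("alice")
    print("first redeem:", svc.redeem(t), "second redeem:", svc.redeem(t))
```

The reset service stores the token's hash rather than the token itself, and redemption removes the record before checking the deadline, so a token can never be replayed even if the first attempt arrived late.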
Identity Management
• Directories of Users/Applications
  – Cloud based.
  – Corporate based.
  – Hybrid (both Cloud and Corporate).
• Synching Issues.
• Legal and Compliance Issues.

Identity Management
Authentication
• Classic Username/Password
• Two Factor Authentication
  – Additional factor: One Time Password.
• Kerberos Based Login for API
• External Authentication
  – Sign In using Facebook, Twitter, Google...
  – Eliminates Password Management Headaches.
Authorization
• Coarse Grained Authorization
  – Role Based Access Control.
• Fine Grained Authorization
  – ACL, XACML.
• OAuth Style Authorization.
Mobile Devices
• Device Registration
  – UDID, SIM ID, Chip ID can all be identifiers for the same device.
• Mobile devices may need token based security.
Identity Providers
• Central Identity Provider for the entire PaaS system.
  – Global directory service for all tenants.
• Identity Provider for the applications of a single tenant.
  – Tenant deploys IDP application.
• Delegated Identity Providers to Corporate Identity Providers.
  – Salesforce to corporate Identity services.

Identity Providers
Cloud API Access
• Majority of Cloud Access may be via API
  – (Salesforce, Twitter, Facebook) 3rd party apps.
• Token based REST system
  – OAuth2 is a good candidate.
    • Various drafts and flavors in the industry.
  – User has control over approval/revocation of access.

Cloud API Access
• OAuth2 Interactions
  – Register Application with server
    • Obtain Client Identifier and Client Secret
  – Resource owner (User) authorizes application with server, for various scopes
    • Obtain Authorization Code

Cloud API Access
• OAuth2 Interactions
  – Application uses authorization code to obtain access token and refresh token
    • Refresh token helps obtain new access token on expiry
  – Application provides token to resource server
    • Access to resource
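The OAuth2 interactions listed across the two preceding slides, plus the user-controlled revocation mentioned on the first Cloud API Access slide, as an added example that is not part of the deck and not PicketLink or OpenShift code. It is a single-process simulation of the authorization-code flow: client registration, user approval for scopes, code-for-token exchange, refresh on expiry, and a resource server that checks the token before serving. The token lifetimes, the `todo:read` scope and the in-memory stores are assumptions made for the demonstration; a real deployment would use HTTP redirects and TLS between the parties.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

ACCESS_TTL = 3600   # assumption: access tokens live one hour
CODE_TTL = 60       # assumption: authorization codes live one minute and are single use


@dataclass(frozen=True)
class Grant:
    """What the resource owner approved: which client, for which user, which scopes."""
    client_id: str
    user: str
    scopes: FrozenSet[str]


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock                                     # injectable for expiry tests
        self.clients: Dict[str, str] = {}                      # client_id -> client_secret
        self.codes: Dict[str, Tuple[Grant, float]] = {}        # code -> (grant, expires_at)
        self.access: Dict[str, Tuple[Grant, float]] = {}       # access_token -> (grant, expires_at)
        self.refresh: Dict[str, Grant] = {}                    # refresh_token -> grant

    # Slide step 1: register the application, obtain client identifier and secret
    def register_client(self, name: str) -> Tuple[str, str]:
        client_id = f"{name}-{secrets.token_hex(4)}"
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = client_secret
        return client_id, client_secret

    # Slide step 2: the resource owner approves scopes, yielding an authorization code
    def authorize(self, client_id: str, user: str, scopes) -> str:
        if client_id not in self.clients:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (Grant(client_id, user, frozenset(scopes)), self.clock() + CODE_TTL)
        return code

    def _check_client(self, client_id: str, client_secret: str) -> None:
        expected = self.clients.get(client_id)
        if expected is None or not secrets.compare_digest(expected, client_secret):
            raise PermissionError("client authentication failed")

    # Slide step 3: the application trades the code for access and refresh tokens
    def exchange_code(self, client_id: str, client_secret: str, code: str) -> Dict[str, object]:
        self._check_client(client_id, client_secret)
        entry = self.codes.pop(code, None)                     # pop: a code is usable once
        if entry is None or entry[1] < self.clock() or entry[0].client_id != client_id:
            raise PermissionError("invalid authorization code")
        return self._issue(entry[0], with_refresh=True)

    def _issue(self, grant: Grant, with_refresh: bool) -> Dict[str, object]:
        access_token = secrets.token_urlsafe(32)
        self.access[access_token] = (grant, self.clock() + ACCESS_TTL)
        refresh_token = None
        if with_refresh:
            refresh_token = secrets.token_urlsafe(32)
            self.refresh[refresh_token] = grant
        return {"access_token": access_token, "refresh_token": refresh_token, "expires_in": ACCESS_TTL}

    # Slide step 3b: the refresh token obtains a new access token after expiry
    def refresh_access(self, client_id: str, client_secret: str, refresh_token: str) -> Dict[str, object]:
        self._check_client(client_id, client_secret)
        grant = self.refresh.get(refresh_token)
        if grant is None or grant.client_id != client_id:
            raise PermissionError("invalid refresh token")
        return self._issue(grant, with_refresh=False)

    # The user stays in control: revoking drops every token granted to that client
    def revoke(self, user: str, client_id: str) -> None:
        self.access = {t: v for t, v in self.access.items()
                       if not (v[0].user == user and v[0].client_id == client_id)}
        self.refresh = {t: g for t, g in self.refresh.items()
                        if not (g.user == user and g.client_id == client_id)}

    # Called by the resource server: is the token live and does it carry the scope?
    def introspect(self, access_token: str, required_scope: str) -> Optional[str]:
        entry = self.access.get(access_token)
        if entry is None or entry[1] < self.clock():
            return None
        grant = entry[0]
        return grant.user if required_scope in grant.scopes else None


class ResourceServer:
    """Slide step 4: the application presents the token, the resource server checks it."""
    def __init__(self, auth_server: AuthorizationServer):
        self.auth = auth_server
        self.todos = {"alice": ["write talk"]}                 # constructed sample data

    def list_todos(self, access_token: str):
        user = self.auth.introspect(access_token, "todo:read")
        if user is None:
            raise PermissionError("access denied")
        return self.todos.get(user, [])
```

Note that the client secret is checked with a constant-time comparison and that the code, not just the token, is bound to the client that requested it, so a code intercepted on its way back to the application cannot be redeemed by a different registered client.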
Demo
Aerogear TODO Application
• Typical JavaEE6 application
  – HTML5
  – CDI Application Programming
  – JAX-RS Endpoints
  – JPA

Aerogear TODO Application
• Deployed on OpenShift PaaS.
  – Identity User Registration Pattern
  – Identity Authentication Pattern
    • Username/Password
    • Facebook Authentication
    • Google Authentication
  – Role Based Authorization
Relevant Standards
JSR 351
• Java Identity JSR
• http://jcp.org/en/jsr/detail?id=351
• http://java.net/projects/identity-api-spec/pages/Home
• Define API and identity interaction models for applications and in access control decisions.
OASIS IDCloud TC
• OASIS Identity In The Cloud TC
  – Use Cases for Identity Management in the Cloud Ecosystem.
  – http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html
  – Gap Analysis in existing standards.
OASIS Cloud Authorization TC
• OASIS Cloud Authorization TC
  – Brand new TC at OASIS.
  – Build Profiles for Cloud Authorization using XACML and OAuth.
    • SaaS, PaaS and IaaS models.
  – Build Profiles for Cloud Entitlements.
Resources
• OpenShift PaaS
  – http://openshift.com
• Project PicketLink
  – http://jboss.org/picketlink
• My Blog
  – http://anil-identity.blogspot.com