Copyright ©2013 Ping Identity Corporation. All rights reserved.
Identity at Scale
Hans Zandbelt
CTO Office – Ping Identity
CIS 2013

Contents
•  Trends and Standards
•  Identity at Scale
•  Recommendations

Trends
•  Cloud (SaaS), Mobile, Social
–  Authentication: SAML -> +OpenID Connect
•  Web -> API
–  Core business: information and data, not presentation
•  Internet of Things
•  Mutual authentication?
–  controlling other cars, toasters, lightbulbs

Standards (the nice thing is…)
•  Standards
–  Interoperability: need to deal with another vendor’s API/product? Not an app for every thing in the IoT!
–  cross-domain
–  competition, replaceable implementations, leading to good but cheap products?
•  APIs
–  Light-weight, SOAP -> REST/OAuth 2.0
•  Web SSO
–  Enterprise/Customer Identity, Consumer Identity
–  SAML -> OpenID Connect : scale?
•  OpenID Connect
–  Simplicity for clients/RPs -> complexity shifted to the OP

IDENTITY AT SCALE

1-1 Federated Identity Today
•  Increase of Cloud/SaaS adoption
–  # federated SSO applications (SAML)
–  # partner connections
–  # connection management overhead (*)
•  But(!) also for “incidental” connections
–  How to obtain updates
•  Authoritative source -> trust
•  Infrastructure: authenticated source (e-mail…)
–  How to configure them
•  Automated
•  Managed, outsourced
(Diagram: three IDPs and three SPs with direct 1-1 connections)

(*) Connection Management
•  Metadata related (not so standard for other-than-SAML protocols)
–  key material
–  SSO service URLs
–  point of contact
•  Attributes
–  could be metadata, often isn’t
–  may be bilateral (!)
–  required/optional, consent
•  Policies
–  contractual agreements
–  privacy
•  End-user/application/SSO related
–  how users can sign in (relation to service URLs)
–  change in look and feel
–  change in functionality

Metadata - SAML 2.0
•  Technical Trust
•  X.509 Certificate
–  Anchored vs. unanchored
–  Key vs. other cert info
•  URLs/Bindings
•  Contact info
–  Company name, admin/tech contact

<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/SAML2">

  <!-- insert ds:Signature element -->

  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>…</ds:KeyInfo>
    </md:KeyDescriptor>

    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/SAML2/SSO/POST"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://idp.example.org/SAML2/Artifact"/>

  </md:IDPSSODescriptor>

  <md:Organization>
    <md:OrganizationName xml:lang="en">
      SAML Identity Provider
    </md:OrganizationName>
    <md:OrganizationURL xml:lang="en">
      http://www.idp.example.org/
    </md:OrganizationURL>
  </md:Organization>

  <md:ContactPerson contactType="technical">
    <md:SurName>SAML IdP Support</md:SurName>
    <md:EmailAddress>mailto:saml-support@idp.example.org</md:EmailAddress>
  </md:ContactPerson>

</md:EntityDescriptor>

Connection Management Metadata/Technical Issues
•  Conn Mgmt often a one-shot process (or rather, a snapshot)
•  Certificate expiry and update
•  Contact info update
•  URL and binding updates
•  Changes in IDP discovery process
•  Metadata documents can contribute to the solution, but how to scale exchange?
(Figure labels: Key Rollover, Contact Info, Bindings & URLs)

BE AWARE
Contrary to popular belief:
The connection management problem is NOT specific to SAML; any federated authentication system deployed on true internet scale will have to address this issue.
So: any solution should be protocol agnostic.

TOWARDS A SOLUTION
What can we do?

Solution Approach (n=2): Shared Conn. Mgmt.
•  Single/central/shared point of connection management (trust)
•  Trusted 3rd party
–  From: user trust scale through 2nd party to SP/IDP trust through 3rd-party
•  Compares to TLS and a Certificate Authority or DNS
•  Challenge
–  How to create a trusted channel
(Diagram: a Shared Service between three IDPs and three SPs)

A shared service… where does it apply?
•  intra-enterprise
–  large distributed organizations, both infrastructure and responsibilities/trust (acquisitions and mergers)
–  connect multiple applications to a variety of externals & internals; “user access firewall”
•  inter-enterprise
–  verticals: healthcare, automotive, banking/financial, education but also "cross e-Gov”
–  homogeneous(!) group with shared interest/organization
(Diagram: four IDP/SP pairs)

A Next Step In Architecture Evolution…
(Diagram, four numbered stages:
1. Application Server hosting App 1, App 2 and App 3, each with its own Fed component
2. App Server or Access System hosting App 1, App 2 and App 3 with one shared Federation component
3. App Server hosting App 1, App 2 and App 3 next to a separate Federation Server
4. Several App Servers (App 1 to App 4) with their Fed Servers/components under a shared Connection Management layer)

Solution 1: Proxy
•  Indirect peer-to-peer communication
•  Trust proxy only, relay to peers, inband
•  Shift the metadata problem to a central facility: no distr. mgmt
•  Technical trust may be combined with organizational trust
•  Connection Mgmt
–  MxN -> M+N
•  Accommodate for diff SAML implementations
•  Protocol translations are possible
(Diagram: three IDPs and three SPs each speak SAML to an operator-run SP-IDP proxy)

Benefits
•  Scalability of trust
–  Technical: single connection to proxy, central management of partner connections
–  Organizational: trust in proxy operator
•  Updates
–  outsourced to the proxy; proxy to solve…
•  Discovery & Autoconf
–  Outsourced to the proxy; proxy to solve…
(Figure labels: Centralized Trust Mgmt, Updates, Discovery & Autoconf)

Solution 2: Metadata Service
•  aka. multi-party federation
•  Higher Education & Research
–  InCommon, UK Access Federation
–  40+ across the world
•  Business Verticals
–  Healthcare
–  Finance
–  e-Gov
•  Async technical trust
•  Sync direct peer-to-peer communication
•  Metadata upload (!)
(Diagram: three IDPs and three SPs exchange SAML metadata through a Federation Operator and speak SAML directly to each other)

Distribution variants (SAML 2.0 metadata)
•  Flat file based (classic)
–  > 10 Mb files for large federations (EntitiesDescriptor)
•  Query-based (MDX)
•  Well known location for metadata
–  EntityID-is-URL-to-Metadata
–  SAML auto-connect (Ping Identity)
•  DNS based (registry)
•  Trust
1.  signed metadata
2.  trusted registry
3.  SSL CA
(Diagram: three numbered variants, 1 to 3, showing IDP/SP pairs and a DNS registry)

Metadata Expiry (!)
•  Attributes on Entity and Entities level: validUntil and cacheDuration
•  On EntitiesDescriptor and EntityDescriptor level
•  use only validUntil to enforce expiration
•  use cacheDuration to override (downward) the refresh interval
•  keep using (valid) metadata if the refresh fails
(Timeline: t1, t1+d, t1+2d, v=t2, t2+d, t2+2d; d = cacheDuration (interval), v = validUntil (timestamp))
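The refresh rule on this slide, written out as an added example in Python (not code from the slides or from any Ping Identity product): validUntil is the only hard expiry, cacheDuration can only shorten the refresh interval, and a failed refresh keeps the last still-valid copy. It also resolves the case where both EntitiesDescriptor and EntityDescriptor carry these attributes. The default interval, the helper names and the sample aggregate are assumptions.

```python
# Added example (not from the slides): refresh scheduling for SAML 2.0 metadata,
# where d = cacheDuration sets the refresh interval and v = validUntil is the hard
# expiry. Default interval, helper names and the sample aggregate are assumptions.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DEFAULT_REFRESH = timedelta(hours=24)  # assumed operator-configured interval

# Constructed aggregate: the wrapper expires on 20 July, the IDP entry on 15 July.
SAMPLE_METADATA = b"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2013-07-20T00:00:00Z" cacheDuration="P7D">
  <md:EntityDescriptor entityID="https://idp.example.org/SAML2"
      validUntil="2013-07-15T00:00:00Z" cacheDuration="PT6H">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.com/SAML2">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_timestamp(value: str) -> datetime:
    """validUntil is an xs:dateTime in UTC ('Z' suffix)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_duration(value: str) -> timedelta:
    """Day/time subset of xs:duration used for cacheDuration (e.g. PT6H, P7D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported cacheDuration: {value}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def effective_expiry(doc: bytes, entity_id: str) -> Tuple[Optional[datetime], Optional[timedelta]]:
    """(validUntil, cacheDuration) governing one entity: both attributes may sit on
    enclosing EntitiesDescriptor wrappers and on the EntityDescriptor itself, and the
    earliest expiry / shortest duration wins, so an entity never outlives its aggregate."""
    def walk(elem, until, dur):
        if "validUntil" in elem.attrib:
            t = parse_timestamp(elem.attrib["validUntil"])
            until = t if until is None else min(until, t)
        if "cacheDuration" in elem.attrib:
            d = parse_duration(elem.attrib["cacheDuration"])
            dur = d if dur is None else min(dur, d)
        if elem.tag == f"{{{MD_NS}}}EntityDescriptor":
            return (until, dur) if elem.attrib.get("entityID") == entity_id else None
        for child in elem:
            found = walk(child, until, dur)
            if found is not None:
                return found
        return None
    found = walk(ET.fromstring(doc), None, None)
    if found is None:
        raise KeyError(f"entity not in metadata: {entity_id}")
    return found

@dataclass
class MetadataState:
    document: bytes
    valid_until: Optional[datetime]      # v on the slide; None = no expiry declared
    cache_duration: Optional[timedelta]  # d on the slide
    last_attempt: datetime

def load_state(doc: bytes, entity_id: str, now: datetime) -> MetadataState:
    until, dur = effective_expiry(doc, entity_id)
    return MetadataState(doc, until, dur, now)

def is_usable(state: MetadataState, now: datetime) -> bool:
    """Only validUntil decides whether cached metadata may still be trusted."""
    return state.valid_until is None or now < state.valid_until

def next_refresh(state: MetadataState, now: datetime) -> Optional[datetime]:
    """cacheDuration may only shorten the default interval, and no refresh is
    scheduled past validUntil. None means the metadata has already expired."""
    if not is_usable(state, now):
        return None
    interval = DEFAULT_REFRESH
    if state.cache_duration is not None:
        interval = min(interval, state.cache_duration)
    due = state.last_attempt + interval
    return due if state.valid_until is None else min(due, state.valid_until)

def apply_refresh(state: MetadataState, new_doc: Optional[bytes], entity_id: str,
                  now: datetime) -> MetadataState:
    """A fetched document replaces the cached copy. A failed fetch (None) keeps the
    old copy while it is still valid; an expired copy is never silently extended."""
    if new_doc is not None:
        return load_state(new_doc, entity_id, now)
    if not is_usable(state, now):
        raise RuntimeError("metadata expired and refresh failed; stop using it")
    return MetadataState(state.document, state.valid_until, state.cache_duration, now)
```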

Benefits
•  Scalability of trust
–  Technical: removes need to exchange metadata on peer-to-peer basis
–  Organizational: federation operator does IDP and SP vetting through contractual agreements
•  Key rollover
–  Include multiple signing keys for a <validUntil> period
•  Discovery and auto-configuration
–  Building block…
(Figure labels: Scalability of Trust, Key Rollover, Discovery & Autoconf)

Metadata Service layering: interfederation
(Diagram: two federations, each with its own IDPs, SPs and Metadata, feed an Interfederation Operator that publishes Aggregated Metadata)

SAML 2.0 Metadata extensions
•  MDUI
–  SAML version 2.0 Metadata Extensions for Login and Discovery User interface, version 1.0
•  Entity attributes
–  SAML V2.0 Metadata Extension for Entity Attributes Version 1.0
–  Generic extension point
•  Signed Entity Attributes
–  Single source of metadata, support multiple trust levels or hierarchies
•  Other protocols
–  SAML 1.0, SAML 1.1
–  WS-Federation (ADFS 2.0)
–  OpenID 2.0
–  OpenID Connect (?) -> independent registry or attr

Taxonomy + Examples
Deployment   Model: Proxy        Model: Metadata
External     IDMaaS (PingOne)    Federation (InCommon)
Internal     Proxy (PingFed)     “Metadata Server”

Solution Examples for SAML 2.0
•  Proxy
–  PingOne
–  wayf.dk
•  Metadata Service
–  InCommon
–  UK Access Federation
Any SAML product implementation today may or may not support one or both models, in the core or through customizations.

OpenID Connect Metadata (OP and RP)
•  Metadata and key material separated
•  Use HTTP cache info for the JWK set (optional)
•  Multiple keys with “kids”
–  JIT: client fetches kid if unknown
•  Client updates keys with OP through DynReg
(Diagram: OP and RP each publish metadata and a JWK set; a Metadata Service and Dynamic Client Registration sit between them)
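The RP-side key handling this slide describes, as an added example in Python (not code from the slides or from any Ping Identity product): signing keys selected by kid, the HTTP max-age driving the cache lifetime, a just-in-time refetch when a token names an unknown kid, and a minimum interval between such refetches so that a stream of unknown kids cannot force one jwks_uri fetch per token. The fetcher interface, the limits and the sample OP are assumptions.

```python
import json
import re
from typing import Callable, Dict, Optional, Tuple

# Assumed interface: a fetcher returns the OP's JWK set document together with
# the Cache-Control header value it was served with (None if the OP sent none).
Fetcher = Callable[[], Tuple[bytes, Optional[str]]]


def parse_max_age(cache_control: Optional[str]) -> Optional[int]:
    """Extract max-age (seconds) from a Cache-Control header, if present."""
    if not cache_control:
        return None
    m = re.search(r"(?:^|[,\s])max-age=(\d+)", cache_control)
    return int(m.group(1)) if m else None


class JwksCache:
    """RP-side cache of an OP's signing keys, selected by kid.

    The set is refreshed when its HTTP cache lifetime has elapsed, and just in
    time when a token names a kid that is not cached. The JIT path is rate
    limited: without the limit, each token carrying a made-up kid would cost
    the RP (and the OP) one jwks_uri fetch.
    """

    def __init__(self, fetch: Fetcher, default_ttl: int = 3600,
                 min_refetch_interval: int = 60):
        self._fetch = fetch
        self._default_ttl = default_ttl          # used when no max-age is sent
        self._min_refetch = min_refetch_interval
        self._keys: Dict[str, dict] = {}
        self._expires_at = 0.0                   # forces a fetch on first use
        self._last_fetch: Optional[float] = None
        self.fetch_count = 0                     # exposed for observability

    def refresh(self, now: float) -> None:
        body, cache_control = self._fetch()
        keys: Dict[str, dict] = {}
        for jwk in json.loads(body).get("keys", []):
            # Only signing keys are selectable here; an OP may publish
            # encryption keys ("use": "enc") in the same set.
            if "kid" in jwk and jwk.get("use", "sig") == "sig":
                keys[jwk["kid"]] = jwk
        self._keys = keys
        ttl = parse_max_age(cache_control)
        self._expires_at = now + (self._default_ttl if ttl is None else ttl)
        self._last_fetch = now
        self.fetch_count += 1

    def get_key(self, kid: str, now: float) -> Optional[dict]:
        """Return the JWK for kid, refetching on cache expiry or unknown kid."""
        if now >= self._expires_at:
            self.refresh(now)
        key = self._keys.get(kid)
        if key is None and (self._last_fetch is None
                            or now - self._last_fetch >= self._min_refetch):
            self.refresh(now)                    # JIT fetch for a fresh kid
            key = self._keys.get(kid)
        return key


def make_sample_op():
    """Constructed OP for this example: publishes kid 2013-06 and, after
    rotation, also 2013-07, keeping the old key so in-flight tokens still
    verify. Key values are placeholders, not real RSA parameters."""
    state = {"rotated": False}

    def fetch() -> Tuple[bytes, Optional[str]]:
        keys = [{"kty": "RSA", "kid": "2013-06", "use": "sig",
                 "n": "placeholder-modulus", "e": "AQAB"}]
        if state["rotated"]:
            keys.append({"kty": "RSA", "kid": "2013-07", "use": "sig",
                         "n": "placeholder-modulus", "e": "AQAB"})
        return json.dumps({"keys": keys}).encode(), "public, max-age=600"

    return fetch, state
```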

RECOMMENDATIONS

Recommendations
•  The problem is not protocol specific (!)
–  Any solution should be multi-protocol enabled or rather protocol agnostic
•  A shared service, two possible approaches
–  Metadata Service (“automate”) or Proxy (“outsource”)
•  True Internet scale? Expect combinations (!)
–  Local/enterprise/community: proxy based
–  Protocol Translation: proxy
–  Global: (interconnected) metadata service based

Metadata Service
•  Registration and publishing service for “endpoint” metadata
–  Multi-protocol: both SAML 2.0 and OpenID Connect (OPs)
•  Technical Trust
–  authenticated, trusted source
•  Discovery
–  multiple entities on a single OIDC domain
–  Entities that cannot or will not host their own metadata
–  Replace well-known URL starting point
•  Validation
•  Certification

Future? Not so much!
•  Identity is/as KEY
–  not just users, but also devices and applications
•  Unified access policy implementation across web and APIs/Mobile
–  Based on identity
•  Enterprise:
–  Single System -> Identity Bridge
•  Identity Bridge
–  Bridge external SAML and OpenID Connect to internal OpenID Connect (both ends standardized)

Thank You
Q&A
@hanszandbelt
Ping Identity

 

CIS13: Identity at Scale

  • 7. Connection Management (*)
    •  Metadata related (not so standard for other-than-SAML protocols)
      –  key material
      –  SSO service URLs
      –  point of contact
    •  Attributes
      –  could be metadata, often isn't
      –  may be bilateral (!)
      –  required/optional, consent
    •  Policies
      –  contractual agreements
      –  privacy
    •  End-user/application/SSO related
      –  how users can sign in (relation to service URLs)
      –  change in look and feel
      –  change in functionality
  • 8. Metadata - SAML 2.0
    •  Technical Trust
    •  X.509 Certificate
      –  Anchored vs. unanchored
      –  Key vs. other cert info
    •  URLs/Bindings
    •  Contact info
      –  Company name, admin/tech contact
    Example IdP metadata shown on the slide:

    <md:EntityDescriptor
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://idp.example.org/SAML2">

      <!-- insert ds:Signature element -->

      <md:IDPSSODescriptor
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

        <md:KeyDescriptor use="signing">
          <ds:KeyInfo>…</ds:KeyInfo>
        </md:KeyDescriptor>

        <md:SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://idp.example.org/SAML2/SSO/POST"/>
        <md:SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
            Location="https://idp.example.org/SAML2/Artifact"/>

      </md:IDPSSODescriptor>

      <md:Organization>
        <md:OrganizationName xml:lang="en">SAML Identity Provider</md:OrganizationName>
        <md:OrganizationURL xml:lang="en">http://www.idp.example.org/</md:OrganizationURL>
      </md:Organization>

      <md:ContactPerson contactType="technical">
        <md:SurName>SAML IdP Support</md:SurName>
        <md:EmailAddress>mailto:saml-support@idp.example.org</md:EmailAddress>
      </md:ContactPerson>

    </md:EntityDescriptor>

  • 9. Connection Management Metadata/Technical Issues
    •  Conn Mgmt is often a one-shot process (i.e. a snapshot)
    •  Certificate expiry and update
    •  Contact info update
    •  URL and binding updates
    •  Changes in IDP discovery process
    •  Metadata documents can contribute to the solution, but how to scale the exchange?
    (diagram labels: Key Rollover, Contact Info, Bindings & URLs)
  • 10. BE AWARE
    Contrary to popular belief: the connection management problem is NOT specific to SAML; any federated authentication system deployed at true internet scale will have to address this issue. So: any solution should be protocol agnostic.
  • 11. TOWARDS A SOLUTION – What can we do?
  • 12. Solution Approach (n=2): Shared Conn. Mgmt.
    •  Single/central/shared point of connection management (trust)
    •  Trusted 3rd party
      –  From user trust that scales through a 2nd party, to SP/IDP trust through a 3rd party
    •  Compares to TLS and a Certificate Authority, or to DNS
    •  Challenge
      –  How to create a trusted channel
    (diagram: IDPs and SPs connected through a Shared Service)
  • 13. A shared service… where does it apply?
    •  intra-enterprise
      –  large distributed organizations, both infrastructure and responsibilities/trust (acquisitions and mergers)
      –  connect multiple applications to a variety of externals & internals; "user access firewall"
    •  inter-enterprise
      –  verticals: healthcare, automotive, banking/financial, education, but also "cross e-Gov"
      –  homogeneous(!) group with shared interest/organization
    (diagram: IDP/SP pairs)
  • 14. A Next Step In Architecture Evolution…
    (diagram, four stages: 1. Application Server with a Fed component per app; 2. App Server or Access System with one shared Federation component; 3. App Server with a separate Federation Server; 4. multiple App Servers behind a Fed Server, plus Connection Management)
  • 15. Solution 1: Proxy
    •  Indirect peer-to-peer communication
    •  Trust the proxy only, relay to peers, in-band
    •  Shift the metadata problem to a central facility: no distributed mgmt
    •  Technical trust may be combined with organizational trust
    •  Connection Mgmt
      –  MxN -> M+N
    •  Accommodate different SAML implementations
    •  Protocol translations are possible
    (diagram: an Operator runs a SAML Proxy (SP-IDP) between the IDPs and the SPs)
  • 16. Benefits
    •  Scalability of trust
      –  Technical: single connection to the proxy, central management of partner connections
      –  Organizational: trust in the proxy operator
    •  Updates
      –  outsourced to the proxy; proxy to solve…
    •  Discovery & Autoconf
      –  outsourced to the proxy; proxy to solve…
  • 17. Solution 2: Metadata Service
    •  aka multi-party federation
    •  Higher Education & Research
      –  InCommon, UK Access Federation
      –  40+ across the world
    •  Business Verticals
      –  Healthcare
      –  Finance
      –  e-Gov
    •  Async technical trust
    •  Sync direct peer-to-peer communication
    •  Metadata upload (!)
    (diagram: IDPs and SPs upload SAML Metadata to a Federation Operator)
  • 18. Distribution variants (SAML 2.0 metadata)
    •  Flat file based (classic)
      –  > 10 Mb files for large federations (EntitiesDescriptor)
    •  Query-based (MDX)
    •  Well-known location for metadata
      –  EntityID-is-URL-to-Metadata
      –  SAML auto-connect (Ping Identity)
    •  DNS based (registry)
    •  Trust
      1.  signed metadata
      2.  trusted registry
      3.  SSL CA
    (diagrams 1-3: IDP/SP pairs, with DNS in the registry variant)
  • 19. Metadata Expiry (!)
    •  Attributes on Entity and Entities level: validUntil and cacheDuration
    •  On EntitiesDescriptor and EntityDescriptor level
    •  use only validUntil to enforce expiration
    •  use cacheDuration to override (downward) the refresh interval
    •  keep using (valid) metadata if the refresh fails
    (timeline on the slide: t1, t1+d, t1+2d, …, v=t2, t2+d, t2+2d, where d = cacheDuration (interval) and v = validUntil (timestamp))
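As an added example (not from the slides), the three refresh rules above applied to the EntityDescriptor form of slide 8, using only Python's standard library: validUntil is the sole hard expiry, cacheDuration can only shorten the refresh interval, and a failed refresh keeps still-valid cached metadata. The sample document and the 24-hour default interval are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Constructed sample (not from the slides): IdP metadata carrying both expiry attributes.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="https://idp.example.org/SAML2"
    validUntil="2013-07-15T00:00:00Z" cacheDuration="PT6H">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/SAML2/SSO/POST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_duration(s):
    """Parse the PnDTnHnMnS subset of xs:duration that cacheDuration uses."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", s)
    if not m:
        raise ValueError("unsupported duration: " + s)
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def parse_metadata(xml_text):
    """Extract the fields this refresh policy needs from an EntityDescriptor."""
    root = ET.fromstring(xml_text)
    sso = root.find(f"{{{MD}}}IDPSSODescriptor/{{{MD}}}SingleSignOnService")
    vu, cd = root.get("validUntil"), root.get("cacheDuration")
    return {"entityID": root.get("entityID"),
            "sso_location": sso.get("Location") if sso is not None else None,
            "validUntil": datetime.fromisoformat(vu.replace("Z", "+00:00")) if vu else None,
            "cacheDuration": parse_duration(cd) if cd else None}

def is_valid(md, now):
    """validUntil is the only hard expiry; metadata without it never expires."""
    return md["validUntil"] is None or now < md["validUntil"]

def next_refresh(md, now, default_interval=timedelta(hours=24)):
    """cacheDuration may only shorten the local refresh interval, never extend it."""
    interval = min(default_interval, md["cacheDuration"] or default_interval)
    due = now + interval
    return min(due, md["validUntil"]) if md["validUntil"] else due  # refresh no later than expiry

def refresh(cached, fetch, now):
    """Try fetch(); if it fails, keep the cached copy for as long as it is still valid."""
    try:
        return parse_metadata(fetch()), "refreshed"
    except Exception:
        if cached is not None and is_valid(cached, now):
            return cached, "stale-but-valid"
        return None, "expired"
```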
  • 20. Benefits
    •  Scalability of trust
      –  Technical: removes the need to exchange metadata on a peer-to-peer basis
      –  Organizational: the federation operator does IDP and SP vetting through contractual agreements
    •  Key rollover
      –  Include multiple signing keys for a <validUntil> period
    •  Discovery and auto-configuration
      –  Building block…
  • 21. Metadata Service layering: interfederation
    (diagram: an Interfederation Operator combines the Metadata of several federations, each with its own IDPs and SPs, into Aggregated Metadata)
  • 22. SAML 2.0 Metadata extensions
    •  MDUI
      –  SAML V2.0 Metadata Extensions for Login and Discovery User Interface, Version 1.0
    •  Entity attributes
      –  SAML V2.0 Metadata Extension for Entity Attributes, Version 1.0
      –  Generic extension point
    •  Signed Entity Attributes
      –  Single source of metadata, supporting multiple trust levels or hierarchies
    •  Other protocols
      –  SAML 1.0, SAML 1.1
      –  WS-Federation (ADFS 2.0)
      –  OpenID 2.0
      –  OpenID Connect (?) -> independent registry or attribute
  • 23. Taxonomy + Examples
    Model vs. Deployment:

                  External                Internal
    Proxy         IDMaaS (PingOne)        Proxy (PingFed)
    Metadata      Federation (InCommon)   "Metadata Server"

  • 24. Solution Examples for SAML 2.0
    •  Proxy
      –  PingOne
      –  wayf.dk
    •  Metadata Service
      –  InCommon
      –  UK Access Federation
    Any SAML product implementation today may or may not support one or both models, in the core or through customizations.
  • 25. OpenID Connect Metadata (OP and RP)
    •  Metadata and key material separated
    •  Use HTTP cache info for the JWK set (optional)
    •  Multiple keys with "kids" – JIT: client fetches the kid if unknown
    •  Client updates keys with the OP through DynReg
    (diagram: OP and RP each publish metadata and a JWK set; a Metadata Service and Dynamic Client Registration sit between them)
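An added example (not from the slides) of the RP-side kid handling described above: a JWK-set cache that honours the HTTP cache lifetime, re-fetches just-in-time when a token carries an unknown kid, and rate-limits those JIT fetches so that a stream of bogus kids cannot turn every token into a request to the OP. The OP, its key sets and the clock are constructed stand-ins.

```python
import json

# Constructed sample JWK sets (not real keys): the OP's set before and after a
# rollover that adds kid "2013-07" while still publishing "2013-05".
OLD_SET = {"keys": [{"kty": "RSA", "use": "sig", "kid": "2013-05", "e": "AQAB", "n": "<modulus-1>"}]}
NEW_SET = {"keys": OLD_SET["keys"] + [{"kty": "RSA", "use": "sig", "kid": "2013-07", "e": "AQAB", "n": "<modulus-2>"}]}

class FakeOp:
    """Stand-in for the OP's jwks_uri: serves the current set with an HTTP max-age."""
    def __init__(self, max_age=3600):
        self.published, self.max_age, self.fetches = OLD_SET, max_age, 0
    def rollover(self):
        self.published = NEW_SET
    def fetch(self):
        self.fetches += 1
        return json.dumps(self.published), self.max_age

class FakeClock:
    """Controllable clock (seconds) so the example runs offline and deterministically."""
    def __init__(self): self.t = 0
    def __call__(self): return self.t

class JwksCache:
    """RP-side cache of the OP's signing keys, indexed by kid."""
    def __init__(self, fetch, now, min_interval=60):
        self.fetch, self.now, self.min_interval = fetch, now, min_interval
        self.keys, self.expires, self.last_fetch = {}, 0, -min_interval
    def _reload(self):
        body, max_age = self.fetch()
        self.keys = {k["kid"]: k for k in json.loads(body)["keys"] if "kid" in k}
        self.last_fetch = self.now()
        self.expires = self.last_fetch + max_age   # honour the HTTP cache lifetime
    def key_for(self, kid):
        if self.now() >= self.expires:
            self._reload()                          # cache lifetime over: routine refresh
        if kid not in self.keys and self.now() - self.last_fetch >= self.min_interval:
            self._reload()                          # JIT: an unknown kid may mean a rollover
        return self.keys.get(kid)                   # None: reject the token, no further fetch

if __name__ == "__main__":
    op, clock = FakeOp(), FakeClock()
    cache = JwksCache(op.fetch, clock)
    print(cache.key_for("2013-05")["kid"])
    op.rollover(); clock.t += 120
    print(cache.key_for("2013-07")["kid"], op.fetches)   # JIT reload: 2 fetches so far
```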
  • 26. RECOMMENDATIONS
  • 27. Recommendations
    •  The problem is not protocol specific (!)
      –  Any solution should be multi-protocol enabled, or rather protocol agnostic
    •  A shared service, two possible approaches
      –  Metadata Service ("automate") or Proxy ("outsource")
    •  True Internet scale? Expect combinations (!)
      –  Local/enterprise/community: proxy based
      –  Protocol translation: proxy
      –  Global: (interconnected) metadata service based
  • 28. Metadata Service
    •  Registration and publishing service for "endpoint" metadata
      –  Multi-protocol: both SAML 2.0 and OpenID Connect (OPs)
    •  Technical Trust
      –  authenticated, trusted source
    •  Discovery
      –  multiple entities on a single OIDC domain
      –  entities that cannot or will not host their own metadata
      –  replace the well-known URL starting point
    •  Validation
    •  Certification
  • 29. Future? Not so much!
    •  Identity is/as KEY
      –  not just users, but also devices and applications
    •  Unified access policy implementation across web and APIs/Mobile
      –  Based on identity
    •  Enterprise:
      –  Single System -> Identity Bridge
    •  Identity Bridge
      –  Bridge external SAML and OpenID Connect to internal OpenID Connect (both ends standardized)
  • 30. Thank You – Q&A – @hanszandbelt – Ping Identity