IdP, SAML, OAuth 
New Acronyms for a Cloud World 
Dan Brinkmann 
@dbrinkmann
About Me 
WhatWouldDanDo.com 
@dbrinkmann 
BriForum 2011, 2012, 2013, 2014 
Citrix Synergy 2012, 2013, 2014 
Former VMware vExpert
I am not an identity expert
Agenda 
Definitions 
The Problem 
Identity & Service Providers 
Office 365 Federation example 
OAuth
Definitions
Authentication 
Verifying Identity 
Authentication (AuthN) - Verifies who you are 
• Username/password 
• 2FA / strong authentication 
• Certificates 
Enterprise: Username / Password 
Consumer: Drivers license
Massively broken
Authorization 
Possession is 9/10ths of ownership 
Authorization (AuthZ) - What you are able to do
Authorization 
Valet key: start car, lock doors, deny trunk
Definition of Terms 
SAML 
• Security Assertion Markup Language 
OAuth 
• Open standard for authorization 
Federation 
• You’ve authenticated to a different system than the one you’re trying to access; your identity has been proven by a 3rd party, and on that basis you’re being allowed into this system
History 
SAML 
• 1.0 - 2002 
• 1.1 - 2003 
• 2.0 - 2005 (not backwards compatible with 1.x) 
OAuth 
• 1.0 - 2010 
• 2.0 - 2012 (not backwards compatible with 1.0)
The Problem 
Why does federation exist?
Genesis 
u: bob    p: password1 
u: bob1   p: logmein 
u: bobby  p: 123
Along came Active Directory 
u: bobjones  p: ComplexP1!
And then came SaaS / Cloud apps
Why not use Active Directory? 
No Trust 
Bad admin 
>>passwords.txt
IdP / SP Architecture 
[Diagram: the SaaS Solution hosts the Service Provider (SP); the Enterprise hosts the Identity Provider (IDP), which reads Active Directory over LDAP. A Trust relationship links the SP and the IDP, and signed Claims flow from the IDP to the SP.]
Common IdP’s 
Ping Identity PingFederate 
CA SiteMinder 
Microsoft ADFS 
Shibboleth 
Okta
Microsoft ADFS 
ADFS 1.0 - Part of Windows 2003 R2 
ADFS 1.1 - Part of Windows 2008 and R2 (Installed as Role from Server Mgr) 
Used SAML 1.x so forget about these
Microsoft ADFS 
ADFS 2.0 - Released after Windows 2008 R2 as a standalone download 
ADFS 2.1 - Part of Windows Server 2012 and installed as a Role 
ADFS 3.0 - Part of Windows Server 2012 R2 and installed as a Role Service 
ADFS 2.x relies on IIS 
ADFS 3.x is built on http.sys (IIS is not installed or needed)
IdP / SP Architecture 
Trust / Configuration
IdP / SP Architecture 
How is trust established? 
[Diagram: Service Provider (SP) in the SaaS Solution, Identity Provider (IDP) in the Enterprise backed by Active Directory over LDAP; the Trust relationship between SP and IDP is highlighted.]
IDP Configuration: Metadata 
https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml
IDP trusts Service Provider: Relying Party ID 
"When a user requests claims from this Federation Service for the relying party, the relying party identifier will be used to identify the relying party for which the claims should be targeted." 
Translate: match the incoming SP request to the IdP's Relying Party Trust configuration
IDP trusts Service Provider: Signature 
SAML request from the Service Provider is signed 
Not always used
Service Provider trusts IDP: Token-signing certificate
IdP / SP Architecture 
Authentication
IdP / SP Architecture 
Authentication (AuthN) 
[Diagram: Service Provider (SP) in the SaaS Solution, Identity Provider (IDP) in the Enterprise; the user authenticates at the IDP, which checks Active Directory over LDAP.]
ADFS Authentication 
[Diagram: client -> ADFS Proxy -> ADFS Server -> Active Directory over LDAP, all within the Enterprise.] 
ADFS Proxy - 2.x 
Web Application Proxy - 3.x
ADFS Authentication 
Basic Authentication 
• Username & password sent in clear text over the network 
• You should always use SSL/TLS 
Windows Integrated (IWA) 
• Kerberos, NTLMSSP 
• Can work silently / background
ADFS Authentication 
Forms 
• Webpage 
• 2FA 
• Works with virtually any device 
X509 / Client Certificates
ADFS Authentication Matrix 
[Table: columns ADFS 2.x | ADFS 2.x Proxy | ADFS 3.x | Web Application Proxy; rows Basic Auth, Windows Integrated, Forms, X509 / Client Cert. The support marks in the cells did not survive extraction.]
Manipulating Authentication Priority
IdP / SP Architecture 
Claims
IdP / SP Architecture 
Claims 
[Diagram: Service Provider (SP) in the SaaS Solution, Identity Provider (IDP) in the Enterprise backed by Active Directory over LDAP; the signed Claims flowing from IDP to SP are highlighted.]
Claims 
SAML assertions contain claims 
Attribute claims contain information about the user (email address) 
Transformations can convert / modify data before creating the claim
Example SAML Token 
With a lot trimmed out 
<samlp:Response ID="_97c40e4a-d04e-409d-8ecc-1a2728f87873" Version="2.0" IssueInstant="2013-01-21T17:50:41.470Z"
    Destination="https://onprem.sharefile.com/saml/acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca" IssueInstant="2013-01-21T17:50:41.470Z" Version="2.0"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>KXdq8sGKJoFSBSB9YkF9LN7/8Ik=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>aUaw…dzA==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC…KOw==</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dan.brinkmann@citrix.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_ef94eec3026e4b49b86d6d162a3def59"
            NotOnOrAfter="2013-01-21T17:55:41.470Z" Recipient="https://onprem.sharefile.com/saml/acs" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
      <AudienceRestriction>
        <Audience>http://onprem.sharefile.com/saml/info</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <AttributeValue>juliano.maldaner@citrix.com</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2013-01-21T17:50:41.429Z" SessionIndex="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
      <AuthnContext>
        <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
SAML Assertion 
[Diagram: Attribute Store (Active Directory) -> Rule Transform -> Claims -> SAML Assertion, which carries for example:] 
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dan.brinkmann@citrix.com</NameID>...
Create a Claim Rule 
Claims
IdP / SP Architecture 
What does a SP do with the claim? 
Verify trust information (cert) 
Match the claim against a user object in its database/directory 
This database usually needs to be pre-populated, although it is possible to use the assertion / claims to do this 
[Diagram: signed Claims arriving at the Service Provider (SP) in the SaaS Solution.]
IdP / SP Architecture 
Claims 
[Diagram: Service Provider (SP) in the SaaS Solution, Identity Provider (IDP) in the Enterprise backed by Active Directory over LDAP, Trust between them and signed Claims flowing from IDP to SP; the SP's directory is populated with accounts.]
IDP / SP Sign-on Flow
IdP / SP Architecture 
[Diagram: Service Provider (SP) in the SaaS Solution, Identity Provider (IDP) in the Enterprise backed by Active Directory over LDAP, Trust between them and signed Claims flowing from IDP to SP.]
SAML: IDP-Initiated Sign-On 
[Sequence diagram between the browser, the Identity Provider (IDP) and the Service Provider (SP):] 
1. Browser -> IDP: Go to SaaS-App.com 
2. IDP -> Browser: 302 + Claims 
3. Browser -> SP: https://account.Saas-App.com/saml/acs + Claims
SAML: SP-Initiated Sign-On (Passive) 
[Sequence diagram between the browser, the Service Provider (SP) and the Identity Provider (IDP):] 
1. Browser -> SP: https://account.SaaS-App.com/saml/login 
2. SP -> Browser: 302 + Request 
3. Browser -> IDP: ../adfs/ls + Request 
4. IDP -> Browser: 401 (Auth Challenge) 
5. Browser -> IDP: ../adfs/ls + Request + 
6. IDP -> Browser: 302 + Claims 
7. Browser -> SP: https://account.SaaS-App.com/saml/acs + Claims
Troubleshooting 
IdP / SP federation issues
Common IdP Issues 
1. Attribute claim doesn’t match up 
2. Certificate is incorrect 
3. IdP time is out of whack (5 minute tolerance)
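The checks an SP applies to the Response it receives at the end of the sign-on flows above, covering the three common IdP issues just listed, as an added Python example that is not part of this deck. It runs on a constructed copy of the deck's sample Response with the ds:Signature block removed; verifying that signature against the IdP's token-signing certificate is assumed to have been done first with an XML-DSig library such as python3-saml or signxml, and SpConfig, validate_response and parse_saml_time are this example's own names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
CLOCK_SKEW = timedelta(minutes=5)  # the 5-minute tolerance from the troubleshooting slide

# Constructed sample: the deck's Response with the signature block cut out.
SAMPLE_RESPONSE = """<samlp:Response ID="_97c40e4a-d04e-409d-8ecc-1a2728f87873" Version="2.0"
 IssueInstant="2013-01-21T17:50:41.470Z" Destination="https://onprem.sharefile.com/saml/acs"
 InResponseTo="_ef94eec3026e4b49b86d6d162a3def59"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
 <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <Assertion ID="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca" IssueInstant="2013-01-21T17:50:41.470Z" Version="2.0">
  <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
  <Subject>
   <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dan.brinkmann@citrix.com</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_ef94eec3026e4b49b86d6d162a3def59"
     NotOnOrAfter="2013-01-21T17:55:41.470Z" Recipient="https://onprem.sharefile.com/saml/acs"/>
   </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
   <AudienceRestriction><Audience>http://onprem.sharefile.com/saml/info</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
    <AttributeValue>juliano.maldaner@citrix.com</AttributeValue>
   </Attribute>
  </AttributeStatement>
 </Assertion>
</samlp:Response>"""


@dataclass
class SpConfig:
    entity_id: str  # what the IdP must put in <Audience>
    acs_url: str    # Assertion Consumer Service URL: Destination and Recipient


def parse_saml_time(value: str) -> datetime:
    """xsd:dateTime in UTC; ADFS emits fractional seconds, other IdPs may not."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable SAML timestamp {value!r}")


def _check(root: ET.Element, cfg: SpConfig, request_id: Optional[str], now: datetime) -> dict:
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.get("Destination") != cfg.acs_url:
        raise ValueError("Destination is not our ACS URL")
    # SP-initiated: the Response must answer the AuthnRequest we issued.
    # IdP-initiated Responses carry no InResponseTo, so request_id is None there.
    if root.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    if now < parse_saml_time(cond.get("NotBefore", "")) - CLOCK_SKEW:
        raise ValueError("Assertion not yet valid: IdP clock ahead of ours?")
    if now >= parse_saml_time(cond.get("NotOnOrAfter", "")) + CLOCK_SKEW:
        raise ValueError("Assertion expired: IdP clock behind ours, or a replay")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg.entity_id not in audiences:
        raise ValueError(f"Assertion audience {audiences} is not this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg.acs_url:
        raise ValueError("bearer confirmation Recipient is not our ACS URL")
    if now >= parse_saml_time(scd.get("NotOnOrAfter", "")) + CLOCK_SKEW:
        raise ValueError("bearer confirmation window has passed")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if UPN_CLAIM not in attrs:
        # "Attribute claim doesn't match up": without the claim the SP keys on,
        # the user cannot be matched to an object in the SP's directory.
        raise ValueError("no UPN claim in Assertion")
    return {"issuer": assertion.findtext("saml:Issuer", namespaces=NS),
            "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "upn": attrs[UPN_CLAIM]}


def validate_response(xml_text: str, cfg: SpConfig, request_id: Optional[str], now: datetime) -> dict:
    """Post-signature checks: {'ok': True, 'claims': ...} or {'ok': False, 'reason': ...}."""
    try:
        return {"ok": True, "claims": _check(ET.fromstring(xml_text), cfg, request_id, now)}
    except (ValueError, ET.ParseError) as exc:
        return {"ok": False, "reason": str(exc)}
```

Note that the bearer SubjectConfirmationData window (5 minutes here) is much shorter than the Conditions window (1 hour), so a Response replayed half an hour later fails on the bearer check even though the Assertion itself is still within its validity period.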
How to debug SAML 
Fiddler 
Google Chrome Developer Tools 
Internet Explorer Developer Tools 
Firefox Firebug 
SAML debugger https://fed-lab.org
SAML Token 
<saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"> 
  <saml:AttributeValue>?????</saml:AttributeValue> 
</saml:Attribute> 
<saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
Service Provider trusts IDP: Token-signing certificate
Demo 
How to handle IDP Errors: 
Further information on IDP logs… 
Examples: Bad Signature, Bad Identifier
Authentication Issues 
One common issue using Integrated (prompt comes up but auth always fails)
Office 365 Federation Example
Office 365 & Azure Active Directory Services 
[Diagram: the Local Active Directory acts as the Identity Provider (IDP); Azure Active Directory acts as the Service Provider (SP); Claims flow from the IDP to the SP.]
DirSync 
DirSync populates Azure Active Directory with user accounts and groups from a local Active Directory 
http://blogs.office.com/2014/04/15/synchronizing-your-directory-with-office-365-is-easy/
DirSync Configuration
Enabling Federation 
Install the Azure Active Directory PowerShell module 
Run the PowerShell commands 
• $cred = Get-Credential 
• Connect-MsolService -Credential $cred 
• Convert-MsolDomainToFederated -DomainName <domain>
Office 365 Federated Login 
login.microsoftonline.com
Office 365 Federated Login 
danbrinkmann.com is a Federated
Office 365 Federated Login 
After typing the username it automatically redirects to my IdP
Office 365 Federated Login 
Login to ADFS 3.0 (Windows 2012 R2) 
ADFS server then redirects to: 
https://login.microsoftonline.com/login.srf
Office 365 Federated Login 
<saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"> 
  <saml:AttributeValue>dbrinkmann@danbrinkmann.com</saml:AttributeValue> 
</saml:Attribute> 
<saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
Office 365 Federated Login 
Authorization succeeds; the account is matched to the O365 mail account
Problem Solved? 
How many times would you want to do this on a mobile device? 
SAML / WS-Federation is a heavy process 
2-factor authentication is a common enterprise IdP implementation 
Cumbersome to end users
Problem Solved? 
How can we streamline AuthN? 
Cache password on mobile device 
• What about 2FA? 
• Apps get complete access to a user's account 
• Users can't revoke access to an app / device except by changing their password 
• Compromised apps expose the user's password 
• Remember WebDAV?
Enter OAuth 
AuthZ 
Authorization (AuthZ) without passwords 
Tokens can be revoked 
Tokens can be scoped 
Tokens can be time-limited 
Lightweight
Example OAuth Token 
{"expires_in":28800,"token_type":"bearer","apicp":"sharefile.com", 
 "access_files_folders":true,"change_my_settings":true,"admin_users":true, 
 "expires_at_unix":"1,405,816,443.33826","refresh_token":"m5rU7aWB….", 
 "subdomain":"danbrinkmann","modify_files_folders":true,"web_app_login":true, 
 "admin_accounts":true,"appcp":"sharefile.com","access_token":"m5rU7aWB….."}
OAuth vs SAML Token 
And I even trimmed out the signing certificate of the SAML Token 
OAuth in Consumer Lives 
Creating a separate username / 
password not required
OAuth in Consumer Lives 
Scoped Access
OAuth in Consumer Lives 
The irony of this slide
How OAuth is used in Enterprise Apps 
Instead of AuthN each time use AuthZ 
Protect mobile application using PIN / Passcode
Mobile App Solution 
1. Authenticate via IdP (FTU) 
2. Exchange SAML Token for OAuth Token 
3. Use the OAuth Access Token to access the application
Mobile App Solution 
4. If the Access Token fails, get a new one using the Refresh Token 
5. If the Refresh Token fails, then prompt the user to re-authenticate via the IdP
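The token lifecycle from the Mobile App Solution slides, as an added Python example that is neither this deck's nor ShareFile's code: a FakeAuthServer stands in for the SaaS provider's OAuth endpoints and API (tokens shaped like the deck's example, with its 28800-second expires_in), and MobileClient implements the app side, where an access-token failure is first answered with the refresh token and only a failed refresh sends the user back through the IdP. The SAML round trip itself is represented by an injected idp_login callback; all names here are this example's own.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Set


class FakeAuthServer:
    """Stand-in for the SaaS provider's OAuth endpoints and resource API.
    Constructed for this example; all state lives in memory."""

    ACCESS_TTL = 28800  # seconds: the expires_in value of the deck's token

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.access: Dict[str, dict] = {}   # access token -> expiry, scope, refresh token
        self.refresh: Dict[str, dict] = {}  # refresh token -> scope, subdomain, revoked flag

    def exchange_saml(self, upn: str, scope: Set[str]) -> dict:
        """First-time use: a SAML assertion the SP has already validated is
        swapped for a scoped OAuth access token plus a refresh token."""
        return self._issue(scope, subdomain=upn.split("@")[0])

    def use_refresh_token(self, rt: str) -> Optional[dict]:
        """Silent renewal. None when the grant is unknown or revoked, which is
        the app's signal to send the user back to the IdP."""
        entry = self.refresh.get(rt)
        if entry is None or entry["revoked"]:
            return None
        return self._issue(entry["scope"], entry["subdomain"], refresh_token=rt)

    def revoke(self, rt: str) -> None:
        """User or admin pulls one app's grant; no password change needed."""
        if rt in self.refresh:
            self.refresh[rt]["revoked"] = True
        self.access = {at: m for at, m in self.access.items() if m["refresh"] != rt}

    def call(self, access_token: str, permission: str) -> int:
        """Resource API: 401 for an unknown or expired bearer token,
        403 when the token's scope lacks the permission, else 200."""
        meta = self.access.get(access_token)
        if meta is None or self.clock() >= meta["expires_at"]:
            return 401
        return 200 if permission in meta["scope"] else 403

    def _issue(self, scope: Set[str], subdomain: str, refresh_token: Optional[str] = None) -> dict:
        if refresh_token is None:
            refresh_token = secrets.token_urlsafe(16)
            self.refresh[refresh_token] = {"scope": scope, "subdomain": subdomain, "revoked": False}
        access_token = secrets.token_urlsafe(16)
        expires_at = self.clock() + self.ACCESS_TTL
        self.access[access_token] = {"expires_at": expires_at, "scope": scope, "refresh": refresh_token}
        # Same shape as the deck's example token, scope flags included.
        return {"expires_in": self.ACCESS_TTL, "token_type": "bearer",
                "expires_at_unix": expires_at, "subdomain": subdomain,
                "access_token": access_token, "refresh_token": refresh_token,
                **{flag: True for flag in scope}}


class MobileClient:
    """The app side of the Mobile App Solution slides."""

    def __init__(self, server: FakeAuthServer, idp_login: Callable[[], str], scope: Set[str]):
        self.server, self.idp_login, self.scope = server, idp_login, scope
        self.tokens: Optional[dict] = None
        self.idp_logins = 0  # how often the user was sent through the IdP

    def _authenticate(self) -> None:
        """Full IdP round trip (SAML, possibly with 2FA), then SAML -> OAuth exchange."""
        upn = self.idp_login()
        self.idp_logins += 1
        self.tokens = self.server.exchange_saml(upn, self.scope)

    def request(self, permission: str) -> int:
        if self.tokens is None:
            self._authenticate()
        status = self.server.call(self.tokens["access_token"], permission)
        if status != 401:
            return status  # success, or a scope problem no new token would fix
        # Access token failed: try the refresh token before bothering the user.
        renewed = self.server.use_refresh_token(self.tokens["refresh_token"])
        if renewed is None:
            self._authenticate()  # refresh failed: re-authenticate via the IdP
        else:
            self.tokens = renewed
        return self.server.call(self.tokens["access_token"], permission)
```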
Summary 
Federation necessary for next-generation & mobile applications 
Authentication (AuthN): SAML 
Authorization (AuthZ): OAuth
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Último (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

IdP, SAML, OAuth

  • 1. IdP, SAML, OAuth New Acronyms for a Cloud World Dan Brinkmann @dbrinkmann
  • 2. About Me WhatWouldDanDo.com @dbrinkmann BriForum 2011, 2012, 2013, 2014 Citrix Synergy 2012, 2013, 2014 Former VMware vExpert
  • 3.
  • 4. I am not an identity expert
  • 5. Agenda Definitions The Problem Identity & Service Providers Office 365 Federation example OAuth
  • 7. Authentication Verifying Identity Authentication (AuthN) - Verifies who you are • Username/password • 2FA / strong authentication • Certificates Enterprise: Username / Password Consumer: Drivers license
  • 8. Authentication Verifying Identity Authentication (AuthN) - Verifies who you are • Username/password • 2FA / strong authentication • Certificates Enterprise: Username / Password Consumer: Drivers license Massively broken
  • 9. Authorization Possession is 9/10ths of ownership Authorization (AuthZ) - What you are able to do
  • 10. Authorization Start car, lock doors, deny trunk Valet key
  • 11. Definition of Terms SAML • Security Assertion Markup Language OAuth • Open standard for authorization Federation • You’ve authenticated to a different system than the one you’re trying to access; your identity has been proven by a 3rd party and on that basis you’re being allowed into this system
  • 12. History SAML • 1.0 - 2002 • 1.1 - 2003 • 2.0 - 2005 (not backwards compatible with 1.x) OAuth • 1.0 - 2010 • 2.0 - 2012 (not backwards compatible with 1.0)
  • 13. The Problem Why does federation exist?
  • 14. Genesis u: bob p: password1 u: bob1 p: logmein u: bobby p: 123
  • 15. Along came Active Directory u: bobjones p: ComplexP1!
  • 16. And then came SaaS / Cloud apps
  • 17. Why not use Active Directory?
  • 18. Why not use Active Directory? Bad admin >>passwords.txt
  • 19. Why not use Active Directory? No Trust Bad admin >>passwords.txt
  • 20. IdP / SP Architecture SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust Claims LDAP Signed Active Directory
  • 21. Common IdPs Ping Identity PingFederate CA SiteMinder Microsoft ADFS Shibboleth Okta
  • 22. Microsoft ADFS ADFS 1.0 - Part of Windows 2003 R2 ADFS 1.1 - Part of Windows 2008 and R2 (Installed as Role from Server Mgr) Used SAML 1.x so forget about these
  • 23. Microsoft ADFS ADFS 2.0 - Released after Windows 2008 R2 as a standalone download ADFS 2.1 - Part of Windows Server 2012 and installed as a Role ADFS 3.0 - Part of Windows Server 2012 R2 and installed as a Role Service ADFS 2.x relies on IIS ADFS 3.x is built on http.sys (IIS is not installed or needed)
  • 24. IdP / SP Architecture Trust / Configuration
  • 25. IdP / SP Architecture How is trust established? SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust LDAP Active Directory
  • 26. IDP Configuration: Metadata https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml
  • 27. IDP trusts Service Provider: Relying Party ID When a user requests claims from this Federation Service for the relying party, the relying party identifier will be used to identify the relying party for which the claims should be targeted Translate: Match incoming SP request to IdP Relying Party Trust configuration
  • 28. IDP trusts Service Provider: Signature SAML request from the Service Provider is signed Not always used
  • 29. Service Provider trusts IDP: Token-signing certificate
  • 30. IdP / SP Architecture Authentication
  • 31. IdP / SP Architecture Authentication (AuthN) SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust LDAP Active Directory
  • 32. ADFS Authentication ADFS Proxy ADFS Server Enterprise LDAP Active Directory ADFS Proxy - 2.x Web Application Proxy - 3.x
  • 33. ADFS Authentication Basic Authentication • Username & password sent in clear text over network • You should always use SSL/TLS Windows Integrated (IWA) • Kerberos, NTLMSSP • Can work silently / background
  • 34. ADFS Authentication Forms • Webpage • 2FA • Works with virtually any device X509 / Client Certificates
  • 35. ADFS Authentication Matrix ADFS 2.x ADFS 2.x Proxy ADFS 3.x Web Application Proxy Basic Auth Windows Integrated Forms X509 / Client Cert
  • 37. IdP / SP Architecture Claims
  • 38. IdP / SP Architecture Claims SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust Claims LDAP Signed Active Directory
  • 39. Claims SAML assertions contain claims Attribute claims contain information about the user (email address) Transformations can convert / modify data before creating the claim
  • 40. Example SAML Token (with a lot trimmed out)
    <samlp:Response ID="_97c40e4a-d04e-409d-8ecc-1a2728f87873" Version="2.0" IssueInstant="2013-01-21T17:50:41.470Z" Destination="https://onprem.sharefile.com/saml/acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
      <Assertion ID="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca" IssueInstant="2013-01-21T17:50:41.470Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
              <ds:DigestValue>KXdq8sGKJoFSBSB9YkF9LN7/8Ik=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>aUaw…dzA==</ds:SignatureValue>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIC…KOw==</ds:X509Certificate></ds:X509Data></KeyInfo>
        </ds:Signature>
        <Subject>
          <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dan.brinkmann@citrix.com</NameID>
          <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" NotOnOrAfter="2013-01-21T17:55:41.470Z" Recipient="https://onprem.sharefile.com/saml/acs" />
          </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
          <AudienceRestriction><Audience>http://onprem.sharefile.com/saml/info</Audience></AudienceRestriction>
        </Conditions>
        <AttributeStatement>
          <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><AttributeValue>juliano.maldaner@citrix.com</AttributeValue></Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2013-01-21T17:50:41.429Z" SessionIndex="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
          <AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>
        </AuthnStatement>
      </Assertion>
    </samlp:Response>
  • 41. SAML Assertion <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dan.brinkmann@citrix.com</NameID>... Attribute Store (Active Directory) → Rule / Transform → Claims
  • 42. Create a Claim Rule Claims
  • 43. IdP / SP Architecture What does a SP do with the claim? Verify trust information (cert) Match claim against a user object in its database/directory This database usually needs to be pre-populated, although it is possible to use the assertion / claims to do this SaaS Solution Service Provider (SP) Claims Signed
  • 44. IdP / SP Architecture Claims SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust Claims LDAP Signed Active Directory Populate with accounts
  • 45. IDP / SP Sign-on Flow
  • 46. IdP / SP Architecture SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust Claims LDAP Signed Active Directory
  • 47. SAML: IDP-Initiated Sign-On Identity Provider (IDP) / Service Provider (SP): Go to SaaS-App.com → 302 + Claims → https://account.Saas-App.com/saml/acs + Claims
  • 48. SAML: SP-Initiated Sign-On (Passive) Identity Provider (IDP) / Service Provider (SP): https://account.SaaS-App.com/saml/login → 302 + Request → ../adfs/ls + Request → 401 (Auth Challenge) → ../adfs/ls + Request → 302 + Claims → https://account.SaaS-App.com/saml/acs + Claims
  • 49. Troubleshooting IdP / SP federation issues
  • 50. Common IdP Issues 1. Attribute claim doesn’t match up 2. Certificate is incorrect 3. IdP time is out of whack (5 minute tolerance)
  • 51. How to debug SAML Fiddler Google Chrome Developer Tools Internet Explorer Developer Tools Firefox Firebug SAML debugger https://fed-lab.org
  • 52.
  • 54. SAML Token <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"> <saml:AttributeValue>?????</saml:AttributeValue> </saml:Attribute> <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
  • 55. Service Provider trusts IDP: Token-signing certificate
  • 57. How to handle IDP Errors:
  • 58. Further information on IDP logs… Bad Signature Bad Identifier
  • 59. Authentication Issues One common issue using Integrated (prompt comes up but auth always fails)
  • 61. Office 365 & Azure Active Directory Services Identity Provider (IDP) Service Provider (SP) Azure Active Directory Local Active Directory Claims
  • 62. Office 365 & Azure Active Directory Services Identity Provider (IDP) Service Provider (SP) Azure Active Directory Local Active Directory
  • 63. Office 365 & Azure Active Directory Services Identity Provider (IDP) Service Provider (SP) Azure Active Directory Local Active Directory
  • 64. DirSync DirSync populates Azure Active Directory with user accounts and groups from a local Active Directory http://blogs.office.com/2014/04/15/synchronizing-your-directory-with-office-365-is-easy/
  • 66. Office 365 & Azure Active Directory Services Identity Provider (IDP) Service Provider (SP) Azure Active Directory Local Active Directory
  • 67. Enabling Federation Install Azure Active Directory PowerShell module Run PowerShell commands • $cred = Get-Credential • Connect-MsolService -Credential $cred • Convert-MsolDomainToFederated -DomainName <domain>
  • 68. Office 365 Federated Login login.microsoftonline.com
  • 69. Office 365 Federated Login danbrinkmann.com is a Federated
  • 70. Office 365 Federated Login After typing the username it automatically redirects to my IdP
  • 71. Office 365 Federated Login Login to ADFS 3.0 (Windows 2012 R2) ADFS server then redirects to: https://login.microsoftonline.com/login.srf
  • 72. Office 365 Federated Login <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"> <saml:AttributeValue>dbrinkmann@danbrinkmann.com</saml:AttributeValue> </saml:Attribute> <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
  • 73. Office 365 Federated Login Authorization succeeds, account is matched to O365 mail account
  • 74. Problem Solved? How many times would you want to do this on a mobile device? SAML / WS-Federation is a heavy process 2-factor authentication is a common enterprise IdP implementation Cumbersome to end users
  • 75. Problem Solved? How can we streamline AuthN? Cache password on mobile device • What about 2FA? • Apps get complete access to a user’s account • Users can’t revoke access to an app / device except by changing their password • Compromised apps expose the user’s password • Remember WebDAV?
  • 76. Enter OAuth AuthZ Authorization (AuthZ) without passwords Tokens can be revoked Tokens can be scoped Tokens can be time-limited Lightweight
  • 77. Example OAuth Token
    {"expires_in":28800,"token_type":"bearer","apicp":"sharefile.com",
     "access_files_folders":true,"change_my_settings":true,"admin_users":true,
     "expires_at_unix":"1,405,816,443.33826","refresh_token":"m5rU7aWB….",
     "subdomain":"danbrinkmann","modify_files_folders":true,
     "web_app_login":true,"admin_accounts":true,"appcp":"sharefile.com",
     "access_token":"m5rU7aWB….."}
  • 78. OAuth vs SAML Token (and I even trimmed out the signing certificate of the SAML Token)
    OAuth token:
    {"expires_in":28800,"token_type":"bearer","apicp":"sharefile.com","access_files_folders":true,"change_my_settings":true,"admin_users":true,"expires_at_unix":"1,405,816,443.33826","refresh_token":"m5rU7aWB….","subdomain":"danbrinkmann","modify_files_folders":true,"web_app_login":true,"admin_accounts":true,"appcp":"sharefile.com","access_token":"m5rU7aWB….."}
    SAML token:
    <samlp:Response ID="_97c40e4a-d04e-409d-8ecc-1a2728f87873" Version="2.0" IssueInstant="2013-01-21T17:50:41.470Z" Destination="https://onprem.sharefile.com/saml/acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
      <Assertion ID="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca" IssueInstant="2013-01-21T17:50:41.470Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
              <ds:DigestValue>KXdq8sGKJoFSBSB9YkF9LN7/8Ik=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>aUaw…dzA==</ds:SignatureValue>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIC…KOw==</ds:X509Certificate></ds:X509Data></KeyInfo>
        </ds:Signature>
        <Subject>
          <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">juliano.maldaner@citrix.com</NameID>
          <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" NotOnOrAfter="2013-01-21T17:55:41.470Z" Recipient="https://onprem.sharefile.com/saml/acs" />
          </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
          <AudienceRestriction><Audience>http://onprem.sharefile.com/saml/info</Audience></AudienceRestriction>
        </Conditions>
        <AttributeStatement>
          <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><AttributeValue>juliano.maldaner@citrix.com</AttributeValue></Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2013-01-21T17:50:41.429Z" SessionIndex="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
          <AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>
        </AuthnStatement>
      </Assertion>
    </samlp:Response>
  • 79. OAuth in Consumer Lives Creating a separate username / password not required
  • 80. OAuth in Consumer Lives Scoped Access
  • 81. OAuth in Consumer Lives The irony of this slide
  • 82. How OAuth is used in Enterprise Apps Instead of AuthN each time use AuthZ Protect mobile application using PIN / Passcode
  • 83. Mobile App Solution Authenticate via IdP (FTU) Exchange SAML Token for OAuth Token Use OAuth Access Token to access the application
  • 84. Mobile App Solution If the Access Token fails get a new one using the Refresh Token If the Refresh Token fails then prompt user to re-authenticate Re-authenticate via IdP
  • 85. Summary Federation necessary for next-generation & mobile applications Authentication (AuthN) Authorization (AuthZ) SAML OAuth
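
The Service Provider side of slides 43 and 50, as an added example that is not part of the original deck: a Python validator that runs the checks an SP performs on a SAML Response before matching the UPN claim to a local user, including the 5-minute clock-skew tolerance from slide 50 and the distinction between SP-initiated and IdP-initiated responses from slides 47 and 48. The sample response is a constructed copy of the slide-40 token with the signature elided; SP_CONFIG, USER_DIRECTORY and the allow_idp_initiated flag are assumptions, and cryptographic signature verification is left to an XML-DSig library and only represented here by pinning the embedded certificate.

```python
# Added example (not from the original slides): the checks a Service Provider performs on a
# SAML Response before trusting its claims (slides 29, 43 and 50). Verifying the XML signature
# itself belongs to an XML-DSig library; here trust is only represented by pinning the embedded
# certificate to the one configured from the IdP's metadata.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
CLOCK_SKEW = timedelta(minutes=5)            # slide 50: "5 minute tolerance"

# Constructed sample modelled on the slide-40 token; signature and certificate elided.
SAMPLE_RESPONSE = """<samlp:Response ID="_97c40e4a-d04e-409d-8ecc-1a2728f87873" Version="2.0"
  IssueInstant="2013-01-21T17:50:41.470Z" Destination="https://onprem.sharefile.com/saml/acs"
  InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <Assertion ID="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca" Version="2.0" IssueInstant="2013-01-21T17:50:41.470Z">
  <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
  <ds:Signature><ds:SignatureValue>aUaw...dzA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...KOw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">juliano.maldaner@citrix.com</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData
    InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" NotOnOrAfter="2013-01-21T17:55:41.470Z"
    Recipient="https://onprem.sharefile.com/saml/acs"/></SubjectConfirmation></Subject>
  <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
   <AudienceRestriction><Audience>http://onprem.sharefile.com/saml/info</Audience></AudienceRestriction></Conditions>
  <AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
   <AttributeValue>juliano.maldaner@citrix.com</AttributeValue></Attribute></AttributeStatement></Assertion></samlp:Response>"""

# Relying-party configuration (constructed): what this SP learned from the IdP's metadata.
SP_CONFIG = {"issuer": "http://adfs.sharefiletest.com/adfs/services/trust",
             "signing_cert": "MIIC...KOw==", "allow_idp_initiated": False,
             "acs_url": "https://onprem.sharefile.com/saml/acs",
             "entity_id": "http://onprem.sharefile.com/saml/info"}
USER_DIRECTORY = {"juliano.maldaner@citrix.com": "local-user-1"}   # pre-populated store (slide 43)

def parse_ts(value):
    """SAML UTC timestamp such as 2013-01-21T17:50:41.470Z -> timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, now, outstanding_ids, directory=USER_DIRECTORY, cfg=SP_CONFIG):
    """Return (matched_user, []) on success or (None, [error, ...]) listing every failed check."""
    now = parse_ts(now) if isinstance(now, str) else now
    errors, root = [], ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, ["no Assertion in response"]
    # 1. Trust (slide 29): issuer and token-signing certificate must be the configured ones.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != cfg["issuer"]:
        errors.append("untrusted issuer")
    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    if cert.strip() != cfg["signing_cert"]:
        errors.append("certificate is incorrect")                     # slide 50, issue 2
    # 2. The response must be addressed to us and answer a request we actually sent.
    if root.get("Destination") != cfg["acs_url"]:
        errors.append("Destination is not our ACS URL")
    in_reply = root.get("InResponseTo")
    if in_reply is None and not cfg["allow_idp_initiated"]:
        errors.append("unsolicited (IdP-initiated) response not accepted")   # slide 47 flow
    elif in_reply is not None and in_reply not in outstanding_ids:
        errors.append("InResponseTo does not match an outstanding request")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"]:
        errors.append("SubjectConfirmationData Recipient is not our ACS URL")
    # 3. Audience: the assertion must be meant for this relying party.
    audiences = [a.text.strip() for a in assertion.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["entity_id"] not in audiences:
        errors.append("audience does not include our entity ID")
    # 4. Validity window, widened by the 5-minute tolerance at both ends (slide 50, issue 3).
    cond = assertion.find("saml:Conditions", NS)
    not_before = parse_ts(cond.get("NotBefore")) - CLOCK_SKEW
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW
    if scd is not None and scd.get("NotOnOrAfter"):
        not_on_or_after = min(not_on_or_after, parse_ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW)
    if not (not_before <= now < not_on_or_after):
        errors.append("assertion outside its validity window (check IdP/SP clocks)")
    # 5. Claim matching (slide 43; slide 50 issue 1): look the UPN attribute up in our directory.
    upn = ""
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == UPN_CLAIM:
            upn = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
    user = directory.get(upn.lower())
    if user is None:
        errors.append(f"attribute claim {upn!r} does not match any user")
    return (user, []) if not errors else (None, errors)
```

Collecting every failed check rather than stopping at the first one is what makes the slide-50 triage (claim, certificate, clock) possible from a single rejected login.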

Editor's Notes

  1. <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>dbrinkmann@danbrinkmann.com</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
  2. With a refresh token: send the API request with the access token. If the access token is invalid, try to update it using the refresh token. If the refresh request passes, update the access token and re-send the initial API request. If the refresh request fails, ask the user to re-authenticate.
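
The mobile-app token handling from slides 83 and 84 and editor note 2, as an added example (not the deck's own code and not ShareFile's real API): a Python client that calls the API with the access token, falls back to the refresh token, and only sends the user back to the IdP when the refresh is refused. FakeBackend, the placeholder SAML assertion value and the injected clock are constructed stand-ins so the flow runs offline.

```python
# Added example (not from the original slides): the token handling a mobile app needs for
# slides 83-84 and editor note 2. The token endpoint and API are a constructed in-memory
# stand-in (not ShareFile's real API) so the flow can run offline.

class FakeBackend:
    """Constructed stand-in for the SaaS token endpoint and its API."""

    def __init__(self):
        self.valid_access, self.valid_refresh = set(), set()
        self.counter = 0
        self.idp_logins = 0          # how often the user had to go back to the IdP

    def _mint(self):
        self.counter += 1
        access, refresh = f"at-{self.counter}", f"rt-{self.counter}"
        self.valid_access.add(access)
        self.valid_refresh.add(refresh)
        # expires_in as on the slide-77 token (8 hours)
        return {"access_token": access, "refresh_token": refresh, "expires_in": 28800}

    def exchange_saml(self, saml_assertion):
        """Slide 83: on first-time use the IdP's SAML token is exchanged for an OAuth token."""
        if saml_assertion != "signed-assertion-from-idp":      # constructed placeholder value
            raise PermissionError("assertion rejected")
        self.idp_logins += 1
        return self._mint()

    def refresh(self, refresh_token):
        if refresh_token not in self.valid_refresh:
            raise PermissionError("invalid or revoked refresh token")
        self.valid_refresh.discard(refresh_token)  # refresh tokens are single-use here
        return self._mint()

    def call_api(self, access_token):
        if access_token not in self.valid_access:
            return 401, None
        return 200, {"subdomain": "danbrinkmann"}

    def expire_access_tokens(self):
        self.valid_access.clear()

    def revoke_everything(self):        # slide 76: tokens can be revoked
        self.valid_access.clear()
        self.valid_refresh.clear()


class MobileClient:
    def __init__(self, backend, authenticate_via_idp, clock):
        self.backend = backend
        self.authenticate_via_idp = authenticate_via_idp   # interactive IdP login, returns a SAML token
        self.clock = clock                                 # injectable time source (seconds)
        self.tokens, self.expires_at = None, 0.0

    def _store(self, tokens):
        self.tokens = tokens
        self.expires_at = self.clock() + tokens["expires_in"]

    def _reauthenticate(self):
        self._store(self.backend.exchange_saml(self.authenticate_via_idp()))

    def _refresh_or_reauthenticate(self):
        try:
            self._store(self.backend.refresh(self.tokens["refresh_token"]))
        except PermissionError:
            self._reauthenticate()            # refresh token failed: prompt the user again

    def request(self):
        """Editor note 2: call with the access token, refresh on failure, re-authenticate last."""
        if self.tokens is None:
            self._reauthenticate()            # FTU (first-time use) goes through the IdP
        elif self.clock() >= self.expires_at:
            self._refresh_or_reauthenticate() # known-expired token: skip the doomed call
        status, body = self.backend.call_api(self.tokens["access_token"])
        if status == 401:
            self._refresh_or_reauthenticate()
            status, body = self.backend.call_api(self.tokens["access_token"])
        if status != 200:
            raise RuntimeError("API call failed even with a fresh token")
        return body
```

The idp_logins counter on the stand-in is the measure the slides care about: across expiry, silent refresh and revocation the user only sees the IdP (and its 2FA) when the refresh token is refused.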