© 2011 Karthik Ethirajan, all rights reserved
OpenID Explained
Karthik Ethirajan
October 2011
Agenda
1. Executive Overview
2. What is OpenID ?
3. OpenID Identity Providers
4. OpenID Relying Parties
5. OpenID Adoption
6. OpenID Implementation & Login Flow
7. OpenID Evolution
8. Recommended Approach for OpenID
9. Appendix – Registration Flow
Executive Overview
Decentralized mechanism for single sign-on
No single Identity Provider controls the OpenID ecosystem. Anyone can offer or accept
OpenID using the published specs and sample libraries.
No fees to enable OpenID
OpenID is an open source project and hence there are no license fees to Identity
Providers or Relying Parties.
Join the big boys club
Google, Yahoo, Facebook, Microsoft, PayPal, others are foundation members. OpenID
is widely adopted from the Identity Providers side giving 1B+ users an OpenID ready
to use.
Lackluster adoption by Relying Parties
Only about 50,000 sites have adopted OpenID
What is OpenID ?
OpenID leverages existing user accounts from well-known Identity Providers to log into Relying Party websites. It echoes the single sign-on concept, but without the need for the user to establish yet another ID.
• An OpenID can be a URL or an email address
• OpenID enables dynamic discovery of the Identity Provider by embedding the provider's domain information as part of the OpenID
• The user's account name/ID with the Identity Provider is reformatted to be OpenID compliant
OpenID Identity Providers
Well adopted, but less publicized
Although Identity Providers such as Google and Facebook have provided guidance to the standard (potentially as a hedge), they offer competing products and seek to maintain their dominance of the IDP market.
Providers reluctant to accept OpenID
The providers are strong proponents of OpenID. However, they are much less enthusiastic when it comes to accepting one for their websites.
Examples of OpenID Format
Google: https://www.google.com/accounts/o8/id
AOL: openid.aol.com/username
Yahoo: me.yahoo.com
MySpace: myspace.com/username
Blogger: username.blogger.com
Verisign: username.pip.verisignlabs.com
Orange: openid.orange.fr
LiveJournal: username.livejournal.com
OpenID Relying Parties
No real incentive for adoption
The current version of OpenID offers limited support for user attribute transfer.
User experience has not been exceptional
OpenID has failed to deliver on several of the issues which it aims to solve.
Well suited for long tail websites
OpenID is the only viable option for participating in the federation of identity.
[Figure: Examples of OpenID Login. Source: openiddirectory.com]
OpenID Adoption
Identity Provider Adoption
Factors Influencing Adoption:
• Majority of large Identity Providers such as Google, Yahoo, Microsoft provide OpenIDs
• Potential gains in marketing and thought leadership are significant if the user community decides to adopt.
• Major Identity Providers are also OpenID Foundation members
Statistics: More than 1 Billion OpenID enabled user accounts
Relying Party Adoption
Factors Influencing Adoption:
• Current OpenID implementation is cumbersome for developers and users (integration is not smooth, long URL for users to remember).
• Data attribute function very limited in first iteration, leaving little incentive for relying parties to adopt the standard over other federation methods.
Statistics: Over 50K sites currently accept OpenID for login
Source: openid.net, http://upon2020.com
OpenID adoption differs significantly between Identity Providers and Relying Parties. For large identity providers, potential gains outweigh costs. For relying parties, lack of attribution, complexity of integration, and poor user experience hinder more widespread adoption.
OpenID Implementation & Login Flow
Parties: Relying Party (OpenID Consumer), Identity Provider (Authentication Server), OpenID APIs from openid.net.
Authentication:
1. User attempts to log into website using OpenID.
2. Relying Party redirects user to IDP website for authentication.
3. Verification is returned and user redirected back to relying party website.
Integration: OpenID is enabled using free open source libraries. RPs and IDPs simply integrate the desired code into their sites.
OpenID specifications are implemented on both Relying Party and Identity Provider servers using established open source libraries.
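The three-step flow above, together with the identifier handling described under "What is OpenID ?", as an added example that is not part of the original deck or of any openid.net library: a Python sketch of the relying-party side of OpenID 2.0 that normalizes what the user typed into a claimed identifier and then checks the positive assertion the Identity Provider sends back in step 3 (return_to, discovered OP endpoint, nonce freshness and replay, HMAC signature under the association key). The association store, the OP endpoint, the return URL, the nonces and the MAC key are all constructed for the demo.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
NONCE_MAX_AGE = timedelta(minutes=5)   # RP policy; the spec leaves the freshness window to the RP
# Hypothetical association store: assoc_handle -> (MAC algorithm, shared MAC key). A real RP
# fills it from the association exchange with the OP; this handle and key are constructed.
ASSOCIATIONS = {"assoc-demo-1": ("HMAC-SHA256", b"constructed-demo-mac-key-not-for-real-use")}
SEEN_NONCES = set()                    # (op_endpoint, response_nonce) pairs already accepted


def normalize_identifier(user_input):
    """Turn what the user typed (a URL or a bare domain such as me.yahoo.com) into a Claimed
    Identifier URL per OpenID 2.0 section 7.2 (URL identifiers only; XRI i-names not handled)."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    p = urlsplit(s)
    # RFC 3986 normalization: lower-case scheme and host, empty path becomes "/", drop fragment
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def kv_form(fields, signed):
    """Key-Value form of the signed fields: the exact bytes the OP's HMAC covers."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def compute_sig(fields, signed, assoc_handle):
    """Base64 HMAC over the Key-Value form, keyed with the association's MAC key."""
    algo, key = ASSOCIATIONS[assoc_handle]
    digest = hashlib.sha256 if algo == "HMAC-SHA256" else hashlib.sha1
    return base64.b64encode(hmac.new(key, kv_form(fields, signed), digest).digest()).decode()


def verify_assertion(fields, expected_return_to, discovered_op_endpoint, now=None):
    """RP-side checks on a positive assertion (OpenID 2.0 section 11). Returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    if fields.get("openid.ns") != OPENID2_NS or fields.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    signed = fields.get("openid.signed", "").split(",")
    required = ["op_endpoint", "return_to", "response_nonce", "assoc_handle"]
    required += [k for k in ("claimed_id", "identity") if "openid." + k in fields]
    missing = [k for k in required if k not in signed or "openid." + k not in fields]
    if missing:
        return False, "required fields missing or unsigned: " + ",".join(missing)
    # 11.1: return_to must be the URL this RP sent the user off with (a production RP also
    # checks that every query parameter of return_to is present in the actual request)
    if urlsplit(fields["openid.return_to"])[:3] != urlsplit(expected_return_to)[:3]:
        return False, "return_to mismatch"
    # 11.2: the asserting OP must be the one discovery found for the claimed identifier
    if fields["openid.op_endpoint"] != discovered_op_endpoint:
        return False, "op_endpoint does not match discovery"
    # 11.3: nonce = UTC timestamp "YYYY-MM-DDThh:mm:ssZ" + unique suffix; reject stale or reused
    nonce = fields["openid.response_nonce"]
    try:
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - ts) > NONCE_MAX_AGE:
        return False, "stale response_nonce"
    if (discovered_op_endpoint, nonce) in SEEN_NONCES:
        return False, "replayed response_nonce"
    # 11.4: recompute the HMAC with the stored MAC key and compare in constant time
    if fields["openid.assoc_handle"] not in ASSOCIATIONS:
        return False, "unknown assoc_handle (would need a check_authentication round trip)"
    expected = compute_sig(fields, signed, fields["openid.assoc_handle"])
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return False, "bad signature"
    SEEN_NONCES.add((discovered_op_endpoint, nonce))
    return True, "ok"


def demo():
    """Constructed assertion from a fictional OP: accepted once, then rejected as a replay,
    and rejected when the asserted identity is altered under a fresh nonce."""
    now = datetime(2011, 10, 15, 12, 0, 0, tzinfo=timezone.utc)
    op, rt = "https://op.example.net/openid", "https://rp.example.com/openid/return?sid=42"
    fields = {
        "openid.ns": OPENID2_NS, "openid.mode": "id_res", "openid.op_endpoint": op,
        "openid.claimed_id": normalize_identifier("openid.example.net/alice"),
        "openid.identity": "http://openid.example.net/alice", "openid.return_to": rt,
        "openid.response_nonce": "2011-10-15T12:00:01Zk9Qx", "openid.assoc_handle": "assoc-demo-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = compute_sig(fields, fields["openid.signed"].split(","), "assoc-demo-1")
    first = verify_assertion(fields, rt, op, now)
    replay = verify_assertion(fields, rt, op, now)
    tampered = dict(fields, **{"openid.identity": "http://openid.example.net/mallory",
                               "openid.response_nonce": "2011-10-15T12:00:02Zz1Ab"})
    return first, replay, verify_assertion(tampered, rt, op, now)
```

The order of the checks matters for detection: a replayed assertion is rejected on the nonce before the signature is even recomputed, so a valid signature alone never gets a user logged in twice.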
OpenID Evolution
OpenID Connect is the newly released version of OpenID. It contains several enhancements for easy integration and for enabling data attribution.
• OpenID Connect is an identity framework that provides authentication, authorization, and attribute transmission capability
• OpenID Connect is built on top of OAuth 2.0 and JSON Web Token (JWT)
• Accepts email as a valid OpenID format
• A suite of lightweight specifications communicating identity via RESTful APIs
• Supports protocol extension, data encryption & advanced session management
Recommended Approach for OpenID
#1 Provision Access ID as OpenID
• Access ID will most likely be used for federation of identity
• Decide on the OpenID formats to be supported
#2 Recommend implementing the newer version of OpenID, OpenID Connect
• We understand that OpenID is not well adopted today, but we feel that OpenID Connect has the major ingredients for high adoption
• The OpenID concept is blessed by NSTIC and gaining acceptance in the government segment
• Inclusion of OAuth 2.0 is aligned with the CSO roadmap for tGuard
#3 Recommend consulting with Gigya on OpenID integration options
• Gigya claims to support integration of OpenID for Relying Parties
• We are already talking to Gigya for federating Access ID
• Need to check if Gigya can help integrate OpenID APIs
Appendix – Relying Parties Accepting OpenID
Appendix – Comparison of OpenID Providers
The following comparison is provided by openidexplained.com.
Appendix – Initial Creation of OpenID from ID Provider
Below is the Yahoo implementation of an OpenID provider. The tool is accessible to any Yahoo subscriber.
Appendix – Initial Login Page of Relying Party
The user is given a choice of ID Providers along with a generic OpenID as login methods. For both authentication flows, the user is redirected to the Identity Provider.
Login Using Generic OpenID URL: the user inputs a generic OpenID URL as their login.
Login Using Common ID Provider: the user selects the Yahoo icon as the OpenID login provider.
Appendix – Authentication Page of Identity Provider
Once the user is redirected to the identity provider's authentication page, credentials are requested and verified, and upon successful authentication the user is asked to consent to the sharing of information.
[Screenshots: Authentication Form; Consent Screen]
Appendix – Redirect to Relying Party Website
Once authentication has taken place, the user is redirected back to the relying party website for further processing.
[Screenshots: Account Creation Page of Relying Party; Completed Account]
Appendix – User Profile Page of Relying Party Website
Note that the website was able to pull the user's real name from the profile stored with the identity provider. However, the attributes transferred are limited.
[Screenshot: Completed User Profile]
