CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and more! - David Waite
Post on 12-Aug-2015
76 Views
Preview:
Transcript
Part 3: What’s next? Discovery, Dynamic Registration, Mobile Connect and more!
David Waite
Contents
• Supporting Multiple partners • Discovery + Account Chooser • Metadata/Configuration and Dynamic Registration • Mobile Connect • Federation Proxy • Native Application Spec
Copyright © 2015 Cloud Identity Summit. All rights reserved. 2
Question
• How do you authenticate each person differently when you don’t yet know who they are?
Copyright © 2015 Cloud Identity Summit. All rights reserved. 3
Multiple Authentication Schemes
• Typical Bank Website • Ask for account information • Ask for user-specific authentication
• Federation (including OpenID Connect) decouples authentication from the process which needs it
Copyright © 2015 Cloud Identity Summit. All rights reserved. 4
Discovery in a SaaS World
• Branded URLs / Customer domains • Deep links • Persistent cookie (req. introduction) • Email domain to customer mapping • Account to customer mapping • HTTP Headers, CIDR Rules, etc etc.
Copyright © 2015 Cloud Identity Summit. All rights reserved. 5
Fallback
• Each of these is fallible
• Fall back to • Next heuristic • Error page • NASCAR page
Copyright © 2015 Cloud Identity Summit. All rights reserved. 6
Discovery Standards
• The federation standards have resulted in specifications on how to do this discovery • Where Are You From (WAYF)
• Intermediary for a network of connections (edu institutions)
Copyright © 2015 Cloud Identity Summit. All rights reserved. 7
Discovery Standards
• SAML Common Domain cookie • A network creates a common DNS domain that
each member joins in order to set/read standard-format cookies
• AccountChooser.com • A non-profit-managed domain and protocol to
cache accounts used for future user selection
Copyright © 2015 Cloud Identity Summit. All rights reserved. 8
Account Chooser
• RP triggers prompt for accounts • Based on requirements
• RP indicates “successful” authentications should be stored
• RP controls fallback (social media, local login/registration, NASCAR)
• Successful authentications cached in browser offline storage
Copyright © 2015 Cloud Identity Summit. All rights reserved. 9
Account Chooser Demo
Copyright © 2015 Cloud Identity Summit. All rights reserved. 10
Question
• What if a user enters an address you don’t recognize
Copyright © 2015 Cloud Identity Summit. All rights reserved. 11
Webfinger
• RFC xxxx • Query for information on resources • With OIDC, given a user account
dwaite@example.com, give information on OP that
Copyright © 2015 Cloud Identity Summit. All rights reserved. 12
Webfinger interface has a single, inconvenient location • https://<domain>/.well-known/webfinger • dynamic functionality • OIDC allows for this information to come from another
location, such as a proxy
Copyright © 2015 Cloud Identity Summit. All rights reserved. 13
Question
• This user account is associated with an OP I don’t know
Copyright © 2015 Cloud Identity Summit. All rights reserved. 14
OpenID Metadata
• Divided into two parts • Service endpoints and capabilities, catchable against
client forever • /.well-known/openid-configuration • Cryptographic keys, rotate often • pointed to by configuration
Copyright © 2015 Cloud Identity Summit. All rights reserved. 15
Question
• Now I know the OP, but I don’t have a relationship with/credentials for them
Copyright © 2015 Cloud Identity Summit. All rights reserved. 16
Dynamic Client Registration
• advertised in OpenID Metadata • request credentials from OP • credentials may expire/need to be refreshed
Copyright © 2015 Cloud Identity Summit. All rights reserved. 17
Dynamic Client Registration
• way to have a unique client for each installation of app • exchange hard-coded token for dynamic, per-user
one • prevents some credential hijacking and impersonation
attacks
Copyright © 2015 Cloud Identity Summit. All rights reserved. 18
Demos
• Webfinger Protocol Demo • OpenID Metadata Demo • Dynamic Client Registration demo • SSO using dynamic client
Copyright © 2015 Cloud Identity Summit. All rights reserved. 19
Question
• What to do if the site has a terms of service before you can connect a client, or other proof that you are a ‘trusted’ client?
Copyright © 2015 Cloud Identity Summit. All rights reserved. 20
Copyright © 2015 Cloud Identity Summit. All rights reserved. 21
Case Study: Mobile Connect
• Discovery process involving account chooser • Account chooser returns a fake account at the
carrier • GSMA gives a client attestation used for registration
at any of the worldwide carriers supporting connect • Get back a pseudonym for the user
Copyright © 2015 Cloud Identity Summit. All rights reserved. 22
Question
• The partner access token doesn’t give me access to the APIs I need. How can I get my own access token?
Copyright © 2015 Cloud Identity Summit. All rights reserved. 23
Need
• authentication/attributes/groups from partner • To issue the access token yourself • User information from partner can determine
capabilities of user on site, so authentication affects access
Copyright © 2015 Cloud Identity Summit. All rights reserved. 24
• OIDC to your AS server • your server does OIDC (or SAML) to your partners • Local authentication? Another “federation”
Federation Proxy
Copyright © 2015 Cloud Identity Summit. All rights reserved. 25
• App client doesn’t need to dynamically register itself with partners
• single connection to your AS • Can provide uniform attributes an API access for
your client needs
Benefits
Copyright © 2015 Cloud Identity Summit. All rights reserved. 26
• What are the best practices for implementing all this in mobile apps?
Question
Copyright © 2015 Cloud Identity Summit. All rights reserved. 27
Napps Working Group
• Working group progress…
top related