Mobile Cloud Identity

Post on 15-Jan-2015


DESCRIPTION

Join Mark Diodati for this engaging tour of things identity, from a mobile and cloud perspective.

Transcript

Mobile Cloud Identity

Mark Diodati Technical Director—CTO Office

@mark_diodati

mdiodati@pingidentity.com

Thurs 13-12-05

Agenda

• Cloud Identity

• Modern Identity’s Building Blocks

• OpenID Connect

• FIDO

• NFC

CLOUD IDENTITY

On-Premises, Hybrid, Cloud

[Diagram: the three deployment models, on-premises, hybrid and cloud]

Cloud Identity

• Identity Management as a Service (IDaaS)

– Externally hosted, turnkey SaaS applications that perform identity management

• Users and applications may be on-premises or hosted

– OPEX, flexible with changes in economies of scale

• Identity bridge

– On-premises component to connect on-premises and externally hosted environments

– Supports multiple identity services

Cloud Orientation

[Diagram: three orientations for identity services, to the cloud, from the cloud and in the cloud]

To The Cloud (SSO + Provisioning)

[Diagram: the employee authenticates to on-premises Active Directory with Kerberos SSO; an on-premises identity bridge (federation IdP plus directory synchronization) delivers federation SSO and directory sync over an API to the hosted application]

To The Cloud (Mobile Identity)

[Diagram: on-premises Active Directory and Microsoft Certificate Services (administered through MMC) sit behind an identity bridge/MDM component; the externally hosted MDM cloud service uses AD group membership to drive profile/policy, credential provisioning (certificate and private key to the device) and app distribution]

From The Cloud (SSO)

[Diagram: a hosted partner's OAuth relying party, federation SP and SAML-enabled application reach on-premises resources through an identity bridge that fronts an OAuth authorization service, a federation IdP and a WAM-protected application (HTTP cookie) in front of an OAuth resource server; the bridge speaks SAML, OAuth, password and X.509]

From the Cloud (Provisioning)

[Diagram: an externally hosted provisioning IDaaS reconciles, through per-site identity bridges (Manufacturing, North America, Europe), with on-premises Active Directory and ERP]

In The Cloud (SSO + Provisioning)

[Diagram: both the federation IdP and the provisioning IDaaS are hosted; the user authenticates to the hosted IdP, which provides federated SSO and provisioning to hosted and on-premises applications]

MODERN BUILDING BLOCKS

Modern Building Blocks

• REST (Representational State Transfer)

– Adopted in response to the complexity of SOAP

– Uses HTTP for its request/response

– Each object (resource) is identified by its own URL

– Example HTTP verbs

• GET: retrieve an object's attributes

• POST: create an object with the supplied attributes

• DELETE: delete an object

Modern Building Blocks

• JSON (JavaScript Object Notation)

– Adopted in response to the complexity of XML

– Lightweight data format of name/value pairs (objects, arrays, strings, numbers, booleans, null)

Modern Building Blocks

• Most modern identity standards leverage JSON over REST

– Peanut butter and jelly

– OAuth (authorization), SCIM (provisioning), FIDO (authentication), OpenID Connect (multi-protocol)

• Some notable exceptions are SAML and XACML, which remain XML-based

Modern Building Blocks

Example: adding a user with SCIM. The REST HTTP verb (POST) creates the user; the endpoint (/Users) and each created object have unique URLs; the body is the JSON data representation of the user:

POST https://pingidentity.com:8443/Users
Authorization: Basic Y249RGlyZWN0b3J5IE1...
Content-Type: application/json

{
  "userType": "spy",
  "externalId": "tstark86753",
  "pacsSerial": "87654321",
  "active": true,
  "otpSerial": "12345678",
  "email": "tony.stark@pingidentity.com",
  "userName": "tstark",
  "givenName": "Tony",
  "familyName": "Stark"
}

(The body is simplified for the slide: a SCIM request also carries a "schemas" array, nests givenName/familyName under "name" and sends addresses as an "emails" array; pacsSerial and otpSerial are custom extension attributes. The Basic credential is only base64-encoded, so the request must travel over TLS, as the https URL here does.)
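The request above is what the wire traffic looks like; the following is an added example, not code from the slides or from Ping Identity, of the server side of the same building blocks: an in-memory /Users resource that maps the REST verbs the slides list onto JSON objects, gives each created object its own URL, enforces userName uniqueness, and checks the Basic credential. The base URL is the slide's; the "Directory Manager" account and its password, and the attribute names, are assumptions for illustration.

```python
"""In-memory SCIM-style /Users resource exercising the REST verbs the slides list.

Added example, not code from the slides or from Ping Identity. The base URL is the
one on the slide; attribute names mirror the slide's simplified body (real SCIM adds
a "schemas" array and nests name and emails). The "Directory Manager" credential
and its password are assumed for illustration only.
"""
import base64
import hmac
import json
import uuid

BASE_URL = "https://pingidentity.com:8443"           # from the slide
CREDENTIALS = {"cn=Directory Manager": "password"}   # assumed, demo only


def check_basic_auth(authorization: str) -> bool:
    """Basic auth is base64, not encryption: decode, then compare in constant time."""
    if not authorization.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
    except ValueError:              # bad base64 or bad UTF-8
        return False
    expected = CREDENTIALS.get(user)
    return expected is not None and hmac.compare_digest(expected, pw)


class ScimUsers:
    """Every created object gets its own URL, /Users/<id>, as REST requires."""

    def __init__(self):
        self._users = {}     # id -> attributes
        self._by_name = {}   # userName -> id, keeps userName unique

    def handle(self, verb: str, path: str, headers: dict, body: str = ""):
        """Dispatch one request; returns (status, response headers, JSON body)."""
        if not check_basic_auth(headers.get("Authorization", "")):
            return 401, {"WWW-Authenticate": 'Basic realm="scim"'}, ""
        parts = path.strip("/").split("/")
        if parts[0] != "Users" or len(parts) > 2:
            return 404, {}, ""
        if verb == "POST" and len(parts) == 1:
            return self._create(body)
        if verb == "GET" and len(parts) == 2:
            return self._get(parts[1])
        if verb == "DELETE" and len(parts) == 2:
            return self._delete(parts[1])
        return 405, {}, ""

    def _create(self, body):
        try:
            attrs = json.loads(body)
        except json.JSONDecodeError as exc:
            return 400, {}, json.dumps({"detail": "malformed JSON: " + exc.msg})
        if not isinstance(attrs, dict) or "userName" not in attrs:
            return 400, {}, json.dumps({"detail": "userName is required"})
        if attrs["userName"] in self._by_name:
            return 409, {}, json.dumps({"detail": "userName already exists"})
        uid = str(uuid.uuid4())
        user = dict(attrs, id=uid, meta={"location": f"{BASE_URL}/Users/{uid}"})
        self._users[uid] = user
        self._by_name[attrs["userName"]] = uid
        return 201, {"Location": user["meta"]["location"]}, json.dumps(user)

    def _get(self, uid):
        user = self._users.get(uid)
        return (200, {}, json.dumps(user)) if user else (404, {}, "")

    def _delete(self, uid):
        user = self._users.pop(uid, None)
        if user is None:
            return 404, {}, ""
        del self._by_name[user["userName"]]
        return 204, {}, ""


def demo():
    """Runs the slide's user through POST, GET and DELETE; returns the status codes."""
    auth = {"Authorization": "Basic " + base64.b64encode(b"cn=Directory Manager:password").decode()}
    body = json.dumps({"userType": "spy", "externalId": "tstark86753", "active": True,
                       "email": "tony.stark@pingidentity.com", "userName": "tstark",
                       "givenName": "Tony", "familyName": "Stark"})
    svc = ScimUsers()
    unauth = svc.handle("POST", "/Users", {}, body)[0]
    created, hdrs, _ = svc.handle("POST", "/Users", auth, body)
    dup = svc.handle("POST", "/Users", auth, body)[0]
    uid = hdrs["Location"].rsplit("/", 1)[1]
    return {"unauth": unauth, "created": created, "dup": dup,
            "fetched": svc.handle("GET", f"/Users/{uid}", auth)[0],
            "deleted": svc.handle("DELETE", f"/Users/{uid}", auth)[0],
            "gone": svc.handle("GET", f"/Users/{uid}", auth)[0]}
```

The Location header returned on 201 is the point of "objects have unique URLs": the client never has to guess an identifier, and GET and DELETE on that URL act on exactly that object. The 409 on a duplicate userName and the 401 without a credential are the two checks most often missing from home-grown provisioning endpoints.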

OPENID CONNECT

OAuth

• Increasingly popular protocol for token-based session management in rich (native) mobile applications

• Mobile web applications function well with traditional enterprise authentication

• Rich (native) mobile applications may break existing, browser-oriented infrastructure such as authentication and Web access management

OAuth Components and Flow

[Diagram: OAuth authorization server, OAuth resource server and OAuth client/relying party, with a native application and a web browser on the device; tokens are the access token (A) and the refresh token (R)]

1. Browser instantiated (the native application hands off to the browser)

2. User authentication/consent at the authorization server

3. Token reference (authorization code) returned

4. Code delivered to the client

5. Client presents the reference code plus its own authentication to the authorization server

6. Tokens downloaded (access token, refresh token)

7. Access token presented to the resource server

8. Access to the application resource

Why Not Just Use OAuth?

• OAuth is:

– Valuable as an access delegation protocol

– A good fit for native mobile applications

– Friendly for developers

• OAuth is not:

– A user identity protocol

– An “identity at scale” protocol

OpenID Connect Flow

[Diagram: the OpenID Provider is an OAuth authorization server plus a user information endpoint; the OAuth client/relying party receives three tokens, the access token (A), the refresh token (R) and the ID token (ID); it uses the access token for API access to the OAuth resource server and to fetch user information from the user information endpoint]

OIDC Multiple Provider Flow

[Diagram: OpenID Provider #1 (authorization server plus user information endpoint), an OAuth resource server, the OAuth client/relying party and OpenID Provider #2]

1. Tokens (ID, A, R) issued by OpenID Provider #1

2. User information fetched from Provider #1

3. API access to the OAuth resource server with the access token

4. ID token presented to OpenID Provider #2

5. Provider #2 issues its own access and refresh tokens

OpenID Connect Protocols

• Protocol for clients that support additional security

• Protocol for simpler clients

• Optional discovery of OpenID providers (OpenID Connect Discovery)

• Optional automated registration of clients (OpenID Connect Dynamic Client Registration), e.g., server applications, mobile devices

OpenID Connect Under The Covers

• OAuth 2.0 specifications

• JSON Web Token (JWT)

• JOSE

– JSON Web Signature (JWS)

– JSON Web Encryption (JWE)

– JSON Web Algorithms (JWA)

– JSON Web Key (JWK)
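The OAuth flow and the OpenID Connect flow above, with the JWS signing that sits under the covers, as an added example that is not part of the slides or of Ping Identity's software. Both sides run in one file: the OpenID Provider issues a one-time code bound to the client and redirect URI, exchanges it (after authenticating the client) for access, refresh and ID tokens, and the relying party validates the ID token's signature and claims before trusting it. The issuer, client ID, client secret and custom-scheme redirect URI are assumptions; HS256 is used so that the block needs only the standard library.

```python
"""Authorization-code flow with an OpenID Connect ID token, both sides in one file.

Added example, not code from the slides or from Ping Identity. The OpenID Provider
issues a one-time code bound to client and redirect URI, exchanges it for access,
refresh and ID tokens, and the relying party validates the ID token as a JWS before
trusting its claims. HS256 (HMAC keyed with the client secret) keeps it to the
standard library; issuer, client ID, secret and redirect URI are assumed.
"""
import base64, hashlib, hmac, json, secrets, time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class OpenIDProvider:
    """OAuth authorization server plus user information endpoint."""
    ISSUER = "https://op.example.com"   # assumed

    def __init__(self):
        # assumed registered client: a native app with a custom-scheme redirect
        self.clients = {"mobile-app": {"secret": b"client-s3cret", "redirect": "com.example.app://cb"}}
        self._codes = {}     # one-time code -> grant details
        self._access = {}    # access token -> (sub, expiry)

    def authorize(self, client_id, redirect_uri, nonce, authenticated_user):
        """Steps 2-3: after user authentication/consent, return a token reference (code)."""
        client = self.clients.get(client_id)
        if client is None or client["redirect"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "nonce": nonce, "sub": authenticated_user, "exp": time.time() + 60}
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 5-6: the client authenticates and redeems the code exactly once."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self._codes.pop(code, None)      # pop: a replayed code fails here
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["exp"] < time.time()):
            raise PermissionError("invalid_grant")
        now = int(time.time())
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._access[access] = (grant["sub"], now + 3600)
        id_token = jws_sign_hs256({"iss": self.ISSUER, "sub": grant["sub"], "aud": client_id,
                                   "nonce": grant["nonce"], "iat": now, "exp": now + 300},
                                  client["secret"])
        return {"token_type": "Bearer", "access_token": access, "refresh_token": refresh, "id_token": id_token}

    def userinfo(self, access_token):
        """Step 7: the user information endpoint behaves as an OAuth resource server."""
        entry = self._access.get(access_token)
        if entry is None or entry[1] < time.time():
            raise PermissionError("invalid_token")
        return {"sub": entry[0]}


def validate_id_token(id_token, client_id, client_secret, issuer, nonce):
    """Relying-party checks: pinned alg, signature, then iss, aud, nonce and exp."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token choose its algorithm
    expected = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if (claims.get("iss") != issuer or claims.get("aud") != client_id
            or claims.get("nonce") != nonce or claims.get("exp", 0) < time.time()):
        raise ValueError("claim check failed")
    return claims


def run_flow():
    op, client, secret, cb = OpenIDProvider(), "mobile-app", b"client-s3cret", "com.example.app://cb"
    nonce = secrets.token_urlsafe(8)
    code = op.authorize(client, cb, nonce, "tstark")
    tokens = op.token(client, secret, code, cb)
    claims = validate_id_token(tokens["id_token"], client, secret, op.ISSUER, nonce)
    try:                                          # replaying the code must fail
        op.token(client, secret, code, cb)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    try:                                          # a token minted for another client must fail
        validate_id_token(tokens["id_token"], "other-app", secret, op.ISSUER, nonce)
        wrong_aud_rejected = False
    except ValueError:
        wrong_aud_rejected = True
    return {"sub": claims["sub"], "userinfo_sub": op.userinfo(tokens["access_token"])["sub"],
            "replay_rejected": replay_rejected, "wrong_aud_rejected": wrong_aud_rejected}
```

The ID token is what turns the OAuth flow into an identity protocol: the relying party learns who authenticated from signed claims rather than from whatever the access token happens to unlock. HS256 is only appropriate when the client already shares a secret with the provider; a provider serving many relying parties signs with an asymmetric key (RS256 or ES256) and publishes the public half through a JWK document, and the relying party then pins that algorithm instead of HS256.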

FIDO

FIDO—A Tale of Two Protocols

• FIDO Universal Authentication Framework (UAF)

– Local mobile biometrics

– Initially proposed by Lenovo, Nok Nok, PayPal, others

– Also supports non-biometric authentication

• Universal Second Factor (U2F)

– "Smart" smart card

– Initially proposed by Google and Yubico (first to partner)

FIDO UAF

[Diagram: the FIDO authenticator(s) hold a device key pair (for attestation) and site-specific key pairs; the FIDO client runs on the device; the FIDO server at the web site/relying party stores the binding of user info and public key; a FIDO attestation service validates device attestation; ID proofing precedes enrollment]

(1) User authentication to the FIDO client (e.g., local biometric)

(2) FIDO handshake between FIDO client and FIDO server, including device attestation and the binding of user info and public key

(3) Asymmetric-key authentication: the authenticator signs the server's challenge with the site-specific private key

UAF to OpenID Connect

[Diagram: the FIDO client on the device talks to a FIDO authentication module inside the OpenID Provider, which holds the binding of user info and public key; the mobile application is the relying party]

(1) User authentication to the FIDO client

(2) FIDO handshake with the OpenID Provider's FIDO authentication module

(3) Asymmetric-key authentication

(4) Token information (ID token, access token, refresh token) returned to the mobile application (relying party)

(5) API request/response using the access token

FIDO U2F

[Diagram: the U2F device holds a device key pair (per batch, for attestation) and site-specific key pairs (with Key Handles), plus an activation button (activation required during enrollment and optional at runtime); the web site/RP runs a site authentication service and a U2F authentication service and stores user info, public key and Key Handle; device attestation is checked against an attestation service]

(1) User password authentication to the site authentication service

(2) Challenge/response with the U2F authentication service, with Key Handle
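The FIDO UAF and U2F diagrams above share one mechanism: a per-batch attestation key, a fresh site-specific key pair created at enrollment and returned with a key handle, and a challenge/response signature at login. The following is an added example, not code from the slides or from Ping Identity, that runs the token and the relying party against each other, including the two checks that make the scheme phishing- and clone-resistant: the token refuses a key handle presented under a different site identity, and the relying party refuses a signature whose counter did not increase. A toy RSA signer built on Python integers stands in for the ECDSA P-256 real U2F uses; the app IDs, the user name and the in-token key table (real tokens wrap the key and app ID into the handle itself) are assumptions for illustration.

```python
"""FIDO U2F enrollment and authentication, token and relying party in one file.

Added example, not code from the slides or from Ping Identity. It models the U2F
diagram: a per-batch attestation key, a fresh site-specific key pair per enrollment
returned with a key handle, button-press activation, challenge/response signatures
and a counter that must increase. A toy RSA signer on Python integers stands in for
the ECDSA P-256 of real U2F; app IDs and user names are assumed.
"""
import hashlib, secrets, struct


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin on an odd candidate; adequate for a demo key, not a production generator."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def rsa_keypair(bits=512):
    """Returns (public (e, n), private (d, n)); toy size so the demo runs quickly."""
    e, primes = 65537, []
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(c) and c not in primes and (c - 1) % e:
            primes.append(c)
    p, q = primes
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def sign(priv, msg: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), *priv)

def verify(pub, msg: bytes, sig: int) -> bool:
    return pow(sig, *pub) == int.from_bytes(hashlib.sha256(msg).digest(), "big")


class U2FToken:
    """The device: one attestation key per batch, one key pair per enrolled site."""
    def __init__(self, batch_keys):
        self.attest_pub, self._attest_priv = batch_keys
        self._keys, self._counter = {}, 0   # handle -> (app_id, priv); real tokens wrap this into the handle

    def register(self, app_id, challenge, button_pressed):
        if not button_pressed:
            raise PermissionError("activation (user presence) is required at enrollment")
        pub, priv = rsa_keypair()
        handle = secrets.token_bytes(16)
        self._keys[handle] = (app_id, priv)
        # attestation: the batch key vouches for the new public key, bound to app_id and challenge
        att = sign(self._attest_priv, app_id.encode() + challenge + repr(pub).encode())
        return {"pub": pub, "handle": handle, "attestation": att}

    def authenticate(self, app_id, handle, challenge):
        entry = self._keys.get(handle)
        if entry is None or entry[0] != app_id:   # a look-alike site cannot reuse the handle
            raise PermissionError("key handle does not belong to this app_id")
        self._counter += 1
        return self._counter, sign(entry[1], app_id.encode() + struct.pack(">I", self._counter) + challenge)


class RelyingParty:
    """The web site: stores user info, public key and key handle per user."""
    def __init__(self, app_id, trusted_batch_pubs):
        self.app_id, self._trusted, self._users, self._pending = app_id, trusted_batch_pubs, {}, {}

    def challenge(self, user):
        self._pending[user] = secrets.token_bytes(32)
        return self._pending[user]

    def finish_registration(self, user, reg):
        msg = self.app_id.encode() + self._pending.pop(user) + repr(reg["pub"]).encode()
        if not any(verify(pk, msg, reg["attestation"]) for pk in self._trusted):
            raise PermissionError("attestation failed: device batch not trusted")
        self._users[user] = {"pub": reg["pub"], "handle": reg["handle"], "counter": 0}
        return reg["handle"]

    def finish_authentication(self, user, counter, sig):
        c, rec = self._pending.pop(user), self._users[user]
        if not verify(rec["pub"], self.app_id.encode() + struct.pack(">I", counter) + c, sig):
            raise PermissionError("bad signature")
        if counter <= rec["counter"]:
            raise PermissionError("counter did not increase: possible cloned token")
        rec["counter"] = counter
        return counter


def demo():
    batch = rsa_keypair()
    token, site = U2FToken(batch), RelyingParty("https://bank.example", [batch[0]])
    handle = site.finish_registration("tstark", token.register(site.app_id, site.challenge("tstark"), True))
    first = site.finish_authentication("tstark", *token.authenticate(site.app_id, handle, site.challenge("tstark")))
    second = site.finish_authentication("tstark", *token.authenticate(site.app_id, handle, site.challenge("tstark")))
    try:   # phishing: a look-alike site relays the real handle but asks under its own app_id
        token.authenticate("https://bank-login.example", handle, secrets.token_bytes(32))
        phish_blocked = False
    except PermissionError:
        phish_blocked = True
    return {"first": first, "second": second, "phish_blocked": phish_blocked}
```

The relying party stores only public material (public key, key handle, last counter), which is why a breach of the site's user store does not yield reusable credentials; the password step of the diagram happens before any of this and is untouched. In a real deployment the relying party also checks the browser-supplied origin inside the signed client data, and the toy RSA routine here is for reading the protocol, not for reuse.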

U2F to Federation

[Diagram: the Federation IdP runs a primary authentication service and a U2F authentication service, storing user info, public key and Key Handle; the Federation SP consumes the SAML credentials]

(1) User password authentication to the primary authentication service

(2) Challenge/response with the U2F authentication service, with Key Handle

(3) SAML credentials issued by the Federation IdP

(4) SAML credentials presented to the Federation SP

SCEP Certificate Enrollment

[Diagram: profile service, certificate authority, user, SCEP.mobileconfig and the iPhone Configuration Utility]

(1) Utility publishes the enrollment profile (SCEP.mobileconfig)

(2) User authenticates to the profile service

(3) Profile is downloaded

(4) iOS executes SCEP enrollment against the certificate authority

(5) Certificate is installed in the iOS store

SCEP Enrollment Vulnerability

[Diagram: profile service and certificate authority; the device ends up with SCEP.mobileconfig, a private key and a certificate]

(1) Profile service to CA: Can I have a SCEP secret?

(2) CA: Sure! Your SCEP secret is "8675309".

(3) Profile service to user: Tony Stark, enroll for a certificate. Your SCEP secret is "8675309".

(4) Device to CA: My name is "Nick Fury". My SCEP secret is "8675309".

(5) CA: Here you go! Your certificate name is Nick Fury.

The SCEP challenge password authorizes enrollment but does not bind it to an identity, so anyone holding the secret can request a certificate for whatever subject name they choose.

Enhanced Enrollment

[Diagram: MDM service, certificate authority and the device, which receives a certificate and private key]

(1) MDM service to CA: Here is the public key for user Tony Stark

(2) CA to MDM service: Sure! Here is the certificate

(3) MDM service to device: Here is your certificate and private key!

The MDM, not the device, asserts the subject name, so the CA issues a certificate only for the identity the MDM has already authenticated.
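The two enrollment slides above, as an added example that is not part of the slides or of Ping Identity's software: a toy CA that behaves like the vulnerable one (any holder of the shared SCEP secret gets a certificate for whatever subject the request names) beside a hardened one that issues only a subject the profile service bound to a single-use, short-lived challenge beforehand. The hardened variant is an alternative to the slide's design in which the MDM submits the user's public key itself; both close the same hole by taking the subject out of the device's hands. Requests and certificates are plain dicts standing in for PKCS#10 and X.509, and the names and secret are the slide's, reused for illustration.

```python
"""SCEP challenge-password enrollment: the shared-secret weakness beside a fix.

Added example, not code from the slides or from Ping Identity. The first CA does
what the vulnerability slide shows: anyone presenting the shared SCEP secret gets
a certificate for whatever subject they name. The second binds a one-time challenge
to a subject before the device enrolls, so the CA issues only that subject and
refuses reuse; this is an alternative to the slide's MDM-submits-the-key design.
Requests and certificates are dicts standing in for PKCS#10 and X.509.
"""
import secrets
import time


class SharedSecretCA:
    """Vulnerable: one SCEP challenge password for everyone; subject taken from the request."""

    def __init__(self, challenge_password):
        self.password, self.issued = challenge_password, []

    def enroll(self, csr):
        if csr["challengePassword"] != self.password:
            raise PermissionError("bad SCEP secret")
        cert = {"subject": csr["subject"], "publicKey": csr["publicKey"]}   # trusts the CSR
        self.issued.append(cert)
        return cert


class BoundChallengeCA:
    """Hardened: the profile service registers (challenge -> subject) first; the CA
    issues the bound subject, ignores what the CSR claims, and burns the challenge."""

    def __init__(self):
        self._pending, self.issued = {}, []

    def register_challenge(self, subject, ttl=300):
        challenge = secrets.token_urlsafe(24)        # per-user, single-use, short-lived
        self._pending[challenge] = (subject, time.time() + ttl)
        return challenge

    def enroll(self, csr):
        binding = self._pending.pop(csr["challengePassword"], None)   # pop: one use only
        if binding is None:
            raise PermissionError("unknown or already-used challenge")
        subject, expiry = binding
        if time.time() > expiry:
            raise PermissionError("challenge expired")
        if csr["subject"] != subject:
            raise PermissionError(f"subject {csr['subject']!r} does not match binding {subject!r}")
        cert = {"subject": subject, "publicKey": csr["publicKey"]}
        self.issued.append(cert)
        return cert


def demo():
    """Replays the slide's scenario against both CAs."""
    weak = SharedSecretCA("8675309")
    # Tony Stark legitimately receives the secret ...
    weak.enroll({"subject": "CN=Tony Stark", "publicKey": "pk-tony", "challengePassword": "8675309"})
    # ... and then enrolls again as Nick Fury; the CA cannot tell the difference
    forged = weak.enroll({"subject": "CN=Nick Fury", "publicKey": "pk-tony-2", "challengePassword": "8675309"})

    strong = BoundChallengeCA()
    c = strong.register_challenge("CN=Tony Stark")
    good = strong.enroll({"subject": "CN=Tony Stark", "publicKey": "pk-tony", "challengePassword": c})
    try:   # same challenge again, now claiming to be Nick Fury
        strong.enroll({"subject": "CN=Nick Fury", "publicKey": "pk-x", "challengePassword": c})
        reuse_rejected = False
    except PermissionError:
        reuse_rejected = True
    c2 = strong.register_challenge("CN=Tony Stark")
    try:   # fresh challenge issued for Tony, but the CSR names Nick Fury
        strong.enroll({"subject": "CN=Nick Fury", "publicKey": "pk-x", "challengePassword": c2})
        mismatch_rejected = False
    except PermissionError:
        mismatch_rejected = True
    return {"weak_forged_subject": forged["subject"], "bound_subject": good["subject"],
            "reuse_rejected": reuse_rejected, "mismatch_rejected": mismatch_rejected}
```

The difference is where the identity comes from: the vulnerable CA authenticates the request (right secret) but never the requester, while the bound-challenge CA authenticates the requester through the profile service and treats the CSR's subject as a claim to be checked rather than a fact. Single use and a short TTL also limit what an intercepted challenge is worth.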

MDM - Email Proxy

[Diagram: the device holds a certificate and private key and authenticates with X.509 to the identity bridge; the bridge uses S4U Kerberos impersonation (constrained delegation) to obtain Kerberos tickets from Active Directory on the user's behalf and proxies the MDM-managed mail session to the Exchange Server]

NFC

NFC on Mobile Device

[Diagram: the NFC system on a mobile device consists of a secure element, the NFC controller and the antenna]

NFC for Converged Authentication

[Diagram: one NFC credential used for both IT access and building access]

NFC for Tablet Authentication

[Diagram: a tablet reads a contactless smart card (certificate and private key) over NFC and authenticates to a web application over SSL; a smartphone appears as an alternative to the card]

NFC Provisioning

[Diagram: on-premises PACS host, certificate authority and Active Directory connect through an identity bridge to an externally hosted Mobile Credential Management Service (MCM), which provisions a PACS credential and a PKI certificate into applications on the device]

Mobile Credential Management Service

[Diagram: the Mobile Credential Management Service (MCM) loads credentials into the NFC secure element, working with the MDM and,, for operator-controlled secure elements, with mobile network operators through a Trusted Service Manager]

NFC Authorization

[Diagram: PKI authentication with the provisioned PKI certificate, with an authorization policy delivered to the device (policy delivery)]

Copyright ©2013 Ping Identity Corporation. All rights reserved.
