Session Management at Scale
Scott Tomilson, Jamshid (Jim) Khosravian
Aug 12, 2015
Copyright © 2015 Cloud Identity Summit. All rights reserved. 2
Session Management Web
• Senior Software Developer at PingIdentity
• Software Technology Enthusiast
• Canadian
Jamshid (Jim) Khosravian
(Sorry that I say sorry so much)
Agenda
• PingAccess Session Management
  • Session Initiation/Creation
  • Session Token attributes
  • Session Attributes and Timeouts
  • Single Logout
• PingAccess Scalability
• Q&A
Session Initiation
• PingAccess deployed in front of web apps (Proxy)
• PingAccess Agent installed on the webserver hosting the web app (Agent)
• PingFederate and PingAccess interactions
Proxy
High-level Flow:
1) Resource requested
2) PA checks URL policy – it's a protected resource. No PA session. Redirect to PF to login user.
3) User login, PF session created / validated.
4) User redirected back to resource. PA session created.
5) PA session check – OK.
6) Request OK – forward to backend resource.
Agent
High-level Flow:
1) Resource requested
2) PA agent forwards request to PA server
3) PA checks URL policy – it's a protected resource. No PA session. Creates redirect to PF for Agent. Agent sends redirect back.
4) User login, PF session created / validated.
5) User redirected back to resource.
6) PA agent forwards request to PA server
7) PA checks PF response – OK – creates sessions – sends response to Agent
8) PA response – OK – access granted – requested resource served
Session Initiation
• "Varied" Session Management handled within IdP Adapters at time of authentication / SSO
• E.g.: • HTML Form Adapter • IWA • WAM IK (Third-party tokens)
• Session tokens issued upon SSO & re-issued regularly to handle idle timeouts
• JWT format (signed or encrypted) • Contain attributes required by
protected apps & authn level • Can be scoped per Application
Session Token
• JWT
  • Signed (JWS)
  • Encrypted (JWE)
• Content
  • Session Attributes
  • (Optional) User Attributes
Session Token (cont’d)
Received PF ID Token (Signed)

Header:
{ "alg": "RS256", "kid": "gcs0e" }
Payload:
{
  "sub": "joe",
  "aud": "PingAccessOIDC",
  "jti": "FfCzPyb74vu3va6RNjIBhC",
  "iss": "https://synapse.pingfederatelabs.com:9031",
  "iat": 1433128115,
  "exp": 1433128175,
  "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
  "nonce": "rhZvrAswWdztaPq-RQSqcSVAWdOiXkRTGeg6y_zVvW0",
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg"
}
{ Signature data }

PA Session Token (Signed)

Header:
{ "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }
Payload:
{
  "sub": "joe",
  "aud": "global",
  "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
  "iat": 1433128123,
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
  "iss": "PingAccess",
  "exp": 1433131723,
  "pingaccess_refresh_exp": 1433305544,
  "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
  "phone_number": "+1 (425) 555-1212",
  "role": "sales",
  "address": {
    "street_address": "123 Main Street",
    "country": "USA",
    "formatted": "123 Main Street, Smallville, ME USA 11223",
    "locality": "Smallville",
    "region": "ME",
    "postal_code": "11223"
  }
}
{ Signature data }
Session Storage
• Client Side
  • Session attributes and user attributes inside session cookie
• Server Side
  • Session attributes inside session cookie
  • User attributes stored on server
Session Storage (cont’d)
Session Token (Server)

Header:
{ "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }
Payload:
{
  "sub": "joe",
  "aud": "global",
  "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
  "iat": 1433128123,
  "updated_time": "2011-01-03T23:58:42+0000",
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
  "iss": "PingAccess",
  "exp": 1433131723,
  "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN"
}
{ Signature data }

Session Token (Client)

Header:
{ "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }
Payload:
{
  "sub": "joe",
  "aud": "global",
  "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
  "iat": 1433128123,
  "updated_time": "2011-01-03T23:58:42+0000",
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
  "iss": "PingAccess",
  "exp": 1433131723,
  "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
  "pingaccess_refresh_exp": 1433305544,
  "phone_number": "+1 (425) 555-1212",
  "role": "sales",
  "address": {
    "street_address": "123 Main Street",
    "country": "USA",
    "formatted": "123 Main Street, Smallville, ME USA 11223",
    "locality": "Smallville",
    "postal_code": "11223"
  }
}
{ Signature data }
Session Status check and refresh
• Going back a couple of days … WHAT IF …
WHAT IF THE RIGHT IDENTITY BECOMES A BAD ACTOR? WHAT IF IDENTITY IS TOO WEAK & TOO DISCONNECTED TO PROTECT US AT SCALE?
Session Status check and refresh
• PingFederate Session Reference ID validation
  • pi.sri session attribute
  • PingFederate Session State Cache (seconds)
• PingAccess User Attribute Refresh
  • pingaccess_refresh_exp
  • Refresh User Attributes Interval (seconds)
Session Timeout
• Idle Timeout (Minutes): default 60 minutes
• Max Timeout (Minutes): default 240 minutes
JWT Attribute        Description
"iat": 1433128123    JWT creation timestamp, will NOT change on reissue
"exp": 1433131723    JWT expiry timestamp, will change on reissue
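The idle timeout, max timeout, refresh deadline and the iat/exp behaviour on reissue described above can be combined into one session check. The following Python is an added example written for this page, not PingAccess code: the claim names and sample values come from the deck, while the function names and the decision logic are an illustration of how such claims are typically evaluated.

```python
"""Added example (not PingAccess code): sliding idle timeout and max
timeout enforcement over the PA session token claims shown above.
Defaults follow the slides: idle 60 min, max 240 min."""

IDLE_TIMEOUT_S = 60 * 60      # "Idle Timeout (Minutes)" default 60
MAX_TIMEOUT_S = 240 * 60      # "Max Timeout (Minutes)" default 240


def check_session(claims: dict, now: int) -> str:
    """Classify a decoded session payload at time `now` (epoch seconds).

    Returns 'expired', 'refresh_attributes' or 'ok'. The JWS signature
    check is assumed to have happened before this function is called.
    """
    # Both limits apply: exp tracks idle time, iat + max tracks the
    # absolute age of the session (iat never moves on reissue).
    if now >= claims["exp"] or now >= claims["iat"] + MAX_TIMEOUT_S:
        return "expired"
    # User attributes are stale once the refresh deadline has passed;
    # the slides describe fetching them again from PingFederate.
    if now >= claims.get("pingaccess_refresh_exp", float("inf")):
        return "refresh_attributes"
    return "ok"


def reissue(claims: dict, now: int) -> dict:
    """Return the payload for a re-issued token after user activity.

    iat is kept (it marks session creation), exp slides forward by the
    idle timeout but never beyond iat + max timeout.
    """
    if check_session(claims, now) == "expired":
        raise ValueError("cannot reissue an expired session")
    new = dict(claims)
    new["exp"] = min(now + IDLE_TIMEOUT_S, claims["iat"] + MAX_TIMEOUT_S)
    return new


# Constructed payload reusing the claim values from the deck's sample
# token (exp - iat is exactly the 60 minute idle timeout).
SAMPLE = {"sub": "joe", "iss": "PingAccess", "iat": 1433128123,
          "exp": 1433131723, "pingaccess_refresh_exp": 1433305544}

if __name__ == "__main__":
    t = SAMPLE["iat"] + 600
    print(check_session(SAMPLE, t), reissue(SAMPLE, t)["exp"])
```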
OpenID Connect Based Single Logout
• Simple Logout (/pa/oidc/logout)
• Single Logout
  • PF Config
    • Track User Sessions for Logout (AS setting)
    • Revoke User Session on Logout (Client Settings)
    • PingAccess Logout Capable (Client Settings)
  • https://<PF-BASE>/idp/startSLO.ping
PingAccess Scalability
• Stateless Engine Nodes
• Load balancing and fail over for protecting sites
• Simple Engine Node Deployment
• Token Mediation
Stateless Engine nodes
• How much?
  • Temporary Token Cache
  • (Optional) User Attributes
• Self-contained Session Token
  • No State Sharing needed
  • No Shared database needed
  • Missing data is calculated or fetched from PF
Load balancing and fail over for sites
• Proxy deployment
  • Load balance requests to multiple instances of target site
  • Fail over strategy for target sites
  • (Coming soon) implement custom Load Balancing strategies
Simple Engine Node Deployment
• Mostly environment setup
• Engine:
  • Install JDK and PingAccess
  • Modify one line in run.properties
• Agent:
  • Install agent on web server of choice
  • Create Agent/Engine config file from admin console, copy to the target server.
Token Mediation
• Token Exchange Using WS-Trust
  • Server: PingFederate
  • Input: PA Session Token
  • Output: Tokens Supported by PF (WAM, OpenToken, etc.)
• Get a session token specific to a target site.
Thank you Q&A