Page 1: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Session Management at Scale
Scott Tomilson, Jamshid (Jim) Khosravian

Page 2: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Copyright © 2015 Cloud Identity Summit. All rights reserved. 2

Session Management Web

Page 3: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Jamshid (Jim) Khosravian

•  Senior Software Developer at PingIdentity
•  Software Technology Enthusiast
•  Canadian (Sorry that I say sorry so much)

Page 4: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Agenda

•  PingAccess Session Management
   •  Session Initiation/Creation
   •  Session Token attributes
   •  Session Attributes and Timeouts
   •  Single Logout
•  PingAccess Scalability
•  Q&A

Page 5: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Session Initiation

•  PingAccess deployed in front of web apps (Proxy)
•  PingAccess Agent installed on the web server hosting the web app (Agent)
•  PingFederate and PingAccess interactions

Page 6: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Proxy

High-level Flow:
1) Resource requested.
2) PA checks URL policy: it is a protected resource and there is no PA session. Redirect to PF to log the user in.
3) User logs in; PF session created / validated.
4) User redirected back to the resource. PA session created.
5) PA session check: OK.
6) Request OK: forward to backend resource.

Page 7: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Agent

High-level Flow:
1) Resource requested.
2) PA agent forwards the request to the PA server.
3) PA checks URL policy: it is a protected resource and there is no PA session. PA creates a redirect to PF for the agent; the agent sends the redirect back to the user.
4) User logs in; PF session created / validated.
5) User redirected back to the resource.
6) PA agent forwards the request to the PA server.
7) PA checks the PF response: OK. PA creates the session and sends the response to the agent.
8) PA response: OK. Access granted; requested resource served.

Page 8: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Session Initiation

•  "Varied" session management is handled within IdP Adapters at time of authentication / SSO
   •  E.g.: HTML Form Adapter, IWA, WAM IK (third-party tokens)
•  Session tokens issued upon SSO and re-issued regularly to handle idle timeouts
•  JWT format (signed or encrypted)
•  Contain attributes required by protected apps and the authn level
•  Can be scoped per Application

Page 9: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Session Token

•  JWT
   •  Signed (JWS)
   •  Encrypted (JWE)
•  Content
   •  Session Attributes
   •  (Optional) User Attributes

Page 10: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Session Token (cont’d)

Received PF ID Token (Signed):

    { "alg": "RS256", "kid": "gcs0e" }
    .
    {
      "sub": "joe",
      "aud": "PingAccessOIDC",
      "jti": "FfCzPyb74vu3va6RNjIBhC",
      "iss": "https://synapse.pingfederatelabs.com:9031",
      "iat": 1433128115,
      "exp": 1433128175,
      "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
      "nonce": "rhZvrAswWdztaPq-RQSqcSVAWdOiXkRTGeg6y_zVvW0",
      "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg"
    }
    .
    { Signature data }

PA Session Token (Signed):

    { "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }
    .
    {
      "sub": "joe",
      "aud": "global",
      "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
      "iat": 1433128123,
      "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
      "iss": "PingAccess",
      "exp": 1433131723,
      "pingaccess_refresh_exp": 1433305544,
      "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
      "phone_number": "+1 (425) 555-1212",
      "role": "sales",
      "address": {
        "street_address": "123 Main Street",
        "country": "USA",
        "formatted": "123 Main Street, Smallville, ME USA 11223",
        "locality": "Smallville",
        "region": "ME",
        "postal_code": "11223"
      }
    }
    .
    { Signature data }

Note the lifetimes: the PF ID token is valid for 60 seconds (exp minus iat), the PA session token for 3600 seconds. The pi.sri value from the ID token is carried into the PA token header, which is what ties the PA session back to the PingFederate session for later validation.

Page 11: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Session Storage

•  Client Side
   •  Session attributes and user attributes inside the session cookie
•  Server Side
   •  Session attributes inside the session cookie
   •  User attributes stored on the server

With client-side storage the user attributes travel in the cookie on every request, so a signed-only (JWS) token exposes them to anyone who can read the cookie; the encrypted (JWE) form is the option to use when those attributes are sensitive.

Page 12: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Session Storage (cont’d)

Session Token (Server):

    { "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }
    .
    {
      "sub": "joe",
      "aud": "global",
      "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
      "iat": 1433128123,
      "updated_time": "2011-01-03T23:58:42+0000",
      "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
      "iss": "PingAccess",
      "exp": 1433131723,
      "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN"
    }
    .
    { Signature data }

Session Token (Client):

    { "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }
    .
    {
      "sub": "joe",
      "aud": "global",
      "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
      "iat": 1433128123,
      "updated_time": "2011-01-03T23:58:42+0000",
      "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
      "iss": "PingAccess",
      "exp": 1433131723,
      "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
      "pingaccess_refresh_exp": 1433305544,
      "phone_number": "+1 (425) 555-1212",
      "role": "sales",
      "address": {
        "street_address": "123 Main Street",
        "country": "USA",
        "formatted": "123 Main Street, Smallville, ME USA 11223",
        "locality": "Smallville",
        "postal_code": "11223"
      }
    }
    .
    { Signature data }

In server-side mode the cookie carries only the session attributes and the engine looks the user attributes up; in client-side mode everything, including phone_number and address, is inside the signed cookie, along with pingaccess_refresh_exp to schedule the next attribute refresh.

Page 13: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Session Status check and refresh

•  Going back a couple of days … WHAT IF …

"WHAT IF THE RIGHT IDENTITY BECOMES A BAD ACTOR? WHAT IF IDENTITY IS TOO WEAK & TOO DISCONNECTED TO PROTECT US AT SCALE?"

Page 14: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Session Status check and refresh

•  PingFederate Session Reference ID validation
   •  pi.sri session attribute
   •  PingFederate Session State Cache (seconds)
•  PingAccess User Attribute Refresh
   •  pingaccess_refresh_exp
   •  Refresh User Attributes Interval (seconds)

The cache window is the trade-off to size deliberately: within it the engine answers from cache rather than asking PingFederate, so a PA session can outlive a session revoked at PF for up to that many seconds.

Page 15: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Session Timeout

•  Idle Timeout (Minutes): default 60 minutes
•  Max Timeout (Minutes): default 240 minutes

JWT Attribute         Description
"iat": 1433128123     JWT creation timestamp; will NOT change on reissue
"exp": 1433131723     JWT expiry timestamp; will change on reissue

In the sample token exp minus iat is 3600 seconds, i.e. the 60-minute idle default.
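The following is an added example for this page, not PingAccess or PingFederate code, modelling the two preceding slides together: a self-contained session token that is re-issued on every request with a sliding exp and a fixed iat, a pi.sri validation with a seconds-scoped cache, and a user-attribute refresh driven by pingaccess_refresh_exp. Assumptions: HS256 over a shared secret (Python stdlib has no ECDSA) stands in for the ES256 signature on the slides; a local set of live session IDs stands in for the PingFederate session lookup; the 30-second cache window and 45-minute refresh interval are made-up values; and the max timeout is enforced against the original iat, which is my reading of "iat will NOT change on reissue". The demo reuses the slide's sample pi.sri value as constructed input.

```python
"""Toy model of a PingAccess-style self-contained session token. Added example,
not PingAccess/PingFederate code: HS256 over a shared secret stands in for the
slide's ES256, a local set of live session IDs stands in for the PingFederate
session lookup, and the cache/refresh values below are assumed."""
import base64
import hashlib
import hmac
import json
import uuid

IDLE_TIMEOUT = 60 * 60       # slide default: Idle Timeout 60 minutes
MAX_TIMEOUT = 240 * 60       # slide default: Max Timeout 240 minutes
SRI_CACHE_SECONDS = 30       # "PingFederate Session State Cache (seconds)"; value assumed
REFRESH_INTERVAL = 45 * 60   # "Refresh User Attributes Interval (seconds)"; value assumed


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Engine:
    """One stateless engine node: a signing key, a stand-in PF, and a short-lived SRI cache."""

    def __init__(self, secret: bytes, pf_live_sessions: set, attr_source: dict):
        self.secret = secret
        self.pf_live_sessions = pf_live_sessions   # stand-in for PF session state
        self.attr_source = attr_source             # stand-in for PF user attributes
        self.sri_cache = {}                        # sri -> (alive, checked_at)

    def _sign(self, header: dict, claims: dict) -> str:
        body = ".".join(_b64u(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
        return body + "." + _b64u(hmac.new(self.secret, body.encode(), hashlib.sha256).digest())

    def _verify(self, token: str):
        head_b64, body_b64, sig_b64 = token.split(".")
        expected = hmac.new(self.secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64u(sig_b64)):
            raise ValueError("bad signature")
        header = json.loads(_unb64u(head_b64))
        if header.get("alg") != "HS256":           # pin the algorithm; never trust alg from the token
            raise ValueError("unexpected alg")
        return header, json.loads(_unb64u(body_b64))

    def issue(self, sub: str, sri: str, now: int) -> str:
        """Session creation at SSO. Client-side storage: user attributes ride in the token."""
        header = {"alg": "HS256", "kid": "7", "pi.sri": sri}
        claims = {"iss": "PingAccess", "sub": sub, "aud": "global", "jti": str(uuid.uuid4()),
                  "iat": now, "exp": now + min(IDLE_TIMEOUT, MAX_TIMEOUT),
                  "pingaccess_refresh_exp": now + REFRESH_INTERVAL, **self.attr_source.get(sub, {})}
        return self._sign(header, claims)

    def _sri_alive(self, sri: str, now: int) -> bool:
        cached = self.sri_cache.get(sri)
        if cached and now - cached[1] < SRI_CACHE_SECONDS:
            return cached[0]                       # inside the cache window: no PF round trip
        alive = sri in self.pf_live_sessions
        self.sri_cache[sri] = (alive, now)
        return alive

    def check(self, token: str, now: int):
        """Per-request check. Returns (status, reissued_token); the token is None unless 'ok'."""
        try:
            header, claims = self._verify(token)
        except ValueError as exc:
            return f"invalid:{exc}", None
        if now - claims["iat"] >= MAX_TIMEOUT:     # max lifetime counts from the original iat
            return "expired_max", None
        if now >= claims["exp"]:
            return "expired_idle", None
        if not self._sri_alive(header["pi.sri"], now):
            return "pf_session_gone", None
        fresh = dict(claims)
        fresh["exp"] = min(now + IDLE_TIMEOUT, claims["iat"] + MAX_TIMEOUT)   # exp slides, iat stays
        if now >= claims["pingaccess_refresh_exp"]:                              # re-pull user attributes
            fresh.update(self.attr_source.get(claims["sub"], {}))
            fresh["pingaccess_refresh_exp"] = now + REFRESH_INTERVAL
        return "ok", self._sign(header, fresh)


def demo() -> dict:
    """Drive one session through reissue, attribute refresh, PF-side revocation and max timeout."""
    sri = "YPKOMwK7PF2xB9woQexUteMpn_U"                 # constructed: reuses the slide's sample value
    live, attrs = {sri}, {"joe": {"role": "sales"}}
    engine, t0, out = Engine(b"constructed-demo-secret", live, attrs), 1433128123, {}
    tok = engine.issue("joe", sri, t0)
    status, tok = engine.check(tok, t0 + 1800)            # 30 min later: idle window slides
    claims = engine._verify(tok)[1]
    out["reissue"] = (status, claims["iat"] - t0, claims["exp"] - t0)   # ('ok', 0, 5400)
    attrs["joe"]["role"] = "admin"                         # attribute changed on the PF side
    status, tok = engine.check(tok, t0 + 3000)            # past pingaccess_refresh_exp
    out["refresh"] = (status, engine._verify(tok)[1]["role"])           # ('ok', 'admin')
    live.discard(sri)                                      # user logged out at PF
    out["cached"] = engine.check(tok, t0 + 3010)[0]       # 'ok': still inside the SRI cache window
    out["revoked"] = engine.check(tok, t0 + 3040)[0]      # 'pf_session_gone'
    busy = Engine(b"constructed-demo-secret", {sri}, attrs)   # fresh node, empty cache
    tok, k = busy.issue("joe", sri, t0), 0
    while True:                                            # stay active every 30 min until it dies
        k += 1
        status, nxt = busy.check(tok, t0 + 1800 * k)
        if status != "ok":
            break
        tok = nxt
    out["max"] = (status, k)                               # ('expired_max', 8)
    return out
```

Two points the demo makes that the slides only imply: because the engine keeps no per-session state, the max timeout has to be derivable from the token itself, which is why iat must survive reissue; and the SRI cache means a logout at PingFederate is invisible to the engine until the cached entry ages out, so the cache window is effectively the revocation latency you are accepting.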

Page 16: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

OpenID Connect Based Single Logout

•  Simple Logout (/pa/oidc/logout)
•  Single Logout
   •  PF Config
      •  Track User Sessions for Logout (AS setting)
      •  Revoke User Session on Logout (Client Settings)
      •  PingAccess Logout Capable (Client Settings)
   •  https://<PF-BASE>/idp/startSLO.ping

Page 17: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

PingAccess Scalability

•  Stateless Engine Nodes
•  Load balancing and fail over for protected sites
•  Simple Engine Node Deployment
•  Token Mediation

Page 18: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Stateless Engine nodes

•  How much state does a node hold?
   •  Temporary Token Cache
   •  (Optional) User Attributes
•  Self-contained Session Token
   •  No state sharing needed
   •  No shared database needed
   •  Missing data is calculated or fetched from PF

Page 19: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Load balancing and fail over for sites

•  Proxy deployment
   •  Load balance requests to multiple instances of the target site
   •  Fail over strategy for target sites
   •  (Coming soon) implement custom load balancing strategies

Page 20: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Simple Engine Node Deployment

•  Mostly environment setup
•  Engine:
   •  Install JDK and PingAccess
   •  Modify one line in run.properties
•  Agent:
   •  Install agent on web server of choice
   •  Create Agent/Engine config file from the admin console, copy it to the target server

Page 21: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Token Mediation

•  Token exchange using WS-Trust
   •  Server: PingFederate
   •  Input: PA Session Token
   •  Output: tokens supported by PF (WAM, OpenToken, etc.)
•  Get a session token specific to a target site

Page 22: CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian

Thank you. Q&A