Dan Brinkmann presents on Identity Providers, SAML, and OAuth. An example of setting up Office 365 to use Active Directory Federation Services is also shown.
Transcript
1. IdP, SAML, OAuth: New Acronyms for a Cloud World. Dan Brinkmann, @dbrinkmann
2. About Me: WhatWouldDanDo.com, @dbrinkmann. BriForum 2011, 2012, 2013, 2014. Citrix Synergy 2012, 2013, 2014. Former VMware vExpert.
3. I am not an identity expert
4. Agenda: Definitions; The Problem; Identity & Service Providers; Office 365 Federation example; OAuth
5. Definitions
6-7. Authentication, Verifying Identity: Authentication (AuthN) verifies who you are. Methods: username/password; 2FA / strong authentication; certificates. Enterprise today: username / password. Consumer analogy: driver's license. Passwords as an authentication factor are massively broken.
8. Authorization, "Possession is 9/10ths of ownership": Authorization (AuthZ) is what you are able to do once your identity is known.
9. Authorization, the valet key analogy: the valet key can start the car and lock the doors but is denied the trunk. Same identity of the car, reduced set of permissions.
10. Definition of Terms: SAML, Security Assertion Markup Language, an XML-based standard for passing authentication and attribute statements between an identity provider and a service provider. OAuth, an open standard for delegated authorization. Federation: you've authenticated to a different system than the one you're trying to access, your identity has been proven by a third party, and on that basis you're being allowed into this system.
11. History: SAML 1.0 (2002), 1.1 (2003), 2.0 (2005, not backwards compatible with 1.x). OAuth 1.0 (2010, the RFC 5849 date; the original community spec dates from 2007), 2.0 (2012, RFC 6749, not backwards compatible with 1.0).
12. The Problem Why does federation exist?
13. Genesis, one account per application, each with its own password: u: bob p: password1; u: bob1 p: logmein; u: bobby p: 123
14. Along came Active Directory: one account, one centrally enforced password policy. u: bobjones p: ComplexP1!
15. And then came SaaS / Cloud apps, which live outside the directory.
16-18. Why not use Active Directory directly from the SaaS app? No trust: the SaaS provider is not part of your domain, and you do not want it holding or checking your directory credentials. Bad admin >> passwords.txt: any credentials handed to a third party are only as safe as that provider's worst administrator.
19. IdP / SP Architecture (diagram): SaaS Solution side = Service Provider (SP); Enterprise side = Identity Provider (IdP), backed by Active Directory over LDAP. A trust is configured between SP and IdP, and the IdP sends signed claims to the SP.
20. Common IdPs: Ping Identity PingFederate; CA SiteMinder; Microsoft ADFS; Shibboleth; Okta
21. Microsoft ADFS: ADFS 1.0 was part of Windows Server 2003 R2; ADFS 1.1 was part of Windows Server 2008 and 2008 R2 (installed as a role from Server Manager). Both used SAML 1.x tokens (WS-Federation), so forget about these.
22. Microsoft ADFS: ADFS 2.0 was released after Windows Server 2008 R2 as a standalone download. ADFS 2.1 is part of Windows Server 2012 and installed as a role. ADFS 3.0 is part of Windows Server 2012 R2 and installed as a role service. ADFS 2.x relies on IIS; ADFS 3.x is built on http.sys (IIS is not installed or needed).
23. IdP / SP Architecture: Trust / Configuration
24. IdP / SP Architecture, how is trust established? (diagram): SaaS Solution = Service Provider (SP); Enterprise = Identity Provider (IdP) with Active Directory over LDAP; the trust relationship sits between SP and IdP.
26. IdP trusts Service Provider: Relying Party ID. The ADFS wizard says: "When a user requests claims from this Federation Service for the relying party, the relying party identifier will be used to identify the relying party for which the claims should be targeted." Translation: the identifier in the incoming SP request (the issuer / entity ID of the AuthnRequest) is matched to a Relying Party Trust on the IdP, and the token that comes back is targeted at (has as its audience) that identifier.
27. IdP trusts Service Provider: Signature. The SAML request from the Service Provider can be signed with the SP's certificate so the IdP can verify it really came from the configured relying party. Not always used; many SPs send unsigned requests.
28. Service Provider trusts IdP: Token-signing certificate. The IdP signs every token with its token-signing key; the SP is configured with the matching certificate and must reject any token whose signature does not verify.
29. IdP / SP Architecture: Authentication
30. IdP / SP Architecture, Authentication (AuthN) (diagram): SaaS Solution = Service Provider (SP); Enterprise = Identity Provider (IdP) with Active Directory over LDAP; the user authenticates at the IdP, not at the SP.
31. ADFS Authentication (diagram): user -> ADFS Proxy (the external-facing component) -> ADFS Server -> Active Directory over LDAP. The proxy is the ADFS Proxy in 2.x and the Web Application Proxy in 3.x.
32. ADFS Authentication: Basic Authentication sends the username and password effectively in clear text (base64-encoded only) over the network, so you should always use SSL/TLS. Windows Integrated (IWA) uses Kerberos or NTLMSSP and can work silently in the background for domain-joined clients.
33. ADFS Authentication: Forms (a web page) supports 2FA and works with virtually any device. X509 / client certificates.
34. ADFS Authentication Matrix (table; the cell values did not survive extraction). Columns: ADFS 2.x, ADFS 2.x Proxy, ADFS 3.x, Web Application Proxy. Rows: Basic Auth, Windows Integrated, Forms, X509 / Client Cert.
35. Manipulating Authentication Priority
36. IdP / SP Architecture: Claims
37. IdP / SP Architecture, Claims (diagram): SaaS Solution = Service Provider (SP); Enterprise = Identity Provider (IdP) with Active Directory over LDAP; the IdP sends signed claims to the SP.
38. Claims: SAML assertions contain claims. Attribute claims carry information about the user (for example the email address). Transformations (claim rules) can convert or modify the directory data before the claim is issued.
39. Example SAML Token, with a lot trimmed out (the slide text is garbled in extraction; the recoverable elements are): Issuer http://adfs.sharefiletest.com/adfs/services/trust (appears in both the Response and the Assertion); Signature with DigestValue KXdq8sGKJoFSBSB9YkF9LN7/8Ik= and SignatureValue aUawdzA== (truncated); Subject NameID [email protected]; Audience https://onprem.sharefile.com/saml/info; an email attribute [email protected]; AuthnContextClassRef urn:federation:authentication:windows.
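Slides 26 to 28 describe the two halves of the trust (the relying party identifier on the IdP side, the token-signing certificate on the SP side), and slides 38 and 39 show the claims an assertion carries. The following added example, which is not the presentation's code, walks through both halves in Python: the IdP side turns a constructed directory record into claims through a transformation step and wraps them in a SAML 2.0 assertion shaped like slide 39; the SP side then checks issuer, validity window and audience (the relying party identifier) before consuming the claims. The issuer URL, relying party URL, group-to-role mapping and user record are all assumptions. XML-DSig verification against the token-signing certificate happens before these checks in a real SP and is not implemented here, because it needs an XML-DSig library rather than the standard library.

```python
"""Added example: IdP claim issuance with a transformation step, and the
relying-party (SP) checks applied when the assertion arrives. Not the
presentation's code; names and URLs are illustrative."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
WINDOWS_AUTHN = "urn:federation:authentication:windows"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed directory record, standing in for what the IdP reads over LDAP.
AD_USER = {
    "sAMAccountName": "bobjones",
    "mail": "Bob.Jones@corp.example",
    "memberOf": ["CN=ShareFile-Admins,OU=Groups,DC=corp,DC=example",
                 "CN=Domain Users,CN=Users,DC=corp,DC=example"],
}


def transform_claims(user):
    """Transformation stage: raw LDAP attributes become the claims the SP expects.
    Lower-cases mail for the identifier and maps one directory group to an
    application role (hypothetical mapping)."""
    claims = {EMAIL_CLAIM: [user["mail"].lower()]}
    groups = [dn.split(",")[0].split("=", 1)[1] for dn in user["memberOf"]]
    if "ShareFile-Admins" in groups:
        claims[ROLE_CLAIM] = ["admin"]
    return claims


def build_assertion(issuer, audience, claims, now, lifetime_min=5):
    """Issuance stage: wrap the claims in a SAML 2.0 assertion targeted at one
    relying party. A real IdP signs this with its token-signing key (omitted)."""
    attrs = "".join(
        '<saml:Attribute Name="%s">%s</saml:Attribute>' % (
            escape(name, {'"': "&quot;"}),
            "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % escape(v)
                    for v in values))
        for name, values in claims.items())
    not_after = (now + timedelta(minutes=lifetime_min)).strftime(TIME_FMT)
    return (
        '<saml:Assertion xmlns:saml="%s" Version="2.0">' % SAML
        + "<saml:Issuer>%s</saml:Issuer>" % escape(issuer)
        + "<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>"
        % escape(claims[EMAIL_CLAIM][0])
        + '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s">'
        % (now.strftime(TIME_FMT), not_after)
        + "<saml:AudienceRestriction><saml:Audience>%s</saml:Audience>"
          "</saml:AudienceRestriction></saml:Conditions>" % escape(audience)
        + "<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>%s"
          "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
        % WINDOWS_AUTHN
        + "<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>" % attrs)


def validate_assertion(xml, trusted_issuer, relying_party_id, now):
    """SP-side checks that follow XML-DSig verification against the IdP's
    token-signing certificate (not shown). Returns (True, claims) or (False, reason)."""
    root = ET.fromstring(xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:                     # slide 28: only the trusted IdP
        return False, "issuer %r is not the trusted IdP" % issuer
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    parse = lambda s: datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)
    if not parse(cond.get("NotBefore")) <= now < parse(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if relying_party_id not in audiences:            # slide 26: targeted at us?
        return False, "assertion targeted at %r, not this relying party" % audiences
    claims = {"NameID": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
              "AuthnContext": root.findtext(
                  "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                  namespaces=NS)}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return True, claims


def issue_and_check(issuer, trusted_issuer, audience, relying_party_id, minutes_later):
    """Round trip at a fixed instant: issue, then validate minutes_later later."""
    now = datetime(2014, 7, 20, 12, 0, tzinfo=timezone.utc)
    token = build_assertion(issuer, audience, transform_claims(AD_USER), now)
    return validate_assertion(token, trusted_issuer, relying_party_id,
                              now + timedelta(minutes=minutes_later))


if __name__ == "__main__":
    IDP = "http://adfs.example/adfs/services/trust"
    RP = "https://app.example/saml/info"
    print(issue_and_check(IDP, IDP, RP, RP, 1))                       # accepted
    print(issue_and_check(IDP, IDP, RP, "https://other.example/", 1))  # wrong audience
    print(issue_and_check(IDP, IDP, RP, RP, 10))                      # expired
```

The audience check is the practical meaning of the Relying Party ID on slide 26: an assertion the IdP issued for a different relying party verifies perfectly against the same token-signing certificate, and only the audience restriction stops it from being replayed against this one.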
76. OAuth vs SAML Token: the OAuth token is a short JSON document, while the SAML token is the XML from slide 39, and that was with the signing certificate trimmed out. OAuth token (quotes restored where the slide text dropped them; secrets truncated):
{"expires_in":28800,"token_type":"bearer","apicp":"sharefile.com","access_files_folders":true,"change_my_settings":true,"admin_users":true,"expires_at_unix":"1,405,816,443.33826","refresh_token":"m5rU7aWB...","subdomain":"danbrinkmann","modify_files_folders":true,"web_app_login":true,"admin_accounts":true,"appcp":"sharefile.com","access_token":"m5rU7aWB..."}
SAML token, the same elements as slide 39 plus the X509Certificate (MIICKOw==, truncated): Issuer http://adfs.sharefiletest.com/adfs/services/trust; DigestValue KXdq8sGKJoFSBSB9YkF9LN7/8Ik=; SignatureValue aUawdzA==; NameID [email protected]; Audience https://onprem.sharefile.com/saml/info; AuthnContextClassRef urn:federation:authentication:windows.
77. OAuth in Consumer Lives: creating a separate username / password for each app is not required.
78. OAuth in Consumer Lives: scoped access, the app gets only the permissions the user granted.
79. OAuth in Consumer Lives: the irony of this slide.
80. How OAuth is used in Enterprise Apps: instead of authenticating (AuthN) each time, hold an authorization token (AuthZ) and use it. Protect the mobile application itself with a PIN / passcode, since the token is now the secret on the device.
81. Mobile App Solution: authenticate via the IdP on first-time use (FTU); exchange the SAML token for an OAuth token; use the OAuth access token to access the application.
82. Mobile App Solution: if the access token fails, get a new one using the refresh token. If the refresh token fails, prompt the user to re-authenticate via the IdP.
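Slides 81 and 82 describe the token lifecycle a mobile client runs. The following added example, which is not the presentation's or ShareFile's code, implements that client logic in Python against a constructed in-memory token service so it runs offline: one interactive IdP login, a SAML-for-OAuth exchange, silent refresh when the access token dies, and a return to the IdP only when the refresh token dies too. The IdP entity ID, token lifetimes, single-use refresh tokens and the API response are assumptions; a real service would verify the signed SAML XML rather than a dict.

```python
"""Added example: the mobile-app token lifecycle from the slides, with a
constructed in-memory token service so it runs offline. Not the presentation's
code; endpoint behaviour, TTLs and names are illustrative."""
import secrets

TRUSTED_IDP = "http://adfs.example/adfs/services/trust"   # illustrative IdP entity ID


class TokenService:
    """Stand-in for the app's OAuth token endpoint plus one protected API call.
    A fake clock (seconds) makes expiry deterministic."""

    def __init__(self, access_ttl=3600, refresh_ttl=86400):
        self.access_ttl, self.refresh_ttl = access_ttl, refresh_ttl
        self.access = {}    # access_token -> (subject, expires_at)
        self.refresh = {}   # refresh_token -> (subject, expires_at)
        self.clock = 0

    def _issue(self, subject):
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[at] = (subject, self.clock + self.access_ttl)
        self.refresh[rt] = (subject, self.clock + self.refresh_ttl)
        return {"access_token": at, "refresh_token": rt,
                "token_type": "bearer", "expires_in": self.access_ttl}

    def exchange_saml(self, assertion):
        """SAML-for-OAuth exchange: an assertion from the trusted IdP buys tokens."""
        if assertion.get("issuer") != TRUSTED_IDP:
            raise PermissionError("invalid_grant: assertion not from the trusted IdP")
        return self._issue(assertion["subject"])

    def refresh_tokens(self, refresh_token):
        """Refresh grant. Refresh tokens are single-use here (rotation)."""
        entry = self.refresh.pop(refresh_token, None)
        if entry is None or entry[1] <= self.clock:
            raise PermissionError("invalid_grant: refresh token expired or unknown")
        return self._issue(entry[0])

    def api_call(self, access_token):
        entry = self.access.get(access_token)
        if entry is None or entry[1] <= self.clock:
            raise PermissionError("401 invalid_token")
        return {"user": entry[0], "folders": ["Shared", "Personal"]}


class MobileClient:
    """Holds the tokens (on a real device: behind the app PIN/passcode) and
    implements slide 82: use the access token; on failure refresh; on refresh
    failure send the user back to the IdP."""

    def __init__(self, service, login_via_idp):
        self.service = service
        self.login_via_idp = login_via_idp   # interactive step; returns a SAML assertion
        self.tokens = None
        self.trace = []                      # record of what happened, for the reader

    def _first_time_use(self):
        self.trace.append("idp_login")
        self.tokens = self.service.exchange_saml(self.login_via_idp())

    def call_api(self):
        if self.tokens is None:
            self._first_time_use()
        try:
            return self.service.api_call(self.tokens["access_token"])
        except PermissionError:
            self.trace.append("access_rejected")
        try:
            self.tokens = self.service.refresh_tokens(self.tokens["refresh_token"])
            self.trace.append("refreshed")
        except PermissionError:
            self.trace.append("refresh_rejected")
            self._first_time_use()
        return self.service.api_call(self.tokens["access_token"])


def run_scenario():
    """Three API calls: fresh install, after the access token expires, after the
    refresh token expires too. Returns (trace, number of IdP prompts)."""
    svc = TokenService()
    prompts = []

    def login_via_idp():
        prompts.append(1)
        return {"issuer": TRUSTED_IDP, "subject": "bob.jones@corp.example"}

    client = MobileClient(svc, login_via_idp)
    client.call_api()          # FTU: IdP login, SAML exchanged for tokens
    svc.clock += 7200          # access token dead, refresh token still good
    client.call_api()          # silent refresh, no user prompt
    svc.clock += 90000         # both dead
    client.call_api()          # refresh rejected, back to the IdP
    return client.trace, len(prompts)


if __name__ == "__main__":
    print(run_scenario())
```

The point of the trace is that the user sees the IdP exactly twice across three calls: the refresh token absorbs the first expiry, and only when it too has expired does the client fall back to a full re-authentication. Any password policy, 2FA or revocation enforced at the IdP therefore takes effect at most one refresh-token lifetime later, which is why that lifetime is the security parameter to set deliberately.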
83. Summary: federation is necessary for next-generation and mobile applications. Authentication (AuthN) vs Authorization (AuthZ). SAML for federated authentication; OAuth for delegated authorization.