IRM Summit 2014 ELECTRONIC DREAMS: The Rise of Machine to Machine Communication Dirk Hogan, Sr. Software Engineer, ForgeRock

Electric Dreams: The Rise of Machine to Machine Communication


DESCRIPTION

A Breakout Session by Dirk Hogan, Sr. Software Engineer at ForgeRock at the 2014 IRM Summit in Phoenix, Arizona.


Page 1

ELECTRONIC DREAMS: The Rise of Machine to Machine Communication

Dirk Hogan, Sr. Software Engineer, ForgeRock

Page 2

What is REST STS ?

Page 3

What is REST STS ?

REST-based token transformation service, inspired by the Security Token Service defined in WS-Trust.

Page 4

WS-Trust STS

Overly ambitious

Abstraction is lossy

Complexity

Interoperability challenges

SOAP / XML

Page 5

REST STS

■ WS-Trust supports an explicit token transformation

■ WS-Trust supports an implicit token transformation

Building on WS-Trust

Why not make the implicit explicit ?

Page 6

REST STS

■ Instead of a single (ambiguous) abstraction set to rule them all, why not specific, explicit JSON payloads defining a token transformation, POSTed to a RESTful endpoint?

Why Not Simplify ?

{
  "input_token_state": {
    "token_type": "OPENIDCONNECT",
    "oidc_id_token": "eyZTQxODkzM2ZlMmQifQ.eyJpc3MiOiJhDA2OTM2NTJ9.enWa7YcxO6PsXMFQZXMuPn7o8PF5Cv71PNLcIQ"
  },
  "output_token_state": {
    "token_type": "SAML2",
    "serviceProviderAssertionConsumerServiceUrl": "http://tomcat-host.dirk.internal.forgerock.com:8080/openam/Consumer/metaAlias/sp",
    "subjectConfirmation": "BEARER"
  }
}
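As an added illustration (not code from the talk or from OpenAM), a small Python helper that builds the OIDC-to-SAML2 transformation request in the shape shown above and checks it before it is sent. The ACS allowlist and the `aaa.bbb.ccc` token used in the checks are constructed values, and no REST STS endpoint (which the slide does not name) is contacted.

```python
import json
from urllib.parse import urlparse

# Token types named on the slide; other types OpenAM can validate or issue are not modelled here.
INPUT_TYPES = {"OPENIDCONNECT"}
OUTPUT_TYPES = {"SAML2"}

# Constructed allowlist of Service Provider assertion-consumer URLs a deployment trusts.
# Issuing a bearer assertion to an arbitrary caller-supplied URL would hand the assertion
# to whoever controls that URL, so the ACS URL is pinned to known SPs before any request.
TRUSTED_ACS_URLS = {
    "http://tomcat-host.dirk.internal.forgerock.com:8080/openam/Consumer/metaAlias/sp",
}


def build_oidc_to_saml2_request(id_token, acs_url, subject_confirmation="BEARER"):
    """Return the JSON-serialisable payload in the shape shown on the slide."""
    return {
        "input_token_state": {"token_type": "OPENIDCONNECT", "oidc_id_token": id_token},
        "output_token_state": {
            "token_type": "SAML2",
            "serviceProviderAssertionConsumerServiceUrl": acs_url,
            "subjectConfirmation": subject_confirmation,
        },
    }


def validate_request(payload):
    """Structural checks run client-side; returns a list of problems (empty when OK)."""
    problems = []
    inp = payload.get("input_token_state", {})
    out = payload.get("output_token_state", {})
    if inp.get("token_type") not in INPUT_TYPES:
        problems.append("unsupported input token_type")
    segments = inp.get("oidc_id_token", "").split(".")
    # A compact-serialised JWT (the OIDC ID token) has exactly three non-empty segments;
    # signature verification itself is the STS's job (step 4 of the demo), not the client's.
    if len(segments) != 3 or not all(segments):
        problems.append("oidc_id_token is not a three-segment JWT")
    if out.get("token_type") not in OUTPUT_TYPES:
        problems.append("unsupported output token_type")
    acs = out.get("serviceProviderAssertionConsumerServiceUrl", "")
    if urlparse(acs).scheme not in ("http", "https") or acs not in TRUSTED_ACS_URLS:
        problems.append("ACS URL not in trusted SP allowlist")
    # Only the subject-confirmation method shown on the slide is accepted here.
    if out.get("subjectConfirmation") != "BEARER":
        problems.append("unexpected subjectConfirmation")
    return problems


def to_json(payload):
    """Compact serialisation suitable for POSTing as the request body."""
    return json.dumps(payload, separators=(",", ":"))
```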

Page 7

REST STS

■ Apache-CXF has all the elegant abstractions

Built On Apache-CXF STS

Why not re-skin CXF-STS ?

Why not replace SOAP/XML with REST/JSON ?

Open Source Rocks !!

Page 8

REST STS

■ Heterogeneity in the identity space

■ Different services require different identity formats

■ Any combination of tokens validated and issued by OpenAM is a candidate for STS token transformation

Identity Meta-System

Page 9

Why Does It Matter ?

Page 10

Demo

[Diagram: Demo App and OpenAM, with numbered arrows 0 to 7 between them]

Legend:
0: Publish STS Instance
1: STS instance created
2: Obtain OIDC ID Token
3: Invoke STS OIDC->SAML2
4: OIDC token validation
5: SAML2 Assertion Generation
6: Present Assertion to Service Provider
7: Un-publish REST STS instance