CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards

DESCRIPTION

Brian Campbell, Senior Researcher, Ping Identity

OpenID Connect, OAuth, JOSE and JWT may be the new kids on the block, but many experts and visionaries have already anointed them to replace SAML. Is the wheel being needlessly reinvented or is genuine progress on the horizon?

Page 1:

Brian Campbell, CIS Napa, July 2013, @__b_c

Background and layout of slides specially designed for @lpeterman & @NishantK

Page 2:

http://flic.kr/s/aHsjziVAwV

Page 3:

http://flic.kr/s/aHsjAP3nKo

Page 4:

SAML is DEAD!

* http://www.linkedin.com/in/burtonian

SAML

@craigburton

Page 5:

“WTF, ‘SAML is dead’? I’ve got a mortgage to pay…”

“But I just started this job!”

@paulmadsen, @ian13550

*Disclaimer: I work with these guys at Ping

Page 6:

*http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/

* @dak3

Page 7:

•  OpenID Connect
•  simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications.
•  design philosophy: “make simple things simple and make complicated things possible.”
•  Wins 2012 European Identity and Cloud Award
•  “OpenID Connect [won] the award [for] Best Innovation/New Standard this year. What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!” - Dave Kearns
•  “spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.”

http://openid.net/2012/04/18/openid-connect-wins-2012-european-identity-and-cloud-award/

Page 8:

May, 2010: Conceptual Debut of Connect
(time elapses)
February, 2012: 1st Implementer’s Drafts
March 2012
(time elapses)
May, 2013: 2nd Implementer’s Drafts
…?

https://twitter.com/__b_c/status/181884679513833473
three nerds holding a blurry piece of paper...
@selfissued @_nat_en @ve7jtb

“The OpenID Connect specifications are expected to be completed in the second half of 2012.”
http://www.thread-safe.com/2012/04/openid-connect-wins-2012-european.html

*Disclaimer: this guy also ‘works’ for Ping. And I know these guys reasonably well from various initiatives.

Page 9:

Page 10:

*I did actually receive permission to use this photo

@JasonABonds

Page 11:

Page 12:

Page 13:

The OAuth 2.0 picture:

Client → Authorization Server: get an access token
Authorization Server: Authorization Endpoint, Token Endpoint (the important stuff, where the magic happens)
Client → Resource Server

Page 14:

The same picture with the OpenID Connect additions:

Client / Relying Party
  - Discovery: /.well-known/webfinger, /.well-known/openid-configuration
  - Get an access token & an ID Token (JWT) from the Token Endpoint
  - Validate the ID Token (JWT) using the keys from the JWKS Endpoint
  - Use the access token at the Resource Server

Authorization Server / Identity Provider (IDP) / OpenID Provider (OP)
  - Authorization Endpoint, Token Endpoint (the important stuff)
  - Userinfo Endpoint
  - Registration Endpoint
  - JWKS Endpoint
  - Check Session IFrame
  - End Session Endpoint

Resource Server

Page 15:

The JWT:
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg

The Header:
{"kid":"5","alg":"ES256"}

The Payload:
{"iss":"https:\/\/idp.example.com",
 "exp":1357255788,
 "aud":"https:\/\/sp.example.org",
 "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",
 "acr":"2",
 "sub":"Brian"}

The Signature:
[computery junk]

Page 16:

The JWT and the equivalent SAML assertion side by side.

eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg

<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Issuer>https://idp.example.com</Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
      <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
  </ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
    <AudienceRestriction>
      <Audience>https://sp.example.org</Audience>
    </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
    <AuthnContext>
      <AuthnContextClassRef>2</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>
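What a relying party has to check before it trusts the SAML side of that comparison, as an added example that is not part of the deck and not Ping's code: the assertion from the slide is embedded as-is (reindented), and the code pins the expected issuer, audience and recipient, applies the NotBefore/NotOnOrAfter window with a small clock skew, accepts only the bearer confirmation method, and insists that the enveloped signature's Reference URI is this assertion's own ID rather than some other element's. The names `validate_assertion`, `InvalidAssertion` and the `verify_xmldsig` callable are this example's own; XML-DSig verification (canonicalisation, digest and ECDSA over SignedInfo) is deliberately left to that callable, which in practice would wrap a library such as xmlsec, because it is not something to hand-roll.

```python
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET  # for untrusted input in production, parse with defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# The assertion from the slide, reindented; every value is exactly as shown there.
SLIDE_ASSERTION = """<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"
 xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <Issuer>https://idp.example.com</Issuer>
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
  <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
   <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   </ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
  </ds:Reference>
 </ds:SignedInfo>
 <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
 </ds:Signature>
 <Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
  </SubjectConfirmation>
 </Subject>
 <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
  <AudienceRestriction><Audience>https://sp.example.org</Audience></AudienceRestriction>
 </Conditions>
 <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
  <AuthnContext><AuthnContextClassRef>2</AuthnContextClassRef></AuthnContext>
 </AuthnStatement>
</Assertion>"""


class InvalidAssertion(Exception):
    """Any structural, signature-binding or condition failure (example's own name)."""


def parse_instant(value):
    """xs:dateTime in UTC with fractional seconds, the form the slide uses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _child(elem, path):
    found = elem.find(path, NS)
    if found is None:
        raise InvalidAssertion("missing " + path)
    return found


def _instant(elem, attr):
    value = elem.get(attr)
    if value is None:
        raise InvalidAssertion("missing " + attr)
    return parse_instant(value)


def validate_assertion(xml_text, issuer, audience, recipient, now, verify_xmldsig,
                       skew=timedelta(seconds=60)):
    """Return the identity facts from the assertion, or raise InvalidAssertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        raise InvalidAssertion("not a SAML 2.0 Assertion")
    assertion_id = root.get("ID")
    if not assertion_id:
        raise InvalidAssertion("Assertion has no ID")
    # The signature must cover this very element. A Reference pointing at some
    # other ID in the document is the classic signature-wrapping setup.
    signature = _child(root, "ds:Signature")
    if _child(signature, "ds:SignedInfo/ds:Reference").get("URI") != "#" + assertion_id:
        raise InvalidAssertion("signature Reference does not cover this assertion")
    if not verify_xmldsig(root, signature):  # hypothetical callable, e.g. wrapping xmlsec
        raise InvalidAssertion("signature verification failed")
    if _child(root, "saml:Issuer").text != issuer:
        raise InvalidAssertion("issuer mismatch")
    conditions = _child(root, "saml:Conditions")
    if now < _instant(conditions, "NotBefore") - skew or now >= _instant(conditions, "NotOnOrAfter") + skew:
        raise InvalidAssertion("outside the Conditions validity window")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise InvalidAssertion("audience mismatch")
    subject = _child(root, "saml:Subject")
    confirmation = _child(subject, "saml:SubjectConfirmation")
    if confirmation.get("Method") != BEARER:
        raise InvalidAssertion("unsupported SubjectConfirmation method")
    data = _child(confirmation, "saml:SubjectConfirmationData")
    if data.get("Recipient") != recipient or now >= _instant(data, "NotOnOrAfter") + skew:
        raise InvalidAssertion("bearer confirmation rejected")
    authn = _child(root, "saml:AuthnStatement")
    return {"subject": _child(subject, "saml:NameID").text,
            "session_index": authn.get("SessionIndex"),
            "authn_context": _child(authn, "saml:AuthnContext/saml:AuthnContextClassRef").text}
```

The slide's assertion was only valid for ten minutes in January 2013, so `now` is passed in explicitly; evaluate it with a `now` inside that window and it yields subject `Brian`, AuthnContextClassRef `2` and the SessionIndex, while a later `now`, a different audience or recipient, or a Reference URI that no longer matches the assertion ID is rejected before any identity data is returned.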

Page 17:

* http://www.google.com/about/appsecurity/hall-of-fame/reward/

Page 18:

JWT/JWS Header:
{"kid":"5", "alg":"ES256"}

JWKS:
{"keys":[
  {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"},
  {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"},
  {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"}
]}
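The JWT side of the same check, tying the ID Token from the "The JWT" slide to the JWKS above, as an added example that is not part of the deck and not Ping's or jose4j's code: the compact form is split and base64url-decoded, the header's `alg` is pinned to an allow-list before anything else happens (so `none` or a MAC algorithm cannot be smuggled in), the verification key is chosen by `kid` from the JWKS and confirmed to be the right key type and curve for that algorithm, and only then are `iss`, `aud`, `exp` and `nbf` validated. `ALLOWED_ALGS`, `InvalidToken`, `verify_jwt` and the `verify_sig` callable are this example's own names. Stdlib only; the one ES256 verifier included, `es256_verify`, is built on the third-party `cryptography` package and imports it lazily, so it is an assumption about the environment rather than something the deck shows.

```python
import base64
import json
import time

# The ID Token from the "The JWT" slide (header kid 5, alg ES256), split here
# only for readability, and the JWKS from the keys slide; both copied from the deck.
SLIDE_JWT = (
    "eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ."
    "eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKIm"
    "V4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5l"
    "eGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNV"
    "FfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9."
    "SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg"
)
SLIDE_JWKS = {"keys": [
    {"kty": "EC", "kid": "4", "crv": "P-256",
     "x": "LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo",
     "y": "dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A"},
    {"kty": "EC", "kid": "5", "crv": "P-256",
     "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
     "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"},
    {"kty": "EC", "kid": "6", "crv": "P-256",
     "x": "J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",
     "y": "5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU"},
]}
# The algorithms this RP accepts, each with the key type and curve it needs.
# Anything else, "none" included, is rejected before a key is even looked up.
ALLOWED_ALGS = {"ES256": ("EC", "P-256")}


class InvalidToken(Exception):
    """Any structural, key-selection, signature or claim failure (example's own name)."""


def b64url_decode(segment: str) -> bytes:
    # JWS segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_compact(token: str):
    """Return (header, claims, signing_input, signature) from header.payload.signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]).decode("utf-8"))
    claims = json.loads(b64url_decode(parts[1]).decode("utf-8"))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    return header, claims, signing_input, b64url_decode(parts[2])


def select_key(jwks: dict, header: dict) -> dict:
    """Pin alg first, then pick the JWK by kid and confirm it fits that alg."""
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise InvalidToken("alg %r is not allowed" % alg)
    kty, crv = ALLOWED_ALGS[alg]
    kid = header.get("kid")
    candidates = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(candidates) != 1:
        raise InvalidToken("no unique key for kid %r" % kid)
    key = candidates[0]
    if key.get("kty") != kty or key.get("crv") != crv:
        raise InvalidToken("key type does not match alg")
    return key


def validate_claims(claims: dict, issuer: str, audience: str, now: float, skew: int = 60) -> dict:
    if claims.get("iss") != issuer:
        raise InvalidToken("issuer mismatch")
    aud = claims.get("aud")  # a string or, for multi-audience tokens, a list
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + skew:
        raise InvalidToken("token expired or exp missing")
    nbf = claims.get("nbf")
    if nbf is not None and now + skew < nbf:
        raise InvalidToken("token not yet valid")
    if not claims.get("sub"):
        raise InvalidToken("sub missing")
    return claims


def verify_jwt(token: str, jwks: dict, issuer: str, audience: str, verify_sig, now=None) -> dict:
    """verify_sig(key, signing_input, signature) -> bool is supplied by the caller."""
    header, claims, signing_input, signature = split_compact(token)
    key = select_key(jwks, header)
    if not verify_sig(key, signing_input, signature):
        raise InvalidToken("signature verification failed")
    return validate_claims(claims, issuer, audience, time.time() if now is None else now)


def es256_verify(key: dict, signing_input: bytes, signature: bytes) -> bool:
    """ES256 verifier on top of the `cryptography` package (assumed installed).

    JWS ES256 signatures are the raw 64-byte r||s; `cryptography` wants DER.
    """
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec, utils

    if len(signature) != 64:
        return False
    r = int.from_bytes(signature[:32], "big")
    s = int.from_bytes(signature[32:], "big")
    x = int.from_bytes(b64url_decode(key["x"]), "big")
    y = int.from_bytes(b64url_decode(key["y"]), "big")
    public_key = ec.EllipticCurvePublicNumbers(x, y, ec.SECP256R1()).public_key()
    try:
        public_key.verify(utils.encode_dss_signature(r, s), signing_input, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False
```

`verify_jwt(SLIDE_JWT, SLIDE_JWKS, "https://idp.example.com", "https://sp.example.org", es256_verify, now=1357255700)` runs the whole chain; the slide's token expired in January 2013, so `now` has to be a time inside its lifetime. Note the order: the `kid` header only selects which of the published keys to try, it never decides whether to verify, and the same `ALLOWED_ALGS` table that rejects `alg: none` also stops a token that names `HS256` from being checked with a public key as the HMAC secret.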

Page 19:

Page 20:

Page 21:

Brian Campbell CIS Napa July 2013 @__b_c

Page 22:

SAML Any Questions?

Brian Campbell CIS Napa July 2013 @__b_c