CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards
DESCRIPTION
Brian Campbell, Senior Researcher, Ping Identity. OpenID Connect, OAuth, JOSE and JWT may be the new kids on the block, but many experts and visionaries have already anointed them to replace SAML. Is the wheel being needlessly reinvented or is genuine progress on the horizon?
TRANSCRIPT
![Page 1: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/1.jpg)
Brian Campbell, CIS Napa, July 2013, @__b_c
background and layout of slides specially designed for @lpeterman & @NishantK
![Page 2: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/2.jpg)
http://flic.kr/s/aHsjziVAwV
![Page 3: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/3.jpg)
http://flic.kr/s/aHsjAP3nKo
![Page 4: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/4.jpg)
SAML is DEAD!
* http://www.linkedin.com/in/burtonian
SAML
@craigburton
![Page 5: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/5.jpg)
WTF “SAML is dead”? I’ve got a mortgage to pay…
*Disclaimer: I work with these guys at Ping
But I just started this job!
@paulmadsen
@ian13550
![Page 6: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/6.jpg)
*http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/
* @dak3
![Page 7: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/7.jpg)
• OpenID Connect
• simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications.
• design philosophy: “make simple things simple and make complicated things possible.”
• Wins 2012 European Identity and Cloud Award
• “OpenID Connect the award[ed] Best Innovation/New Standard this year. What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!” - Dave Kearns
• “spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.”
http://openid.net/2012/04/18/openid-connect-wins-2012-european-identity-and-cloud-award/
![Page 8: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/8.jpg)
May, 2010: Conceptual Debut of Connect
time elapses
February, 2012: 1st Implementer’s Drafts
March 2012
time elapses
May, 2013: 2nd Implementer’s Drafts
…?
https://twitter.com/__b_c/status/181884679513833473
three nerds holding a blurry piece of paper...
*Disclaimer: this guy also ‘works’ for Ping
And I know these guys reasonably well from various initiatives
http://www.thread-safe.com/2012/04/openid-connect-wins-2012-european.html
“The OpenID Connect specifications are expected to be completed in the second half of 2012.”
@selfissued @_nat_en @ve7jtb
![Page 9: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/9.jpg)
![Page 10: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/10.jpg)
*I did actually receive permission to use this photo
@JasonABonds
![Page 11: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/11.jpg)
![Page 12: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/12.jpg)
![Page 13: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/13.jpg)
(Slide diagram, OAuth 2.0: Client; Resource Server; Authorization Server with Authorization Endpoint and Token Endpoint, annotated “Important Stuff” and “Where the magic happens”; flow labelled “Get an access token”.)
![Page 14: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/14.jpg)
(Slide diagram, OpenID Connect on top of OAuth 2.0: Client / Relying Party; Resource Server; Authorization Server, also labelled Identity Provider or IDP, OpenID Provider or OP, with Authorization Endpoint, Token Endpoint (“Important Stuff”), Userinfo Endpoint, Registration Endpoint, JWKS Endpoint (shown twice), Check Session IFrame and End Session Endpoint; Discovery via /.well-known/webfinger and /.well-known/openid-configuration; flows labelled “Get an access token & an ID Token (JWT)”, “Use an access token” and “Validate (JWT) ID Token”.)
![Page 15: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/15.jpg)
The JWT eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
The Header {"kid":"5","alg":"ES256"}
The Payload {"iss":"https:\/\/idp.example.com", "exp":1357255788, "aud":"https:\/\/sp.example.org", "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A", "acr":"2", "sub":"Brian"}
The Signature [computery junk]
![Page 16: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/16.jpg)
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Issuer>https://idp.example.com</Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
      <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
  </ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
    <AudienceRestriction>
      <Audience>https://sp.example.org</Audience>
    </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
    <AuthnContext>
      <AuthnContextClassRef>2</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>
![Page 17: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/17.jpg)
* http://www.google.com/about/appsecurity/hall-of-fame/reward/
![Page 18: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/18.jpg)
JWT/JWS Header: {"kid":"5", "alg":"ES256"}
JWK Set published by the issuer (the header’s kid selects the entry with "kid":"5"):
{"keys":[
  {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"},
  {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"},
  {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"}
]}
![Page 19: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/19.jpg)
![Page 20: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/20.jpg)
![Page 21: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/21.jpg)
Brian Campbell CIS Napa July 2013 @__b_c
![Page 22: CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards](https://reader034.vdocuments.net/reader034/viewer/2022042714/554f93afb4c9052a518b5510/html5/thumbnails/22.jpg)
SAML
Any Questions?
Brian Campbell CIS Napa July 2013 @__b_c