Dan Brinkmann New Acronyms for a Cloud World IdP, SAML, OAuth @dbrinkmann

Post on 18-Nov-2014

DESCRIPTION

BriForum 2014 Boston Dan Brinkmann presents on Identity Providers, SAML, and OAuth. An example of setting up Office 365 to use Active Directory Federation Services is also shown.

TRANSCRIPT

  • 1. IdP, SAML, OAuth New Acronyms for a Cloud World Dan Brinkmann @dbrinkmann
  • 2. About Me WhatWouldDanDo.com @dbrinkmann BriForum 2011, 2012, 2013, 2014 Citrix Synergy 2012, 2013, 2014 Former VMware vExpert
  • 3. I am not an identity expert
  • 4. Agenda Definitions The Problem Identity & Service Providers Office 365 Federation example OAuth
  • 5. Definitions
  • 6. Authentication Verifying Identity Authentication (AuthN) - Verifies who you are Username/password 2FA / strong authentication Certificates Enterprise: Username / Password Consumer: Driver's license
  • 7. Authentication Verifying Identity Authentication (AuthN) - Verifies who you are Username/password 2FA / strong authentication Certificates Enterprise: Username / Password Consumer: Driver's license Massively broken
  • 8. Authorization Possession is 9/10ths of ownership Authorization (AuthZ) - What you are able to do
  • 9. Authorization Start car, lock doors, deny trunk Valet key
  • 10. Definition of Terms SAML Security Assertion Markup Language OAuth Open standard for authorization Federation You've authenticated to a different system than the one you're trying to access, your identity has been proven by a 3rd party, and on that basis you're being allowed into this system
  • 11. History SAML 1.0 - 2002 1.1 - 2003 2.0 - 2005 (not backwards compatible with 1.x) OAuth 1.0 - 2010 2.0 - 2012 (not backwards compatible with 1.0)
  • 12. The Problem Why does federation exist?
  • 13. Genesis u: bob p: password1 u: bob1 p: logmein u: bobby p: 123
  • 14. Along came Active Directory u: bobjones p: ComplexP1!
  • 15. And then came SaaS / Cloud apps
  • 16. Why not use Active Directory?
  • 17. Why not use Active Directory? Bad admin >>passwords.txt
  • 18. Why not use Active Directory? No Trust Bad admin >>passwords.txt
  • 19. IdP / SP Architecture SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust Claims LDAP Signed Active Directory
  • 20. Common IdPs Ping Identity PingFederate CA SiteMinder Microsoft ADFS Shibboleth Okta
  • 21. Microsoft ADFS ADFS 1.0 - Part of Windows 2003 R2 ADFS 1.1 - Part of Windows 2008 and R2 (Installed as Role from Server Mgr) Used SAML 1.x so forget about these
  • 22. Microsoft ADFS ADFS 2.0 - Released after Windows 2008 R2 as a standalone download ADFS 2.1 - Part of Windows Server 2012 and installed as a Role ADFS 3.0 - Part of Windows Server 2012 R2 and installed as a Role Service ADFS 2.x relies on IIS; ADFS 3.x is built on http.sys (IIS is not installed or needed)
  • 23. IdP / SP Architecture Trust / Configuration
  • 24. IdP / SP Architecture How is trust established? SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust LDAP Active Directory
  • 25. IDP Configuration: Metadata https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml
  • 26. IDP trusts Service Provider: Relying Party ID When a user requests claims from this Federation Service for the relying party, the relying party identifier will be used to identify the relying party for which the claims should be targeted Translate: Match incoming SP request to IdP Relying Party Trust configuration
  • 27. IDP trusts Service Provider: Signature SAML request from the Service Provider is signed Not always used
  • 28. Service Provider trusts IDP: Token-signing certificate
  • 29. IdP / SP Architecture Authentication
  • 30. IdP / SP Architecture Authentication (AuthN) SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust LDAP Active Directory
  • 31. ADFS Authentication ADFS Proxy ADFS Server Enterprise LDAP Active Directory ADFS Proxy - 2.x Web Application Proxy - 3.x
  • 32. ADFS Authentication Basic Authentication Username & password sent in clear text over network You should always use SSL/TLS Windows Integrated (IWA) Kerberos, NTLMSSP Can work silently / background
  • 33. ADFS Authentication Forms Webpage 2FA Works with virtually any device X509 / Client Certificates
  • 34. ADFS Authentication Matrix ADFS 2.x ADFS 2.x Proxy ADFS 3.x Web Application Proxy Basic Auth Windows Integrated Forms X509 / Client Cert
  • 35. Manipulating Authentication Priority
  • 36. IdP / SP Architecture Claims
  • 37. IdP / SP Architecture Claims SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust Claims LDAP Signed Active Directory
  • 38. Claims SAML assertions contain claims Attribute claims contain information about the user (email address) Transformations can convert / modify data before creating the claim
  • 39. Example SAML Token With a lot trimmed out. Recoverable fragments of the token: Issuer http://adfs.sharefiletest.com/adfs/services/trust (appears twice); a signature block with DigestValue KXdq8sGKJoFSBSB9YkF9LN7/8Ik= and a truncated SignatureValue aUawdzA==; Subject NameID [email protected] (address redacted in the source); Audience https://onprem.sharefile.com/saml/info; AuthnContextClassRef urn:federation:authentication:windows
  • 40. SAML Assertion [email protected]
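The slides describe the trust checks in prose (slides 26 and 28: the IdP matches the request to a Relying Party ID, the SP trusts the IdP's token-signing certificate; slide 38: claims carried in the assertion). The following Python is an added example, not code from the presentation or from ADFS/ShareFile: it shows what a Service Provider pins from IdP federation metadata and the checks it runs on an assertion before it accepts any claim. IDP_METADATA and ASSERTION are constructed samples shaped like ADFS federation metadata and an ADFS assertion (hostnames from the slides, certificate and user values are placeholders). XML-Signature verification against the pinned certificate is assumed to be done by a SAML library such as xmlsec and is passed in as signature_verified.

```python
"""Added example: SP-side trust checks for an ADFS-issued SAML 2.0 assertion.
All XML below is constructed; certificate and user values are placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard ADFS claim type for the e-mail attribute claim (slide 38).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# The SP identifier, ADFS's "Relying Party ID" (slide 26); it becomes the Audience.
RELYING_PARTY_ID = "https://onprem.sharefile.com/saml/info"

# Constructed metadata, the shape of what federationmetadata.xml (slide 25) returns.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="http://adfs.sharefiletest.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICKOw-PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICKOw-PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion; the ds:Signature element is omitted (see signature_verified).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_placeholder" Version="2.0" IssueInstant="2014-07-20T00:34:03Z">
  <saml:Issuer>http://adfs.sharefiletest.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-07-20T00:34:03Z" NotOnOrAfter="2014-07-20T01:34:03Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://onprem.sharefile.com/saml/info</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2014-07-20T00:34:03Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def trusted_idp(metadata_xml):
    """What the SP pins from IdP metadata: the entityID it expects as Issuer and the
    token-signing certificate(s) used to verify assertion signatures (slide 28).
    Only KeyDescriptors with use="signing" count; the encryption key is not a signer."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    certs = [c.text.strip() for c in root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not entity_id or not certs:
        raise ValueError("metadata lacks entityID or a token-signing certificate")
    return entity_id, certs


def validate_assertion(assertion_xml, trusted_entity_id, relying_party_id, now_iso,
                       signature_verified):
    """Return the claims of an acceptable assertion or raise ValueError.
    signature_verified is the result of XML-Signature verification against the pinned
    certificate, done by a SAML library before any of these checks run."""
    if not signature_verified:
        raise ValueError("signature not verified with the IdP token-signing certificate")
    a = ET.fromstring(assertion_xml)
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_entity_id:
        raise ValueError(f"issuer {issuer!r} is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    now = _ts(now_iso)
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") is None or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired or has no expiry")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if relying_party_id not in audiences:   # token minted for some other relying party
        raise ValueError(f"audience {audiences} does not include this relying party")
    attributes = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
                  for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"nameid": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "authn_context": a.findtext(
                "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
            "attributes": attributes}


def verdict(*args):
    """("accepted", claims) or ("rejected", reason)."""
    try:
        return "accepted", validate_assertion(*args)
    except ValueError as e:
        return "rejected", str(e)


if __name__ == "__main__":
    entity_id, certs = trusted_idp(IDP_METADATA)
    print(verdict(ASSERTION, entity_id, RELYING_PARTY_ID, "2014-07-20T00:45:00Z", True))
    print(verdict(ASSERTION, entity_id, RELYING_PARTY_ID, "2014-07-20T02:00:00Z", True))
```

The order matters: signature first, then issuer, validity window and audience, and only then are attribute claims read. An assertion that passes the signature check but names another relying party in its Audience is a valid token for someone else, which is exactly what the Relying Party ID match on slide 26 exists to stop.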
  • 76. OAuth vs SAML Token And I even trimmed out the signing certificate of the SAML Token. OAuth token response: {"expires_in":28800,"token_type":"bearer","apicp":"sharefile.com","access_files_folders":true,"change_my_settings":true,"admin_users":true,"expires_at_unix":"1,405,816,443.33826","refresh_token":"m5rU7aWB.","subdomain":"danbrinkmann","modify_files_folders":true,"web_app_login":true,"admin_accounts":true,"appcp":"sharefile.com","access_token":"m5rU7aWB.."} SAML token fragments: Issuer http://adfs.sharefiletest.com/adfs/services/trust (appears twice); DigestValue KXdq8sGKJoFSBSB9YkF9LN7/8Ik=; truncated SignatureValue aUawdzA==; truncated X509Certificate MIICKOw==; NameID [email protected] (address redacted in the source); Audience https://onprem.sharefile.com/saml/info; a second redacted address juliano.malda [email protected]; AuthnContextClassRef urn:federation:authentication:windows
  • 77. OAuth in Consumer Lives Creating a separate username / password not required
  • 78. OAuth in Consumer Lives Scoped Access
  • 79. OAuth in Consumer Lives The irony of this slide
  • 80. How OAuth is used in Enterprise Apps Instead of AuthN each time use AuthZ Protect mobile application using PIN / Passcode
  • 81. Mobile App Solution Authenticate via IdP (FTU) Exchange SAML Token for OAuth Token Use OAuth Access Token to access the application
  • 82. Mobile App Solution If the Access Token fails get a new one using the Refresh Token If the Refresh Token fails then prompt user to re-authenticate Re-authenticate via IdP
  • 83. Summary Federation necessary for next-generation & mobile applications Authentication (AuthN) Authorization (AuthZ) SAML OAuth