slides: http://is.gd/1qoMXG
As Portfolio Architect for Ping Identity, Brian Campbell aspires to one day know what a Portfolio Architect actually does for a living. In the meantime, he tries to make himself useful by building software systems such as Ping's flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards, including a two-year stint as co-chair of the OASIS Security Services Technical Committee (SAML) and a current focus on OAuth 2.0, JOSE and OpenID Connect. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
Agenda
Backstory
With a Quick SAML Intro/Refresher
JWS
JWE (just a wee bit)
JWT
JWK
"SAML is DEAD!"
Craig Burton
"Beer is still alive though"
Me at the
SAML
http://blogs.kuppingercole.com/kearns/2012/07/31/the-deathand-life-of-a-protocol/
The Future
European Identity and Cloud Conference:
Best Innovation/New Standard in Information Security went to OpenID Connect for
Providing the Consumerization of SAML. Driving the adoption of federation and making
this much simpler.
OpenID Connect is a simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications. Its design philosophy is "make simple things simple and make complicated things possible."
WebFinger
base64url
JOSE
JWS
JWE
JWK
JWA
JWS
JWS Header
A bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value
kid: Key ID
jku: JWK Set URL
jwk: JSON Web Key
x5u: X.509 URL
x5t: X.509 Certificate Thumbprint
x5c: X.509 Certificate Chain
typ: Type
cty: Content Type
Header Example
I signed this thing with RSA-SHA256 using key ID of 9er and you can find the corresponding public key at https://www.example.com/jwk
{"alg":"RS256","kid":"9er","jku":"https://www.example.com/jwk"}
JWS Example
Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Example
Simple [Relatively]
Compact
No canonicalization
Entirely Web Safe Alphabet
JWE
More complicated
More headers
JWT
JWT Claims
iss: Issuer
sub: Subject
aud: Audience
exp: Expiration Time
nbf: Not Before
iat: Issued At
jti: JWT ID
typ: Type
JWT Example
The JSON claims of a JWT saying that the subject is Brian, the JWT was issued by https://idp.example.com, expires at such and such a time, and is intended for consumption by https://sp.example.org (+ a few other things) would look like this:
{
 "iss":"https:\/\/idp.example.com",
 "exp":1357255788,
 "aud":"https:\/\/sp.example.org",
 "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",
 "acr":"2",
 "sub":"Brian"
}
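The JWS and JWT slides above describe the pieces (base64url, a header naming the algorithm and key, a signature over header.payload, and registered claims such as iss, aud, exp and nbf) but do not show them working together. The following added example, which is not from the talk, does that with only the Python standard library: it reproduces the slide's "USA #1!" -> "VVNBICMxIQ" encoding, signs the slide's claims as a compact JWS, verifies it with the algorithm pinned on the verifier side, and checks the registered claims. It uses HS256 with a constructed shared secret instead of the RS256 key "9er" from the header example, purely so it runs without an RSA library; the claim values are the slide's.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the HS256 demonstration; the slide's header example used
# RS256 with kid "9er", an HMAC key is used here only to stay dependency-free.
SECRET = b"constructed-demo-secret-not-for-real-use"

# The claims from the slide's JWT example.
SLIDE_CLAIMS = {
    "iss": "https://idp.example.com",
    "exp": 1357255788,
    "aud": "https://sp.example.org",
    "jti": "tmYvYVU2x8LvN72B5Q_EacH._5A",
    "acr": "2",
    "sub": "Brian",
}


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding stripped by b64url_encode, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes, kid: str) -> str:
    """Produce a JWS compact serialization: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify the signature and return the claims; raise ValueError on any failure.

    The expected algorithm is fixed by the verifier. The header's "alg" is compared
    against it and never used to select the verification routine, so a token whose
    header says "none" or names another algorithm is rejected.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact serialization")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p))


def validate_claims(claims: dict, issuer: str, audience: str, now: int, skew: int = 60) -> bool:
    """Check the registered claims from the JWT slide against this recipient's view.

    iss must be the expected issuer, aud must contain this recipient, and the token
    must be inside its exp / nbf window (allowing a small clock skew in seconds).
    """
    if claims.get("iss") != issuer:
        return False
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        return False
    if "exp" in claims and now > claims["exp"] + skew:
        return False
    if "nbf" in claims and now < claims["nbf"] - skew:
        return False
    return True


if __name__ == "__main__":
    token = sign_hs256(SLIDE_CLAIMS, SECRET, "9er")
    print(token)
    print(validate_claims(verify_hs256(token, SECRET),
                          "https://idp.example.com", "https://sp.example.org", now=1357255000))
```

Signature verification and claims validation are deliberately separate steps: a token with a valid signature can still be expired or meant for another audience, and a token with the right claims is worthless if the signature was not checked first.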
Examples (JWT and SAML)
JWK
Common Parameters: kty: Key Type, use: Key Use, alg: Algorithm, kid: Key ID
RSA: n: Modulus, e: Exponent
EC: crv: Curve (P-256, P-384, P-521), x: X Coordinate, y: Y Coordinate
{"keys":
 [
  {"kty":"EC",
   "crv":"P-256",
   "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
   "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
   "kid":"9er"},
  {"kty":"RSA",
   "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
   "e":"AQAB",
   "kid":"7ish"}
 ]
}
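A JWK Set like the one above is only useful to a verifier that can pick the right key by kid and can tell a well-formed key from a broken one before using it. The added example below (not from the talk; standard library only) embeds the slide's JWK Set, selects a key by kid, decodes the base64url big-endian integers of the RSA n and e parameters and the EC x and y coordinates, and checks what a careful verifier checks: the RSA modulus size and exponent, and that the EC point actually lies on P-256 (the curve equation and constants are the FIPS 186-4 values). The kid values "9er" and "7ish" are the slide's; the key material is the slide's, which matches the example JWK Set in RFC 7517 Appendix A.1.

```python
import base64
import json

# The JWK Set from the slide, embedded so the example runs offline.
SLIDE_JWK_SET = json.loads("""{"keys":[
 {"kty":"EC","crv":"P-256",
  "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
  "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
  "kid":"9er"},
 {"kty":"RSA",
  "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
  "e":"AQAB",
  "kid":"7ish"}
]}""")

# NIST P-256 domain parameters (FIPS 186-4): y^2 = x^3 - 3x + b over GF(p).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def b64url_to_int(text: str) -> int:
    """JWK integers are base64url-encoded big-endian octet strings without padding."""
    raw = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    return int.from_bytes(raw, "big")


def find_key(jwk_set: dict, kid: str) -> dict:
    """Select exactly one key by kid; ambiguity is treated as an error."""
    matches = [k for k in jwk_set["keys"] if k.get("kid") == kid]
    if len(matches) != 1:
        raise KeyError("expected exactly one key with kid %r, found %d" % (kid, len(matches)))
    return matches[0]


def check_ec_p256(jwk: dict) -> tuple:
    """Reject coordinates outside the field or a point not on the curve."""
    if jwk.get("crv") != "P-256":
        raise ValueError("only P-256 is handled here")
    x = b64url_to_int(jwk["x"])
    y = b64url_to_int(jwk["y"])
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        raise ValueError("coordinate out of range")
    if (y * y - (x * x * x - 3 * x + P256_B)) % P256_P != 0:
        raise ValueError("point is not on P-256")
    return ("EC", 256)


def check_rsa(jwk: dict, min_bits: int = 2048) -> tuple:
    """Reject short moduli and degenerate public exponents."""
    n = b64url_to_int(jwk["n"])
    e = b64url_to_int(jwk["e"])
    if n.bit_length() < min_bits:
        raise ValueError("RSA modulus too small: %d bits" % n.bit_length())
    if e < 3 or e % 2 == 0:
        raise ValueError("unacceptable RSA public exponent")
    return ("RSA", n.bit_length())


def describe_key(jwk: dict) -> tuple:
    """Validate a JWK according to its kty and return (kty, size in bits)."""
    if jwk.get("kty") == "EC":
        return check_ec_p256(jwk)
    if jwk.get("kty") == "RSA":
        return check_rsa(jwk)
    raise ValueError("unsupported kty %r" % jwk.get("kty"))


if __name__ == "__main__":
    for kid in ("9er", "7ish"):
        print(kid, describe_key(find_key(SLIDE_JWK_SET, kid)))
```

The point-on-curve test is cheap and catches both corrupted key material and deliberately malformed EC keys; a library that skips it may compute with a point on a different curve. Treating a duplicated kid as an error rather than taking the first match avoids silently verifying against the wrong key when a set is rotated badly.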
Examples
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:3c:05:fe:51:4b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, O=Skull and Bones, CN=Brian's Key
        Validity
            Not Before: Jan  4 14:36:58 2013 GMT
            Not After : Jan  6 14:36:58 2013 GMT
        Subject: C=AU, O=Skull and Bones, CN=Brian's Key
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:83:aa:49:64:72:a1:0d:a6:93:ee:e8:6a:3a:94:
                    26:6e:3d:1d:8a:3a:5f:2e:31:b8:78:76:4f:58:6d:
                    92:4a:a1:e0:40:1f:ce:d5:8c:b7:1b:93:03:c5:65:
                    79:98:89:41:c5:2e:73:e4:b8:81:1f:d6:ae:74:0e:
                    29:0f:04:f9:80:45:23:e9:38:bf:b6:79:c5:3e:cd:
                    53:8f:59:e7:82:b8:cb:4f:73:0e:6d:84:13:b3:67:
                    e0:f0:94:d6:95:ef:f0:3d:ec:cc:21:82:a2:64:cc:
                    e8:d9:37:b6:e9:ac:10:2a:ef:d0:52:e2:5f:c4:67:
                    f1:fb:88:35:9d:39:ae:5d:45:27:d1:21:9f:33:18:
                    f3:a5:6f:13:20:b4:b9:58:dd:8e:93:82:9c:28:6a:
                    65:a0:a4:46:0a:72:5e:e5:93:0e:21:50:a8:4e:1b:
                    c2:15:e6:b7:77:23:de:9a:b8:63:a2:53:3e:a3:e5:
                    6f:6a:dd:f4:57:c4:c4:8d:d3:84:e7:3f:44:f3:66:
                    5c:66:59:0e:df:bf:88:d6:3d:ba:a5:dd:6e:c7:29:
                    cb:ac:94:b0:c9:9f:7e:41:f4:d3:ea:cf:bd:8a:13:
                    c2:a5:ad:67:96:9e:60:3c:a1:19:eb:29:14:18:a6:
                    cc:e6:9b:8f:f2:49:c1:bb:ab:bb:d2:a0:d1:96:ad:
                    92:2f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        24:50:50:de:c3:94:f0:e8:32:88:a4:6c:36:c3:f3:b0:59:dc:
        56:39:dd:36:0d:68:2b:3f:4d:4c:de:ef:f4:ff:23:ba:a9:a3:
        3c:c8:29:41:21:0e:d3:94:89:a8:de:c8:f2:1f:10:4e:57:16:
        5c:7a:36:2c:5c:df:2e:ff:cf:7e:9e:1e:6b:26:7b:ee:b2:8a:
        68:29:cb:7a:b1:86:a8:a8:ba:94:b4:6d:ab:79:52:6e:84:39:
        1f:28:35:b9:ee:ec:51:7d:22:33:82:e7:6c:a8:9c:45:8e:a7:
        ab:93:79:39:9f:83:62:c1:9a:1d:64:bc:b3:39:c9:50:e4:78:
        b3:8c:c4:ea:d5:d3:d7:41:c3:61:60:55:4e:20:a5:f2:56:30:
        6c:f0:b5:58:45:88:c1:79:31:f4:ed:ab:2d:1e:3e:21:c5:2f:
        a3:3b:8c:5b:38:04:d8:a7:02:4c:09:b3:18:1c:a3:49:50:5a:
        96:a8:24:38:80:ee:c0:87:3c:c4:69:1d:10:cb:32:b6:61:9b:
        a1:73:1a:f2:53:8f:29:e1:7a:42:14:57:77:1c:59:37:fb:99:
        f9:c6:c6:88:c0:67:59:c7:eb:ac:e0:2c:bd:87:7c:27:a6:f5:
        40:b3:e1:96:77:40:ec:2e:ca:ed:2b:54:fb:91:0c:68:07:16:
        01:96:9e:fa
JWKs can be
Java: https://bitbucket.org/b_c/jose4j
Ruby: https://github.com/nov/json-jwt
JavaScript: http://kjur.github.com/jsjws/
Perl: https://metacpan.org/module/JSON::WebToken
[Diagram: Client, Authorization Server, Resource Server; use a token; etc.]
OAuth 2.0 (authorization code flow, built up over several slides)
[Diagram: Resource Owner; Client; Authorization Server with Authorization Endpoint and Token Endpoint; Resource Server with Protected Resource(s). One step is labelled "Authorization Response + code".]
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol.
OpenID Connect Basic Client Profile or Code Flow
OAuth 2.0 / OpenID Connect (code flow, built up over several slides)
[Diagram: Resource Owner / End-User; Client // Relying Party; Authorization Server // Identity Provider // OpenID Provider with Authorization Endpoint, Token Endpoint and User Info Endpoint; Resource Server with Protected Resource(s).]
Authorization request: response_type=code & scope=openid profile email address phone & maybe other new stuff, request[_uri], prompt, nonce, etc.
End-User is logged into the Client/RP
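The OAuth 2.0 and OpenID Connect flow slides name the parties and the front-channel request parameters (response_type=code, scope=openid profile email address phone, prompt, nonce) and the "Authorization Response + code" step, but the diagrams themselves did not survive extraction. The added example below, which is not from the talk, shows the relying party's side of that exchange in Python: it builds the authorization request with a fresh state and nonce stored in the user's session, accepts the redirect back only if the state matches, and later checks that the nonce inside the ID Token is the one it sent. The endpoint URL, client_id and redirect_uri are constructed placeholders; the scope list and response_type are the slide's.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the example; not taken from the slides.
AUTHZ_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "example-rp"
REDIRECT_URI = "https://sp.example.org/callback"

# The scopes from the slide's authorization request.
SLIDE_SCOPES = ("openid", "profile", "email", "address", "phone")


def build_authorization_request(session: dict, scopes=SLIDE_SCOPES, prompt=None) -> str:
    """Front-channel request to the Authorization Endpoint.

    state binds the eventual response to this browser session (defeats login CSRF);
    nonce binds the ID Token returned from the Token Endpoint to this request
    (defeats replay of an old ID Token). Both are stored server-side in the session.
    """
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "response_type": "code",
        "scope": " ".join(scopes),
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
    }
    if prompt:
        params["prompt"] = prompt
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def request_params(url: str) -> dict:
    """Flatten the query string of a request or response URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_authorization_response(session: dict, redirect_url: str) -> str:
    """Validate the "Authorization Response + code" redirect and return the code.

    The stored state is consumed (popped) so a response cannot be replayed
    against the same session. Raises ValueError if the response is not bound
    to this session, carries an error, or lacks a code.
    """
    query = request_params(redirect_url)
    expected_state = session.pop("oidc_state", None)
    state = query.get("state")
    if expected_state is None or state is None or not hmac.compare_digest(
        expected_state.encode(), state.encode()
    ):
        raise ValueError("state mismatch: response not bound to this session")
    if "error" in query:
        raise ValueError("authorization error: " + query["error"])
    code = query.get("code")
    if not code:
        raise ValueError("no authorization code in response")
    return code


def check_id_token_nonce(session: dict, id_token_claims: dict) -> bool:
    """After the back-channel code exchange, the ID Token's nonce must equal the one sent.

    This is in addition to signature and iss/aud/exp validation of the ID Token.
    """
    expected = session.pop("oidc_nonce", None)
    got = id_token_claims.get("nonce")
    if expected is None or not isinstance(got, str):
        return False
    return hmac.compare_digest(expected.encode(), got.encode())


if __name__ == "__main__":
    session = {}
    url = build_authorization_request(session, prompt="login")
    print(url)
    # Constructed redirect as the OpenID Provider would send it back via the browser.
    back = REDIRECT_URI + "?code=constructed-code-123&state=" + session["oidc_state"]
    print(handle_authorization_response(session, back))
```

Both comparisons are constant-time and both stored values are single-use; the state check happens before the code is ever exchanged, so a forged or stale redirect never reaches the Token Endpoint.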
Simple, right?
Any Questions?
SAML
Brian Campbell
@weeUnquietMind
Gluecon 2013
http://is.gd/1qoMXG