
USC’s OAuth Recipe: OAuth + Enriched Identity Data + Central Authorization

USC’s OAuth Recipe: OAuth + Enriched Identity Data + Central Authorization. Brendan Bellina, Mgr, Identity and Access Management, University of Southern California, brendan.bellina@usc.edu. Discussion Points: Benefits and Challenges of OAuth; Techniques to Address Major Challenges


Presentation Transcript


  1. USC’s OAuth Recipe: OAuth + Enriched Identity Data + Central Authorization
     Brendan Bellina, Mgr, Identity and Access Management, University of Southern California, brendan.bellina@usc.edu

  2. Discussion Points
     • Benefits and Challenges of OAuth
     • Techniques to Address Major Challenges
     • Self-Registration into Institutional Identity Store using Shibboleth
     • Enriched Identity Data
     • Account Linking and Unlinking
     • External Authorization using Groups
     • Live Demonstration

  3. Benefits of Using OAuth (Social Providers)
     • Extend USC Services to greater populations using existing credentials stored elsewhere
     • Password related issues addressed by OAuth provider
     • Social providers being commonplace reduces barrier to adoption

  4. Challenges With Using OAuth
     • Different versions of OAuth with different capabilities
     • Inconsistent and unpredictable attribute release
     • Attributes required for applications may be missing
     • Identity is self-asserted – potential risk to applications
     • User may use multiple OAuth providers, leads to login confusion and multiple identifiers
     • OAuth providers come and go, leading to potential loss of identifier persistence
     • How to Revoke an OAuth Login
     • Authentication without Authorization

  5. What Is Needed
     • Allow multiple OAuth providers per identity and the provider should be transparent to the service
       • Addresses problem of user using multiple OAuth providers
       • Addresses problem of deprecated OAuth providers
     • Deliver a standard attribute set regardless of OAuth provider or version for compatibility with applications
     • Provide consistent user attribute values to services
     • Externalize authorization to apps to reduce risk and allow revocation
     • Support for both Just-in-Time provisioning and ETL provisioning

  6. Benefits of Self-Registration
     • Registry provides single place for maintenance of user attributes
     • Opportunity to enrich data released by OAuth providers to meet requirements and provide consistency
     • Allows creation of persistent identifiers for use across institutional services
     • Opportunity to provide linking to multiple OAuth providers to address continuity
     • Ability for user to unlink an OAuth Provider or credential
     • Registry entries can be used for ETL Provisioning
     • Registry entries can be used for authorization

  7. Workflow for External Guest at USC (diagram; box text in the order extracted)
     • Register using OAuth Provider at USC Guestreg site, select user ID
     • GDS Groups Sync process initiated every 10 minutes
     • Receive Email with registered id (eppn)
     • 5 - 10 min
     • Group manager uses MyGroups to submit participant to groups
     • GDS Groups Sync process initiated every 10 minutes
     • Contacts group managers, providing registered id
     • Wait < 10 minutes
     • Enriched Packet consisting of registered id (eppn), standard attribute set, and scoped group memberships from USC IdP provided to application
     • Guest goes to app and selects OAuth provider and logs in
     Legend: End User Actions, Administrator Actions, Automated Processes

  8. Guest Self-Registration

  9. Live Demonstration

  10. Oh great gods of the Demo, we beseech thee, bless us with bandwidth and stability in these times of interactivity. Let not browser bugs hamper us in our clicking.
      Credit to Jim Phelps, UW Madison

  11. Directed to Guest Registration Site (www.usc.edu/guestreg)

  12. Select Your OAuth Provider

  13. Login to the OAuth Provider (Facebook in this case)

  14. Allow Release of Attributes from OAuth Provider

  15. Select Persistent ID

  16. Self-assert Enriched Data

  17. Display/Maintenance of Current Registration

  18. Notification of Registered ID / ePPN

  19. Linking An Additional OAuth Provider

  20. Use “Link social account” Option

  21. Select OAuth Provider to Link

  22. Login to the OAuth Provider (Google in this case)

  23. Presto Chango…

  24. External Authorization

  25. But… An Account Alone Isn’t Authorization

  26. Application Administrator Authorizes Guest

  27. Authorized Guest Accesses Application

  28. Selects OAuth Provider

  29. Login to OAuth Provider (Facebook this time)

  30. Personalized Access to the Application

  31. Select a Linked OAuth Provider

  32. Login to OAuth Provider (Google this time)

  33. Identical Personalized Access to the Application

  34. Some Technical Decision Points
      • Session Lifetime of OAuth Login Credential – We decided on short
      • Avoiding Potential ID conflicts – We decided to put all guest IDs in the unique domain guest.usc.edu
      • Using the same OAuth login with multiple registrations – We do not allow this as it would not be evident which registered ID and attributes to use
      • Bypassing registration for an app – We are not requiring registration for all applications but encourage it because of the significant benefits of registering
      • Lifetime of Registered Guest Accounts – We are not terminating them at this time

  35. Questions…

  36. Links
      • USC: http://www.usc.edu
      • USC IAM Website: http://www.usc.edu/iam
      • USC Guest Registration: http://www.usc.edu/guestreg
      • USC MyGroups: http://www.usc.edu/mygroups
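
The registry design from slides 5, 6 and 34, sketched as an added example (not USC's code): several OAuth logins link to one registered ID in guest.usc.edu, an OAuth login can belong to only one registration, and the application authorizes on group membership in the enriched packet rather than on the login itself. The class, method, attribute and group names are hypothetical, and the provider subject IDs are constructed.

```python
from dataclasses import dataclass, field

GUEST_SCOPE = "guest.usc.edu"  # guest ID domain named on slide 34


@dataclass
class Guest:
    eppn: str
    attributes: dict                       # standard attribute set, enriched at registration
    groups: set = field(default_factory=set)


class GuestRegistry:
    """Hypothetical in-memory registry illustrating linking and unlinking."""

    def __init__(self):
        self.guests = {}  # eppn -> Guest
        self.links = {}   # (provider, subject) -> eppn

    def _claim(self, provider, subject, eppn):
        # Slide 34: the same OAuth login may not serve two registrations.
        if (provider, subject) in self.links:
            raise ValueError("OAuth login already linked to a registration")
        self.links[(provider, subject)] = eppn

    def register(self, provider, subject, user_id, attributes):
        eppn = f"{user_id}@{GUEST_SCOPE}"
        if eppn in self.guests:
            raise ValueError("persistent ID already taken")
        self._claim(provider, subject, eppn)
        self.guests[eppn] = Guest(eppn, dict(attributes))
        return eppn

    def link(self, eppn, provider, subject):
        if eppn not in self.guests:
            raise KeyError(eppn)
        self._claim(provider, subject, eppn)

    def unlink(self, eppn, provider, subject):
        if self.links.get((provider, subject)) != eppn:
            raise ValueError("login is not linked to this registration")
        del self.links[(provider, subject)]

    def packet(self, provider, subject):
        """Enriched packet for an app; identical for every linked provider."""
        eppn = self.links.get((provider, subject))
        if eppn is None:
            return None  # unregistered or unlinked login
        g = self.guests[eppn]
        return {"eppn": eppn, "attributes": dict(g.attributes), "groups": sorted(g.groups)}


def authorize(packet, required_group):
    # An account alone is not authorization: require the group membership.
    return packet is not None and required_group in packet["groups"]
```

Removing a guest from the group, or unlinking a login, revokes access without touching the OAuth provider.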
