John Bradley, Ping Identity @ve7jtb - PowerPoint PPT Presentation (22 slides)

Presentation Transcript
slide1

Synergies or (hey you got SAML on my OAuth!)

John Bradley, Ping Identity

@ve7jtb

slide2

SAML

OAuth

SCIM

JWT

UMA

OpenID

slide3

(empty slide: unfilled template placeholders)
slide4

(agenda diagram repeated: SAML, OAuth, SCIM, JWT, UMA, OpenID)

slide5

OpenID & JWT & OAuth

  • OpenID Connect profiles/extends OAuth & JWT
    • Adds an identity layer on top of OAuth 2.0
    • Specifies JWT as the format of its 'identity token' (the ID Token)
  • Reflects harmonization of competing proposals (vNext, Connect, AB) for the evolution of OpenID 2.0
  • Enables higher LOA by allowing assertions to flow through the back-channel (à la the SAML artifact binding) or to be protected by signing and encryption
slide6

OpenID & JWT & OAuth

  • Whereas OAuth is a general mechanism to authorize API access, OpenID Connect profiles that generic mechanism for the specific purpose of sharing profile (identity) information
  • Uses the authorization code & implicit grant types – the pieces of OAuth optimized for user-consent scenarios
  • Leverages the authorization & token endpoints & adds identity-based parameters to the core OAuth messages
slide7

OpenID & JWT & OAuth

  • Authorization Endpoint (as in OAuth 2): the Client sends a request to the Server's Authorization Endpoint; the Server authenticates the End-User and, after authorization, returns an Authorization Code.
  • Token Endpoint (as in OAuth 2): the Client sends the Access Token Request to the Token Endpoint and receives an Access Token Response that includes an access_token.
  • UserInfo Endpoint (as in Facebook Connect): the access_token MAY be sent to the UserInfo Endpoint to obtain user information / assertions / claims about the user.
  • New in OpenID Connect: the ID Token, aggregated claims, distributed claims and Session Management.

slide8

(agenda diagram repeated: SAML, OAuth, SCIM, JWT, UMA, OpenID)

slide9

SAML & OAuth

Three ways to combine the two:

  • 'Hybrid' (SAML carrying OAuth): carry an OAuth token in SAML SSO messages
  • 'Assertion profile' (OAuth carrying SAML): use SAML assertions within the OAuth flow
  • 'Sequencing' (SAML, then OAuth): use SAML SSO to authenticate the user to the AS

slide10

(agenda diagram repeated: SAML, OAuth, SCIM, JWT, UMA, OpenID)

slide11

SCIM & SAML

  • SAML binding for SCIM
    • Carry a SCIM resource (e.g. a User) as attributes in the SAML SSO message
    • Enables JIT (just-in-time) provisioning at the SP
    • Supplements, rather than replaces, the SCIM API model
  • SCIM API messages to provision accounts ahead of subsequent SAML SSO
slide12

SCIM & SAML

<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      Name="SCIM.userName">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      Name="SCIM.name.formatted">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
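The SP side of this binding, as an added example that is not from the slides: it takes the SCIM-named SAML attributes of slide 12 and turns them into a SCIM User for JIT provisioning. The "SCIM.<attribute path>" naming and the namespaces are the slide's; the rule that userName is mandatory, the extra sample attributes (SCIM.title and a non-SCIM memberOf) and the nested-dict output shape are assumptions for illustration.

```python
# Added example, not from the slides: map SCIM.* SAML attributes to a SCIM User
# for just-in-time provisioning. Assumptions: userName is required, the output
# is a nested dict keyed by the SCIM attribute path, and the sample's extra
# attributes (SCIM.title, memberOf) are constructed.
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SCIM_PREFIX = "SCIM."

def scim_user_from_saml(statement_xml: str) -> dict:
    """Map SCIM.* SAML attributes to a nested SCIM User dict.

    Call this only on an assertion whose signature, issuer, audience and
    validity window have already been verified: until then every value
    here is attacker-controlled and must not create or update an account.
    """
    root = ET.fromstring(statement_xml)
    if root.tag != SAML + "AttributeStatement":
        raise ValueError("expected a saml:AttributeStatement")
    user: dict = {}
    for attr in root.findall(SAML + "Attribute"):
        name = attr.get("Name", "")
        if not name.startswith(SCIM_PREFIX):
            continue                                    # non-SCIM attributes are not provisioning data
        values = [(v.text or "").strip() for v in attr.findall(SAML + "AttributeValue")]
        values = [v for v in values if v]
        if not values:
            continue
        *parents, leaf = name[len(SCIM_PREFIX):].split(".")
        node = user
        for key in parents:                             # "name.formatted" -> {"name": {"formatted": ...}}
            node = node.setdefault(key, {})
            if not isinstance(node, dict):
                raise ValueError(f"conflicting SCIM attribute paths under {name}")
        node[leaf] = values[0] if len(values) == 1 else values
    if not user.get("userName"):
        raise ValueError("SCIM.userName is required to provision an account")
    return user

# Constructed sample: slide 12's statement plus one more SCIM attribute and one
# non-SCIM attribute that the mapper must ignore.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.userName">
    <saml:AttributeValue xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.name.formatted">
    <saml:AttributeValue xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.title">
    <saml:AttributeValue xsi:type="xs:string">Tour Guide</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="memberOf">
    <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">tour-guides</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

if __name__ == "__main__":
    print(scim_user_from_saml(SAMPLE_STATEMENT))
```

The stdlib parser is used only to keep the example dependency-free; a real SP parses untrusted SAML with a hardened parser (defusedxml or equivalent) and, more importantly, runs this mapping only after XML-signature validation of the whole assertion, since an attribute statement that was not signed by the IdP is just text the client chose.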

slide13

(agenda diagram repeated: SAML, OAuth, SCIM, JWT, UMA, OpenID)

slide14

SCIM & OAuth

Use OAuth to secure SCIM API calls

Use SCIM to provision account for subsequent OAuth-based mobile access to SaaS APIs

slide15

SCIM & OAuth

POST /User HTTP/1.1
Host: example.com
Accept: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>bjensen@example.com</userName>
  <externalId>701984</externalId>
  <emails>
    <email>
      <value>bjensen@example.com</value>
      <primary>true</primary>
      <type>work</type>
    </email>
  </emails>
</scim:User>
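What "use OAuth to secure SCIM API calls" means on the resource-server side, as an added example that is not from the slides: the checks example.com would run on the request above before creating anything. The SCIM 1.0 XML and the bearer token value are the slide's; the token store, the scope names, the fixed clock and the handler's (status, headers, body) return shape are assumptions for illustration.

```python
# Added example, not from the slides: bearer-token authorization in front of a
# SCIM "create user" endpoint. Assumptions: a constructed token store standing
# in for token introspection, the scope names scim:read/scim:write, a fixed
# clock, and a (status, headers, body) handler return shape.
import hashlib
import xml.etree.ElementTree as ET

SCIM_NS = "{urn:scim:schemas:core:1.0}"
NOW = 1_700_000_000          # fixed clock so the example is reproducible

def _key(token: str) -> str:
    # Index the store by a hash: a leaked store must not yield usable bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed token store standing in for token introspection at the AS.
TOKENS = {
    _key("h480djs93hd8"): {"client_id": "s6BhdRkqt3", "scope": {"scim:write"}, "exp": NOW + 3600},
    _key("expired000"):   {"client_id": "s6BhdRkqt3", "scope": {"scim:write"}, "exp": NOW - 1},
    _key("readonly111"):  {"client_id": "auditor01",  "scope": {"scim:read"},  "exp": NOW + 3600},
}
# RFC 6750 section 3.1: no credential -> bare 401 challenge; error codes map to these statuses.
STATUS = {"": 401, "invalid_request": 400, "invalid_token": 401, "insufficient_scope": 403}

def authorize(headers: dict, required_scope: str, now: int = NOW) -> dict:
    """Return the token record for an acceptable bearer token, else raise PermissionError(error_code)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        raise PermissionError("")                     # no bearer credential presented at all
    if not token.strip():
        raise PermissionError("invalid_request")
    rec = TOKENS.get(_key(token.strip()))
    if rec is None or rec["exp"] <= now:
        raise PermissionError("invalid_token")        # unknown, revoked or expired
    if required_scope not in rec["scope"]:
        raise PermissionError("insufficient_scope")
    return rec

def handle_create_user(headers: dict, body: bytes, now: int = NOW) -> tuple:
    """POST /User: authorize first; the request body is parsed only after the token is accepted."""
    try:
        rec = authorize(headers, "scim:write", now)
    except PermissionError as err:
        code = str(err)
        challenge = 'Bearer realm="scim"' + (f', error="{code}"' if code else "")
        if code == "insufficient_scope":
            challenge += ', scope="scim:write"'
        return STATUS[code], {"WWW-Authenticate": challenge}, {"error": code or "unauthorized"}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return 400, {}, {"error": "malformed XML"}
    if root.tag != SCIM_NS + "User" or not root.findtext("userName"):
        return 400, {}, {"error": "expected a scim:User with a userName"}
    user = {
        "userName": root.findtext("userName"),
        "externalId": root.findtext("externalId"),
        "emails": [{"value": e.findtext("value"), "type": e.findtext("type"),
                    "primary": e.findtext("primary") == "true"} for e in root.findall("emails/email")],
        "provisionedBy": rec["client_id"],            # audit trail: which OAuth client created the account
    }
    return 201, {"Content-Type": "application/xml"}, user

# Constructed request body: the User from slide 15.
SAMPLE_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>bjensen@example.com</userName>
  <externalId>701984</externalId>
  <emails><email><value>bjensen@example.com</value><primary>true</primary><type>work</type></email></emails>
</scim:User>"""

if __name__ == "__main__":
    print(handle_create_user({"Authorization": "Bearer h480djs93hd8"}, SAMPLE_BODY))
    print(handle_create_user({"Authorization": "Bearer readonly111"}, SAMPLE_BODY))
```

Two design points worth keeping when this becomes real code: the token check runs before the body is parsed, so an unauthenticated caller never reaches the XML parser, and the store records which client minted each account so provisioning abuse is attributable to a client_id rather than to "someone with a token".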

slide16

(agenda diagram repeated: SAML, OAuth, SCIM, JWT, UMA, OpenID)

slide17

SAML & JWT & OAuth

  • Use a SAML assertion or a JWT for OAuth client authentication and/or as an OAuth grant type
  • Example: a SAML client assertion authenticating the client on an authorization_code token request

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=i1WsRn1uB1&client_id=s6BhdRkqt3&client_assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&client_assertion=PHNhbWxwOl…...ZT
slide18

SAML & JWT & OAuth

Layering of the specs:

  • OAuth: the core protocol
  • Assertion profile: how to use assertions for client authentication and as a grant type
  • SAML profile / JWT profile: profile the assertion profile for a specific assertion format
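One small JWT mint/verify pair used two ways, as an added example that is not from the slides: first as the ID Token of slide 7, with the checks an RP must make before believing "who logged in", and then as the JWT client assertion of slides 17-18, with the client building it and the token endpoint checking it. Assumptions for illustration: HS256 with a shared secret (deployments normally use asymmetric keys so the verifier holds no signing capability), a caller-supplied clock `now`, the JWT assertion-type URN from RFC 7523 instead of the SAML URN on slide 17, and the constructed issuer, client and subject values.

```python
# Added example, not from the slides: minimal JWT mint/verify (HS256, shared
# secret, assumed for illustration), then (a) ID Token validation for slide 7
# and (b) JWT client-assertion build/check for slides 17-18. The RFC 7523
# assertion-type URN and all issuer/client ids are assumptions.
import base64
import hashlib
import hmac
import json
import uuid

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, key: bytes) -> str:
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes) -> dict:
    """Signature first, claims second. The verifier fixes the algorithm; the token does not choose it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")             # blocks alg=none and algorithm-confusion tricks
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))

# --- (a) ID Token, slide 7: what the RP checks before trusting the login ---
def validate_id_token(token: str, key: bytes, issuer: str, client_id: str, nonce: str, now: int) -> str:
    c = verify_jwt(token, key)
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if c.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id not in aud or (len(aud) > 1 and c.get("azp") != client_id):
        raise ValueError("token not issued to this client")
    if c.get("exp", 0) <= now:
        raise ValueError("expired")
    if c.get("nonce") != nonce:                         # nonce binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return c["sub"]

# --- (b) JWT client assertion, slides 17-18: client builds it, token endpoint checks it ---
def build_client_assertion(client_id: str, token_endpoint: str, key: bytes, now: int) -> str:
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": now, "exp": now + 300, "jti": uuid.uuid4().hex}
    return mint_jwt(claims, key)

def token_request_form(code: str, client_id: str, assertion: str) -> dict:
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_assertion_type": JWT_BEARER, "client_assertion": assertion}

def authenticate_client(form: dict, client_keys: dict, token_endpoint: str, seen_jtis: set, now: int) -> str:
    """Token-endpoint side: return the authenticated client_id or raise."""
    if form.get("client_assertion_type") != JWT_BEARER:
        raise ValueError("unsupported client_assertion_type")
    parts = form.get("client_assertion", "").split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    claimed_iss = json.loads(_unb64url(parts[1])).get("iss")    # unverified: used only to select the key
    key = client_keys.get(claimed_iss)
    if key is None:
        raise ValueError("unknown client")
    c = verify_jwt(form["client_assertion"], key)               # the signature now binds iss to the key
    if c.get("sub") != claimed_iss or form.get("client_id", claimed_iss) != claimed_iss:
        raise ValueError("iss/sub/client_id mismatch")
    if c.get("aud") != token_endpoint:
        raise ValueError("assertion not addressed to this token endpoint")
    if c.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    if not c.get("jti") or c["jti"] in seen_jtis:
        raise ValueError("assertion replayed or missing jti")
    seen_jtis.add(c["jti"])
    return claimed_iss
```

The two audience checks are the ones people skip: an ID Token for another client must not log a user in here, and a client assertion minted for one token endpoint must not authenticate the client at another, which is why the assertion's aud is the token endpoint URL and why the jti is remembered for the assertion's lifetime.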

slide19

(agenda diagram repeated: SAML, OAuth, SCIM, JWT, UMA, OpenID)

slide20

UMA & OAuth

  • User Managed Access extends OAuth 2.0 to let a user manage access to multiple (and distributed) resources through a centralized Authorization Manager
  • Leverages the separation between AS & RS introduced by WRAP
slide21

(agenda diagram repeated: SAML, OAuth, SCIM, JWT, UMA, OpenID)

slide22

Thank you.

@ve7jtb