Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Internet Identity Layer OpenID Connect Update for HIT Standards Committee’s Privacy and Security Workgroup Wednesday, March 12th from 10:00-2:45 PM.

Published byEdith Eaton Modified over 9 years ago

Similar presentations

Presentation on theme: "The Internet Identity Layer OpenID Connect Update for HIT Standards Committee’s Privacy and Security Workgroup Wednesday, March 12th from 10:00-2:45 PM."— Presentation transcript:

1 The Internet Identity Layer OpenID Connect Update for HIT Standards Committee’s Privacy and Security Workgroup Wednesday, March 12th from 10:00-2:45 PM Nat Sakimura Chairman, OpenID Foundation

2 The Internet Identity Layer TCP/IP Reference Model

3 The Internet Identity Layer Application Software/Service IAM Over 95% of the internet security issues stems from lousy identity and access management (IAM). Application Software/Service IAM

4 The Internet Identity Layer Outsourcing to the Identity Layer  enables application software / service to focus on what they are good at. Application Software/Service Identity Layer

5 The Internet Identity Layer OpenID Connect is now a fully ratified international standard and is ready to be used  OpenID Connect specifications:  OpenID Connect Core OpenID Connect Core  Defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of claims to communicate information about the End-User  http://openid.net/specs/openid-connect-core-1_0.html  OpenID Connect Discovery OpenID Connect Discovery  (Optional) Defines how clients dynamically discover information about OpenID Providers  http://openid.net/specs/openid-connect-discovery-1_0.html  OpenID Connect Dynamic Registration OpenID Connect Dynamic Registration  (Optional) Defines how clients dynamically register with OpenID Providers  http://openid.net/specs/openid-connect-registration-1_0.html  OAuth 2.0 Multiple Response Types OAuth 2.0 Multiple Response Types  Defines several specific new OAuth 2.0 response types  http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html (c)2014 by Nat Sakimura. CC-BY-SA

6 The Internet Identity Layer An identity layer on top of OAuth 2.0  Simple, REST based, yet secure;  Authentication method agnostic and supports Authentication Context and step up authentication;  Consent Framework Inside (explicit, implicit, revocation);  Fair Information Practice Principles (FIPPs) friendly;  Access Delegation (Access Granting) so that data can be accessed without user in presence;  Distributed Claims model for dealing with multiple data sources; (c)2014 by Nat Sakimura. CC-BY-SA

7 The Internet Identity Layer Implementing OpenID Connect is “Simple & Easy” yet Secure  Multiple open source implementations as well as commercial implementations are available.  Options for digital signature and end to end encryption. Open source implementations Java MITREid Connect oleo OX OpenID Connect Platform PHP phpOIDC Python pyoidc Ruby Ruby OpenID Connect etc. Open source implementations Java MITREid Connect oleo OX OpenID Connect Platform PHP phpOIDC Python pyoidc Ruby Ruby OpenID Connect etc. (c)2014 by Nat Sakimura. CC-BY-SA

8 The Internet Identity Layer IdP Has been looking at the NwHIN related use cases when coming up with requirements. “Alice goes to a college use case” Alice IdP 1.Alice downloads higher assurance authentication app and creates an account at an IdP. (May reuse her account if she has it already) Chicago Clinic 2. Consumer goes to doctor’s office and have her existing health record bound to her IdP identity The doctor knows Alice well so there is no issue in the identity binding. (c)2014 by Nat Sakimura. CC-BY-SA

9 The Internet Identity Layer IdP “Alice goes to a college use case” (continued) Alice IdP 3. Now she moves to Boston to attend college. She fell sick after that. Chicago Clinic 4. Alice authorizes the access to her records at Chicago Clinic to Boston Clinic (ID Token format based structured token) Boston Clinic 5. Boston clinic presents the token to obtain Alice’s record at the Chicago Clinic (c)2014 by Nat Sakimura. CC-BY-SA

10 The Internet Identity Layer Used in Blue Button+ & RHEx  “Final Recommendations for RESTful Exchange Standards”  http://www.healthit.gov/facas/sites/faca/files/2013 Aug_HITSC_NwHINPT_FINAL.pdf http://www.healthit.gov/facas/sites/faca/files/2013 Aug_HITSC_NwHINPT_FINAL.pdf (c)2014 by Nat Sakimura. CC-BY-SA

11 The Internet Identity Layer Appendix: Useful Links  OpenID Foundation OpenID Foundation  OpenID Specifications OpenID Specifications  OpenID Connect is here! – An Identity Layer on the internet OpenID Connect is here! – An Identity Layer on the internet  OpenID Connect Stripped down to just “Authentication” OpenID Connect Stripped down to just “Authentication”  Write an OpenID Connect server in three simple steps Write an OpenID Connect server in three simple steps (c)2014 by Nat Sakimura. CC-BY-SA

Download ppt "The Internet Identity Layer OpenID Connect Update for HIT Standards Committee’s Privacy and Security Workgroup Wednesday, March 12th from 10:00-2:45 PM."

Similar presentations

User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq IIW 16, May 2013 1.

User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq IIW 16, May
Contrail and Federated Identity Management

Contrail and Federated Identity Management
Commercial Presentation 1AIAC 2010-2011 Group 1.  Motivation – Qualification Assurance  CERTCOP - Competence verification  Motivation – Document Validity.

Commercial Presentation 1AIAC Group 1.  Motivation – Qualification Assurance  CERTCOP - Competence verification  Motivation – Document Validity.
Internet Security Protocols

Internet Security Protocols
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Securing Insecure Prabath Siriwardena, WSO2 Twitter

Securing Insecure Prabath Siriwardena, WSO2 Twitter
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Mashing Up with User-Centric Identity America Online LLC John Panzer, Praveen Alavilli.

Mashing Up with User-Centric Identity America Online LLC John Panzer, Praveen Alavilli.
Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.

Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.
OpenID Connect Update and Discussion Mountain View Summit – September 12, 2011 Mike Jones – Microsoft John Bradley – Independent Nat Sakimura – Nomura.

OpenID Connect Update and Discussion Mountain View Summit – September 12, 2011 Mike Jones – Microsoft John Bradley – Independent Nat Sakimura – Nomura.
Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.

Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.
Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.

Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.
User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.

User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.
Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University.

Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University.
OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.

OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.
TATRC and MITRE to NwHIN Power Team 12 June 2013 RESTful Health Exchange (RHEx)

TATRC and MITRE to NwHIN Power Team 12 June 2013 RESTful Health Exchange (RHEx)
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.

Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.
UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.

UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.
Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

Similar presentations

Ads by Google