Published by Jared Hunt. Modified over 9 years ago.
Copyright ©2012 Ping Identity Corporation. All rights reserved.
Unified Identity in Cloud Architectures
EEMA 2012
John Bradley, @ve7jtb, Office of the CTO
Future of IT Architecture
Thousands of applications and services, everywhere
–Some you can control: local web services, local infrastructure, apps/services on IaaS
–Many you can't control: SaaS APIs, PaaS APIs, IaaS APIs, partner APIs
Ultimate Decentralization
Diversity of architecture
–If the cloud vendor's coding philosophy conflicts with yours, you must adapt
Limited visibility
–No database access
–No direct audit file access
No contractual power
–Like it or lump it
Decentralization == Chaos?
Business managers operating administration consoles
Developers writing API code for the business
–Native mobile apps
–Mashups
–Are they security specialists?
Silos of work with no central control
Fragmentation Causes Risk
Business agility suffers
–Decision making is impaired
IT response time is low
–Every application and service has to be treated differently
Productivity suffers
–Every application looks and feels different
–No secure "ceremony" for users
–Developers must re-invent a new process every time
Risk to the organization increases
–What happens when you fire somebody?
Solution: Centralize & Adapt
Industry has adopted "federated identity" to move security decisions into central infrastructure
Federated protocols now exist to protect both web applications and APIs, e.g. SAML, WS-Trust, OAuth 2.0, and OpenID Connect
What does this mean?
Developers don't set passwords in code
–They ask for a token
–The token is used during API calls
Applications don't store passwords
–They rely on a central authority to identify the user
–They validate the central authority, not the user
Central infrastructure does the rest
–Password validation, security, risk/fraud
Create Infrastructure
(diagram: Legacy SOAP Services, Identity Management)
Act as a Client
(diagram: Legacy SOAP Services, Identity Management; REST calls out to a Cloud Application)
Act as a Server
(diagram: Legacy SOAP Services, Identity Management; REST calls in)
Act as an Identity Provider
(diagram: Legacy SOAP Services, Identity Management; Browser SSO to a Cloud Application)
Leverage with Mobile Apps
(diagram: REST calls in; Legacy SOAP Services, Identity Management)
1. Use browser to fetch OAuth 2.0 token
2. Transform attributes
3. Use token for API calls
Leverage at Cloud Apps
(diagram: Legacy SOAP Services, Identity Management, Cloud Application)
1. Request token
2. Browser SSO to fetch SAML token
3. Generate OAuth 2.0 token from SAML
4. Access API with token
Concrete Example: OAuth 2.0 with SAML
Trigger an OAuth Token Request

    GET /as/authorization.oauth2?client_id=mobileapp&redirect_uri=mobileapp://redirect_here&response_type=code HTTP/1.1
User Logs in at Enterprise
(screenshot)
Consent at Cloud Service
(screenshot)
Client Trades Code for Access Token

The authorization server redirects the browser back to the client with the code:

    HTTP/1.1 302 Found
    Location: mobileapp://redirect_here?&code=wizJmaSTPAf0wqSeB3vmDx2mNSZK6g

The client posts the code to the token endpoint:

    POST /as/token.oauth2 HTTP/1.1
    Host: as.com

    client_id=a&redirect_uri=mobileapp://redirecthere&grant_type=authorization_code&code=wizJmaSTPAf0wqSeB3vmDx2mNSZK6g

and receives the tokens:

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8

    {"token_type":"Bearer","expires_in":"600","refresh_token":"oQWqwMUIL2ndeMHsWEyFO0GyalvKSvc2QI4YuG82RMGkM","access_token":"lSBbci4Jg8MsjiSqZLBrzEXgd4mKUNhOkyF"}
Client Uses Token at API

    GET https://na1.salesforce.com/services/data/v22.0/chatter/users/me
    Authorization: Bearer lSBbci4Jg8MsjiSqZLBrzEXg

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8

    {
      "aboutMe": "Head SE South",
      "address": {
        "city": "New Orleans",
        "country": "US",
        "state": "LA",
        "street": "923 Bourbon Street",
        "zip": "70116"
      },
      "currentStatus": {
    (response truncated on the slide)
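The three HTTP exchanges above (authorization request, code-for-token trade, bearer token at the API) shown as the central authority's side of the flow. This is an added example, not Ping Identity's code; the in-memory stores, TTLs and function names are assumptions, and the point is the checks that make the code and token trustworthy: the code is single-use, short-lived, and redeemable only by the client_id and redirect_uri from the authorization request, and the API validates the token rather than any user password.

```python
import secrets
import time
from urllib.parse import parse_qs

# Hypothetical in-memory stores; a real authorization server persists these.
PENDING_CODES = {}   # code -> {client_id, redirect_uri, issued_at}
ACCESS_TOKENS = {}   # access_token -> {client_id, expires_at}
CODE_TTL = 60        # seconds a code stays redeemable (assumed value)
TOKEN_TTL = 600      # matches the expires_in shown on the slide


def issue_code(client_id, redirect_uri):
    """Mint a single-use code bound to the client_id and redirect_uri from the
    authorization request (the GET /as/authorization.oauth2 step)."""
    code = secrets.token_urlsafe(24)
    PENDING_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                           "issued_at": time.time()}
    return code


def token_endpoint(form_body):
    """Handle the POST /as/token.oauth2 body; return (status, json_body)."""
    p = {k: v[0] for k, v in parse_qs(form_body).items()}
    if p.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    # pop() makes the code single-use: a replayed code fails below
    entry = PENDING_CODES.pop(p.get("code", ""), None)
    if entry is None or time.time() - entry["issued_at"] > CODE_TTL:
        return 400, {"error": "invalid_grant"}
    # The code is redeemable only by the client, and for the redirect_uri,
    # that the authorization request used
    if (entry["client_id"] != p.get("client_id")
            or entry["redirect_uri"] != p.get("redirect_uri")):
        return 400, {"error": "invalid_grant"}
    token = secrets.token_urlsafe(24)
    ACCESS_TOKENS[token] = {"client_id": entry["client_id"],
                            "expires_at": time.time() + TOKEN_TTL}
    return 200, {"token_type": "Bearer", "expires_in": TOKEN_TTL,
                 "access_token": token}


def resource_endpoint(authorization_header):
    """Validate the Authorization: Bearer header an API call carries; return (status, body)."""
    scheme, _, token = authorization_header.partition(" ")
    entry = ACCESS_TOKENS.get(token.strip())
    if scheme.lower() != "bearer" or entry is None or entry["expires_at"] < time.time():
        return 401, {"error": "invalid_token"}
    # the API trusts the central authority's token, never a user password
    return 200, {"client_id": entry["client_id"]}
```

The slide's JSON carries expires_in as the string "600"; the example returns it as an integer, which is the form RFC 6749 specifies.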
Architecture Advantages
Users always authenticate in the same place
–Teach them to expect your ceremony
–Protect against the Password Antipattern
Developers never see or store passwords
–Only need to know how to ask for a token and use it at APIs
–Or: ask once for credentials but never store them
IT oversees every authentication
–One attack surface & security plan
–One audit point
Same infrastructure regardless of medium
–Web or web service
Cloud Identity Management
Centralizes cloud access control
Strengthens security
Integrates with existing infrastructure
Simplifies password maintenance
Deploys in days
http://www.pingidentity.com