IDENTITY MANAGEMENT IN THE 21ST CENTURY
Arjan Lamers
Software architect, Conclusion
ABOUT CONCLUSION
• 2000 employees
• 200 mln turnover
• Privately owned
• 2 divisions: IT services and Organisation services
• RedHat: Infrastructure services, Data & Integration services, Application services
GARTNER’S NEXUS OF FORCES
• 1. Social Networking
• 2. Cloud Computing
• 3. Mobile Communications
Integrated Single Sign On / Identity management system by Red Hat
WHAT IS IDENTITY MANAGEMENT?
• Identification
  • Who are you?
• Authentication
  • Can you prove that?
• Authorization
  • What are you allowed to do?
• Integrated SSO and IDM for browser apps and RESTful web services.
• Built on top of the OAuth 2.0, OpenID Connect, JSON Web Token (JWT) and SAML 2.0 specifications.
WHY KEYCLOAK?
• Why not DIY
• Security is hard
• Modern use-cases are complex
WHY NOT DIY
• Learning a new product takes time
• It’s faster typing such a trivial thing myself
WHY NOT DIY
• Just a user name + password is not much work
• But how about:
  • Password reset / forgot password
  • Create account
  • Update account
  • Assigning roles
  • Change password
WHY NOT DIY
• Building all those features is just plain boring
DIY LOGIN
• Creating a “user” table with passwords is easy
• What about hashing?
• Which hashing algorithm?
• Salting?
• Password policies?
DIY LOGIN
• Looked ok: 36 million passwords protected by bcrypt
• Only 0.0668% (±4000 very weak passwords) recovered after 5 days of non-stop computing
• They did their research
• Until a bug was found in the Ashley Madison code…
• 11 million passwords recovered in the next 5 days
• Even if you did your research, it doesn’t guarantee a correct implementation
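As an added illustration of the hashing questions on the DIY LOGIN slides (example code, not from the presentation), this Python sketch puts the naive “user table with passwords” beside a salted, iterated scheme. It uses the standard library’s PBKDF2 as a stand-in for the bcrypt the slides mention; the user records, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 work factor. bcrypt (as on the slides) would be
# the usual choice; PBKDF2 is used here only because it ships with Python.
ITERATIONS = 600_000


def weak_store(password: str) -> dict:
    """The naive 'user table' row: one fast, unsalted hash of the password."""
    return {"digest": hashlib.sha256(password.encode()).hexdigest()}


def weak_verify(record: dict, password: str) -> bool:
    # Plain string comparison, recomputed with the same fast hash.
    return record["digest"] == hashlib.sha256(password.encode()).hexdigest()


def hardened_store(password: str, iterations: int = ITERATIONS) -> dict:
    """Per-user random salt plus a deliberately slow, iterated hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Salt and work factor are stored next to the digest so the cost can be
    # raised later without breaking existing accounts.
    return {"salt": salt, "iterations": iterations, "digest": digest}


def hardened_verify(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def collides_for_equal_passwords(store) -> bool:
    """Check a storage scheme: do two users with the same password get the same
    stored digest? True means there is no per-user salt, so one cracked hash
    unlocks every account that shares that password."""
    first = store("correct horse battery staple")   # constructed sample password
    second = store("correct horse battery staple")
    return first["digest"] == second["digest"]


if __name__ == "__main__":
    print("weak scheme collides:", collides_for_equal_passwords(weak_store))
    print("hardened scheme collides:", collides_for_equal_passwords(hardened_store))
```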
USER FEDERATION
• Why not use accounts people already have?
• Social media
• Or corporate databases
MODERN ARCHITECTURE
MODERN USE CASES
• And what about SaaS providers?
MODERN USE CASES
• “I want to have a single store of users”
• “I want a single login”
• “We don’t want to store users”
MODERN IDENTITY MANAGEMENT
• Different protocols, conventions, naming
• OAuth2 – Yahoo/Facebook/Google
  • I want to share my album with that application
• SAML – B2B/SaaS
  • I want to give that user access to that service
• OpenID Connect, SAML 2.0
• Social Broker, Identity Broker.
• LDAP/Active Directory integration
• User Registration, Recaptcha, TOTP
• Fully Customizable
• Admin Console & REST API
• Deployable as a WAR, appliance, or an Openshift cloud service (SaaS).
• Supports multiple client platforms
• User profile CRUD, Revocation policies, Password policies, Impersonation.
CASE STUDY
• At an internet core services company we use Keycloak for:
  • Protecting an existing JEE application
  • Delegating User Federation to LDAP
  • Role-based authentication
CASE STUDY
• At an agriculture data company, we are building with Keycloak:
  • Protecting microservices
  • Complex authorisation rules
    • With different security levels
  • Using government-provided identities
CLOUD DONE DIFFERENTLY
Visit us at our stand at Red Hat Forum Benelux 2015