Identity, authentication, and authorization are the glue of modern distributed applications. They directly affect security, availability, and usability, and are often a significant barrier to the adoption of distributed paradigms such as SOA and cloud. Performing these tasks in monolithic, coupled systems is fairly well understood, but distributed environments of applications and services with heterogeneous security profiles present different challenges. In this session, we present architectural models, deployment techniques, and policy management ideas that represent the top 10 most important lessons we learned from implementing IAF: a large-scale, distributed authentication scheme for eBay marketplaces, PayPal, and eBay Mobile.
http://www.blogspot.com/SoftwareForAllSeasons
Cloud Identity Architecture
Farhang Kassaei Lead Platform Architect, eBay Inc.
My Profile
Software guy, not a “security” guy, not an encryption guru
Do not use Nmap, Snort, Wireshark… (sometimes Tcpdump)
Build large-scale systems: complex, consequential, and they must evolve gracefully
Believe that the majority of security issues are software architecture flaws with security consequences.
Your Profile
Planning to build a Cloud?
Planning to build an application for a Cloud?
Size of your company?
Primary function?
Familiar with SAML, OAuth, OpenID, Federated Identity?
Building products for your own company or for sale?
This presentation is interesting if you are
Platform architects building a large cloud to host internal or external applications.
Application engineers building applications to be deployed in a cloud.
Security architects/engineers responsible for authentication and authorization policies and their implementation.
Anyone who is curious to see an example of a large-scale identity system in action (eBay Marketplaces).
The [De facto] Cloud Model
Infrastructure (IaaS)
Platform (PaaS)
Software/Application (SaaS)
Services
The Security Boundaries
Infrastructure (IaaS)
Platform (PaaS)
Software/Application (SaaS)
Services/AP
(Diagram: authentication boundaries sit between these layers.)
What Do We Mean by Distributed Identity?
Two axes define the space (diagram):
- Where do the users of an application come from: Internal IDP vs. External IDP
- Location of the services used by an application: Same Domain vs. Other Domain
The four resulting models, as drawn:
- Monolithic Identity Architecture: internal IDP, services in the same domain
- Federated Users: external IDP, services in the same domain
- Federated Service Providers: internal IDP, services in other domains
- Fully Federated: external IDP, services in other domains
(Second diagram: Apps calling Resources/Services across domain boundaries.)
An Example: eBay Application Platform (AP)
A platform for building and operating distributed applications.
Uses an internal cloud as the application operation environment.
Runs most of what you see on eBay.com.
Consists of a portfolio of services and a standard application container (Java).
An Example: eBay Application Platform (diagram)
Services: Tracking, Billing, Storage, Payment, Search, Cart, Checkout, Similarity, Preferences, Tax, Messaging, Identity (Identity Services)
Applications on the Java Container: Fashion Shop, eBay Motors, 3P Application
Application Platform had to support
Managing the identity of apps, services, and all end users.
Managing and enforcing policies for groups of resources with heterogeneous security policies.
Direct authN as well as delegated and delegating authZ cases (more on this in a bit).
Plus federated SSO, impersonation, integrating acquisitions, mobile authentication, etc.
The rest is what we learned doing this…
Don’t we have SAML, OAuth, OpenID … for this?
Components in the diagram: Directory Service, STS, Consumer, Service Provider/RP, Guard, Provisioning, Distribution, Message Bus, and 3M (Management, Monitoring, Measuring).
…And this is what it looks like at eBay (diagram):
- Receptors, Directory Service, STS, Consumer, SP/RP
- 3M (Management, Monitoring, Measurement), Secure Storage, Policy Service, PAM, PKI
- AuthN: Registration, Primary Authenticators (Federated), Local Account, Account Linking, Entity Resolution, Verification & Assurances, Risk
- AuthZ: Privilege [Granting] Authority
- Mgmt. Tools
Ten Best Practices
Before you start
Establish Reference Model
The model is built up in layers over several slides (diagram): Consumer, SP/RP, STS and G (Guard); then the IDP behind the STS; then 3M (Manage, Measure, Monitor) over all of them. AuthN sits with the STS and IDP, behind the Guard.
Isolate RP from Identity Source
Applications deployed in the cloud should not make any assumptions about:
- the source of identity
- the authentication mechanisms
Applications operate based on a well-known identity context and policy expression framework.
An application should maintain a local account, and the platform should provide an Account Linking/Mapping service.
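One way to build the Account Linking/Mapping service the slide asks the platform to provide, as an added example that is not eBay's AP code. It keeps the application's local account separate from whichever IDP authenticated the user, so the identity source can change without touching application code. The class and field names (FederatedIdentity, LocalAccount, AccountLinker) and the sample IDP names are assumptions; the security point it makes explicit is that a matching e-mail address must never auto-merge two identities.

```python
"""Added example (not eBay's AP code): an Account Linking/Mapping service that
keeps the application's local account separate from the IDP that authenticated
the user. Class names and IDP names are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Optional
import itertools


@dataclass(frozen=True)
class FederatedIdentity:
    idp: str                    # issuer the STS vouched for, e.g. "paypal-idp"
    subject: str                # stable subject identifier at that IDP
    email: Optional[str] = None  # an attribute for display, NOT an identifier


@dataclass
class LocalAccount:
    account_id: str
    links: set = field(default_factory=set)   # set of (idp, subject) pairs


class AccountLinker:
    """Maps (idp, subject) pairs to local accounts. The application only ever
    sees a LocalAccount, so it makes no assumption about the identity source."""

    def __init__(self):
        self._by_link = {}            # (idp, subject) -> account_id
        self._accounts = {}           # account_id -> LocalAccount
        self._ids = itertools.count(1)

    def resolve(self, fid: FederatedIdentity) -> LocalAccount:
        """Return the local account for a federated identity, provisioning one
        on first sight. Deliberately does NOT merge on a matching e-mail: an IDP
        that asserts a victim's address (or a user who registers it at a weaker
        IDP) would otherwise take over the victim's local account."""
        key = (fid.idp, fid.subject)
        if key not in self._by_link:
            acct = LocalAccount(f"local-{next(self._ids)}", {key})
            self._accounts[acct.account_id] = acct
            self._by_link[key] = acct.account_id
        return self._accounts[self._by_link[key]]

    def link(self, account: LocalAccount, fid: FederatedIdentity) -> None:
        """Explicitly link a second IDP identity to an existing local account.
        Call this only after the user has authenticated to BOTH identities in
        the current session; that step-up is what the auto-merge shortcut skips."""
        key = (fid.idp, fid.subject)
        owner = self._by_link.get(key)
        if owner is not None and owner != account.account_id:
            raise ValueError(f"{key} is already linked to {owner}")
        self._by_link[key] = account.account_id
        account.links.add(key)


if __name__ == "__main__":
    linker = AccountLinker()
    acct = linker.resolve(FederatedIdentity("ebay-idp", "u123", "alice@example.com"))
    linker.link(acct, FederatedIdentity("paypal-idp", "p999", "alice@example.com"))
    print(acct)
```

The mapping key is always the IDP's stable subject identifier, never the e-mail or display name, and a link is only added by an explicit, authenticated linking step.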
Primary Authentication vs. Token Authentication
The primary credential should never be submitted to the SP/RP: it couples the RP/SP to the IDP implementation and the details of the authentication mechanism, and more than likely leads to RP-issued tokens and token-type proliferation.
The primary credential should only ever be exchanged for an STS-issued token.
Direct vs. Delegated Authentication
Direct: authenticating to access a resource on your own behalf.
Delegated: systems that allow a 3P application to obtain a token and call services on behalf of your users.
Delegating: the system that is the custodian of tokens received from 3P resources, allowing YOUR application to make calls on behalf of 3P users.
Direct, Delegated and Delegating
(Diagram: three App → Resource/Services arrows labelled Direct, Delegated and Delegating.)
Think Protocol, Token, Binding, Policy
The communication foundation of the architectural components:
Tokens: how assertions and claims are encoded.
Protocols: how tokens are requested, validated, exchanged, renewed and de-referenced.
Binding: how a protocol is carried over a lower-level transport such as HTTP or SOAP.
Policy: how policies are expressed, enforced and managed.
Use/Design the Right STS
- Primary authentication with multi-IDP/identity directory
- Federation and token exchange
- Multi-mode
- Policy driven
- Multiple encodings
- Pluggable attribute provider
- We use an internal STS called IAF
Use Standard Guards
- Validate and process tokens
- Transform tokens to a canonical form usable by the RP
- POE (point of enforcement) for all policies
- Implemented as ESB handlers or in-process Java handlers
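The three preceding practices (exchange the primary credential only at the STS, distinguish direct from delegated tokens, and put a standard Guard in front of every SP/RP) together, as an added example that is not IAF or eBay's Guard code. The STS below is the only component that sees a password; it mints HMAC-signed tokens for direct and delegated use, and the Guard validates them, checks issuer, expiry and scope, and hands the RP a canonical identity context. The user directory, signing key, domain name and claim names (iss, sub, act, scope, exp) are assumptions; a real deployment keeps the key per security domain in an HSM/KMS and rotates it.

```python
"""Added example (not eBay's IAF or Guard code): a minimal STS that exchanges a
primary credential for a signed token, issues delegated tokens for 3P apps, and
a Guard that validates tokens for an SP/RP and returns a canonical identity
context. Key, directory, domain and claim names are assumptions."""
import base64, hashlib, hmac, json, time

# Constructed sample data. The directory stands in for the IDP; the key would
# live in an HSM/KMS and be rotated per security domain (see 3M).
USER_DIRECTORY = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
STS_KEY = b"demo-only-signing-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class STS:
    """Security Token Service: the only component that ever sees a password."""

    def __init__(self, key: bytes, domain: str, ttl: int = 300):
        self.key, self.domain, self.ttl = key, domain, ttl

    def _mint(self, claims: dict) -> str:
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(sig)

    def primary_auth(self, username: str, password: str, now: int = None) -> str:
        """Direct authN: primary credential in, STS-issued token out."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(USER_DIRECTORY.get(username, ""), digest):
            raise PermissionError("primary authentication failed")
        now = int(time.time()) if now is None else now
        return self._mint({"iss": self.domain, "sub": username, "act": username,
                           "scope": ["*"], "iat": now, "exp": now + self.ttl})

    def delegate(self, user_token: str, app_id: str, scope: list, now: int = None) -> str:
        """Delegated authN: a 3P app obtains a token to act for the user with a
        narrowed scope. Only a direct (sub == act) token may be delegated, so a
        delegated token cannot be re-delegated to yet another app."""
        claims = Guard(self.key, self.domain).validate(user_token, now)
        if claims["sub"] != claims["act"]:
            raise PermissionError("refusing to re-delegate a delegated token")
        now = int(time.time()) if now is None else now
        return self._mint({"iss": self.domain, "sub": claims["sub"], "act": app_id,
                           "scope": list(scope), "iat": now,
                           "exp": min(now + self.ttl, claims["exp"])})


class Guard:
    """Point of enforcement in front of an SP/RP. It sees tokens, never passwords."""

    def __init__(self, key: bytes, domain: str):
        self.key, self.domain = key, domain

    def validate(self, token: str, now: int = None) -> dict:
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
        except ValueError:
            raise PermissionError("malformed token")
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        claims = json.loads(body)
        if claims.get("iss") != self.domain:
            raise PermissionError("token minted for another security domain")
        now = int(time.time()) if now is None else now
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        return claims

    def identity_context(self, token: str, required_scope: str, now: int = None) -> dict:
        """Canonical identity context the RP codes against, whatever token format
        the STS used. Scope is checked here so every SP enforces it the same way."""
        claims = self.validate(token, now)
        if "*" not in claims["scope"] and required_scope not in claims["scope"]:
            raise PermissionError(f"scope {required_scope!r} not granted")
        return {"subject": claims["sub"], "actor": claims["act"],
                "delegated": claims["sub"] != claims["act"], "domain": claims["iss"]}


if __name__ == "__main__":
    sts, guard = STS(STS_KEY, "ebay"), Guard(STS_KEY, "ebay")
    token = sts.primary_auth("alice", "correct horse")
    print(guard.identity_context(token, "cart:read"))
    app_token = sts.delegate(token, "fashion-shop-app", ["cart:read"])
    print(guard.identity_context(app_token, "cart:read"))
```

The RP never branches on token format or authentication mechanism; it receives only the context dict, and a token signed by another domain's key or carrying another domain's issuer is rejected at the Guard before any application code runs.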
Establish Security Domains & Separate Logical and Physical
(Diagram, cardinalities as drawn: a Security Domain contains N SPs, 0..N IDPs, 1 Policy and 1 STS.)
Security Domains Illustrated (diagram)
Establish Security Domains & Separate Logical and Physical
- Security Domain: a group of SPs that are governed by the same policies
- Policies: protection tokens, session, native IDPs, transport security
- A Security Domain is a security boundary
- One STS mints the tokens for the domain
- A Security Domain metadata provider
Think Federation not Centralization
- Which SPs can be accessed with the same token?
- Can a user log into eBay if she is logged into PayPal?
- Can an eBay seller use Google Calendar directly from eBay?
- Can the StubHub checkout application call the eBay Tax Service?
- Can Half.com use the eBay Shopping Cart service or the Tax Service?
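The security-domain definition above and the federation questions it raises, as an added example that is not eBay's configuration. Each domain has one STS and one policy set; federation agreements are directed, and a token only ever crosses a domain boundary by being exchanged at the target domain's STS, after which the target's policy governs it. The domain names, SP names, policies and agreements below are constructed from the slide's questions and are not eBay's real topology; the class names are assumptions.

```python
"""Added example (not eBay's configuration): security domains as policy
boundaries, each with one STS, and directed federation agreements that decide
whether a token minted in one domain can be used at an SP in another.
Domain names, SP names, policies and agreements are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DomainPolicy:
    protection_token: str   # token format the domain's STS mints, e.g. "iaf", "saml2"
    session_ttl: int        # seconds a session in this domain may live
    transport: str          # minimum transport security for SPs in the domain


@dataclass
class SecurityDomain:
    name: str
    sts: str                          # exactly one STS mints tokens for the domain
    policy: DomainPolicy              # one policy set governs all of its SPs
    service_providers: set = field(default_factory=set)


class Federation:
    """Security Domain metadata provider: which domains exist and which trust which."""

    def __init__(self):
        self.domains = {}
        self.agreements = set()       # directed (issuing_domain, accepting_domain)

    def add_domain(self, domain: SecurityDomain) -> None:
        self.domains[domain.name] = domain

    def federate(self, issuer: str, acceptor: str) -> None:
        """Record that `acceptor` will exchange tokens minted by `issuer`.
        Agreements are one-way: add both directions for mutual trust."""
        for name in (issuer, acceptor):
            if name not in self.domains:
                raise KeyError(f"unknown security domain {name!r}")
        self.agreements.add((issuer, acceptor))

    def domain_of(self, sp: str) -> SecurityDomain:
        for domain in self.domains.values():
            if sp in domain.service_providers:
                return domain
        raise KeyError(f"no security domain owns SP {sp!r}")

    def reachable_without_exchange(self, token_domain: str) -> set:
        """'Which SPs can be accessed with the same token?': only those in the
        token's own domain. Everything else needs an exchange or is denied."""
        return set(self.domains[token_domain].service_providers)

    def route(self, token_domain: str, sp: str) -> dict:
        """How a caller holding a token from `token_domain` reaches `sp`:
        same domain -> present it; federated -> exchange at the target STS;
        otherwise deny. An exchanged token is governed by the target policy."""
        target = self.domain_of(sp)
        if token_domain == target.name:
            return {"decision": "present", "sts": None, "policy": target.policy}
        if (token_domain, target.name) in self.agreements:
            return {"decision": "exchange", "sts": target.sts, "policy": target.policy}
        return {"decision": "deny", "sts": None, "policy": None}


def build_example() -> Federation:
    """Constructed topology answering the slide's questions; not eBay's real one."""
    fed = Federation()
    fed.add_domain(SecurityDomain("ebay", "ebay-sts", DomainPolicy("iaf", 3600, "tls"),
                                  {"shopping-cart", "tax-service", "ebay-login"}))
    fed.add_domain(SecurityDomain("paypal", "paypal-sts", DomainPolicy("saml2", 900, "tls"),
                                  {"paypal-checkout"}))
    fed.add_domain(SecurityDomain("stubhub", "stubhub-sts", DomainPolicy("iaf", 1800, "tls"),
                                  {"stubhub-checkout"}))
    fed.add_domain(SecurityDomain("half", "half-sts", DomainPolicy("iaf", 1800, "tls"),
                                  {"half-storefront"}))
    fed.federate("paypal", "ebay")     # PayPal login can be exchanged for eBay access
    fed.federate("stubhub", "ebay")    # StubHub checkout may call eBay services
    return fed                         # Half.com has no agreement: its tokens are denied


if __name__ == "__main__":
    fed = build_example()
    for src, sp in [("paypal", "ebay-login"), ("stubhub", "tax-service"), ("half", "shopping-cart")]:
        print(src, "->", sp, fed.route(src, sp)["decision"])
```

Because agreements are directed, PayPal tokens reaching eBay does not imply the reverse; that asymmetry is what makes the setup a federation of domains rather than one central token accepted everywhere.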
Federation of Security Domains (diagram)
Design with 3M in mind
- How many security domains are there?
- What are the protection token policies of each?
- What are the roles in each security domain?
- How are roles mapped among domains?
- How do I rotate keys for a domain?
- Where and what are the federation agreements?
- How many tokens are issued, revoked, renewed, used?
- Design in a way that someone else can manage the system.
If you forget everything, remember this…
Platform Designers
- Identity architecture is the first thing you should put in place (right after your business model)
- The architecture should at least include IDP, STS, Guard and 3M
- Manage tokens like an enterprise asset
- Any retrofit or redesign is deceptively costly and risky
Application Designers
Design with the assumptions that:
- you have no control over the source of identity
- you have no control over the format of the token
- you have no direct access to where identity attributes are stored
- there is a standard identity context and identity context provider
Questions?
Thank you.
Backup Slides
Direct Authentication
Delegated Authentication
Federations
IAF Authentication
SOA Admin.
Guard Utility
IAF (eBay STS) Service Interface