
JavaOne 2010 - Distributed Identity Architecture


DESCRIPTION

Identity, authentication, and authorization are the glue of modern distributed applications. They affect security, availability, and usability directly and are often a significant barrier to the adoption of distributed paradigms such as SOA and cloud. Performing these tasks in monolithic, coupled systems is fairly well understood, but distributed environments of applications and services with heterogeneous security profiles present different challenges. In this session, we'll present architectural models, deployment techniques, and policy management ideas that represent the top 10 most important lessons we learned from implementing IAF: a large-scale, distributed authentication scheme for eBay marketplaces, PayPal, and eBay Mobile.


Page 1: JavaOne 2010 - Distributed Identity Architecture

http://www.blogspot.com/SoftwareForAllSeasons

Cloud Identity Architecture

Farhang Kassaei, Lead Platform Architect, eBay Inc.

Page 2: JavaOne 2010 - Distributed Identity Architecture

My Profile

- Software guy
- Do not use Nmap, Snort, Wireshark… (sometimes Tcpdump)
- Not “security” guy
- Build large scale systems
- Not encryption guru
- Complex, consequential, that must evolve gracefully
- Believe that the majority of security issues are software architecture flaws with security consequences.

Page 3: JavaOne 2010 - Distributed Identity Architecture

Your Profile

- Planning to build a Cloud?
- Size of your company?
- Familiar with SAML, OAuth, OpenID, Federated Identity?
- Planning to build an application for the Cloud?
- Primary function?
- Building products for your own company or for sale?

Page 4: JavaOne 2010 - Distributed Identity Architecture

This presentation is interesting if you are

- A platform architect building a large cloud to host internal or external applications.
- An application engineer building applications to be deployed in a cloud.
- A security architect/engineer responsible for authentication and authorization policies and their implementation.
- Anyone who is curious to see an example of a large-scale identity system in action (eBay Marketplaces).

Page 5: JavaOne 2010 - Distributed Identity Architecture

The [De facto] Cloud Model

[Figure: layered cloud model, bottom to top: Infrastructure (IAAS), Platform (PAAS), Software/Application (SAAS), with Services alongside the layers]

Page 6: JavaOne 2010 - Distributed Identity Architecture

The Security Boundaries

[Figure: the same layers (Infrastructure IAAS, Platform PAAS, Software/Application SAAS, Services/AP) with Authentication marked at the boundaries between them]

Page 7: JavaOne 2010 - Distributed Identity Architecture

What Do We Mean by Distributed Identity?

[Figure: a 2x2 grid. One axis: where the users of an application come from (Internal IDP vs. External IDP). The other axis: location of the services used by an application (Same Domain vs. Other Domain).]

- Internal IDP, services in the same domain: Monolithic Identity Architecture
- External IDP, services in the same domain: Federated Users
- Internal IDP, services in another domain: Federated Service Providers
- External IDP, services in another domain: Fully Federated

Page 8: JavaOne 2010 - Distributed Identity Architecture

What Do We Mean by Distributed Identity?

[Figure: two applications (App, App), each calling Resource/Services across domains]

Page 9: JavaOne 2010 - Distributed Identity Architecture

An Example: eBay Application Platform (AP)

- A platform for building and operating distributed applications.
- Uses an internal cloud as the application operating environment.
- Runs most of what you see on eBay.com.
- Consists of a portfolio of services and a standard application container (Java).

Page 10: JavaOne 2010 - Distributed Identity Architecture

An Example: eBay Application Platform

[Figure: platform services (Tracking, Billing, Storage, Payment, Search, Cart, Checkout, Similarity, Preferences, Tax, Messaging, Identity, Identity Services) hosting applications (Fashion Shop, eBay Motors, 3P Application) inside a Java Container]

Page 11: JavaOne 2010 - Distributed Identity Architecture

Application Platform had to support

- Managing the identity of apps, services and all end users.
- Managing and enforcing policies for groups of resources with heterogeneous security policies.
- Direct authN as well as delegated and delegating authZ cases (more on this in a bit).
- Plus federated SSO, impersonation, integrating acquisitions, mobile authentication, etc.

The rest is what we learned doing this…

Page 12: JavaOne 2010 - Distributed Identity Architecture

Don’t we have SAML, OAuth, OpenID … for this?

[Figure: components of a distributed identity system: Directory Service, STS, Consumer, 3M (Management, Monitoring, Measuring), Distribution, Service Provider/RP, Guard, Provisioning, Message Bus]

Page 13: JavaOne 2010 - Distributed Identity Architecture

…And this is what it looks like at eBay

[Figure: eBay identity architecture with these labelled components: Receptors, Directory Service, STS, Consumer, SP/RP, 3M (Management, Monitoring, Measurement), Secure Storage, Policy Service, PAM, PKI, AuthN, Mgmt. Tools, Account Linking, Local Account, Risk, Verification & Assurances, Entity Resolution, Reg. Primary Authenticators (Federated), Privilege [Granting] Authority, AuthZ]

Page 14: JavaOne 2010 - Distributed Identity Architecture

Ten Best Practices

Before you start

Page 15: JavaOne 2010 - Distributed Identity Architecture

Establish Reference Model

[Figure: first step of the reference model: STS, SP/RP, Consumer, G (Guard)]

Page 16: JavaOne 2010 - Distributed Identity Architecture

Establish Reference Model

[Figure: reference model with IDP added: STS, SP/RP, Consumer, G (Guard), IDP]

Page 17: JavaOne 2010 - Distributed Identity Architecture

Establish Reference Model

[Figure: reference model with 3M added: STS, SP/RP, Consumer, G (Guard), IDP, 3M (Manage, Measure, Monitor)]

Page 18: JavaOne 2010 - Distributed Identity Architecture

Establish Reference Model

[Figure: same reference model as the previous slide: STS, SP/RP, Consumer, G (Guard), IDP, 3M (Manage, Measure, Monitor)]

Page 19: JavaOne 2010 - Distributed Identity Architecture

Establish Reference Model

[Figure: complete reference model: Consumer, STS, IDP, SP/RP, G (Guard), 3M (Manage, Measure, Monitor); AuthN flows between STS and IDP, and the Guard sits in front of the SP/RP]

Page 20: JavaOne 2010 - Distributed Identity Architecture

Isolate RP from Identity Source

[Figure: reference model (STS, SP/RP, Consumer, IDP, 3M)]

An application deployed in the cloud should not make any assumptions about:

- Source of identity
- Authentication mechanisms

Applications operate based on a well-known identity context and policy expression framework.

An application should maintain a local account, and the platform should provide an Account Linking/Mapping service.
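The local-account-plus-linking idea above, as an added Python example that is not from the slides and not eBay's platform code: an in-memory account linking service that maps an asserted external identity (issuer, subject) to a local account, creates the local account on first sight, and only lets a caller who is already authenticated link a further external identity to their own account. Class names, claim names and the sample identities are assumptions.

```python
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class ExternalIdentity:
    """An identity as asserted by some IDP: who vouched for it and the id they use."""
    issuer: str   # e.g. "internal-idp" or "partner-idp" (constructed names)
    subject: str  # subject identifier in that issuer's namespace


@dataclass
class LocalAccount:
    """The application's own account record; the app codes against this, never the IDP."""
    account_id: str
    display_name: str
    linked: Set[ExternalIdentity] = field(default_factory=set)


class AccountLinkingService:
    """Hypothetical platform service mapping external identities to local accounts."""

    def __init__(self) -> None:
        self._by_external: Dict[ExternalIdentity, str] = {}
        self._accounts: Dict[str, LocalAccount] = {}
        self._ids = itertools.count(1)

    def resolve(self, ext: ExternalIdentity, display_name: str) -> Tuple[LocalAccount, bool]:
        """Return (account, created) for an already-validated assertion; create on first sight.

        The key is (issuer, subject), never a mutable attribute such as an email
        address, so two IDPs asserting the same email do not collapse into one account.
        """
        account_id = self._by_external.get(ext)
        if account_id is not None:
            return self._accounts[account_id], False
        account = LocalAccount(f"acct-{next(self._ids)}", display_name, {ext})
        self._accounts[account.account_id] = account
        self._by_external[ext] = account.account_id
        return account, True

    def link(self, current: ExternalIdentity, new: ExternalIdentity) -> bool:
        """Attach `new` to the account that `current` is already logged into.

        Refused when the caller has no account (nothing to link to) or when `new`
        is already bound to any account (linking must never silently merge accounts).
        """
        account_id = self._by_external.get(current)
        if account_id is None or new in self._by_external:
            return False
        self._by_external[new] = account_id
        self._accounts[account_id].linked.add(new)
        return True

    def account_for(self, ext: ExternalIdentity) -> Optional[LocalAccount]:
        """Lookup without creation, e.g. for a guard deciding whether a user exists."""
        account_id = self._by_external.get(ext)
        return None if account_id is None else self._accounts[account_id]
```

The application only ever stores its own `account_id`; which IDP asserted the user, and in what token format, stays behind the linking service, which is what lets the identity source change without touching the application.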

Page 21: JavaOne 2010 - Distributed Identity Architecture

Primary Authentication vs. Token Authentication

[Figure: reference model (STS, SP/RP, Consumer, IDP, 3M)]

A primary credential should never be submitted to the SP/RP:

- A primary credential couples the RP/SP to the IDP implementation and to the details of the authentication mechanism.
- It more than likely leads to RP-issued tokens and token-type proliferation.

A primary credential should only ever be exchanged for an STS-issued token.

Page 22: JavaOne 2010 - Distributed Identity Architecture

Direct vs. Delegated Authentication

[Figure: reference model (STS, SP/RP, Consumer, IDP, 3M)]

- Direct: Authenticating to access a resource on your own behalf.
- Delegated: Systems to allow a 3P application to obtain a token and call services on behalf of your users.
- Delegating: A system that is the custodian of tokens received from 3P resources, to allow YOUR application to make calls on behalf of 3P users.

Page 23: JavaOne 2010 - Distributed Identity Architecture

Direct, Delegated and Delegating

[Figure: three App-to-Resource/Services call paths labelled Direct, Delegating and Delegated To]

Page 24: JavaOne 2010 - Distributed Identity Architecture

Think Protocol, Token, Binding, Policy

[Figure: reference model (STS, SP/RP, Consumer, IDP, 3M)]

The communication foundation of the architectural components:

- Tokens: How assertions and claims are encoded.
- Protocols: How tokens are requested, validated, exchanged, renewed and de-referenced.
- Binding: How the protocol is carried over a lower-level transport such as HTTP or SOAP.
- Policy: How policies are expressed, enforced and managed.

Page 25: JavaOne 2010 - Distributed Identity Architecture

Use/Design the Right STS

[Figure: reference model (STS, SP/RP, Consumer, IDP, 3M)]

- Primary Authentication with Multi-IDP/Identity directory
- Federation and token exchange
- Multi-Mode
- Policy Driven
- Multiple Encoding
- Pluggable Attribute Provider
- We use an internal STS called IAF

Page 26: JavaOne 2010 - Distributed Identity Architecture

Use Standard Guards

[Figure: reference model (STS, SP/RP, Consumer, IDP, 3M)]

- Validate and process tokens
- Transform tokens to a canonical form usable by the RP
- POE of all policies
- Implemented as ESB handlers or in-process Java handlers
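The two rules above, that a primary credential is only ever exchanged for an STS-issued token (Primary Authentication vs. Token Authentication) and that a standard guard validates tokens, enforces policy and hands the RP a canonical form (Use Standard Guards), as one added Python example. This is illustrative code, not IAF and not eBay's guard; the HMAC token format, claim names, the shared key, the user store and the role policy are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# --- IDP side: the primary credential store (constructed sample data) --------
_SALT = b"constructed-salt"  # a real IDP uses a random salt per user


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USER_STORE = {"alice": _hash_password("correct horse battery staple")}
USER_ROLES = {"alice": ["seller"]}          # attribute provider, constructed

# --- STS side -------------------------------------------------------------------
STS_KEY = b"constructed-sts-signing-key"    # shared with the guard only, never with RP code
STS_DOMAIN = "marketplace"                  # the security domain this STS mints tokens for


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(STS_KEY, body.encode(), hashlib.sha256).digest())


def primary_authenticate(username: str, password: str) -> bool:
    """IDP check of the primary credential: the only component that ever sees the password."""
    expected = USER_STORE.get(username)
    return expected is not None and hmac.compare_digest(_hash_password(password), expected)


def issue_token(username: str, password: str, ttl: int = 300,
                now: Optional[int] = None) -> Optional[str]:
    """STS: exchange a primary credential for a signed token; None when authentication fails."""
    if not primary_authenticate(username, password):
        return None
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "iss": STS_DOMAIN, "exp": now + ttl,
              "roles": USER_ROLES.get(username, [])}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


# --- Guard in front of the SP/RP -----------------------------------------------
@dataclass(frozen=True)
class IdentityContext:
    """Canonical form the RP codes against; the RP never parses the raw token."""
    subject: str
    domain: str
    roles: Tuple[str, ...]


def guard(token: str, required_role: str, now: Optional[int] = None) -> Optional[IdentityContext]:
    """Validate the token, enforce the RP's policy, return a canonical context (None = reject)."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        return None                                   # forged or tampered token
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != STS_DOMAIN or claims.get("exp", 0) <= now:
        return None                                   # foreign issuer or expired
    if required_role not in claims.get("roles", []):
        return None                                   # policy: this RP requires the role
    return IdentityContext(claims["sub"], claims["iss"], tuple(claims["roles"]))


def rp_handle_request(headers: dict, now: Optional[int] = None) -> str:
    """RP entry point: tokens only; a primary credential on the wire is refused, not checked."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "400 primary credentials not accepted; obtain a token from the STS"
    ctx = guard(headers.get("X-Token", ""), required_role="seller", now=now)
    if ctx is None:
        return "401 invalid token"
    return f"200 hello {ctx.subject}@{ctx.domain}"
```

The RP code never touches the password store or the token encoding: it receives an `IdentityContext`, which is what keeps it decoupled from the IDP and lets the STS change token formats later. The single symmetric key shared between the STS and the guard is a simplification; per-domain keys that can be rotated are among the 3M questions the deck raises later.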

Page 27: JavaOne 2010 - Distributed Identity Architecture

Establish Security Domains & Separate Logical and Physical

[Figure: reference model (STS, SP/RP, Consumer, IDP, 3M) and a Security Domain composition diagram with labels SP, IDP, Policy, STS and cardinalities N, 0..N, 1, 1]

Page 28: JavaOne 2010 - Distributed Identity Architecture

Security Domains Illustrated

[Figure: security domains illustrated]

Page 29: JavaOne 2010 - Distributed Identity Architecture

Establish Security Domains & Separate Logical and Physical

[Figure: reference model (STS, SP/RP, Consumer, IDP, 3M)]

- Sec Domain: A group of SPs that are governed by the same policies
- Policies: Protection Tokens, Session, Native IDPs, Transport Security
- A Security Domain is a security boundary
- An STS to mint the tokens for the domain
- Security Domain metadata provider

Page 30: JavaOne 2010 - Distributed Identity Architecture

Think Federation not Centralization

[Figure: reference model (STS, SP/RP, Consumer, IDP, 3M)]

- Which SPs can be accessed with the same token?
- Can a user log into eBay if she is logged into PayPal?
- Can an eBay seller use Google Calendar directly from eBay?
- Can the StubHub checkout application call the eBay Tax Service?
- Can Half.com use the eBay Shopping Cart service / Tax Service?
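The security-domain definition on the previous slide and the federation questions above, as one added Python example that is not from the deck: security-domain metadata (which STS mints for the domain, the protection policies its SPs share, which SPs belong to it), explicit directional federation agreements with role mapping, and an `authorize()` decision answering "can a token minted in domain X be used at SP Y, and with which roles". Domain and SP names echo the deck's questions, but the agreements, policies and the decision counter are invented.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class DomainPolicy:
    """Protection policies every SP in the domain shares (fields are constructed)."""
    token_type: str      # protection token the domain's STS mints, e.g. "IAF" or "SAML"
    transport: str       # transport security required at the SPs
    session_ttl: int     # session policy, seconds


@dataclass(frozen=True)
class SecurityDomain:
    name: str
    sts: str                        # the one STS that mints tokens for this domain
    policy: DomainPolicy
    members: FrozenSet[str]         # SPs governed by this domain's policies


@dataclass(frozen=True)
class FederationAgreement:
    """Directional trust: tokens from `source` are honoured in `target` with mapped roles."""
    source: str
    target: str
    role_map: Dict[str, str]


# Constructed security-domain metadata; names echo the deck's questions, the data is invented.
DOMAINS: Dict[str, SecurityDomain] = {
    "marketplace": SecurityDomain("marketplace", "sts.marketplace",
                                  DomainPolicy("IAF", "https", 3600),
                                  frozenset({"shopping-cart", "tax-service", "checkout"})),
    "payments": SecurityDomain("payments", "sts.payments",
                               DomainPolicy("SAML", "mtls", 900), frozenset({"wallet"})),
    "tickets": SecurityDomain("tickets", "sts.tickets",
                              DomainPolicy("IAF", "https", 1800), frozenset({"ticket-checkout"})),
}

AGREEMENTS: Dict[Tuple[str, str], FederationAgreement] = {
    ("tickets", "marketplace"): FederationAgreement("tickets", "marketplace", {"buyer": "buyer"}),
    ("payments", "marketplace"): FederationAgreement("payments", "marketplace",
                                                     {"verified-user": "buyer"}),
    # deliberately no agreement into "payments": a marketplace token cannot reach the wallet
}

DECISIONS: Counter = Counter()   # 3M hook: outcomes per (token domain, target domain, verdict)


def domain_of(sp: str) -> Optional[SecurityDomain]:
    """Security-domain metadata lookup: which domain governs this SP?"""
    for domain in DOMAINS.values():
        if sp in domain.members:
            return domain
    return None


def authorize(token_domain: str, token_roles: Sequence[str],
              sp: str) -> Tuple[bool, str, Tuple[str, ...]]:
    """Can a token minted by `token_domain`'s STS be used at `sp`?

    Returns (allowed, reason, effective roles in the target domain). Crossing a
    domain boundary needs an explicit federation agreement, and only the roles
    that agreement maps survive the hop; everything else is denied by default.
    """
    target = domain_of(sp)
    if target is None:
        return False, f"unknown SP {sp}", ()
    outcome: Tuple[bool, str, Tuple[str, ...]]
    if token_domain == target.name:
        outcome = True, "same security domain", tuple(token_roles)
    else:
        agreement = AGREEMENTS.get((token_domain, target.name))
        if agreement is None:
            outcome = False, f"no federation agreement {token_domain} -> {target.name}", ()
        else:
            mapped = tuple(agreement.role_map[r] for r in token_roles if r in agreement.role_map)
            outcome = (bool(mapped),
                       "federated" if mapped else "no role maps into the target domain",
                       mapped)
    DECISIONS[(token_domain, target.name, "allow" if outcome[0] else "deny")] += 1
    return outcome
```

Because the agreements are data rather than code, the 3M questions (how many domains, which agreements exist, how roles map) are answered by reading `DOMAINS` and `AGREEMENTS`, and the `DECISIONS` counter gives the "how many tokens used where" figure without touching any SP.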

Page 31: JavaOne 2010 - Distributed Identity Architecture

Federation of Security Domains

[Figure: federation of security domains]

Page 32: JavaOne 2010 - Distributed Identity Architecture

Design with 3M in mind

[Figure: reference model (STS, SP/RP, Consumer, IDP, 3M)]

- How many security domains are there?
- What are the protection token policies of each?
- How are roles mapped among domains?
- How do I rotate keys for a domain?
- What are the roles in each security domain?
- Where and what are the federation agreements?
- Design in a way that someone else can manage the system.
- How many tokens issued, revoked, renewed, used?

Page 33: JavaOne 2010 - Distributed Identity Architecture

If you forget everything, remember this…

Platform Designers

- Identity Architecture is the first thing you should put in place (right after your business model)
- Architecture at least should include IDP, STS, Guard and 3M
- Manage Tokens like an enterprise asset.
- Any retrofit or redesign is deceptively costly and risky

Application Designers

Design with the assumptions that

- No control over the source of identity
- No control over the format of token
- No direct access to where identity attributes are stored
- A standard identity context and identity context provider

Page 34: JavaOne 2010 - Distributed Identity Architecture

Questions?

Thank you.

Page 35: JavaOne 2010 - Distributed Identity Architecture

Backup Slides

Page 36: JavaOne 2010 - Distributed Identity Architecture

- Direct Authentication
- Delegated Authentication
- Federations
- IAF Authentication
- SOA Admin.
- Guard Utility
- IAF (eBay STS) Service Interface