Page 1: CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and more! - David Waite

Part 3: What’s next? Discovery, Dynamic Registration, Mobile Connect and more!

David Waite

Page 2

Contents

•  Supporting multiple partners
•  Discovery + Account Chooser
•  Metadata/Configuration and Dynamic Registration
•  Mobile Connect
•  Federation Proxy
•  Native Application Spec

Copyright © 2015 Cloud Identity Summit. All rights reserved. 2

Page 3

Question

•  How do you authenticate each person differently when you don’t yet know who they are?


Page 4

Multiple Authentication Schemes

•  Typical bank website
   •  Ask for account information
   •  Ask for user-specific authentication

•  Federation (including OpenID Connect) decouples authentication from the process which needs it


Page 5

Discovery in a SaaS World

•  Branded URLs / customer domains
•  Deep links
•  Persistent cookie (requires a prior introduction)
•  Email domain to customer mapping
•  Account to customer mapping
•  HTTP headers, CIDR rules, etc.


Page 6

Fallback

•  Each of these is fallible

•  Fall back to
   •  Next heuristic
   •  Error page
   •  NASCAR page


Page 7

Discovery Standards

•  The federation standards have resulted in specifications on how to do this discovery
•  Where Are You From (WAYF)
   •  Intermediary for a network of connections (edu institutions)


Page 8

Discovery Standards

•  SAML Common Domain Cookie
   •  A network creates a common DNS domain that each member joins in order to set/read standard-format cookies
•  AccountChooser.com
   •  A non-profit-managed domain and protocol to cache accounts used for future user selection


Page 9

Account Chooser

•  RP triggers prompt for accounts
   •  Based on requirements

•  RP indicates “successful” authentications should be stored

•  RP controls fallback (social media, local login/registration, NASCAR)

•  Successful authentications cached in browser offline storage


Page 10

Account Chooser Demo


Page 11

Question

•  What if a user enters an address you don’t recognize?


Page 12

Webfinger

•  RFC xxxx
•  Query for information on resources
•  With OIDC, given a user account [email protected], give information on OP that


Page 13

•  Webfinger interface has a single, inconvenient location: https://<domain>/.well-known/webfinger
   •  Requires dynamic functionality there (the response depends on the resource queried)
•  OIDC allows for this information to come from another location, such as a proxy


Page 14

Question

•  This user account is associated with an OP I don’t know


Page 15

OpenID Metadata

•  Divided into two parts
   •  Service endpoints and capabilities, cacheable by the client long-term
      •  /.well-known/openid-configuration
   •  Cryptographic keys, rotated often
      •  Pointed to by the configuration (jwks_uri)
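The slides on Webfinger and OpenID Metadata describe one chain: user identifier, WebFinger lookup for the issuer, then the issuer's /.well-known/openid-configuration, which in turn points at the rotating keys via jwks_uri. The following is an added example for this page, not code from the deck: it walks that chain offline against constructed OP responses. The hosts op.example.com and mixup.example.net, the endpoint paths and the sample metadata are all made up; the `rel` value and the well-known paths are the ones the OIDC Discovery specification defines. The check a practitioner wants here is that the `issuer` inside the fetched metadata equals the issuer WebFinger pointed at, so a copy of one OP's configuration served from a different location is refused.

```python
"""Walk the OpenID Connect discovery chain for a user-typed identifier:
identifier -> WebFinger -> issuer -> /.well-known/openid-configuration.

Added example for this page, not code from the deck. The OP responses are
constructed sample data; op.example.com and mixup.example.net are made up."""
from urllib.parse import parse_qs, urlencode, urlsplit

# rel value OIDC Discovery uses to ask WebFinger "who is the OP for this account?"
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def normalize_identifier(user_input):
    """Simplified form of the OIDC Discovery input normalization rules:
    returns (resource, host), where resource is the WebFinger 'resource'
    parameter and host is where /.well-known/webfinger must be served."""
    s = user_input.strip()
    if "://" in s:
        resource = s                              # already a URL
    elif "@" in s:
        resource = s if s.startswith("acct:") else "acct:" + s
    else:
        resource = "https://" + s                 # bare host name
    if resource.startswith("acct:"):
        host = resource.rsplit("@", 1)[1]
    else:
        host = urlsplit(resource).netloc
    return resource, host


def webfinger_url(resource, host):
    query = urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})
    return f"https://{host}/.well-known/webfinger?{query}"


def issuer_from_jrd(jrd):
    """Pick the issuer href out of a WebFinger JRD; error if it is absent."""
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL and "href" in link:
            return link["href"]
    raise ValueError("WebFinger response carries no OIDC issuer link")


def check_issuer(issuer):
    """An issuer identifier must be an https URL with no query or fragment."""
    u = urlsplit(issuer)
    if u.scheme != "https" or not u.netloc or u.query or u.fragment:
        raise ValueError(f"unacceptable issuer identifier: {issuer}")


def metadata_url(issuer):
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def discover(user_input, fetch):
    """Resolve an identifier to validated OP metadata. fetch(url) returns parsed JSON."""
    resource, host = normalize_identifier(user_input)
    issuer = issuer_from_jrd(fetch(webfinger_url(resource, host)))
    check_issuer(issuer)
    config = fetch(metadata_url(issuer))
    # The metadata's own issuer must equal the one WebFinger named; a copy of
    # another OP's configuration served from a different host is rejected here.
    if config.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: expected {issuer}, got {config.get('issuer')}")
    missing = [k for k in REQUIRED_METADATA if k not in config]
    if missing:
        raise ValueError(f"metadata is missing {missing}")
    return config


# ---- constructed stand-in for the network: one honest OP, one host relaying its metadata ----
ISSUER = "https://op.example.com"
SAMPLE_METADATA = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwks",            # the rotating keys live here, not in this document
    "registration_endpoint": ISSUER + "/register",
}


def fake_fetch(url):
    """Answers like the sample hosts would; raises for anything else."""
    u = urlsplit(url)
    if u.path == "/.well-known/webfinger":
        resource = parse_qs(u.query)["resource"][0]
        if u.netloc == "example.com" and resource == "acct:joe@example.com":
            return {"subject": resource, "links": [{"rel": OIDC_ISSUER_REL, "href": ISSUER}]}
        if u.netloc == "mixup.example.net":
            # names itself as issuer, then serves a copy of op.example.com's metadata
            return {"subject": resource,
                    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://mixup.example.net"}]}
        return {"subject": resource, "links": []}
    if url in (metadata_url(ISSUER), metadata_url("https://mixup.example.net")):
        return dict(SAMPLE_METADATA)
    raise LookupError(url)


if __name__ == "__main__":
    print(discover("joe@example.com", fake_fetch)["jwks_uri"])
```

With a real OP, `fetch` would be an HTTPS GET that parses JSON; the only thing that changes is that the endpoints and keys then come from the network rather than from `fake_fetch`. Cache the configuration document, but fetch the jwks_uri contents separately and on a much shorter schedule, because that is the part the OP rotates.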


Page 16

Question

•  Now I know the OP, but I don’t have a relationship with/credentials for them


Page 17

Dynamic Client Registration

•  Advertised in OpenID Metadata
•  Request credentials from the OP
•  Credentials may expire/need to be refreshed


Page 18

Dynamic Client Registration

•  A way to have a unique client for each installation of an app
•  Exchange a hard-coded token for a dynamic, per-user/per-installation one
•  Prevents some credential hijacking and impersonation attacks
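The two Dynamic Client Registration slides describe a client that carries one hard-coded token, trades it at the OP's registration_endpoint for credentials unique to this installation, and must cope with those credentials expiring. The following is an added example for this page, not code from the deck: the OP side is simulated in-process by `FakeRegistrationEndpoint`, and the initial access token, the `com.example.app:/cb` redirect URI and the lifetimes are made-up values. The request and response field names are those of OIDC Dynamic Client Registration / RFC 7591; `ensure_client` is the logic an app runs at start-up to decide whether the stored registration is still usable or a fresh one is needed.

```python
"""Per-installation Dynamic Client Registration with credential expiry handling.

Added example for this page, not code from the deck. The OP's registration
endpoint is simulated in-process; the initial access token, redirect URI
and lifetimes are made-up values."""
import secrets


class FakeRegistrationEndpoint:
    """Stand-in for an OP's registration_endpoint. One shared initial access
    token (the hard-coded token shipped in the app) gets past the door; every
    successful call mints a distinct client_id and client_secret."""

    def __init__(self, initial_access_token, secret_lifetime=3600):
        self.initial_access_token = initial_access_token
        self.secret_lifetime = secret_lifetime
        self.clients = {}

    def post(self, bearer_token, request, now):
        if bearer_token != self.initial_access_token:
            return 401, {"error": "invalid_token"}
        uris = request.get("redirect_uris", [])
        # a native app gets a custom-scheme or loopback redirect, never plain http://
        if not uris or any(u.startswith("http://") and not u.startswith("http://127.0.0.1")
                           for u in uris):
            return 400, {"error": "invalid_redirect_uri"}
        record = dict(request)
        record.update({
            "client_id": secrets.token_urlsafe(16),
            "client_secret": secrets.token_urlsafe(32),
            "client_secret_expires_at": int(now) + self.secret_lifetime,  # 0 would mean never
            "registration_access_token": secrets.token_urlsafe(32),
        })
        self.clients[record["client_id"]] = record
        return 201, dict(record)


def registration_request(client_name, redirect_uris):
    """Registration document for a native app using the authorization code flow."""
    return {
        "client_name": client_name,
        "application_type": "native",
        "redirect_uris": list(redirect_uris),
        "grant_types": ["authorization_code"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "client_secret_basic",
    }


def register(op, initial_access_token, client_name, redirect_uris, now):
    """Trade the shared initial access token for this installation's own credentials."""
    status, body = op.post(initial_access_token,
                           registration_request(client_name, redirect_uris), now)
    if status != 201:
        raise RuntimeError(f"registration failed: {status} {body.get('error')}")
    return body


def credentials_usable(cred, now, skew=60):
    """0 means the secret never expires; otherwise refuse one about to lapse."""
    exp = cred.get("client_secret_expires_at", 0)
    return exp == 0 or now + skew < exp


def ensure_client(op, initial_access_token, client_name, redirect_uris, stored, now):
    """Return credentials for this installation, registering afresh when none are
    stored or the stored secret has expired. `stored` is what the app persisted."""
    if stored and credentials_usable(stored, now):
        return stored
    return register(op, initial_access_token, client_name, redirect_uris, now)


if __name__ == "__main__":
    op = FakeRegistrationEndpoint("shared-initial-token", secret_lifetime=600)
    mine = ensure_client(op, "shared-initial-token", "Demo App", ["com.example.app:/cb"], None, 1000)
    print(mine["client_id"], mine["client_secret_expires_at"])
```

Two installations that both ship the same initial access token end up with different client_ids, so a secret lifted from one phone does not impersonate another. Persist the whole response, including registration_access_token, because that is what later update or deregistration calls against the OP must present.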


Page 19

Demos

•  Webfinger protocol demo
•  OpenID Metadata demo
•  Dynamic Client Registration demo
•  SSO using the dynamic client


Page 20

Question

•  What to do if the site has a terms of service before you can connect a client, or other proof that you are a ‘trusted’ client?


Page 21

Case Study: Mobile Connect

•  Discovery process involving account chooser
•  Account chooser returns a fake account at the carrier
•  GSMA gives a client attestation used for registration at any of the worldwide carriers supporting Mobile Connect
•  Get back a pseudonym for the user

Page 22


Question

•  The partner access token doesn’t give me access to the APIs I need. How can I get my own access token?

Page 23

Need

•  Authentication/attributes/groups from partner
•  To issue the access token yourself
•  User information from partner can determine capabilities of user on site, so authentication affects access

Page 24

Federation Proxy

•  OIDC from the app to your own AS
•  Your AS does OIDC (or SAML) to your partners
•  Local authentication? Another “federation”

Page 25

Benefits

•  App client doesn’t need to dynamically register itself with partners
•  Single connection to your AS
•  Can provide uniform attributes and API access for your client needs

Page 26

Question

•  What are the best practices for implementing all this in mobile apps?

Page 27

NAPPS Working Group

•  Working group progress…