openid connect oauth 2 0 server for the enterprise
play

OpenID Connect & OAuth 2.0 Server for the Enterprise Your - PowerPoint PPT Presentation

Dec 23, 2023 •301 likes •580 views

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

  1. OpenID Connect & OAuth 2.0 Server for the Enterprise

  2. Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars

  3. Based on the latest standards OpenID Connect OAuth 2.0 / 2.1 for ID tokens for access tokens Modern token-based security for web, mobile and native applications

  4. Identity and security profiles FAPI IdA / eKYC HEART financial-grade verified identities and data, electronic health record API security access and exchange AML compliance iGov Federation others to follow ... international government operate hierarchical and assurance profile mesh federations at scale Supported industry profiles for Open Banking, government / eID, health care

  5. Engineered for easy 365/24/7 integration uptime scaling + agile performance dev ops Move fast and with confidence

  6. Providing identity services to every 100 th person* on the planet, and growing... * 90 mio end-users as of July 2017

  7. Easy integration UI / UX User authN AuthZ logic Claims Admin Monitoring We want to liberate our customers. Smart web-based (REST + JSON) and native (Java SPI) integration for flexibility and performance.

  8. Sign-in experience Consent Login Allow Wonderland App access to your : User alice ☑ email Password ☒ profile xxxx deny Allow Design your own branded user experiences around login and consent

  9. Sign-in experience ● A powerful guided web API lets you integrate a sign-in experience branded and tailored specifically for your enterprise or SaaS. ● Choose any language and framework for your UI and authN / authZ logic. Save time and money, leverage your existing competence and resources. ● Zero service downtime for updates to the login page. ● You can even have multiple dedicated login pages, e.g. one for employees, another for contractors and a third for customers.

  10. User authentication All types of user authentication can ● be plugged in via the login web Submitting a user API to match your security needs. authentication Microsoft Active Directory / LDAP ● authentication is supported out of { the box. "sub" : "alice", You're free to integrate any other ● "auth_time" : 1604392924, authentication method, such as one-time passwords and "acr" : "c2id.loa.high", biometrics. "amr" : [ "pwd", "otp"] The Connect2id server never has ● } to deal with user credentials directly, which is good for security.

  11. Example authentication methods One-time x.509 LDAP * password certificate (OTP) secure remote SQL password biometrics database (SRP-6a) * Supported out of the box

  12. Your OAuth 2.0 authorisation server ● The Connect2id server can act as an OAuth 2.0 authorisation server to issue access tokens to clients. ● Supports all core OAuth 2.0 grants: code, implicit, password, client credentials. SAML 2.0 and JWT Bearer assertion grants are also accepted. ● Can generate self-contained (JWT) as well as identifier-based bearer access tokens. JWT-encoded access tokens are ideal for distributed applications. ● The issued tokens can be client x.509 certificate (mTLS) bound for extra security in financial (FAPI) and other applications. ● You can plug in arbitrary logic for consent (explicit / implicit), to customise tokens and their introspection.

  13. Access token attributes Authorisation { Access token "sub" : "alice", "cid" : "000123", "scp" : [ "openid", "email", "app:admin" ], eyfvJfja93jJjpie3j... "iss" : "https://openid.c2id.com", "iat" : 1360050795, "exp" : 1360410795, "aud" : [ "https://client-app.com" ], "clm" : [ "name", "email", "email_verified" ], "cll" : [ "es-ES", "en-US" ], "dat" : { "ip" : "192.168.0.1" } } Access tokens can be decoded and verified on the spot (JWT) or inspected at a Connect2id server endpoint

  14. Managing existing authorisations ● You can query and manage the authorisations for each user and client application via a dedicated web API. ● Authorisations can be persisted so that users are not asked again for previously consented scope values and claims. ● You can build a UI or a risk management agent to revoke tokens for a user, client or combination thereof.

  15. Revocation UI Alice : Your authorised apps ● Wonderland App [ edit ] [ revoke ] ● Weather App [ edit ] [ revoke ] ● Bookstore App [ edit ] [ revoke ] Design your own UIs and tools for managing authorisations

  16. UserInfo { "sub" : "alice", "name" : "Alice Adams", "given_name" : "Alice", "family_name" : "Adams", "email" : "alice@wonderland.net", "email_verified" : true, "phone_number" : "+359 (88) 200305", "profile" : "https://c2id.com/users/alice", "ldap_groups" : [ "audit", "admin" ] } OpenID Connect defines an extensible JSON schema for releasing consented user details (OpenID claims) to client applications

  17. OpenID claims sources ● OpenID Connect defines a simple extensible JSON schema for releasing consented user information (claims), such as name, profile and contact details, to client applications. ● The claims can be included in the ID token, returned at the UserInfo endpoint, or even piped into access tokens for resource server consumption. ● Support for verified claims and data (eKYC). ● The Connect2id server supports aggregation of UserInfo claims from one or more data sources (LDAP directory, HR database, etc). ● Claims sources can be integrated via a Java SPI or a web hook. ● Microsoft Active Directory / LDAP supported out of the box.

  18. Claims source aggregation LDAP Connect2id directory server SQL database UserInfo request claims source access_token: eyJ9f... SPI web service OpenID claims aggregation from multiple data sources

  19. Managing user sessions ● User sessions can be queried, monitored and managed via a dedicated web API (e.g. who is online?) ● The login page may store arbitrary attributes in the user session, to personalise the UI or for other purposes. ● Client applications can initiate standard logout requests. ● Clients can also receive standard front and back-channel logout notifications.

  20. User session object { "sub" : "alice", "auth_time" : 1604392924, "acr" : "c2id.loa.high", "amr" : [ "pwd", "otp" ] "creation_time" : 1604392924, "max_life" : 20160, "auth_life" : 1440, "max_idle" : 15, "data" : { "name" : "Alice Adams", "email" : "alice@wonderland.net" } } Rich session attributes with support for arbitrary data

  21. Engineered for 365/24/7 uptime Identity services can be critical to relying applications. The Connect2id server is designed from the ground up for continuous availability: ● Avoiding single points of failure: the web service layer and the underlying database can be clustered for high-availability. ● Seamless scaling: server and database nodes can be added or removed to / from the cluster when required. ● Seamless upgrades: the software is designed for upgrades with zero disruption to service. Front-ends, OAuth 2.0 grant handlers and claims sources are decoupled from the main service.

  22. Connect2id server cluster HTTP proxy Connect2id Connect2id Connect2id server server server sync sync cache cache cache sync DB DB Choice between stateless (with optional Redis cache) and replication clustering

  23. Scaling + performance ● For small and medium organisations (~ thousands of users) the Connect2id server can be run in a VM with 1 CPU core and 2 GB RAM. ● Large user bases can benefit from a Connect2id cluster where the OpenID Connect / OAuth 2.0 requests are load-balanced over multiple nodes. ● Selected asynchronous operations for improved responsiveness. ● Connect2id server nodes can be dynamically added or removed to / from the cluster to match demand. ● Redis can be optionally deployed as primary cache.

  24. Server monitoring ● Backend database health checks ● Monitoring endpoint with 120+ metrics: – sign-in activity – detailed endpoint stats – OAuth 2.0 grant handler stats – claims sources latency and performance – database latency and performance ● Token issue events for audit and accounting purposes

  25. DevOps friendly Key DevOps jobs can be done safely and without impacting the uptime of a running Connect2id server / cluster: ● Updating the OpenID Connect login UI or testing new ones; ● Upgrading the authentication method or incorporating new second factors (e.g. FIDO OTP or biometrics); ● Updating the user and administrative interfaces for the service or introducing new ones; ● Updating UserInfo claims sources (for web-based ones).

  26. To find out more about the Connect2id server https://connect2id.com/server

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect

Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect

Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect Microsoft Working Together OpenID Connect What is OpenID Connect? Simple identity layer on top of OAuth 2.0 Enables RPs to verify identity

831 views • 56 slides
OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com AG The OAuth 2.0 Success Story Tremendous adoption since publication in 2012 Driven by large service providers and OpenID Connect

594 views • 30 slides
Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend

Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend

Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend Introduction to Apache CXF Production quality framework for creating Java JAX-RS 2.0 and JAX-WS services Widely used and integrated into

1.01k views • 27 slides
OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for

OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for

OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for communication - information about the other part fredag 7 september 12 Trust management not solved! fredag 7 september 12 (1) OP discovery The user

254 views • 23 slides
CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser.

505 views • 17 slides
OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth protocol workflow Server-side web application flow Client-side web application flow Whats the problem As the web grows, more and more sites

786 views • 45 slides
OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

* OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF 95, Buenos Aires April 2016 1 Document Status Current draft addresses WGLC feedback See

423 views • 8 slides
Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers

Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers

Subverting OpenID: Intro to Net::OpenID::Server Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers Canada http://softwareprocess.es/ abram.hindle@softwareprocess.es Abram Hindle 1 Subverting

391 views • 21 slides
Enterprise Connect Resource Technology Innovation Centre February 2013 Enterprise Connect -

Enterprise Connect Resource Technology Innovation Centre February 2013 Enterprise Connect -

Enterprise Connect Resource Technology Innovation Centre February 2013 Enterprise Connect - Aim Drive a measurable increase in the productivity of Australian SMEs by: Assist SMEs to upgrade and connect to new technologies and

450 views • 31 slides
openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem -

openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem -

openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem - More Client Devices per-Human - Many Cloud Accounts - More Apps: yay k8s - More Distributed Teams - VPNs arent fun - Legacy Solutions

788 views • 32 slides
OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing

OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing

OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing Institute (RENCI) UNC - Chapel Hill Context and Use Case NIH Data Commons Web application - CommonsShare.org Compute Platform and

318 views • 11 slides
Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2 What is OAuth? Your Valet Key for the Web Delegated Authentication Protocol 2 What is OAuth? Your Valet Key for the Web Delegated Authentication

357 views • 33 slides
Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect

Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect

Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect fulup@iot.bzh Who Are We ? Securing AGL V2C with OpenIDconnect May-2017 2 V2C Multiple Requirements Car to Cloud Telematics Car

605 views • 16 slides
OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical Architect, Ping Identity Purpose Best Current Practices Document Builds mostly on RFC 8252 - OAuth 2.0 for Native Apps I-D

386 views • 10 slides
& 1st large scale oauth stealing botnet & Secure delegation mechanism De-facto

& 1st large scale oauth stealing botnet & Secure delegation mechanism De-facto

& 1st large scale oauth stealing botnet & Secure delegation mechanism De-facto authentication standard & & Exploit server Play store fake install/comments Ads injection Repacked (non-google) app Registration

717 views • 55 slides
External Authentication with Percona Server for MongoDB and MongoDB Enterprise Jason Terpko DBA

External Authentication with Percona Server for MongoDB and MongoDB Enterprise Jason Terpko DBA

External Authentication with Percona Server for MongoDB and MongoDB Enterprise Jason Terpko DBA @ Rackspace/ObjectRocket linkedin.com/in/jterpko 1 Overview Percona Server For MongoDB o SASL and LDAP o MongoDB Enterprise o Kerberos and

430 views • 25 slides
Network Tokens A DPI-alternative to deploy network services ONF Spotlight: 5G Transformation with

Network Tokens A DPI-alternative to deploy network services ONF Spotlight: 5G Transformation with

Network Tokens A DPI-alternative to deploy network services ONF Spotlight: 5G Transformation with Open Source Yiannis Yiakoumis, Co-Founder & CEO, Selfie Networks Work with Nick McKeown (Stanford), Frode Sorensen (NKOM)

506 views • 29 slides
Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2 and OpenID Connect to Science Gateways https://tools.ietf.org/html/rfc6749 Three Layers of Science Gateway Cyberinfrastructure Tenants Resources

813 views • 43 slides
Issuing temporary credentials for MySQL using Hashicorp Vault Walter Heck - CTO at OlinData

Issuing temporary credentials for MySQL using Hashicorp Vault Walter Heck - CTO at OlinData

Issuing temporary credentials for MySQL using Hashicorp Vault Walter Heck - CTO at OlinData Percona Live Europe 2017 Sounds familiar? Hey, Jane Doe from that department youve never heard of wants to do some analysis and she needs

692 views • 21 slides
Windows Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor

Windows Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor

Windows Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Windows Security

265 views • 23 slides
Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director Platform Engineering @ Sixt @nathariel September 2019 Our Focus Today ? Authenticate Key patterns for authentication & Authorize and

510 views • 38 slides
2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current Status Adoption of Federated Identity and Access Control is one of the top priorities for the lab Crucial for our success with DUNE,

403 views • 13 slides
Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

EclipseCon France Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe EclipseCon France Why am I here today? Microservices architecture case

1.26k views • 69 slides
@PhilippeDeRyck 3 @PhilippeDeRyck 4 @PhilippeDeRyck 5 3 Who that? 4 It's me, Philippe! 2

@PhilippeDeRyck 3 @PhilippeDeRyck 4 @PhilippeDeRyck 5 3 Who that? 4 It's me, Philippe! 2

A UTHENTICATION WITH O PEN ID C ONNECT IN A NGULAR D R . P HILIPPE D E R YCK https://Pragmatic Web Security.com D R . P HILIPPE D E R YCK - Deep understanding of the web security landscape - Google Developer Expert (not employed by Google) -

1.23k views • 44 slides

More recommend