The document discusses the need for next generation identity and access management (IAM) systems due to trends like cloud computing, mobile devices, and data breaches. It outlines some key challenges with traditional IAM, including only supporting web SSO. The author proposes a next generation IAM approach built on standards like SAML, OAuth 2.0 and OpenID Connect to support web, mobile, APIs and large scale deployments across clouds in a consistent way.
15. The Paradigm Shift driven by cloud and mobile
76% of Network Intrusions Exploited Weak or Stolen Passwords
Traditional IDENTITY MANAGEMENT not working
Identity is the new perimeter – Dan Headrick, GE
16. How To Design Access to Resources?
Getting users to their resources is a product of standards and scale.
What emerging trends will change the way this is done?
19. A Basic Web SSO Architecture
[Diagram] Components: Identity Repository, Authentication Service(s), Federation Services. Federation Services hand users to Your Web Apps (via SAML integration) and to Third Party Apps (via SAML).
22. SAML ROI
• Introduction Service
– The IdP sends structured, signed XML assertions to applications
– Each assertion carries a subject (who the user is)
• Security/Validation: the application must check
– Issuer (came from the IdP you trust)
– Audience (was meant for this application, not some other SP)
– Validity Window (NotBefore / NotOnOrAfter)
– Signature (was not altered in transit, and actually covers this assertion)
• Visibility
– Nobody reaches an app unless central infrastructure approves
23. If you only need Web SSO, Stop Here
• Well known design pattern
• You can buy the whole thing as IDaaS with very little technical know-how
• Scale up, go crazy
Courtesy https://flic.kr/p/4Btadi
24. Some Folks Need More
Courtesy Matt Morgan https://flic.kr/p/6Thyod
• APIs and Mobile
• Massive Scale
• Customer & Workforce
• Lower Overhead
• Self-Service
25. Why are Mobile/API Different?
• Web SSO
– The user is present, manipulating a “passive” client: the browser
• Mobile and API
– A piece of active software (the client) is executing, even if the user is not around
– This active client may not be in a position to validate XML signatures or parse XML, so a SAML-shaped assertion is the wrong artifact to hand it
YOUR IAM SYSTEM MUST KNOW THE DIFFERENCE BETWEEN THESE TWO USE CASES
26. Next Gen: Small but Self-Sustaining
Courtesy Daniele Oberti https://flic.kr/p/8FY8v5
28. OpenID Connect: Delegated Missions
• Built on OAuth 2.0
• OAuth 2.0 gives you Access Tokens
– Delegated authorization tokens
– Made for active clients to access APIs
– Opaque to the client: an access token by itself does not tell the client who authenticated, or when
• OpenID Connect gives you ID Tokens
– Signed JSON assertions (JWTs), similar in role to SAML assertions but parseable by an active client
– Work as the initial introduction: the client can validate the authentication event (issuer, audience, who, when) and confirm it belongs to the access token it received alongside
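The ID token checks an active client performs, including the at_hash claim that ties the ID token to the access token issued with it, written out as an added example (not code from the deck). It uses an HS256 key shared between issuer and client, an assumption made so it runs with the standard library alone; production ID tokens are normally RS256 and verified against the issuer's published JWKS. The issuer URL, client ID, key and token values are placeholders.

```python
"""OpenID Connect ID token checks for an active (non-browser) client,
including the at_hash binding to the accompanying access token.

Added example, not from the original deck. HS256 with a shared secret
is an assumption made so the example needs only the stdlib; issuer,
client ID, secret and token values are placeholders.
"""
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.com"        # placeholder
CLIENT_ID = "mobile-app-123"              # placeholder
SHARED_SECRET = b"placeholder-hs256-secret"  # placeholder, NOT for real use


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def at_hash(access_token: str) -> str:
    # OIDC Core 3.1.3.6: left-most half of the SHA-256 of the access token
    # (SHA-256 because the token alg is HS256), base64url without padding.
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def mint_id_token(sub, access_token, nonce, auth_time, now, key=SHARED_SECRET):
    """Issuer side: build an HS256 ID token bound to a given access token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
        "iat": now, "exp": now + 300, "auth_time": auth_time,
        "nonce": nonce, "at_hash": at_hash(access_token),
    }
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_id_token(token, access_token, expected_nonce, now,
                      max_auth_age=3600, key=SHARED_SECRET):
    """Client side. Returns (ok, reason, claims); fails closed."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: never let the token's own 'alg' choose the verifier.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected = hmac.new(key, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return False, "bad signature", None
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch", None
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        return False, "audience mismatch", None
    if now >= claims.get("exp", 0):
        return False, "expired", None
    # The nonce the client generated for this login must come back unchanged.
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (replayed token?)", None
    # auth_time is the "authentication moment"; reject stale logins.
    if now - claims.get("auth_time", 0) > max_auth_age:
        return False, "authentication too old", None
    # Bind this ID token to the access token that arrived with it, so a
    # token substituted by an attacker fails here.
    if not hmac.compare_digest(claims.get("at_hash", ""), at_hash(access_token)):
        return False, "at_hash mismatch: access token was swapped", None
    return True, "ok", claims
```

The nonce and at_hash checks are what make the ID token useful as an "introduction": the nonce proves the token answers this client's own request, and at_hash proves the access token in hand is the one the authorization server issued together with it.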
29. Future Of IAM
• Next Gen Identity Protocol Stack
– OAuth 2.0, OpenID Connect, SCIM
• Consistent architecture
– For workforce, partners and customers
– For web, devices, apps and things
• BONUS: Federated architecture allows for migration away from passwords