Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Identity 2.0: the what, why and how of social a...

Identity 2.0: the what, why and how of social and federated login

Whether you're developing public-facing web apps or deploying behind the corporate firewall, the days of identity silos are over. Social auth (log in with FooBookHub) and federated identity (SAML, OpenID Connect and friends) are the new normal. The advantages are clear: developers and operators have less security-sensitive code to write and deploy, while users experience less password/account fatigue, and enjoy improved productivity through single sign-on.

But there's no such thing as a free lunch; like most things in technology there are trade-offs. Federated authentication protocols are inherently more elaborate than plain old passwords; more moving parts means more complex deployment and more points of failure. Fortunately there are tools to ease the burden and smooth the process of securing your applications.

In this extended session for web developers and administrators/operations folks, attendees will learn and experience how to deploy and use federated auth, end-to-end from the identity provider to the app. The session will cover:

The basics of federated authentication including protocol overviews and comparisons.

How to use social auth providers for public-facing applications, allowing users to log in with an account they already have.

How to leverage accounts in centralised identity management systems (FreeIPA, Active Directory, LDAP, etc) for single sign-on in an organisation.

How identity brokers like Keycloak make it easy to use a variety of external authentication providers, and provide a consistent user experience across multiple applications.

How to use external identities in your applications with the help of your web server, focusing in particlar on popular Python web frameworks and Apache (though the principles are more widely applicable).

Security characteristics, and discussion of some challenging scenarios including testing, account merging and single sign-out.

Fraser Tweedale

August 03, 2017
Tweet

More Decks by Fraser Tweedale

Other Decks in Technology

Transcript

  1. Identity 2.0 The what, why and how of social and

    federated auth Fraser Tweedale @hackuador August 5, 2017 #pyconau
  2. Why? authentication is hard to get right data silos are

    bad authentication is burdensome for users user often is already authenticated by someone therefore outsource your authentication
  3. UA SP IDP GET /thing Who's that? It's Alice! Here

    you go UA = User Agent SP = Service Provider IDP = Identity Provider
  4. Who? Social login providers Google, Facebook, Twitter, Linked.in, GitHub, Microsoft,

    . . . The enterprise Active Directory, FreeIPA, . . . LDAP
  5. Why not? not everyone uses Facebook, GitHub, . . .

    might not want to use social login more moving parts
  6. UA SP IDP Request Redirect to IdP Login user not

    logged in Login form user not logged in
  7. UA SP IDP Request Redirect to IdP Login Redirect (token)

    user not logged in Login form user not logged in
  8. UA SP IDP Request Redirect to IdP Login Redirect (token)

    Get user info user not logged in Login form user not logged in
  9. UA SP IDP Request Redirect to IdP Login Redirect (token)

    Get user info Resource user not logged in Login form user not logged in
  10. UA SP IDP Request Redirect to IdP Redirect (token) Get

    user info Resource user not logged in user already logged in
  11. Protocols SAML 2.01 Security Assertion Markup Language 2005, XML OpenID

    Connect2 2014, JSON + JWT based on OAuth 2.0 1http://saml.xml.org/saml-specifications 2https://openid.net/connect/
  12. Identity brokers connect SPs with IDPs (many-to-many) may support multiple

    service realms may support multiple IDP and federation protocols
  13. IDP UA SP Broker Request Redirect to broker Login Redirect

    (token) Get user info Resource Login form Redirect to IDP Redirect (token) Get user info
  14. Keycloak Open Source identity broker http://www.keycloak.org/ IDPs: social, SAML, OpenID

    Connect, LDAP, Kerberos SPs: SAML, OpenID Connect Red Hat Single Sign-On Docker images available3,4 3https://hub.docker.com/r/jboss/keycloak/ 4https://github.com/jboss-dockerfiles/keycloak
  15. Demo GitHub social login LDAP-based IDP Keycloak Apache modules mod_auth_mellon5

    mod_auth_openidc6 REMOTE_USER 5https://github.com/UNINETT/mod_auth_mellon 6https://github.com/pingidentity/mod_auth_openidc
  16. HTTP SAML OAuth 2.0 GitHub Firefox app.py / Apache Keycloak

    Request Redirect to broker Login & authorise Redirect (token) Resource Login/authz form Redirect to IDP SAML assertion Get user info "social" realm /saml
  17. HTTP OIDC LDAP FreeIPA LDAP Firefox app.py / Apache Keycloak

    Request Redirect to broker Resource LDAP BIND Login form authz code Get ID token Get user entry "corp" realm /oidc
  18. REMOTE_USER - general guidelines use middleware(s) to interpret request environment

    map remote roles to app roles users: transient or persisted? tweak login view as needed
  19. Security use TLS everywhere how secure are the libraries? how

    secure are the protocols?7,8,9 preventing token / data interception at UA 7A Comprehensive Formal Security Analysis of OAuth 2.0 8The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines 9Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps
  20. UA SP IDP Request Redirect to IdP Login Redirect (token)

    Get user info Resource user not logged in Login form user not logged in
  21. UA SP IDP Request Redirect to IdP Login Redirect to

    SP POST /token Resource user not logged in Login form user not logged in (authz code payload) JWT (id_token) OpenID Connect verify JWT
  22. UA SP IDP Request Redirect to IdP Login Redirect to

    SP Resource user not logged in Login form user not logged in (encrypted SAML assertion) SAML decrypt & verify SAML assertion
  23. SAML or OpenID Connect? if you’re implementing new services: OpenID

    Connect if it’s a mobile app: OpenID Connect if the SP only speaks one or the other: use that if you have SAML and OpenID Connect SPs: broker
  24. Single sign-out what happens when user signs out of IDP?

    supported by SAML; draft spec for OpenID Connect
  25. Other UA Other SP UA SP IDP invalidate session invalidate

    session Logout Logout iframe invalidate session Logout Poll Logged out
  26. Recap Socialise or centralise your authentication Identity brokers can do

    a lot of the heavy lifting Web servers can present a consistent view to apps