Warm Up to Identity Protocol Soup - GOTOpia
Copyright ©2012 Ping Identity Corporation. All rights reserved.
Warm Up to Identity Protocol Soup
David Waite, Principal Technical Architect
Thursday, November 8, 12
Topics
• What is Digital Identity?
• What are the different technologies?
• How are they useful?
• Where is this space going?
Digital Identity
Concepts
• Authentication / Authenticity
– Is this entity (person/machine) who they say
Concepts
• Attributes / Identity Information
– My name is David Waite
– I work for Ping Identity
– I’ve been in the Identity Space for 10 years
– My email address is [email protected]
Introductions
• Ping Identity
– Focused on Identity standards
– Enterprise and Consumer-oriented solutions
– On-site software (PingFederate)
– Identity as a Service offerings (PingOne)
Concepts
• Authorization
– What are the rules on who can do what
• Access Control
– Enforces whether you can or can’t do something
Concepts
• The bundle of credentials, identifiers and attributes makes up the traditional idea of an “Account”
• The services which work by the same system of accounts and authorization make up a “Security Domain”
SAML / In the Beginning
Simple App
(Diagram: Login, Application, Content, DB)
Less Simple App
(Diagram: Login, Application, Content, Self-Registration, Password Recovery, DB)
Uh-Oh
(Diagram: two applications, each with its own Login, Content and Self-Registration, plus Password Recovery and a DB)
Reality (Simplified)
(Diagram: four applications, each with its own Login, Content and Self-Registration, two with Password Recovery, and three separate DBs)
Supportability Issues
• Multiple accounts
• Different usernames and passwords
• Varying support / recovery processes
• Hard to change Authorization policy
• Provisioning users is error-prone
Security Issues
• Users may retain access to systems
• Duplicated passwords and user info
• Lack of auditing
• Home-grown auth may be insecure
• Difficult to switch to multi-factor
Architectural impact
• Decomposing applications is hard
• Difficult to mash up APIs
– Data Silos
• Code for authz policy changes
• Rebuilding same components
Solution?
• Identity and Access Management
– Infrastructure shared by apps
– Centralized resources and management
• Examples:
– Use LDAP for account attributes
– Create groups representing authorizations rather than departments
Identity and Access Management
• Single Authentication Mechanism
– Transport: Client X.509, Kerberos
– Domain cookie w/App Server Plugin
– Authenticating Proxy in front of apps
Identity and Access Management
• Central Authorization Policy
• Set policy at HTTP resource level
• Responsible for Access Control at resource level
Drawbacks
• Time/TCO to retrofit existing apps
• High cost of infrastructure upgrades
• M&A can often be a nightmare
• There are no standards
– huge amount of vendor lock-in
Failings
• Not always possible to support
– COTS software
– 3rd Party / Hosted software
SAML
SAML
• Security Assertion Markup Language
• 1.0 in November 2002
• 2.0 in March 2005
“Securely Assert Identity Information”
SAML Roles
• “Identity Provider” (IDP)
– provides identity information
• “Service Provider” (SP)
– consumes identity information
– provides access to services
SAML Pieces
• Assertion
– a signed and/or encrypted XML document containing identity information
SAML Parts
• Protocol - messages built on assertions
• Binding - sending protocol over the wire
• Profile - combination to accomplish some use case
SAML Web SSO
• Most popular profile is Web Browser Single Sign-On Profile
• Use browser as a communication channel
• Authenticates browser that delivers the message
SAML Web SSO
Bridges Accounts for the different Security Domains
SAML Used by
• Web Browser SSO Profile
• WS-* (as token)
• WS-Federation (as token)
• OAuth 2 (as authentication mechanism)
OpenID
OpenID
• Created by Brad Fitzpatrick in 2005
• Came out of blogging space
– Don’t want to manage accounts just to let people comment on blog posts
• Initially for Lower Assurance
• Dynamically Managed relationships
OpenID
• Your “username” is a URL
• Your login proves ownership
• Your identity/persona is that URL
OpenID - How it works
• Relying Party
– Similar role to SP, requests/relies on OpenID
• OpenID Provider
– Similar role to IDP, authenticates users
OpenID - How it works
1. User enters OpenID or selects OP at Relying Party*
2. RP figures out appropriate OP
3. Sends browser to OP so the user can prove who they are
4. OP sends authenticated user back to RP
Advantages
• User-Centric Identity
– user maintains control
– determines who sees what
• Can run infrastructure without coordination
Disadvantages
• Users do not understand URLs
• Hidden complexity in implementing
• Interoperability is poor
• Many sites are non-compliant
• Some sites require extensions
Recommendation
• Support specific partners/software
• Choose a mature product or library
• Hide OpenID from user
– Use a NASCAR page
OAuth 1 and 2
OAuth
• Negotiate/Represent Authorization for Apps
• Per-user
– Delegation of user access
– User participation in authorization policy
The Old Model*
OAuth 1
• Created in 2007
• 2-legged
– Server to Server
• 3-legged
– User authorization
OAuth 1 Flow
• User selects to add/authorize third party
• App sends user to third party site
• User authenticates with site if needed, indicates what the app is authorized for
• User is sent back to App with token
OAuth Benefits
• App access is limited
• App behaviors are auditable
• User makes their own policy decisions
• Users can revoke access to their data
OAuth 2
• Removes complex signature requirement
– Must use SSL
– Resource access is simple
• Separate roles for protected resource and authorization service
• Adds new flows for new native client use
OAuth 1 vs 2
• OAuth 1 is very pragmatic
– Hits two use cases
– Details them thoroughly with examples
• OAuth 2 is broad, extensible
– Pieces used to solve particular problem
• Do not recommend OAuth 1 for new projects
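To show what the "complex signature requirement" that OAuth 2 dropped actually involves, here is an added example (not code from the talk or from Ping Identity) of OAuth 1.0a HMAC-SHA1 request signing as RFC 5849 specifies it: parameter normalization, the signature base string, and the server-side check. The URL, consumer key, token and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s):
    # RFC 5849 3.6: only unreserved characters (letters, digits, -._~) stay
    # unencoded; everything else is percent-encoded with uppercase hex.
    return quote(str(s), safe="-._~")


def base_string_uri(url):
    # Scheme and host are lowercased; query and fragment are left out (3.4.1.2).
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def normalize_params(url, oauth_params):
    # Query parameters and oauth_* parameters are merged, each name and value
    # encoded on its own, sorted by name then value, joined with '=' and '&'
    # (3.4.1.3). oauth_signature itself is never part of the signed data.
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, oauth_params):
    # Three encoded parts joined by '&': both sides must rebuild this byte-for-byte.
    return "&".join([method.upper(), pct(base_string_uri(url)),
                     pct(normalize_params(url, oauth_params))])


def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    # Key is the two secrets, each encoded, joined by '&' (3.4.2); token_secret
    # is empty in the 2-legged server-to-server case.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method, url, oauth_params, consumer_secret, token_secret=""):
    # Server side: recompute from the received request, compare in constant time.
    expected = sign(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(oauth_params.get("oauth_signature", ""), expected)


def demo():
    # Constructed 3-legged request: the app calls an API on behalf of a user
    # whose access token (oauth_token) it was granted earlier.
    url = "https://api.example.com/photos?size=large"
    params = {
        "oauth_consumer_key": "client-abc",
        "oauth_nonce": "n1",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1352390400",
        "oauth_token": "tok-123",
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("GET", url, params, "cs3cr3t", "ts3cr3t")
    ok = verify("GET", url, params, "cs3cr3t", "ts3cr3t")
    # Any change to method, URL, query string or a parameter breaks the signature.
    tampered = verify("GET", url.replace("large", "small"), params, "cs3cr3t", "ts3cr3t")
    return ok, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Every deviation in encoding or ordering between client and server (a lowercase hex digit, an unsorted parameter, a stray query string) produces a silent signature mismatch, which is the interoperability cost OAuth 2 traded for mandatory TLS.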
OAuth vs Web SSO
OAuth is for authorization, not authentication
• Web SSO lets you know who the user is
• OAuth is permission to act for the user
• NOT a replacement for Web SSO
OAuth vs Web SSO
• OAuth does not give you
– User attributes
– Confirmation (that the user is present)
– Audience (this token was meant for you)
OpenID Connect
OpenID Connect
• In-process specification building on top of OAuth 2
• Adds first-class identity information to protocol
• Supports additional use cases
– (hybrid client)
OpenID Connect
• New “ID Token”
• Normal Access token is for the resource, about the client application
• ID token is meant to be understood by the client, about the user
OpenID Connect
• Defines UserInfo service
– To get user attributes in a standard manner
• Has a simple discovery mechanism to authenticate by URL or email address
• Defines dynamic client support
OpenID Connect
OpenID Connect provides a single way to securely support both Web SSO, and API access by native clients.
Closing
• Digital Identity is a broad topic representing the user authentication, attributes, and authorization policies for a domain
• Applications should not be their own security domains
– does not scale
• Web SSO is a way to bridge the gap in security domains
– SAML - Security Assertion Markup Language
– OpenID
• For native clients, the browser flow of Web SSO is not appropriate
• SOAP services have WS-*
– supports SAML tokens
• REST services have OAuth
– supports SAML tokens
• Going forward, OpenID Connect bridges Web SSO and API access.
• Supports authentication and authorization
• Previous protocols will stay in use
Questions?
• Ask me about:
– WS-Federation
– WS-Security/WS-Trust
– SCIM
– ID-FF/Shibboleth
http://www.flickr.com/photos/horiavarlan/4273168957/
• Visit www.pingidentity.com or www.pingone.com for more information
• Email [email protected] with questions
Are you a SaaS company interested in getting started with PingOne for free?
Contact us at [email protected] to learn how!