OpenID connect @ Deutsche telekom. Dr. Torsten Lodderstedt, Deutsche Telekom AG

Similar documents
Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Axway API Gateway. Version 7.4.1

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

OAuth 2.0 andinternet Standard. Torsten Lodderstedt Deutsche Telekom AG

Integration Overview. Web Services and Single Sign On

A Standards-based Mobile Application IdM Architecture

OAuth Guide Release 6.0

Enterprise Access Control Patterns For REST and Web APIs

OpenID Connect 1.0 for Enterprise

Fairsail REST API: Guide for Developers

Globus Auth. Steve Tuecke. The University of Chicago

Security and ArcGIS Web Development. Heather Gonzago and Jeremy Bartley

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

How to create a SP and a IDP which are visible across tenant space via Config files in IS

Copyright Pivotal Software Inc, of 10

Trend of Federated Identity Management for Web Services

How to Extend Identity Security to Your APIs

The increasing popularity of mobile devices is rapidly changing how and where we

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

OAuth 2.0. Weina Ma

Lecture Notes for Advanced Web Security 2015

HOL9449 Access Management: Secure web, mobile and cloud access

Flexible Identity Federation

Copyright: WhosOnLocation Limited

UAF Architectural Overview

API-Security Gateway Dirk Krafzig

How To Use Saml 2.0 Single Sign On With Qualysguard

ACR Connect Authentication Service Developers Guide

Safewhere*Identify 3.4. Release Notes

Salesforce Integration User Guide Version 1.1

Introduction to SAML

Using SAML for Single Sign-On in the SOA Software Platform

Set My University of Melbourne Identity Management Password for the First Time

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

How To Use Salesforce Identity Features

My Stuff Everywhere Your Content On Any Screen

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

Single Sign On. SSO & ID Management for Web and Mobile Applications

Mobile Security. Policies, Standards, Frameworks, Guidelines

Egnyte Single Sign-On (SSO) Installation for OneLogin

Single Sign-On Implementation Guide

OpenLogin: PTA, SAML, and OAuth/OpenID

itds OAuth Integration Paterva itds OAuth Integration Building and re-using OAuth providers within Maltego 2014/09/22

Single Sign-On Implementation Guide

nexus Hybrid Access Gateway

Web Based Single Sign-On and Access Control

TrustedX - PKI Authentication. Whitepaper

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

Comparative analysis - Web-based Identity Management Systems

Identity Management in Telcos. Jörg Heuer, Deutsche Telekom AG, Laboratories. Munich, April 2008

BYE BYE PASSWORDS. The Future of Online Identity. Hans Zandbelt Sr. Technical Architect. CTO Office - Ping Identity

Building Secure Applications. James Tedrick

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Single Sign On for UNICORE command line clients

An Identity Management Survey. on Cloud Computing

Force.com REST API Developer's Guide

SAML and OAUTH comparison

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Onegini Token server / Web API Platform

Office365Mon Developer API

Remote Access End User Reference Guide for SHC Portal Access

CA Nimsoft Service Desk

Administering Jive Mobile Apps

OAuth: Where are we going?

MYOB EXO BUSINESS WHITE PAPER

Authentication and Authorization for Mobile Devices

OAuth2 Ready or not? Dominick Baier

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

SETTING UP YOUR JAVA DEVELOPER ENVIRONMENT

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough

Authenticate and authorize API with Apigility. by Enrico Zimuel Software Engineer Apigility and ZF2 Team

IBM WebSphere Application Server

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

Enhancing Web Application Security

Creating federated authorisation

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

JVA-122. Secure Java Web Development

Accessing the Mercy Remote Access Portal (SSL VPN)

Security Implementation Guide

New Brunswick Internal Services Agency. RSA Self-Service Console User Guide

Federated Identity Management Solutions

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

REMOTE ACCESS USER GUIDE

An Introduction to User-Managed Access (UMA)

OPENIAM ACCESS MANAGER. Web Access Management made Easy

Google Identity Services for work

UNIVERSITY OF COLORADO Procurement Service Center INTENT TO SOLE SOURCE PROCUREMENT CU-JL SS. Single Sign-On (SSO) Solution

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

Simple Cloud Identity Management (SCIM)

Configuration Guide - OneDesk to SalesForce Connector

How To Use Kiteworks On A Microsoft Webmail Account On A Pc Or Macbook Or Ipad (For A Webmail Password) On A Webcomposer (For An Ipad) On An Ipa Or Ipa (For

Identity Implementation Guide

The Top 5 Federated Single Sign-On Scenarios

SPEECH REPOSITORY 2.0. Registration procedure

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

Transcription:

OpenID connect @ Deutsche telekom Dr. Torsten Lodderstedt, Deutsche Telekom AG

service ecosystem and Telekom Login Dr. Torsten Lodderstedt / OpenID Workshop @ IIW #18 2014-05-05 2

Open Standards: Our History We rely on open standards whenever they are secure, easy to understand, and to implement. Therefore, we follow the standardization processes implement emerging standards involve in standardization bodies Liberty Alliance OpenID 2.0 OAuth 1.0 OAuth 2.0 OpenID Connect 2002 2004 2006 2008 2010 2012 2014 2003 2005 2007 2009 2011 2013 Proprietary (Redirect & SOAP) SAML 2.0 OAuth /OpenID Hybrid 3

Why openid connect?

It s SimplE AND secure Simple Identity Layer on top of OAuth 2.0 REST and JSON instead of SOAP and XML No signatures (for lower levels of assurance) Protocol Complexity, e.g. Message Format Authentication request in OpenID Connect https://accounts.login.idm.telekom.com/oauth2/auth?response_type=code&client_id=mediast ORE&scope=openid+profile+phone&redirect_uri=https%3A%2F%2Fsamtestt1.toon.sul.t-online.d e%2fmedia-store%2flogin%2f%3fmode%3doic Authentication request in OpenID 2.0 https://accounts.login.idm.telekom.com/idmip?openid.ns=http%3a%2f%2fspecs.openid.net%2f auth%2f2.0&openid.claimed_id=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0%2fidentifier_se lect&openid.identity=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0%2fidentifier_select&ope nid.return_to=https%3a%2f%2ffavoriten.t-online.de%2fdashboard%2fverification_openid.htm l%3fproviderid%3dcdb-de&openid.realm=https%3a%2f%2ffavoriten.t-online.de&openid.assoc_h andle=s01995598-f734-4660-be3e-e09fb9cf4124&openid.mode=checkid_setup&openid.ns.ext2=ht tp%3a%2f%2fidm.telekom.com%2fopenid%2fext%2f2.0openid.ns.ext3=http%3a%2f%2fspecs.openid.net%2fextensions%2fui%2f1.0&openid.ext3.x-name=true&openid.ext3.icon=true&openid.ns.ex t4=http%3a%2f%2fopenid.net%2fsrv%2fax%2f1.0&openid.ext4.mode=fetch_request&openid.ext4. type.displayname=urn%3atelekom.com%3adisplayname&openid.ext4.type.msisdn=urn%3atelekom. com%3amsisdn&openid.ext4.type.usta=urn%3atelekom.com%3austa&openid.ext4.required=displa yname%2cmsisdn%2custa 5

The One Protocol Features User Authentication/ User ID Resource Authorization (Token) Provides User Attributes Web Flow * App Support OpenID Connect allows us to use the same protocol for all use case since it adds OpenID features to OAuth no need to understand different protocols Connect 2.0 no need for proprietary hybrid protocol: OpenID 2.0 with OAuth 2.0 token handling 6

It Works Great For Mobile Apps OpenID Connect Integration Patterns Supports the typical OAuth 2.0 integration patterns for Web Flows: web-based for login and REST calls for token exchange and user data access Alternative 1: In-App Browser Alternative 2: External Browser Login URL App http://localhost/myapp/callback?code =3741057699 myapp://openid-connect/callback?code=3741057699 No hassle with RP Discovery, form-encoded Login Response, And it s getting even better with the upcoming results of the Native Applications Working Group 7

It Works Great For Mobile Apps stay logged in Long-term access to ID data can be requested using a scope value of offline_access OpenID Provider issues a Refresh Token App stores Refresh Token permanently and uses it for sub-sequent login requests App Simplifies flow by eliminating user interactions Works for any grant type, e.g. authorization code Identity Provider 8

Our Implementation

How? Another interface of our IDM service Extension of existing OAuth 2.0 implementation/interface Same client_id can use both OAuth and OpenID Connect Core logic is shared among OpenID 2.0 and Connect implementation Authentication methods User interfaces User consent management Session management and single logout OpenID 2.0 OAuth 2.0/ OpenID Connect Session/Logout IDM Service (Telekom Login) 10

What? Starting with basic feature set and extending it demand-driven Grant types: code, refresh token, resource owner password, and JWT bearer ID token signing algorithms: none, hmac, rsa Control of authentication process: prompt, max_age, login_hint, acr_values UI optimized for Web and mobile (display parameter) offline_access claim requests by scope values and claims parameter combined authentication & authorization requests discovery document DT-specific session management & single logout Telco-specific functions 3 rd party login and attribute providing All kinds of security measures 11

Authentication App may specify requirements regarding the authentication process Authentication process itself (methods, user interaction, etc.) is at the discretion of the OP Deutsche Telekom uses username and password stay logged in SIM authentication In some scenarios, we also use PIN and/or mobile TAN/OTP 12

Handling of MSISDN Customers may associate their MSISDN(s) to their user account. Network authentication based on associated MSISDN Applications may retrieve associated MSISDN s in login response and in access token content e.g. OpenID Connect Authorization Request http://accounts.login.idm.telekom.com/oauth/auth?response_type=code &[...] &scope=openid+phone &[ ] UserInfo Response { "sub":"120049010000000046553883", "name":"dr. Torsten Lodderstedt", [ ], "phone_number":"+491711234567" "phone_number_verified":"true" } 13

3rd Party Apps Our customers shall use their Telekom Login for any Telekom application/service for web-based and mobile applications for 3 rd party apps and portals Benefits for our customers: simple access to additional services partners: simple access to a large user base User has to consent to data transfer to a 3 rd party application (at least once per partner) Partner-specific user IDs to prohibit tracking across applications 14

OpenID Connect @ Deutsche Telekom OpenID Connect Secure, easy to understand and implement Versatile in its usage Covers all our use-cases or may be easily extended to do so Deutsche Telekom Timeline Mid of 2013: first adoption of OpenID Connect Today: standard API for partner integrations is OpenID Connect Mid of 2014: switch of our largest service to OpenID Connect This is also our contribution to the ongoing GSMA efforts on cross-operator identity providing (Mobile Connect). 15

Any Questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information