Synergies of Cloud Identity: Putting it All Together By Travis Spencer, CEO

Upload: twobo-technologies

Post on 28-May-2015


DESCRIPTION

Synergistically using digital identity to securely adopt cloud computing, mobile, and social. Introduction to the "Neo Security Stack" of digital identity standards, namely OpenID Connect, OAuth, JWT, and SCIM, and how to use them together.

TRANSCRIPT

Page 1

Synergies of Cloud Identity: Putting it All Together

By Travis Spencer, CEO

Page 2

Agenda

• Impact of mobile and cloud on business
• Central role of identity in coping with these changes
• Using the different identity specs together to this end

Copyright (C) 2012 Twobo Technologies AB

Page 3

Mobile is Changing Business

• 75% of mobiles in Scandinavia are smartphones; 50% in rest of Europe & US
• BYOD is a foregone conclusion for most
  – 90% of orgs will support corporate apps on personal devices by 2014
• 80% of orgs will use tablets by next year

Page 4

Mobilizing Business Processes

• Workflows are a business’s circulatory system
• Automation and efficiency are critical
• Mobile helps optimize these processes

Page 5

Reusing Existing Technology

• Prior technology investments will remain on the books for years
• Existing data/systems must be available to mobile users and cloud services
• IT organizations need to bridge the old and new technologies

Page 6

Seamless Access to Cloud Apps

• Giving employees new passwords for each cloud app is not secure or scalable
• 123456 is not a secure password, but cloud providers allow it!
• Existing OTP tokens are not supported
• Seamless cloud access is required

Page 7

Crucial Security Concerns

Figure: three areas of concern, Enterprise Security, API Security and Mobile Security

Page 8

Identity is Central

Figure: Venn diagram by Gunnar Peterson with circles for Mobile Security, API Security and Enterprise Security, labelled MDM, MAM and AuthZ, with Identity at the overlap

Page 9

Neo-security Stack

• SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
• OAuth 2 is the new meta-protocol defining how tokens are handled
• These address old requirements, solve new problems & are composed in useful ways

Figure: “Grandpa SAML & junior OpenID Connect”, captioned “WS- again?”

Page 10

SAML + OAuth

• Relay OAuth token in SAML messages
• Use SAML tokens to authenticate OAuth clients or as the AS’s output token format
• Use SAML SSO to authenticate users to AS

Page 11

SCIM + OAuth

• Use OAuth to secure SCIM API calls
• Use SCIM to create accounts needed to access APIs secured using OAuth

Page 12

Push Tokens & Pull Identities

Figure: sequence diagram with three parties, IdP/SCIM Server, SP / SCIM Client and Browser. The IdP pushes an access token in the federation message (via the browser); the SP then calls Get User on the SCIM server and receives User Data.

Page 13

SCIM + SAML/OIC

• Carry SCIM attributes in SAML assertions (bindings for SCIM)
  – Enables JIT provisioning
  – Supplements SCIM API & schema
• Provision accounts using the SCIM API so they are updated before/after logon

Page 14

OpenID Connect

• Builds on OAuth for profile sharing
• Uses the flows optimized for user-consent scenarios
• Adds identity-based inputs/outputs to core OAuth messages
• Tokens are JWTs
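The following Python is an added example, not code from the deck or from Twobo, that ties together three of the slides: securing a SCIM API call with an OAuth bearer token (Page 11), the SP pulling a user record with the token the IdP pushed in the federation message (Page 12), and the JWT checks an OpenID Connect relying party performs on an ID token (Page 14). It assumes an HS256 shared secret (constructed for the example; a real AS would use asymmetric keys), a constructed user record, a hypothetical scope name "scim:read", and hypothetical function names (mint_jwt, verify_jwt, scim_get_user, pull_identity, validate_id_token). The SCIM schema URNs are the standard ones from RFC 7643/7644.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for this example only.
SECRET = b"example-shared-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT (hypothetical helper standing in for the AS)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Check structure, pinned algorithm, signature and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


# Constructed SCIM user store on the IdP side (values made up for the example).
USERS = {
    "2819c223": {"id": "2819c223", "userName": "bjensen",
                 "emails": [{"value": "bjensen@example.com", "primary": True}]},
}
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_get_user(user_id: str, authorization: Optional[str], now: Optional[float] = None):
    """SCIM server: GET /Users/{id} protected by an OAuth bearer token.
    Returns (status, body) the way an HTTP handler would."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401, {"schemas": [SCIM_ERROR], "status": "401", "detail": "bearer token required"}
    try:
        claims = verify_jwt(authorization[len("Bearer "):], now=now)
    except ValueError as exc:
        return 401, {"schemas": [SCIM_ERROR], "status": "401", "detail": str(exc)}
    # "scim:read" is an assumed scope name; SCIM does not standardize scope values.
    if "scim:read" not in claims.get("scope", "").split():
        return 403, {"schemas": [SCIM_ERROR], "status": "403", "detail": "insufficient scope"}
    user = USERS.get(user_id)
    if user is None:
        return 404, {"schemas": [SCIM_ERROR], "status": "404", "detail": "no such user"}
    return 200, {"schemas": [SCIM_USER], **user}


def pull_identity(access_token: str, user_id: str, now: Optional[float] = None) -> dict:
    """SP acting as SCIM client: use the token pushed in the federation
    message to pull the user record (the Get User / User Data step)."""
    status, body = scim_get_user(user_id, f"Bearer {access_token}", now=now)
    if status != 200:
        raise PermissionError(f"SCIM call failed: {status} {body.get('detail')}")
    return body


def validate_id_token(token: str, issuer: str, client_id: str, nonce: str,
                      now: Optional[float] = None) -> dict:
    """OpenID Connect ID token checks on top of the generic JWT checks:
    iss must match, aud must contain this client, nonce must match."""
    claims = verify_jwt(token, now=now)
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims
```

The resource server side fails closed: a missing header, an unknown algorithm, a bad signature or a missing exp all produce a SCIM error response rather than a user record, and scope is checked separately from authentication so an ID token issued for login cannot be reused as a provisioning credential.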

Page 15

User Managed Access

• Also extends OAuth 2
• Allows users to centrally control distribution of their identity data
• Used with Personal Data Stores (PDS) to create “identity data lockers”

Page 16

Questions & Thanks

@2botech
@travisspencer
www.2botech.com
www.travisspencer.com