API
Application programming interfaces
Resources in the cloud are offered and accessed through specific services and APIs
CSC
Cloud service customer
CSP
Cloud service provider
Identity Federation in the Cloud
The identity management infrastructure that enables a CSC user to access the cloud services that his/her company has subscribed to with a CSP is always based on an identity federation.
Identity Provider (IdP)
Creates, maintains and manages identity information and credentials for users, and issues them to users
Relying Party (RP) / Service Provider (SP)
Receives and consumes identity data, authentication events and attributes from identity providers in the form of assertions
CSC vs CSP in identity federation in a cloud environment
The CSC plays the role of the identity provider (IdP), while the CSP plays the role of the service provider (SP)
Private Cloud
A private cloud can only be accessed by a single CSC and is thus accessible only to users from that CSC
Public Cloud
A public cloud is accessed by many CSCs each with many users. Sometimes a subscribing CSC may provide access to cloud service for not only its own employees and contractors but for certain affiliates such as partners.
For cloud-based identity federation trust must be established between…
CSC and CSP
STS
Security Token Service
Provides tokens in a private cloud infrastructure
Authentication in a private cloud
The user, a member of the CSC, requests a service from the private cloud
The cloud requests an identity token from the Security Token Service (STS)
The identity token generated from the user’s attributes is transmitted to the private cloud
The cloud checks the token’s validity and if successful, allows the user access to service
Authentication in a public cloud
The cloud provider who provides the identity management as a service is called
Identity as a Service (IDaaS) provider
IDaaS Advantages
Reduces the cost and complexity of identity management for cloud service access for some CSCs
IDaaS Disadvantages
The IDaaS provider must be trusted to keep CSC users' identity data safe against breach and misuse. This is especially critical since the IDaaS provider may also hold sensitive data such as CSC users' passwords.
First model of IDaaS
The identity information of all CSC users (who need access to cloud services) is stored in the IDaaS provider directories.
The above information is not integrated with contents of on-premises directories of CSC.
This approach may work for new organizations (especially if they are small and have not invested well in an identity infrastructure) but it is unlikely to work for most medium and large businesses (CSCs in our context).
Second model of IDaaS
The business (CSC) also maintains on-premises directories for storing identity information
All the identity information, including passwords, is synchronized between the on-premises directories and the IDaaS provider's cloud-based directories. This process is called replication.
The replication is carried out using special tools and scripting (e.g., PowerShell).
The synchronization (or replication) architecture has several security implications: (a) When user IDs and authenticators (e.g., passwords) are copied between the on-premises and cloud-based directories (of the IDaaS provider), there is potential for an attacker to capture them.
(b) The on-premises and cloud-based directories (of the IDaaS provider) could fall out of sync, because changes made in the on-premises directory (e.g., Active Directory) may not be replicated immediately to the IDaaS provider's cloud-based directory; the replication scripts may be programmed to run only at certain intervals of time.
Third model of IDaaS
This method federates identity between the on-premises directory and the cloud-based directories (of the IDaaS provider).
This is done through a directory federation software (e.g., Active Directory Federation Services (ADFS)).
The advantage here is that you can have multiple cloud-based directories for different services.
A directory federation links a person’s electronic identity and attributes that are stored across multiple directories.
Federation enables a single sign-on (SSO) access for CSC users to access multiple cloud services.
That is, a CSC may have subscribed to many Software-as-a-Service (SaaS) cloud applications. A CSC user can access these applications as well as on-premises applications by signing in once and being authenticated to any of these applications (on-premises or cloud service).
Examples of SaaS cloud services include Office 365, Salesforce, ServiceNow, Workday and Zendesk.
OAuth 2.0 in the cloud
OAuth 2.0 is the protocol used for secure calls to the REST API from CSC to CSP.
OAuth 2.0 Protocol for Secure Access to CSP APIs