Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect & UMA

2 likes2,650 views

Trust elevation allows increasing authentication strength to enable higher-risk transactions. It involves tradeoffs between security and usability. OAuth2 and OpenID Connect provide standard authentication frameworks for apps and APIs, supporting a range of authentication methods from passwords to biometrics. User managed access (UMA) further extends OAuth2 to implement policy-based access control. To enable cross-domain trust elevation, organizations can participate in federated identity systems like SAML and OAuth2 federations, which standardize technical and legal integration between identity providers. Emerging areas involve authentication for IoT devices and fine-grained access control over distributed data.

Trust Elevation
Implementing an OAuth 2.0 Infrastructure
using the OpenID Connect & UMA profiles
sales@gluu.org@GluuFederation
By: Michael Schwartz

What is trust elevation?
“Trust Elevation methods increase the
mitigation of risk of false assertion of identity in
order to allow the subject to engage in a
transaction.”
OASIS Trust-EL TC
Authentication Step-Up Protocol and Metadata
Version 1.0-Draft 3

Don’t use 2FA, unless you have to...
“Civilization advances by extending the number
of important operations which we can perform
without thinking about them.”
Albert North Whitehead
English Mathematician and Philosopher
(1861 - 1947)

Authentication Involves Tradeoffs

Agenda
1. What tools do we have for person
identification?
2. OAuth2 for trust elevation?
3. Inter-domain trust elevation?
4. New challenges!

Who am I:
Founded & Sold ISP: ‘95-’99
IAM Integrator: ‘98-’09
Founder / CEO Gluu: ‘09 - Present
Dad, hacker, pigeon enthusiast

Part I: Identification
electron → meat correlation…
How do we know who
is on the other side of
that digital transaction?

Cognitive
Something you know or
something your browser saved.

Biometric
Something you are or…
something you can’t change.

Token
Something you have.

Mobile
Some device you control.

Smart Card
Something you probably don’t
have a reader for...

Wearables / NFC
Something you have on.

FIDO: Second Factor Experience
Some U2F device that you have.

FIDO: Passwordless Experience
Some UAF that device you have.

Context and Behavior
Some way you use your phone or browser.

Risk Scores
Some big-data footprint you’re not even aware of..

Contextual Combinations Complicate
Relative Scale
● Is the IP address a known hacker?
● Was the device rooted?
● Is a browser cookie present?
● Is the device running virus
protection?
● Is the location recognized?
● When was credential issued?
● What is the time of day?

According to Microsoft
research (page 11), every
authentication scheme does
worse than passwords on
deployability.
Pick your poison:

Part II: OAuth2
How do apps use all these crazy authentication methods?
● Deployability = cost
● Less Cost = consolidation
● No “one-offs”!

A brief history in Web
Authentication Standards

Developers want JSON REST
API’s for authentication.

OpenID Connect
Only one protected endpoint: “user_info” which returns id_token

UMA
The requesting party must provide
a valid RPT Token to the resource server.

How does the app know
what kind of authn happened?

id_token
User claims + info about authentication event

OpenID Provider Discovery
GET host + /.well-known/openid-configuration

OpenID Dynamic Client Registration

Authentication Request
That is a space delimited string

Scope based
Not ABAC policies!

Best Practice:
Centralize Policy Management

UMA provides the PDP

What kind of policies can you make?

Return Hint...
You are Forbidden because you need acr...

Part III
Federations for inter-domain trust

EDURoam for wifi

SAML Federations
Normalize legal and technical details for trust.

SAML Federation Metadata

Many SAML Federations publish user schema

Domains need to collaborate
on the values for acr’s and amr’s

So what values should we
use for amr and acr?

SAML Federations
Identity Providers and Websites (SP)

OAuth2 has new entities and new jargon

OAuth2 Schema, not just attributes

Open Trust Taxonomy for OAuth2
(OTTO)
Enter...

Where do we need federations?

Part IV: New Challenges

Who’s that knocking at my door?

IOT Challenges

New Services like Data Federation
Not “can you access?” But “what can you access?”

Summary

Questions?
sales@gluu.org
@GluuFederation

Ad

Recommended

PPTX

RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!Mike Schwartz

PDF

OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyMike Schwartz

PDF

The identity of things & the smart cities of tomorrow webinar may 2015ForgeRock

PDF

The Business Ecosystem is a Neighborhood - ForgeRock Identity Live Austin 2017ForgeRock

PDF

FIDO Technical Specifications OverviewFIDO Alliance

PPTX

Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock

PDF

ForgeRock Platform Release - Summer 2016 ForgeRock

PDF

Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Eve Maler

PDF

Identiverse - Microservices SecurityBertrand Carlier

PPTX

User-Managed Access: Why and How? - Access Control in Digital Contract ContextsForgeRock

PPTX

NYC Identity Summit Tech Day: ForgeRock Identity Platform OverviewForgeRock

PPTX

The New Venn of Access Control in the API-Mobile-IOT EraForgeRock

PDF

How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsMaxim Salnikov

PDF

The Future is Now: The ForgeRock Identity Platform, Early 2017 ReleaseForgeRock

PPT

Authentication and strong authentication for Web ApplicationSylvain Maret

PDF

The Future of Digital Identity in the Age of the Internet of ThingsForgeRock

PPTX

ForgeRock Gartner 2016 Security & Risk Management Summit ForgeRock

PDF

Beyond username and password it's continuous authorization webinarForgeRock

PDF

Digital Trust: How Identity Tackles the Privacy, Security and IoT ChallengeForgeRock

PPTX

NYC Identity Summit Tech Day: Best Practices for API SecurityForgeRock

PPTX

Webinar: Consent 2.0: Applying User-Managed Access to the Privacy ChallengeForgeRock

PDF

FIDO Technical Specifications OverviewFIDO Alliance

PDF

Google Case Study - Towards simpler, stronger authenticationFIDO Alliance

PPTX

NYC Identity Summit Business Day: Identity is the Center of Everything (Mike ...ForgeRock

PDF

NYC Identity Summit Tech Day: Authorization for the Modern WorldForgeRock

PPTX

Getting to Know the FIDO Specifications - Technical TutorialFIDO Alliance

PDF

Sydney Identity Summit: Addressing the New Threat Landscape with Continuous S...ForgeRock

PDF

Sydney Identity Summit: Doing Authorisation, Consent and Delegation Right wit...ForgeRock

PDF

Cryptograpy ExamLisa Olive

PPT

Re-using existing PKIs for online Identity ManagementMartijn Oostdijk

More Related Content

What's hot (20)

PDF

Identiverse - Microservices SecurityBertrand Carlier

PPTX

User-Managed Access: Why and How? - Access Control in Digital Contract ContextsForgeRock

PPTX

NYC Identity Summit Tech Day: ForgeRock Identity Platform OverviewForgeRock

PPTX

The New Venn of Access Control in the API-Mobile-IOT EraForgeRock

PDF

How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsMaxim Salnikov

PDF

The Future is Now: The ForgeRock Identity Platform, Early 2017 ReleaseForgeRock

PPT

Authentication and strong authentication for Web ApplicationSylvain Maret

PDF

The Future of Digital Identity in the Age of the Internet of ThingsForgeRock

PPTX

ForgeRock Gartner 2016 Security & Risk Management Summit ForgeRock

PDF

Beyond username and password it's continuous authorization webinarForgeRock

PDF

Digital Trust: How Identity Tackles the Privacy, Security and IoT ChallengeForgeRock

PPTX

NYC Identity Summit Tech Day: Best Practices for API SecurityForgeRock

PPTX

Webinar: Consent 2.0: Applying User-Managed Access to the Privacy ChallengeForgeRock

PDF

FIDO Technical Specifications OverviewFIDO Alliance

PDF

Google Case Study - Towards simpler, stronger authenticationFIDO Alliance

PPTX

NYC Identity Summit Business Day: Identity is the Center of Everything (Mike ...ForgeRock

PDF

NYC Identity Summit Tech Day: Authorization for the Modern WorldForgeRock

PPTX

Getting to Know the FIDO Specifications - Technical TutorialFIDO Alliance

PDF

Sydney Identity Summit: Addressing the New Threat Landscape with Continuous S...ForgeRock

PDF

Sydney Identity Summit: Doing Authorisation, Consent and Delegation Right wit...ForgeRock

Identiverse - Microservices SecurityBertrand Carlier

User-Managed Access: Why and How? - Access Control in Digital Contract ContextsForgeRock

NYC Identity Summit Tech Day: ForgeRock Identity Platform OverviewForgeRock

The New Venn of Access Control in the API-Mobile-IOT EraForgeRock

How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsMaxim Salnikov

The Future is Now: The ForgeRock Identity Platform, Early 2017 ReleaseForgeRock

Authentication and strong authentication for Web ApplicationSylvain Maret

The Future of Digital Identity in the Age of the Internet of ThingsForgeRock

ForgeRock Gartner 2016 Security & Risk Management Summit ForgeRock

Beyond username and password it's continuous authorization webinarForgeRock

Digital Trust: How Identity Tackles the Privacy, Security and IoT ChallengeForgeRock

NYC Identity Summit Tech Day: Best Practices for API SecurityForgeRock

Webinar: Consent 2.0: Applying User-Managed Access to the Privacy ChallengeForgeRock

FIDO Technical Specifications OverviewFIDO Alliance

Google Case Study - Towards simpler, stronger authenticationFIDO Alliance

NYC Identity Summit Business Day: Identity is the Center of Everything (Mike ...ForgeRock

NYC Identity Summit Tech Day: Authorization for the Modern WorldForgeRock

Getting to Know the FIDO Specifications - Technical TutorialFIDO Alliance

Sydney Identity Summit: Addressing the New Threat Landscape with Continuous S...ForgeRock

Sydney Identity Summit: Doing Authorisation, Consent and Delegation Right wit...ForgeRock

Similar to Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect & UMA (20)

PDF

Cryptograpy ExamLisa Olive

PPT

Re-using existing PKIs for online Identity ManagementMartijn Oostdijk

PPTX

Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19Andrew Hughes

PDF

Nt2580 Final Project Essay ExamplesSherry Bailey

PDF

[WSO2Con EU 2018] Identity APIs is the New BlackWSO2

PDF

Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure usin...Kaliya "Identity Woman" Young

PPT

Cartes Asia Dem 2010 V2Donald Malloy

PDF

Mobile Ad Hoc Networks ( Manets )Heather Vargas

PDF

Information Technology Security Is Vital For The Success...Brianna Johnson

PPTX

Internet of Things: Identity & Security with Open StandardsGeorge Fletcher

PPTX

RSA Europe: Future of Cloud IdentityMike Schwartz

PDF

CIS14: Securing the Internet of Things with Open StandardsCloudIDSummit

PPTX

Kerberos-PKI-Federated identityWAFAA AL SALMAN

PDF

Cybersecurity SlidesJim Kaplan CIA CFE

PPTX

Trylogic- Cyber security by Vikalp Sharma- FDP Presentation July 9 2020Vikalp Sharma

PPTX

Security in microservices architecturesinovia

PPTX

SWXG 2010.6.9 v2Paul Trevithick

PPTX

Introduction to Blockchain and BitCoin New Business OpportuntiesValue Amplify Consulting

PDF

Network SecurityBeth Hall

PDF

Lessons in privacy engineering from a nation scale identity system - connect idDavid Kelts, CIPT

Cryptograpy ExamLisa Olive

Re-using existing PKIs for online Identity ManagementMartijn Oostdijk

Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19Andrew Hughes

Nt2580 Final Project Essay ExamplesSherry Bailey

[WSO2Con EU 2018] Identity APIs is the New BlackWSO2

Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure usin...Kaliya "Identity Woman" Young

Cartes Asia Dem 2010 V2Donald Malloy

Mobile Ad Hoc Networks ( Manets )Heather Vargas

Information Technology Security Is Vital For The Success...Brianna Johnson

Internet of Things: Identity & Security with Open StandardsGeorge Fletcher

RSA Europe: Future of Cloud IdentityMike Schwartz

CIS14: Securing the Internet of Things with Open StandardsCloudIDSummit

Kerberos-PKI-Federated identityWAFAA AL SALMAN

Cybersecurity SlidesJim Kaplan CIA CFE

Trylogic- Cyber security by Vikalp Sharma- FDP Presentation July 9 2020Vikalp Sharma

Security in microservices architecturesinovia

SWXG 2010.6.9 v2Paul Trevithick

Introduction to Blockchain and BitCoin New Business OpportuntiesValue Amplify Consulting

Network SecurityBeth Hall

Lessons in privacy engineering from a nation scale identity system - connect idDavid Kelts, CIPT

Ad

More from Mike Schwartz (15)

PPTX

LASCON 2017: SAML v. OpenID v. OauthMike Schwartz

PPTX

OTTO - Internet2 TechX 2017Mike Schwartz

PPTX

The Client is not always right! How to secure OAuth authentication from your...Mike Schwartz

PPTX

LASCON: Three Profiels of OAuth2 for Identity and Access ManagementMike Schwartz

PPTX

Kantara OTTO slidesMike Schwartz

PPTX

RSA Conference 2016: Who Are You? From Meat to Electrons and Back AgainMike Schwartz

PDF

Who Are You? From Meat to Electrons - SXSW 2014Mike Schwartz

PDF

OpenID Connect vs. OpenID 1 & 2Mike Schwartz

PPT

ID Next 2013 Keynote Slides by Mike SchwartzMike Schwartz

PPTX

Federation registryMike Schwartz

PPTX

Single Sign On 101Mike Schwartz

PPTX

Requirements for Personal Clouds : Tech Ranch Talk 8/7/13Mike Schwartz

PDF

Cloud Identity: A Recipe for Higher EducationMike Schwartz

PDF

Gluu EDU Webinar: Shibboleth/SAML SSOMike Schwartz

PDF

SAML Protocol OverviewMike Schwartz

LASCON 2017: SAML v. OpenID v. OauthMike Schwartz

OTTO - Internet2 TechX 2017Mike Schwartz

The Client is not always right! How to secure OAuth authentication from your...Mike Schwartz

LASCON: Three Profiels of OAuth2 for Identity and Access ManagementMike Schwartz

Kantara OTTO slidesMike Schwartz

RSA Conference 2016: Who Are You? From Meat to Electrons and Back AgainMike Schwartz

Who Are You? From Meat to Electrons - SXSW 2014Mike Schwartz

OpenID Connect vs. OpenID 1 & 2Mike Schwartz

ID Next 2013 Keynote Slides by Mike SchwartzMike Schwartz

Federation registryMike Schwartz

Single Sign On 101Mike Schwartz

Requirements for Personal Clouds : Tech Ranch Talk 8/7/13Mike Schwartz

Cloud Identity: A Recipe for Higher EducationMike Schwartz

Gluu EDU Webinar: Shibboleth/SAML SSOMike Schwartz

SAML Protocol OverviewMike Schwartz

Ad

Recently uploaded (20)

PPTX

Q2 FY26 Tableau User Group Leader Quarterly Calllward7

PDF

Exolore The Essential AI Tools in 2025.pdfSrinivasan M

PDF

Bitcoin for Millennials podcast with Bram, Power Laws of BitcoinStephen Perrenod

PDF

Building Real-Time Digital Twins with IBM Maximo & ArcGIS IndoorsSafe Software

PDF

CIFDAQ Weekly Market Wrap for 11th July 2025CIFDAQ

PDF

Log-Based Anomaly Detection: Enhancing System Reliability with Machine LearningMohammed BEKKOUCHE

PPTX

Webinar: Introduction to LF Energy EVerestDanBrown980551

PDF

HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...mcastillo49

PPTX

From Sci-Fi to Reality: Exploring AI EvolutionSvetlana Meissner

PDF

SWEBOK Guide and Software Services Engineering EducationHironori Washizaki

PPTX

AI Penetration Testing Essentials: A Cybersecurity Guide for 2025defencerabbit Team

PDF

Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdfdarshakparmar

PDF

CIFDAQ Market Insights for July 7th 2025CIFDAQ

PDF

Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025faizk77g

PDF

From Code to Challenge: Crafting Skill-Based Games That Engage and Rewardaiyshauae

PPTX

UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst ContentDianaGray10

PDF

Using FME to Develop Self-Service CAD Applications for a Major UK Police ForceSafe Software

PPTX

"Autonomy of LLM Agents: Current State and Future Prospects", Oles` PetrivFwdays

PDF

New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025BookNet Canada

PDF

Reverse Engineering of Security Products: Developing an Advanced Microsoft De...nwbxhhcyjv

Q2 FY26 Tableau User Group Leader Quarterly Calllward7

Exolore The Essential AI Tools in 2025.pdfSrinivasan M

Bitcoin for Millennials podcast with Bram, Power Laws of BitcoinStephen Perrenod

Building Real-Time Digital Twins with IBM Maximo & ArcGIS IndoorsSafe Software

CIFDAQ Weekly Market Wrap for 11th July 2025CIFDAQ

Log-Based Anomaly Detection: Enhancing System Reliability with Machine LearningMohammed BEKKOUCHE

Webinar: Introduction to LF Energy EVerestDanBrown980551

HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...mcastillo49

From Sci-Fi to Reality: Exploring AI EvolutionSvetlana Meissner

SWEBOK Guide and Software Services Engineering EducationHironori Washizaki

AI Penetration Testing Essentials: A Cybersecurity Guide for 2025defencerabbit Team

Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdfdarshakparmar

CIFDAQ Market Insights for July 7th 2025CIFDAQ

Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025faizk77g

From Code to Challenge: Crafting Skill-Based Games That Engage and Rewardaiyshauae

UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst ContentDianaGray10

Using FME to Develop Self-Service CAD Applications for a Major UK Police ForceSafe Software

"Autonomy of LLM Agents: Current State and Future Prospects", Oles` PetrivFwdays

New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025BookNet Canada

Reverse Engineering of Security Products: Developing an Advanced Microsoft De...nwbxhhcyjv

Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect & UMA

1. Trust Elevation Implementing an OAuth 2.0 Infrastructure using the OpenID Connect & UMA profiles [email protected]@GluuFederation By: Michael Schwartz

2. What is trust elevation? “Trust Elevation methods increase the mitigation of risk of false assertion of identity in order to allow the subject to engage in a transaction.” OASIS Trust-EL TC Authentication Step-Up Protocol and Metadata Version 1.0-Draft 3

3. Don’t use 2FA, unless you have to... “Civilization advances by extending the number of important operations which we can perform without thinking about them.” Albert North Whitehead English Mathematician and Philosopher (1861 - 1947)

4. Authentication Involves Tradeoffs

5. Agenda 1. What tools do we have for person identification? 2. OAuth2 for trust elevation? 3. Inter-domain trust elevation? 4. New challenges!

6. Who am I: Founded & Sold ISP: ‘95-’99 IAM Integrator: ‘98-’09 Founder / CEO Gluu: ‘09 - Present Dad, hacker, pigeon enthusiast

7. Part I: Identification electron → meat correlation… How do we know who is on the other side of that digital transaction?

8. Cognitive Something you know or something your browser saved.

9. Biometric Something you are or… something you can’t change.

10. Token Something you have.

11. Mobile Some device you control.

12. Smart Card Something you probably don’t have a reader for...

13. Wearables / NFC Something you have on.

14. FIDO: Second Factor Experience Some U2F device that you have.

15. FIDO: Passwordless Experience Some UAF that device you have.

16. Context and Behavior Some way you use your phone or browser.

17. Risk Scores Some big-data footprint you’re not even aware of..

18. Contextual Combinations Complicate Relative Scale ● Is the IP address a known hacker? ● Was the device rooted? ● Is a browser cookie present? ● Is the device running virus protection? ● Is the location recognized? ● When was credential issued? ● What is the time of day?

19. According to Microsoft research (page 11), every authentication scheme does worse than passwords on deployability. Pick your poison:

20. Part II: OAuth2 How do apps use all these crazy authentication methods? ● Deployability = cost ● Less Cost = consolidation ● No “one-offs”!

21. A brief history in Web Authentication Standards

22. Developers want JSON REST API’s for authentication.

23. OpenID Connect Only one protected endpoint: “user_info” which returns id_token

24. UMA The requesting party must provide a valid RPT Token to the resource server.

25. How does the app know what kind of authn happened?

26. id_token User claims + info about authentication event

27. OpenID Provider Discovery GET host + /.well-known/openid-configuration

28. OpenID Dynamic Client Registration

29. Authentication Request That is a space delimited string

30. Scope based Not ABAC policies!

31. Best Practice: Centralize Policy Management

32. UMA provides the PDP

33. What kind of policies can you make?

34. Return Hint... You are Forbidden because you need acr...

35. Part III Federations for inter-domain trust

36. EDURoam for wifi

37. SAML Federations Normalize legal and technical details for trust.

38. SAML Federation Metadata

39. Many SAML Federations publish user schema

40. Domains need to collaborate on the values for acr’s and amr’s

41. So what values should we use for amr and acr?

42. SAML Federations Identity Providers and Websites (SP)

43. OAuth2 has new entities and new jargon

44. OAuth2 Schema, not just attributes

45. Open Trust Taxonomy for OAuth2 (OTTO) Enter...

46. Where do we need federations?

47. Part IV: New Challenges

48. Who’s that knocking at my door?

49. IOT Challenges

50. New Services like Data Federation Not “can you access?” But “what can you access?”

52. Questions? [email protected] @GluuFederation