OpenID Connect Authentication using MSS
OpenID Connect (OIDC) is a popular authentication layer. An OIDC client trusts OIDC servers to do user authentication in its behalf.
OIDC servers can authenticate users, for example, with the following methods:
- username/password credentials,
In username/password method the OIDC server asks a user to provide the credentials:
We decided to develop an OIDC server that authenticates users with MSS!
In MSS method the OIDC server asks the users to authenticate with her mobile device:
As a platform for our OIDC server, we use MITREid Connect, an open source OIDC implementation. MITREid is built with Java using the Spring platform, which makes it easy to extend.
In order to support MSS on the MITREid Connect platform, we made some modifications:
- Extended user profile
- MSS authentication
- Profile management
The Kiuru OpenID server fetches the users from the AE with SPML2. This allows us to use existing accounts that already have a well-defined life-cycle.
User profile is the user data that the OIDC server can be provide to clients. We moved this data to EntityDB, so we need to perform profile management in Kiuru MSSP. Therefore the Kiuru OpenID Connect server doesn’t need to keep any persistent data. This keeps the Kiuru OpenID Connect server simple and easy to scale up because the server doesn’t need to handle data synchronization.
MITREid stores the following components, which have the following relationships:
The data is easier for us to manage when it’s stored by the MSSP. For us it’s important to have at least the account data (Users and Client details) at the MSSP.
Other data doesn’t require persistent life-cycle, though it’s nice to have them at the MSSP, too. Losing the Approved clients means that users need to re-approve their clients (which is bad). Losing the Tokens means that the user needs to re-login to all clients.
The main problem for us is that MITREid Connect doesn’t implement a solution for scalability. We moved the data from MITREid to the MSSP to fix our problem.
OpenID Connect is a good additional connectivity technology for our product family. MITREid Connect allowed us to implement it with ease.