
OpenID Connect Authentication using MSS

OpenID-Connect

OpenID Connect (OIDC) is a widely used authentication layer built on top of OAuth 2.0. An OIDC client (the relying party) trusts an OIDC server (the provider) to authenticate users on its behalf.

OIDC servers can authenticate users, for example, with the following methods:

  • username/password credentials,
  • dongles,
  • biometrics.

In the username/password method the OIDC server asks the user to provide their credentials:

[Figure: OpenID_Connect_Generic]

We decided to develop an OIDC server that authenticates users with MSS (Mobile Signature Service)!

In the MSS method the OIDC server asks the user to confirm the login on their mobile device instead of typing a password:

[Figure: OpenID_Connect_Overview]

MITREid

As the platform for our OIDC server we use MITREid Connect, an open source OIDC implementation. MITREid is written in Java on the Spring framework, which makes it easy to extend.

In order to support MSS on the MITREid Connect platform, we made some modifications:

  • Extended user profile
  • MSS authentication
  • Profile management

The Kiuru OpenID server fetches users from the AE (Acquiring Entity) with SPML2 (Service Provisioning Markup Language v2). This lets us reuse existing accounts that already have a well-defined life-cycle instead of maintaining a second user database.

Kiuru OpenID system
[Figure: System Overview]

The user profile is the user data (the claims) that the OIDC server can provide to clients. We moved this data to EntityDB, so profile management is done in Kiuru MSSP. As a result the Kiuru OpenID Connect server doesn't need to keep any persistent data of its own. This keeps the server simple and easy to scale out, because several instances can run side by side without synchronizing data between them.
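The following Python script is an added example, not code from this page or from the Kiuru or MITREid projects. It models the flow in the two figures above together with the stateless design just described: the OIDC server keeps only short-lived in-memory tables of pending challenges and unredeemed authorization codes, the user confirms a transaction text on the phone, and the claims in the ID token are fetched from a profile store (a stand-in for EntityDB) at issue time rather than persisted by the server. The mobile signature is simulated with an HMAC under a per-device secret and the ID token is HS256-signed; a real MSSP verifies a PKI signature against the user's certificate, and a real provider would publish an RS256 key via JWKS. All names, keys, URLs and the sample MSISDN are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for the profile store the text keeps at the MSSP (EntityDB):
# MSS identity (MSISDN) -> OIDC claims. The sample data is hypothetical.
ENTITY_DB = {
    "+358401234567": {"sub": "user-0001", "name": "Alice Example",
                      "email": "alice@example.invalid"},
}
# Stand-in for the signing key inside the user's mobile device. A real MSS
# signature is a PKI signature checked against the user's certificate; an HMAC
# key shared only with the simulated device keeps this example dependency-free.
DEVICE_KEYS = {"+358401234567": b"simulated-mobile-device-key"}

ISSUER = "https://openid.example.invalid"      # hypothetical issuer URL
ID_TOKEN_KEY = b"server-id-token-hs256-key"    # hypothetical HS256 key
CHALLENGE_TTL = 120                            # seconds the user has to confirm on the phone


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mobile_device_sign(msisdn: str, dtbd: str) -> bytes:
    """Simulates the user confirming the DTBD text on the phone."""
    return hmac.new(DEVICE_KEYS[msisdn], dtbd.encode(), hashlib.sha256).digest()


class MssOidcServer:
    """OIDC provider whose only state is two in-memory tables (pending
    challenges and unredeemed codes); profile claims are read from ENTITY_DB."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # transaction id -> challenge record
        self.codes = {}     # authorization code -> challenge record

    def start_authentication(self, msisdn, client_id, redirect_uri, nonce):
        if msisdn not in ENTITY_DB:          # don't page the phone for strangers
            raise LookupError("unknown user")
        tx = secrets.token_urlsafe(16)
        # Data To Be Displayed (DTBD): the text the user signs on the phone.
        # Naming the client and transaction binds the signature to this login.
        dtbd = f"Login to {client_id} (transaction {tx})"
        self.pending[tx] = {"msisdn": msisdn, "client_id": client_id,
                            "redirect_uri": redirect_uri, "nonce": nonce,
                            "dtbd": dtbd, "expires": self.now() + CHALLENGE_TTL}
        return tx, dtbd

    def finish_authentication(self, tx, signature) -> str:
        rec = self.pending.pop(tx, None)     # single use: a replay finds nothing
        if rec is None:
            raise PermissionError("unknown or already used transaction")
        if self.now() > rec["expires"]:
            raise PermissionError("challenge expired")
        expected = mobile_device_sign(rec["msisdn"], rec["dtbd"])
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("mobile signature does not match DTBD")
        code = secrets.token_urlsafe(24)     # handed to the client via redirect_uri
        self.codes[code] = rec
        return code

    def token(self, code, client_id, redirect_uri) -> str:
        rec = self.codes.pop(code, None)     # codes are single use too
        if rec is None or (rec["client_id"], rec["redirect_uri"]) != (client_id, redirect_uri):
            raise PermissionError("invalid code, client or redirect_uri")
        profile = ENTITY_DB[rec["msisdn"]]   # claims fetched at issue time, never persisted here
        now = int(self.now())
        claims = {"iss": ISSUER, "aud": client_id, "sub": profile["sub"],
                  "nonce": rec["nonce"], "iat": now, "exp": now + 3600,
                  "amr": ["mss"], "name": profile["name"], "email": profile["email"]}
        header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
        body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(ID_TOKEN_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, client_id: str, nonce: str, now=time.time) -> dict:
    """What the relying party checks before trusting the claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(ID_TOKEN_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad token signature")
    claims = json.loads(_b64url_decode(body))
    if claims["iss"] != ISSUER or claims["aud"] != client_id or claims["nonce"] != nonce:
        raise PermissionError("issuer, audience or nonce mismatch")
    if now() >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


if __name__ == "__main__":
    srv = MssOidcServer()
    tx, dtbd = srv.start_authentication("+358401234567", "client-a", "https://rp.example.invalid/cb", "n-1")
    code = srv.finish_authentication(tx, mobile_device_sign("+358401234567", dtbd))
    print(verify_id_token(srv.token(code, "client-a", "https://rp.example.invalid/cb"), "client-a", "n-1"))
```

The points worth noticing are the ones a pure username/password provider does not have: the signed text names the client and the transaction so a signature obtained for one login cannot be replayed for another, the pending challenge is popped before it is checked so a second submission fails even when the first one succeeded, and the challenge expires if the user never answers on the phone. Because nothing in the server survives a restart except what any instance can re-fetch from ENTITY_DB, a second instance could be started next to the first with no data synchronization, which is the property the paragraph above is after.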

Managing data

MITREid stores the following components, related to each other as shown in the figure:

[Figure: OpenID_Connect_Data]

The data is easier for us to manage when it is stored by the MSSP. For us it is important to have at least the account data (users and client details) at the MSSP.

The other data doesn't need a persistent life-cycle, though it is nice to have it at the MSSP too. Losing the approved-client records means that users have to re-approve their clients (which is bad for usability). Losing the tokens means that users have to log in again to all clients; this fails safe, since a token that no longer exists cannot be accepted.

Feasibility

The main problem for us is that MITREid Connect doesn't itself provide a solution for running several server instances against the same state. We moved the data from MITREid to the MSSP to solve this.

OpenID Connect is a good additional connectivity technology for our product family. MITREid Connect allowed us to implement it with ease.