Thank you. Thank you for coming to the last lecture of today; you have the power. Here is what we will see today. First of all I will give an overview of OpenID Connect: I will describe the protocol and show how to compare it to other protocols. Then I will review a couple of implementations, and finally I will show the best OpenID Connect implementation, from Keycloak. Before I start, a couple of words about me and the company I work for. I have a lot of years in development and, like most of you, I do like application security. I started to work in this area more than 10 years ago and I enjoy every day that I work in it. For the last couple of years I have focused on leading security architecture at Tufin, and I am responsible for the application security of all the products. Something personal: I do like to travel, I do like to read books and listen to music, especially jazz.

And now a couple of words about Tufin. It's a great company and it's already 12 years old; our bar mitzvah is next year. We have a lot of customers, big customers, small customers, customers in every industry; for example AT&T, Visa and BMW are our customers. We are always growing: when I came to the company we took about one and a half floors in the building, now we take about four floors, and that's only in Israel. We also expand abroad; we recently opened an additional new main office in Boston. We are always looking for good people, and if you open the link you will see we are looking for people in R&D, sales, marketing, every area.

And now about OpenID Connect. Our customers have very strong demands in security. They have a lot of feature requests: for example they want password policy, they want brute force protection, they want authentication with servers, they want authentication with SAML. About one year ago we had a choice; we were required to select between the options of developing this in-house or adopting some product.
I recommended to adopt OpenID Connect, and you will see during this lecture why I recommended it and what we benefit from this protocol. This protocol is based on OAuth 2; it uses REST and JWT messages; it's a simple and extendable protocol. Maybe you visited the first lecture today, where Omer described one scenario in which he adopted OpenID Connect. In addition to Omer's company, many companies, many big vendors, adopt OpenID Connect. If you adopt OpenID Connect, you will be able to authenticate your application against these vendors: you will be able to authenticate against Google, against Microsoft, Yahoo, PayPal, and the list of companies that provide OpenID Connect is growing. Now, for example, you can find Symantec and other companies.

Okay, what components do we have in OpenID Connect? First of all the identity provider: this is the component that authenticates users. And the relying party: these are the companies that just want to use authentication with the identity provider. In our case, in the case of Tufin, the relying party was our product; it uses a web UI interface. In the case of your company, it may be some Android application.

Okay, here are our components: a relying party, an identity provider and a user. Let's start with the authentication flow. First of all, the user accesses a resource and the relying party redirects the request to the identity provider. The identity provider just provides the login page. Please understand that this is an example of form authentication. In the case of form authentication, the user will see a login page. In the case of other types of authentication, the user will not see a login page; for example with Kerberos it will be seamless authentication: the IDP will authenticate the user and the user will not see the login page. Let's continue our example: the user needs to provide credentials, the identity provider authenticates the user and redirects the request from the IDP back to the relying party. The RP accesses the IDP via the REST API and gets the user information.
The user information is also called the identity token; the identity token contains the username and additional user attributes. Okay, I presented to you the flow called the authorization flow. This flow is quite common to use. We use it in a traditional web application where we have a back channel from the RP to the IDP. There is an additional flow, the implicit flow, that I will not show. In that case the identity information about the user is provided with the last request to the RP. When can you use it? When we have an application that is, for example, only a JavaScript application: JavaScript cannot access the IDP via a back channel. Finally, the RP creates an authentication session, creates a user session, and the user can see the resource in the browser.

Okay, how many people know SAML? How many people know SAML? When I show these slides, do you feel that it's something that you know? Do you see the flow? Can you tell me what this flow is? It's the SP-initiated flow of SAML. It's exactly like the implicit flow of OpenID Connect. You see, we have a very similar flow. OpenID Connect uses a very similar flow, so why OpenID Connect and not SAML? Let's compare OpenID Connect to the other protocols. Okay, first of all, let's start from SAML. SAML is a very well-known and long-standing protocol. SAML 1 was introduced in 2002 and SAML 2, an additional version of SAML 1, was introduced in 2005. It has a high rate of adoption. We have requirements from many customers: we want SAML authentication. My enterprise customers use SAML, but it uses XML messages. OpenID Connect uses JSON REST messages. What's the benefit? The package size, the total package size used for the total authentication flow, is decreased. Also, if you want to develop single sign-on for multiple applications, you will not be able to do it with SAML, but you can with OpenID Connect. Once again, in the morning session, they used OpenID and not OpenID Connect; these are different protocols. OpenID is the first protocol designed by the OpenID Foundation.
You see that they even have very similar icons: OpenID, and here OpenID Connect. What's the difference? OpenID uses XML with some custom signatures. Okay, and OpenID Connect uses JWT. JWT is a standard and it allows you to create a variable application. Let's compare the last protocol. It's OAuth 2. Who thinks that OAuth 2 is an authentication protocol? Who thinks it's an authorization protocol? Great. OAuth 2 was developed as a protocol to give an application access to a resource. It's sometimes called pseudo-authentication, but it's only an authorization protocol. So we cannot use this protocol for authentication. On the other side, it's a good framework. It's a good protocol. You can use it. So you can take authentication, you can take identity, you can take OAuth 2, combine them together, and you have OpenID Connect. OpenID Connect uses OAuth 2 flows and scopes, and we have a good protocol for authentication.

Ladies and gentlemen, we finished our overview. Now you may ask the question: Michael, what's our next step? We want to adopt OpenID Connect. We want to deliver in the next sprint. What should we do? My answer will be simple. You need to select your relying party. Then you need to select your identity provider, and you complete your OpenID Connect adoption. Where can you take your relying party? Here you have a big list on the OpenID Connect site. The OpenID Foundation has a good process of certification and you can find certified relying party libraries in this list. It depends on your language, on your technology, on your application, on your client. For example, if your client uses PHP, you can use a PHP relying party. If your application runs behind Apache httpd, then you can use the relying party for Apache httpd. Identity provider: when you take and adopt a relying party in your application, you need to authenticate against some IDP. You can authenticate against an IDP, for example against a public IDP that I presented at the beginning of the lecture.
Also, you can take one of the IDPs provided in this list and use it. You can take Gluu Server, you can take MITREid Connect, you can take Keycloak. Now, at Tufin, we selected Keycloak. A couple of reasons. First of all, it's open source. Second, we needed an OEM solution. We wanted to move our authentication to some company and to stop developing our authentication ourselves. It is continuously and rapidly developed. Also, Red Hat supports Keycloak; Red Hat is a very good company and its commercial product Red Hat SSO is based on Keycloak. What's interesting, I will show it to you, is if we try to access any page on the Red Hat site that requires authentication. Finally, I will show you something interesting. It takes time. Do you see the icon? Did you see it today? It's the last lecture. It's tiny. It's up here, exactly here. It's the Keycloak logo. When they adopted Keycloak in Red Hat, they used it for single sign-on. They forgot to change the title icon. Please don't tell it to Red Hat. I will need to use it in my next presentation. So, don't tell it.

Let's continue. Keycloak IDP. The Keycloak IDP is based on WildFly. If you need to configure some feature like separate administration or clustering, you will do it in a similar way to WildFly. I will show now the Keycloak UI. I will not be able to show every feature, but I will show a couple of important features. Let's go. Password, you can record it. What do we have here? You have here the realm configuration. You can configure users here. You can add users. You can add groups and roles. Here you can see every authentication event. It's the audit trail of Keycloak internals: user login, user logout. Here you can configure identity providers. Keycloak can be bridged to an external identity provider. If you want your application to be authenticated against some OpenID Connect provider, just edit here. If you want to connect it against some other provider, you edit here.
If you take your applications, and once you adopt OpenID Connect and adopt it against Keycloak, it's like a bridge to any OpenID provider in the world. In addition, they already have built-in social identity providers like Stack Overflow. If you like Stack Overflow, you can authenticate your users against Stack Overflow. Back to the presentation. RP. They have a very long list of adapters. It's their name for RP. And if you select Keycloak, you can choose one of these adapters, one of the RPs. Just open this link. Once again, I need somehow to close the presentation. I will show in a couple of minutes the list of Java adapters, and you see Spring Boot, Spring Security, just flagging. I take, for example, Spring Security. Who knows Spring Security? Spring Security is also a great framework for Java. I enjoy using it. And I just take one example. It's called Spring Security Tutorial. Just a name. I downloaded it. I used the instructions and showed it before. This configuration file, I configured it. In Keycloak, I need to configure applications. They call it Client. They have built-in clients for daily Keycloak use, but I have added sample one and sample two. What's most important when I configure a client is the Client ID and Client Secret. The same Client ID and Client Secret appear here. This is the secret. And this is the Client ID. Now I have two Tomcats. I just configured them to run on different ports. And I specifically took two Tomcats to show that it's two separate applications without some hidden Tomcat SSO. Two separate applications. Now I will access the first application. I will always use a private window. Okay. Sample one. You see, now it's redirected to Keycloak. This is Tomcat, the first Tomcat. Second Tomcat. And this is the identity provider, Keycloak. And you see that it's redirected to the Keycloak URL. This is the same login page we saw before. Let's authenticate using the same user. You can see: authenticated.
I will close it and open the second application. Just, you will see that it is protected. Okay. I can access the two applications only after Keycloak has authenticated. Now I will add some user called D. Let's say O. I will set a password also. Okay. And now I access the first application. I will authenticate using O. And now I will open the second. People, what do you say? Single sign-on, written into the application. Okay.

Let's continue our journey. A couple of advanced Keycloak features. Does somebody not know what brute force protection is? Okay. Great. I just put it in the slide because I was happy to find something from OWASP. All previous links were not from OWASP. This link was from OWASP. And I just edited this slide to take it from OWASP. And what do we have in Keycloak? Keycloak has two kinds of brute force protection. One protection is against automated attacks and the second type of protection is against manual attacks. Okay. Maybe you will tell me that, wow, our customers require something in addition. Okay. But at least Keycloak provides some kind of brute force protection. Okay. You don't need to develop it. And I will show it to you. Once again, I need to close this view. I need to go to Keycloak. How can I do it? Very simple. I come here: brute force protection enabled. Two clicks and my application is protected against brute force attacks. Okay. To demo it to you, with your permission, I will change max login failures from 30 to 3. Otherwise it will be difficult to show it to you. Okay. I will use the same user U. Okay. Still possible. Wrong password. First, now I will try to use the correct password. This is the reason. Can you see it, by the way? Yes. Users, why? The user is temporarily disabled. Whether it's good from the security point of view that we don't show it to the user: authentication failed. I don't want to show to users that, oh, your account is temporarily disabled.
But I can, as administrator, go to users and unlock all users. An additional feature: password policy. What's a password policy? It's a set of requirements or rules. Users follow these rules and the application owner or administrator can ensure that the user's password is strong. I was not able to find any definition on the OWASP page, so I came up with my own. I hope it's clear what Keycloak can provide. Keycloak has very long support of policy types. You can define minimal digits. You can tell the password to contain two digits. You can tell that the password will expire in three days. I will show the link and then I will provide the real demo. These policies are possible: lower case character, special character, not username. A great feature. One additional feature, not frequently used: history. I know it from my company; I use a password policy for Windows, and I use my own technique, a counter with some numbers, because it's very difficult to remember it. But from the security point of view, it's very easy and very good. Let's see how I can do it. Once again, I go to the configuration. With your permission, I first will disable brute force protection. It's disabled with only one click. Now I want to configure the password policy. Surprise, the password policy. Let's define one digit. Let's define one upper case. For example, and what else? Minimum length, let's say three. By the way, 55. But then your users will kill you, but you can configure it easily. Three, three, save. Now what I will do: I will add an additional user, let's say Alice, and I will force the user to change her password when she logs in. Alice needs to provide a password. Alice doesn't know that she needs to provide a password with some policy. She will try one and one. At least one upper case. Let's try another case. Now I understand she needs three characters. What do I say? Also simple. And the last slide.
What have we learned from the lecture? If your business is not authentication, you can adopt, you are most welcome to adopt, OpenID Connect. It allows you to enforce a strong authentication scheme. It allows immediate support for advanced features like brute force protection, password policy and other features. It also will allow you to leverage additional IDP enhancements as a feature. You don't need to develop it. At this point I want to thank you for your time, for your patience, and you can contact me if you have any questions or you want to send a resume. Thank you.