Skip to content

zentralpro/JNUC2020_Slides_ExtraLinks

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 

Repository files navigation

Virtual JNUC2020 - slides and extra links

Welcome, here you'll find the slides and complementary info about our Jamf Nation User Conference 2020 talk.

"Jamf Connect and… Accelerate identity!"

Find the JNUC 2020 session on YouTube here

Virtual JNUC 2020 presentation (Session: JNUC326) - stream date: 2020-09-29 19:00 MESZ / 12:00 PM CDT:
  • See a Listing of all Jamf Nation User Conference 2020 sessionshere
  • Download our JNUC326 session slides here.

Virtual JNUC 2020 - Jamf Connect and… Accelerate identity!

Who are we ?

We are Zentral Pro Services - a consulting, research and development company. We help clients unleash the potential of their Apple devices in a business environment.

We also build Zentral opensource. We have created IDent as a custom solution to improve identity provisioning to enterprise needs in a distributed fleet of Macs.

Links


Related Topics

In this listing you can find some info that may help to get more in-depth with Jamf Connect, OpenID Connect and IDent topics.

Talks

Books

Tools

A brief overview to OpenID Connect

OpenID Connect is a layer build on top of the OAuth 2.0 protocol.

This section strives to give a concise overview to the OpenID Connect protocol in relation to Jamf Connect (all examples: Azure used as IdP).

OAuth 2.0

OAuth2 may be well-known to anyone who's used something like a "Sign in with Facebook/Google/LinkedIn/GitHub" process. The application a user will try to log in will use an outside provider (the identity provider) to attest a users identity instead of having the user insert a username and password with the application itself.

The interaction between the application and the outside provider proceeds with this kind of flow:

  1. A user visits an application.
  2. The application redirects the user to "Sign in with..." to press a button to sign in with an identity provider.
  3. The user logs into the identity provider (sign in happens with Facebook/Google/GitHub. etc.), which sends an authentication request. User is asked if it's ok to let the application view the user's profile, and perform some authorized actions on their behalf.
  4. If the user clicks Ok, the identity provider redirects the user back to the application with a temporary secret.
  5. The application redeems that temporary secret with the identity provider for a token that can be used to access the authorized operations.

In Jamf Connect as well as with IDent the "provider" in the OpenID Connect flow will redirect a client apps to attest for the end user's identity.

ID Token

The access token applications get from an OAuth 2.0 provider are opaque to the client and in fact will vary in the format returned depending on the identity provider used. The access token you receive from Facebook will be entirely different from the one you get from Google or GitHub. OpenID Connect's primary extension of OAuth 2.0 is an additional token returned in the token response referred to as the ID Token. This token is a JSON Web Token signed by the OpenID Connect server, with well known fields for user ID, name, upn, etc.

Here you can see an example response including an ID Token from an OpenID Connect session (example: drafted from Azure):

{
  "access_token": "5H0yN0QQ2VBgkRTyf7HlsW-sFX1nAjR4YOTj2s5Vuz85_SYbA3y3qAaYAtKgFZZqiSa75u62M2jk_VhJORK3Gx8gCElsW3SrpO-<REMOVED_FOR_CLARITY>-cSHmtN50CxNVT066Q1DbM5AMrc8Nw1yl07lSFucuspQRcCXJQ2",
  "expires_in": "3599",
  "expires_on": "1601303638",
  "ext_expires_in": "3599",
  "id_token": "aznCND9ct6zu8kVkXiSJB1SB<REMOVED_FOR_CLARITY>E3rlFJC.Hzgajt8QkmlK6ugGUXXSKg50v7jzfylwqR<REMOVED_FOR_CLARITY>uSN.2J0N3<REMOVED_FOR_CLARITY>fCR_Slam",
  "id_token_decoded": {
    "amr": ["pwd", "mfa"],
    "aud": "5905dcf2-2873-4dfb-87fc-c8165db8cf4c",
    "exp": 1601303638,
    "family_name": "Appleseed",
    "given_name": "John",
    "groups": [
      "67610c8b-e288-4d6d-a0fb-564808aaff79",
      "490b6910-dacd-4c20-993c-d187c12bedab",
      "f89f9a56-8d12-4dd8-8a99-0ba727c8c737",
      "3c2ec84e-22c5-42d6-8ef3-0f820f871d20"
    ],
    "iat": 1601299738,
    "ipaddr": "92.158.165.xxx",
    "iss": "https://sts.windows.net/8f27e724-0190-11eb-adc1-0242ac120002/",
    "name": "John Appleseed",
    "nbf": 1601299738,
    "oid": "eedaa16a-e721-42ce-8696-bf77ec704104",
    "rh": "0.AAAA3qnqydQIXE-lm_nn_sp7ur4kIi9T6uVBin0vrwZHfXs5AIg.",
    "sub": "XU4WmgjxUh6ptVcvmYugjXyy40bUVcTNHJaX0FIoZs2kw6KdPC",
    "tid": "8f27e724-0190-11eb-adc1-0242ac120002",
    "unique_name": "jappleseed@example.com",
    "email": "jappleseed@example.com",
    "uti": "XCD7-2kvGVSgM9qqt6cDS",
    "ver": "1.0",
    "wids": [
      "cc91b6f4-a01d-43b2-8110-3553431a047d",
      "2e65f4bd-a220-4864-abaf-c9efa28e8b5c"
    ]
  },
  "id_token_header_decoded": {
    "alg": "RS256",
    "kid": "9MEFkLjLaBCsF3uawZUZqoCnaT",
    "typ": "JWT",
    "x5t": "9MEFkLjLaBCsF3uawZUZqoCnaT"
  },
  "refresh_token": "0.AAAA3qnqydQIXE-lm_nn_sp7ur4kIi9T6uVBin0vrwZHfXs5AIg.8E815jQ7ZyDPYkBOKNUgi-HOxBVD4S5JDe9-<REMOVED_FOR_CLARITY>-s9CaeJi4ZkeDA6WSbBiTD9jxMIL8eIBzKTjkgvU5CL6iorHHon",
  "token_type": "Bearer",
  "userinfo": {
    "amr": "[\"pwd\",\"mfa\"]",
    "family_name": "Appleseed",
    "given_name": "John",
    "groups": [
      "[\"67610c8b-e288-4d6d-a0fb-564808aaff79\",\"490b6910-dacd-4c20-993c-d187c12bedab\",\"f89f9a56-8d12-4dd8-8a99-0ba727c8c737\",\"3c2ec84e-22c5-42d6-8ef3-0f820f871d20\"]"
    ],
    "ipaddr": "92.158.165.xxx",
    "name": "John Appleseed",
    "oid": "eedaa16a-e721-42ce-8696-bf77ec704104",
    "rh": "0.AAAA3qnqydQIXE-lm_nn_sp7ur4kIi9T6uVBin0vrwZHfXs5AIg.",
    "sub": "XU4WmgjxUh6ptVcvmYugjXyy40bUVcTNHJaX0FIoZs2kw6KdPC",
    "tid": "aa2aee83-f8d2-4659-9f9e-a8af4723b52d",
    "unique_name": "jappleseed@example.com",
    "email": "jappleseed@example.com",
    "uti": "fXRchA91c0Ga8n1RUH6CAA",
    "ver": "1.0",
    "wids": "[\"cc91b6f4-a01d-43b2-8110-3553431a047d\",\"2e65f4bd-a220-4864-abaf-c9efa28e8b5c\"]"
  }
}

In the ID Token payload claims we can find some fields of interest:

Claim Short Description
sub Token's subject (sub) A unique ID, the principal information which the token asserts, i.e. the end user of an app
iss Server that issued this token (iss) Identifies the security token service (STS) that constructs and returns the token, i.e. the Azure AD tenant in which the user authenticated
aud Token's audience (aud) The Application ID, the intended recipient the request was issued for
unique_name Token's subject user (unique_name) Provides a human readable value that identifies the subject of the token.
email Token's user mail address (email) Token details for the email OpenID Connect in scope.

Some more detailed descriptions (from Azure) can be seen here:

Discovery URL

OpenID Connect servers have a discovery mechanism for OAuth 2.0 endpoints, this present the claims supported, and gives indications of other OpenID Connect features used.

The Discovery URL details may look as outlined in this example: https://login.microsoftonline.com/5905dcf2-2873-4dfb-87fc-c8165db8cf4c/v2.0/.well-known/openid-configuration

{
  "token_endpoint": "https://login.microsoftonline.com/5905dcf2-2873-4dfb-87fc-c8165db8cf4c/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "client_secret_basic"
  ],
  "jwks_uri": "https://login.microsoftonline.com/5905dcf2-2873-4dfb-87fc-c8165db8cf4c/discovery/v2.0/keys",
  "response_modes_supported": ["query", "fragment", "form_post"],
  "subject_types_supported": ["pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "id_token token"
  ],
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "issuer": "https://login.microsoftonline.com/5905dcf2-2873-4dfb-87fc-c8165db8cf4c/v2.0",
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "authorization_endpoint": "https://login.microsoftonline.com/5905dcf2-2873-4dfb-87fc-c8165db8cf4c/oauth2/v2.0/authorize",
  "device_authorization_endpoint": "https://login.microsoftonline.com/5905dcf2-2873-4dfb-87fc-c8165db8cf4c/oauth2/v2.0/devicecode",
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.microsoftonline.com/5905dcf2-2873-4dfb-87fc-c8165db8cf4c/oauth2/v2.0/logout",
  "claims_supported": [
    "sub",
    "iss",
    "cloud_instance_name",
    "cloud_instance_host_name",
    "cloud_graph_host_name",
    "msgraph_host",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "nonce",
    "preferred_username",
    "name",
    "tid",
    "ver",
    "at_hash",
    "c_hash",
    "email"
  ],
  "tenant_region_scope": "EU",
  "cloud_instance_name": "microsoftonline.com",
  "cloud_graph_host_name": "graph.windows.net",
  "msgraph_host": "graph.microsoft.com",
  "rbac_url": "https://pas.windows.net"
}

Some more detailed descriptions:

Public Keys

A set of public keys to verify the signatures is provided as well:

The Key URL details will looks as displayed in this example:

https://login.microsoftonline.com/5905dcf2-2873-4dfb-87fc-c8165db8cf4c/discovery/v2.0/keys

{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "9MEFkLjLaBCsF3uawZUZqoCnaT",
      "x5t": "9MEFkLjLaBCsF3uawZUZqoCnaT",
      "n": "2YX-YDuuTzPiaiZKt04IuUzAjCjPLLmBCVA6npKuZyIouMuaSEuM7BP8QctfCprUY16Rq2-KDrAEvaaKJvsD5ZONddt79yFdCs1E8wKlYIPO74fSpePdVDizflr5W-QCFH9tokbZrHBBuluFojgtbvPMXAhHfZTGC4ItZ0i_Lc9eXwtENHJQC4e4m7olweK1ExM-OzsKGzDlOsOUOU5pN2sHY74nXPqQRH1dQKfB0NT0YrfkbnR8fiq8z-soixfECUXkF8FzWnMnqL6X90wngnuIi8OtH2mvDcnsvUVh3K2JgvSgjRWZbsDx6G-mVQL2vEuHXMXoIoe8hd1ZpV16pQ",
      "e": "AQAB",
      "x5c": [
        "MIIDBTCCAe2gAwIBAgIQUUG7iptQUoVA7bYvX2tHlDANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTIwMDcxODAwMDAwMFoXDTI1MDcxODAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANmF/mA7rk8z4momSrdOCLlMwIwozyy5gQlQOp6SrmciKLjLmkhLjOwT/EHLXwqa1GNekatvig6wBL2miib7A+WTjXXbe/chXQrNRPMCpWCDzu+H0qXj3VQ4s35a+VvkAhR/baJG2axwQbpbhaI4LW7zzFwIR32UxguCLWdIvy3PXl8LRDRyUAuHuJu6JcHitRMTPjs7Chsw5TrDlDlOaTdrB2O+J1z6kER9XUCnwdDU9GK35G50fH4qvM/rKIsXxAlF5BfBc1pzJ6i+l/dMJ4J7iIvDrR9prw3J7L1FYdytiYL0oI0VmW7A8ehvplUC9rxLh1zF6CKHvIXdWaVdeqUCAwEAAaMhMB8wHQYDVR0OBBYEFFOUEOWLUJOTFTOlr7P+6GxsmM90MA0GCSqGSIb3DQEBCwUAA4IBAQCP+LLZw7SSYnWQmRGWHmksBwwJ4Gy32C6g7+wZZv3ombHW9mwLQuzsir97/PP042i/ZIxePHJavpeLm/z3KMSpGIPmiPtmgNcK4HtLTEDnoTprnllobOAqU0TREFWogjkockNo98AvpsmHxNMXuwDikto9o/d9ACBtpkpatS2xgVOZxZtqyMpwZzSJARD5A4qcKov4zdqntVyjpZGK4N6ZaedRbEVd12m1VI+dtDB9+EJRqtTn8zamPYljVTEPNCbDAFgKBDtrhwBnrrrnKTq4/LEOouNQZuUucBTMOGDn4FEejNh3qbxNdWR6tSZbXUnJ+NIQ99IqZMvvMqm9ndL7"
      ],
      "issuer": "https://login.microsoftonline.com/5905dcf2-2873-4dfb-87fc-c8165db8cf4c/v2.0"
    }
  ]
}

About

Slides for Jamf Nation User Conference 2020 - session JNUC326

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published