Mar 1, 2022

10 things around Decentralized Identity today

Hi there,


I've been involved in decentralized identity space for about 5 years now. I've played with uPort, Azure Active Directory Verifiable Credentials, Mattr, etc. and recently I've launched several PoC projects and won a prize at the Decentralized Identity Hackathon hosted by Microsoft.


I'd like to have another chance to talk about this at conferences, so I'm just writing as I think. (Needless to say, this is completely my opinion and has nothing to do with the various organizations and businesses I am involved with.)


  1. Still surprisingly misunderstood, it is not a decentralized "identity".
    • DIDs are Decentralized "Identifiers", not Decentralized "Identities".
    • This is because Identity = Set of attributes (ISO/IEC 24760-1 2019), so if we are talking about decentralized "identity", the distributed claims spec in OpenID Connect is much more decentralized.
    • So what has been decentralized? Identifier and metadata are deployed on a distributed ledger (this is not specifically defined as a blockchain, and there are DIDs that are not distributed at all), which reduces the dependency on a single entity. In addition, it reduces the need to worry about availability and so on, although relatively speaking.
    • In other words, W3C defines Decentralized "Identifiers", and the only thing it decides is how to write identifiers and metadata (DID Document).
  2. Is Self-Sovereign Identity an Illusion?
    • What is sovereignty over data in the first place? As I mentioned earlier, it is unclear whether the word "Decentralized" means literally decentralized or distributed, or decentralized, and what is "self-sovereign"? Still no clear answer.
    • By publishing a metadata (DID Document) that includes an identifier and a public key for signature verification in a public/permission-less distributed ledger, it would be difficult for a specific entity to control the digital life or death of that entity. I understand what you are trying to say, but does it really lead to "self sovereign"?
    • The other thing is the portability of Verifiable Credentials. As I will discuss later, it is certainly possible to reduce the strength of binding between the IdP and the RP by using DIDs well, and as a result, it is possible to store Verifiable Credentials in software that runs on smartphones, etc., called a "Wallet", and individuals can carry it with them. In this sense, it is possible for individuals to feel they are able to control their identities by themselves.
    • In the end, the only thing I can say is that a self-sovereign identity is an idea and should be considered separately from technology. Indeed, given the current federation, Verifiable Credentials signed by DIDs and associated keys, which are relatively linked to distributed ledgers, make me feel that I can escape from the "control" of the business entities.
    • By the way, this may be the most important point, but I think we should not overlook the fact that it is virtually impossible to carry (move) DIDs and signed VCs across methods as long as DIDs are in the form of "did:method name:unique identifier".
  3. Is Verifiable Credentials the real deal?
    • As described in the white paper by the Trusted Web Promotion Council of the Japanese Cabinet Secretariat, which I am helping a little this year, the trend from implicit trust to explicit trust based on verification will be the key to DX. The key phrase "Don't trust, Verify" says it all.
    • However, what needs to be resolved here is the difference between digital signatures on SAML and OpenID Connect Assertions. There is certainly something new in the use of Verifiable Credentials for vaccine certification in COVID-19, but the reality is that it is just JSON that has been digitally self-signed by the Digital Agency Japan, so in terms of tamper resistance, it is no different from SAML Assertions or OpenID Connect id_token. (Of course, I think this is a very important approach in terms of using FHIR's standardized Schema as a payload, and in terms of interoperation at the application layer.)
    • So, what is the point of combining VCs with DIDs? As a matter of fact, I cannot say there is no advantage. What I mean by that is, compared to the case where the public key for signature verification is published by jwks_uri, etc., there are advantages such as the following cases;
      • The operator does not have to think so much about the availability of the IdP (even if the IdP is down, if the DID Document is published on the distributed ledger, the controllability is reduced but the relative availability is often improved).
      • Even if the IdP is shut down, users will be able to prove the authenticity of their signed credentials.
    • However, there is a common story of compromise of signature algorithms, so it is not clear that the signature of Verifiable Credentials can be trusted forever just because the public key is stored in a distributed ledger (where the availability is relatively less affected by the convenience of a single operator). In actual operation, it is likely to be necessary to reissue VCs at least once every few years. In that case, the logic that VCs are superior in terms of business continuity of IdPs is very limited (i.e., at least at the level of being able to prove their credentials for a few years even if the IdP goes out of business), and it is not likely to be a silver bullet against neglect by the IdPs of the state, which is discussed in the context of so-called social inclusion.
  4. Trust in VC issuers is a difficult issue
    • When issuing a VC, the issuer signs it with a private key associated with his or her DID, so who is the DID? Can it be trusted? This is an important point.
    • However, I'm sure I'm not the only one who feels that keywords like "distributed" and "decentralized" are vain when they depend on something outside the DID/VC model.
    • And, in the end, the most suspicious thing is the reliability of Resolver to lookup DID Document from DID. Of course, open implementations, including Universal Resolver, can be trusted to a certain extent in terms of transparency, but in the end, we can only "trust" the integrity of the implementer of the driver and the business running the actual instance.
  5. No matter how verifiable they are, they are not always trusted.
    • In the first place, Trust Framework is not something that can be closed in the IT world.
    • In fact, no matter how much you say that a digitally signed data set is tamper-proof, humans are heuristic creatures, and they trust others better when being presented with a "physical ID card made of paper or plastic that you have seen before" in person.
    • This is the essence of DX, it is good to define the stages of Digitization to Digitalization, but in reality, I think there is a big gap between Digitization and Digitalization. We all love PDF and Excel, and we are at the stage where we think we can continue our business if we return to paper as a last resort, so I don't think we can move forward to the Digitalization stage where paper is not a prerequisite.
    • In this sense, our biggest mission may be to find a use case that can fully utilize the characteristics of Verifiable as soon as possible. The Trusted Web Promotion Council, which I mentioned earlier, is expected to play a major role in this area.
  6. They are not suitable for KYC, or identification and identity verification
    • In the end, the essence of Identity Proofing is what NIST SP800-63A calls,
      • Resolution
      • Validation
      • Verification
    • NIST SP800-63A states that the essence of identity proofing consists of the following steps: Resolution, Validation, and Verification. However, if you think about it carefully, the essence of validation is an inquiry to the authority (this is also reflected in the word "reference" in the identity proofing), so it is not enough to prove that the evidence has not been tampered with.
    • It is true that the revoke specification (Status List 2021) is becoming more standardized, so it will be possible to confirm validity, but it does not guarantee the reliability of the KYC process at the issuer of the Evidence, and the reliability of the Authority is more important than the tamper-resistance of the Evidence itself.
    • Also, verification (confirming the identity of the entity listed in the Evidence and the entity with the Evidence) is not possible.
    • If this is the case, it would be more realistic to use it as a proof of qualification, as OpenBadge is doing, rather than for identity verification.
  7. In the end, the biggest advantage is that it is possible to reduce the degree of binding between the IdP and the RP.
    • In this case, why not OpenBadge? However, considering that most of the current OpenBadge is not Signed but Hosted (which verifies authenticity and validity by querying the Issuer), there is a certain advantage in terms of the degree of binding between systems (at least until the Signed type becomes popular).
    • In other words, in the end, the best way to use it is to reduce the degree of coupling between systems (between OP and RP).
    • In fact, when we were discussing the use cases at IIW last year, I mentioned that it might be possible to reduce the management burden (licensing, infrastructure sizing, availability) of the university's ID infrastructure. It seems to have resonated the most with the audience. (At least my friend Vittorio)
  8. What is the actual state of standardization?
    • It still looks like chaos, with DIDcomm being pushed by the Hyperledger folks at the Decentralized Identity Foundation and Trust over IP Foundation, and SIOPv2 and OIDC4VP at the OpenID Foundation.
    • In the first place, whether to use JSON-LD or JSON for VC is also a point of endless debate.
    • In the midst of this, various vendors are starting up as businesses, implementing specifications at a delicate stage and releasing sample code, so developers around the world are copying them, creating an even more chaotic situation, and a world of "what is standardization?"
  9. Are Zero-Knowledge Proof (ZKP) and Selective Disclosure the real deal?
    • Zero-knowledge proofs have been studied for a long time, such as uProve (acquired by MS) and IBM's IdeMix, but they are still far from practical use. (Come to think of it, I miss the time when I was testing the Private Preview of Windows Identity Foundation with uProve's test implementation more than 10 years ago.)
    • ZKP and Selective Disclosure are often confused, but in the end what is needed is Selective Disclosure. The BBS+ is doing a good job in this area, but there are still some issues (e.g., limited scope of hiding).
    • It is often said that it is not possible in the physical world, but it would be nice if it could be done in the digital world. There are expectations for the maturity and implementation of technology in this area to deal with the problem that if you show your driver's license to check your age when entering a bar, the guard will know information other than your age. However, is it really problematic if the guard could know your name in addition to your age? So, I think we need to discuss the use cases more.
  10. In the end, has it solved any of the world's problems?
    • Problems that are often mentioned are,
      • Privacy
      • Verifiability
    • However, looking at the above, I can't say that it has solved that problem.
    • Rather, as I mentioned above, the biggest advantage is the reduction of administrative and infrastructure costs by reducing the degree of binding between OP and RP.


However, I believe that this technology is very interesting and has the potential to change the world, so I will continue to study it.

Jun 8, 2019

Enable Sign In with Apple on Azure AD B2C (without custom policy)

Hi, there.

Recently Apple revealed 'Sign In with Apple' at WWDC'19, and in this article I'm going to explain how to configure this new capability with Azure Active Directory B2C. Of course you can configure this using the Identity Experience Framework (Custom Policy), but this time I use the built-in OpenID Connect IdP configuration (Public Preview).


First of all, let me show you video of how this works.

Pre-requirements


  • Apple Developer Account(need to subscribe for at least one year!)
  • Azure Active Directory B2C tenant
  • Azure WebApps or some web hosting service to upload metadata

Configure client on Apple Developer console

Actually, 'Sign In with Apple' uses an OAuth/OpenID Connect-like mechanism (it does not seem to be exactly compliant with these protocols). So if you are familiar with these protocols, it is not difficult to implement this scenario.

You can create an OAuth/OIDC client on the Apple Developer console by following the Okta developer blog. This is a really great post!!
https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple

The configuration steps are as follows:
  1. Register App Id with Sign In with Apple capability
  2. Register Services Id. -> this Id will be used as client_id
    • Verify domain ownership
    • Configure redirect uri
  3. Register Key for Sign In with Apple
  4. Download the registered key and convert it to JWT format. -> this key will be used as client_secret

Configure Identity Provider on Azure AD B2C

Before configuring the Identity Provider on Azure AD B2C, you have to create a discovery document (metadata) for Apple Id, because Apple does not publish the document anywhere on the web so far.

I used Azure WebApps to publish the metadata, but you can use any web service to expose it.
The built-in OIDC IdP configuration of Azure AD B2C requires
  • Issuer
  • Authorization Endpoint
  • Token Endpoint
  • Jwks Endpoint
in the metadata, and the metadata uri must end with /.well-known/openid-configuration.

This is my metadata.
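The author's metadata file is not reproduced on this page. The following is an added example, not the author's file: a Python pre-flight check for a self-hosted discovery document, run here against a document built from Apple's Sign In with Apple endpoints. The hosting URL `metadata.example.net` and the function names are assumptions. Because you host this file yourself, whoever can change it decides which `jwks_uri` Azure AD B2C trusts for token signatures, so the check also flags endpoints that leave the issuer's host.

```python
import json
from urllib.parse import urlparse

# The four fields the post lists, under their OpenID Connect Discovery names.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Hand-written discovery document wrapping Apple's Sign In with Apple endpoints.
APPLE_METADATA = {
    "issuer": "https://appleid.apple.com",
    "authorization_endpoint": "https://appleid.apple.com/auth/authorize",
    "token_endpoint": "https://appleid.apple.com/auth/token",
    "jwks_uri": "https://appleid.apple.com/auth/keys",
}


def _https_host(value):
    """Return the lower-cased host of an absolute https URL, else None."""
    if not isinstance(value, str):
        return None
    parsed = urlparse(value)
    if parsed.scheme != "https" or not parsed.netloc:
        return None
    return parsed.netloc.lower()


def check_metadata(metadata_uri, document_text):
    """Return a list of problems; an empty list means the document passes."""
    problems = []
    if _https_host(metadata_uri) is None:
        problems.append("metadata URI must be an absolute https URL")
    if not urlparse(metadata_uri).path.endswith(WELL_KNOWN_SUFFIX):
        problems.append("metadata URI must end with " + WELL_KNOWN_SUFFIX)

    try:
        doc = json.loads(document_text)
    except json.JSONDecodeError:
        return problems + ["metadata is not valid JSON"]
    if not isinstance(doc, dict):
        return problems + ["metadata must be a JSON object"]

    hosts = {}
    for field in REQUIRED:
        if field not in doc:
            problems.append(f"missing field: {field}")
            continue
        hosts[field] = _https_host(doc[field])
        if hosts[field] is None:
            problems.append(f"{field} must be an absolute https URL")

    # The signing keys and token endpoint should stay on the issuer's host.
    issuer_host = hosts.get("issuer")
    for field in REQUIRED[1:]:
        host = hosts.get(field)
        if issuer_host and host and host != issuer_host:
            problems.append(
                f"{field} host {host} differs from issuer host {issuer_host}")
    return problems


if __name__ == "__main__":
    # Assumed hosting location for the metadata file (placeholder domain).
    uri = "https://metadata.example.net/apple/.well-known/openid-configuration"
    print(json.dumps(APPLE_METADATA, indent=2))
    print(check_metadata(uri, json.dumps(APPLE_METADATA)) or "OK")
```
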

Now you can configure the built-in policy on Azure AD B2C console.

Add new Identity Provider.

Choose OpenID Connect(preview) for Identity provider type.


Set metadata uri, client_id, client_secret values.


Map claim type 'sub' for mandatory attributes. Actually Apple does not return name or email values on id_token.

Configure User Flow(policies) using the IdP

The last step on the Azure AD B2C console is the User Flow configuration, as usual. This time I created a Sign In and Sign Up (v2) policy using the Apple IdP which I configured in the previous step.

Configure the attribute flow for the application.


Now all of the configuration is done!

You can use the new policy for any applications registered on Azure AD B2C!

Apr 4, 2017

[Updated]Unintended access rights are granted by sharing contents on OneDrive for Business

In the last article I posted, I drew the attention of Office365 administrators to the fact that by enabling external sharing, unintended access rights are granted to guest users.

Recently, the Microsoft team added new capabilities on Azure Portal to restrict access to directory configuration by guest users and non-admin users.

With this new capability, administrators are no longer required to use conditional access, which requires an Azure AD Premium P1 license, to deny guest users access to directory configuration, as I wrote in the last article.

You can use this capability with following instructions.

1. Restrict guest access to directory configuration

To restrict guest access to directory configuration, administrators are required to set the 'Guest users permissions are restricted' option to 'Yes'. *Normally no action is needed because the default value for this option is 'Yes'.

After enabling this option, guest users cannot access directory configuration.

*Note) This option is only for prohibiting access to directory configuration, so guest users are still able to access Azure Portal itself.


2. Restrict non-admin access to directory configuration

The second option prohibits non-admin access to directory configuration.

On the same menu on the Azure AD configuration page, there is another new option named 'Restrict access to Azure AD administration portal'.

By enabling this option, non-admin users are prohibited from accessing the Azure AD administration portal, so they cannot see directory configuration any more.
*Note) The default value for this option is 'No', so if you want to restrict access by non-admin users, you have to set this option to 'Yes' explicitly.

Safe enough?

By enabling these options, administrators can prevent unintended access to directory configuration. But guest users and non-admin users are still able to access the access panel, https://myapps.microsoft.com, and can see the icons of applications which are assigned to the 'All Users' group. So admins still have to take care when creating applications on Azure AD, assigning them to a specific group which does not include guest users instead of the 'All Users' group, as I wrote in the last article.

Cheers,
Naohiro

Jan 16, 2017

Unintended access rights are granted by sharing contents on OneDrive for Business

#This entry was originally written in Japanese here.
#Updated on 2017/04/04. You can see the updated article here.

In some cases, when an organization is willing to share contents on OneDrive for Business or a SharePoint Online team site, there is a security risk that unnecessary access rights are granted to guest users without the administrators' awareness.

I'm reporting this problem to the Azure AD team of Microsoft Corporation and requesting a fix as soon as possible, but so far no changes have been made, and it is strongly recommended that administrators check their own environment and change some configuration to avoid this issue.

Overview of the problem

Guest users who were invited to an Office365 tenant by sharing contents on OneDrive for Business or on a SharePoint Online team site are unintentionally able to access the following information in addition to the contents which were shared:

  • Applications which are connected to Azure AD and granted to 'All Users' group through Access Panel.
  • Directory configuration on Azure AD through Azure Portal.

And neither administrators nor the users who invite guests are aware of this, because no document describes it so far.

This happens whether the invited user is an organization account or a Microsoft Account.

What happens when inviting a guest

They say 'Seeing is believing' in Japan, and I guess watching a movie is the fastest way to understand what happens.


Directory "eIdentity" : Inviting party
- using Office365
- "test001@ems.adfs20.net" shares a folder on OneDrive for Business to an external user "test001@gapps21.adfs20.net".
- on this directory, there is an application called "ts2016" assigned to the "All Users" group.

Directory "InternetWeek" : Guest party
- not using Office365 but using Azure AD
- a user called "test001@gapps21.adfs20.net" belongs to this directory.



By sharing a folder on OneDrive for Business, the guest user is able to access "ts2016" application and is able to see domain list on eIdentity directory.



Obtain domain lists on eIdentity directory by the guest. (sorry for Japanese screen shot)


Access applications on eIdentity directory by the guest.


No administrator wished to share this information or to grant access rights to applications; they only wished to share contents.

This behavior will be a big problem in some cases.

What's happening in background

When a user who was invited accepts the invitation, the invited user is registered as a guest user on Azure AD of inviting party. This behavior is the same as behavior of Azure AD B2B inviting and this happens because Office365 invitation is using this capability internally.

And a guest user is able to
1. sign in on the directory(authentication)
2. access to own profile on the directory
and
3. access to directory configuration(at least domain lists)
4. access to applications to which "All Users" is assigned, because the user is automatically added to the "All Users" group.

The root causes are 3 and 4 above, and Microsoft should change the default access rights of guest users so that unnecessary resources are not allowed.

What administrators should do to avoid this problem

To avoid this problem, administrators should do at least the following things.
* Most of these operations require an Azure AD Premium licence.

1. Check existence of guest users on the directory

With Azure Active Directory PowerShell, admins can check for the existence of guest users on the directory with the following command (-All returns every user rather than only the first page of results). It is strongly recommended to check regularly.
Get-MsolUser -All | Where-Object { $_.UserType -eq 'Guest' }



2. Create a security group which includes only members (not guest users) as an alternative to "All Users"

Create a security group with dynamic membership and set the membership condition to "userType=Member". By using this group, admins can assign or grant rights to only the original members of the directory.


Admins can also create a security group which includes only guest users with the same operation (the membership rule should be "userType=Guest").


3. Change application assignment from All Users to All Members group

Assigning the "All Users" group to applications is very easy, but now admins should change the assignment to "All Members".

With this change, guest users no longer see applications on the Access Panel (https://myapps.microsoft.com).

(before the change assignment)

(after the change assignment)



4. Authorize users on applications

Security issues are finally solved not only with authentication but with authorization in the application itself. So it is very important to configure authorization properly in applications.

For example, the application "ts2016" in the movie was configured to be accessible with authentication only, so guest users can access it very easily. Admins should configure applications so that guest users are not permitted to access important data in them.

5. Prohibit guest users from accessing Azure Portal

Be careful while configuring this policy. A wrong configuration may cause a very big problem, such as no users, including admins, being able to access Azure Portal.

You can prohibit access to Azure Portal by guest users with a conditional access policy on Windows Azure Service Management API.

Create this access policy and enable it to prohibit access to Azure Portal.
- Users and groups : All Guests(group includes only guest users)
- Cloud apps : Windows Azure Service Management API (Updated on 2017/04)Microsoft Azure Subscription Management
- Grant : Block access
- Enable policy : On






By enabling this policy, guest users' access to Azure Portal is blocked.

Change directory,

the access is blocked.

What's next

This behavior is not treated as a bug and I guess it will take a while to change the behavior. (I'm not sure whether they will fix this or not.) So admins should manage their own directory properly by checking guest access and configuring applications properly.

If any changes are made by Microsoft, I'll update this entry. Stay tuned!

Cheers,
Naohiro

Jan 5, 2017

Three things you should know about SAML

When you are planning to configure single sign-on for some applications with Azure AD, first of all you have to ask the application team whether the target application can "speak" a federation protocol such as SAML or OpenID Connect. Of course ws-federation is also a good protocol, as you know :)

Today, I will explain the top three things you should know at least when you choose the SAML protocol to federate some applications with Azure AD.

1. Entity id and endpoints

To enable SSO, both the identity provider (IdP), like Azure AD, and the service provider (SP, i.e. the application), like Google Apps, are required to know each other. The "entity id" is the identifier of each entity (IdP and SP): the IdP has to know the SP's entity id to specify the SSO target application, and the SP has to know the IdP's entity id to specify where the user was authenticated.

It is often misunderstood, but an entity id is not required to be in uri format, so it is not required to be reachable on the internet. For example, G Suite (a.k.a. Google Apps)'s entity id is "google.com/a/domainname", not "https://google.com/a/domainname".

The IdP and SP also have to know the endpoint addresses used to contact the other party. Several endpoints are used to complete the SSO process, and you should know at least the following two endpoints.

| party | endpoint type | description | sample value |
|---|---|---|---|
| IdP | SingleSignOnService | endpoint to send authentication request from SP | https://login.windows.net/{tenant id}/saml2 |
| SP | AssertionConsumerService | endpoint to send authentication result(SAML assertion) from IdP | https://www.google.com/a/{domain name}/acs |


figure 1. SSO setting on Azure AD(IdP)

figure 2. SSO setting on G Suite(SP) * In case of G Suite, IdP's entity id is not required.


2. Certificate for token signing

To finish the SSO process, the user-agent (i.e. Web browser) has to POST identity information (SAML Assertion) including the authentication result to the SP's assertion consumer service endpoint. To avoid identity spoofing, the SP verifies the SAML Assertion received from the IdP. To verify the assertion, the SP uses the public key certificate which is paired with the private key the IdP uses to sign the SAML Assertion.

Usually, while configuring SSO on the IdP side, you can create and download the token (i.e. SAML Assertion) signing certificate and upload the certificate to the SP.

figure 3. Create and download signing certificate from Azure AD(IdP).

figure 4. Upload token signing certificate to G Suite(SP).


3. name id and attributes

"Identity federation" means "to link users between IdP and SP", so to complete the SSO process, it is required to determine how to link users between both parties. Usually the name id element's value in the SAML Assertion is used to link users. For example, G Suite requires that the name id value in the SAML Assertion matches the email address of the user to be signed in.

In case the identifier in the IdP does not match the SP's identifier, you have to put the SP's identifier value in some attribute of the user in the IdP. For example, if the identifier of G Suite is user@example.com and the identifier (userPrincipalName) of Azure AD is user@example.net, the administrator has to put the value "user@example.com" in the mail attribute of user@example.net on Azure AD.

figure 5. Attribute mapping for name id.


Conclusion

SAML is a very popular protocol to enable SSO, especially for enterprise applications. But there are some tricks to configuring it successfully and to troubleshooting. In fact, someone said that 99% of failures while configuring SAML SSO are caused by typos in the entity id or endpoints, e.g. a missing last '/' of the entity id causes a connection problem. So it is important to know the basic structures and components of the SAML protocol to configure SSO successfully.
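The entity id and endpoint typos described above can be caught before the first failed sign-in. The following is an added example, not part of the original post: a Python check that compares the values typed into the IdP against the SP's metadata and names the kind of near-miss. The metadata is constructed for illustration, `example.com` is a placeholder domain, and the function and key names are assumptions.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata (not real G Suite output); parse only trusted files.
SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="google.com/a/example.com">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.com/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def read_sp_metadata(xml_text):
    """Extract the SP entity id and its HTTP-POST ACS URLs from metadata."""
    root = ET.fromstring(xml_text)
    acs = [el.get("Location")
           for el in root.iter(MD + "AssertionConsumerService")
           if el.get("Binding") == POST_BINDING]
    return {"entity_id": root.get("entityID"), "acs_urls": acs}


def _strip_scheme(value):
    for prefix in ("https://", "http://"):
        if value.lower().startswith(prefix):
            return value[len(prefix):]
    return value


def explain_mismatch(configured, expected):
    """Return None on an exact match, else the most likely kind of typo."""
    if configured == expected:
        return None
    if configured != configured.strip():
        return "leading or trailing whitespace"
    if configured.rstrip("/") == expected.rstrip("/"):
        return "trailing '/' differs"
    if configured.lower() == expected.lower():
        return "letter case differs"
    if _strip_scheme(configured) == _strip_scheme(expected):
        return "scheme prefix differs"
    return "different value"


def check_idp_config(idp_config, sp_metadata_xml):
    """Compare IdP-side settings with SP metadata; return (setting, reason)."""
    sp = read_sp_metadata(sp_metadata_xml)
    findings = []
    reason = explain_mismatch(idp_config["sp_entity_id"], sp["entity_id"])
    if reason:
        findings.append(("sp_entity_id", reason))
    if idp_config["acs_url"] not in sp["acs_urls"]:
        reasons = [explain_mismatch(idp_config["acs_url"], url)
                   for url in sp["acs_urls"]]
        specific = [r for r in reasons if r != "different value"]
        findings.append(
            ("acs_url", specific[0] if specific else "not listed in SP metadata"))
    return findings


if __name__ == "__main__":
    # Values as an administrator might have typed them on the IdP side.
    typed = {"sp_entity_id": "https://google.com/a/example.com",
             "acs_url": "https://www.google.com/a/example.com/acs/"}
    for setting, reason in check_idp_config(typed, SP_METADATA):
        print(f"{setting}: {reason}")
```
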

Cheers,
Naohiro


Jan 2, 2017

Starting new blog in English!!

I have been blogging about Identity and Access Management solutions like Microsoft Identity Manager (a.k.a. MIM) and Azure Active Directory (Azure AD) in Japanese for 9 years.

From this new year, I decided to start writing posts in English as well, because I believe that Identity and Access Management is one of the most difficult topics not only for Japanese developers/administrators but also for those who work for global companies. This is proven by my experience in global IAM projects that I've been involved in recently. There were no special requirements from other countries; they were almost the same requirements that Japanese local companies have.

You can see my historical posts from the following link (in Japanese), and I placed a translation widget on the left side of the site so you can read my posts with machine translation.

IdM Labo(in Japanese)

Cheers,
Naohiro