October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Modern identity and access management for the Web

Jim Manico (Manicode Security)
9:00am–12:30pm Monday, 10/31/2016
Security in context (security datasci)
Location: Mercury Ballroom Level: Intermediate

Prerequisite knowledge

  • A general understanding of HTTP, web development, and web security

Materials or downloads needed in advance

  • A laptop

What you'll learn

  • Understand modern identity and access management on the Web
  • Learn how to use OAuth, SAML, and OIDC securely and for the right use cases


Modern identity and access management (IAM) on the Web is complex, putting a great burden on developers who have to integrate with modern authentication or access control layers. Jim Manico demystifies the relationship between modern protocols and frameworks such as OIDC, SAML, and OAuth that make up the core of modern web IAM.

Jim begins by discussing the security mechanisms critical when building an authentication (AuthN) layer of a web application and reviews a series of historical authentication threats that will inform a discussion on authentication design patterns necessary to build low-risk, high-security web applications. Jim also covers session management threats and best practices and offers several technical demonstrations and group code review labs.

Jim then turns to a deep discussion of SAML and OIDC, common technologies used for identity federation (and more), to ask how SAML and OIDC integrate with standard web authentication mechanisms and how these standard workflows are changed when modern protocols are introduced. These integrations can get complex fast, which often leads to insecurity.

Jim concludes with an exploration of the emerging importance of the OAuth framework. OAuth, a delegation framework that increasingly appears on the radar of security professionals and developers, intersects with authentication and access control, yet you would not normally use OAuth by itself for authentication, session management, or access control in your applications. Adding to the confusion, OAuth 2.0 (RFC 6749) is specified as an authorization framework rather than a single fixed protocol, so different service providers implement it differently. But what is delegation really, and where does OAuth fit in? Jim explains how to use OAuth securely, discusses the relationship between OAuth and OIDC, and outlines how OAuth integrates with SAML, traditional web authentication, web access control, single sign-on, and similar technologies.


Jim Manico

Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and is an investor/advisor for Signal Sciences. He is a frequent speaker on secure software practices, a member of the JavaOne Rock Star speaker community, and a volunteer and former board member for the OWASP foundation. Jim is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill).



Jim Manico
07/13/2016 3:04pm EDT

I’m excited to have the chance to offer this workshop to the O’Reilly community. If you have any questions or comments please add them here and I’ll respond in short order. Aloha!