Authors: Sean O'Dell (Disney), Atul Tulshibagwale (SGNL)
An Identiverse 2024 Panel Recap
The attendance for this panel, which featured all co-chairs of the Shared Signals Working Group (SSWG), was near capacity and the engagement from the audience in the Q&A was resounding…because the hype is real with CAEP. The panel was moderated by IDAC podcast host, Jeff Steadman. His questions ranged from provisioning use cases to applicability in connected scenarios with other IAM domains (such as ITDR) and diving deeper into the CAEP specification and Shared Signals Framework. The “IAM CAEPable” T-shirts were also a hot commodity…and there might be another order coming soon.
The many questions from the audience made the discussion even more lively, allowing for open and real conversations to occur with the assembled panel of experts. The panelists felt the audience's engagement as they saw people scribbling notes, typing on a laptop, or nodding their heads before raising their hands to elaborate or branch off into new areas. Sometimes the energetic Q&A led to a conversation between the audience and multiple panelists. This article covers the highlights.
Highlights & Key Points
Q: What are the practical use cases and applications of CAEP Events?
Apart from the immediate “session revoked” scenario, now implemented by platform providers like Apple, CAEP can be applied in numerous other scenarios. These include, for example, revoking a suspicious device’s session without impacting the end user or informing an IdP of assurance level changes - informative and actionable signals.
A real world scenario is when an event is emitted from an anomaly detection engine, which results in a CAEP event being transmitted so you could take action to revoke the specific session for both the user and possibly the device, if applicable.
Q: Where do CAEP and ITDR intersect? Can you explain the significance of this intersection?
CAEP brings the “R” in ITDR (Identity Threat Detection and Response). Additionally, Shared Signals (SSF) can be leveraged to enhance ITDR by providing a way to communicate detected threats and trigger responses to security systems…using an open standard. Think of Shared Signals as the management framework and CAEP as, effectively, the events that sit on top of it. The new events introduced in the latest CAEP draft, “Session Established” and “Session Presented”, can also help detect usage anomalies like lateral movement across cloud resources.
Q: Can this be used in provisioning use cases?
A new draft in the IETF called “SCIM Events” defines events that can be shared using the Shared Signals Framework (SSF). This can be used to communicate changes to accounts such as new account provisioning or account termination.
Q: How can you link events to the same underlying action or reason?
The latest draft of the Shared Signals Framework (SSF) includes guidelines on using the JWT “txn” claim to ensure that transmitters and receivers do not process multiple events for the same underlying cause or reason and to establish a lineage between cause or reason to the events transmitted for reconciliation or closing the loop.
New Features and Drafts Released
There have been some exciting new developments from the Shared Signals Working Group. The new drafts have been released for review by the OpenID Foundation membership and voting. This stemmed from feedback at the Gartner Interoperability Summit, robust security analysis by the University of Stuttgart, natural maturation of the specification, and Work Group feedback where more use cases were brought to light.
Shared Signals Framework (SSF) - Draft 03
Clarification and bug fixes have been added to this draft. There have also been security issues addressed with issuer and stream audience mix up and potential attacker subject insertion. New features added include: the use of the txn claim to prevent cascading chains from the same underlying event and a means of using it for reconciliation and transmitters can now specify in their metadata which streams have no subjects by default or “appropriate subjects”.
Continuous Access Evaluation Profile (CAEP) Draft 03
The big update here is the introduction of 2 new events: “Session Established” and “Session Presented”. Additionally, the draft has been updated to reflect new formats and fields in examples to match the new SSF draft.
CAEP Interoperability Profile - Draft 00
The first version of the CAEP Interoperability Profile, which defines how implementations can be fully interoperable for specific use cases such as session revocation and credentials change, is also released.
To learn more about the new drafts from the Shared Signals Working Group (SSWG) please click here.