If you have ever worked on a critical web service, you know that one obstacle to expanding it is user account management and authentication. A simple MySQL database with a PHP frontend page will not cut it anymore in any enterprise setting. The security is too limited, the asset is too valuable, and the risk is too high. However, investing in a custom identity solution is complex and costly, and it takes time away from the core product features. Imagine if each team at Symantec provided a different login account and a mismatched experience for each product. This is where Norton Secure Login fits in, and why OpenID Connect certification matters to teams that handle user information.
Norton Secure Login (NSL) is an Identity Provider that provides a simple, secure, and centralized way to authenticate users. We provide the identity management infrastructure for millions of users across various Norton brands (Norton Security, Norton Mobile Security, Norton Online Family, Norton Identity, and more), Symantec’s EPMP, and even upcoming products like Norton Core. To date, NSL has used the SAML 2.0 protocol, an industry standard for the past decade, to handle this traffic. The protocol has grown more complex and been extended to accommodate needs that were not anticipated at the outset. In mid-2015, when Ilya Sokolov presented the OpenID Connect protocol to the team as the next step, we were excited to make it happen. After a year of hard work, the NSL team is proud to announce our certification as an OpenID Connect Provider. More importantly for you, we outline below what the protocol offers its adopters:
Simplicity – The SAML 2.0 protocol uses XML and data compression to minify the message. This makes it difficult for our clients (the Service Provider or Relying Party) to understand why a request failed, and even more difficult to debug a problem without reading the lengthy SAML 2.0 spec. OpenID Connect does away with XML tags and replaces them with JSON, giving developers more concise data to examine when identifying problems. The protocol also moves public details and metadata out of the message and into the provider’s metadata endpoint, in human-readable form.
Performance – Those who have worked with the SAML 2.0 protocol know that even a basic SAML 2.0 message can be quite large. Currently, a simple request is more than 800 characters and the encrypted response is over 12,000 characters. OpenID Connect starts with a mobile-first mindset and removes redundant specification. In addition, it uses JSON and relies on RESTful APIs to keep messages small. As a result, the same request and response in the OpenID Connect protocol come to under 3500 characters of uncompressed text. This is a message size reduction of almost 75% compared to the SAML 2.0 protocol!
Resilience – OpenID Connect is built on top of the OAuth 2.0 protocol, but extends it into a standard that retains flexibility. One way it achieves this is through a separation of concerns: one endpoint (URL) handles authentication and authorization (i.e., logging in users), while other endpoints provide other services (e.g., retrieving the user’s data). These endpoints work together through a token system, in which a JSON Web Token (JWT) is exchanged for the authorized user’s information.
Beyond OpenID Connect Provider certification, the NSL team has also developed a Java client library that your web service can use to adopt the OpenID Connect protocol. The library provides a configuration-based Java Servlet filter that handles user authentication and session management. If your project currently authenticates with NSL (at https://login.norton.com), we strongly encourage you to consider this upgrade. Many prominent identity providers, including Google, Microsoft, and Amazon, have seen the benefits and have become certified OpenID Connect Providers in the past 18 months. If you have any questions or want to let us know what you think, just shoot us an email. We welcome and appreciate your feedback. Even better, visit us in person! We have team members on the west coast (Culver City, Mountain), the east coast (Cambridge), and in the India office (Chennai).