ApacheCon 2013 SSO and Fine Grained Authorization in the Cloud



  1. SSO and fine grained authorization in the cloud
     Oliver Wulff
  2. Brief introduction
     ● Solution Architect
     ● Web Services (Axis, CXF, …)
     ● Security (WS-*, Kerberos, Web SSO, …)
     ● Corba
     ● Java / C# / C++
     ● Apache CXF PMC member
     ● Talend Community Coder (coders.talend.com)
     ● http://owulff.blogspot.com
     ● owulff@apache.org
  3. Agenda
     ● Authentication & Authorization in Web Applications
     ● Apache CXF Fediz
     ● Fediz and STS Use cases
     ● Relying Party IDP
     ● Fediz Roadmap
  4. Authentication & Authorization in Web Applications
  5. Application Security 10 years ago
     ● SSO solution using Reverse Proxy
     ● Proprietary SSO token / protocol
     ● Same product at Reverse Proxy, Application Server and central Security Service
     ● Security tokens validated by remote Security Server
     ● Role Based Access Control (Java, .NET API)
     ● User/ID management internal
  6. Security Challenges
     ● Non IT company
       – Buy vs build
       – Applications hosted in the cloud
     ● SaaS for IT companies
     ● Integrate several IDM systems (B2B customers)
     ● Access to user information
       – Network connectivity
       – Replicating user information
     ● Reduce Security Code in the Application
  7. Gaps
     ● Fine grained authorization (beyond RBAC) in application logic
     ● Tight coupling to custom security components and protocols (central server, reverse proxy, proxy agent)
     ● Tight coupling to single user domain
     ● Lack of agility and risk due to managing B2B users internally
     ● Different authentication mechanism in the application (container)
     ● Integration with Web Services Stack
     ● Mock testing
  8. How to address that?
     ● Indirect Trust Relationship to Security Server
     ● Push user data to the application instead of pulling it
     ● Externalize Authentication to a Central server
     ● Lightweight Open Source component
     ● Industry standard based solution
  9. WS-Federation
     ● OASIS Standard 2009
     ● Security Token agnostic (SAML 1.1/2.0, …)
     ● Extends WS-Trust
     ● Browser and Web Services SSO
     ● PRP (Passive Requestor Profile) adapts Browser to WS-Trust
     ● No connectivity between Application and IDP required (Cloud)
     ● Claims/Attribute Based Access Control
     ● Supports several Authentication domains
  10. WS-Trust Security Token Service
      1. Consumer requests token from STS, presenting credentials (RST = Request Security Token)
      2. STS verifies credentials and issues signed token
      3. STS sends token back to consumer (RSTR = Request Security Token Response)
      4. Consumer encloses token in message to service provider (optionally signing message)
      5. Service provider validates token (and signature)
      6. Service provider sends response to consumer
      WS-SecurityPolicy brings flexibility and transparency to service consumer
  11. Apache CXF Fediz
  12. Apache CXF Fediz
      ● Sub-project of Apache CXF project
      ● Work started mid-2011
      ● Community growing
      ● First release in June 2012
      ● Current release 1.0.2
      ● Finishing work for 1.1
  13. Apache CXF Fediz
      (Architecture diagram: Identity Provider (IDP) with a Security Token Service (STS), realised by Fediz IDP and Fediz STS; WS-Federation between the browser and the IDP, WS-Trust between IDP and STS; security tokens issued by the STS; user machine with browser accessing the Relying Party (RP) web application over HTTPS; Fediz Plugin inside the servlet container.)
  14. Apache CXF Fediz
      (Sequence diagram: Web User / Browser, Relying Party (ex. Tomcat, WebSphere, ASP.NET, etc.), Identity Provider IDP / STS)
      1) HTTP GET resource; redirect to IDP
      2) Sign-In Request
      3) Login
      4) Post Credentials
      5) Sign-In Response (SAML token)
      6) Post Sign-In Response
      7) Resource, Set Cookie
      Trust relationship: signed token, no call to STS from the Relying Party
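The WS-Trust exchange on slide 10 and the passive WS-Federation flow on slide 14, as an added Python model (not Fediz code; Fediz itself is Java). It assumes a constructed user store, a shared HMAC key standing in for the STS signing certificate that the relying party trusts, a JSON body standing in for the SAML assertion, and the names IDP_URL and RP_REALM; the wa/wtrealm/wctx/wresult parameter names are those of WS-Federation. The point to watch is in rp_validate: signature, audience and lifetime are checked locally, so the relying party never needs connectivity to the STS.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed trust material and user store. In WS-Federation the relying
# party trusts the STS signing certificate; an HMAC over the token body with a
# key shared between STS and RP stands in for the XML signature here.
STS_SIGNING_KEY = b"constructed-sts-signing-key"
USER_STORE = {"alice": ("alice-pw", ["User", "Manager"])}
RP_REALM = "urn:example:fedizhelloworld"        # assumed wtrealm / AppliesTo of the RP
IDP_URL = "https://idp.example/federation"      # assumed IDP sign-in endpoint
TOKEN_LIFETIME = 300                            # seconds, assumed


def b64enc(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue(username, password, applies_to, now=None):
    """WS-Trust steps 1-3: verify the credentials presented in the RST and
    return a signed token (RSTR). The JSON body is a stand-in for a SAML
    assertion: issuer, subject, audience (AppliesTo), lifetime, claims."""
    now = time.time() if now is None else now
    stored_pw, roles = USER_STORE.get(username, (None, []))
    if stored_pw is None or not hmac.compare_digest(stored_pw, password):
        raise PermissionError("STS: bad credentials")
    body = json.dumps({"issuer": "fediz-idp", "subject": username,
                       "audience": applies_to, "exp": now + TOKEN_LIFETIME,
                       "roles": roles}, sort_keys=True).encode()
    signature = hmac.new(STS_SIGNING_KEY, body, hashlib.sha256).digest()
    return b64enc(body) + "." + b64enc(signature)


def rp_validate(token, expected_audience, now=None):
    """WS-Trust step 5: the relying party checks signature, audience and
    lifetime locally. It never has to call the STS (no IDP connectivity)."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    body = b64dec(body_b64)
    expected = hmac.new(STS_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64dec(sig_b64)):
        raise PermissionError("signature check failed")
    claims = json.loads(body)
    if claims["audience"] != expected_audience:
        raise PermissionError("token not issued for this relying party")
    if claims["exp"] < now:
        raise PermissionError("token expired")
    return claims


def rejection_reason(token, expected_audience, now=None):
    """Return why rp_validate rejects a token, or None if it is accepted."""
    try:
        rp_validate(token, expected_audience, now)
    except PermissionError as err:
        return str(err)
    return None


def rp_signin_redirect(resource_url):
    """Passive flow steps 1/2: an unauthenticated GET is answered with a
    redirect to the IDP carrying the sign-in request (wa, wtrealm, wctx)."""
    params = {"wa": "wsignin1.0", "wtrealm": RP_REALM, "wctx": resource_url}
    return IDP_URL + "?" + urlencode(params)


def idp_signin(redirect_url, username, password, now=None):
    """Steps 3-5: the IDP authenticates the user, obtains a token for wtrealm
    from the STS and returns the form the browser POSTs back to the RP."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("wa") != ["wsignin1.0"]:
        raise ValueError("not a WS-Federation sign-in request")
    token = sts_issue(username, password, query["wtrealm"][0], now)
    return {"wa": "wsignin1.0", "wresult": token, "wctx": query["wctx"][0]}


def rp_consume_signin_response(form, now=None):
    """Steps 6/7: validate the posted token, establish a session cookie and
    redirect the browser to the resource it originally asked for (wctx)."""
    claims = rp_validate(form["wresult"], RP_REALM, now)
    return {"location": form["wctx"],
            "set_cookie": "FEDIZ_SESSION=" + secrets.token_hex(16),
            "principal": claims["subject"], "roles": claims["roles"]}
```

Run through in order: rp_signin_redirect builds the redirect, idp_signin plays the IDP/STS side and produces the wresult form, rp_consume_signin_response is the plugin's side of step 6/7. rejection_reason shows the three checks that matter on the relying party: a token for a different realm (audience), an expired token, and a body whose signature does not verify are all refused without consulting the IDP.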
  15. Apache CXF STS
      ● WS-Trust 1.3/1.4
      ● WS-SecurityPolicy 1.3
      ● RST authentication: Username / Kerberos / SAML token
      ● Security Bindings: Symmetric, Asymmetric, Transport
      ● Supported bindings: Issue, validate, cancel, renew
      ● Token provider: SAML 1.1/2.0 (HOK, Bearer), Custom, Secure Conversation
      ● Token encryption support
      ● Issue/validate supports token transformation
      ● SAML token creation customizable: Subject, Audience, AttributeStatements, …
      ● Claims support
      ● Support for realms/security domains
      ● Identity Mapping
      ● Claims transformation
      ● Advanced RST elements: KeyType, Entropy, AppliesTo, SecondaryParameters, …
      ● Intermediary: OnBehalfOf, ActAs
      ● Custom Claims dialects
      ● Batch processing (RSTC)
  16. Fediz IDP / STS
      ● Username / password authentication
      ● User store (File, LDAP, JAAS)
        – File store
        – LDAPLoginModule
        – Other JAAS Login Module
      ● Claims/Role store (File, LDAP)
        – LdapClaimsHandler
        – FileClaimsHandler
        – custom
      ● SAML Token creation customizable
      ● Small footprint (Mock testing)
      ● Wiki http://cxf.apache.org/fediz-idp.html
  17. Fediz Plugin
      ● WS-Federation 1.0/1.1/1.2
      ● SAML 1.1 / 2.0 Tokens
      ● IDP trust types: Chain Trust, Direct Trust
      ● Core Logic Container independent
      ● Supports Tomcat 7
      ● WS-Federation Metadata publish
      ● Claims provided in FederationPrincipal
      ● Wiki http://cxf.apache.org/fediz-idp.html
  18. Fediz Plugin Configuration
      Config element        Description                  Metadata
      issuer                Issuer URL                   PassiveRequestorEndpoint
      realm                 Realm                        TargetScope
      authenticationType    Authentication Type          NA
      roleURI               Claim URI for roles          NA
      roleDelimiter         Role Value Delimiter         NA
      claimTypesRequested   Requested claims             ClaimTypesRequested
      homeRealm             Home Realm                   NA
      tokenValidators       Security Token Validator     NA
      signingKey            Key for Metadata signature   Metadata signature
  19. Fediz Plugin Extensions (1/2)
      ● Customize Sign-In Request
        Configuration        SignIn Request   Callback object
        authenticationType   wauth            WAuthCallback
        homeRealm            whr              HomeRealmCallback
        freshness            wfresh           FreshnessCallback
        issuer               N.A.             IDPCallback
      ● Customize Security Token Validation
  20. Fediz Plugin Extensions (2/2)
      ● Callback Handler implementation for Home Realm Discovery

        import java.io.IOException;
        import javax.security.auth.callback.Callback;
        import javax.security.auth.callback.CallbackHandler;
        import javax.security.auth.callback.UnsupportedCallbackException;
        import javax.servlet.http.HttpServletRequest;
        // Fediz SPI callback type; package as used by Fediz 1.x
        import org.apache.cxf.fediz.core.spi.HomeRealmCallback;

        public class MyCallbackHandler implements CallbackHandler {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (int i = 0; i < callbacks.length; i++) {
                    if (callbacks[i] instanceof HomeRealmCallback) {
                        HomeRealmCallback callback = (HomeRealmCallback) callbacks[i];
                        // the plugin hands over the current request so the realm can be derived from it
                        HttpServletRequest request = callback.getRequest();
                        String homeRealm = ...; // application-specific discovery, elided on the slide
                        callback.setHomeRealm(homeRealm);
                    } else {
                        throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
                    }
                }
            }
        }

      ● Wiki http://cxf.apache.org/fediz-extensions.html
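The configuration elements of slide 18 and the sign-in request callbacks of slides 19 and 20, as an added Python model of the plugin's behaviour (not Fediz code; Fediz is Java and its own precedence rules are not stated on the slides). It assumes a request represented as a dict with a "params" entry, a hypothetical login_hint parameter for realm discovery, and that a callback result overrides the static configuration element; the parameter names wauth, whr and wfresh are those of WS-Federation.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlencode


@dataclass
class FedizConfig:
    """Subset of the plugin configuration elements listed on the slides.
    The values below are constructed defaults for this example."""
    issuer: str = "https://idp.example/federation"
    realm: str = "urn:example:fedizhelloworld"
    authentication_type: Optional[str] = None
    home_realm: Optional[str] = None
    role_uri: str = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
    role_delimiter: str = ","
    claim_types_requested: list = field(default_factory=list)


@dataclass
class Callbacks:
    """Per-request hooks in the spirit of WAuthCallback, HomeRealmCallback,
    FreshnessCallback and IDPCallback. Each takes the request (a dict with a
    'params' entry here) and returns a value, or None to keep the static config."""
    wauth: Optional[Callable] = None
    home_realm: Optional[Callable] = None
    freshness: Optional[Callable] = None
    issuer: Optional[Callable] = None


def discover_home_realm(request):
    """Home realm discovery logic a HomeRealmCallback could implement: honour
    an explicit whr parameter, else derive the realm from the domain part of a
    (hypothetical) login_hint. Returns None when nothing is known."""
    params = request.get("params", {})
    if params.get("whr"):
        return params["whr"]
    hint = params.get("login_hint", "")
    if "@" in hint:
        return "urn:realm:" + hint.rsplit("@", 1)[1].lower()
    return None


def build_signin_request(config, request, callbacks, resource):
    """Compose the redirect URL for the WS-Federation sign-in request. A
    callback result takes precedence over the static configuration element
    (that precedence is this example's choice, not a statement about Fediz)."""
    def pick(callback, default):
        value = callback(request) if callback else None
        return default if value is None else value

    issuer = pick(callbacks.issuer, config.issuer)
    params = {"wa": "wsignin1.0", "wtrealm": config.realm, "wctx": resource}
    wauth = pick(callbacks.wauth, config.authentication_type)
    if wauth:
        params["wauth"] = wauth
    whr = pick(callbacks.home_realm, config.home_realm)
    if whr:
        params["whr"] = whr
    wfresh = pick(callbacks.freshness, None)
    if wfresh is not None:
        params["wfresh"] = str(wfresh)   # wfresh=0 asks the IDP to re-authenticate
    return issuer + "?" + urlencode(params)


def roles_from_claims(config, claims):
    """Apply roleURI/roleDelimiter: the value of the role claim is split on the
    configured delimiter into the principal's role list."""
    value = claims.get(config.role_uri)
    if value is None:
        return []
    if isinstance(value, list):
        return [str(r).strip() for r in value if str(r).strip()]
    return [r.strip() for r in value.split(config.role_delimiter) if r.strip()]


def create_principal(config, subject, claims):
    """Shape of a FederationPrincipal: name, roles and all claims, plus the
    requested claim types the token did not carry (worth logging, since an
    authorization decision that needs them will otherwise fail silently)."""
    missing = [c for c in config.claim_types_requested if c not in claims]
    return {"name": subject, "roles": roles_from_claims(config, claims),
            "claims": dict(claims), "missing_requested_claims": missing}
```

A request that carries whr wins over the login hint; a request carrying neither leaves whr out so the IDP performs its own home realm discovery, which is the behaviour slide 28 calls HomeRealm Discovery on the RP-IDP side.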
  21. Fediz Interoperability
      (Interoperability matrix: Fediz Plugin and ASP.NET tested against Fediz IDP, Adnovum IDP and Microsoft ADFS)
      ● Fediz STS based on Apache CXF STS
      ● Apache CXF STS integrated into Adnovum IDP
  22. Fediz and STS Use cases
  23. STS: Use case Web SSO
      Fediz example “simpleWebapp”
      https://localhost:8443/fedizhelloworld/secure/fedservlet
  24. Standards
      ● WS-Federation 1.2
      ● WS-Trust 1.3
      ● SAML 2.0
      ● OASIS Identity Metasystem
      CXF STS capabilities
      ● RST Username / Kerberos
      ● SAML 2.0 Bearer
      ● Claims from LDAP
      ● Claim data in AttributeStatement
      Federation plugin
      ● SAML token validation (WSS4J, OpenSAML)
      ● Creates security context
  25. STS: Use case intermediary
      Fediz example “wsclientWebapp”
      https://localhost:8443/fedizhelloworld/secure/service.jsp
  26. Standards (bracketed numbers refer to the numbered steps of the deployment diagram on slide 35)
      ● WS-Trust 1.3
      ● SAML 2.0
      ● WS-SecurityPolicy
      CXF STS capabilities
      ● RST SAML token [4,6]
      ● SAML 2.0 Bearer [6]
      ● Custom Token [4] (BinarySecurityToken)
      ● Token transformation [4,6]
      ● Identity Mapping [4]
      ● OnBehalfOf [4,6]
      CXF capabilities
      ● Issued token assertion (WS-SecurityPolicy)
      ● SecondaryParameters
      ● OnBehalfOf
      ● Token caching
  27. Relying Party IDP
  28. More than one Requestor IDP
      ● WS-Federation defines Requestor and Relying Party IDP
      ● RP IDP issues SAML token for application in a requestor independent format
      ● Integrate Requestor IDPs without affecting application
      ● HomeRealm Discovery
      ● RP IDP federates Identities or Claims
  29. Internal ID management
      (Diagram: Requestor IdPs mycompany.com APAC and EMEA; RP-IdP mycompany.com performing home realm discovery; intranet browser; Relying Party application container, ex. Tomcat; steps 1 to 3 from the browser via the relying party and the RP-IdP to the requestor IdP.)
      Federate identities
      ● CXF IdentityMapper
      ● Relationship: FederateIdentity
  30. Hybrid ID management
      (Diagram: as on slide 29, with a requestor IdP fabrikam.com added alongside the internal mycompany.com requestor IdPs APAC and EMEA; RP-IdP mycompany.com with home realm discovery; browsers for mycompany.com and fabrikam.com users; Relying Party application container, ex. Tomcat; steps 1 to 3.)
      Federate identities
      ● CXF IdentityMapper
      ● Relationship: FederateIdentity
  31. External requestor IDPs (SaaS)
      (Diagram: as on slide 30, with an external requestor IdP adatam.com and its browser users added; all reach the Relying Party application container, ex. Tomcat, through the RP-IdP mycompany.com; steps 1 to 3.)
      Federate claims/attributes
      ● CXF ClaimsMapper
      ● Relationship: FederateClaims
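The two relationship types of slides 28 to 31, FederateIdentity (CXF IdentityMapper) and FederateClaims (CXF ClaimsMapper), as an added Python model of an RP-IDP's decision (not Fediz or CXF code). The realms mycompany.com, fabrikam.com and adatam.com come from the slides; the relationship table, the identity and claim mapping tables, the internal claim store and the claim URIs under http://adatam.example are constructed for the example.

```python
ROLE_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
EMAIL_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
RP_IDP_REALM = "urn:realm:mycompany.com"           # assumed realm of the RP-IDP

# Constructed trust relationships of the RP-IDP with its requestor IdPs.
RELATIONSHIPS = {
    "urn:realm:mycompany.com:apac": "FederateIdentity",
    "urn:realm:mycompany.com:emea": "FederateIdentity",
    "urn:realm:fabrikam.com": "FederateIdentity",    # hybrid: partner users mapped to internal ids
    "urn:realm:adatam.com": "FederateClaims",        # external SaaS customer: claims only
}

# Constructed table for the IdentityMapper: (requestor realm, subject) -> internal id.
IDENTITY_MAP = {
    ("urn:realm:mycompany.com:apac", "awong"): "wong.alice",
    ("urn:realm:fabrikam.com", "bob"): "ext.bob",
}

# Constructed internal claim store consulted after identity mapping.
INTERNAL_CLAIMS = {
    "wong.alice": {ROLE_URI: ["User", "Manager"], EMAIL_URI: "alice.wong@mycompany.com"},
    "ext.bob": {ROLE_URI: ["Partner"]},
}

# Constructed table for the ClaimsMapper: per requestor realm, source URI -> RP-IDP URI.
CLAIM_MAP = {
    "urn:realm:adatam.com": {
        "http://adatam.example/claims/group": ROLE_URI,
        "http://adatam.example/claims/mail": EMAIL_URI,
    },
}


def map_identity(realm, subject):
    """IdentityMapper role: translate the requestor IdP's subject into the
    internal identity; unknown subjects are refused rather than passed through."""
    internal = IDENTITY_MAP.get((realm, subject))
    if internal is None:
        raise PermissionError("no identity mapping for %s in %s" % (subject, realm))
    return internal


def map_claims(realm, claims):
    """ClaimsMapper role: rename the claims the relationship knows; anything
    unmapped is dropped so a foreign IdP cannot inject arbitrary claims."""
    mapping = CLAIM_MAP.get(realm, {})
    return {mapping[uri]: value for uri, value in claims.items() if uri in mapping}


def federate(requestor_token, target_realm):
    """The RP-IDP's decision: issue a token for the application in the
    requestor-independent format, choosing identity or claims federation from
    the configured relationship with the token's realm."""
    realm = requestor_token["realm"]
    relationship = RELATIONSHIPS.get(realm)
    if relationship is None:
        raise PermissionError("untrusted requestor realm " + realm)
    if relationship == "FederateIdentity":
        subject = map_identity(realm, requestor_token["subject"])
        claims = dict(INTERNAL_CLAIMS.get(subject, {}))
    else:  # FederateClaims: the subject stays scoped to its own realm
        subject = requestor_token["subject"] + "@" + realm
        claims = map_claims(realm, requestor_token["claims"])
    return {"issuer": RP_IDP_REALM, "audience": target_realm,
            "subject": subject, "claims": claims, "federation": relationship}


def federation_outcome(requestor_token, target_realm):
    """Return the issued token, or the reason the RP-IDP refused."""
    try:
        return federate(requestor_token, target_realm)
    except PermissionError as err:
        return {"error": str(err)}
```

The application behind the RP-IDP sees one issuer and one claim dialect whichever requestor IdP the user came from, which is what lets a new requestor IdP be added without touching the application. Both refusal paths matter: an unconfigured realm is rejected outright, and under FederateIdentity a subject with no mapping is rejected instead of being given a guessed internal identity.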
  32. Fediz Roadmap
      ● WS-Federation support for RP-IDP (1.1)
      ● HomeRealm Discovery (1.1)
      ● SAML Profile (1.1+)
      ● Support encrypted SAML tokens (1.1)
      ● SAML Holder-Of-Key (1.1)
      ● Fediz Plugin support
        – Karaf (1.1)
        – Jetty (1.1)
        – Spring Security (1.1)
  33. More information
      ● Fediz website http://cxf.apache.org/fediz.html
      ● Blogs
        http://coheigea.blogspot.com
        http://www.dankulp.com/blog/
        http://sberyozkin.blogspot.com
        http://owulff.blogspot.com
  35. Standards (appendix: deployment diagram for the intermediary use case)
      (Diagram: Identity Provider with identity stores <<Solaris>> LDAP, <<Windows>>, and <<Mainframe>> RACF; IDP <<Nevis>>; STS <<CXF>>; Browser; Web Application <<Tomcat>> with Federation plugin and a CXF JAX-WS client; Business Service <<Tomcat>> JAX-RPC, not CXF; Business Service <<OSGi Karaf>> CXF JAX-WS; numbered message steps 1 to 7, with sub-steps 2.1, 2.2 and 4.1.)
      ● WS-Trust 1.3
      ● SAML 2.0
      ● WS-SecurityPolicy
      CXF STS capabilities
      ● RST SAML token [4,6]
      ● SAML 2.0 Bearer [6]
      ● Custom Token [4] (BinarySecurityToken)
      ● Token transformation [4,6]
      ● Identity Mapping [4]
      ● OnBehalfOf [4,6]
      CXF capabilities
      ● Issued token assertion (WS-SecurityPolicy)
      ● SecondaryParameters
      ● OnBehalfOf
      ● Token caching