Your SlideShare is downloading. ×
Open Source Identity Integration with OpenSSO
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Open Source Identity Integration with OpenSSO

5,204

Published on

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
5,204
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
197
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Open Source Identity Integration with OpenSSO July 4th, 2008 Pat Patterson Federation Architect pat.patterson@sun.com blogs.sun.com/superpat
  • 2. Agenda • Web Access Management > The Problem > The Solution > How Does It Work? • Federation > Single Sign-On Beyond a Single Enterprise > How Does It Work? • OpenSSO > Project Overview 2
  • 3. Typical Problems • “Every application wants me to log in!” • “I have too many passwords – my monitor is covered in Post-its!” • “We're implementing Sarbanes-Oxley – we need to control access to applications!” • “We need to access outsourced functions!” • “Our partners need to access our applications!” 3
  • 4. Web Access Management • Simplest scenario is within a single organization • Factor authentication and authorization out of web applications into web access management (WAM) solution • Can use browser cookies within a DNS domain • Proxy or Agent architecture implements role-based access control (RBAC) • Users get single sign-on, IT gets control 4
  • 5. Single Sign-On Within an Organization Web Server Web Server SSO Server Application Server End User 5
  • 6. How It Works SSO Server Browser Agent Application GET hrapp/index.html Redirect to SSO Server Authenticate Redirect to hrapp/index.html (with SSO cookie) GET hrapp/index.html (with SSO cookie) Is this user allowed to access hrapp/index.html? Yes! Allow request to proceed Application response 6
  • 7. Web Access Management Products • Sun Java System Access Manager > OpenSSO • CA (Netegrity) SiteMinder Access Manager • IBM Tivoli Access Manager • Oracle (Oblix) Access Manager • Novell Access Maneger • JA-SIG CAS • Spring Security (Acegi) • JOSSO 7
  • 8. Typical Problems • “Every application wants me to log in!” • “I have too many passwords – my monitor is covered in Post-its!” • “We're implementing Sarbanes-Oxley – we need to control access to applications!” • “We need to access outsourced functions!” • “Our partners need to access our applications!” 8
  • 9. Single Sign-on between Organizations • Cookies no longer work > Need a more sophisticated protocol • Can't mandate single vendor solution > Need standards for interoperability 9
  • 10. SSO Across Organizations Service Service Provider Provider Identity Provider Service Provider End User 10
  • 11. SAML 2.0 SSO Basics Identity Provider Browser Service Provider GET hrapp/index.html Redirect with SAML Request SAML Authentication Request Authenticate HTML form with SAML Response SAML Response Service Provider examines SAML Response and makes access Response control decision 11
  • 12. SAML 2.0 Assertion (Abbreviated!) <Assertion Version="2.0" ID="..." IssueInstant="2007-11-06T16:42:28Z"> <Issuer>https://pat-pattersons-computer.local:8181/</Issuer> <Signature>...</Signature> <saml:Subject> <saml:NameID Format="urn:oasis:...:persistent" ...> ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:...:bearer"> <saml:SubjectConfirmationData .../> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z"> <saml:AudienceRestriction> <saml:Audience> https://pat-pattersons-computer.local/example-pat/ </saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z" ...> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:...:PasswordProtectedTransport </saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion> 12
  • 13. SAML 2.0 Adoption • Sun, IBM, CA – all the usual suspects, except Microsoft • OpenSAML (Internet2) > Java, C++ • OpenSSO (Sun) > Java, PHP, Ruby • SimpleSAMLphp (Feide) • LASSO (Entr'ouvert) > C/SWIG • ZXID (Symlabs) > C/SWIG 13
  • 14. What is OpenSSO? • OpenSSO 1.0 == Federated Access Manager 8.0 • All FAM 8.0 builds available via OpenSSO Open Access. • Preview Features Open Federation. • Provide Feedback • Review code security 14
  • 15. OpenSSO Momentum • In less than 2 years... > >700 project members at opensso.org > ~15 external committers > Consistently in Top 10* java.net projects by mail traffic – * of over 3000 projects • Production deployments > www.audi.co.uk – 250,000 customer profiles > openid.sun.com – OpenID for Sun employees > telenet.be – Foundation for fine-grained authorization 15
  • 16. OpenSSO Extensions https://opensso.dev.java.net/public/extensions/ • PHP SAML 2.0 SP implementation > Picked up by Feide (Norway) SAML 2.0 • Ruby SAML 2.0 SP implementation • SAML 2.0 ECP test rig • OpenID 1.1 Provider OpenID > Deployed at openid.sun.com Client SDK • PHP Client SDK implementation • ActivIdentity 4Tress Authentication Modules • Hitachi Finger Vein Biometric • Information Card (aka CardSpace) 16
  • 17. Demo Deploy and Configure OpenSSO Create an Identity Provider SAML-enable a Service Provider... All in less than 10 minutes! 17
  • 18. DEMO GO!!! 18
  • 19. Participez! Join Download Sign up at OpenSSO 1.0 opensso.org Build 4 Subscribe Chat OpenSSO Mailing Lists #opensso on dev, users, announce freenode.net 19
  • 20. Resources https://opensso.dev.java.net/public/extensions/ OpenSSO • http://opensso.org/ OpenSSO Wiki • http://wiki.opensso.org/ Pat's Blog • Superpatterns > http://blogs.sun.com/superpat/ Daniel Raskin's Blog • Virtual Daniel > http://blogs.sun.com/raskin/ 20
  • 21. Open Source Identity Integration with OpenSSO July 4th, 2008 Pat Patterson Federation Architect pat.patterson@sun.com blogs.sun.com/superpat

×