0
Open Source Identity Integration with OpenSSO
July 4th, 2008

Pat Patterson
Federation Architect
pat.patterson@sun.com
blo...
Agenda
• Web Access Management
  > The Problem
  > The Solution
  > How Does It Work?
• Federation
  > Single Sign-On Beyo...
Typical Problems
• “Every application wants me to log in!”

• “I have too many passwords – my monitor is
  covered in Post...
Web Access Management
• Simplest scenario is within a single organization
• Factor authentication and authorization out of...
Single Sign-On Within an Organization



                    Web Server
                                 Web Server
 SSO S...
How It Works
SSO Server            Browser                 Agent                Application
                            GE...
Web Access Management Products
• Sun Java System Access Manager
    > OpenSSO
•   CA (Netegrity) SiteMinder Access Manager...
Typical Problems
• “Every application wants me to log in!”

• “I have too many passwords – my monitor is
  covered in Post...
Single Sign-on between Organizations


• Cookies no longer work
  > Need a more sophisticated protocol

• Can't mandate si...
SSO Across Organizations




                    Service    Service
                    Provider   Provider
  Identity
  P...
SAML 2.0 SSO Basics
 Identity Provider       Browser         Service Provider
                             GET hrapp/index...
SAML 2.0 Assertion
(Abbreviated!)
<Assertion Version="2.0" ID="..." IssueInstant="2007-11-06T16:42:28Z">
    <Issuer>https...
SAML 2.0 Adoption
• Sun, IBM, CA – all the usual suspects, except Microsoft
• OpenSAML (Internet2)
  > Java, C++
• OpenSSO...
What is OpenSSO?

                    • OpenSSO 1.0 ==
                      Federated Access
                      Manage...
OpenSSO Momentum
• In less than 2 years...
  > >700 project members at opensso.org
  > ~15 external committers
  > Consist...
OpenSSO Extensions
https://opensso.dev.java.net/public/extensions/

                                   • PHP SAML 2.0 SP i...
Demo



        Deploy and Configure OpenSSO
          Create an Identity Provider
       SAML-enable a Service Provider.....
DEMO




       GO!!!
               18
Participez!
          Join             Download


       Sign up at         OpenSSO 1.0
      opensso.org           Build ...
Resources
https://opensso.dev.java.net/public/extensions/

OpenSSO                            • http://opensso.org/

OpenS...
Open Source Identity Integration with OpenSSO
July 4th, 2008

Pat Patterson
Federation Architect
pat.patterson@sun.com
blo...
Upcoming SlideShare
Loading in...5
×

Open Source Identity Integration with OpenSSO

5,287

Published on

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
5,287
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
199
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Transcript of "Open Source Identity Integration with OpenSSO"

  1. 1. Open Source Identity Integration with OpenSSO July 4th, 2008 Pat Patterson Federation Architect pat.patterson@sun.com blogs.sun.com/superpat
  2. 2. Agenda • Web Access Management > The Problem > The Solution > How Does It Work? • Federation > Single Sign-On Beyond a Single Enterprise > How Does It Work? • OpenSSO > Project Overview 2
  3. 3. Typical Problems • “Every application wants me to log in!” • “I have too many passwords – my monitor is covered in Post-its!” • “We're implementing Sarbanes-Oxley – we need to control access to applications!” • “We need to access outsourced functions!” • “Our partners need to access our applications!” 3
  4. 4. Web Access Management • Simplest scenario is within a single organization • Factor authentication and authorization out of web applications into web access management (WAM) solution • Can use browser cookies within a DNS domain • Proxy or Agent architecture implements role-based access control (RBAC) • Users get single sign-on, IT gets control 4
  5. 5. Single Sign-On Within an Organization Web Server Web Server SSO Server Application Server End User 5
  6. 6. How It Works SSO Server Browser Agent Application GET hrapp/index.html Redirect to SSO Server Authenticate Redirect to hrapp/index.html (with SSO cookie) GET hrapp/index.html (with SSO cookie) Is this user allowed to access hrapp/index.html? Yes! Allow request to proceed Application response 6
  7. 7. Web Access Management Products • Sun Java System Access Manager > OpenSSO • CA (Netegrity) SiteMinder Access Manager • IBM Tivoli Access Manager • Oracle (Oblix) Access Manager • Novell Access Maneger • JA-SIG CAS • Spring Security (Acegi) • JOSSO 7
  8. 8. Typical Problems • “Every application wants me to log in!” • “I have too many passwords – my monitor is covered in Post-its!” • “We're implementing Sarbanes-Oxley – we need to control access to applications!” • “We need to access outsourced functions!” • “Our partners need to access our applications!” 8
  9. 9. Single Sign-on between Organizations • Cookies no longer work > Need a more sophisticated protocol • Can't mandate single vendor solution > Need standards for interoperability 9
  10. 10. SSO Across Organizations Service Service Provider Provider Identity Provider Service Provider End User 10
  11. 11. SAML 2.0 SSO Basics Identity Provider Browser Service Provider GET hrapp/index.html Redirect with SAML Request SAML Authentication Request Authenticate HTML form with SAML Response SAML Response Service Provider examines SAML Response and makes access Response control decision 11
  12. 12. SAML 2.0 Assertion (Abbreviated!) <Assertion Version="2.0" ID="..." IssueInstant="2007-11-06T16:42:28Z"> <Issuer>https://pat-pattersons-computer.local:8181/</Issuer> <Signature>...</Signature> <saml:Subject> <saml:NameID Format="urn:oasis:...:persistent" ...> ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:...:bearer"> <saml:SubjectConfirmationData .../> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z"> <saml:AudienceRestriction> <saml:Audience> https://pat-pattersons-computer.local/example-pat/ </saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z" ...> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:...:PasswordProtectedTransport </saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion> 12
  13. 13. SAML 2.0 Adoption • Sun, IBM, CA – all the usual suspects, except Microsoft • OpenSAML (Internet2) > Java, C++ • OpenSSO (Sun) > Java, PHP, Ruby • SimpleSAMLphp (Feide) • LASSO (Entr'ouvert) > C/SWIG • ZXID (Symlabs) > C/SWIG 13
  14. 14. What is OpenSSO? • OpenSSO 1.0 == Federated Access Manager 8.0 • All FAM 8.0 builds available via OpenSSO Open Access. • Preview Features Open Federation. • Provide Feedback • Review code security 14
  15. 15. OpenSSO Momentum • In less than 2 years... > >700 project members at opensso.org > ~15 external committers > Consistently in Top 10* java.net projects by mail traffic – * of over 3000 projects • Production deployments > www.audi.co.uk – 250,000 customer profiles > openid.sun.com – OpenID for Sun employees > telenet.be – Foundation for fine-grained authorization 15
  16. 16. OpenSSO Extensions https://opensso.dev.java.net/public/extensions/ • PHP SAML 2.0 SP implementation > Picked up by Feide (Norway) SAML 2.0 • Ruby SAML 2.0 SP implementation • SAML 2.0 ECP test rig • OpenID 1.1 Provider OpenID > Deployed at openid.sun.com Client SDK • PHP Client SDK implementation • ActivIdentity 4Tress Authentication Modules • Hitachi Finger Vein Biometric • Information Card (aka CardSpace) 16
  17. 17. Demo Deploy and Configure OpenSSO Create an Identity Provider SAML-enable a Service Provider... All in less than 10 minutes! 17
  18. 18. DEMO GO!!! 18
  19. 19. Participez! Join Download Sign up at OpenSSO 1.0 opensso.org Build 4 Subscribe Chat OpenSSO Mailing Lists #opensso on dev, users, announce freenode.net 19
  20. 20. Resources https://opensso.dev.java.net/public/extensions/ OpenSSO • http://opensso.org/ OpenSSO Wiki • http://wiki.opensso.org/ Pat's Blog • Superpatterns > http://blogs.sun.com/superpat/ Daniel Raskin's Blog • Virtual Daniel > http://blogs.sun.com/raskin/ 20
  21. 21. Open Source Identity Integration with OpenSSO July 4th, 2008 Pat Patterson Federation Architect pat.patterson@sun.com blogs.sun.com/superpat
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×