Lecture 20101124
Transcript

  • 1. Web Identity Management. Anderson Liang, CTO, cacaFly. Nov. 24, 2010
  • 2. Problems: too many IDs & passwords; someone took my desired name; duplicated profiles everywhere; account management is hard
  • 3. Users want: a single identity, roaming among sites (sign on once vs. sign on at every site)
  • 4. Administrators want: are "they" the same guy? Federated identity
  • 5. Portal: hide & bridge everything behind a portal; provide a sign-on-once experience
  • 6. What enterprises have: there are a lot of solutions dealing with these problems for enterprises: Novell, Microsoft, IBM, Oracle, Sun Microsystems (acquired by Oracle), other ISVs
  • 7. Portal w/ SSO & Identity Integration (diagram, source: Novell Inc.): customers, partners and employees sign on (account: anderson, password: ********) to a Portal + Novell Access Manager; behind it, Novell Identity Manager links eDirectory to an Oracle DB (JDBC driver), MS AD (AD driver), Sun iDS (LDAP driver), NIS (NIS driver), a web server, a mail server and an FTP server
  • 8. Unified management of identity: single sign-on, central management, identity integration (source: Novell Inc.)
  • 9. Cover the complete identity lifecycle (diagram, source: Novell Inc.): provision (account management), promote, relocate, new project, resource access control (AM), forgot password / password expired (password management, IDM), de-provision
  • 10. What the Open Web has: SAML (2002~) & OpenID (2005~). http://connectid.blogspot.com/2006/11/we-need-iiw-in-panama.html
  • 11. What the Open Web has: the Open Stack (OpenID & more): unencumbered, cross-platform standards; open source / free software implementations; no single-vendor lock-in; distributed extensibility. http://developer.mozilla.org/presentations/sxsw2007/the_open_web/
  • 12. Why do sites accept external identities? To enhance user engagement and leverage social impressions, or because the "outside" identity belongs to the same real person who already has a relationship with the "inside" identity
  • 13. Technically speaking, we are dealing with the problem of "authentication" & "authorization" among different sites
  • 14. OpenID Introduction. Ref: http://www.slideshare.net/daveman692/open-id-overview-seoul-july-2007
  • 15. What's OpenID? Single sign-on for the web. Simple and lightweight (not going to replace your bank card PIN). Easy to use and deploy. Built upon proven existing technologies: DNS, HTTP, SSL/TLS, Diffie-Hellman. Decentralized: no single point of failure in the protocol. User-centric (not site-centric). Free!
  • 16. An OpenID is a URI. URLs are globally unique and ubiquitous; OpenID lets you prove ownership of a URI. People already have identity at URLs via blogs, photos, MySpace, Facebook, DAUM, etc.
  • 17. My OpenID (screenshot)
  • 18. How it works (diagram): the OpenID Provider (IdP, also called the OP), the consumer application (Relying Party, RP) and the end user
  • 19. How it works: 1. The site fetches the HTML of my OpenID URL. 2. It finds the "openid.server" link, i.e. the provider endpoint. 3. It establishes a shared secret with the provider (an association, negotiated with Diffie-Hellman). 4. It redirects my browser to the provider, where I authenticate and approve the OpenID login. 5. The provider redirects my browser back to the site with a signed OpenID response. 6. The site verifies the signature with the shared secret (an RP that holds no association asks the provider directly instead), checks that the response is for the URL and identifier it asked about and has not been replayed, and logs me in
  • 20. Sign on at the RP site (screenshot)
  • 21. Redirect to the IdP for authentication (screenshot)
  • 22. Grant permission to the RP site (screenshot)
  • 23. Sign-on process succeeded! (screenshot)
  • 24. Create an OpenID on your own domain, in http://andersonlamp.hopto.org/index.php
  • 25. How it works in detail: http://www.openaselect.org/trac/openaselect/wiki/OpenID
  • 26. Related specifications: OpenID Authentication 1.1/2.0; OpenID Attribute Exchange (AX) 1.0; OpenID Provider Authentication Policy Extension (PAPE) 1.0; OpenID Simple Registration Extension (SReg) 1.0; Yadis Discovery Protocol
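Step 6 of slide 19 ("site verifies the signature and logs me in") is where most RP bugs live, so here is the check spelled out. This is an added example, not code from the lecture or from any OpenID library: it implements the OpenID 2.0 signature rule (concatenate "key:value\n" for every field listed in openid.signed, HMAC it with the association's MAC key, base64-encode) and the surrounding checks an RP has to make before trusting a positive assertion: return_to, op_endpoint and assoc_handle must match what the RP sent and discovered, the signature must cover the fields that matter, and the response_nonce must be fresh and never seen before. The MAC key, endpoint URLs, identifiers and nonce are constructed test values; in the real protocol the MAC key comes out of the Diffie-Hellman association in step 3.

```python
import base64
import calendar
import hashlib
import hmac
import time

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed test values (assumptions, not from the lecture). The MAC key would
# normally be negotiated with the provider via Diffie-Hellman during association.
MAC_KEY = b"constructed-32-byte-mac-key-0000"
OP_ENDPOINT = "https://op.example.net/server"
RETURN_TO = "https://rp.example.org/openid/return"
ASSOC_HANDLE = "assoc-20101124-1"
NOW = calendar.timegm((2010, 11, 24, 10, 0, 30, 0, 0, 0))  # fixed clock for the demo

# Fields the RP relies on; the signature must cover all of them (OpenID 2.0, section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "claimed_id", "identity"}


def signed_string(params):
    """Key-value form covered by the signature (OpenID 2.0, section 6.1)."""
    keys = params["openid.signed"].split(",")
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in keys)


def compute_signature(params, mac_key, assoc_type="HMAC-SHA256"):
    digest = hashlib.sha256 if assoc_type == "HMAC-SHA256" else hashlib.sha1
    mac = hmac.new(mac_key, signed_string(params).encode("utf-8"), digest).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_assertion(params, mac_key, expected_return_to, discovered_op_endpoint,
                     assoc_handle, seen_nonces, now=None, max_skew=300):
    """RP-side verification of a positive assertion. Returns (ok, claimed_id or reason).

    seen_nonces is a set the RP persists so that a captured response cannot be replayed.
    For an identifier_select login the RP must additionally run discovery on the returned
    claimed_id and confirm that discovered_op_endpoint is authoritative for it.
    """
    now = time.time() if now is None else now
    if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
        return False, "not a positive OpenID 2.0 assertion"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to does not match the URL we sent"
    if params.get("openid.op_endpoint") != discovered_op_endpoint:
        return False, "op_endpoint differs from the endpoint found by discovery"
    if params.get("openid.assoc_handle") != assoc_handle:
        return False, "unknown association handle"
    if not REQUIRED_SIGNED <= set(params.get("openid.signed", "").split(",")):
        return False, "signature does not cover all required fields"
    nonce = params.get("openid.response_nonce", "")
    try:  # nonce = UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by random characters
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - issued) > max_skew:
        return False, "response_nonce outside the accepted time window"
    if nonce in seen_nonces:
        return False, "response_nonce already used (replay)"
    expected = compute_signature(params, mac_key)
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, params["openid.claimed_id"]


def make_sample_response(mac_key=MAC_KEY):
    """Constructed positive assertion, signed the way a provider would sign it."""
    p = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": "https://op.example.net/id/anderson",
        "openid.identity": "https://op.example.net/id/anderson",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2010-11-24T10:00:00Zq9x1",
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    p["openid.sig"] = compute_signature(p, mac_key)
    return p


if __name__ == "__main__":
    seen = set()
    print(verify_assertion(make_sample_response(), MAC_KEY, RETURN_TO, OP_ENDPOINT,
                           ASSOC_HANDLE, seen, now=NOW))
    print(verify_assertion(make_sample_response(), MAC_KEY, RETURN_TO, OP_ENDPOINT,
                           ASSOC_HANDLE, seen, now=NOW))  # same response again: replay
```

The nonce set is what turns "the signature is valid" into "this login happened once"; without it, anyone who captures the redirect in step 5 can replay it within the association's lifetime.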
  • 27. Demo: Yadis discovery; open source OpenID implementations; test sites: myid.tw, myopenid.com, Google, Yahoo
  • 28. myid.tw (screenshot)
  • 29. myopenid.com (screenshot)
  • 30. Google (screenshot)
  • 31. blogspot (screenshot)
  • 32. Yahoo (screenshot)
  • 33. (screenshot)
  • 34. Is OpenID enough? OpenID deals with the "identity", not the "resources". Several extensions enhance the authorization of access to "resources"
  • 35. OpenID conversation (diagram): http://www.slideshare.net/steveivy/openid-oauth-an-introduction
  • 36. OAuth conversation (diagram): http://www.slideshare.net/steveivy/openid-oauth-an-introduction
  • 37. OAuth Introduction. Ref: http://www.slideshare.net/rmetzler/identity-on-the-web-openid-vs-oauth
  • 38. What's OAuth? Sharing your data without sharing your password. Site-centric / centralized. Registration-based. Secure API authentication (each API request is signed with the consumer's and token's secrets rather than carrying the user's password)
  • 39. Roles (OAuth 1.0 terms): the User owns a Resource at the Service Provider; the Consumer is manually registered at the Service Provider (and receives a consumer key and secret); the User grants the Consumer access to the Resource
  • 40. OAuth flow (diagram): http://oauth.net/core/diagram.png
  • 41. Sign in with OAuth (screenshot)
  • 42. Authenticate (screenshot)
  • 43. Grant access (screenshot)
  • 44. Logged in (screenshot)
  • 45. OpenID vs. OAuth. OpenID: sharing identity; decentralized; the consumer-provider relationship is unknown in advance. OAuth: sharing resources; centralized; the consumer-provider relationship is known (pre-registered)
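Slide 38's "secure API authentication" and slide 40's flow come down to one mechanism in OAuth 1.0: every request the consumer makes carries an HMAC-SHA1 signature over the method, the URL and all the parameters, keyed with the consumer secret and the token secret, so the user's password never travels and a captured request cannot be altered or replayed. The following is an added example, not the lecture's code and not any OAuth library: it implements the signature base string and HMAC-SHA1 signing on the consumer side, and the service-provider side check (timestamp window, nonce store, constant-time signature comparison). The consumer key, token and secrets are the illustrative strings from the OAuth 1.0 / RFC 5849 examples; the secret registry and nonce store are constructed stand-ins for what a provider would keep in its database.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

PHOTO_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"

# Constructed registry: consumer key -> consumer secret, token -> token secret.
CONSUMER_SECRETS = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}
TOKEN_SECRETS = {"nnch734d00sl2jdk": "pfkkdhi9sl3r4s00"}


def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay raw."""
    return quote(str(s), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & enc(base URL) & enc(normalized parameters).

    `params` holds the oauth_* (and any form body) parameters; query-string parameters
    are taken from `url`. All pairs are encoded, sorted by key then value, and joined.
    """
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(norm)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer secret)&enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    mac = hmac.new(key, base_string(method, url, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def sign_request(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 nonce=None, timestamp=None):
    """Consumer side: build the oauth_* parameters (Authorization header or query) for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
    }
    if token:
        oauth["oauth_token"] = token
    oauth["oauth_signature"] = sign(method, url, oauth, consumer_secret, token_secret)
    return oauth


def lookup_secrets(consumer_key, token):
    """Constructed stand-in for the provider's credential database."""
    cs = CONSUMER_SECRETS.get(consumer_key)
    ts = TOKEN_SECRETS.get(token, "") if token else ""
    if cs is None or (token and not ts):
        return None
    return cs, ts


def verify_request(method, url, params, secrets_for, nonce_store, now=None, window=300):
    """Service-provider side. Returns (ok, reason). nonce_store is a persisted set of
    (consumer_key, token, nonce, timestamp) tuples so a captured request cannot be replayed."""
    now = time.time() if now is None else now
    sig = params.get("oauth_signature")
    if params.get("oauth_signature_method") != "HMAC-SHA1" or sig is None:
        return False, "unsupported or missing signature"
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > window:
        return False, "timestamp outside window"
    ckey, token = params.get("oauth_consumer_key"), params.get("oauth_token", "")
    replay_key = (ckey, token, params.get("oauth_nonce"), ts)
    if replay_key in nonce_store:
        return False, "nonce replayed"
    found = secrets_for(ckey, token)
    if found is None:
        return False, "unknown consumer or token"
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    if not hmac.compare_digest(sign(method, url, unsigned, *found), sig):
        return False, "bad signature"
    nonce_store.add(replay_key)
    return True, "ok"
```

The base string is the part implementations most often get wrong (double encoding, forgetting query parameters, wrong sort order); any mismatch between the two sides shows up as "bad signature" with no further hint, so it is worth testing the base string itself against a known request, as the asserted value above does.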
  • 46. Google works: OpenID + OAuth
  • 47. Google Account as OpenID: anyone can enter https://www.google.com/accounts/o8/id as their OpenID and log in with it. The RP discovers that URL as an OP endpoint (not as a personal identifier), which triggers an id_select login process, and you are issued an OpenID of the form https://www.google.com/accounts/o8/id?id=AItO wk...nqJOSI. From: http://www.slideshare.net/timdream/google-apps-account-as-openid
  • 48. Google Account as OpenID: the XRDS document returned by discovery (from: http://www.slideshare.net/timdream/google-apps-account-as-openid):
        <?xml version="1.0" encoding="UTF-8"?>
        <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
          <XRD>
            <Service priority="0">
              <Type>http://specs.openid.net/auth/2.0/server</Type>
              <Type>http://openid.net/srv/ax/1.0</Type>
              <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
              <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
              <Type>http://specs.openid.net/extensions/pape/1.0</Type>
              <URI>https://www.google.com/accounts/o8/ud</URI>
            </Service>
          </XRD>
        </xrds:XRDS>
  • 49. OpenID + OAuth dance (diagram, from: http://code.google.com/intl/zh-TW/apis/accounts/docs/OpenID.html)
  • 50. What is the "id_select" process? It is new in OpenID 2.0 (introduced back in 2007). The user indicates which OpenID provider to use but does not know or say their own OpenID, so the RP sends the special identifier http://specs.openid.net/auth/2.0/identifier_select as claimed_id and identity, and the provider selects an ID for the user and asserts it in the response. Because the RP did not choose that identifier, it must run discovery on the returned claimed_id and confirm the responding provider is authoritative for it before trusting it. The other login process is the ordinary "signon" process, where the user types a specific OpenID
  • 51. Yahoo: OpenID + OAuth
  • 52. http://openid.yahoo.com/ (screenshot)
  • 53. Authenticate (screenshot)
  • 54. Rename your OpenID (screenshot)
  • 55. Yahoo dance (diagram)
  • 56. Facebook
  • 57. facebook & yelp! (screenshot)
  • 58. Single Sign-On: "Facebook enables you to remove the registration process for your site by enabling users to log in to your site with their Facebook account. Once a user logs in to your site with his or her Facebook account, you can access the user's account information from Facebook, and the user is logged in to your site as long as he or she is logged in to Facebook." http://developers.facebook.com/docs/guides/web#login and http://www.facebook.com/instantpersonalization/
  • 59. Register your resource (app): http://developers.facebook.com/setup/
  • 60. OAuth authorization: send the user to https://graph.facebook.com/oauth/authorize?client_id=<your App ID>&redirect_uri=<redirect URL> (the app is the resource being authorized)
  • 61. Grant access to the resource (app). "This is a demo APP to show the usage of facebook social plugins." Facebook sends the browser back to the redirect URL with an authorization code: http://andersonlamp.hopto.org/?code=2.XX7JPLln LnC26i_5ldohMQ__.3600.1290531600- 702462107|7qT7yWTCm4CjglPkLQDT2NnsMVw
  • 62. Get an access token & invoke the Graph API. The server-side exchange (it carries the app secret, so it must never run in the browser): https://graph.facebook.com/oauth/access_token?client_id=<app id>&redirect_uri=<redirect url>&client_secret=<app secret>&code=<verification string>, which returns access_token=1558827777************************4b20009d789d-100001*******************************LA44qC1NxGh-***; then call https://graph.facebook.com/me?access_token=...
  • 63. Quick start with social plugins (http://developers.facebook.com/plugins): Like Button, Like Box, Comments, Activity Feed, Recommendations, Friendpile, Login Button, Live Stream
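Slides 60 to 62 show the three Facebook endpoints (/oauth/authorize, /oauth/access_token, /me) but not what the provider has to enforce for the authorization code to be safe to pass through the browser. The following is an added example, not the lecture's code and not Facebook's: a small model of both sides of that exchange, with the server holding the registered app (client_id, client_secret, redirect_uri) and enforcing that the redirect_uri at /oauth/authorize matches the registered one, that the code is bound to the client and redirect_uri it was issued for, that it expires quickly and can be redeemed only once, and that /oauth/access_token requires the client secret. The app registration, user record, lifetime and the `relying_site_login` driver are constructed for the demo; a production implementation also binds the round trip to the browser session with a state parameter, which is not on the slides and is left out here.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

CODE_LIFETIME = 600  # seconds a code stays redeemable (constructed value)


class AuthorizationServer:
    """Model of the provider side of slides 60-62 (constructed, not Facebook's implementation)."""

    def __init__(self, now=None):
        self.apps = {}      # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # code -> grant record
        self.tokens = {}    # access_token -> user record
        self._now = now     # injectable clock so expiry can be tested

    def now(self):
        return self._now() if self._now else time.time()

    def register_app(self, client_id, client_secret, redirect_uri):
        """Slide 59: the app (resource) is registered with a fixed redirect URI."""
        self.apps[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, user):
        """Slide 60/61: after the user consents, return the callback URL carrying ?code=."""
        app = self.apps.get(client_id)
        if app is None:
            raise ValueError("unknown client_id")
        if redirect_uri != app[1]:
            # Never redirect a code to an unregistered URL: the code would leak to it.
            raise ValueError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "issued": self.now(), "used": False}
        return f"{redirect_uri}?code={code}"

    def access_token(self, client_id, client_secret, redirect_uri, code):
        """Slide 62: the server-to-server exchange of code (plus app secret) for a token."""
        app = self.apps.get(client_id)
        if app is None or not hmac.compare_digest(app[0], client_secret):
            raise PermissionError("bad client credentials")
        grant = self.codes.get(code)
        if grant is None or grant["client_id"] != client_id:
            raise PermissionError("unknown code")
        if grant["used"]:
            raise PermissionError("code already used")
        if grant["redirect_uri"] != redirect_uri:
            raise PermissionError("redirect_uri mismatch")
        if self.now() - grant["issued"] > CODE_LIFETIME:
            raise PermissionError("code expired")
        grant["used"] = True
        token = secrets.token_urlsafe(32)
        self.tokens[token] = grant["user"]
        return token

    def me(self, access_token):
        """Slide 62: GET /me?access_token=..."""
        user = self.tokens.get(access_token)
        if user is None:
            raise PermissionError("invalid access token")
        return user


def code_from_callback(url):
    """The site reads the code out of the redirect it received (slide 61)."""
    return parse_qs(urlsplit(url).query)["code"][0]


def relying_site_login(server, client_id, client_secret, redirect_uri, user):
    """The whole dance from the site's point of view: authorize, exchange, call /me."""
    callback = server.authorize(client_id, redirect_uri, user)
    token = server.access_token(client_id, client_secret, redirect_uri, code_from_callback(callback))
    return server.me(token)


def failure(fn, *args):
    """Return the error message of a rejected call, or None if it succeeded."""
    try:
        fn(*args)
    except (ValueError, PermissionError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_app("app123", "s3cret", "https://andersonlamp.example/cb")  # constructed app
    print(relying_site_login(srv, "app123", "s3cret", "https://andersonlamp.example/cb",
                             {"id": "7", "name": "Anderson"}))
```

The single-use and short-lifetime rules are what make it acceptable for the code to appear in a browser URL (and therefore in referrer headers and logs) the way it does on slide 61: by the time anyone reads it there, the legitimate site has already redeemed it, and redeeming it requires the app secret anyway.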
  • 64. Case Study
  • 65. Redefine the problems: how to achieve identity federation? Web single sign-on: how to let users sign on once (on one site) and roam everywhere (on other sites) for a given period of time? Examples: the Facebook Like Button outside Facebook; the funP Push Button outside funP; Yam's identity in funP.com
  • 66. Facebook Like Button (screenshot)
  • 67. funP Push Button (screenshot)
  • 68. Sign on at Yam (screenshot)
  • 69. Sign-on at Yam succeeded (screenshot)
  • 70. Visit funP.com & click the Push Button (screenshot)
  • 71. Ask for the remote identity (screenshot): we have a valid session at Yam at this moment!
  • 72. funP is granted access without a new sign-on (screenshot): the permission is granted for a limited duration, and the user may refuse to use the identity from Yam
  • 73. Enter funP with Yam's identity (screenshot)
  • 74. Click the Push Button with Yam's identity (screenshot)
  • 75. Redefine the problems: how to achieve identity federation? Identity integration (identity acquisition): how to recognize that different Web identities represent the same real identity? Cross-domain user account provisioning; cross-domain entitlement management; cross-domain user attribute exchange. Examples: funP acquiring accounts from Yam; Jibjab.com leveraging Facebook accounts
  • 76. funP.com (screenshot)
  • 77. Two options (screenshot): Option 1, clone Yam's identity; Option 2, upgrade Yam's identity
  • 78. Option 1: create a funP identity from Yam's identity (screenshot)
  • 79. Option 2: upgrade Yam's identity to a funP identity (screenshot): upgrade notice; name the new identity
  • 80. Option 2: upgrade complete (screenshot)
  • 81. Yam identity's replica in funP (screenshot)
  • 82. Option 2: acquire Yam's identity (screenshot)
  • 83. Sign on at funP (screenshot): go to acquire external accounts
  • 84. Acquire Yam's identity (screenshot)
  • 85. Redirect to authenticate Yam's identity (screenshot)
  • 86. Yam's authentication (screenshot)
  • 87. Authenticated! Return to funP (screenshot): identity acquired; ask for final confirmation; the user can abandon the acquired identity instead
  • 88. Identity acquisition complete (screenshot)
  • 89. Compound identity (screenshot)
  • 90. Jibjab.com (screenshot)
  • 91. Choose to sign on w/ the fb identity (screenshot)
  • 92. Redirect to sign on with the fb identity (screenshot)
  • 93. Grant fb permissions (screenshot)
  • 94. Grant fb permission (again?) (screenshot)
  • 95. Ask to merge the fb identity w/ the Jibjab one (screenshot)
  • 96. Signed in w/ the fb identity (screenshot)
  • 97. Users have the freedom to link to a Jibjab account at any time (screenshot)
  • 98. Remarks
  • 99. OpenID is "open" for "users": http://www.slideshare.net/steveivy/openid-oauth-an-introduction
  • 100. OAuth is "open" for "applications": http://www.slideshare.net/steveivy/openid-oauth-an-introduction
  • 101. Q&A