1
A Thousand Things You Always Wanted To Know About SSO But Never Dared Ask
Luis Rodríguez Fernández
Oracle Code One. San Francisco. 24/10/2018
2
Agenda
What’s this presentation about?
About your speaker
About CERN
About CERN openlab
Why SSO?
CERN SSO
CERN SSO. WS-Fed & SAML2
CERN SSO. OAUTH2
CERN SSO. What’s next?
Take-aways
Luis Rodríguez Fernández
3
What is this presentation about?
● SSO components
  – Identity Provider
  – Service Provider
● IdP high level implementation details
● Focus on securing applications
● SAML2, WS-Fed, OAuth2 (client credentials)
● Real Use Cases
● Open-source & commercial solutions
● Tips & Tricks
[Diagram: IdP and SP linked by SAML2, WS-FED, OAUTH2.]
5
About your speaker
● Software Engineer
● Service Manager
  – Databases Applications Service
    ● Oracle WebLogic (~350 servers)
    ● Apache Tomcat (~40 servers)
    ● ~200 URLs
● From Spain (Asturias)
7
About CERN
● Fundamental Research
  – What’s the Universe made of?
  – How did it start?
  – What is matter made of?
● Tools
  – Accelerators
  – Detectors
● Three pillars
  – Research
  – Innovation
  – Education
● Science for peace
Research uniting people
9
About CERN openlab
A public-private partnership between the research community and industry
11
Why SSO?
Security
12
Why SSO?
Federation
13
Why SSO?
Unique pair of credentials
14
Why SSO?
Computer Security Officer
16
About CERN SSO
17
About CERN SSO
18
About CERN SSO
20
CERN SSO. WS-Fed & SAML2
● Very Similar
  – WS-Fed
    ● No metadata exchange
    ● Simple Single Log Out
  – SAML2
    ● Metadata exchange (keys)
    ● Single Log Out is hell!
● Assertions: packages of information
  – « Luis belongs to CERN IT-DEP »
  – « He has been authenticated by login.cern.ch »
● Actors
  – User Agent: web browser
  – Service Provider: relying party
  – Identity Provider: asserting party
[Diagram: WS-Fed & SAML2 login. Actors: Bob (web browser), SP, IdP. Messages: protected resource request, challenge credentials, credentials, resource.]
21
CERN SSO. WS-Fed & SAML2
[Diagram: WS-Fed Single Logout. Actors: Bob (web browser), IdP, SP1, SP2. Messages: Request Logout from the browser to the IdP; the IdP's logout page issues one logout request per SP (Request Logout to SP1 and to SP2).]
22
CERN SSO. WS-Fed & SAML2
[Diagram: SAML2 Single Logout. Actors: Bob (web browser), IdP, SP1, SP2. Messages: Request Logout, logout page.]
23
CERN SSO. WS-Fed & SAML2
● Shibboleth
  – Open-source
    ● Active community
    ● IdP & SP
  – Linux/Windows
    ● Apache httpd server
    ● IIS web server
  – Installation:
    ● Simple
    ● Modular
  – Assertions
    ● HTTP headers
      – Header too big!
    ● Security: front-end delegated
  – Tricky:
    ● StorageService
    ● Memcache client, uf…
  – Single Log Out
    ● Simple!
WS-Fed @ CERN
ERROR XMLTooling.StorageService.MEMCACHE [7]:
Memcache::getMemcache: CONNECTION FAILURE
24
CERN SSO. WS-Fed & SAML2
● Oracle WebLogic
  – « Swiss army knife »
    ● WLST (jython)
    ● Console
    ● REST
    ● Cluster, Datasources
    ● JEE 7 compliant
● Multiple scenarios
  – Enterprise Apps
  – ORDS, APEX, PL/SQL
  – Proxy (HttpProxyServlet)
  – Embedded SAML2 module
● « Complex » configuration
  – « Easy » to automate
  – Cluster: requires RDBMS
    ● IdP & SP
● Implementation gaps
  – Principal & role mapping
  – Single Log Out
● Some warnings
  – « /saml2 » context mandatory
  – « / » cookie path shared by all apps in WLS
    ● One application per cluster
SAML2 @ CERN
[Diagram: SAML2 @ CERN. Actors: Alice, mapper, IdP, SP1, SP2. Messages: logout, logout page.]
25
CERN SSO. WS-Fed & SAML2
● Keycloak
  – Open-source
  – Active Community
  – IdP & SP
  – Commercial Support (Red Hat)
    ● RH-SSO (Red Hat Single Sign On)
  – Adapters
    ● Java: WildFly, Tomcat, Spring...
    ● JavaScript
  – Tomcat 8.5, 9 & TomEE
    ● Tomcat Valve
      – context.xml
    ● Servlet Filter
      – web.xml
● Some warnings
  – One Keycloak conf per /context
    ● Opposite of Oracle WebLogic
  – Global Logout signature verification
SAML2 @ CERN
26
CERN SSO. WS-Fed & SAML2
● Other
  – spring-security
  – SimpleSAMLphp
  – Native implementations:
    ● SharePoint
SAML2/WS-FED @ CERN
27
CERN SSO. WS-Fed & SAML2
● Clients (no web browser)
  – CERN SSO cookie client
    ● Perl
    ● Python
  – Apache JMeter
SAML2/WS-FED @ CERN
29
CERN SSO. OAUTH2
● Security Framework for Authorization
● Access tokens + HTTPS
● Actors (examples):
  – Resource owner: end user
  – Resource server: API
  – Client: web site consuming API
  – Authorization Server
● Grant access with owner approval
OAUTH2 in a nutshell
30
CERN SSO. OAUTH2
● Car → protected resource
● Car owner → resource owner
● Car owner → authorization server
● Parking attendant → client
● Valet key → access token
OAUTH2. Valet Parking analogy
31
CERN SSO. OAUTH2
● Two roles:
  – Authorization Server:
    ● Authenticates users
  – Resource server. Endpoints:
    ● /api/User
    ● /api/Groups
● Client Credentials grant
● Server side applications
● Applications = OAUTH2 clients
CERN SSO OAUTH2 Service
[Diagram: CERN SSO OAUTH2 Service. Actors: Alice, web application (OAuth2 client), authz server, resource server. Messages: protected resource, challenge credentials, credentials, authz token, /api/User, user info (JSON), protected resource.]
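The client-credentials exchange on this slide, simulated end to end as an added example (not code from the deck or from CERN's SSO service): the server-side web application authenticates to the authorization server with its client id and secret, receives a bearer token, and presents it to the resource server's /api/User endpoint. Client names, secrets and the directory contents are constructed, and each endpoint is a plain function standing in for an HTTPS call.

```python
"""Simulated OAuth2 client-credentials exchange (RFC 6749, section 4.4).

Constructed stand-ins for the three parties on the slide: the web application
(OAuth2 client), the authorization server that authenticates it, and the
resource server exposing /api/User and /api/Groups. Each "HTTP" message is a
plain dict and every endpoint is a function, so the whole exchange runs
offline; in the real service the same messages travel over HTTPS.
"""
import base64
import hmac
import secrets
import time

# Constructed client registry (client_id -> client_secret); values are made up.
CLIENT_REGISTRY = {"web-app": "s3cret-constructed"}

# Constructed directory data served by the resource server.
USER_DIRECTORY = {
    "alice": {"username": "alice", "department": "IT-DEP", "groups": ["it-dep-users"]},
}

TOKEN_TTL_SECONDS = 300
_issued_tokens = {}  # access_token -> {"client_id": ..., "expires_at": ...}


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credential the client sends to the token endpoint (RFC 6749, 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _parse_basic_auth(header):
    """Return (client_id, client_secret) from a Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    return (client_id, client_secret) if sep else None


def token_endpoint(headers, form, now=None):
    """Authorization server: client-credentials grant.

    Authenticates the client and issues a short-lived bearer token. Failures
    return the RFC 6749 section 5.2 error codes. `now` is injectable for tests.
    """
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    creds = _parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, client_secret = creds
    expected = CLIENT_REGISTRY.get(client_id, "")
    # Constant-time comparison so a wrong secret cannot be probed byte by byte.
    if not expected or not hmac.compare_digest(client_secret.encode(), expected.encode()):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)
    _issued_tokens[token] = {"client_id": client_id, "expires_at": now + TOKEN_TTL_SECONDS}
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_TTL_SECONDS}


def _authenticate_bearer(headers, now):
    """Resource server side: look up the presented bearer token; None if invalid or expired."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    record = _issued_tokens.get(auth[len("Bearer "):])
    if record is None or record["expires_at"] <= now:
        return None
    return record


def resource_endpoint(path, headers, query, now=None):
    """Resource server: /api/User and /api/Groups, reachable only with a valid token."""
    now = time.time() if now is None else now
    if _authenticate_bearer(headers, now) is None:
        return 401, {"error": "invalid_token"}
    user = USER_DIRECTORY.get(query.get("username", ""))
    if user is None:
        return 404, {"error": "unknown_user"}
    if path == "/api/User":
        return 200, {"username": user["username"], "department": user["department"]}
    if path == "/api/Groups":
        return 200, {"username": user["username"], "groups": user["groups"]}
    return 404, {"error": "not_found"}


def client_fetch_user(client_id, client_secret, username, now=None):
    """Web application (OAuth2 client): get a token, then call /api/User with it.

    The token stays server side; the browser user (Alice) never sees it.
    """
    status, body = token_endpoint({"Authorization": basic_auth_header(client_id, client_secret)},
                                  {"grant_type": "client_credentials"}, now=now)
    if status != 200:
        return status, body
    return resource_endpoint("/api/User",
                             {"Authorization": "Bearer " + body["access_token"]},
                             {"username": username}, now=now)


if __name__ == "__main__":
    print(client_fetch_user("web-app", "s3cret-constructed", "alice"))
    print(client_fetch_user("web-app", "wrong-secret", "alice"))
```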
32
CERN SSO. OAUTH2
● Other clients:
  – Java
    ● Atlassian Jira
  – Javascript
    ● nile-sso-proxy
● Other OAUTH2 flow
  – Implicit client
    ● Oracle JET & ORDS
CERN SSO OAUTH2 Service
34
CERN SSO. WHAT’S NEXT?
36
Take-aways
● Cloud services & third party systems
  – Common authentication layer becomes a must
  – Federation
● Challenges:
  – Authorization
  – Integration
37
Take-aways
● Other solutions
  – CAS
  – OpenAM
● SAML2 vs OAUTH2 vs OpenID Connect (OIDC)
  – SAML2
    ● Mature
    ● Verbose
    ● SSO use case
    ● Web apps UI (web profile)
    ● Hard back-end integration
  – OAUTH2
    ● Young
    ● Simple
    ● Access delegation use case
    ● Front end
    ● APIs
  – OpenID Connect
    ● OAUTH2 authentication
      – Access token
      – ID token
    ● JSON Web Token
    ● SSO use case
● When to use what?
38
QUESTIONS?
luis.rodriguez.fernandez@cern.ch
https://www.slideshare.net/gauchoproluanco/1000-thingsssocodeone
http://db-blog.web.cern.ch/
39
References. Clients
● CERN SSO Client Cookie
  – https://linux.web.cern.ch/linux/docs/cernssocookie.shtml
● CERN SSO Python
  – https://github.com/cerndb/cern-sso-python
● CERNDB JMETER TEST PLAN
  – https://github.com/jdanielcano/cerndb-sw-jmeter-test-plan
● OAUTH2 Authz Service Java Demo Client
  – https://gitlab.cern.ch/db/cern-oauth2-authz-service-client
● Nile SSO Proxy
  – https://gitlab.cern.ch/db/nile-sso-proxy
● JET OAUTH2 ORDS client
  – https://github.com/cerndb/jet-oauth2-ords
40
References. WLS libraries
● Oracle WebLogic CERN SSO integration packages
  – https://github.com/cerndb/wls-cern-sso
41
References. Presentations
● UKOUG: Oracle WebLogic as a Service Provider for CERN Web Applications: APEX & JAVA EE
  – https://openlab-archive-phases-iv-v.web.cern.ch/publications/presentations/weblogic-service-provider-cern-web-ap
● 6th Control System Cyber-Security Workshop (CS)2/HEP: 1000 Thousand Things…
  – https://openlab-archive-phases-iv-v.web.cern.ch/publications/presentations/1000-things-you-always-want-know-about-sso-you-never-dare-ask
● Building Secure REST Architectures with ORDS
  – https://openlab-archive-phases-iv-v.web.cern.ch/sites/openlab-archive-phases-iv-v.web.cern.ch/files/presentations
42
References. Blog entries
● Oracle WebLogic SAML2 Authorization
  – https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2015-02-oracle-weblogic-saml2-authorization
● SSO For Oracle REST Data Services
  – https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2017-04-sso-oracle-rest-dataservices
● Oracle JET, ORDS & OAUTH2
  – https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2017-04-oracle-jet-ords-oauth2
● Java Web Application Based on OAUTH2
  – https://db-blog.web.cern.ch/blog/emil-kleszcz/2016-08-java-web-application-based-oauth2
43
References. Documentation
● Oracle WebLogic Server 12.1.3. Configuring SAML2 Services
  – https://docs.oracle.com/middleware/1213/wls/SECMG/saml20.htm#SECMG279
● Shibboleth Service Provider
  – https://wiki.shibboleth.net/confluence/display/SP3/Home
● Keycloak SAML Java Adapters
  – https://www.keycloak.org/docs/latest/securing_apps/index.html#saml-2
44
Credits
● Open source image
  – http://www.picserver.org/o/open-source.html
● Larry Ellison picture courtesy of Home Water Softener Reviews
  – www.homewatersoftenerreviews.com
● CERN pictures
  – https://press.cern/press-releases
● Post-it password pictures courtesy of Marco Verch
  – https://www.flickr.com/photos/30478819@N08/29613520138
45
CERN OPENLAB CONTACTS
ALBERTO DI MEGLIO
CERN openlab Head
alberto.di.meglio@cern.ch
MARIA GIRONE
CERN openlab CTO
maria.girone@cern.ch
FONS RADEMAKERS
CERN openlab CRO
fons.rademakers@cern.ch
ANDREW PURCELL
CERN openlab Communications Officer
andrew.purcell@cern.ch
KRISTINA GUNNE
CERN openlab Administration/Finance Officer
kristina.gunne@cern.ch
www.cern.ch/openlab

More Related Content

Similar to 1000 things-sso-code-one

Expressive Microservice Framework Blastoff
Expressive Microservice Framework BlastoffExpressive Microservice Framework Blastoff
Expressive Microservice Framework BlastoffAdam Culp
 
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwaresWorteks
 
Bogdan Kecman INIT Presentation
Bogdan Kecman INIT PresentationBogdan Kecman INIT Presentation
Bogdan Kecman INIT Presentationarhismece
 
SDN - Openflow + OpenVSwitch + Quantum
SDN - Openflow + OpenVSwitch + QuantumSDN - Openflow + OpenVSwitch + Quantum
SDN - Openflow + OpenVSwitch + QuantumRodrigo Campos
 
Rundeck's History and Future
Rundeck's History and FutureRundeck's History and Future
Rundeck's History and Futuredev2ops
 
Unifying Events and Logs into the Cloud
Unifying Events and Logs into the CloudUnifying Events and Logs into the Cloud
Unifying Events and Logs into the CloudEduardo Silva Pereira
 
Unifying Events and Logs into the Cloud
Unifying Events and Logs into the CloudUnifying Events and Logs into the Cloud
Unifying Events and Logs into the CloudTreasure Data, Inc.
 
LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.
 LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora. LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.
LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.OW2
 
FIWARE Global Summit - Real-time Media Stream Processing Using Kurento
FIWARE Global Summit - Real-time Media Stream Processing Using KurentoFIWARE Global Summit - Real-time Media Stream Processing Using Kurento
FIWARE Global Summit - Real-time Media Stream Processing Using KurentoFIWARE
 
Thinking DevOps in the Era of the Cloud - Demi Ben-Ari
Thinking DevOps in the Era of the Cloud - Demi Ben-AriThinking DevOps in the Era of the Cloud - Demi Ben-Ari
Thinking DevOps in the Era of the Cloud - Demi Ben-AriDemi Ben-Ari
 
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...Codemotion
 
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...Demi Ben-Ari
 
Experiences building a distributed shared log on RADOS - Noah Watkins
Experiences building a distributed shared log on RADOS - Noah WatkinsExperiences building a distributed shared log on RADOS - Noah Watkins
Experiences building a distributed shared log on RADOS - Noah WatkinsCeph Community
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL ProcessRocket Software
 
FIWARE Tech Summit - Stream Processing with Kurento Media Server
FIWARE Tech Summit - Stream Processing with Kurento Media ServerFIWARE Tech Summit - Stream Processing with Kurento Media Server
FIWARE Tech Summit - Stream Processing with Kurento Media ServerFIWARE
 
Ostd.ksplice.talk
Ostd.ksplice.talkOstd.ksplice.talk
Ostd.ksplice.talkUdo Seidel
 

Similar to 1000 things-sso-code-one (20)

Expressive Microservice Framework Blastoff
Expressive Microservice Framework BlastoffExpressive Microservice Framework Blastoff
Expressive Microservice Framework Blastoff
 
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
 
Bogdan Kecman INIT Presentation
Bogdan Kecman INIT PresentationBogdan Kecman INIT Presentation
Bogdan Kecman INIT Presentation
 
SDN - Openflow + OpenVSwitch + Quantum
SDN - Openflow + OpenVSwitch + QuantumSDN - Openflow + OpenVSwitch + Quantum
SDN - Openflow + OpenVSwitch + Quantum
 
Rundeck's History and Future
Rundeck's History and FutureRundeck's History and Future
Rundeck's History and Future
 
Redis at LINE
Redis at LINERedis at LINE
Redis at LINE
 
Unifying Events and Logs into the Cloud
Unifying Events and Logs into the CloudUnifying Events and Logs into the Cloud
Unifying Events and Logs into the Cloud
 
Unifying Events and Logs into the Cloud
Unifying Events and Logs into the CloudUnifying Events and Logs into the Cloud
Unifying Events and Logs into the Cloud
 
LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.
 LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora. LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.
LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.
 
FIWARE Global Summit - Real-time Media Stream Processing Using Kurento
FIWARE Global Summit - Real-time Media Stream Processing Using KurentoFIWARE Global Summit - Real-time Media Stream Processing Using Kurento
FIWARE Global Summit - Real-time Media Stream Processing Using Kurento
 
Thinking DevOps in the Era of the Cloud - Demi Ben-Ari
Thinking DevOps in the Era of the Cloud - Demi Ben-AriThinking DevOps in the Era of the Cloud - Demi Ben-Ari
Thinking DevOps in the Era of the Cloud - Demi Ben-Ari
 
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...
 
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...
 
Experiences building a distributed shared log on RADOS - Noah Watkins
Experiences building a distributed shared log on RADOS - Noah WatkinsExperiences building a distributed shared log on RADOS - Noah Watkins
Experiences building a distributed shared log on RADOS - Noah Watkins
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL Process
 
FIWARE Tech Summit - Stream Processing with Kurento Media Server
FIWARE Tech Summit - Stream Processing with Kurento Media ServerFIWARE Tech Summit - Stream Processing with Kurento Media Server
FIWARE Tech Summit - Stream Processing with Kurento Media Server
 
Api presentation
Api presentationApi presentation
Api presentation
 
Ostd.ksplice.talk
Ostd.ksplice.talkOstd.ksplice.talk
Ostd.ksplice.talk
 

Recently uploaded

Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Maxim Salnikov
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio, Inc.
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMarkus Moeller
 
From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIFrom Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIInflectra
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfkalichargn70th171
 
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypseTomasz Kowalczewski
 
Spring into AI presented by Dan Vega 5/14
Spring into AI presented by Dan Vega 5/14Spring into AI presented by Dan Vega 5/14
Spring into AI presented by Dan Vega 5/14VMware Tanzu
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Andrea Goulet
 
The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationElement34
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletAndrea Goulet
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
^Clinic ^%[+27788225528*Abortion Pills For Sale In hararekasambamuno
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Henry Schreiner
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbankkasambamuno
 
A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfICS
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024Shane Coughlan
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringPrakhyath Rai
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Lisi Hocke
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfSrushith Repakula
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Chirag Panchal
 

Recently uploaded (20)

Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
 
Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 
From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIFrom Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST API
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
 
Spring into AI presented by Dan Vega 5/14
Spring into AI presented by Dan Vega 5/14Spring into AI presented by Dan Vega 5/14
Spring into AI presented by Dan Vega 5/14
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test Automation
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
 
A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdf
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements Engineering
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdf
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024
 

1000 things-sso-code-one

  • 1. 1 A Thousand Things You Always Wanted To Know About SSO But Never Dared Ask Luis Rodríguez Fernández Oracle Code One. San Francisco. 24/10/2018
  • 2. 2 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández
  • 3. 3 What is this presentation about? ● SSO components – Identity Provider – Service Provider ● IdP high level implementation details ● Focus on securing applications ● SAML2, WS-Fed, Oauth2 (client credentials) ● Real Use Cases ● Open-source & commercial solutions ● Tips & Tricks Luis Rodríguez Fernández IDP SP SAML2 WS-FED OAUTH2
  • 4. 4 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández
  • 5. 5 About your speaker ● Software Engineer ● Service Manager – Databases Applications Service ● Oracle WebLogic (~350 servers) ● Apache Tomcat (~40 servers) ● ~200 URLs ● From Spain (Asturias) Luis Rodríguez Fernández
  • 6. 6 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández
  • 7. 7 About CERN ● Fundamental Research – What’s the Universe made of ? – How did it start ? – What matter is made of ? ● Tools – Accelerators – Detectors ● Three pillars – Research – Innovation – Education ● Science for peace Luis Rodríguez Fernández Research uniting people
  • 8. 8 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández
  • 9. 9 About CERN openlab A public-private partnership between the research community and industry Luis Rodríguez Fernández
  • 10. 10 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández
• 11. Why SSO? Security
• 12. Why SSO? Federation
• 13. Why SSO? Unique pair of credentials
• 14. Why SSO? Computer Security Officer
• 16. About CERN SSO (diagram slides 16 to 18)
• 20. CERN SSO. WS-Fed & SAML2
  ● Very similar
    – WS-Fed
      ● No metadata exchange
      ● Simple Single Log Out
    – SAML2
      ● Metadata exchange (keys)
      ● Single Log Out is hell!
  ● Assertions: packages of information
    – « Luis belongs to CERN IT-DEP »
    – « He has been authenticated by login.cern.ch »
  ● Actors
    – User Agent: web browser
    – Service Provider: relying party
    – Identity Provider: asserting party
  [Diagram: WS-Fed & SAML2 login. Bob's web browser asks the SP for a protected resource; the SP sends the browser to the IdP, which challenges for credentials; once Bob has authenticated, the IdP's assertion reaches the SP and the SP serves the resource.]
• 21. CERN SSO. WS-Fed & SAML2 (same bullets as slide 20)
  [Diagram: WS-Fed Single Logout. Bob's browser sends a logout request to the IdP; the IdP answers with a logout page that carries one logout request per SP (SP1, SP2), which the browser delivers to each SP.]
• 22. CERN SSO. WS-Fed & SAML2 (same bullets as slide 20)
  [Diagram: SAML2 Single Logout. Bob's browser sends a logout request to the IdP; the IdP propagates the logout to SP1 and SP2 and then shows the logout page.]
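The assertions and actors of slides 20 to 22 translate into a concrete list of checks on the Service Provider side. The following is an added example, not code from the deck or from any of the SP products it mentions: a Python validator for a SAML2 Response that applies the acceptance rules an SP enforces after the XML signature has been verified (issuer, Destination and InResponseTo binding to our own AuthnRequest, success status, validity window with clock skew, AudienceRestriction, bearer SubjectConfirmation, and one-time consumption of the assertion ID against replay). The sample Response, the IdP issuer, the SP entity ID and ACS URL are constructed placeholders. Signature verification is deliberately left to the SP library (xmlsec); without it none of the checks below mean anything.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder identifiers (assumed, not CERN's real configuration).
IDP_ISSUER = "https://login.example.cern.ch/adfs/services/trust"
SP_ENTITY_ID = "https://sp.example.cern.ch"
SP_ACS_URL = "https://sp.example.cern.ch/saml2/acs"
REQUEST_ID = "_req42"   # ID of the AuthnRequest this SP sent and kept in the session
SAMPLE_NOW = datetime(2018, 10, 24, 10, 1, tzinfo=timezone.utc)

# Constructed sample Response. A real one carries an XML signature that the SP
# library verifies against the IdP key from metadata BEFORE these checks run.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1"
  Version="2.0" IssueInstant="2018-10-24T10:00:00Z" Destination="{SP_ACS_URL}" InResponseTo="{REQUEST_ID}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-10-24T10:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>luis</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{REQUEST_ID}"
          NotOnOrAfter="2018-10-24T10:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2018-10-24T09:59:00Z" NotOnOrAfter="2018-10-24T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>CERN IT-DEP</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

class SamlError(Exception):
    pass

def parse_time(value):
    """xsd:dateTime in UTC ('...Z'); fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, *, expected_issuer, acs_url, entity_id, request_id,
                      now, seen_ids, skew=timedelta(seconds=60)):
    """SP-side acceptance rules for an (already signature-verified) Response.
    Returns subject + attributes, or raises SamlError on the first failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlError("not a samlp:Response")
    if root.get("Destination") != acs_url:
        raise SamlError("Destination is not our ACS URL")
    if root.get("InResponseTo") != request_id:
        raise SamlError("InResponseTo does not match the AuthnRequest we sent")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("IdP reported a non-success status")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        raise SamlError("unexpected Issuer")
    aid = a.get("ID")
    if not aid or aid in seen_ids:          # replay: each assertion is consumed once
        raise SamlError("assertion replayed or missing ID")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("missing Conditions")
    if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")) - skew:
        raise SamlError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")) + skew:
        raise SamlError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        raise SamlError(f"we are not in the audience {audiences}")
    scd = None
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        raise SamlError("no bearer SubjectConfirmationData")
    if scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        raise SamlError("bearer confirmation Recipient/InResponseTo mismatch")
    if scd.get("NotOnOrAfter") and now >= parse_time(scd.get("NotOnOrAfter")) + skew:
        raise SamlError("bearer confirmation expired")
    seen_ids.add(aid)
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}

def run_checks():
    """Good path plus the rejections a hostile browser would trigger."""
    common = dict(expected_issuer=IDP_ISSUER, acs_url=SP_ACS_URL,
                  entity_id=SP_ENTITY_ID, request_id=REQUEST_ID)
    seen = set()
    ok = validate_response(SAMPLE_RESPONSE, now=SAMPLE_NOW, seen_ids=seen, **common)

    def rejected(**overrides):
        try:
            validate_response(SAMPLE_RESPONSE, **{**common, "now": SAMPLE_NOW, "seen_ids": seen, **overrides})
        except SamlError as e:
            return str(e)
        return None

    return {"valid": ok,
            "replay": rejected(),   # same assertion ID presented a second time
            "expired": rejected(now=SAMPLE_NOW + timedelta(minutes=10), seen_ids=set()),
            "wrong_audience": rejected(entity_id="https://other.example.cern.ch", seen_ids=set()),
            "wrong_request": rejected(request_id="_req99", seen_ids=set())}
```

In production the `seen_ids` set must live in shared storage with entries expiring at the assertion's NotOnOrAfter (this is exactly the StorageService / Memcache job that the Shibboleth SP slide complains about), otherwise a clustered SP accepts the same assertion once per node.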
• 23. CERN SSO. WS-Fed & SAML2. WS-Fed @ CERN
  ● Shibboleth
    – Open-source
      ● Active community
      ● IdP & SP
    – Linux/Windows
      ● Apache httpd server
      ● IIS web server
    – Installation:
      ● Simple
      ● Modular
    – Assertions
      ● Passed to the application as HTTP headers
        – Header too big! (an assertion with many attributes exceeds the front-end's header size limit)
      ● Security: delegated to the front-end web server. The SP module authenticates and the application only sees headers, so it must read attributes only from the headers the SP module controls, never from anything the client could have sent itself.
    – Tricky:
      ● StorageService
      ● Memcache client, uf…
        ERROR XMLTooling.StorageService.MEMCACHE [7]: Memcache::getMemcache: CONNECTION FAILURE
    – Single Log Out
      ● Simple!
• 24. CERN SSO. WS-Fed & SAML2. SAML2 @ CERN
  ● Oracle WebLogic
    – « Swiss army knife »
      ● WLST (Jython)
      ● Console
      ● REST
      ● Cluster, Datasources
      ● Java EE 7 compliant
      ● Multiple scenarios
        – Enterprise apps
        – ORDS, APEX, PL/SQL
        – Proxy (HttpProxyServlet)
    – Embedded SAML2 module
      ● « Complex » configuration
        – « Easy » to automate
        – Cluster: requires an RDBMS (the SAML2 services need the RDBMS security store when clustered)
      ● IdP & SP
      ● Implementation gaps
        – Principal & role mapping
        – Single Log Out
      ● Some warnings
        – « /saml2 » context is mandatory
        – « / » cookie path: the SSO cookie is shared by all apps in the WLS server
          ● Hence one application per cluster
  [Diagram: SAML2 Single Logout with WebLogic. Alice, IdP, MAPPER, SP1, SP2, logout page.]
• 25. CERN SSO. WS-Fed & SAML2. SAML2 @ CERN
  ● Keycloak
    – Open-source
    – Active community
    – IdP & SP
    – Commercial support (Red Hat)
      ● RH-SSO (Red Hat Single Sign-On)
    – Adapters
      ● Java: WildFly, Tomcat, Spring...
      ● JavaScript
    – Tomcat 8.5, 9 & TomEE
      ● Tomcat Valve
        – context.xml
      ● Servlet Filter
        – web.xml
    – Some warnings
      ● One Keycloak configuration per /context
        – The opposite of Oracle WebLogic
      ● Global logout signature verification
• 26. CERN SSO. WS-Fed & SAML2. SAML2/WS-FED @ CERN
  ● Other
    – spring-security
    – SimpleSAMLphp
    – Native implementations:
      ● SharePoint
• 27. CERN SSO. WS-Fed & SAML2. SAML2/WS-FED @ CERN
  ● Clients (no web browser)
    – CERN SSO cookie client
      ● Perl
      ● Python
    – Apache JMeter
• 29. CERN SSO. OAUTH2. OAUTH2 in a nutshell
  ● Authorization framework (RFC 6749); by itself it does not authenticate the user
  ● Access tokens + HTTPS (bearer tokens must only travel over TLS)
  ● Actors (examples):
    – Resource owner: end user
    – Resource server: API
    – Client: web site consuming the API
    – Authorization Server
      ● Grants access with the owner's approval
• 30. CERN SSO. OAUTH2. Valet parking analogy
  ● Car → protected resource
  ● Car owner → resource owner
  ● Car owner → authorization server (hands out the limited key)
  ● Parking attendant → client
  ● Valet key → access token (limited rights)
• 31. CERN SSO. OAUTH2. CERN SSO OAUTH2 Service
  ● Two roles:
    – Authorization Server:
      ● Authenticates users
    – Resource server. Endpoints:
      ● /api/User
      ● /api/Groups
  ● Client Credentials grant
  ● Server-side applications
  ● Applications = OAUTH2 clients
  [Diagram: Alice asks the web application (the OAuth2 client) for a protected resource; she is challenged for credentials by the authorization server; the client obtains an authorization token, calls /api/User on the resource server, receives the user info as JSON and then serves the protected resource.]
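What the Client Credentials grant of slide 31 looks like on the wire, as an added example in Python (not code from the deck, from the CERN OAuth2 service or from its demo clients): the application authenticates as itself with HTTP Basic at the token endpoint, receives a bearer token, and presents it to the resource server's `/api/User`. To run offline it talks to an in-process stand-in that plays both the authorization server and the resource server over loopback HTTP; the token endpoint path `/OAuth/Token`, the client id and secret, the opaque token format and the returned user record are assumptions for the example, and a real deployment uses HTTPS only.

```python
import base64, hmac, json, secrets, threading
import urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CLIENT_ID, CLIENT_SECRET = "my-web-app", "secret-from-registration"   # placeholders

class FakeSsoHandler(BaseHTTPRequestHandler):
    """Stand-in for both roles of the OAuth2 service: /OAuth/Token (authorization
    server) and /api/User (resource server). Tokens are opaque random strings kept
    server side so the resource server can look them up."""
    issued = {}  # access_token -> client_id

    def _json(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path != "/OAuth/Token":
            return self._json(404, {"error": "not_found"})
        # Client authentication: HTTP Basic with the registered id:secret (RFC 6749 2.3.1),
        # compared in constant time.
        want = "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        got = self.headers.get("Authorization", "")
        if not hmac.compare_digest(got.encode(), want.encode()):
            return self._json(401, {"error": "invalid_client"})
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        if form.get("grant_type") != ["client_credentials"]:
            return self._json(400, {"error": "unsupported_grant_type"})
        token = secrets.token_urlsafe(32)
        self.issued[token] = CLIENT_ID
        self._json(200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600})

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if not (auth.startswith("Bearer ") and auth[7:] in self.issued):
            return self._json(401, {"error": "invalid_token"})
        if self.path == "/api/User":
            return self._json(200, {"username": "alice", "groups": ["it-dep"]})
        self._json(404, {"error": "not_found"})

    def log_message(self, *_):  # keep the example quiet
        pass

# No proxy so the loopback stand-in is reached directly; a real client uses the default opener.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch_token(base_url, client_id, client_secret, scope=None):
    """Client credentials grant (RFC 6749 4.4): the application authenticates as itself."""
    body = {"grant_type": "client_credentials", **({"scope": scope} if scope else {})}
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(base_url + "/OAuth/Token", method="POST",
                                 data=urllib.parse.urlencode(body).encode(),
                                 headers={"Authorization": "Basic " + basic,
                                          "Content-Type": "application/x-www-form-urlencoded"})
    with OPENER.open(req) as resp:
        tok = json.load(resp)
    if tok.get("token_type", "").lower() != "bearer" or not tok.get("access_token"):
        raise ValueError("unexpected token response")
    return tok

def call_api(base_url, access_token, path):
    """Present the access token as a Bearer credential; the resource server decides."""
    req = urllib.request.Request(base_url + path, headers={"Authorization": "Bearer " + access_token})
    with OPENER.open(req) as resp:
        return json.load(resp)

def _status(fn):
    """HTTP status of a rejected call, or None when the call succeeded."""
    try:
        fn()
    except urllib.error.HTTPError as e:
        return e.code
    return None

def run_exchange():
    """Start the stand-in on a loopback port, run the exchange, return what happened."""
    server = HTTPServer(("127.0.0.1", 0), FakeSsoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        token = fetch_token(base, CLIENT_ID, CLIENT_SECRET)
        return {"token_type": token["token_type"],
                "user": call_api(base, token["access_token"], "/api/User"),
                "bad_secret": _status(lambda: fetch_token(base, CLIENT_ID, "wrong")),
                "no_token": _status(lambda: call_api(base, "", "/api/User")),
                "forged_token": _status(lambda: call_api(base, "forged", "/api/User"))}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(json.dumps(run_exchange(), indent=2))
```

The client secret is the application's password: keep it out of the WAR and in the server's credential store, and cache the token until `expires_in` instead of hitting the token endpoint on every request.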
• 32. CERN SSO. OAUTH2. CERN SSO OAUTH2 Service
  ● Other clients:
    – Java
      ● Atlassian Jira
    – JavaScript
      ● nile-sso-proxy
  ● Other OAUTH2 flow
    – Implicit grant (browser client)
      ● Oracle JET & ORDS
      ● Caveat: the implicit grant hands the access token to the browser in the URL fragment; the OAuth 2.0 Security Best Current Practice recommends the authorization code grant with PKCE for browser applications instead
• 34. CERN SSO. What's next?
• 36. Take-aways
  ● Cloud services & third-party systems
    – A common authentication layer becomes a must
    – Federation
  ● Challenges:
    – Authorization
    – Integration
• 37. Take-aways
  ● Other solutions
    – CAS
    – OpenAM
  ● SAML2 vs OAUTH2 vs OpenID Connect (OIDC)
    – SAML2
      ● Mature
      ● Verbose
      ● SSO use case
      ● Web apps UI (web browser SSO profile)
      ● Hard back-end integration
    – OAUTH2
      ● Young
      ● Simple
      ● Access delegation use case (authorization, not authentication)
      ● Front end
      ● APIs
    – OpenID Connect
      ● An authentication layer on top of OAUTH2
        – Access token (for calling the API)
        – ID token (tells the client who authenticated)
      ● JSON Web Token
      ● SSO use case
  ● When to use what?
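The ID token is the piece that turns OAuth2 into an authentication protocol, and it is only as good as the checks the relying party runs on it. The following is an added example (not from the deck, and not any library's code): the ID token validation of OpenID Connect Core section 3.1.3.7 in plain Python, with a pinned algorithm, constant-time signature comparison, issuer, audience/azp, expiry with leeway, and nonce. It uses HS256 with the client secret as key so it runs without an RSA key pair; the token-minting function exists only to produce test input (a real OP signs with its private key and the RP fetches the public key from the JWKS endpoint). Issuer, client id, secret, timestamps and claims are placeholder values.

```python
import base64, hashlib, hmac, json

CLIENT_SECRET = b"client-secret-shared-with-the-op"   # placeholder HS256 key
ISSUER = "https://auth.example.cern.ch"               # placeholder OP issuer
CLIENT_ID = "my-web-app"
NOW = 1540375200   # 2018-10-24T10:00:00Z, fixed so the example is deterministic

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims, key=CLIENT_SECRET, alg="HS256"):
    """Mint a compact JWT (test input only). alg='none' exists here only to show
    that a verifier must reject it."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class IdTokenError(Exception):
    pass

def verify_id_token(token, *, key, issuer, client_id, nonce, now, leeway=60):
    """ID token checks for an HS256-signed token. Returns the claims or raises."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_unb64url(h64))
    # The RP pins the algorithm it configured; the token does not get to choose it.
    if header.get("alg") != "HS256":
        raise IdTokenError(f"alg {header.get('alg')!r} not allowed")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise IdTokenError("signature mismatch")
    claims = json.loads(_unb64url(p64))
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise IdTokenError("token not issued for this client (aud)")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences but azp is not us")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + leeway:
        raise IdTokenError("token expired")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + leeway:
        raise IdTokenError("token issued in the future")
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch (replay or CSRF)")
    return claims

def run_checks():
    """A good token and the classic attacks against a sloppy verifier."""
    good = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "exp": NOW + 300, "iat": NOW, "nonce": "n-1"}
    kw = dict(key=CLIENT_SECRET, issuer=ISSUER, client_id=CLIENT_ID, nonce="n-1", now=NOW)

    def outcome(token, **over):
        try:
            return verify_id_token(token, **{**kw, **over})["sub"]
        except IdTokenError as e:
            return str(e)

    h, _, s = make_jwt(good).split(".")   # keep the real signature, swap the payload
    forged = f"{h}.{_b64url(json.dumps({**good, 'sub': 'admin'}).encode())}.{s}"
    return {"valid": outcome(make_jwt(good)),
            "alg_none": outcome(make_jwt({**good, "sub": "admin"}, alg="none")),
            "tampered": outcome(forged),
            "wrong_key": outcome(make_jwt(good, key=b"attacker")),
            "expired": outcome(make_jwt(good), now=NOW + 600),
            "wrong_aud": outcome(make_jwt({**good, "aud": "other-app"})),
            "wrong_nonce": outcome(make_jwt(good), nonce="n-2")}
```

The nonce is what binds the ID token to the browser session that started the login; an RP that skips it accepts a token that was obtained in some other session, which is the OIDC equivalent of the SAML InResponseTo check.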
• 39. References. Clients
  ● CERN SSO Client Cookie: https://linux.web.cern.ch/linux/docs/cernssocookie.shtml
  ● CERN SSO Python: https://github.com/cerndb/cern-sso-python
  ● CERNDB JMeter test plan: https://github.com/jdanielcano/cerndb-sw-jmeter-test-plan
  ● OAUTH2 Authz Service Java demo client: https://gitlab.cern.ch/db/cern-oauth2-authz-service-client
  ● Nile SSO Proxy: https://gitlab.cern.ch/db/nile-sso-proxy
  ● JET OAUTH2 ORDS client: https://github.com/cerndb/jet-oauth2-ords
• 40. References. WLS libraries
  ● Oracle WebLogic CERN SSO integration packages: https://github.com/cerndb/wls-cern-sso
• 41. References. Presentations
  ● UKOUG: Oracle WebLogic as a Service Provider for CERN Web Applications: APEX & JAVA EE: https://openlab-archive-phases-iv-v.web.cern.ch/publications/presentations/weblogic-service-provider-cern-web-ap
  ● 6th Control System Cyber-Security Workshop (CS)2/HEP: 1000 Things…: https://openlab-archive-phases-iv-v.web.cern.ch/publications/presentations/1000-things-you-always-want-know-about-sso-you-never-dare-ask
  ● Building Secure REST Architectures with ORDS: https://openlab-archive-phases-iv-v.web.cern.ch/sites/openlab-archive-phases-iv-v.web.cern.ch/files/presentations
• 42. References. Blog entries
  ● Oracle WebLogic SAML2 Authorization: https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2015-02-oracle-weblogic-saml2-authorization
  ● SSO for Oracle REST Data Services: https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2017-04-sso-oracle-rest-dataservices
  ● Oracle JET, ORDS & OAUTH2: https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2017-04-oracle-jet-ords-oauth2
  ● Java Web Application Based on OAUTH2: https://db-blog.web.cern.ch/blog/emil-kleszcz/2016-08-java-web-application-based-oauth2
• 43. References. Documentation
  ● Oracle WebLogic Server 12.1.3. Configuring SAML2 Services: https://docs.oracle.com/middleware/1213/wls/SECMG/saml20.htm#SECMG279
  ● Shibboleth Service Provider: https://wiki.shibboleth.net/confluence/display/SP3/Home
  ● Keycloak SAML Java Adapters: https://www.keycloak.org/docs/latest/securing_apps/index.html#saml-2
• 44. Credits
  ● Open source image: http://www.picserver.org/o/open-source.html
  ● Larry Ellison picture courtesy of Home Water Softener Reviews: www.homewatersoftenerreviews.com
  ● CERN pictures: https://press.cern/press-releases
  ● Post-it password pictures courtesy of Marco Verch: https://www.flickr.com/photos/30478819@N08/29613520138
• 45. CERN openlab contacts
  ● Alberto Di Meglio, CERN openlab Head: alberto.di.meglio@cern.ch
  ● Maria Girone, CERN openlab CTO: maria.girone@cern.ch
  ● Fons Rademakers, CERN openlab CRO: fons.rademakers@cern.ch
  ● Andrew Purcell, CERN openlab Communications Officer: andrew.purcell@cern.ch
  ● Kristina Gunne, CERN openlab Administration/Finance Officer: kristina.gunne@cern.ch
  ● www.cern.ch/openlab

Editor's Notes

  1. High-level overview of the CERN Identity Provider
     - Main component: Microsoft Active Directory Federation Services 2
     - Exposes the endpoints used by the web applications
       - receiving authentication requests
       - sending authentication responses
     - Standards/protocols: WS-FED, SAML2 & OAUTH2
     - Authentication. Users directory: Microsoft Active Directory
       - No big issues with the integration of both
       - Users directory info comes from HR systems
       - Groups management: e-mail lists; also used as Access Control Lists by the applications
     - Linux systems: Kerberos
     - LDAP endpoints
       - Authentication
       - Anonymous query (GDPR)
  2. Authentication
     - User name and password
     - Personal certificate
     - Windows:
       - Windows authentication
       - kiosk applications: service account → browser
     - Linux:
       - Kerberos ticket
     - Two-factor authentication
     - Network applications
     - External public accounts
       - CERN Market: buy & sell second hand
     - Federation
       - Users log in from federated/trusted universities & institutes
       - Assertions
  3. Main tasks
     - Authenticate
     - Send assertions (user information)
     - First authorization layer
       - Identity classes
       - Types of accounts
  4. 100% of the apps use WS-FED/SAML2
     - WS-FED
       - Microsoft, BEA, IBM
       - A long time in the market
       - Implemented by well-known open-source solutions
     - SAML2: Security Assertion Markup Language
       - OASIS: Organization for the Advancement of Structured Information Standards
     - Very similar
       - SAML2 is more verbose
       - Logout is hell
     - Core of the implementation
       - Assertions: packages of information
       - Actors:
         - User agent: web browser
         - Service Provider: relying party
         - Identity Provider: asserting party
     - Login flow
     - WS-FED logout
     - SAML2 logout