Code One 2018 presentation. "A Thousand Things You Always Wanted To Know About SSO But Never Dared Ask". How many times have you been in a meeting with a salesperson and started to sweat when you heard, “Yes, the system will be fully integrated with your SSO”? How many times have you searched the internet for SSO and closed your browser after the second click? SAML, OAuth, WS-Fed... which of these is the right protocol? Shibboleth, OpenAM, ADFS2, Keycloak... do I need all of them? Do I need them at all? Which is the right solution for my application? How can I protect my APIs? This session covers the most popular SSO scenarios and will guide you along the sometimes obscure path to the “log in once and access everything” Grail.
1. 1
A Thousand Things You Always Wanted To Know About SSO But Never Dared Ask
Luis Rodríguez Fernández
Oracle Code One. San Francisco. 24/10/2018
2. 2
Agenda
What’s this presentation about?
About your speaker
About CERN
About CERN openlab
Why SSO?
CERN SSO
CERN SSO. WS-Fed & SAML2
CERN SSO. OAUTH2
CERN SSO. What’s next?
Take-aways
3. 3
What is this presentation about?
● SSO components
  – Identity Provider
  – Service Provider
● IdP high-level implementation details
● Focus on securing applications
● SAML2, WS-Fed, OAuth2 (client credentials)
● Real use cases
● Open-source & commercial solutions
● Tips & tricks
[Diagram: IDP and SP, with SAML2, WS-FED and OAUTH2 between them]
5. 5
About your speaker
● Software Engineer
● Service Manager
  – Databases Applications Service
    ● Oracle WebLogic (~350 servers)
    ● Apache Tomcat (~40 servers)
    ● ~200 URLs
● From Spain (Asturias)
7. 7
About CERN
● Fundamental research
  – What’s the Universe made of?
  – How did it start?
  – What is matter made of?
● Tools
  – Accelerators
  – Detectors
● Three pillars
  – Research
  – Innovation
  – Education
● Science for peace
[Image caption: Research uniting people]
9. 9
About CERN openlab
A public-private partnership between the research community and industry
20. 20
CERN SSO. WS-Fed & SAML2
● Very similar
  – WS-Fed
    ● No metadata exchange
    ● Simple Single Log Out
  – SAML2
    ● Metadata exchange (keys)
    ● Single Log Out is hell!
● Assertions: packages of information
  – « Luis belongs to CERN IT-DEP »
  – « He has been authenticated by login.cern.ch »
● Actors
  – User Agent: web browser
  – Service Provider: relying party
  – Identity Provider: asserting party
[Diagram: WS-Fed & SAML2 login. Actors: Bob, web browser, SP, IdP. Steps: protected resource, challenge credentials, credentials, resource]
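The login flow on this slide ends with the SP (relying party) receiving the IdP's assertion. What the SP has to check before it trusts that "package of information" is shown below as an added Python example; it is not CERN's, Shibboleth's or WebLogic's code. The assertion, entity IDs, request ID and timestamps are constructed, and the XML-Signature verification that a real SP performs first (Shibboleth hands it to xmlsec) is assumed to have already passed.

```python
"""SP-side checks on a SAML2 bearer assertion (added example; not CERN's, Shibboleth's or
WebLogic's code). The assertion, entity IDs, request ID and timestamps are constructed.
The XML-Signature check that a real SP performs first is assumed to have already passed;
these are the checks the SP must still make before trusting the asserted information."""
import xml.etree.ElementTree as ET  # for XML from the network prefer the defusedxml package
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SP_ENTITY_ID = "https://app.example.org/saml/metadata"   # constructed
ACS_URL = "https://app.example.org/saml/acs"             # constructed
IDP_ENTITY_ID = "https://idp.example.org/"               # constructed, stands in for the IdP
NOW = datetime(2018, 10, 24, 10, 2, 0, tzinfo=timezone.utc)

# Constructed sample assertion: issued at 10:00 UTC, valid until 10:05 UTC.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a75adf55" Version="2.0" IssueInstant="2018-10-24T10:00:00Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>luis</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://app.example.org/saml/acs"
          NotOnOrAfter="2018-10-24T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-10-24T09:59:00Z" NotOnOrAfter="2018-10-24T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.org/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="group">
      <saml:AttributeValue>CERN IT-DEP</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp (xs:dateTime ending in 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, *, request_id, now=NOW, seen_ids=None,
                       skew=timedelta(seconds=60)):
    """Return (ok, reason, attributes) for an assertion delivered to the ACS."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return False, "not a SAML assertion", {}
    # 1. The issuer must be the IdP this SP federated with.
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != IDP_ENTITY_ID:
        return False, "unexpected issuer", {}
    # 2. Validity window, with a small clock-skew allowance.
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "missing Conditions", {}
    if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        return False, "assertion not yet valid", {}
    if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired", {}
    # 3. Audience: the assertion must be addressed to this SP, not to another relying party.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "audience mismatch", {}
    # 4. Bearer confirmation: a response to our own AuthnRequest, delivered to our ACS URL.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != ACS_URL:
        return False, "subject confirmation mismatch", {}
    # 5. Replay: each assertion ID is accepted once within its validity window.
    if seen_ids is not None:
        if root.get("ID") in seen_ids:
            return False, "assertion replayed", {}
        seen_ids.add(root.get("ID"))
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return True, "ok", attrs
```

The order matters in practice: the signature is verified before any of these checks, so that the issuer, conditions and subject confirmation are read from data the IdP actually signed; the skew allowance is what keeps a slightly out-of-sync IdP and SP clock from producing "not yet valid" errors at the ACS.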
21. 21
CERN SSO. WS-Fed & SAML2
[Diagram: WS-Fed Single Logout. Actors: Bob, web browser, IdP, SP1, SP2. The browser sends "Request Logout" to the IdP, which issues one logout request per SP]
22. 22
CERN SSO. WS-Fed & SAML2
[Diagram: SAML2 Single Logout. Actors: Bob, web browser, IdP, SP1, SP2. Elements: "Request Logout", logout page]
23. 23
CERN SSO. WS-Fed & SAML2
● Shibboleth
  – Open-source
    ● Active community
    ● IdP & SP
  – Linux/Windows
    ● Apache httpd server
    ● IIS web server
  – Installation:
    ● Simple
    ● Modular
  – Assertions
    ● HTTP headers
      – Header too big!
    ● Security: front-end delegated
  – Tricky:
    ● StorageService
    ● Memcache client, uf…
  – Single Log Out
    ● Simple!
WS-Fed @ CERN
ERROR XMLTooling.StorageService.MEMCACHE [7]:
Memcache::getMemcache: CONNECTION FAILURE
27. 27
CERN SSO. WS-Fed & SAML2
● Clients (no web browser)
  – CERN SSO cookie client
    ● Perl
    ● Python
  – Apache JMeter
SAML2/WS-FED @ CERN
29. 29
CERN SSO. OAUTH2
● Security framework for authorization
● Access tokens + HTTPS
● Actors (examples):
  – Resource owner: end user
  – Resource server: API
  – Client: web site consuming the API
  – Authorization server
● Grant access with owner approval
OAUTH2 in a nutshell
30. 30
CERN SSO. OAUTH2
● Car → protected resource
● Car owner → resource owner
● Car owner → authorization server
● Parking attendant → client
● Valet key → access token
OAUTH2. Valet parking analogy
31. 31
CERN SSO. OAUTH2
● Two roles:
  – Authorization Server:
    ● Authenticates users
  – Resource server. Endpoints:
    ● /api/User
    ● /api/Groups
● Client Credentials grant
● Server-side applications
● Applications = OAUTH2 clients
CERN SSO OAUTH2 Service
[Diagram: ALICE web application (client), authorization server and resource server. Steps: protected resource, challenge credentials, credentials, authz token, /api/User, user info (JSON), protected resource]
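The client-credentials flow in the diagram, with all three parties simulated in one process, as an added Python example (not CERN's SSO OAuth2 service): the server-side application authenticates to the token endpoint with its client ID and secret, receives an opaque access token, and presents it as a Bearer token to the resource server, which checks the token with the authorization server before answering. The client registry, the scope name `user.read`, the `/api/User/<login>` path shape, the user record and the timestamps are constructed.

```python
"""OAuth2 client-credentials grant: client, authorization server and resource server
simulated in-process. Added example; not CERN's SSO OAuth2 service. Client registry,
scope names, endpoint path shape, user record and timestamps are constructed."""
import hashlib
import hmac
import os
import secrets

TOKEN_TTL = 3600           # seconds an access token stays valid
DEMO_NOW = 1540375200      # constructed epoch timestamp (24 Oct 2018)


class AuthorizationServer:
    def __init__(self):
        self._clients = {}   # client_id -> (salt, PBKDF2 hash of secret, allowed scopes)
        self._tokens = {}    # opaque access token -> {client_id, scope, expires_at}

    @staticmethod
    def _hash(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def register_client(self, client_id, client_secret, scopes):
        """Store only a salted hash of the client secret, as for a user password."""
        salt = os.urandom(16)
        self._clients[client_id] = (salt, self._hash(client_secret, salt), frozenset(scopes))

    def token_endpoint(self, grant_type, client_id, client_secret, scope, now):
        """POST /token for the client_credentials grant; returns (HTTP status, JSON body)."""
        if grant_type != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        rec = self._clients.get(client_id)
        if rec is None:
            return 401, {"error": "invalid_client"}
        salt, stored, allowed = rec
        if not hmac.compare_digest(self._hash(client_secret, salt), stored):
            return 401, {"error": "invalid_client"}   # same error as unknown id: no enumeration
        requested = frozenset(scope.split())
        if not requested or not requested <= allowed:
            return 400, {"error": "invalid_scope"}
        token = secrets.token_urlsafe(32)             # opaque, unguessable, server-side state
        self._tokens[token] = {"client_id": client_id, "scope": requested,
                               "expires_at": now + TOKEN_TTL}
        return 200, {"access_token": token, "token_type": "Bearer",
                     "expires_in": TOKEN_TTL, "scope": " ".join(sorted(requested))}

    def introspect(self, token, now):
        """Token lookup used by the resource server (RFC 7662-style 'active' flag)."""
        rec = self._tokens.get(token)
        if rec is None or now >= rec["expires_at"]:
            return {"active": False}
        return {"active": True, "client_id": rec["client_id"], "scope": rec["scope"]}


class ResourceServer:
    def __init__(self, authz):
        self._authz = authz
        self._users = {"luis": {"login": "luis", "department": "IT-DEP"}}  # constructed

    def handle(self, method, path, headers, now):
        """Every endpoint requires a valid Bearer token with the right scope."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {"error": "invalid_request"}
        info = self._authz.introspect(auth[len("Bearer "):], now)
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        if method == "GET" and path.startswith("/api/User/"):
            if "user.read" not in info["scope"]:
                return 403, {"error": "insufficient_scope"}
            user = self._users.get(path[len("/api/User/"):])
            return (200, user) if user else (404, {"error": "not_found"})
        return 404, {"error": "not_found"}


def fetch_user(authz, api, client_id, client_secret, login, now):
    """What the web application does: obtain a token, then call the API with it."""
    status, body = authz.token_endpoint("client_credentials", client_id, client_secret,
                                        "user.read", now)
    if status != 200:
        return status, body
    return api.handle("GET", "/api/User/" + login,
                      {"Authorization": "Bearer " + body["access_token"]}, now)


def demo():
    """Set up one registered client and the two servers."""
    authz = AuthorizationServer()
    authz.register_client("alice-webapp", "constructed-secret", ["user.read"])
    return authz, ResourceServer(authz)
```

Two details carry most of the security value: the resource server never trusts the token's contents on its own but asks the authorization server whether it is still active, and the token endpoint answers an unknown client ID and a wrong secret with the same `invalid_client` error.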
32. 32
CERN SSO. OAUTH2
● Other clients:
  – Java
    ● Atlassian Jira
  – JavaScript
    ● nile-sso-proxy
● Other OAUTH2 flow
  – Implicit client
    ● Oracle JET & ORDS
CERN SSO OAUTH2 Service
36. 36
Take-aways
● Cloud services & third-party systems
  – A common authentication layer becomes a must
  – Federation
● Challenges:
  – Authorization
  – Integration
37. 37
Take-aways
● Other solutions
  – CAS
  – OpenAM
● SAML2 vs OAUTH2 vs OpenID Connect (OIDC)
  – SAML2
    ● Mature
    ● Verbose
    ● SSO use case
    ● Web apps UI (web profile)
    ● Hard back-end integration
  – OAUTH2
    ● Young
    ● Simple
    ● Access delegation use case
    ● Front end
    ● APIs
  – OpenID Connect
    ● OAUTH2 authentication
      – Access token
      – ID token
    ● JSON Web Token
    ● SSO use case
● When to use what?
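OpenID Connect turns OAuth2 into an authentication protocol by adding the ID token, a JSON Web Token the relying party must validate before treating its claims as a login. The checks that validation involves are shown below as an added Python example; it is not any IdP's or library's code. It uses HS256, the HMAC signature keyed with the client secret that OIDC permits for confidential clients, because that can be verified with the standard library; providers more commonly sign with RS256 and publish the keys in a JWKS document, in which case only the signature step changes. The key, issuer, client ID, timestamp and claims are constructed.

```python
"""Validating an OpenID Connect ID token (JWT). Added example; not any IdP's or library's
code. HS256 keyed with the client secret is used so that the standard library suffices;
key, issuer, client ID, timestamp and claims are constructed."""
import base64
import hashlib
import hmac
import json

CLIENT_SECRET = b"constructed-client-secret"
ISSUER = "https://idp.example.org/"      # constructed; must match the token's "iss" exactly
CLIENT_ID = "my-web-app"                 # constructed; ID tokens name the client in "aud"
NOW = 1540375200                         # constructed epoch timestamp (24 Oct 2018)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_id_token(claims, key=CLIENT_SECRET):
    """What the IdP does after authenticating the user: sign header.payload with HS256."""
    signing_input = json_segment({"alg": "HS256", "typ": "JWT"}) + "." + json_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, now=NOW, key=CLIENT_SECRET):
    """Return the claims if the token is genuine and meant for us; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    # Allow-list the algorithm we configured; never let the token choose it
    # (rejects "none" and any key-type confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (head + "." + body).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))   # claims are trustworthy only from here on
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not addressed to this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def rejection_reason(token, now=NOW, key=CLIENT_SECRET):
    """None if the token validates, otherwise the reason it was rejected (for callers/tests)."""
    try:
        validate_id_token(token, now, key)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed claims for a ten-minute ID token issued to luis.
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "luis", "aud": CLIENT_ID, "iat": NOW, "exp": NOW + 600}
```

The order of checks is deliberate: nothing in the payload, not even `iss` or `exp`, is read until the signature has been verified under the algorithm the relying party configured, and the audience check is what stops an ID token minted for one client from logging a user into another.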
41. 41
References. Presentations
● UKOUG: Oracle WebLogic as a Service Provider for CERN Web Applications: APEX & JAVA EE
  ● https://openlab-archive-phases-iv-v.web.cern.ch/publications/presentations/weblogic-service-provider-cern-web-ap
● 6th Control System Cyber-Security Workshop (CS)2/HEP: 1000 Thousand Things…
  ● https://openlab-archive-phases-iv-v.web.cern.ch/publications/presentations/1000-things-you-always-want-know-about-sso-you-never-dare-ask
● Building Secure REST Architectures with ORDS
  ● https://openlab-archive-phases-iv-v.web.cern.ch/sites/openlab-archive-phases-iv-v.web.cern.ch/files/presentations
42. 42
References. Blog entries
● Oracle WebLogic SAML2 Authorization
  ● https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2015-02-oracle-weblogic-saml2-authorization
● SSO For Oracle REST Data Services
  ● https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2017-04-sso-oracle-rest-dataservices
● Oracle JET, ORDS & OAUTH2
  ● https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2017-04-oracle-jet-ords-oauth2
● Java Web Application Based on OAUTH2
  ● https://db-blog.web.cern.ch/blog/emil-kleszcz/2016-08-java-web-application-based-oauth2
43. 43
References. Documentation
● Oracle WebLogic Server 12.1.3. Configuring SAML2 Services
  – https://docs.oracle.com/middleware/1213/wls/SECMG/saml20.htm#SECMG279
● Shibboleth Service Provider
  – https://wiki.shibboleth.net/confluence/display/SP3/Home
● Keycloak SAML Java Adapters
  – https://www.keycloak.org/docs/latest/securing_apps/index.html#saml-2
44. 44
Credits
● Open source image
  ● http://www.picserver.org/o/open-source.html
● Larry Ellison picture courtesy of Home Water Softener Reviews
  ● www.homewatersoftenerreviews.com
● CERN pictures
  ● https://press.cern/press-releases
● Post-it password pictures courtesy of Marco Verch
  ● https://www.flickr.com/photos/30478819@N08/29613520138
45. 45
CERN OPENLAB CONTACTS
ALBERTO DI MEGLIO, CERN openlab Head, alberto.di.meglio@cern.ch
MARIA GIRONE, CERN openlab CTO, maria.girone@cern.ch
FONS RADEMAKERS, CERN openlab CRO, fons.rademakers@cern.ch
ANDREW PURCELL, CERN openlab Communications Officer, andrew.purcell@cern.ch
KRISTINA GUNNE, CERN openlab Administration/Finance Officer, kristina.gunne@cern.ch
www.cern.ch/openlab
Editor's Notes
- High-level overview of the CERN Identity Provider
  - Main component: Microsoft Active Directory Federation Services 2
  - Exposes the endpoints used by the web applications
    - receiving authentication requests
    - sending authentication responses
  - Standards/protocols: WS-FED, SAML2 & OAUTH2
  - Authentication: users directory: Microsoft Active Directory
    - No big issues with the integration of both
    - Users directory info comes from HR systems
    - Groups management: e-mail lists; also used as Access Control Lists by the applications
  - Linux systems: Kerberos
  - LDAP endpoints
    - Authentication
    - Anonymous query (GDPR)
- Authentication:
  - User name and password
  - Personal certificate
  - Windows:
    - Windows authentication
    - Kiosk applications: service account → browser
  - Linux:
    - Kerberos ticket
  - Two-factor authentication
    - Network applications
  - External public accounts
    - CERN Market: buy & sell second hand
  - Federation
    - User login in:
      - Federated/trusted universities & institutes
- Assertions
  - Main tasks
    - Authenticate
    - Send assertions (user information)
    - First authorization layer
      - Identity classes
      - Type of accounts
- 100% apps WS-FED/SAML2
  - WS-FED
    - Microsoft, BEA, IBM
    - Long time in the market
    - Implemented by well-known open-source solutions
  - SAML2
    - Security Assertion Markup Language
    - OASIS
      - Organization for the Advancement of Structured Information Standards
  - Very similar
    - SAML2 more verbose
    - Logout is hell
- Core of the implementation
  - Assertions: packages of information
  - Actors:
    - User agent: web browser
    - Service Provider: relying party
    - Identity Provider: asserting party
- Login flow
- WS-FED logout
- SAML2 logout