OpenSSO Tech Overview Aquarium

2 comments

  • pelegri, 8 months ago
    fixed... I hope.
  • guest1929cb, 8 months ago
    It seems that the slide itself does not match its title. It should be ’OpenSSO Tech Overview Aquarium’, but ’OpenSSO Roadmap’ shows up in the screencast. :(
OpenSSO Tech Overview Aquarium - Presentation Transcript

  1. OpenSSO Overview. Sidharth Mishra, Sun Microsystems, Inc.
  2. Today's SSO Problems
     1. How do I centralize SSO and security policy for my web applications?
     2. How can I quickly connect with partners, SaaS providers, subsidiaries, acquisitions and affiliates?
     3. How do I centralize SSO and security policy for my web services?
  3. OpenSSO Enterprise: Single solution that solves ALL of SSO problems: Web Single Sign On, Federation, and Secure Web services
  4. Web SSO
  5. OpenSSO Enterprise: How does it work?
  6. SSO And Access Control: Authentication
     • Standards-based, extensible authentication framework (JAAS based)
     • Supports multiple pluggable authentication mechanisms
       > LDAP, RADIUS, Certificate, SafeWord, RSA SecurID, Unix, Windows NT, WindowsDesktopSSO (Kerberos), Anonymous, Membership (self-enrollment)
       > Custom authentication mechanisms using the SPI
     • Multi-factor Authentication (Chained Authentication Mechanisms)
     • Multi-Level and Multi-Scheme Authentication
     • Resource-based Authentication
  7. SSO And Access Control: Authorization
     • Policy = Rules + Subjects + Conditions + Response Provider
       > Rules – The resource to be protected (e.g. URL)
       > Subjects – Who is allowed to access (User/Role/Group etc.)
       > Condition – Extra constraints (IP address mask, authN level/scheme, time/day etc.)
       > Response Provider – Additional response data to be sent back to the resource.
  8. Solution: OpenSSO Web Access Management. Three Tough Challenges. One Powerful Solution.
     • Centralized server configuration
     • Centralized agent configuration
     • Agent and proxy modes
     • AAA Identity Services
     • Embedded directory server for user store and policy store
     • XACML support for standards-based policy management
     • Consumes and translates 3rd party tokens from all major WAM solutions
  9. Federation
  10. Federated Single Sign On
     • Federation is built in to OpenSSO Enterprise. No additional software needed.
     • Federation for cross-domain application integration.
       > Software-infrastructure independent. Sites only agree on protocol version and binding type.
     • Facilitates trusted relationships.
       > Creates tighter, more satisfying customer, partner and employee relationships.
       > Extend existing and new revenue opportunities.
       > Implement business models that generate efficiencies and productivity gains.
  11. Solution: OpenSSO Federation. Three Tough Challenges. One Powerful Solution.
     • The Fedlet, an 8.5MB package that allows service providers to create fully configured trust networks based on SAML 2 in minutes
     • Multi-protocol Federation Hub: easily federate with any company regardless of what “federation language” they speak
     • Virtual Federation Proxy: incorporate any number of legacy authentications with a single instance of OpenSSO
     • Supports all major standards including SAML, WS-Federation, Liberty ID-FF, WS-Trust, WS-Security, and WS-Policy
     • Coexists with other major WAM solutions and participates in federation.
  12. Web Services Security
  13. OpenSSO and Web Services Security
     • Problem:
       > How do I support web services for my web applications in various containers when it is handled differently container to container?
     • What It Does?
       > Provides agents that can be deployed in containers for consuming, processing and transforming security tokens including SAML
       > Abstracts security from the application.
       > Agent allows standardization on security across multiple containers (e.g. Sun, IBM, BEA etc.)
         – Implements container's authentication SPI (JSR 196)
         – Secures SOAP request and validates SOAP response at WSC.
         – Validates SOAP request and secures SOAP response at WSP.
     [Diagram: Web Service Client with WSS Agent and clientsdk, OpenSSO Server, and Web Service Provider with WSS/J2EE Agent and clientsdk; steps numbered 1 to 5, with Request and SOAP (WSS) labels]
  14. Secure Token Service
     • Problem:
       > How does the Web service verify the credentials presented by the client?
     • How It Works
       > An authenticated client requests token needed to access web service provider.
       > The STS verifies the credentials presented by the client, and then in response, it issues a security token that provides proof that the client has authenticated with the STS.
       > The client presents the WS-I BSP based security token (User Name, X.509, SAML etc.) to the Web service.
       > The Web service verifies that the token was issued by a trusted STS, which proves that the client has successfully authenticated with the STS.
     [Diagram: Web Service Client, Security Token Service and Web Service Provider; steps 1 Request, 2 Issue Token over SOAP (WS-Trust), 3 SOAP (WSS)]
  15. Solution: OpenSSO Secure Web Services. Three Tough Challenges. One Powerful Solution.
     • Only standards-based solution that provides a pluggable, end-to-end secure web-services solution
     • Standards-based integration with Glassfish.
     • Security Token Service that can be deployed as an integrated, or standalone, solution
     • Security Token Service that can handle token issuance, validation and translation via WS-Trust
     • Policy enforcement point plugins for Weblogic, WebSphere, Tomcat and JBOSS
  16. Identity Services
     • Problem
       > How do I invoke and leverage OpenSSO services (authN, authZ etc.) in a platform / language independent manner?
     • OpenSSO Identity Services
       > Makes OpenSSO services and functionalities available in an easy-to-use set of Web Services accessible via SOAP and REST.
     • Benefits
       > Allows developers to easily invoke OpenSSO services.
       > Identity Access Layer provides abstraction so components can change without affecting applications.
       > Agentless solution that does not require deployment of agent or proxy to protect a resource.
       > Supports usage of the IDE of developer's choice: NetBeans, Eclipse, Visual Studio
     • Identity Services – Easily accessible, design approach independent.
  17. Identity Services
  18. Thank You. sid@sun.com
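The policy structure on slide 7 (Rules + Subjects + Conditions + Response Provider), modelled as an added example; this is not code from the presentation or from OpenSSO, and the class names, hosts, roles and header name are hypothetical. It evaluates a request with default deny and reports when only the authN-level condition blocked access.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    rule: str                       # Rule: protected resource (URL pattern)
    subjects: set                   # Subjects: users/roles/groups allowed
    ip_mask: str = "0.0.0.0/0"      # Condition: client IP address mask
    min_authn_level: int = 0        # Condition: required authN level
    hours: range = range(0, 24)     # Condition: allowed hours of the day
    response: dict = field(default_factory=dict)  # Response Provider data

@dataclass
class Request:
    url: str
    principals: set                 # user id plus role/group memberships
    client_ip: str
    authn_level: int
    hour: int

def evaluate(policies, req):
    """Return (decision, response_data, advice); no matching policy means deny."""
    advice = None
    for p in policies:
        if not fnmatch.fnmatchcase(req.url, p.rule):
            continue                # rule does not cover this resource
        if not (p.subjects & req.principals):
            continue                # caller is not a listed subject
        if ipaddress.ip_address(req.client_ip) not in ipaddress.ip_network(p.ip_mask):
            continue                # outside the permitted network
        if req.hour not in p.hours:
            continue                # outside the permitted time window
        if req.authn_level < p.min_authn_level:
            # Only the authN-level condition failed: report what would satisfy it.
            advice = f"authenticate at level {p.min_authn_level}"
            continue
        return "allow", dict(p.response), None
    return "deny", {}, advice

# Constructed sample policies (hypothetical hosts, roles and header name).
POLICIES = [
    Policy("https://app.example.com/hr/*", {"role:hr"}, ip_mask="10.0.0.0/8",
           min_authn_level=2, hours=range(8, 18), response={"X-Dept": "hr"}),
    Policy("https://app.example.com/public/*", {"group:employees"}),
]
```

The advice string is how this model ties the authN-level condition to the multi-level authentication on slide 6: the enforcement point can send the user to re-authenticate instead of returning a flat denial.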
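The three-step token flow on slide 14 (client authenticates to the STS, STS issues a token, the Web service accepts it only from a trusted STS), as an added example that is not from the presentation or OpenSSO. It assumes a simplification: an HMAC over a JSON body stands in for the signed WS-I BSP tokens and WS-Trust SOAP messages a real deployment uses, and all names, keys and credentials are constructed.

```python
import base64, hashlib, hmac, json

class SecurityTokenService:
    """Toy STS: verifies the client's credentials, then issues a protected token."""
    def __init__(self, name, key, users):
        self.name, self._key, self._users = name, key, users

    def issue(self, user, password, audience, now, ttl=300):
        stored = self._users.get(user, "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("authentication failed")
        body = json.dumps({"iss": self.name, "sub": user, "aud": audience,
                           "exp": now + ttl}).encode()
        mac = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.b64encode(body).decode() + "." + base64.b64encode(mac).decode()

class WebServiceProvider:
    """Accepts a token only if an STS it trusts issued it for this service."""
    def __init__(self, name, trusted):
        self.name, self._trusted = name, trusted   # issuer name -> verification key

    def verify(self, token, now):
        try:
            body_b64, mac_b64 = token.split(".")
            body, mac = base64.b64decode(body_b64), base64.b64decode(mac_b64)
            claims = json.loads(body)
            key = self._trusted[claims["iss"]]      # unknown issuer -> KeyError
        except (ValueError, KeyError, TypeError):
            raise PermissionError("malformed token or untrusted issuer")
        if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
            raise PermissionError("token not issued by the trusted STS")
        if claims["aud"] != self.name or now >= claims["exp"]:
            raise PermissionError("wrong audience or expired")
        return claims["sub"]

def accepted(provider, token, now):
    """Return the authenticated subject, or None if the provider rejects the token."""
    try:
        return provider.verify(token, now)
    except PermissionError:
        return None

# Constructed demo values: key, names and credentials are placeholders.
KEY = b"constructed-demo-key"
STS = SecurityTokenService("sts.example", KEY, {"alice": "constructed-pw"})
ROGUE = SecurityTokenService("sts.example", b"unrelated-key", {"alice": "x"})
WSP = WebServiceProvider("orders-service", {"sts.example": KEY})
```

The provider checks the integrity value before it relies on any claim other than the issuer name, and it also checks audience and expiry, so a token minted for another service or replayed after its lifetime is rejected even though the STS is trusted.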

Uploaded by pelegri, 8 months ago

An Overview of OpenSSO, OpenSource Single-Sign On.

© All Rights Reserved