OpenSSO Tech Overview Aquarium

An overview of OpenSSO, open-source single sign-on. At TheAquarium Online.

  1. OpenSSO Overview. Sidharth Mishra, Sun Microsystems, Inc.
  2. Today's SSO Problems
     1. How do I centralize SSO and security policy for my web applications?
     2. How can I quickly connect with partners, SaaS providers, subsidiaries, acquisitions and affiliates?
     3. How do I centralize SSO and security policy for my web services?
  3. OpenSSO Enterprise: a single solution that addresses all three SSO problems: Web Single Sign On, Federation, and Secure Web Services.
  4. Web SSO
  5. OpenSSO Enterprise: How does it work?
  6. SSO And Access Control: Authentication
     • Standards-based, extensible authentication framework (JAAS based)
     • Supports multiple pluggable authentication mechanisms
       > LDAP, RADIUS, Certificate, SafeWord, RSA SecurID, Unix, Windows NT, Windows Desktop SSO (Kerberos), Anonymous, Membership (self-enrollment)
       > Custom authentication mechanisms using the SPI
     • Multi-factor authentication (chained authentication mechanisms)
     • Multi-level and multi-scheme authentication
     • Resource-based authentication
  7. SSO And Access Control: Authorization
     • Policy = Rules + Subjects + Conditions + Response Provider
       > Rules – the resource to be protected (e.g. a URL)
       > Subjects – who is allowed access (user, role, group, etc.)
       > Conditions – extra constraints (IP address mask, authentication level or scheme, time of day, etc.)
       > Response Provider – additional response data sent back to the resource
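The policy model on slide 7, as an added worked example in Python (this is illustrative code written for this page, not OpenSSO's own code or API): a request carrying the authenticated subject, the client IP, the authentication level and scheme reached by the login chain, and the time of day is evaluated against policies built from rules, subjects, conditions and response-provider attributes. The policy names, condition keys, URL patterns and users are constructed for illustration. Real OpenSSO policies also attach action values (allow or deny per HTTP method) to each rule; this model omits them, so the only outcomes are allow (with response attributes) or deny by default.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


@dataclass
class Subject:
    user: str
    groups: frozenset
    auth_level: int      # level reached by the authentication chain (e.g. password=1, OTP=2, cert=3)
    auth_scheme: str     # module that authenticated the user, e.g. "LDAP", "Cert", "Kerberos"


@dataclass
class Request:
    url: str
    subject: Subject
    client_ip: str
    when: datetime


@dataclass
class Policy:
    name: str
    rules: tuple         # resource patterns (fnmatch-style URLs) this policy protects
    subjects: tuple      # "user:<name>" or "group:<name>" entries that are allowed in
    conditions: dict     # extra constraints; the keys are illustrative, not OpenSSO's condition names
    response: dict       # response-provider attributes handed back to the resource on allow


def rule_matches(policy, url):
    return any(fnmatchcase(url, pattern) for pattern in policy.rules)


def subject_matches(policy, subject):
    for entry in policy.subjects:
        kind, _, name = entry.partition(":")
        if kind == "user" and name == subject.user:
            return True
        if kind == "group" and name in subject.groups:
            return True
    return False


def conditions_hold(policy, request):
    """Every condition present on the policy must hold; a missing key imposes no constraint."""
    c = policy.conditions
    if "ip_mask" in c and ip_address(request.client_ip) not in ip_network(c["ip_mask"]):
        return False
    if "min_auth_level" in c and request.subject.auth_level < c["min_auth_level"]:
        return False
    if "auth_scheme" in c and request.subject.auth_scheme != c["auth_scheme"]:
        return False
    if "hours" in c:                     # allowed window as (start_hour, end_hour), end exclusive
        start, end = c["hours"]
        if not start <= request.when.hour < end:
            return False
    return True


def evaluate(policies, request):
    """Deny by default: allowed only when some policy's rule, subject and every
    condition all match. Returns (allowed, response_attributes, policy_name)."""
    for policy in policies:
        if not rule_matches(policy, request.url):
            continue
        if not subject_matches(policy, request.subject):
            continue
        if not conditions_hold(policy, request):
            continue
        return True, dict(policy.response), policy.name
    return False, {}, None


def sample_request(url, subject, client_ip, hour):
    """Build a request on a fixed, constructed date so that only the hour varies."""
    return Request(url, subject, client_ip, datetime(2024, 1, 15, hour, 0))


# Constructed sample policies (not taken from any real deployment).
POLICIES = (
    Policy("hr-app", ("https://intranet.example.com/hr/*",), ("group:hr",),
           {"ip_mask": "10.0.0.0/8", "min_auth_level": 2, "hours": (8, 18)},
           {"hr_role": "staff"}),
    Policy("admin-console", ("https://intranet.example.com/admin/*",), ("user:root-admin",),
           {"auth_scheme": "Cert", "min_auth_level": 3},
           {"admin": "true"}),
)

if __name__ == "__main__":
    alice = Subject("alice", frozenset({"hr"}), 2, "LDAP")
    print(evaluate(POLICIES, sample_request("https://intranet.example.com/hr/payroll", alice, "10.1.2.3", 10)))
```

The checks a practitioner wants to see are all negative ones: the same user from an address outside the mask, outside the hours window, or with an authentication level below the policy's minimum is denied even though the rule and subject match, and a URL no rule covers is denied rather than falling open.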
  8. Solution: OpenSSO Web Access Management. Three Tough Challenges. One Powerful Solution.
     • Centralized server configuration
     • Centralized agent configuration
     • Agent and proxy modes
     • AAA Identity Services
     • Embedded directory server for user store and policy store
     • XACML support for standards-based policy management
     • Consumes and translates 3rd party tokens from all major WAM solutions
  9. Federation
 10. Federated Single Sign On
     • Federation is built into OpenSSO Enterprise; no additional software is needed.
     • Federation for cross-domain application integration.
       > Software-infrastructure independent: sites only agree on protocol version and binding type.
     • Facilitates trusted relationships.
       > Creates tighter, more satisfying customer, partner and employee relationships.
       > Extends existing and opens new revenue opportunities.
       > Implements business models that generate efficiencies and productivity gains.
 11. Solution: OpenSSO Federation. Three Tough Challenges. One Powerful Solution.
     • The Fedlet, an 8.5 MB package that allows service providers to create fully configured trust networks based on SAML 2 in minutes
     • Multi-protocol Federation Hub: federate with any company regardless of which "federation language" they speak
     • Virtual Federation Proxy: incorporate any number of legacy authentications with a single instance of OpenSSO
     • Supports all major standards including SAML, WS-Federation, Liberty ID-FF, WS-Trust, WS-Security, and WS-Policy
     • Coexists with other major WAM solutions and participates in federation.
 12. Web Services Security
 13. OpenSSO and Web Services Security
     • Problem: How do I support web services for my applications in various containers when it is handled differently from container to container?
     • What it does:
       > Provides agents that can be deployed in containers for consuming, processing and transforming security tokens, including SAML
       > Abstracts security from the application
       > Agents allow standardization of security across multiple containers (e.g. Sun, IBM, BEA)
         – Implement the container's authentication SPI (JSR 196)
         – Secure the SOAP request and validate the SOAP response at the WSC (web service client)
         – Validate the SOAP request and secure the SOAP response at the WSP (web service provider)
     [Diagram: Web Service Client and Web Service Provider, each with a WSS Agent and client SDK, exchanging SOAP (WSS) messages with the OpenSSO Server in the middle; steps 1 (request) through 5]
 14. Secure Token Service
     • Problem: How does the web service verify the credentials presented by the client?
     • How it works:
       > An authenticated client requests the token needed to access the web service provider (Issue Token, WS-Trust).
       > The STS verifies the credentials presented by the client and, in response, issues a security token that provides proof that the client has authenticated with the STS.
       > The client presents the WS-I BSP based security token (UserName, X.509, SAML, etc.) to the web service (SOAP with WSS).
       > The web service verifies that the token was issued by a trusted STS, which proves that the client has successfully authenticated with the STS.
     [Diagram: Web Service Client, Security Token Service and Web Service Provider; steps 1 (request), 2 (Issue Token, WS-Trust) and 3 (SOAP with WSS)]
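The exchange on slides 13 and 14, as an added example in Python that is not part of the original deck and is neither OpenSSO's code nor the WS-Trust or WS-Security wire format: an STS authenticates the client and issues a signed, audience-bound, short-lived token; the web service provider (the role the WSS agent plays at the WSP) accepts the token only if the signature verifies under the trusted STS key, the audience names the provider itself, and the validity window holds. The HMAC-over-JSON token, the issuer name, the shared key and the user store are constructed stand-ins for the SAML, X.509 or UserName tokens and XML signatures a real deployment would exchange; the shape of the trust check is what the example shows.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

STS_ISSUER = "sts.example.com"                         # constructed issuer name
STS_KEY = b"constructed-demo-key-do-not-reuse"         # key shared by the STS and the WSP (constructed)
USER_STORE = {"alice": "correct horse battery staple"}  # constructed credential store behind the STS


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _sign(payload):
    return hmac.new(STS_KEY, payload, hashlib.sha256).digest()


def sts_issue(username, password, audience, ttl=300, now=None):
    """Steps 1-2: the STS checks the client's credentials and, on success, issues a
    token bound to one audience (the target web service) with a short lifetime."""
    if USER_STORE.get(username) != password:
        return None
    now = time.time() if now is None else now
    claims = {"iss": STS_ISSUER, "sub": username, "aud": audience, "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode("utf-8")
    return _b64e(payload) + "." + _b64e(_sign(payload))


def wsp_validate(token, expected_audience, now=None):
    """Steps 3-4: the web service provider accepts the token only if the signature is
    the trusted STS's, the audience is itself, and the time is inside the validity
    window. Returns the claims on success and None on any failure."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None                      # not issued by the trusted STS, or modified since
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("iss") != STS_ISSUER or claims.get("aud") != expected_audience:
        return None                      # wrong issuer, or a token minted for another service
    now = time.time() if now is None else now
    if not claims.get("iat", float("inf")) <= now < claims.get("exp", float("-inf")):
        return None                      # expired, or not yet valid
    return claims


def tamper(token, old, new):
    """Constructed attack helper: rewrite a claim in the payload but keep the original signature."""
    payload_b64, sig_b64 = token.split(".")
    payload = base64.urlsafe_b64decode(payload_b64).decode("utf-8")
    return _b64e(payload.replace(old, new).encode("utf-8")) + "." + sig_b64


if __name__ == "__main__":
    token = sts_issue("alice", "correct horse battery staple", "payroll-ws")
    print(wsp_validate(token, "payroll-ws"))
    print(wsp_validate(tamper(token, '"alice"', '"admin"'), "payroll-ws"))
```

The failure modes worth exercising are the ones the WSP must catch on its own: a token replayed against a different service fails the audience check, a claim edited without the STS key fails the signature check, and a token presented outside its window is rejected even though its signature is good.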
 15. Solution: OpenSSO Secure Web Services. Three Tough Challenges. One Powerful Solution.
     • Only standards-based solution that provides a pluggable, end-to-end secure web services solution
     • Standards-based integration with GlassFish
     • Security Token Service that can be deployed as an integrated or standalone solution
     • Security Token Service that can handle token issuance, validation and translation via WS-Trust
     • Policy enforcement point plugins for WebLogic, WebSphere, Tomcat and JBoss
 16. Identity Services
     Problem
     • How do I invoke and leverage OpenSSO services (authN, authZ, etc.) in a platform and language independent manner?
     OpenSSO Identity Services
     • Makes OpenSSO services and functionality available as an easy-to-use set of web services accessible via SOAP and REST.
     • Identity Access Layer provides abstraction so components can change without affecting applications.
     • Supports the IDE of the developer's choice: NetBeans, Eclipse, Visual Studio.
     Benefits
     • Allows developers to easily invoke OpenSSO services.
     • Agentless solution that does not require deployment of an agent or proxy to protect a resource.
     • Identity Services are easily accessible and design-approach independent.
 17. Identity Services [diagram]
 18. Thank You. sid@sun.com
