OpenSSO Tech Overview Aquarium

An Overview of OpenSSO, OpenSource Single-Sign On. At TheAquarium Online

    Presentation Transcript

    • OpenSSO Overview. Sidharth Mishra, Sun Microsystems, Inc.
    • Today's SSO Problems
      1. How do I centralize SSO and security policy for my web applications?
      2. How can I quickly connect with partners, SaaS providers, subsidiaries, acquisitions and affiliates?
      3. How do I centralize SSO and security policy for my web services?
    • OpenSSO Enterprise: a single solution that solves ALL SSO problems: Web Single Sign On, Federation, and Secure Web Services
    • Web SSO
    • OpenSSO Enterprise: How does it work?
    • SSO And Access Control: Authentication
      • Standards-based, extensible authentication framework (JAAS based)
      • Supports multiple pluggable authentication mechanisms
        > LDAP, RADIUS, Certificate, SafeWord, RSA SecurID, Unix, Windows NT, WindowsDesktopSSO (Kerberos), Anonymous, Membership (self-enrollment)
        > Custom authentication mechanisms using the SPI
      • Multi-factor Authentication (chained authentication mechanisms)
      • Multi-Level and Multi-Scheme Authentication
      • Resource-based Authentication
    • SSO And Access Control: Authorization
      • Policy = Rules + Subjects + Conditions + Response Provider
        > Rules – the resource to be protected (e.g. URL)
        > Subjects – who is allowed to access (User/Role/Group etc.)
        > Conditions – extra constraints (IP address mask, authN level/scheme, time/day etc.)
        > Response Provider – additional response data to be sent back to the resource
    • Solution: OpenSSO Web Access Management. Three Tough Challenges. One Powerful Solution.
      • Centralized server configuration
      • Centralized agent configuration
      • Agent and proxy modes
      • AAA Identity Services
      • Embedded directory server for user store and policy store
      • XACML support for standards-based policy management
      • Consumes and translates 3rd party tokens from all major WAM solutions
    • Federation
    • Federated Single Sign On
      • Federation is built into OpenSSO Enterprise. No additional software needed.
      • Federation for cross-domain application integration.
        > Software-infrastructure independent: sites only agree on protocol version and binding type.
      • Facilitates trusted relationships.
        > Creates tighter, more satisfying customer, partner and employee relationships.
        > Extends existing and new revenue opportunities.
        > Implements business models that generate efficiencies and productivity gains.
    • Solution: OpenSSO Federation. Three Tough Challenges. One Powerful Solution.
      • The Fedlet, an 8.5MB package that allows service providers to create fully configured trust networks based on SAML 2 in minutes
      • Multi-protocol Federation Hub: easily federate with any company regardless of what “federation language” they speak
      • Virtual Federation Proxy: incorporate any number of legacy authentications with a single instance of OpenSSO
      • Supports all major standards including SAML, WS-Federation, Liberty ID-FF, WS-Trust, WS-Security, and WS-Policy
      • Coexists with other major WAM solutions and participates in federation.
    • Web Services Security
    • OpenSSO and Web Services Security
      • Problem:
        > How do I support web services for my web applications in various containers when it is handled differently container to container?
      • What It Does?
        > Provides agents that can be deployed in containers for consuming, processing and transforming security tokens including SAML
        > Abstracts security from the application.
        > Agent allows standardization on security across multiple containers (e.g. Sun, IBM, BEA etc.)
          – Implements container's authentication SPI (JSR 196)
          – Secures SOAP request and validates SOAP response at WSC.
          – Validates SOAP request and secures SOAP response at WSP.
      [Diagram: Web Service Client (clientsdk, WSS/J2EE Agent) exchanging SOAP (WSS) messages with Web Service Provider (WSS Agent, clientsdk), both backed by OpenSSO Server; numbered steps 1 Request to 5]
    • Secure Token Service
      • Problem:
        > How does the Web service verify the credentials presented by the client?
      • How It Works
        > An authenticated client requests the token needed to access the web service provider.
        > The STS verifies the credentials presented by the client, and then in response, it issues a security token that provides proof that the client has authenticated with the STS.
        > The client presents the WS-I BSP based security token (User Name, X.509, SAML etc.) to the Web service.
        > The Web service verifies that the token was issued by a trusted STS, which proves that the client has successfully authenticated with the STS.
      [Diagram: Web Service Client, Security Token Service (Issue Token, WS-Trust) and Web Service Provider; numbered steps 1 Request, 2, 3 SOAP (WSS)]
    • Solution: OpenSSO Secure Web Services. Three Tough Challenges. One Powerful Solution.
      • Only standards-based solution that provides a pluggable, end-to-end secure web-services solution
      • Standards-based integration with GlassFish.
      • Security Token Service that can be deployed as an integrated, or standalone, solution
      • Security Token Service that can handle token issuance, validation and translation via WS-Trust
      • Policy enforcement point plugins for WebLogic, WebSphere, Tomcat and JBoss
    • Identity Services
      Problem
      • How do I invoke and leverage OpenSSO services (authN, authZ etc.) in a platform / language independent manner?
      OpenSSO Identity Services
      • Makes OpenSSO services and functionalities available in an easy-to-use set of Web Services accessible via SOAP and REST.
      • Supports usage of the IDE of developer's choice
        > NetBeans, Eclipse, Visual Studio
      Benefits
      • Allows developers to easily invoke OpenSSO services.
      • Identity Access Layer provides abstraction so components can change without affecting applications.
      • Agentless solution that does not require deployment of agent or proxy to protect a resource.
      Identity Services – easily accessible, design approach independent.
    • Identity Services
    • Thank You. sid@sun.com
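As an added example (not OpenSSO's own code), the Policy = Rules + Subjects + Conditions + Response Provider model from the Authorization slide above, evaluated the way a policy agent would evaluate it: the Policy and Request classes, the evaluate function, the hostnames and the IP ranges are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Added example, not OpenSSO code: minimal evaluator for the slide-7 model
# Policy = Rules + Subjects + Conditions + Response Provider.
# Class and function names, hostnames and IP ranges are constructed.

@dataclass
class Request:
    resource: str      # URL the agent is protecting (matched against Rules)
    user: str
    roles: set
    client_ip: str
    auth_level: int    # level reached through the chained authentication modules

@dataclass
class Policy:
    name: str
    rules: list                      # Rules: URL patterns to protect
    subjects: set                    # Subjects: user names or role names
    ip_masks: list = field(default_factory=list)   # Condition: IP address masks
    min_auth_level: int = 0          # Condition: required authN level
    response_attrs: dict = field(default_factory=dict)  # Response Provider data

def _conditions_hold(p, req):
    if p.ip_masks:
        ip = ipaddress.ip_address(req.client_ip)
        if not any(ip in ipaddress.ip_network(m) for m in p.ip_masks):
            return False
    return req.auth_level >= p.min_auth_level

def evaluate(policies, req):
    """Return (decision, response attributes). Allow only when a policy's rule
    matches the resource, the caller is a listed subject and every condition
    holds; anything else is a deny, so the agent fails closed."""
    for p in policies:
        if not any(fnmatch(req.resource, r) for r in p.rules):
            continue
        if req.user not in p.subjects and not (req.roles & p.subjects):
            continue
        if not _conditions_hold(p, req):
            continue
        return "allow", dict(p.response_attrs)
    return "deny", {}

PAYROLL = Policy("payroll", rules=["http://hr.example.com/payroll/*"],
                 subjects={"hr-admins"}, ip_masks=["10.0.0.0/8"],
                 min_auth_level=2, response_attrs={"department": "HR"})
```

With this policy, an hr-admins member from 10.1.2.3 at authentication level 2 gets ("allow", {"department": "HR"}) back, while the same user from an address outside 10.0.0.0/8, or at level 1, is denied.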
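As a second added example (not OpenSSO's or WS-Trust's own code), the four-step Secure Token Service exchange from the slide above, with the STS and the Web service written as two functions: the HMAC-signed JSON token, the shared signing key and the credential store are constructed stand-ins for a WS-Trust issued SAML or X.509 token.

```python
import base64, hashlib, hmac, json, time

# Added example, not OpenSSO code: the slide-14 STS exchange as two functions.
# A shared HMAC key stands in for the STS signing key the Web service trusts;
# the JSON token format, key and user store are constructed placeholders.

STS_KEY = b"constructed-sts-signing-key"
CREDENTIALS = {"alice": "correct horse"}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sts_issue_token(user, password, audience, now=None, ttl=300):
    """Steps 1-2: the STS verifies the client's credentials and, only on
    success, issues a token bound to the target service and a lifetime."""
    now = now or int(time.time())
    if not hmac.compare_digest(CREDENTIALS.get(user, ""), password):
        return None                     # authentication failed: no token
    body = json.dumps({"sub": user, "aud": audience, "iat": now, "exp": now + ttl},
                      sort_keys=True).encode()
    sig = hmac.new(STS_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def wsp_verify_token(token, expected_audience, now=None):
    """Step 4: the Web service accepts the token only if it carries a valid
    signature from the trusted STS, is unexpired, and was issued for it."""
    now = now or int(time.time())
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError, AttributeError):
        return None                     # malformed token
    expected = hmac.new(STS_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                     # not issued by the trusted STS
    claims = json.loads(body)
    if claims.get("aud") != expected_audience:
        return None                     # issued for a different service
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return None                     # expired or not yet valid
    return claims["sub"]                # the presenter from step 3 is authenticated

if __name__ == "__main__":
    tok = sts_issue_token("alice", "correct horse", "urn:example:payroll-ws")
    print(wsp_verify_token(tok, "urn:example:payroll-ws"))   # prints alice
```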