Single sign on using WSO2 identity server
Transcript of "Single sign on using WSO2 identity server"

  1. Single sign-on using WSO2 Identity Server
     S.Uthaiyashankar, shankar@wso2.com, VP, Engineering
  2. About WSO2
     • Providing the only complete open source componentized cloud platform
       – Dedicated to removing all the stumbling blocks to enterprise agility
       – Enabling you to focus on business logic and business value
     • Recognized by leading analyst firms as visionaries and leaders
       – Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
       – Forrester places WSO2 in top 2 for API Management
     • Global corporation with offices in USA, UK & Sri Lanka
       – 200+ employees and growing
     • Business model of selling comprehensive support & maintenance for our products
  3. 150+ globally positioned support customers
  4. Topics Covered…
     • Importance of Single Sign-On
     • Single Sign-On patterns
     • Single Sign-On support in WSO2 Identity Server
  5. The Story Begins…
  6. That is not the End…
  7. Problems…
     • User Perspective:
       – Different username, password for different systems
         • Preferred username is already taken
         • Using same username/password might become a security risk
       – Too many username, password
       – Losing possible collaborations
  8. Problems…
     • IT Perspective:
       – Provisioning/De-provisioning users
       – Auditing user activities
       – No single view of user
       – Deploying new applications
  9. Shared User Store - Possible Solution?
  10. Problems…
     • Multiple logins
     • Cloud Services and 3rd party applications
  11. Solution
     • Federated Identity and Single Sign-On
     (Diagram labels: Authentication, Identity Provider, Trust, Service Consumption, Service Providers)
  12. Single Sign-On and Federated Identity
  13. Single Sign-On and Federated Identity
     • Single Identity
     • Possibility of Collaboration between applications
     • User Convenience
     • Login only once and can access any services
     • Easy administration
       – Provisioning, de-provisioning, forgot password
  14. WSO2 Identity Server
  15. Key Requirements For Identity Federation: Identity Management and Authentication
     • Authentication
       – Multi-Factor Authentication
     • Identity Management
       – Attributes / Claims
  16. Key Requirements For Identity Federation: Trust Between Domains
     • Trust
       – Pre-established
         • Common in Enterprise scenarios
       – Established only when accessing the service
         • Common in web scenarios
     • Identity Provider Discovery
  17. Key Requirements For Identity Federation: Identity and Attribute Mapping
     • Mapping user identity of one system to another
       – Username
       – Out of Band
       – Pseudonym
         • Transient
         • Persistent
     • Mapping attribute names in different systems
     • Mapping attribute values in different systems
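The pseudonym and attribute mapping of slide 17, as an added example (not WSO2 Identity Server code): an IdP derives a per-SP persistent or transient NameID and renames and translates claims per SP. The user record, SP names, mapping tables and IdP secret are constructed values.

```python
import hashlib, hmac, secrets

# Constructed IdP user record and per-SP mapping rules (not real data).
USER = {"uid": "u1001", "mail": "alice@example.test", "ou": "Engineering", "role": "mgr"}
SP_CONFIG = {
    "crm.example.test": {"nameid": "persistent",
                         "claims": {"mail": "email", "ou": "department"},   # local name -> SP name
                         "values": {"ou": {"Engineering": "ENG"}}},        # local value -> SP value
    "wiki.example.test": {"nameid": "transient",
                          "claims": {"role": "group"},
                          "values": {"role": {"mgr": "wiki-admins"}}},
}

def pseudonym(idp_secret: bytes, uid: str, sp: str, kind: str) -> str:
    # Persistent: stable for one (user, SP) pair so the SP can keep a local account, but keyed by
    # an IdP-only secret and the SP's entity id, so two SPs cannot correlate the same user.
    # Transient: fresh random value per login; the IdP holds the session-scoped mapping.
    if kind == "persistent":
        return hmac.new(idp_secret, f"{sp}|{uid}".encode(), hashlib.sha256).hexdigest()[:32]
    if kind == "transient":
        return "_" + secrets.token_hex(16)
    raise ValueError(f"unknown NameID kind {kind!r}")

def map_attributes(user: dict, cfg: dict) -> dict:
    # Rename claims and translate values per SP; anything not listed is withheld (least disclosure).
    out = {}
    for local_name, sp_name in cfg["claims"].items():
        value = user[local_name]
        out[sp_name] = cfg["values"].get(local_name, {}).get(value, value)
    return out

def build_assertion(idp_secret: bytes, user: dict, sp: str) -> dict:
    # What the IdP would place in the assertion's subject and attribute statement for this SP.
    cfg = SP_CONFIG[sp]
    return {"name_id": pseudonym(idp_secret, user["uid"], sp, cfg["nameid"]),
            "attributes": map_attributes(user, cfg)}
```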
  18. Key Requirements For Identity Federation: Attribute Exchange
     • One system requesting additional attributes from another system
  19. Protocols and Standards
     • OpenID
     • SAML2 Web Browser SSO
     • WS-Trust & WS-Federation
     • Kerberos
  20. OpenID
     http://openid.net/get-an-openid/
  21. OpenID Identifiers
     • Google
       – https://profiles.google.com/YourGoogleID
     • Blogger
       – http://blogname.blogspot.com/
     • MySpace
       – http://www.myspace.com/username
  22. OpenID
     (Flow diagram, 7 numbered steps; recovered labels: Service Provider A (Relying Party), Identity Provider (Single Sign-On Service); Access Service, Provide OpenID, Discover Provider (XRI Resolution, Yadis, HTML Based Discovery), Create shared secret, Browser Redirect to IdP, Allow Access to Service)
  23. SAML2 Web Browser SSO
  24. SAML2 Web Browser SSO
     (Flow diagram, 7 numbered steps; recovered labels: Service Provider A (Assertion Consumer Service), Identity Provider (Single Sign-On Service), Trust; Access Service, Select Identity Provider, Browser Redirect to IdP, Allow Access to Service)
  25. WS-Trust
     (Flow diagram, 5 numbered steps; recovered labels: Identity Provider (Security Token Service), Service Provider A, Trust; Authentication (Username/x509/etc.), Security Token, Verify Token (e.g.: Check signature))
  26. WS-Federation
     (Flow diagram, 8 numbered steps; recovered labels: Domain A: Identity Provider A (Security Token Service); Domain B: Identity Provider B (Security Token Service), Service Provider B; Trust; Authentication (Username/x509/etc.), Security Token A, Verify Token A (e.g.: Check signature), Verify Token B (e.g.: Check signature))
  27. Kerberos
     (Flow diagram, 8 numbered steps; recovered labels: Identity Provider (Key Distribution Center) with Authentication Service and Ticket Granting Service; Service Provider with Service Shared Key; UserName, Session Key + Ticket Granting Ticket, Ticket Granting Ticket + Authenticator, Verify Authenticator, Security Token, Verify Security Token)
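The Kerberos flow of slide 27 traced end to end, as an added example (not code from the deck or from WSO2): the KDC's Authentication Service issues a session key and TGT, its Ticket Granting Service verifies the authenticator and issues a service token, and the Service Provider verifies the token with its shared key, rejecting expired, replayed or wrong-key material. Ticket and authenticator "encryption" is a constructed HMAC seal (integrity only), and the principal keys are constructed demo values.

```python
import hashlib, hmac, json, os
KEYS = {"krbtgt": b"k" * 32, "alice": b"a" * 32, "http/app": b"s" * 32}  # constructed demo keys

def seal(key: bytes, payload: dict) -> bytes:
    # Stand-in for Kerberos encryption: HMAC-authenticated JSON (integrity only; real Kerberos encrypts, RFC 3962).
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key: bytes, blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("tampered or wrong-key ticket/authenticator")
    return json.loads(body)

def authenticator(session_key: str, cname: str, now: int) -> bytes:
    return seal(bytes.fromhex(session_key), {"cname": cname, "ts": now, "nonce": os.urandom(8).hex()})

def verify(ticket: dict, auth: bytes, now: int, seen: set, skew: int = 300) -> dict:
    # "Verify Authenticator" / "Verify Security Token": open the authenticator with the ticket's session key, then enforce expiry, skew and replay.
    a = unseal(bytes.fromhex(ticket["key"]), auth)
    if now > ticket["exp"] or abs(a["ts"] - now) > skew or a["cname"] != ticket["cname"]:
        raise ValueError("expired ticket, stale authenticator or name mismatch")
    if auth in seen:
        raise ValueError("authenticator replayed")
    seen.add(auth)
    return ticket

class KDC:  # Identity Provider (Key Distribution Center)
    def __init__(self, keys: dict):
        self.keys, self.seen = keys, set()  # long-term principal keys; TGS replay cache
    def authn_service(self, user: str, now: int):  # UserName -> Session Key + Ticket Granting Ticket
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": user, "key": sk, "exp": now + 600})
        return seal(self.keys[user], {"key": sk}), tgt  # only the real user can open the first part
    def ticket_granting(self, tgt: bytes, auth: bytes, svc: str, now: int):  # TGT + Authenticator -> Security Token
        t = verify(unseal(self.keys["krbtgt"], tgt), auth, now, self.seen)
        sk = os.urandom(32).hex()
        tkt = seal(self.keys[svc], {"cname": t["cname"], "key": sk, "exp": now + 600})
        return seal(bytes.fromhex(t["key"]), {"key": sk}), tkt

def service_accept(svc_key: bytes, tkt: bytes, auth: bytes, now: int, seen: set) -> str:
    # Service Provider opens the Security Token with its Service Shared Key and verifies the authenticator.
    return verify(unseal(svc_key, tkt), auth, now, seen)["cname"]

def login(kdc: KDC, user: str, user_key: bytes, svc: str, now: int):
    # Client side of the whole flow; returns the token and authenticator it presents to the service.
    sk_blob, tgt = kdc.authn_service(user, now)
    sk = unseal(user_key, sk_blob)["key"]
    svc_sk_blob, tkt = kdc.ticket_granting(tgt, authenticator(sk, user, now), svc, now)
    return tkt, authenticator(unseal(bytes.fromhex(sk), svc_sk_blob)["key"], user, now)
```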
  28. Some Federation Patterns Using WSO2 Identity Server
  29. Token Exchange
  30. IdP Proxy Pattern
  31. IdP Proxy Pattern
  32. IdP Proxy Pattern
  33. Questions?
  34. Engage with WSO2
     • Helping you get the most out of your deployments
     • From project evaluation and inception to development and going into production, WSO2 is your partner in ensuring 100% project success