Open sso fisl9.0

Slide 1
Open Source Identity Integration with OpenSSO
April 19, 2008
Pat Patterson, Federation Architect
pat.patterson@sun.com
blogs.sun.com/superpat
Slide 2: Agenda
• Web Access Management
  > The Problem
  > The Solution
  > How Does It Work?
• Federation
  > Single Sign-On Beyond a Single Enterprise
  > How Does It Work?
• OpenSSO
  > Project Overview
Slide 3: Typical Problems
• "Every application wants me to log in!"
• "I have too many passwords – my monitor is covered in Post-its!"
• "We're implementing Sarbanes-Oxley – we need to control access to applications!"
• "We need to access outsourced functions!"
• "Our partners need to access our applications!"
Slide 4: Web Access Management
• Simplest scenario is within a single organization
• Factor authentication and authorization out of web applications into a web access management (WAM) solution
• Can use browser cookies within a DNS domain
• Proxy or agent architecture implements role-based access control (RBAC)
• Users get single sign-on, IT gets control
Slide 5: Single Sign-On Within an Organization
[Diagram: End User, two Web Servers, an Application Server and a central SSO Server]
Slide 6: How It Works
Participants: SSO Server, Browser, Agent, Application
1. Browser -> Agent: GET hrapp/index.html
2. Agent -> Browser: Redirect to SSO Server
3. Browser <-> SSO Server: Authenticate
4. SSO Server -> Browser: Redirect to hrapp/index.html (with SSO cookie)
5. Browser -> Agent: GET hrapp/index.html (with SSO cookie)
6. Agent -> SSO Server: Is this user allowed to access hrapp/index.html?
7. SSO Server -> Agent: Yes!
8. Agent -> Application: Allow request to proceed
9. Application -> Browser: Application response
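The agent/SSO-server exchange on this slide, as an added Ruby example (this is not OpenSSO's own agent or server code): the agent redirects a session-less request to the SSO server with the original URL as a "goto" parameter, the SSO server authenticates the user and sets an opaque session cookie scoped to the DNS domain, and on the second request the agent looks the cookie up server-side and asks the policy whether the user may reach that URL. The cookie name, host names, session table and policy table are assumptions made for this example; the check that confines the post-login "goto" redirect to the SSO cookie's domain is a design choice of this example, not something the slide states.

```ruby
require "securerandom"

# Added example (not OpenSSO code): a simulation of the agent / SSO-server
# exchange from the slide. Names below are assumptions for this example.
SSO_COOKIE = "iPlanetDirectoryPro"   # assumed cookie name the agent looks for
SSO_DOMAIN = ".example.com"          # the cookie is scoped to this DNS domain
SSO_LOGIN  = "https://sso.example.com/login"

# Server-side session table: cookie value => user. The cookie is an opaque
# handle; neither the browser nor the agent can read claims out of it.
SESSIONS = {}

# Policy: URL path prefix => roles allowed to access it ("any" = all users).
POLICY = {
  "/hrapp/"  => %w[hr admin],
  "/public/" => %w[any],
}

# Step 2: no valid session, so the agent sends the browser to the SSO server
# carrying the originally requested URL as the goto parameter.
def agent_redirect(host, path)
  "#{SSO_LOGIN}?goto=https://#{host}#{path}"
end

# Step 3 and 4: the SSO server authenticates the user (credential checking is
# out of scope here), issues a random session handle as a domain-wide cookie,
# and redirects back to goto. Only goto URLs inside the cookie domain are
# honoured, so the login page cannot be used as an open redirector.
def sso_authenticate(user, roles, goto)
  goto_host = goto[%r{\Ahttps://([^/]+)}, 1]
  raise ArgumentError, "goto outside #{SSO_DOMAIN}" unless goto_host&.end_with?(SSO_DOMAIN)
  token = SecureRandom.hex(16)
  SESSIONS[token] = { user: user, roles: roles }
  { set_cookie: "#{SSO_COOKIE}=#{token}; Domain=#{SSO_DOMAIN}; Secure; HttpOnly",
    redirect: goto }
end

# Steps 1 and 5-8: the agent in front of the application. It never trusts the
# cookie contents; it resolves the handle in the SSO server's session table
# and asks the policy whether this user's roles may reach the path.
def agent_handle(host, path, cookies)
  session = SESSIONS[cookies[SSO_COOKIE]]
  return { status: 302, location: agent_redirect(host, path) } unless session
  rule = POLICY.find { |prefix, _| path.start_with?(prefix) }
  return { status: 403 } unless rule      # no policy for this URL: deny
  allowed = rule[1]
  if allowed.include?("any") || (session[:roles] & allowed).any?
    { status: 200, user: session[:user] }
  else
    { status: 403 }
  end
end
```

Because the cookie carries Domain=.example.com, a browser sends it to hr.example.com and sales.example.com but never to a partner's host in another DNS domain; that boundary is exactly what slide 9 calls out when it says cookies no longer work between organizations.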
Slide 7: Web Access Management Products
• Sun Java System Access Manager
  > OpenSSO
• CA (Netegrity) SiteMinder Access Manager
• IBM Tivoli Access Manager
• Oracle (Oblix) Access Manager
• Novell Access Manager
• JA-SIG CAS
• JOSSO
Slide 8: Typical Problems
• "Every application wants me to log in!"
• "I have too many passwords – my monitor is covered in Post-its!"
• "We're implementing Sarbanes-Oxley – we need to control access to applications!"
• "We need to access outsourced functions!"
• "Our partners need to access our applications!"
Slide 9: Single Sign-On between Organizations
• Cookies no longer work
  > Need a more sophisticated protocol
• Can't mandate a single-vendor solution
  > Need standards for interoperability
Slide 10: Single Sign-On Standards
[Timeline figure, 2002 to 2006: Liberty "Phase 1", Liberty ID-FF 1.1 and 1.2, converging into SAML 2 ("Liberty Federation" = SAML 2); SAML 1, SAML 1.1, SAML 2; Shibboleth 1.0, 1.1, 1.2; WS-Federation 1.0, 1.1]
Slide 11: SAML 2.0 Concepts
• Profiles: combining protocols, bindings, and assertions to support a defined use case
• Bindings: mapping SAML protocols onto standard messaging or communication protocols
• Protocols: request/response pairs for obtaining assertions and doing ID management
• Assertions: authentication, attribute and entitlement information
• Authentication Context: detailed data on types and strengths of authentication
• Metadata: IdP and SP configuration data
Slide 12: SSO Across Organizations
[Diagram: End User, one Identity Provider and three Service Providers]
Slide 13: SAML 2.0 SSO Basics
Participants: Identity Provider, Browser, Service Provider
1. Browser -> Service Provider: GET hrapp/index.html
2. Service Provider -> Browser: Redirect with SAML Request
3. Browser -> Identity Provider: SAML Authentication Request
4. Browser <-> Identity Provider: Authenticate
5. Identity Provider -> Browser: HTML form with SAML Response
6. Browser -> Service Provider: SAML Response (form POST)
7. Service Provider examines SAML Response and makes access control decision
8. Service Provider -> Browser: Response
Slide 14: SAML 2.0 Assertion (Abbreviated!)

  <saml:Assertion Version="2.0" ID="..." IssueInstant="2007-11-06T16:42:28Z">
    <saml:Issuer>https://pat-pattersons-computer.local:8181/</saml:Issuer>
    <ds:Signature>...</ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:...:persistent" ...>
        ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
        <saml:SubjectConfirmationData .../>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z">
      <saml:AudienceRestriction>
        <saml:Audience>
          https://pat-pattersons-computer.local/example-pat/
        </saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z" ...>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:...:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
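Slide 13 ends with the Service Provider examining the SAML Response before it makes an access control decision, and slide 14 shows the fields that examination has to look at. The following is an added Ruby example of that check (it is neither OpenSSO's code nor the OpenSSO Ruby SP extension's): it parses a constructed assertion modelled on the slide and rejects it unless the Version is 2.0, the Issuer is the expected IdP, the SubjectConfirmation is bearer and not expired, the Conditions window contains the current time (with a small clock-skew allowance), the AudienceRestriction names this SP, and an AuthnStatement is present. The sample omits the Signature element, spells out the persistent NameID format and adds a Recipient attribute; those, the clock-skew value and the ACS URL are assumptions made for this example. XML signature verification against the IdP's metadata certificate is assumed to have happened before this check and is not shown.

```ruby
require "rexml/document"
require "time"

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER  = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample (not IdP output), modelled on the slide's abbreviated
# assertion. Signature omitted; Recipient is an assumption for the example.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="#{SAML_NS}" Version="2.0" ID="_example-id"
                  IssueInstant="2007-11-06T16:42:28Z">
    <saml:Issuer>https://pat-pattersons-computer.local:8181/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M</saml:NameID>
      <saml:SubjectConfirmation Method="#{BEARER}">
        <saml:SubjectConfirmationData NotOnOrAfter="2007-11-06T16:52:28Z"
            Recipient="https://pat-pattersons-computer.local/example-pat/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://pat-pattersons-computer.local/example-pat/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
XML

# Returns the list of reasons the SP must reject the assertion; an empty list
# means the SP may proceed to its access control decision. `skew` (seconds) is
# an assumed tolerance for clock drift between IdP and SP.
def check_assertion(xml, issuer:, audience:, recipient:, now:, skew: 60)
  ns = { "saml" => SAML_NS }
  a = REXML::Document.new(xml).root
  problems = []

  # The root must be a SAML 2.0 Assertion in the 2.0 assertion namespace.
  unless a.name == "Assertion" && a.namespace == SAML_NS && a.attributes["Version"] == "2.0"
    return ["not a SAML 2.0 assertion"]
  end

  # Issuer must be the IdP this SP was configured to trust (from its metadata).
  issuer_el = REXML::XPath.first(a, "saml:Issuer", ns)
  problems << "unexpected issuer" unless issuer_el && issuer_el.text.to_s.strip == issuer

  # Web SSO uses bearer confirmation; its own expiry and Recipient are checked
  # separately from the assertion-wide Conditions.
  conf = REXML::XPath.first(a, "saml:Subject/saml:SubjectConfirmation", ns)
  if conf.nil? || conf.attributes["Method"] != BEARER
    problems << "subject confirmation is not bearer"
  elsif (data = REXML::XPath.first(conf, "saml:SubjectConfirmationData", ns))
    exp = data.attributes["NotOnOrAfter"]
    problems << "bearer confirmation expired" if exp && now >= Time.iso8601(exp) + skew
    rcpt = data.attributes["Recipient"]
    problems << "recipient mismatch" if rcpt && rcpt != recipient
  end

  # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
  cond = REXML::XPath.first(a, "saml:Conditions", ns)
  if cond.nil?
    problems << "no Conditions"
  else
    nb = cond.attributes["NotBefore"]
    na = cond.attributes["NotOnOrAfter"]
    problems << "assertion not yet valid" if nb && now < Time.iso8601(nb) - skew
    problems << "assertion expired" if na && now >= Time.iso8601(na) + skew
    # The assertion must be addressed to this SP, otherwise an assertion
    # issued for another SP could be replayed here.
    audiences = REXML::XPath.match(cond, "saml:AudienceRestriction/saml:Audience", ns)
                            .map { |e| e.text.to_s.strip }
    problems << "audience mismatch" unless audiences.include?(audience)
  end

  # SSO needs an authentication statement (it also carries the AuthnContext).
  problems << "no AuthnStatement" if REXML::XPath.first(a, "saml:AuthnStatement", ns).nil?
  problems
end
```

Two things a production SP does in addition are not shown here: remembering each accepted assertion ID until its NotOnOrAfter so a captured Response cannot be replayed within the window, and comparing the AuthnContextClassRef against the strength the protected application requires.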
Slide 15: SAML 2.0 Adoption
• Sun, IBM, CA – all the usual suspects, except Microsoft
• OpenSAML (Internet2)
  > Java, C++
• OpenSSO (Sun)
  > Java, PHP, Ruby
• SimpleSAMLphp (Feide)
• LASSO (Entrouvert)
  > C/SWIG
• ZXID (Symlabs)
  > C/SWIG
Slide 16: What is OpenSSO?
• OpenSSO 1.0 == Federated Access Manager 8.0
• Open Access: all FAM 8.0 builds available via OpenSSO
• Open Federation: preview features
• Provide feedback
• Review code security
Slide 17: OpenSSO Momentum
• In less than 2 years...
  > 650 project members at opensso.org
  > ~15 external committers
  > Consistently in Top 10* java.net projects by mail traffic
    – * of over 3000 projects
• Production deployments
  > www.audi.co.uk – 250,000 customer profiles
  > openid.sun.com – OpenID for Sun employees
  > telenet.be – Foundation for fine-grained authorization
Slide 18: OpenSSO Roadmap
[Timeline figure. Milestones shown: Federation Manager 7.0 (Q4CY05); Access Manager 7.1 (Q4CY06); OpenSSO (Q3CY06) and OpenSSO Federation (Q4CY06); OpenSSO 1.0 / FAM 8.0 (Summer 2008); OpenSSO 1.next / FAM 8.1 (End of 2008)]
Slide 19: OpenSSO 1.0
Access Management
• Centralized Agent Configuration & Deployment
• Centralized Configuration
• XACML Request/Response
• Wide choice of Application Servers
Federation
• Fedlet
• Virtual Federation
• Multi-Federation Protocol Hub
• WS-Federation 1.1
• 3rd Party WAM Interoperability
Slide 20: OpenSSO 1.0
Identity Services
• Authentication as a service
• Authorization as a service
• Audit as a service
• Attribute Query as a service
• Secure Trust Authority
• Web Services Security Plug-ins
• SDK for Securing Web Services
But that's not all...
Slide 21: OpenSSO Extensions
https://opensso.dev.java.net/public/extensions/
SAML 2.0
• PHP SAML 2.0 SP implementation
  > Picked up by Feide (Norway)
• Ruby SAML 2.0 SP implementation
• SAML 2.0 ECP test rig
OpenID
• OpenID 1.1 Provider
  > Deployed at openid.sun.com
Client SDK
• PHP Client SDK implementation
Authentication Modules
• ActivIdentity 4Tress
• Hitachi Finger Vein Biometric
• Information Card (aka CardSpace)
Slide 22: Participate!
• Join
  > Sign up at opensso.org
• Download
  > OpenSSO 1.0 Build 4
• Subscribe
  > OpenSSO mailing lists: dev, users, announce
• Chat
  > #opensso on freenode.net
Slide 23: Resources
OpenSSO
• http://opensso.org/
• https://opensso.dev.java.net/public/extensions/
SAML @ Globo.com
• André Bechara video
  > http://tinyurl.com/6rugrm
Pat's Blog
• Superpatterns
  > http://blogs.sun.com/superpat/
Daniel Raskin's Blog
• Virtual Daniel
  > http://blogs.sun.com/raskin/
