Web Identity Management
Anderson Liang
CTO, cacaFly
Nov. 24, 2010
Lecture 20101124
Slide 2: Problems
Too many IDs and passwords
Someone took my desired name
Duplicated profiles everywhere
Account management is hard

Slide 3: Users want
A single identity
Roaming among sites: sign on once vs. signing on at every site

Slide 4: Administrators want
Are "they" the same guy? Federated identity

Slide 5: Portal
Hide and bridge everything behind the portal
Provide a sign-on-once experience
Slide 6: What enterprises have
There are a lot of solutions dealing with these problems for enterprises:
Novell, Microsoft, IBM, Oracle, Sun Microsystems (acquired by Oracle), and other ISVs

Slide 7: Portal with SSO and identity integration (source: Novell Inc.)
Diagram labels: customers, partners, employees; account/password (anderson / ********); Portal + Novell Access Manager; Oracle DB, Web Server, MS AD, Sun iDS, Mail Server, FTP Server; NIS Driver, LDAP Driver, JDBC Driver, AD Driver; eDirectory, Novell Identity Manager
Slide 8: Unified management of identity (source: Novell Inc.)
Single sign-on, central management, identity integration

Slide 9: Cover the complete identity lifecycle (source: Novell Inc.)
Diagram labels: lifecycle events (promote, relocate, new project, forgot password, password expired, resource access control, ...); stages: provision, account management, de-provision; components: AM, IDM, password management
Slide 10: What the open web has
SAML (2002~) and OpenID (2005~)
http://connectid.blogspot.com/2006/11/we-need-iiw-in-panama.html

Slide 11: What the open web has: the Open Stack (OpenID and more)
• Unencumbered, cross-platform standards
• Open source / free software implementations
• No single-vendor "lock-in"
• Distributed extensibility
http://developer.mozilla.org/presentations/sxsw2007/the_open_web/

Slide 12: Why do sites accept external identities?
Enhance user engagement
Leverage social impressions
or: the "outside" identity belongs to the same real person, who has a relationship with an "inside" identity

Slide 13: Technically speaking
We're dealing with the problem of "authentication" and "authorization" among different sites
Slide 14: OpenID introduction
Ref: http://www.slideshare.net/daveman692/open-id-overview-seoul-july-2007

Slide 15: What's OpenID
Single sign-on for the web
Simple and lightweight: not going to replace your bank card PIN
Easy to use and deploy
Built upon proven existing technologies: DNS, HTTP, SSL/TLS, Diffie-Hellman
Decentralized: no single point of failure in the protocol
User-centric (not site-centric)
Free!

Slide 16: An OpenID is a URI
URLs are globally unique and ubiquitous
OpenID allows proving ownership of a URI
People already have identities at URLs via blogs, photos, MySpace, Facebook, DAUM, etc.

Slide 17: My OpenID

Slide 18: How it works
Parties: Service Provider (IdP), Consumer Application (Relying Party, RP), End User

Slide 19: How it works
1. The site fetches the HTML of my OpenID
2. It finds "openid.server"
3. It establishes a shared secret with the provider
4. It redirects my browser to the provider, where I authenticate and allow the OpenID login
5. The provider redirects my browser back to the site with an OpenID response
6. The site verifies the signature and logs me in
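Steps 3, 5 and 6 of the flow above are where the security of the login lives: the relying party checks the provider's assertion with the shared secret rather than trusting whatever the browser brings back. The following is an added example, not code from the deck or from any OpenID library, that models both sides in Python 3 with the standard library only. The association secret, handle, provider endpoint and return_to URL are constructed values; in the real protocol the secret comes out of the Diffie-Hellman association of step 3. The signed-field list and the "key:value\n" Key-Value Form are the OpenID 2.0 conventions.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time

# Constructed association (example values, not a real provider's): in OpenID the
# RP and the provider agree this secret via Diffie-Hellman in step 3, so the RP
# can check step 5's assertion locally in step 6 without a second round trip.
ASSOC_HANDLE = "demo-assoc-1"
ASSOC_SECRET = bytes(range(20))                     # 160-bit key for HMAC-SHA1 (assumed)
OP_ENDPOINT = "https://openid.example.net/server"   # hypothetical provider endpoint
RETURN_TO = "https://rp.example.org/openid/return"  # hypothetical RP callback URL

# Fields whose values must be covered by the signature (OpenID 2.0 minimum set).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


def kv_form(fields, signed):
    """Key-Value Form of the signed fields: 'key:value\\n' per field, prefix stripped, in order."""
    return "".join(f"{key}:{fields['openid.' + key]}\n" for key in signed).encode()


def sign(secret, data):
    return base64.b64encode(hmac.new(secret, data, hashlib.sha1).digest()).decode()


def op_build_response(claimed_id, secret=ASSOC_SECRET, handle=ASSOC_HANDLE):
    """Provider side (step 5): the positive assertion carried back through the browser."""
    # Nonce = UTC timestamp + random suffix; the RP uses it to reject replays.
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(8)
    resp = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": handle,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
    }
    signed = list(REQUIRED_SIGNED)
    resp["openid.signed"] = ",".join(signed)
    resp["openid.sig"] = sign(secret, kv_form(resp, signed))
    return resp


def rp_verify(resp, seen_nonces, secret=ASSOC_SECRET, handle=ASSOC_HANDLE, max_skew=300):
    """Relying-party side (step 6). Returns (ok, reason); on success records the nonce."""
    if resp.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if resp.get("openid.op_endpoint") != OP_ENDPOINT:
        return False, "assertion from an unexpected provider"
    if resp.get("openid.return_to") != RETURN_TO:
        return False, "return_to does not match this RP"
    if resp.get("openid.assoc_handle") != handle:
        return False, "unknown association handle"
    signed = resp.get("openid.signed", "").split(",")
    if not set(REQUIRED_SIGNED) <= set(signed):
        return False, "signature does not cover the required fields"
    try:
        expected = sign(secret, kv_form(resp, signed))
    except KeyError:
        return False, "a signed field is missing"
    # Constant-time comparison so the check leaks nothing about the MAC.
    if not hmac.compare_digest(expected, resp.get("openid.sig", "")):
        return False, "bad signature"
    nonce = resp["openid.response_nonce"]
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False, "malformed nonce"
    if abs(time.time() - issued) > max_skew:
        return False, "stale nonce"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"
```

The order of the checks matters less than their completeness: an RP that only checks the MAC but not return_to, the provider endpoint or the nonce will accept an assertion minted for another site or an old one replayed from a log.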
Slide 20: Sign on at the RP site

Slide 21: Redirect to the IdP for authentication

Slide 22: Grant permission to the RP site

Slide 23: Sign-on process succeeded!

Slide 24: Create an OpenID on your own domain
in http://andersonlamp.hopto.org/index.php

Slide 25: How it works in detail
http://www.openaselect.org/trac/openaselect/wiki/OpenID
Slide 26: Related specifications
OpenID Authentication 1.1/2.0
OpenID Attribute Exchange (AX) 1.0
OpenID Provider Authentication Policy Extension (PAPE) 1.0
OpenID Simple Registration Extension (SReg) 1.0
Yadis Discovery Protocol

Slide 27: Demo: Yadis discovery
Open-source OpenID implementation
Test sites: myid.tw, myopenid.com, Google, Yahoo
Slide 28: myid.tw

Slide 29: myopenid.com

Slide 30: Google

Slide 31: blogspot

Slide 32: Yahoo

Slide 33: (no text on slide)

Slide 34: Is OpenID enough?
OpenID deals with the "identity", not the "resources"
Several extensions enhance authorization for accessing "resources"
Slide 35: OpenID conversation
http://www.slideshare.net/steveivy/openid-oauth-an-introduction

Slide 36: OAuth conversation
http://www.slideshare.net/steveivy/openid-oauth-an-introduction

Slide 37: OAuth introduction
Ref: http://www.slideshare.net/rmetzler/identity-on-the-web-openid-vs-oauth

Slide 38: What's OAuth?
Sharing your data without sharing your password
Site-centric / centralized
Registration-based
Secure API authentication

Slide 39: Roles
• The user owns a resource at the service provider
• The consumer is registered manually at the service provider
• The user grants the consumer access to the resource

Slide 40: OAuth flow
http://oauth.net/core/diagram.png
Slide 41: Sign in with OAuth

Slide 42: Authenticate

Slide 43: Grant access

Slide 44: Logged in

Slide 45: OpenID vs. OAuth
OpenID: sharing identity; decentralized; consumer-provider relationship: unknown
OAuth: sharing resources; centralized; consumer-provider relationship: known
Slide 46: Google works: OpenID + OAuth

Slide 47: Google Account as OpenID
Everyone can paste https://www.google.com/accounts/o8/id and log in with it as their OpenID
It will be discovered by the RP as a server endpoint, triggering an id_select login process
You will be issued an OpenID such as https://www.google.com/accounts/o8/id?id=AItOwk...nqJOSI
from: http://www.slideshare.net/timdream/google-apps-account-as-openid

Slide 48: Google Account as OpenID
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>
from: http://www.slideshare.net/timdream/google-apps-account-as-openid
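The XRDS document above is what the Yadis discovery demo of slide 27 fetches, and the first <Type> in it is what decides whether the RP starts an id_select or a signon login (slide 50). The following is an added example, not the deck's or any library's code: a small discovery step in Python 3 that parses an XRDS document, picks the highest-priority OpenID 2.0 service, and reports the endpoint, the login mode and the advertised extensions. The first sample document is constructed after the one on the slide; the second, a per-user signon service with a LocalID at a hypothetical provider, is constructed here to show the other branch.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"   # namespace of <XRD>, <Service>, <Type>, <URI>, <LocalID>
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"   # OP identifier -> id_select
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"   # claimed identifier -> signon
AX_1_0 = "http://openid.net/srv/ax/1.0"

# Constructed after the XRDS on the slide (Google's OP identifier document).
OP_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed: a personal identifier delegating to a hypothetical provider.
USER_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://openid.example.net/server</URI>
      <LocalID>https://openid.example.net/users/alice</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""


def _tag(local):
    return f"{{{XRD_NS}}}{local}"


def parse_xrds_services(xrds_bytes):
    """Return every <Service> as a dict: types, uris, local_id, priority (None = lowest)."""
    # The default ElementTree parser does not resolve external entities; still, only
    # feed it documents fetched over TLS from the URL discovery started from.
    root = ET.fromstring(xrds_bytes)
    services = []
    for svc in root.iter(_tag("Service")):
        prio = svc.get("priority")
        local_id = svc.find(_tag("LocalID"))
        services.append({
            "types": [t.text.strip() for t in svc.findall(_tag("Type")) if t.text],
            "uris": [u.text.strip() for u in svc.findall(_tag("URI")) if u.text],
            "local_id": local_id.text.strip() if local_id is not None and local_id.text else None,
            "priority": int(prio) if prio is not None and prio.isdigit() else None,
        })
    # Lower priority value = preferred; services without one come last.
    services.sort(key=lambda s: (s["priority"] is None, s["priority"] or 0))
    return services


def discover(xrds_bytes):
    """Pick the OpenID 2.0 service and say which login process the RP must start."""
    for svc in parse_xrds_services(xrds_bytes):
        if OPENID2_SERVER in svc["types"]:
            mode = "id_select"   # OP identifier: the provider picks the user's ID
        elif OPENID2_SIGNON in svc["types"]:
            mode = "signon"      # claimed identifier: the RP already knows the ID
        else:
            continue             # not an OpenID 2.0 service (e.g. OAuth-only entries)
        if not svc["uris"]:
            continue
        return {
            "mode": mode,
            "endpoint": svc["uris"][0],
            "local_id": svc["local_id"],
            "extensions": [t for t in svc["types"] if t not in (OPENID2_SERVER, OPENID2_SIGNON)],
            "supports_ax": AX_1_0 in svc["types"],
        }
    return None
```

The endpoint returned here is the value the RP must later compare against openid.op_endpoint in the signed assertion; discovery and verification have to agree, or an assertion from any provider would be accepted.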
Slide 49: OpenID + OAuth dance
from: http://code.google.com/intl/zh-TW/apis/accounts/docs/OpenID.html

Slide 50: The "id_select" process?
New* in OpenID 2.0, which was introduced back in 2007
It indicates that the user wishes to use a specific OpenID IdP but did not know or state their own OpenID
Therefore the "id_select" login process asks the OpenID IdP to select an ID for the user
The other login process is the "signon" process
Slide 51: Yahoo: OpenID + OAuth

Slide 52: http://openid.yahoo.com/

Slide 53: Authenticate

Slide 54: Rename your OpenID

Slide 55: Yahoo dance

Slide 56: Facebook

Slide 57: facebook & yelp!
Slide 58: Single sign-on
Facebook enables you to remove the registration process for your site by enabling users to log in to your site with their Facebook account. Once a user logs in to your site with his or her Facebook account, you can access the user's account information from Facebook, and the user is logged in to your site as long as he or she is logged in to Facebook.
http://developers.facebook.com/docs/guides/web#login
http://www.facebook.com/instantpersonalization/

Slide 59: Register your resource (app)
http://developers.facebook.com/setup/

Slide 60: OAuth authorization
https://graph.facebook.com/oauth/authorize?client_id=<your App ID>&redirect_uri=<redirect URL>
resource

Slide 61: Grant access to the resource (app)
This is a demo app to show the usage of Facebook social plugins
http://andersonlamp.hopto.org/?code=2.XX7JPLln LnC26i_5ldohMQ__.3600.1290531600- 702462107|7qT7yWTCm4CjglPkLQDT2NnsMVw

Slide 62: Get the access token and invoke the Graph API
https://graph.facebook.com/oauth/access_token?client_id=<app id>&redirect_uri=<redirect url>&client_secret=<app secret>&code=<verification string>
access_token=1558827777************************4b20009d789d-100001*******************************LA44qC1NxGh-***
https://graph.facebook.com/me?access_token=...
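Slides 60 to 62 show the three legs of the authorization-code flow: the authorize redirect, the callback carrying ?code=, and the server-to-server token request. The following is an added example, not the deck's code and not Facebook's SDK: a Python 3 helper for the RP side that builds the authorize URL, validates the callback before the code is exchanged, and parses the token response. The state parameter, the session dictionary and the callback-URL check are assumptions added here for CSRF protection; they are not on the slides, though state is a standard OAuth 2.0 parameter. The form-encoded token response shape follows the access_token=... line on slide 62; JSON is accepted as well because later providers answer that way.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://graph.facebook.com/oauth/authorize"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"


def build_authorize_url(app_id, redirect_uri, session):
    """Leg 1 (slide 60): send the browser to the provider. `state` is a per-login
    random value kept in the server-side session (assumed here, not on the slides);
    it is what ties the callback back to the login this user actually started."""
    state = secrets.token_urlsafe(16)
    session["oauth_state"] = state
    session["oauth_redirect_uri"] = redirect_uri
    return AUTHORIZE_URL + "?" + urlencode(
        {"client_id": app_id, "redirect_uri": redirect_uri, "state": state})


def handle_callback(callback_url, session, app_id, app_secret):
    """Leg 2 (slide 61): the browser returns with ?code=...; validate it and return
    the parameters for the token request of slide 62."""
    parts = urlsplit(callback_url)
    query = parse_qs(parts.query)
    # The redirect must land on the URL we registered, not a look-alike.
    expected = urlsplit(session.get("oauth_redirect_uri", ""))
    if (parts.scheme, parts.netloc, parts.path) != (expected.scheme, expected.netloc, expected.path):
        raise ValueError("callback arrived at an unregistered redirect_uri")
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    saved = session.pop("oauth_state", None)     # single use: pop it, never reuse it
    if not saved or not secrets.compare_digest(state, saved):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    # Leg 3 goes to TOKEN_URL server-to-server, so the app secret never reaches the browser.
    return {"client_id": app_id, "redirect_uri": session["oauth_redirect_uri"],
            "client_secret": app_secret, "code": code}


def parse_token_response(body):
    """Leg 3 (slide 62): the 2010 Graph API answered `access_token=...&expires=...`;
    newer providers answer JSON with `expires_in`, so both shapes are handled."""
    body = body.strip()
    if body.startswith("{"):
        data = json.loads(body)
        token, expires = data.get("access_token"), data.get("expires_in")
    else:
        data = parse_qs(body)
        token = data.get("access_token", [None])[0]
        expires = data.get("expires", [None])[0]
    if not token:
        raise ValueError("token response carries no access_token")
    return {"access_token": token, "expires_in": int(expires) if expires is not None else None}


def redact(token):
    """Log a token the way slide 62 shows it: a few leading characters, the rest masked."""
    return token[:6] + "*" * max(len(token) - 6, 0)
```

expires_in is the "duration of the permission granted" of slide 72: store it with the token so the RP knows when the roaming session it gives the user has to end.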
Slide 63: Quick start with social plugins
http://developers.facebook.com/plugins
Like Button, Like Box, Comments, Activity Feed, Recommendations, Friendpile, Login Button, Live Stream

Slide 64: Case study

Slide 65: Redefine the problems: how to achieve identity federation?
Web single sign-on: how to let users sign on once (on one site) and roam everywhere (on other sites) for a given period of time?
Examples: the facebook Like Button outside facebook; the funP Push Button outside funP; Yam's identity in funP.com

Slide 66: facebook Like Button

Slide 67: funP Push Button

Slide 68: Sign on to Yam

Slide 69: Signed on to Yam successfully

Slide 70: Visit funP.com and click the Push Button

Slide 71: Ask for the remote identity
We have a valid session from Yam at this moment!

Slide 72: funP grants access without sign-on
Duration of the permission granted
The user has the choice to refuse to use the identity from Yam

Slide 73: Enter funP with Yam's identity

Slide 74: Click the Push Button with Yam's identity

Slide 75: Redefine the problems: how to achieve identity federation?
Identity integration (identity acquisition): how to recognize that different web identities represent the same real identity?
Cross-domain user account provisioning
Cross-domain entitlement management
Cross-domain user attribute exchange
Examples: funP, account acquisition from Yam; Jibjab.com, leveraging facebook accounts
Slide 76: funP.com

Slide 77: Option 1: Clone Yam's identity
Option 1 / Option 2

Slide 78: Option 1: Create a funP identity from Yam's identity

Slide 79: Option 2: Upgrade Yam's identity to a funP identity
Upgrade notice
Name the new identity

Slide 80: Option 2: Upgrade complete

Slide 81: Yam identity's replica in funP

Slide 82: Option 2: Acquire Yam's identity

Slide 83: Sign on to funP
Go to acquire external accounts

Slide 84: Acquire Yam's identity

Slide 85: Redirect to authenticate Yam's identity

Slide 86: Yam's authentication

Slide 87: Authenticated! Return to funP
Identity acquired! Ask for final confirmation
The user can abandon the acquired identity instead

Slide 88: Identity acquisition complete
Slide 89: Compound identity

Slide 90: Jibjab.com

Slide 91: Choose to sign on with the fb identity

Slide 92: Redirect to sign on with the fb identity

Slide 93: Grant fb permissions

Slide 94: Grant fb permission (again?)

Slide 95: Ask to merge the fb identity with the Jibjab one

Slide 96: Signed in with the fb identity

Slide 97: Users have the freedom to link to a jibjab account at any time
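The funP walkthrough (slides 75 to 88) and the Jibjab one (slides 90 to 97) are two shapes of the same data model: a local account that owns zero or more verified external identities, created either by cloning an external identity into a new account (Option 1) or by acquiring it into an existing one after re-authentication and a final confirmation the user may abandon (Option 2). The following is an added example, not funP's, Jibjab's or the deck's code: a Python 3 in-memory store for that "compound identity" with the two invariants a practitioner would want enforced: an external identity can map to at most one local account, and nothing is linked until the user confirms. Provider names, account IDs and the acquisition time limit are constructed values.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ExternalIdentity:
    provider: str        # constructed examples: "yam", "facebook"
    subject: str         # the provider's stable ID (OpenID claimed_id, fb user id)
    display_name: str = ""


@dataclass
class LocalAccount:
    account_id: str
    name: str
    links: set = field(default_factory=set)   # ExternalIdentity values linked to this account


class IdentityStore:
    """Compound identities: one local account, many linked external identities."""

    def __init__(self, acquisition_ttl=600):
        self.accounts = {}       # account_id -> LocalAccount
        self.link_index = {}     # ExternalIdentity -> account_id (each external id links once)
        self.pending = {}        # token -> (account_id, ExternalIdentity, expires_at)
        self.acquisition_ttl = acquisition_ttl   # assumed: 10 minutes to confirm

    def resolve(self, ext):
        """Federated sign-on: which local account does this verified external identity map to?"""
        acct_id = self.link_index.get(ext)
        return self.accounts[acct_id] if acct_id else None

    def clone(self, ext, new_name):
        """Option 1: create a fresh local account from the external identity and link it."""
        if ext in self.link_index:
            raise ValueError(f"{ext.provider}:{ext.subject} is already linked to an account")
        acct = LocalAccount(account_id=secrets.token_hex(4), name=new_name)
        self.accounts[acct.account_id] = acct
        self._link(acct, ext)
        return acct

    def begin_acquisition(self, account_id, ext):
        """Option 2: a signed-in local user links an external identity they have just
        proved at the provider (that redirect happens before this call). Nothing is
        stored until confirm_acquisition, so the user can still abandon it."""
        if account_id not in self.accounts:
            raise KeyError("unknown local account")
        if self.link_index.get(ext) not in (None, account_id):
            raise ValueError("external identity already belongs to another account")
        token = secrets.token_urlsafe(16)
        self.pending[token] = (account_id, ext, time.time() + self.acquisition_ttl)
        return token

    def confirm_acquisition(self, token):
        """The final confirmation of slide 87; re-checks uniqueness in case of a race."""
        acct_id, ext, expires_at = self.pending.pop(token)
        if time.time() > expires_at:
            raise ValueError("acquisition expired; start over")
        if self.link_index.get(ext) not in (None, acct_id):
            raise ValueError("external identity already belongs to another account")
        self._link(self.accounts[acct_id], ext)
        return self.accounts[acct_id]

    def abandon_acquisition(self, token):
        """The user abandons the acquired identity instead of confirming it."""
        return self.pending.pop(token, None) is not None

    def unlink(self, account_id, ext):
        """Let the user drop a link later (the freedom slide 97 describes)."""
        self.accounts[account_id].links.discard(ext)
        self.link_index.pop(ext, None)

    def _link(self, acct, ext):
        acct.links.add(ext)
        self.link_index[ext] = acct.account_id
```

The uniqueness index is the part that answers slide 75's question in code: two web identities are treated as the same real identity only after the user has proved control of both, and a second account can never claim an external identity that is already linked elsewhere.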
Slide 98: Remarks

Slide 99: OpenID is "Open" for "Users"
http://www.slideshare.net/steveivy/openid-oauth-an-introduction

Slide 100: OAuth is "Open" for "Applications"
http://www.slideshare.net/steveivy/openid-oauth-an-introduction

Slide 101: Q&A