Suresh Attanayake is a senior software engineer at WSO2 who will present on enterprise single sign-on technologies including SAML, OpenID Connect, and WS-Trust. WSO2 is an open source software company that provides an integration platform. The presentation will cover common SSO standards and protocols, how they work, and factors to consider when selecting a technology for a given environment.

1. Last Updated: Jun. 2014
Senior Software Engineer
Suresh Attanayake
Enterprise Single
Sign On : SAML, OpenID
Connect and more

2. 2
About the Presenter(s)
๏ Suresh Attanayake is a
Senior Software Engineer
at WSO2 from the
Solutions Architecture/
Technical Sales team.
He is a former Identity
Server team member and
have been involved in
various WSO2 customer
projects around the globe.

3. 3
About WSO2
๏ Global enterprise, founded
in 2005 by acknowledged
leaders in XML, web
services technologies,
standards and open source
๏ Provides only open source
platform-as-a-service for
private, public and hybrid
cloud deployments
๏ All WSO2 products are
100% open source and
released under the Apache
License Version 2.0.
๏ Is an Active Member of
OASIS, Cloud Security
Alliance, OSGi Alliance,
AMQP Working Group,
๏ Driven by
Innovation
๏ Launched first open source
API Management solution
in 2012
๏ Launched App Factory in
2Q 2013
๏ Launched Enterprise Store
and first open source
Mobile solution in 4Q 2013

4. 4
What WSO2 delivers

5. 5
Passwords
1)123456
2)password
3)12345678
4)qwerty
5)abc123
http://splashdata.com/press/worstpasswords2013.htm

6. 6
Password Fatigue
๏ Use easy to remember passwords
๏ Use the same password

7. 7
Single Sign On
๏ Single password to remember
๏ Use password only once
๏ Use password only at one place
๏ Ease of administration
๏ Enforce password/account policies

8. 8
SSO Model

9. 9
SAML2 Web Browser SSO
Profile
๏ XML based
๏ Web browser based
๏ Bindings:
๏ HTTP Redirect Binding
๏ HTTP POST Binding
๏ HTTP Artifact Binding
๏ Profiles:
๏ Single Logout Profile

10. 10
SAML2 Web Browser SSO

11. 11
SAML2 <AuthnRequest>

12. 12
SAML2 <Response>

13. 13
OpenID
๏ Plain Text Key-Value pairs
๏ Web browser based
๏ Indirect communication:
๏ HTTP Redirection
๏ HTTP Form submission
๏ Features:
๏ OpenID Provider (IDP) discovery
๏ OpenID Attribute Exchange / OpenID Simple Registration

14. 14
OpenID

15. 15
OpenID Authentication
Request
openid.ns:http://specs.openid.net/auth/2.0
openid.claimed_id:https://localhost:9443/openid/suresh
openid.identity:https://localhost:9443/openid/suresh
openid.return_to:http://localhost:8081/openid-attribute-exchange/attexconsumer?
is_id_res=true
openid.realm:http://localhost:8081/openid-attribute-exchange/attexconsumer?
is_id_res=true
openid.assoc_handle:AOQobUfyfIM0vAz-
VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiq
openid.mode:checkid_setup
openid.ns.ext1:http://openid.net/srv/ax/1.0
openid.ext1.mode:fetch_request
openid.ext1.type.email:http://axschema.org/contact/email
openid.ext1.type.firstname:http://axschema.org/namePerson/first
openid.ext1.type.lastname:http://axschema.org/namePerson/last
openid.ext1.type.country:http://axschema.org/contact/country/home
openid.ext1.type.language:http://axschema.org/pref/language
openid.ext1.required:email,firstname,lastname,country,language

16. 16
OpenID Authentication
Response
openid.op_endpoint:https://localhost:9443/openidserver
openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.
ext1,ext1.mode,ext1.type.firstname,ext1.value.firstname,ext1.type.email,ext1.value.email
,ext1.type.language,ext1.value.language,ext1.type.lastname,ext1.value.lastname
openid.ns.ext1:http://openid.net/srv/ax/1.0
openid.sig:wyQi3eTjESAVWsHjPODQ2q7UUVMvNOTySTCvffmqd+A=is_id_res:true
openid.response_nonce:2011-05-18T14:54:21Z0eugpxqu3Sv9Iw
openid.claimed_id:https://localhost:9443/openid/suresh
openid.ext1.value.lastname:Attnayake
openid.ext1.value.firstname:Suresh
openid.assoc_handle:AOQobUfyfIM0vAz-
VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiq
openid.ext1.value.email:suresh@wso2.com
openid.ext1.type.language:http://axschema.org/pref/language
openid.ext1.type.lastname:http://axschema.org/namePerson/last
openid.ext1.type.firstname:http://axschema.org/namePerson/first
openid.ns:http://specs.openid.net/auth/2.0
openid.identity:https://localhost:9443/openid/suresh
openid.ext1.type.email:http://axschema.org/contact/email
openid.mode:id_res
openid.ext1.mode:fetch_response
openid.ext1.value.language:en-US
openid.return_to:http://localhost:8081/openid-attribute-exchange/attexconsumer?
is_id_res=true

17. 17
OpenID Connect
๏ Built on top of OAuth2.0 framework
๏ Web browser based
๏ HTTP GET query params, HTTP POST request
params and JSON
๏ Authentication Flows:
๏ Authorization Code flow
๏ Implicit flow
๏ Hybrid flow

18. 18
OpenID Connect

19. 19
OIDC Authentication
Request
HTTP/1.1 302 Found
Location: https://server.example.com/authorize?
response_type=code
&scope=openid%20profile%20email
&client_id=s6BhdRkqt3
&state=af0ifjsldkj
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

20. 20
OIDC Authentication
Response
HTTP/1.1 302 Found
Location: https://client.example.org/cb?
code=SplxlOBeZQQYbYS6WxSbIA
&state=af0ifjsldkj

21. 21
OIDC Token Request
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

22. 22
OIDC Token Response
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"access_token": "SlAV32hkKG",
"token_type": "Bearer",
"refresh_token": "8xLOxBtZp8",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc
yI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5
NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZ
fV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz
AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6q
Jp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ
NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7Tpd
QyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS
K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4
XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
}

23. 23
OIDC IDToken
JWT header : {"alg":"RS256","kid":"1e9gdk7"}
JWT payload : {
"iss": "http://server.example.com",
"sub": "248289761001",
"aud": "23k23k3434",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970
}
JWT Signature

24. 24
UserInfo Request
GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer SlAV32hkKG

25. 25
UserInfo Response
HTTP/1.1 200 OK
Content-Type: application/json
{
"sub": "248289761001",
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"preferred_username": "j.doe",
"email": "janedoe@example.com",
"picture": "http://example.com/janedoe/me.jpg"
}

26. 26
WS-Trust

27. 27
Kerberos

28. 28
How to pick a technology
Examples:
1. How components interact with each other
2. Technologies preferred
3. Existing systems and limitations
4. Platforms

29. 29
Web Applications

30. 30
Business Model

31. 31
More Information !
๏ Include links to product downloads, white
paper downloads , etc.

32. Contact
us !