This document discusses web identity management and single sign-on solutions. It begins by outlining problems with existing identity systems, such as having too many usernames and passwords. It then describes what users and administrators want, including a single identity that can be used across sites. Existing enterprise identity solutions are discussed, as well as open standards like SAML, OpenID, and OAuth. OpenID allows users to authenticate using an existing identity, while OAuth allows applications to access user resources like data. Case studies demonstrate how OpenID and OAuth can be used by sites like Google, Facebook, and others to provide single sign-on. The document concludes by discussing key differences between OpenID and OAuth.

1. Web Identity Management
Anderson Liang
CTO, cacaFly
Nov. 24, 2010

2. Problems
2
Too many ids & passwords
Someone took my desired name
Duplicated profiles everywhere
Account management is hard

3. Users want
3
Single Identity
Roaming among sites
sign on once v.s. sign on every sites

4. Administrators want
4
“They” are the same guy?
Federated Identity

5. Portal
5
Portal
Hide & bridge everything behind
Provide Sign On once experiences

6. What Enterprises have
There are a lot of solutions dealing with
these problems for enterprises
Novell
Microsoft
IBM
Oracle
Sun Microsystems (acquired by Oracle)
Other ISVs
6

7. Portal w/ SSO & Identity Integration
Source: Novell Inc.
客戶
Portal
+
Novell
Access
Manager
Oracle
DB
Web
Server
MS AD
Sun iDS
Mail Server
NIS
Driver
eDirectory
Novell
Identity
Manager
LDAP
Driver
JDBC
Driver
AD
Driver
FTP
Server
合作夥伴
員工
帳號
密碼
anderson
********

8. Unified Management of Identity
8
Single Sign On Central Management Identity Integration
Source: Novell Inc.

9. 9
Cover complete Identity Lifecycle
Promote
Relocate
New
Project
Forget
Password
Password
Expired
Resource
Access
Control
PROVISION Account
Management
DE-PROVISION
AM
IDM
Password
Management
Source: Novell Inc.

10. What Open Web has
10
SAML (2002~)
&
OpenID (2005~)
http://connectid.blogspot.com/2006/11/we-need-iiw-in-panama.html

11. What Open Web has
Open Stack (OpenID & more)
11
• Unencumbered, Cross-
Platform Standards
• Open Source / Free
Software Implementations
• No Single-Vendor "Lock-In”
• Distributed Extensibility
http://developer.mozilla.org/presentations/sxsw2007/the_open_web/

12. Why sites accept external identities?
Enhance user engagement
Leverage social impressions
or
The “outside” identity belongs to the same
real person, who has relationship with
“inside” identity
12

13. Technically Speaking
13
We’re dealing with the problem:
“Authentication”
&
“Authorization”
among different sites

14. OpenID Introduction
Ref: http://www.slideshare.net/daveman692/open-id-overview-seoul-july-2007

15. What’s OpenID
Single sign-on for the web
Simple and light-weight
not going to replace your bank card pin
Easy to use and deploy
Built upon proven existing technologies
DNS, HTTP, SSL/TLS, Diffie-Hellman
Decentralized
no single point of failure in the protocol
User-Centric (not Site-Centric)
Free!
15

16. An OpenID is a URI
URLs are globally
unique and ubiquitous
OpenID allows
proving ownership of
an URI
People already have
identity at URLs via
blogs, photos,
MySpace, FaceBook,
DAUM, etc
16

17. My OpenID
17

18. How it works
18
Service Provider
(IDP)
Consumer Application
(Relying Party, RP)
End User

19. How it works?
1. Site fetches the HTML of my OpenID
2. Finds "openid.server“
3. Establishes a shared secret with the Provider
4. Redirects my browser to the Provider where I
authenticate and allow the OpenID login
5. Provider redirects my browser back to the site
with an OpenID response
6. Site verifies the signature and logs me in
19

20. Sign On in RP site
20

21. Redirect to IDP for authentication
21

22. Grant permission to RP site
22

23. Sign On process success!
23

24. Create OpenID on your own domain
24
in http://andersonlamp.hopto.org/index.php

25. How it works in detail
25http://www.openaselect.org/trac/openaselect/wiki/OpenID

26. Related Specifications
OpenID Authentication 1.1/2.0
OpenID Attribute Exchange (AX) 1.0
OpenID Provider Authentication Policy
Extension (PAPE) 1.0
OpenID Simple Registration Extension
(SReg) 1.0
Yadis Discovery Protocol
26

27. Demo: Yadis Discovery
Open Source OpenID Implementation
Test Sites
myid.tw
myopenid.com
google
yahoo
27

28. myid.tw
28

29. myopenid.com
29

30. Google
30

31. blogspot
31

32. Yahoo
32

33. 33

34. Is OpenID enough?
OpenID deal with the “Identity”, not the
“resources”
Several extensions to enhance the
authorization of accessing “resources”
34

35. OpenID Conversation
35
http://www.slideshare.net/steveivy/openid-oauth-an-introduction

36. OAuth Conversation
36
http://www.slideshare.net/steveivy/openid-oauth-an-introduction

37. OAuth Introduction
Ref: http://www.slideshare.net/rmetzler/identity-on-the-web-openid-vs-oauth

38. What’s OAuth?
Sharing your data without sharing your
password
Site-Centric/Centralized
Registration-based
Secure API authentication
38

39. Role
39
•User own Resource
at Service Provider
•Manually register
Consumer at Service
Provider
•User grants
Consumer access to
Resource

40. OAuth Flow
40http://oauth.net/core/diagram.png

41. Sign in with OAuth
41

42. Authenticate
42

43. Grant Access
43

44. Logged in
44

45. OpenID v.s. OAuth
OpenID
Sharing Identity
Decentralized
Consumer-Provider-
Relationship: unknown
OAuth
Sharing Resources
Centralized
Consumer-Provider-
Relationship: known
45

46. Google works
OpenID + OAuth

47. Google Account as OpenID
Everyone can paste
https://www.google.com/accounts/o8/id
and login as your OpenID
It will be discovered by RP as an server
endpoint, trigger an id_select login process
You will be issued an OpenID as
https://www.google.com/accounts/o8/id?id=AItO
wk...nqJOSI
47from: http://www.slideshare.net/timdream/google-apps-account-as-openid

48. Google Account as OpenID
48
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
<Type>http://specs.openid.net/extensions/pape/1.0</Type>
<URI>https://www.google.com/accounts/o8/ud</URI>
</Service>
</XRD>
</xrds:XRDS>
from: http://www.slideshare.net/timdream/google-apps-account-as-openid

49. OpenID + OAuth Dance
49
from: http://code.google.com/intl/zh-TW/apis/accounts/docs/OpenID.html

50. “id_select” process?
New* in OpenID 2.0
Which is introduced back in 2007
Indicate that user wishes to use a specific OpenID
IdP, however he didn’t know/say his own OpenID
Therefore the “id_select” login process asks the
OpenID IdP to select an ID for the user.
The other login process being “signon” process
50

51. Yahoo
OpenID + OAuth

52. http://openid.yahoo.com/
52

53. Authenticate
53

54. Rename your OpenID
54

55. Yahoo Dance
55

56. Facebook

57. facebook & yelp !
57

58. Single Sign-On
Facebook enables you to remove the
registration process for your site by enabling
users to log in to your site with their
Facebook account.
Once a user logs in to your site with his or
her Facebook account, you can access the
user's account information from Facebook,
and the user is logged in to your site as long
as he or she is logged in to Facebook.
http://developers.facebook.com/docs/guides/web#login
http://www.facebook.com/instantpersonalization/ 58

59. Register Your Resource (App)
59
http://developers.facebook.com/setup/

60. OAuth Authorization
60
https://graph.facebook.com/oauth/authorize?client_id=<your App ID>&redirect_uri=<redirect URL>
resource

61. Grant Access to the Resource
(App)
61
This is a demo APP to show the
usage of facebook social plugins
http://andersonlamp.hopto.org/?code=2.XX7JPLln
LnC26i_5ldohMQ__.3600.1290531600-
702462107|7qT7yWTCm4CjglPkLQDT2NnsMVw

62. Get Access Token & Invoke
Graph API
62
https://graph.facebook.com/oauth/access_token? client_id=<app id>&
redirect_uri=<redirect url>& client_secret=<app secret>& code=<verification string>
access_token=1558827777************************4b20009d789d-
100001*******************************LA44qC1NxGh-***
https://graph.facebook.com/me?access_token=...

63. Quick start with social plugins
http://developers.facebook.com/plugins
Like Button Like Box
Comments
Activity Feed Recommendations
FriendpileLogin ButtonLive Stream
63

64. Case Study

65. Redefine the Problems
How to achieve Identity Federation?
Web Single Sign On
How to let users sign on once (on one site), and
roam everywhere (on other sites), for a given
period of time?
Examples
facebook Like Button outside facebook
funP Push Button outside funP
Yam’s Identity in funP.com
65

66. facebook Like Button
66

67. funP Push Button
67

68. Sign On Yam
68

69. Sign On Yam Successed
69

70. Visit funP.com & Click Push Button
70

71. Ask Remote Identity
71
We have a valid
session from Yam
at this moment!

72. funP grant access w/o Sign On
72
Duration of the
permission granted
User has choice to
refuse to use the
identity from Yam

73. Enter funP with Yam’s Identity
73

74. Click Push Button with Yam’s Identity
74

75. Redefine the Problems
How to achieve Identity Federation?
Identity Integration (Identity Acquisition)
How to recognize different Web identities
represents the same real identity?
cross-domain user account provisioning
cross-domain entitlement management
cross-domain user attribute exchange
Examples
funP – account acquisition from Yam
Jibjab.com – leverage facebook accounts
75

76. funP.com
76

77. Option 1: Clone Yam’s Identity
77
Option 1
Option 2

78. Option 1:
Create a funP Identity from Yam’s Identity
78

79. Option 2:
Upgrade Yam’s Identity to funP Identity
79
Upgrade notice
Name the new
identity

80. Option 2: Upgrade complete
80

81. Yam Identity’s replica in funP
81

82. Option 2: Acquire Yam’s Identity
82

83. Sign On funP
83
Go to acquire
external accounts

84. Acquire Yam’s Identity
84
Acquire Yam’s
Identity

85. Redirect to authenticate Yam’s
Identity
85

86. Yam’s Authentication
86

87. Authenticated! Return to funP
87
User can abandon the
acquired identity instead
Identity acquired! Ask
for final confirmation

88. Identity acquisition complete
88

89. Compound Identity
89

90. Jibjab.com
90

91. Choose to Sign On w/ fb Identity
91

92. Redirect to Sign On with fb Identity
92

93. Grant fb permissions
93

94. Grant fb permission (again?)
94

95. Ask to merge fb Identity w/ Jibjab one
95

96. Signed in w/ fb Identity
96

97. Users have freedom to link to a
jibjab account anytime
97

98. Remarks

99. OpenID is “Open” for “Users”
99
http://www.slideshare.net/steveivy/openid-oauth-an-introduction

100. OAuth is “Open” for “Applications”
100
http://www.slideshare.net/steveivy/openid-oauth-an-introduction

101. Q&A