Open Source Identity
Integration with OpenSSO
April 19, 2008

Pat Patterson
Federation Architect
pat.patterson@sun.com
blogs.sun.com/superpat
Agenda
• Web Access Management
  > The Problem
  > The Solution
  > How Does It Work?
• Federation
  > Single Sign-On Beyond a Single Enterprise
  > How Does It Work?
• OpenSSO
  > Project Overview


Typical Problems
• “Every application wants me to log in!”

• “I have too many passwords – my monitor is
  covered in Post-its!”

• “We're implementing Sarbanes-Oxley – we need to
  control access to applications!”

• “We need to access outsourced functions!”

• “Our partners need to access our applications!”
Web Access Management
• Simplest scenario is within a single organization
• Factor authentication and authorization out of web
  applications into web access management (WAM)
  solution
• Can use browser cookies within a DNS domain
• Proxy or Agent architecture implements role-based
  access control (RBAC)
• Users get single sign-on, IT gets control


Single Sign-On Within an Organization
[Diagram: End User, SSO Server, two Web Servers and an Application Server]
How It Works
Participants: SSO Server, Browser, Agent, Application
1. Browser -> Agent: GET hrapp/index.html
2. Agent -> Browser: Redirect to SSO Server
3. Browser <-> SSO Server: Authenticate
4. SSO Server -> Browser: Redirect to hrapp/index.html (with SSO cookie)
5. Browser -> Agent: GET hrapp/index.html (with SSO cookie)
6. Agent -> SSO Server: Is this user allowed to access hrapp/index.html?
7. SSO Server -> Agent: Yes!
8. Agent -> Application: Allow request to proceed
9. Application -> Browser: Application response
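The sequence above, as an added example that is not OpenSSO code or part of the original deck: a toy policy agent sitting in front of an application. A request without a valid SSO cookie is redirected to the SSO server (with a goto parameter so the user lands back on the page they asked for); a request with a valid cookie is allowed only if the SSO server's role-based policy permits it. The class names, the cookie name and the login URL are assumptions made for the example.

```python
"""Added example (not OpenSSO code): a toy policy agent modelling the WAM
sequence: no valid SSO cookie -> redirect to the SSO server; valid cookie ->
ask the SSO server whether this user may access the resource.  SsoServer,
Agent, SSO_COOKIE and the login URL are constructed for the example."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SSO_COOKIE = "ssotoken"  # constructed cookie name, not OpenSSO's


class SsoServer:
    """In-memory stand-in for the SSO server: session store plus RBAC policy."""

    def __init__(self, login_url):
        self.login_url = login_url
        self.sessions = {}   # session id -> (user, roles, expiry)
        self.policy = []     # (resource prefix, action, allowed roles)

    def login(self, session_id, user, roles, now, lifetime=timedelta(minutes=30)):
        # The "Authenticate" step: a session is created; its id goes into the cookie
        self.sessions[session_id] = (user, frozenset(roles), now + lifetime)

    def validate_session(self, session_id, now):
        entry = self.sessions.get(session_id)
        if entry is None or now >= entry[2]:   # unknown or expired session
            return None
        return entry[0], entry[1]

    def add_rule(self, prefix, action, roles):
        self.policy.append((prefix, action, frozenset(roles)))

    def is_allowed(self, roles, resource, action):
        # "Is this user allowed to access hrapp/index.html?"  Deny unless a rule matches.
        return any(resource.startswith(p) and a == action and roles & allowed
                   for p, a, allowed in self.policy)


class Agent:
    """The agent in front of the application: enforces, but does not decide, policy."""

    def __init__(self, sso, app):
        self.sso, self.app = sso, app

    def handle(self, method, path, cookies, now):
        session = None
        if SSO_COOKIE in cookies:
            session = self.sso.validate_session(cookies[SSO_COOKIE], now)
        if session is None:
            # Step 2: redirect to the SSO server, remembering where the user wanted to go
            return {"status": 302,
                    "location": self.sso.login_url + "?" + urlencode({"goto": path})}
        user, roles = session
        if not self.sso.is_allowed(roles, path, method):
            return {"status": 403, "user": user}
        # "Allow request to proceed": hand the authenticated identity to the application
        return {"status": 200, "user": user, "body": self.app(path, user)}


def demo():
    """Walk through the slide's sequence; returns the agent's four decisions."""
    now = datetime(2008, 4, 19, 10, 0, tzinfo=timezone.utc)
    sso = SsoServer("https://sso.example.test/login")   # constructed URL
    sso.add_rule("hrapp/", "GET", {"hr-staff"})
    agent = Agent(sso, lambda path, user: f"hello {user}, here is {path}")
    no_cookie = agent.handle("GET", "hrapp/index.html", {}, now)
    sso.login("sess-123", "alice", {"hr-staff"}, now)          # alice authenticates
    allowed = agent.handle("GET", "hrapp/index.html", {SSO_COOKIE: "sess-123"}, now)
    sso.login("sess-456", "bob", {"sales"}, now)               # bob has no HR role
    denied = agent.handle("GET", "hrapp/index.html", {SSO_COOKIE: "sess-456"}, now)
    # An hour later alice's session has expired: back to the SSO server
    expired = agent.handle("GET", "hrapp/index.html", {SSO_COOKIE: "sess-123"},
                           now + timedelta(hours=1))
    return no_cookie, allowed, denied, expired


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point to notice is that the agent never interprets the cookie itself; it only forwards the session id to the SSO server for validation and asks for a policy decision, which is what lets IT keep control centrally while every application behind an agent gets single sign-on.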
Web Access Management Products
• Sun Java System Access Manager
  > OpenSSO
• CA (Netegrity) SiteMinder Access Manager
• IBM Tivoli Access Manager
• Oracle (Oblix) Access Manager
• Novell Access Manager
• JA-SIG CAS
• JOSSO
Typical Problems
• “Every application wants me to log in!”

• “I have too many passwords – my monitor is
  covered in Post-its!”

• “We're implementing Sarbanes-Oxley – we need to
  control access to applications!”

• “We need to access outsourced functions!”

• “Our partners need to access our applications!”
Single Sign-on between Organizations


• Cookies no longer work
  > Need a more sophisticated protocol

• Can't mandate single vendor solution
  > Need standards for interoperability




Single Sign-On Standards
(Timeline, 2002 to 2006)
• 2002: Liberty “Phase 1”; SAML 1
• 2003: Liberty ID-FF 1.1, 1.2; SAML 1.1; Shibboleth 1.0, 1.1; WS-Federation 1.0
• 2004: Shibboleth 1.2
• 2005: Liberty Federation = SAML 2
• 2006: WS-Federation 1.1
SAML 2.0 Concepts
• Profiles: combining protocols, bindings, and assertions to support a defined use case
• Bindings: mapping SAML protocols onto standard messaging or communication protocols
• Protocols: request/response pairs for obtaining assertions and doing ID management
• Assertions: authentication, attribute and entitlement information
• Authentication Context: detailed data on types and strengths of authentication
• Metadata: IdP and SP configuration data
SSO Across Organizations
[Diagram: End User, one Identity Provider and three Service Providers]
SAML 2.0 SSO Basics
Participants: Identity Provider, Browser, Service Provider
1. Browser -> Service Provider: GET hrapp/index.html
2. Service Provider -> Browser: Redirect with SAML Request
3. Browser -> Identity Provider: SAML Authentication Request
4. Browser <-> Identity Provider: Authenticate
5. Identity Provider -> Browser: HTML form with SAML Response
6. Browser -> Service Provider: SAML Response
   (Service Provider examines SAML Response and makes access control decision)
7. Service Provider -> Browser: Response
SAML 2.0 Assertion
(Abbreviated!)
<saml:Assertion Version="2.0" ID="..." IssueInstant="2007-11-06T16:42:28Z">
    <saml:Issuer>https://pat-pattersons-computer.local:8181/</saml:Issuer>
    <ds:Signature>...</ds:Signature>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:...:persistent" ...>
            ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M
        </saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
            <saml:SubjectConfirmationData .../>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2007-11-06T16:42:28Z"
                     NotOnOrAfter="2007-11-06T16:52:28Z">
        <saml:AudienceRestriction>
            <saml:Audience>
                https://pat-pattersons-computer.local/example-pat/
            </saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z" ...>
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>
                urn:oasis:...:PasswordProtectedTransport
            </saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
</saml:Assertion>
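An added example, not OpenSSO code or part of the original deck, of what "Service Provider examines SAML Response and makes access control decision" means for an assertion shaped like the one above: it checks the Issuer against the IdP the SP trusts, the Conditions window (with a small clock-skew allowance), the AudienceRestriction against the SP's own entity ID, the bearer SubjectConfirmationData, and that the assertion ID has not been consumed before. The sample assertion is constructed from the slide, with the URNs the slide abbreviates written out in full and a Recipient attribute added to the confirmation data; XML signature verification is assumed to have been done separately before these checks run.

```python
"""Added example (not OpenSSO code): the checks a Service Provider applies to
a SAML 2.0 assertion before making an access control decision.  The sample
assertion is constructed from the slide (signature omitted; signature
verification is assumed to happen separately, before these checks)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP_ENTITY_ID = "https://pat-pattersons-computer.local/example-pat/"
TRUSTED_IDP = "https://pat-pattersons-computer.local:8181/"

# Constructed assertion modelled on the slide's abbreviated one.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_example-id-1"
    IssueInstant="2007-11-06T16:42:28Z">
  <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{SP_ENTITY_ID}" NotOnOrAfter="2007-11-06T16:52:28Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def saml_time(value):
    """SAML dateTime values here are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, sp_entity_id=SP_ENTITY_ID, trusted_idp=TRUSTED_IDP,
                       seen_ids=None, skew=timedelta(seconds=60)):
    """Return a dict with 'ok', the list of 'problems', and the subject if accepted."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        return {"ok": False, "problems": ["not a SAML 2.0 Assertion"]}
    # Issuer: only the IdP we hold metadata for is accepted
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != trusted_idp:
        problems.append(f"untrusted issuer {issuer!r}")
    # Conditions: validity window (allowing for clock skew) and audience restriction
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < saml_time(nb):
            problems.append("assertion not yet valid")
        if noa and now - skew >= saml_time(noa):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if audiences and sp_entity_id not in audiences:
            problems.append("audience restriction does not name this SP")
    # Subject confirmation: bearer data must be addressed to us and still fresh
    bearer_ok = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("Recipient") not in (None, sp_entity_id):
            continue
        if data.get("NotOnOrAfter") and now - skew >= saml_time(data.get("NotOnOrAfter")):
            continue
        bearer_ok = True
    if not bearer_ok:
        problems.append("no acceptable bearer SubjectConfirmation")
    # Replay: an assertion ID is consumed at most once within its validity window
    assertion_id = root.get("ID")
    if seen_ids is not None and assertion_id in seen_ids:
        problems.append("assertion ID already consumed (replay)")
    if problems:
        return {"ok": False, "problems": problems}
    if seen_ids is not None:
        seen_ids.add(assertion_id)
    return {"ok": True, "problems": [],
            "name_id": (root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip(),
            "authn_context": (root.findtext(
                "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                default="", namespaces=NS) or "").strip()}


def check_at(when, **kwargs):
    """Validate the sample assertion at an ISO-8601 UTC instant such as '2007-11-06T16:45:00Z'."""
    return validate_assertion(SAMPLE_ASSERTION, saml_time(when), **kwargs)
```

Every failed check is collected rather than short-circuited so that an SP's audit log can show why a response was rejected; the returned AuthnContextClassRef lets the SP apply a policy such as requiring a stronger context for sensitive resources, which is the Authentication Context concept from the earlier slide.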
SAML 2.0 Adoption
• Sun, IBM, CA – all the usual suspects, except Microsoft
• OpenSAML (Internet2)
  > Java, C++
• OpenSSO (Sun)
  > Java, PHP, Ruby
• SimpleSAMLphp (Feide)
• LASSO (Entr'ouvert)
  > C/SWIG
• ZXID (Symlabs)
  > C/SWIG
What is OpenSSO?
Open Access. Open Federation.
• OpenSSO 1.0 == Federated Access Manager 8.0
• All FAM 8.0 builds available via OpenSSO
• Preview Features
• Provide Feedback
• Review code security
OpenSSO Momentum
• In less than 2 years...
  > 650 project members at opensso.org
  > ~15 external committers
  > Consistently in Top 10* java.net projects by mail traffic
     – * of over 3000 projects
• Production deployments
  > www.audi.co.uk
     – 250,000 customer profiles
  > openid.sun.com
     – OpenID for Sun employees
  > telenet.be
     – Foundation for fine-grained authorization
OpenSSO Roadmap
(Timeline by product line)
• Access Manager: Access Manager 7.1 (Q4CY06)
• Federation Manager: Federation Manager 7.0 (Q4CY05)
• OpenSSO: OpenSSO (Q3CY06) > OpenSSO Federation (Q4CY06) > OpenSSO 1.0 / FAM 8.0 (Summer 2008) > OpenSSO 1.next / FAM 8.1 (End of 2008)
OpenSSO 1.0
Access Management
• Centralized Agent Configuration & Deployment
• Centralized Configuration
• XACML Request/Response
• Wide choice of Application Servers
Federation
• Fedlet
• Virtual Federation
• Multi-Federation Protocol Hub
• WS-Federation 1.1
• 3rd Party WAM Interoperability
OpenSSO 1.0
Identity Services
• Authentication as a service
• Authorization as a service
• Audit as a service
• Attribute Query as a service
• Secure Trust Authority
• Web Services Security Plug-ins
• SDK for Securing Web Services
But that's not all...
OpenSSO Extensions
https://opensso.dev.java.net/public/extensions/
SAML 2.0
• PHP SAML 2.0 SP implementation
  > Picked up by Feide (Norway)
• Ruby SAML 2.0 SP implementation
• SAML 2.0 ECP test rig
OpenID
• OpenID 1.1 Provider
  > Deployed at openid.sun.com
Client SDK
• PHP Client SDK implementation
Authentication Modules
• ActivIdentity 4Tress
• Hitachi Finger Vein Biometric
• Information Card (aka CardSpace)
Participate!
• Join: Sign up at opensso.org
• Download: OpenSSO 1.0 Build 4
• Subscribe: OpenSSO Mailing Lists (dev, users, announce)
• Chat: #opensso on freenode.net
Resources
https://opensso.dev.java.net/public/extensions/
• OpenSSO: http://opensso.org/
• SAML @ Globo.com: André Bechara video, http://tinyurl.com/6rugrm
• Pat's Blog: Superpatterns, http://blogs.sun.com/superpat/
• Daniel Raskin's Blog: Virtual Daniel, http://blogs.sun.com/raskin/