Single Sign On
(SSO)
By Laxman Kumar
Agenda
• Authentication / Authorization
• Single Sign On
• Why SSO
• Protocols
• SAML
• Meta-data
• Working principle
• SSO providers
• Demo
Authentication / authorization
• Authentication
Authentication verifies who you are.
Two questions arise.
Example
Who is the user lucky?
Is the user lucky really who he represents himself to be?
Authentication / authorization
• Authentication
How can you authenticate?
Knowledge - Something You Know - password, four-digit PIN
Possession - Something You Have - smart card, one-time SMS code
Inherence - Something You Are - prove who you are using biometrics:
fingerprint, voiceprint, or another unique physical feature.
Multifactor authentication - e.g. multi-factor authentication
at the ATM, OTP
Authentication / authorization
• Authorization
Authorization verifies what you are authorized to do.
Many questions arise.
Is user lucky authorized to access the resource called ABC?
Is user lucky authorized to perform operation XYZ?
Is user lucky authorized to perform operation P on resource R?
Is user lucky authorized to download or upload files?
Single Sign On
• Single sign-on (SSO) is an access-control technique for multiple
related but independent software systems.
• Single sign-on (SSO) allows a person to authenticate once and gain
access to all applications without being prompted to log in again.
• A token is used to authenticate the user.
• The token is issued to the user on successful authentication; it is
stored in the browser (as a cookie) and can be presented to websites
as evidence of authentication.
Single Sign On
Previous technology compared with SSO (diagram)
Why SSO
• User perspective
PROBLEM
Too many credentials
Multiple logins
Remembering too many passwords
Why SSO
• IT perspective
PROBLEM
Provisioning new accounts
Password management
Auditing user activity
De-provisioning users
Managing non-employee access
Why SSO
• Eliminate the need for multiple usernames and passwords.
• Allow users to manage a single set of corporate credentials.
• Give users one-click access to all their applications from anywhere
on any device.
• Reduce IT help desk cost.
Protocols
• SAML - Currently the most widely adopted standard for web SSO.
XML based.
• OpenID Connect - The most promising successor to SAML.
• OAuth - An open standard for authorization.
• Earlier protocols that are still in use should be deprecated:
Kerberos, RADIUS, LDAP, OpenID 2, CAS...
OAuth
• OAuth is an open standard for authorization.
• OAuth 1.0 in 2010, OAuth 2.0 in 2012.
• Lets users authorize third-party access to their server resources
without sharing their credentials.
• Works with HTTP.
• OAuth 2.0
OpenID
• Open standard released in 2006.
• Decentralised single sign-on for the web.
• For consumer apps and services.
• Social networks.
• OpenID 2.0 used XML and a custom message signature scheme.
SAML
• Security Assertion Markup Language (SAML).
• OASIS open standard for representing and exchanging user
identity, authentication, and attribute information.
• XML-based protocol.
• Flexible enough to work with other protocols.
• SAML 2.0
Anatomy of SAML
• Assertions
• Protocols
• Bindings
• Profiles
SAML 2.0
SAML Assertion
• XML-formatted security token.
• Used to transfer user identity and attribute information from the identity provider
to a trusted service provider as part of completing a single sign-on request.
A SAML assertion basically contains:
• <saml:Issuer> element, contains the unique identifier of the identity provider.
• <ds:Signature> element, contains an integrity-preserving digital signature.
• <saml:Subject> element, contains authenticated user information.
• <saml:Conditions> element, contains the conditions under which the assertion is to be
considered valid.
• <saml:AuthnStatement> element, describes the act of authentication
at the identity provider.
In words, the assertion encodes the following information:
The assertion ("b07b804c-7c29-ea16-7300-4f3d6f7928ac") was issued at time
"2004-12-05T09:22:05Z" by identity provider (https://idp.example.org/SAML2) regarding subject
(3f7b3dcf-1674-4ecd-92c8-1544f346baf8) exclusively for service provider
(https://sp.example.com/SAML2).
The authentication statement, in particular, asserts the following:
The principal identified in the <saml:Subject> element was authenticated at time
"2004-12-05T09:22:00" by means of a password sent over a protected channel.
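As an added example (not part of the slides), the Python below parses an assertion constructed to carry exactly the values quoted above and applies the checks a service provider makes on <saml:Conditions> and <saml:AuthnStatement> before trusting it. The NotBefore/NotOnOrAfter window, the NameID format and the AuthnContextClassRef value are assumptions added for the example; the <ds:Signature> content is omitted, so signature verification is not shown here.

```python
"""Parse the SAML 2.0 assertion described on the slide and evaluate its
conditions. Added example; the XML is constructed, not taken from a real IdP."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by SAML 2.0 assertions and XML Signature.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed assertion carrying the ID, times, issuer, subject and audience
# quoted on the slide. The validity window (NotBefore/NotOnOrAfter), NameID
# format and AuthnContextClassRef are assumptions added for the example.
ASSERTION_XML = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature><!-- XML-DSig content omitted in this constructed sample --></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2004-12-05T09:22:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""


def parse_time(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2004-12-05T09:22:05Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str) -> dict:
    """Pull the fields the slide lists out of the assertion's five elements."""
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    return {
        "id": root.get("ID"),
        "issue_instant": parse_time(root.get("IssueInstant")),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "signed": root.find("ds:Signature", NS) is not None,
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": parse_time(conditions.get("NotBefore")),
        "not_on_or_after": parse_time(conditions.get("NotOnOrAfter")),
        "audiences": [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "authn_instant": parse_time(authn.get("AuthnInstant")),
        "authn_context": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
    }


def check_conditions(assertion: dict, sp_entity_id: str, now: datetime, max_authn_age: int = 600) -> list:
    """Return the reasons a service provider should reject the assertion; [] means
    the conditions hold (the signature still has to be verified separately)."""
    problems = []
    if not assertion["signed"]:
        problems.append("no signature element")
    if sp_entity_id not in assertion["audiences"]:
        problems.append("audience mismatch")           # minted for some other SP
    if now < assertion["not_before"]:
        problems.append("not yet valid")
    if now >= assertion["not_on_or_after"]:
        problems.append("expired")
    if (now - assertion["authn_instant"]).total_seconds() > max_authn_age:
        problems.append("authentication too old")      # stale login at the IdP
    return problems


if __name__ == "__main__":
    parsed = parse_assertion(ASSERTION_XML)
    for key, value in parsed.items():
        print(f"{key:16} {value}")
    print("problems:", check_conditions(parsed, "https://sp.example.com/SAML2", parse_time("2004-12-05T09:22:10Z")))
```

Run directly, it prints the parsed fields and an empty problem list for a clock reading inside the window. The audience check matters as much as the time window: an assertion issued for one service provider must not be accepted by another, and an empty list still means nothing until the signature has been verified with the identity provider's key.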
SAML 2.0
• Protocols - Describe how SAML elements are packaged within
SAML request and response elements.
• Bindings - Map a SAML protocol message onto standard
messaging formats and/or communications protocols (Redirect,
POST, SOAP bindings).
• Profiles - Describe in detail how SAML assertions, protocols, and
bindings combine to support a defined use case.
Meta-Data
• Metadata is data that describes other data.
• Metadata summarizes basic information about data.
• It provides information about a certain item's content.
• For example, an image may include metadata that describes how
large the picture is, the color depth, the image resolution, when
the image was created, and other data.
Meta-Data
SAML 2.0 Metadata
Question 1
How does the identity provider know the service provider is authentic and not
some evil service provider trying to phish private information regarding the
user?
Answer
The identity provider consults its list of trusted service providers in
metadata before issuing an authentication response.
Question 2
How does the identity provider know where to redirect the user with the
authentication response?
Answer
The identity provider looks up a pre-arranged endpoint location of the service
provider in metadata.
Question 3
How does the service provider know that the authentication response came from
a trusted identity provider?
Answer
The service provider validates the signature on the assertion using the public key
of the identity provider from metadata.
Metadata ensures a secure transaction between an identity provider and a
service provider.
Working principle
Single sign-on involves three parties.
• User: Requests a service from the service provider.
• Service Provider (SP): Serves the authenticated user's request.
For authentication it checks the ticket provided by the SSO server. It
also makes an access control decision.
• Identity Provider (IDP) or SSO server: Authenticates the user
and provides them with a ticket.
Working principle
Parties: User, Service Provider (SP), Identity Provider (IDP) / SSO server.
1. The user requests a service from the service provider.
2. The service provider checks whether the user has a ticket.
3. If the user does not have one, the service provider redirects the user to the identity provider login page for authentication.
4. The user logs in at the SSO login page with their credentials.
5. The IDP checks the credentials and, if they are correct, issues a ticket to the user and redirects the user back to the service provider with a copy of the ticket.
6. The SP checks the ticket and, if it is valid, lets the user in.
7. The SP then checks whether the user is allowed to access the requested service.
Working principle (second service)
8. The user requests another service with a copy of the ticket.
9. The SP checks the ticket's validity and lets the user in if the ticket is valid.
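The following Python is an added example (not the slides' own code) that replays the two working-principle sequences above and the three metadata questions from the Meta-Data slides with both parties in one script: the IdP consults its trusted-SP list (Question 1) and takes the return endpoint from metadata rather than from the request (Question 2), and the SP accepts a ticket only if it verifies with the key it holds for that issuer in metadata (Question 3), was issued for this SP, and is inside its validity window, after which the SP makes its authorization decision. All data is constructed; the entity IDs come from the slides, while the ACS URL, login URL, user store, ACL and lifetime are assumptions. Real SAML tickets are signed with the IdP's private key and verified with its certificate; this stand-alone version substitutes an HMAC tag so that it runs with only the standard library.

```python
"""Metadata-driven SSO flow with IdP and SP roles. Added example with
constructed data; the HMAC tag stands in for a real XML signature."""
import hashlib
import hmac
import json

IDP_ENTITY_ID = "https://idp.example.org/SAML2"   # identity provider id from the slides
SP_ENTITY_ID = "https://sp.example.com/SAML2"     # service provider id from the slides
IDP_KEY = b"constructed-idp-signing-key"          # constructed; stands in for the IdP's key pair
TICKET_LIFETIME = 300                             # seconds a ticket stays valid (assumption)

# Metadata, exchanged out of band before any login happens. The IdP lists only
# the SPs it trusts and the endpoint it will send each one's responses to; the
# SP lists only the IdPs whose signatures it will accept.
IDP_METADATA = {SP_ENTITY_ID: {"acs_url": "https://sp.example.com/SAML2/ACS"}}  # constructed URL
SP_METADATA = {IDP_ENTITY_ID: {"verify_key": IDP_KEY}}

# Constructed user store at the IdP (salted PBKDF2 digests, never plaintext).
_SALT = b"constructed-salt"


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"lucky": _digest("correct horse")}

# Constructed access-control list at the SP: subject -> allowed (operation, resource).
ACL = {"lucky": {("read", "ABC")}}


def _tag(key: bytes, claims: dict) -> str:
    """Integrity tag over a canonical encoding of the ticket claims."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


# ---- Identity provider (IDP / SSO server) ----
def idp_login(sp_entity_id: str, username: str, password: str, now: int):
    """Check the user's credentials; on success return (acs_url, ticket), else None."""
    sp = IDP_METADATA.get(sp_entity_id)
    if sp is None:
        return None                                   # Question 1: unknown SP, refuse
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _digest(password)):
        return None                                   # wrong credentials
    claims = {"issuer": IDP_ENTITY_ID, "subject": username, "audience": sp_entity_id,
              "issued_at": now, "not_on_or_after": now + TICKET_LIFETIME}
    ticket = {"claims": claims, "sig": _tag(IDP_KEY, claims)}
    return sp["acs_url"], ticket                      # Question 2: endpoint comes from metadata


# ---- Service provider (SP) ----
def sp_validate_ticket(ticket: dict, now: int):
    """Return the authenticated subject, or None if the ticket must be rejected."""
    claims = ticket.get("claims", {})
    idp = SP_METADATA.get(claims.get("issuer"))
    if idp is None:
        return None                                   # issuer not in metadata
    if not hmac.compare_digest(_tag(idp["verify_key"], claims), ticket.get("sig", "")):
        return None                                   # Question 3: signature check fails
    if claims.get("audience") != SP_ENTITY_ID:
        return None                                   # ticket was issued for another SP
    if not (claims.get("issued_at", now + 1) <= now < claims.get("not_on_or_after", 0)):
        return None                                   # outside the validity window
    return claims["subject"]


def sp_handle(ticket, operation: str, resource: str, now: int):
    """One service request at the SP: ('redirect', url), ('ok', user) or ('forbidden', user)."""
    login_url = f"{IDP_ENTITY_ID}/login?sp={SP_ENTITY_ID}"  # constructed login endpoint
    if ticket is None:
        return "redirect", login_url                  # steps 2-3: no ticket, go to the IdP
    subject = sp_validate_ticket(ticket, now)
    if subject is None:
        return "redirect", login_url                  # bad or expired ticket: authenticate again
    if (operation, resource) not in ACL.get(subject, set()):
        return "forbidden", subject                   # step 7: authenticated but not authorized
    return "ok", subject


def run_flow(username: str, password: str, now: int):
    """Replay the slides' sequence: request, redirect, login, return, second request."""
    steps = [sp_handle(None, "read", "ABC", now)]      # steps 1-3
    issued = idp_login(SP_ENTITY_ID, username, password, now)
    if issued is None:
        return steps + [("login failed", username)]
    acs_url, ticket = issued                           # steps 4-5: ticket issued, user sent to ACS
    steps.append(("return_to", acs_url))
    steps.append(sp_handle(ticket, "read", "ABC", now + 1))    # steps 6-7
    steps.append(sp_handle(ticket, "write", "ABC", now + 2))   # steps 8-9: same ticket, no re-login
    return steps


if __name__ == "__main__":
    for step in run_flow("lucky", "correct horse", now=1_700_000_000):
        print(step)
```

The second request succeeds authentication without another login, which is the point of SSO, yet is refused by the ACL: the ticket answers "who is lucky?" while the SP alone answers "may lucky perform this operation on this resource?". A tampered subject fails the tag check and an expired ticket fails the window check; in both cases the SP's only safe reaction is to send the user back to the IdP.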
SSO providers
Provider - Product name
Microsoft - Active Directory Federation Services, Forefront Identity Manager
IBM - IBM Enterprise Identity Mapping, LTPA, IBM Tivoli Access Manager
Red Hat - FreeIPA, JBoss SSO, Keycloak
ForgeRock - OpenAM
VMware - myOneLogin
Jasig - CAS
OneLogin Inc. - OneLogin
Ping Identity - Ping Dock
SSOCircle - Public SSOCircle, IDPee
Demo
• SAML with SSOCircle
  • 1. Single Sign On (SSO) By Laxman Kumar
  • 2. Agenda • Authentication / Authorization • Single Sign On • Why SSO • Protocols • SAML • Meta-data • Working principle • SSO providers • Demo
  • 3. Authentication / authorization • Authentication Authentication verifies who you are. Two question arises. Example Who is the user lucky? Is the user lucky really who he represent himself to be?
  • 4. Authentication / authorization • Authentication How can you authenticate ? Knowledge - Something You Know – password, four-digit pin number Possession - Something You Have - smart card, one-time SMS code Inherence - Something You Are - prove who you are using biometrics - fingerprint, voiceprint, or other unique physical feature. Multifactor authentication - e.g: Multi-Factor Authentication at the ATM, OTP
  • 5. Authentication / authorization • Authorization Authorization verifies what you are authorized to do. Many questions arises. Is user lucky authorized to access resource called ABC ? Is user lucky authorized to perform operation XYZ ? Is user lucky authorized to perform operation P on resource R ? Is user lucky authorized to download or upload files ?
  • 6. Single Sign On • Single sign-on (SSO) is a technique of access control of multiple related, but independent software systems. • Single sign-on (SSO) allows a person to authenticate once and gains access to all application without being prompted to log in again • Token is used to authenticate the user. • Token is issued to user on successful authentication which is stored in browser (cookie) and can be presented to websites as evidence of authentication.
  • 7. Single Sign On Previous Technology SSO
  • 8. Why SSO • User Perspective PROBLEM Too many credentials Multiple login Remembering too many password
  • 9. Why SSO • IT Perspective PROBLEM Provisioning new accounts Password management Auditing user activity De-provisioning users Managing non-employee access
  • 10. Why SSO • Eliminate the need for multiple usernames and passwords. • Allow users to manage a single set of corporate credentials. • Give users one-click access to all their applications from anywhere on any device. • Reduce IT help desk cost.
  • 11. Protocols • SAML- Currently the most widely adopted standard for Web SSO. XML based. • OpenID Connect - Most promising successor to SAML. • Oauth- OAuth is an open standard for authorization. • Earlier protocols that are still in use should be deprecated: Kerberos, RADIUS, LDAP, OpenID 2, CAS...
  • 12. Oauth • OAuth is an open standard for authorization. • OAuth 1.0 in 2010, OAuth 2.0 in 2012 • Authorize third-party access to their server resources without sharing their credentials • Works with HTTP. • OAUTH 2.0
  • 13. OPENID • Open standard released in 2006 • Decentralised Single Sign-on for web • For consumer apps and services • Social networks • OpenID 2.0 used XML and a custom message signature scheme.
  • 14. SAML • Security Assertion Markup Language (SAML). • OASIS open standard for representing and exchanging user identity, authentication, and attribute information. • XML based protocol. • Flexible to work with other protocols. • SAML 2.0
  • 15. Anatomy of SAML
    • Assertions
    • Protocols
    • Bindings
    • Profiles
  • 16. SAML 2.0
    SAML Assertion
    • XML-formatted security token.
    • Used to transfer user identity and attribute information from the identity provider to a trusted service provider as part of the completion of a single sign-on request.
    A SAML assertion basically contains:
    • <saml:Issuer> element, contains the unique identifier of the identity provider
    • <ds:Signature> element, contains an integrity-preserving digital signature
    • <saml:Subject> element, contains authenticated user information
    • <saml:Conditions> element, contains conditions under which the assertion is to be considered valid
    • <saml:AuthnStatement> element, which describes the act of authentication at the identity provider
    In words, the assertion encodes the following information: The assertion ("b07b804c-7c29-ea16-7300-4f3d6f7928ac") was issued at time "2004-12-05T09:22:05Z" by identity provider (https://idp.example.org/SAML2) regarding subject (3f7b3dcf-1674-4ecd-92c8-1544f346baf8) exclusively for service provider (https://sp.example.com/SAML2). The authentication statement, in particular, asserts the following: The principal identified in the <saml:Subject> element was authenticated at time "2004-12-05T09:22:00" by means of a password sent over a protected channel.
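As an added example, not part of the slides: the Go program below parses an assertion built from the identifiers on this slide and applies the checks a service provider makes on the listed elements before trusting the token (issuer it trusts, audience equal to its own entityID, validity window, signature element present). The namespace tags, the Conditions window and the AuthnContext class are assumptions for the example; the ds:Signature is a placeholder, so cryptographic verification of it is not shown here.

```go
// Added example, not from the slides: the checks a service provider applies to the
// assertion elements listed on this slide, in Go with encoding/xml. The assertion
// below is constructed from the identifiers on the slide; its ds:Signature is a
// placeholder, so only its presence is checked here.
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assertion maps the elements the slide lists. The root is pinned to the SAML 2.0
// assertion namespace; child elements are matched by local name.
type Assertion struct {
	XMLName      xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID           string    `xml:"ID,attr"`
	IssueInstant string    `xml:"IssueInstant,attr"`
	Issuer       string    `xml:"Issuer"`
	Signature    *struct{} `xml:"Signature"` // non-nil when a ds:Signature element is present
	Subject      struct {
		NameID string `xml:"NameID"`
	} `xml:"Subject"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	AuthnStatement struct {
		AuthnInstant string `xml:"AuthnInstant,attr"`
		ClassRef     string `xml:"AuthnContext>AuthnContextClassRef"`
	} `xml:"AuthnStatement"`
}

// SampleAssertion uses the slide's identifiers and timestamps; the validity window
// and the AuthnContext class are constructed for the example.
const SampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0"
  ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/SAML2</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2004-12-05T09:22:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>`

// Result is what the SP has established once every check has passed.
type Result struct {
	ID, Issuer, Subject, AuthnInstant, AuthnMethod string
}

// ValidateAssertion refuses the token unless the issuer is trusted, the audience is
// this SP, "now" lies inside the Conditions window and a Signature element is
// present. Cryptographic verification of the signature needs the IdP key from
// metadata and is outside this block.
func ValidateAssertion(doc []byte, trustedIssuers map[string]bool, audience string, now time.Time) (Result, error) {
	var a Assertion
	if err := xml.Unmarshal(doc, &a); err != nil {
		return Result{}, err
	}
	if !trustedIssuers[a.Issuer] {
		return Result{}, fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	if a.Signature == nil {
		return Result{}, errors.New("assertion is not signed")
	}
	notBefore, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	notOnOrAfter, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return Result{}, errors.New("conditions carry no parseable validity window")
	}
	if now.Before(notBefore) || !now.Before(notOnOrAfter) {
		return Result{}, fmt.Errorf("assertion is not valid at %s", now.Format(time.RFC3339))
	}
	audienceOK := false
	for _, aud := range a.Conditions.Audiences {
		audienceOK = audienceOK || aud == audience
	}
	if !audienceOK {
		return Result{}, fmt.Errorf("assertion was not issued for %s", audience)
	}
	return Result{a.ID, a.Issuer, a.Subject.NameID, a.AuthnStatement.AuthnInstant, a.AuthnStatement.ClassRef}, nil
}

func main() {
	trusted := map[string]bool{"https://idp.example.org/SAML2": true}
	now := time.Date(2004, 12, 5, 9, 22, 30, 0, time.UTC) // inside the constructed window
	r, err := ValidateAssertion([]byte(SampleAssertion), trusted, "https://sp.example.com/SAML2", now)
	fmt.Printf("%+v err=%v\n", r, err)
	_, err = ValidateAssertion([]byte(SampleAssertion), trusted, "https://other.example.net/SAML2", now)
	fmt.Println("presented to another SP:", err) // rejected by the audience check
}
```

The audience check is the one most often skipped in home-grown consumers: without it, an assertion the IdP issued for one service provider can be replayed at another. Note also that the SP's clock is an input, so clock skew between IdP and SP must be bounded in deployment.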
  • 17. SAML 2.0
    • Protocols - Describe how SAML elements are packaged within SAML request and response elements.
    • Bindings - Mapping of a SAML protocol message onto standard messaging formats and/or communication protocols (Redirect, POST, SOAP bindings).
    • Profiles - Describe in detail how SAML assertions, protocols, and bindings combine to support a defined use case.
  • 18. Meta-Data
    • Metadata is data that describes other data.
    • Metadata summarizes basic information about data.
    • It provides information about a certain item's content.
    • For example, an image may include metadata that describes how large the picture is, the color depth, the image resolution, when the image was created, and other data.
  • 19. Meta-Data
    SAML 2.0 Metadata
    • Question 1: How does the identity provider know the service provider is authentic and not some evil service provider trying to phish private information regarding the user?
      Answer: The identity provider consults its list of trusted service providers in metadata before issuing an authentication response.
    • Question 2: How does the identity provider know where to redirect the user with the authentication response?
      Answer: The identity provider looks up a pre-arranged endpoint location of the service provider in metadata.
    • Question 3: How does the service provider know that the authentication response came from a trusted identity provider?
      Answer: The service provider validates the signature on the assertion using the public key of the identity provider from metadata.
    • Metadata ensures a secure transaction between an identity provider and a service provider.
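Added example, not part of the slides: the three questions above as Go code over constructed SP and IdP metadata. The metadata documents, entityIDs and endpoint URLs are constructed; the IdP key pair and certificate are generated when the program runs; and the assertion signature is a plain RSA-SHA256 signature over the assertion bytes, a simplification of the XML-DSig structure real SAML uses. It goes one step beyond the slide on question 2: an AssertionConsumerService URL carried in a request is honoured only if it matches the metadata.

```go
// Added example, not from the slides: the three metadata lookups answered above,
// in Go over constructed SP and IdP metadata. The IdP key and self-signed
// certificate are generated at run time; the assertion signature is a plain
// RSA-SHA256 signature over the raw bytes, a simplification of real XML-DSig.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// EntityDescriptor keeps only the metadata fields the three questions need.
type EntityDescriptor struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	ACS      []struct { // SP side: pre-arranged endpoints that may receive the response
		Location string `xml:"Location,attr"`
	} `xml:"SPSSODescriptor>AssertionConsumerService"`
	// IdP side: base64 DER certificates whose public keys sign assertions.
	SigningCerts []string `xml:"IDPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
}

// SampleSPMetadata is constructed for the example.
const SampleSPMetadata = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.com/SAML2">
  <md:SPSSODescriptor><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/SAML2/POST"/></md:SPSSODescriptor>
</md:EntityDescriptor>`

func ParseMetadata(doc []byte) (EntityDescriptor, error) {
	var e EntityDescriptor
	err := xml.Unmarshal(doc, &e)
	return e, err
}

// Question 1: the IdP answers only SPs whose entityID is in its trusted metadata.
func IsTrustedSP(trusted map[string]EntityDescriptor, entityID string) bool {
	_, ok := trusted[entityID]
	return ok
}

// Question 2: the response goes to an endpoint from metadata; a URL carried in the
// request is honoured only if it matches one, so a forged request cannot divert it.
func ResolveACS(sp EntityDescriptor, requested string) (string, error) {
	for _, acs := range sp.ACS {
		if requested == "" || requested == acs.Location {
			return acs.Location, nil
		}
	}
	return "", fmt.Errorf("%q is not a registered endpoint of %s", requested, sp.EntityID)
}

// BuildIdPMetadata generates the IdP key pair and publishes its self-signed
// certificate in constructed metadata, the way a real IdP does.
func BuildIdPMetadata() (*rsa.PrivateKey, string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "idp.example.org"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	md := `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/SAML2">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` + base64.StdEncoding.EncodeToString(der) +
		`</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>`
	return key, md, nil
}

// Question 3: the SP takes the IdP public key from metadata, never from the
// message it is about to verify, and checks the assertion signature with it.
func IdPSigningKey(idp EntityDescriptor) (*rsa.PublicKey, error) {
	if len(idp.SigningCerts) == 0 {
		return nil, fmt.Errorf("no signing certificate in metadata of %s", idp.EntityID)
	}
	der, err := base64.StdEncoding.DecodeString(idp.SigningCerts[0])
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate of %s does not carry an RSA key", idp.EntityID)
	}
	return pub, nil
}

func SignAssertion(key *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

func VerifyAssertion(pub *rsa.PublicKey, assertion, sig []byte) bool {
	digest := sha256.Sum256(assertion)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	sp, err := ParseMetadata([]byte(SampleSPMetadata))
	fmt.Println(sp.EntityID, sp.ACS, err)
}
```

The design point in question 3 is where the key comes from: a SAML response can carry its own KeyInfo, but a consumer that verifies against a key found inside the message it is checking has verified nothing. The key must be bound to the issuer out of band, which is what metadata exchange is for.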
  • 20. Working principle
    Single sign-on involves 3 parties.
    • User: Requests a service from the service provider.
    • Service Provider (SP): Serves the authenticated user's request. For authentication it checks the ticket provided by the SSO server. It also makes an access control decision.
    • Identity Provider (IdP) or SSO server: Authenticates the user and provides them with a ticket.
  • 22. Working principle (sequence diagram: User, Service Provider (SP), Identity Provider (IdP) / SSO server)
    • User requests a service from the service provider.
    • Service provider checks whether the user has a ticket. If the user doesn't have one, the service provider sends the user to the IdP for authentication: redirect user to the identity provider login page.
    • User is redirected to the SSO login page.
    • User logs in with the login credentials.
    • IdP checks the user credentials and, if correct, issues a ticket to the user and redirects the user to the service provider with the ticket.
    • User is redirected to the service provider with a copy of the ticket.
    • SP checks the ticket and, if it is a valid ticket, SP allows the user in. Now SP checks whether the user is allowed to access the service requested.
    • Service request (served).
  • 23. Working principle (sequence diagram: User, Service Provider (SP), Identity Provider (IdP) / SSO server)
    • User requests another service with a copy of the ticket.
    • SP checks the ticket's validity and allows the user in if the ticket is valid.
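Added example, not part of the slides: the sequence of slides 20, 22 and 23 simulated in Go with the three parties as types. Tickets here are opaque, single-use, service-bound values held by the SSO server and checked by the SP through a direct call to it (a CAS-style design; a signed SAML assertion is the other common form). The user name, password, URLs and access-control lists are constructed. It also makes explicit what the diagram leaves implicit: a replayed copy of a ticket, a ticket issued for a different service and an expired ticket are all refused, and it is the IdP's own SSO session that lets a second service be reached without a second login.

```go
// Added example, not from the slides: the sequence on slides 22 and 23 with the
// three parties as Go types. The ticket is an opaque, single-use, service-bound
// value kept by the SSO server and checked by the SP through a direct call to it.
// Names, URLs and the user store are constructed for the example.
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

const LoginURL = "https://sso.example.org/login" // constructed IdP login page

func randID(prefix string) string {
	b := make([]byte, 16)
	rand.Read(b)
	return prefix + hex.EncodeToString(b)
}

type Ticket struct {
	User, Service string
	Expires       time.Time
}

// IdP is the SSO server: it checks credentials once, keeps an SSO session and
// hands out tickets bound to the service that sent the user.
type IdP struct {
	passwords map[string]string // constructed user store; a real IdP keeps salted hashes
	sso       map[string]string // SSO cookie -> user
	tickets   map[string]*Ticket
	now       func() time.Time
}

func NewIdP(now func() time.Time) *IdP {
	return &IdP{passwords: map[string]string{"lucky": "s3cret"}, sso: map[string]string{},
		tickets: map[string]*Ticket{}, now: now}
}

func (i *IdP) issue(user, service string) string {
	id := randID("ST-")
	i.tickets[id] = &Ticket{User: user, Service: service, Expires: i.now().Add(5 * time.Minute)}
	return id
}

// Login is the only place credentials are entered; it opens the SSO session and
// returns the SSO cookie plus a ticket for the service that redirected the user.
func (i *IdP) Login(user, password, service string) (sso, ticket string, err error) {
	if p, ok := i.passwords[user]; !ok || p != password {
		return "", "", errors.New("bad credentials")
	}
	sso = randID("TGC-")
	i.sso[sso] = user
	return sso, i.issue(user, service), nil
}

// Ticket serves a later service from the existing SSO session: no second login.
func (i *IdP) Ticket(sso, service string) (string, error) {
	user, ok := i.sso[sso]
	if !ok {
		return "", errors.New("no SSO session, login required")
	}
	return i.issue(user, service), nil
}

// Validate is the SP's ticket check: the ticket must exist, be unexpired and have
// been issued for this very service; it is deleted on use so a copy cannot be replayed.
func (i *IdP) Validate(id, service string) (string, error) {
	t, ok := i.tickets[id]
	if !ok || t.Service != service || !i.now().Before(t.Expires) {
		return "", errors.New("invalid ticket")
	}
	delete(i.tickets, id)
	return t.User, nil
}

// SP serves a service; after one valid ticket it keeps its own session and makes
// the access-control decision itself.
type SP struct {
	URL      string
	idp      *IdP
	sessions map[string]string          // SP session cookie -> user
	acl      map[string]map[string]bool // resource -> users allowed to use it
}

func NewSP(url string, idp *IdP, acl map[string]map[string]bool) *SP {
	return &SP{URL: url, idp: idp, sessions: map[string]string{}, acl: acl}
}

// Outcome is the SP's answer to one browser request.
type Outcome struct {
	RedirectTo string // set when the browser must go to the IdP login page
	Session    string // SP session cookie, set once a ticket has been validated
	Served     bool
	Reason     string
}

// Request handles one browser request carrying an SP session cookie and/or a ticket.
func (s *SP) Request(session, ticket, resource string) Outcome {
	user, ok := s.sessions[session]
	if !ok {
		if ticket == "" {
			return Outcome{RedirectTo: LoginURL + "?service=" + s.URL, Reason: "no ticket"}
		}
		u, err := s.idp.Validate(ticket, s.URL)
		if err != nil {
			return Outcome{Reason: err.Error()}
		}
		user, session = u, randID("SESS-")
		s.sessions[session] = user
	}
	if !s.acl[resource][user] { // authorization is the SP's own decision
		return Outcome{Session: session, Reason: user + " may not use " + resource}
	}
	return Outcome{Session: session, Served: true}
}

func main() {
	idp := NewIdP(time.Now)
	sp := NewSP("https://sp.example.com", idp, map[string]map[string]bool{"/reports": {"lucky": true}})
	fmt.Printf("first request: %+v\n", sp.Request("", "", "/reports")) // redirect to the IdP
	_, ticket, _ := idp.Login("lucky", "s3cret", sp.URL)
	fmt.Printf("with ticket:   %+v\n", sp.Request("", ticket, "/reports")) // served
	fmt.Printf("replayed copy: %+v\n", sp.Request("", ticket, "/reports")) // refused
}
```

Two properties of this flow are worth keeping in mind when reading the slides: authentication happens once, at the IdP, and is then carried by the IdP's SSO session, while authorization (the ACL lookup in Request) is decided by each SP for itself; and the SP's own session cookie, not the ticket, is what the user presents on later requests, so ticket lifetime can be kept to minutes.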
  • 25. SSO Providers
    Provider Name: Product Name
    • Microsoft: Active Directory Federation Services, Forefront Identity Manager
    • IBM: IBM Enterprise Identity Mapping, LTPA, IBM Tivoli Access Manager
    • Red Hat: FreeIPA, JBoss SSO, Keycloak
    • ForgeRock: OpenAM
    • VMware: myOneLogin
    • Jasig: CAS
    • OneLogin Inc.: OneLogin
    • Ping Identity: Ping Dock
    • SSOCircle: Public SSOCircle, IDPee