Enterprise Single Sign On


  1. Enterprise Single Sign On: SAML, OpenID Connect and more. Suresh Attanayake, Senior Software Engineer. Last Updated: Jun. 2014
  2. About the Presenter(s)
     ๏ Suresh Attanayake is a Senior Software Engineer at WSO2 from the Solutions Architecture / Technical Sales team. He is a former Identity Server team member and has been involved in various WSO2 customer projects around the globe.
  3. About WSO2
     ๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
     ๏ Provides the only open source platform-as-a-service for private, public and hybrid cloud deployments
     ๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
     ๏ Is an active member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group
     ๏ Driven by innovation
       ๏ Launched first open source API Management solution in 2012
       ๏ Launched App Factory in 2Q 2013
       ๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
  4. What WSO2 delivers
  5. Passwords
     1) 123456  2) password  3) 12345678  4) qwerty  5) abc123
     http://splashdata.com/press/worstpasswords2013.htm
  6. Password Fatigue
     ๏ Use easy to remember passwords
     ๏ Use the same password
  7. Single Sign On
     ๏ Single password to remember
     ๏ Use password only once
     ๏ Use password only at one place
     ๏ Ease of administration
     ๏ Enforce password/account policies
  8. SSO Model
  9. SAML2 Web Browser SSO Profile
     ๏ XML based
     ๏ Web browser based
     ๏ Bindings:
       ๏ HTTP Redirect Binding
       ๏ HTTP POST Binding
       ๏ HTTP Artifact Binding
     ๏ Profiles:
       ๏ Single Logout Profile
  10. SAML2 Web Browser SSO
  11. SAML2 <AuthnRequest>
  12. SAML2 <Response>
  13. OpenID
      ๏ Plain text key-value pairs
      ๏ Web browser based
      ๏ Indirect communication:
        ๏ HTTP Redirection
        ๏ HTTP Form submission
      ๏ Features:
        ๏ OpenID Provider (IDP) discovery
        ๏ OpenID Attribute Exchange / OpenID Simple Registration
  14. OpenID
  15. OpenID Authentication Request
      openid.ns:http://specs.openid.net/auth/2.0
      openid.claimed_id:https://localhost:9443/openid/suresh
      openid.identity:https://localhost:9443/openid/suresh
      openid.return_to:http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=true
      openid.realm:http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=true
      openid.assoc_handle:AOQobUfyfIM0vAz-VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiq
      openid.mode:checkid_setup
      openid.ns.ext1:http://openid.net/srv/ax/1.0
      openid.ext1.mode:fetch_request
      openid.ext1.type.email:http://axschema.org/contact/email
      openid.ext1.type.firstname:http://axschema.org/namePerson/first
      openid.ext1.type.lastname:http://axschema.org/namePerson/last
      openid.ext1.type.country:http://axschema.org/contact/country/home
      openid.ext1.type.language:http://axschema.org/pref/language
      openid.ext1.required:email,firstname,lastname,country,language
  16. OpenID Authentication Response
      openid.op_endpoint:https://localhost:9443/openidserver
      openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.firstname,ext1.value.firstname,ext1.type.email,ext1.value.email,ext1.type.language,ext1.value.language,ext1.type.lastname,ext1.value.lastname
      openid.ns.ext1:http://openid.net/srv/ax/1.0
      openid.sig:wyQi3eTjESAVWsHjPODQ2q7UUVMvNOTySTCvffmqd+A=
      is_id_res:true
      openid.response_nonce:2011-05-18T14:54:21Z0eugpxqu3Sv9Iw
      openid.claimed_id:https://localhost:9443/openid/suresh
      openid.ext1.value.lastname:Attnayake
      openid.ext1.value.firstname:Suresh
      openid.assoc_handle:AOQobUfyfIM0vAz-VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiq
      openid.ext1.value.email:suresh@wso2.com
      openid.ext1.type.language:http://axschema.org/pref/language
      openid.ext1.type.lastname:http://axschema.org/namePerson/last
      openid.ext1.type.firstname:http://axschema.org/namePerson/first
      openid.ns:http://specs.openid.net/auth/2.0
      openid.identity:https://localhost:9443/openid/suresh
      openid.ext1.type.email:http://axschema.org/contact/email
      openid.mode:id_res
      openid.ext1.mode:fetch_response
      openid.ext1.value.language:en-US
      openid.return_to:http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=true
  17. OpenID Connect
      ๏ Built on top of the OAuth 2.0 framework
      ๏ Web browser based
      ๏ HTTP GET query params, HTTP POST request params and JSON
      ๏ Authentication Flows:
        ๏ Authorization Code flow
        ๏ Implicit flow
        ๏ Hybrid flow
  18. OpenID Connect
  19. OIDC Authentication Request
      HTTP/1.1 302 Found
      Location: https://server.example.com/authorize?
        response_type=code
        &scope=openid%20profile%20email
        &client_id=s6BhdRkqt3
        &state=af0ifjsldkj
        &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
  20. OIDC Authentication Response
      HTTP/1.1 302 Found
      Location: https://client.example.org/cb?
        code=SplxlOBeZQQYbYS6WxSbIA
        &state=af0ifjsldkj
  21. OIDC Token Request
      POST /token HTTP/1.1
      Host: server.example.com
      Content-Type: application/x-www-form-urlencoded
      Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
        &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
  22. OIDC Token Response
      HTTP/1.1 200 OK
      Content-Type: application/json
      Cache-Control: no-store
      Pragma: no-cache
      {
        "access_token": "SlAV32hkKG",
        "token_type": "Bearer",
        "refresh_token": "8xLOxBtZp8",
        "expires_in": 3600,
        "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc
          yI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5
          NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZ
          fV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz
          AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6q
          Jp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ
          NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7Tpd
          QyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS
          K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4
          XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
      }
  23. OIDC IDToken
      JWT header: {"alg":"RS256","kid":"1e9gdk7"}
      JWT payload: {
        "iss": "http://server.example.com",
        "sub": "248289761001",
        "aud": "23k23k3434",
        "nonce": "n-0S6_WzA2Mj",
        "exp": 1311281970,
        "iat": 1311280970
      }
      JWT Signature
  24. UserInfo Request
      GET /userinfo HTTP/1.1
      Host: server.example.com
      Authorization: Bearer SlAV32hkKG
  25. UserInfo Response
      HTTP/1.1 200 OK
      Content-Type: application/json
      {
        "sub": "248289761001",
        "name": "Jane Doe",
        "given_name": "Jane",
        "family_name": "Doe",
        "preferred_username": "j.doe",
        "email": "janedoe@example.com",
        "picture": "http://example.com/janedoe/me.jpg"
      }
  26. WS-Trust
  27. Kerberos
  28. How to pick a technology
      Examples:
      1. How components interact with each other
      2. Technologies preferred
      3. Existing systems and limitations
      4. Platforms
  29. Web Applications
  30. Business Model
  31. More Information!
      ๏ Include links to product downloads, white paper downloads, etc.
  32. Contact us!
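An added example, not code from the slides, of the checks a relying party runs on the slide 16 OpenID 2.0 response before trusting it: the mandatory fields must be listed in openid.signed, return_to must match the RP's own URL, the response_nonce must be fresh, and only attribute values covered by openid.signed count as supplied by the OP (the slide 15 request also required country, which the response never signs). The 300-second nonce window is an assumed policy, and the AX type URIs are left out of the copied response for brevity.

```python
from datetime import datetime, timezone

# OpenID 2.0 positive assertion copied from slide 16 (AX type URIs omitted), as the RP receives it.
RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://localhost:9443/openidserver",
    "openid.claimed_id": "https://localhost:9443/openid/suresh",
    "openid.identity": "https://localhost:9443/openid/suresh",
    "openid.return_to": "http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=true",
    "openid.response_nonce": "2011-05-18T14:54:21Z0eugpxqu3Sv9Iw",
    "openid.assoc_handle": "AOQobUfyfIM0vAz-VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiq",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.firstname,ext1.value.firstname,ext1.type.email,ext1.value.email,ext1.type.language,ext1.value.language,ext1.type.lastname,ext1.value.lastname",
    "openid.ns.ext1": "http://openid.net/srv/ax/1.0",
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.value.firstname": "Suresh",
    "openid.ext1.value.lastname": "Attnayake",
    "openid.ext1.value.email": "suresh@wso2.com",
    "openid.ext1.value.language": "en-US",
}
# Fields OpenID 2.0 requires inside openid.signed for an id_res assertion.
MUST_BE_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")

def signed_fields(params):
    return set(params.get("openid.signed", "").split(","))

def nonce_age(params, now):
    # response_nonce = UTC "YYYY-MM-DDTHH:MM:SSZ" plus random text; RPs also store it to refuse replays.
    issued = datetime.strptime(params["openid.response_nonce"][:20], "%Y-%m-%dT%H:%M:%SZ")
    return now - issued.replace(tzinfo=timezone.utc).timestamp()

def trusted_ax_values(params):
    # Only attribute values covered by openid.signed are attributable to the OP; anything else is untrusted input.
    signed = signed_fields(params)
    return {k.split(".")[-1]: v for k, v in params.items()
            if k.startswith("openid.ext1.value.") and k[len("openid."):] in signed}

def check_response(params, expected_return_to, required_attrs, now, max_age=300):
    """Return the failed checks for an id_res response (empty list = accept); max_age is an assumed policy."""
    signed = signed_fields(params)
    problems = [f"unsigned:{f}" for f in MUST_BE_SIGNED if f not in signed]
    if params.get("openid.mode") != "id_res" or params.get("openid.ns") != "http://specs.openid.net/auth/2.0":
        problems.append("mode")
    if params.get("openid.return_to") != expected_return_to:
        problems.append("return_to")
    problems += [f"missing_attr:{a}" for a in required_attrs if a not in trusted_ax_values(params)]
    if nonce_age(params, now) > max_age:
        problems.append("stale_nonce")
    return problems
```

Signature verification over the signed fields with the association MAC key is a separate step the RP performs before these checks; the slides do not include that key.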
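An added example, not code from the slides, of the ID token checks an RP applies after the slide 22 token response: the header algorithm, iss, aud against the client_id s6BhdRkqt3 from slide 19 (the decoded payload shown on slide 23 carries aud 23k23k3434 and fails this check), nonce, exp and iat. It assumes the JWS signature has already been verified with the OP key named by kid, that the RP sent the nonce n-0S6_WzA2Mj, and a max_age window that is an assumed policy.

```python
import base64
import json

def b64url_decode(segment):
    # JWS segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_id_token(token):
    """Split a compact JWS into its JSON header and claims; signature checking is left to a JWS library."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def check_id_token(header, claims, *, client_id, issuer, nonce, now, max_age=300):
    """OIDC Core ID token validation; returns the failed checks (empty list = accept).
    Assumes the RS256 signature was already verified with the OP key named by header['kid']."""
    problems = []
    if header.get("alg") != "RS256":  # reject 'none' or any algorithm the RP did not agree to
        problems.append("alg")
    if claims.get("iss") != issuer:
        problems.append("iss")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:  # issued for some other client: must not be accepted
        problems.append("aud")
    if len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("azp")
    if claims.get("nonce") != nonce:  # binds the token to the RP's own authentication request
        problems.append("nonce")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        problems.append("exp")
    if not isinstance(claims.get("iat"), int) or now - claims["iat"] > max_age:  # max_age is an assumed policy
        problems.append("iat")
    return problems

# ID token from the slide 22 token response (the OIDC Core spec example), re-joined after extraction wrapped it.
ID_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ."
    "ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2Ui"
    "OiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ."
    "ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ"
    "NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS"
    "K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
)
# What the RP remembers: its client_id and the OP it redirected to (slide 19), and the nonce it sent (assumed).
CLIENT_ID, ISSUER, NONCE = "s6BhdRkqt3", "http://server.example.com", "n-0S6_WzA2Mj"

def validate(token, now):
    header, claims = parse_id_token(token)
    return check_id_token(header, claims, client_id=CLIENT_ID, issuer=ISSUER, nonce=NONCE, now=now)
```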
