Single sign on using WSO2 identity server

  1. Single sign-on using WSO2 Identity Server. S. Uthaiyashankar, shankar@wso2.com, VP, Engineering
  2. About WSO2
     • Providing the only complete open source componentized cloud platform
       – Dedicated to removing all the stumbling blocks to enterprise agility
       – Enabling you to focus on business logic and business value
     • Recognized by leading analyst firms as visionaries and leaders
       – Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
       – Forrester places WSO2 in top 2 for API Management
     • Global corporation with offices in USA, UK & Sri Lanka
       – 200+ employees and growing
     • Business model of selling comprehensive support & maintenance for our products
  3. 150+ globally positioned support customers
  4. Topics Covered…
     • Importance of Single Sign-On
     • Single Sign-On patterns
     • Single Sign-On support in WSO2 Identity Server
  5. The Story Begins…
  6. That is not the End…
  7. Problems…
     • User Perspective:
       – Different username, password for different systems
         • Preferred username is already taken
         • Using same username/password might become a security risk
       – Too many usernames and passwords
       – Losing possible collaborations
  8. Problems…
     • IT Perspective:
       – Provisioning/De-provisioning users
       – Auditing user activities
       – No single view of user
       – Deploying new applications
  9. Shared User Store - Possible Solution?
  10. Problems…
     • Multiple logins
     • Cloud Services and 3rd party applications
  11. Solution
     • Federated Identity and Single Sign-On
     Diagram: Authentication → Identity Provider; Trust; Service Consumption → Service Providers (several)
  12. Single Sign-On and Federated Identity
  13. Single Sign-On and Federated Identity
     • Single Identity
     • Possibility of Collaboration between applications
     • User Convenience
       • Login only once and can access any services
     • Easy administration
       – Provisioning, de-provisioning, forgotten password
  14. WSO2 Identity Server
  15. Key Requirements For Identity Federation: Identity Management and Authentication
     • Authentication
       – Multi-Factor Authentication
     • Identity Management
       – Attributes / Claims
  16. Key Requirements For Identity Federation: Trust Between Domains
     • Trust
       – Pre-established
         • Common in Enterprise scenarios
       – Established only when accessing the service
         • Common in web scenarios
     • Identity Provider Discovery
  17. Key Requirements For Identity Federation: Identity and Attribute Mapping
     • Mapping user identity of one system to another
       – Username
       – Out of Band
       – Pseudonym
         • Transient
         • Persistent
     • Mapping attribute names in different systems
     • Mapping attribute values in different systems
  18. Key Requirements For Identity Federation: Attribute Exchange
     • One system requesting additional attributes from another system
  19. Protocols and Standards
     • OpenID
     • SAML2 Web Browser SSO
     • WS-Trust & WS-Federation
     • Kerberos
  20. OpenID: http://openid.net/get-an-openid/
  21. OpenID Identifiers
     • Google – https://profiles.google.com/YourGoogleID
     • Blogger – http://blogname.blogspot.com/
     • MySpace – http://www.myspace.com/username
  22. OpenID
     Diagram (Service Provider A / Relying Party, Identity Provider with Single Sign-On Service): 1 Provide OpenID; 2 Discover Provider (XRI Resolution, Yadis, HTML Based Discovery); 3 Create shared secret; 4 Redirect browser to IdP; 5, 6 (unlabelled); 7 Allow access to service
  23. SAML2 Web Browser SSO
  24. SAML2 Web Browser SSO
     Diagram (Service Provider A with Assertion Consumer Service, Identity Provider with Single Sign-On Service, Trust between them): 1 Access Service; 2 Select Identity Provider; 3 Redirect browser to IdP; 4, 5, 6 (unlabelled); 7 Allow access to service
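As an added example (not from the deck and not WSO2's code), the checks an SP's Assertion Consumer Service has to make on the samlp:Response it receives in step 6 before it allows access in step 7. The endpoint URLs, entity IDs and the sample response are constructed, and XML signature verification is assumed to have been done beforehand by an xmlsec library, since this block does only the non-cryptographic checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def parse_time(s):
    # SAML timestamps are xsd:dateTime in UTC; the constructed sample uses whole seconds
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, request_id, sp_entity_id, acs_url,
                      now=None, skew=timedelta(minutes=3)):
    """ACS checks before granting access (step 7). Assumes the XML signature
    ('check signature') was already verified with an xmlsec library."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    if root.get("Destination") != acs_url:
        return False, "Destination is not this ACS"        # meant for another endpoint
    if root.get("InResponseTo") != request_id:
        return False, "unsolicited or replayed response"   # must match the AuthnRequest we issued
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report Success"
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        return False, "no assertion with Conditions"
    not_before = parse_time(cond.get("NotBefore"))
    not_on_or_after = parse_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before or now - skew >= not_on_or_after:
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "assertion not intended for this SP"   # issued for a different SP
    return True, assertion.find("saml:Subject/saml:NameID", NS).text

# Constructed sample response (hypothetical IdP and SP; no Signature element, see docstring)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2014-03-01T10:00:05Z"
 Destination="https://sp.example.com/acs" InResponseTo="_req42">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-03-01T10:00:05Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-03-01T10:00:00Z" NotOnOrAfter="2014-03-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

The InResponseTo check is what ties the response to the AuthnRequest the SP issued in step 3, so the SP must keep the outstanding request IDs it generated and drop each one once it is consumed.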
  25. WS-Trust
     Diagram (Identity Provider with Security Token Service, Service Provider A, Trust between them): 1 Authentication (Username/x509/etc.); 2 Security Token; 3, 4 (unlabelled); 5 Verify Token (e.g.: check signature)
  26. WS-Federation
     Diagram (Domain A: Identity Provider A with Security Token Service; Domain B: Identity Provider B with Security Token Service and Service Provider B; Trust between them): 1 Authentication (Username/x509/etc.); 2 Security Token A; 3 (unlabelled); 4 Verify Token A (e.g.: check signature); 5, 6 (unlabelled); 7 Verify Token B (e.g.: check signature); 8 (unlabelled)
  27. Kerberos
     Diagram (Identity Provider = Key Distribution Center with Authentication Service and Ticket Granting Service; Service Provider; steps 1-8): UserName; Session Key + Ticket Granting Ticket; Ticket Granting Ticket + Authenticator; Verify Authenticator; Security Token; Service Shared Key; Verify Security Token
  28. Some Federation Patterns Using WSO2 Identity Server
  29. Token Exchange
  30. IdP Proxy Pattern
  31. IdP Proxy Pattern
  32. IdP Proxy Pattern
  33. Questions?
  34. Engage with WSO2
     • Helping you get the most out of your deployments
     • From project evaluation and inception to development and going into production, WSO2 is your partner in ensuring 100% project success
