SSO With The WSO2 Identity Server
Suresh Attanayake
Software Engineer
About WSO2
• Providing the only complete open source componentized cloud platform
– Dedicated to removing all the stumbling blocks to enterprise agility
– Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
– Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
– Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
– 200+ employees and growing
• Business model of selling comprehensive support & maintenance for our products
Previous: A Walk Through SSO
● Problems with traditional authentication
● How SSO solves those problems
● Need for Open Standards
● Introduction to some open standards and how they solve the common authentication problems
What we cover today
● OpenID
● SAML 2.0 Web Browser SSO
● WS-Trust
● Solutions
● Demos
OpenID
● Sign into multiple websites with the accounts you already have.
– No need for new account creation
– Websites don't have to store passwords
● Users' passwords are never shared with the websites.
● Users can decide dynamically what information is shared with the websites
● Decentralized identity management
Entities
● OpenID Provider (OP)
– Central Authentication Service
● Relying Party (RP)
– Web Applications
● User Agent
– Web Browser
● User
OpenID Authentication
1. User enters the OpenID Identifier and clicks login at the Relying Party (RP).
2. RP performs discovery on the provided identifier.
3. RP creates an association with the OpenID Provider (OP).
4. RP issues an Authentication Request to OP.
5. OP authenticates the user.
6. OP sends an Authentication Response to RP.
7. RP validates the authentication response.
8. RP grants or denies the access to the user.
Discovery
● The Process: The relying party uses the user-supplied identifier to look up the information necessary to initiate the OpenID protocol
● Information
– Version
– OP endpoint URL
– Claimed ID
● Discovery methods
– XRI Resolution
– Yadis
– HTML-Based discovery
Associations
● Process: Sharing a secret (MAC key) between the OpenID Provider and the Relying Party
● Association Types
– HMAC-SHA1
– HMAC-SHA256
● Association Session Types
– no-encryption
– DH-SHA1
– DH-SHA256
Authentication Request
● Contains
– Claimed ID
– Association handle
– Return-to URL
– More
– Extensions (Attributes)
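Step 7 of the flow above (the RP validates the authentication response) written out, as an added example that is not from the slides or from the WSO2 Identity Server: it recomputes the HMAC-SHA256 signature that the association's MAC key produces over the Key-Value Form of the openid.signed fields, and also checks that the required fields are covered by the signature, that return_to is the RP's own URL, and that the response_nonce has not been replayed. The OP and RP URLs, association handle and MAC key are constructed sample values.

```python
import base64, hashlib, hmac

# OpenID 2.0: these must always be in openid.signed; claimed_id/identity must be signed when present.
ALWAYS_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
SIGNED_IF_PRESENT = ("claimed_id", "identity")

def kv_form(params, signed_keys):
    """Key-Value Form: one 'key:value\\n' line per signed key, 'openid.' prefix stripped."""
    return "".join(f"{k}:{params.get('openid.' + k, '')}\n" for k in signed_keys)

def sign(params, mac_key, assoc_type="HMAC-SHA256"):
    """openid.sig = base64(HMAC(mac_key, Key-Value Form of the openid.signed fields))."""
    digest = hashlib.sha256 if assoc_type == "HMAC-SHA256" else hashlib.sha1
    msg = kv_form(params, params["openid.signed"].split(",")).encode("utf-8")
    return base64.b64encode(hmac.new(mac_key, msg, digest).digest()).decode("ascii")

def verify_response(params, mac_key, expected_return_to, seen_nonces, assoc_type="HMAC-SHA256"):
    """Relying-party validation of an authentication response; returns (accepted, reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = params.get("openid.signed", "").split(",")
    for k in ALWAYS_SIGNED + tuple(f for f in SIGNED_IF_PRESENT if "openid." + f in params):
        if k not in signed:
            return False, f"field not covered by signature: {k}"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to does not match the RP's own URL"
    nonce = params.get("openid.response_nonce")
    if not nonce or nonce in seen_nonces:
        return False, "missing or replayed response_nonce"
    if not hmac.compare_digest(sign(params, mac_key, assoc_type), params.get("openid.sig", "")):
        return False, "signature mismatch"
    seen_nonces.add(nonce)  # remember the nonce only after the assertion is accepted
    return True, "ok"

def sample_assertion(mac_key):
    """Constructed positive assertion from a fictional OP, signed with the association's mac_key."""
    params = {
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.test/openid",
        "openid.claimed_id": "https://op.example.test/id/alice",
        "openid.identity": "https://op.example.test/id/alice",
        "openid.return_to": "https://rp.example.test/openid/return",
        "openid.response_nonce": "2024-01-01T00:00:00Zabc123",
        "openid.assoc_handle": "assoc-0001",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params, mac_key)
    return params
```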
Profile Overview (SAML 2.0 Web Browser SSO)
1. User agent accesses a Service Provider.
2. Service Provider determines the Identity Provider.
3. Service Provider issues an <AuthnRequest> message to the Identity Provider.
4. Identity Provider identifies the Principal.
5. Identity Provider issues a <Response> message to the Service Provider.
6. Service Provider grants or denies access to the Principal.
Bindings
“Mappings of SAML request-response message exchanges onto standard messaging or communication protocols are called SAML protocol bindings.”
– HTTP Redirect Binding
– HTTP POST Binding
– HTTP Artifact Binding
Single Logout Profile
1. Service Provider issues a <LogoutRequest>.
2. Identity Provider determines the Session Participants.
3. Identity Provider issues a <LogoutRequest> to each Session Participant.
4. Session Participants send a <LogoutResponse> to the Identity Provider.
5. Identity Provider sends a <LogoutResponse> to the Service Provider that initiated the Single Logout.
WS-Trust Security Model
● A Web Service requires a set of claims to be present in the incoming request message.
● If the incoming request message doesn't contain the required claims, the service should reject or ignore the request.
● Built with
– Claims
– Policies
– Tokens