SSO with the WSO2 Identity Server



  1. SSO With The WSO2 Identity Server. Suresh Attanayake, Software Engineer
  2. About WSO2
     ● Providing the only complete open source componentized cloud platform
       – Dedicated to removing all the stumbling blocks to enterprise agility
       – Enabling you to focus on business logic and business value
     ● Recognized by leading analyst firms as visionaries and leaders
       – Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
       – Forrester places WSO2 in top 2 for API Management
     ● Global corporation with offices in USA, UK & Sri Lanka
       – 200+ employees and growing
     ● Business model of selling comprehensive support & maintenance for our products
  3. 150+ globally positioned support customers
  4. Previous: A Walk Through SSO
     ● Problems with traditional authentication
     ● How SSO solves those problems
     ● Need for Open Standards
     ● Introduction to some open standards and how they solve the common authentication problems
  5. What we cover today
     ● OpenID
     ● SAML 2.0 Web Browser SSO
     ● WS-Trust
     ● Solutions
     ● Demos
  6. OpenID
     ● Sign into multiple websites with the accounts you already have.
       – No need for new account creation
       – Websites don't have to store passwords
     ● Users' passwords are never shared with the websites.
     ● Users can decide dynamically what information is shared with the websites
     ● Decentralized identity management
  7. Entities
     ● OpenID Provider (OP)
       – Central Authentication Service
     ● Relying Party (RP)
       – Web Applications
     ● User Agent
       – Web Browser
     ● User
  8. OpenID Providers
  9. OpenID Identifiers
     ● Google –
     ● Blogger –
     ● MySpace –
  10. Relying Parties
  11. Relying Parties
     ● Over 50,000 web sites –
     ● One billion user accounts
     ● Drupal, Wordpress and libraries
     ● Visit
  12. OpenID
  13. OpenID Authentication
     1. User enters the OpenID Identifier and clicks login at the Relying Party (RP).
     2. RP performs discovery on the provided identifier.
     3. RP creates an association with the OpenID Provider (OP).
     4. RP issues an Authentication Request to OP.
     5. OP authenticates the user.
     6. OP sends an Authentication Response to RP.
     7. RP validates the authentication response.
     8. RP grants or denies the access to the user.
  14. Discovery
     ● The Process: The relying party uses the user-supplied identifier to look up the information necessary to initiate the OpenID protocol
     ● Information
       – Version
       – OP endpoint URL
       – Claimed ID
     ● Discovery methods
       – XRI Resolution
       – Yadis
       – HTML-Based discovery
  15. Associations
     ● Process: Sharing a secret (MAC key) between the OpenID Provider and the Relying Party
     ● Association Types
       – HMAC-SHA1
       – HMAC-SHA256
     ● Association Session Types
       – no-encryption
       – DH-SHA1
       – DH-SHA256
  16. Authentication Request
     ● Contains
       – Claimed ID
       – Association handle
       – Return to URL
       – More
       – Extensions (Attributes)
  17. Authentication Request
  18. Authentication Response
     ● Contains
       – OP Endpoint
       – Claimed ID
       – Signature
       – More
       – Extensions (Attributes)
  19. Authentication Response
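Added example, not code from the slides or from WSO2 Identity Server: the Relying Party's validation of a positive OpenID 2.0 assertion (slide 13, step 7), using the HMAC-SHA256 MAC key shared through the association of slide 15 to check the signature of slide 18 and then the return_to and response_nonce fields. The MAC key, association handle, URLs and nonce values are constructed; the key-value signing form and the set of fields that must be signed follow the OpenID 2.0 specification.

```python
import base64, hashlib, hmac, time
from calendar import timegm

# Constructed sample values (hypothetical): the MAC key and handle the RP
# obtained when it created an HMAC-SHA256 association with the OP (slide 15).
MAC_KEY = b"constructed-32-byte-mac-key-demo"
ASSOC_HANDLE = "assoc-demo-1"
RETURN_TO = "https://rp.example/openid/return"
# OpenID 2.0 requires these fields to be covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
NONCE_WINDOW = 300  # seconds a response_nonce is accepted; bounds replay of a captured response


def signed_kv_form(fields):
    # Key-value form over the fields named in openid.signed, in that order,
    # each as 'name:value\n' with the 'openid.' prefix dropped.
    names = fields["openid.signed"].split(",")
    return "".join(f"{n}:{fields.get('openid.' + n, '')}\n" for n in names).encode()


def sign(fields, mac_key=MAC_KEY):
    mac = hmac.new(mac_key, signed_kv_form(fields), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_response(fields, seen_nonces, now=None, mac_key=MAC_KEY):
    """RP-side checks for a positive assertion (slide 13, step 7).
    Returns (ok, reason); seen_nonces is the RP's replay cache (a set)."""
    now = time.time() if now is None else now
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = set(fields.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        return False, "signature does not cover all required fields"
    if fields.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle"
    # Check the MAC before trusting any other field value.
    if not hmac.compare_digest(sign(fields, mac_key), fields.get("openid.sig", "")):
        return False, "bad signature"
    if fields.get("openid.return_to") != RETURN_TO:
        return False, "return_to does not match this RP"
    nonce = fields.get("openid.response_nonce", "")  # 'YYYY-MM-DDThh:mm:ssZ' + unique suffix
    try:
        issued = timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - issued) > NONCE_WINDOW or nonce in seen_nonces:
        return False, "stale or replayed response_nonce"
    seen_nonces.add(nonce)
    return True, "ok"
```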
  20. Attribute exchange
     ● OpenID Attribute Exchange
     ● OpenID Simple Registration
  21. OpenID Demo with the WSO2 Identity Server
  22. Example Solution – Multiple Domains
  23. What OpenID is lacking
     ● Single Logout
     ● IDP initiated SSO
     ● Not utilizing SSL/TLS
  24. SAML 2.0 Web Browser SSO Profile
  25. Entities
     ● Identity Provider (IDP)
       – Single Sign On Service
     ● Service Provider (SP)
       – Assertion Consumer Service
     ● Principal
  26. SAML Web Browser SSO Profile
  27. Profile Overview
     1. User agent accesses a Service Provider.
     2. Service Provider determines the Identity Provider.
     3. Service Provider issues an <AuthnRequest> message to the Identity Provider.
     4. Identity Provider identifies the Principal.
     5. Identity Provider issues a <Response> message to the Service Provider.
     6. Service Provider grants or denies the access to the Principal.
  28. Identity Provider Discovery
     ● Implementation dependent
       – Configuration
       – Identity Provider Discovery Profile
  29. <AuthnRequest> message
  30. <AuthnResponse> message
  31. Bindings
     "Mappings of SAML request-response message exchanges onto standard message or communication protocols are called SAML protocol bindings."
       – HTTP Redirect Binding
       – HTTP POST Binding
       – HTTP Artifact Binding
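Added example, not code from the slides or from WSO2: the SP side of the HTTP Redirect binding for the <AuthnRequest> of slide 27 step 3 (raw DEFLATE, base64, URL-encode into the query string) and the IdP side that reverses it with an inflate limit before a minimal parse. Entity IDs, URLs and the inflate limit are constructed; xml.etree is used because it is in the standard library, with a hardened parser such as defusedxml assumed for untrusted input in production.

```python
import base64, urllib.parse, uuid, zlib
import xml.etree.ElementTree as ET  # assumption: swap in defusedxml for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_INFLATED = 64 * 1024  # cap on inflated bytes so a crafted request cannot exhaust memory


def build_authn_request(issuer, acs_url, destination, issue_instant):
    """Minimal <AuthnRequest> the SP sends (slide 27, step 3); values are the caller's."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


def encode_redirect(xml_text, relay_state=None):
    """HTTP Redirect binding: raw DEFLATE, base64, URL-encode (SigAlg/Signature omitted)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    data = comp.compress(xml_text.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(data).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect(query):
    """IdP side: reverse the encoding, refusing input that inflates past MAX_INFLATED."""
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    data = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(data, MAX_INFLATED)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("SAMLRequest exceeds inflate limit or is truncated")
    return xml_bytes.decode()


def parse_authn_request(xml_text):
    """Pull out what the IdP needs to answer: request ID, Issuer and ACS URL."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {"id": root.get("ID"), "issuer": None if issuer is None else issuer.text,
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "destination": root.get("Destination")}
```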
  32. Single Logout Profile
     1. Service Provider issues a <LogoutRequest>.
     2. Identity Provider determines Session Participants.
     3. Identity Provider issues <LogoutRequest> to Session Participants.
     4. Session Participants send <LogoutResponse> to the Identity Provider.
     5. Identity Provider sends a <LogoutResponse> to the Single Logout initiator Service Provider.
  33. Single Logout Profile
  34. SAML 2.0 Web Browser SSO Demo with the WSO2 Identity Server
  35. Example Solution - Federation
  36. What is not interesting about SAML 2.0 Web Browser SSO
     ● It's XML based
       – serialization required
     ● Cryptographic operations
       – Nightmare for scripting languages
  37. WS-Trust
  38. WS-Trust Security Model
     ● Web services require a set of claims to be in the incoming request message.
     ● If the incoming request message doesn't contain the required claims, then the service should reject or ignore the request.
     ● Built with
       – Claims
       – Policies
       – Tokens
  39. WS-Trust
  40. Security Token Service
     ● Issuing tokens
     ● Renewing tokens
     ● Validating tokens
     ● Token exchange
     ● Broker trust
  41. Tokens
     ● X.509 public certificates
     ● XML based tokens (SAML)
     ● Kerberos shared-secret tokens
     ● Digest passwords
  42. <wst:RequestSecurityToken>
  43. <wst:RequestSecurityTokenResponse>
  44. WS-Trust Demo with the WSO2 Identity Server
  45. Example Solution – Token Exchange
  46. Example Solution – Bridged SSO
  47. Questions?
  48. Thank you