December 19, 2006
Solving Web Single Sign-on with Standards and Open Source Solutions
Trey Drake
AssetWorld 2007
Albuquerque, New Mexico
November 2007

The Problems
• “I have too many passwords – my monitor is covered in Post-its!”
• “We're implementing Sarbanes-Oxley – we need to control access to applications!”
• “We need to access outsourced functions!”
• “Our partners need to access our applications!”

Conflicting Pressures?
• Security
• User Convenience
• Compliance
• Interoperability

Web Single Sign-On
• Simplest scenario is within one enterprise
• Factor authentication and authorization out of web applications into a web access management (WAM) solution
• Can use browser cookies within a DNS domain
• Proxy or Agent architecture implements role-based access control (RBAC)
• Users get single sign-on, IT gets control

SSO Within an Enterprise
Diagram components: End User; SSO Server; Web Server (×2); Application Server

How it works
Participants: Browser, Agent, Application, SSO Server
1. Browser → Agent: GET hrapp/index.html
2. Agent → Browser: Redirect to SSO Server
3. Browser ↔ SSO Server: Authenticate
4. SSO Server → Browser: SSO cookie
5. Browser → Agent: GET hrapp/index.html (with SSO cookie)
6. Agent → SSO Server: Is this user allowed to access hrapp/index.html?
7. SSO Server → Agent: Yes!
8. Agent → Application: Allow request to proceed
9. Application → Browser: Application response
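The agent / SSO Server exchange above, as an added Python model that is not part of the original slides: the SSO Server mints an HMAC-signed, expiring cookie after authentication, and the agent either redirects a cookie-less browser or asks the SSO Server for an RBAC decision on the requested resource. The key, users, roles and policy table are constructed sample data.

```python
import hmac, hashlib, json, base64

# Constructed sample data (not from the slides): signing key, user roles and a
# resource-to-roles policy such as a WAM server would hold.
SSO_KEY = b"constructed-demo-key-rotate-in-production"
USER_ROLES = {"alice": ["hr"], "bob": ["engineering"]}
POLICY = {"hrapp/index.html": {"hr"}}           # resource -> roles allowed
COOKIE_TTL = 600                                 # seconds a cookie stays valid

def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sso_issue_cookie(user: str, now: float) -> str:
    """SSO Server: after authentication, mint a signed, expiring SSO cookie."""
    payload = json.dumps({"sub": user, "exp": int(now) + COOKIE_TTL}).encode()
    sig = hmac.new(SSO_KEY, payload, hashlib.sha256).digest()
    return b64u(payload) + "." + b64u(sig)

def sso_is_allowed(cookie: str, resource: str, now: float) -> bool:
    """SSO Server: answer the agent's 'is this user allowed?' query."""
    try:
        p, s = cookie.split(".")
        payload, sig = b64u_dec(p), b64u_dec(s)
    except (ValueError, TypeError):
        return False                             # malformed cookie
    expected = hmac.new(SSO_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # tampered or forged cookie
        return False
    claims = json.loads(payload)
    if claims["exp"] <= now:                     # expired session
        return False
    roles = set(USER_ROLES.get(claims["sub"], []))
    return bool(roles & POLICY.get(resource, set()))

def agent_handle(resource: str, cookies: dict, now: float) -> str:
    """Agent: no SSO cookie -> redirect to SSO Server; else ask it for a decision."""
    cookie = cookies.get("sso")
    if cookie is None:
        return "302 Redirect to SSO Server"
    if sso_is_allowed(cookie, resource, now):
        return "200 Application response"        # request proceeds to the app
    return "403 Forbidden"
```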

Single Sign-on between Enterprises
• Cookies no longer work
– Need a more sophisticated protocol
• Can't mandate single vendor solution
– Need standards for interoperability

Single Sign-on Standards
• 2002: SAML 1, Liberty “Phase 1”
• 2003: SAML 1.1, Liberty ID-FF 1.1, 1.2, Shibboleth 1.0, 1.1, WS-Federation 1.0
• 2004: Shibboleth 1.2
• 2005: SAML 2 = Liberty Federation
• 2006: WS-Federation 1.1

SAML 2.0 Concepts
• Profiles: combining protocols, bindings, and assertions to support a defined use case
• Bindings: mapping SAML protocols onto standard messaging or communication protocols
• Metadata: IdP and SP configuration data
• Authentication Context: detailed data on types and strengths of authentication
• Protocols: request/response pairs for obtaining assertions and doing ID management
• Assertions: authentication, attribute, and entitlement information

SSO Across Enterprises
Diagram components: End User; Identity Provider; Service Provider (×3)

SAML SSO Basics
Participants: Browser, Service Provider, Identity Provider
1. Browser → Service Provider: GET hrapp/index.html
2. Service Provider → Browser: Redirect with SAML Request
3. Browser → Identity Provider: SAML Authentication Request
4. Browser ↔ Identity Provider: Authenticate
5. Identity Provider → Browser: HTML form with SAML Response
6. Browser → Service Provider: SAML Response
7. Service Provider examines SAML Response and makes access control decision
8. Service Provider → Browser: Response
What about Web Services?

Typical Web Service Model
Diagram: End User → Web Service Consumer → Web Service Provider

Transport Level Security
Diagram: End User → Web Service Consumer → Web Service Provider, with transport-level security on each hop

Transport-level Security != Identity
• Difficult choice between
– No client authentication
– Client authentication via certificates
• Scope of protection is limited to individual 'hops'
• Even with client authentication, no real non-repudiation due to difficulty of archiving and verifying message flow
• TLS/SSL is still essential for confidentiality and integrity at the transport level, but is not enough – we need a solution at the message level

Basic Web Services Security
Diagram: End User → Web Service Consumer → Web Service Provider, plus an Identity Provider

Message-level Security – Getting There
• Identity token carried in SOAP header
– WS-Security, WS-I Basic Security Profile
– Industry has converged on SAML Assertion as the token
• SAML allows for bearer tokens, holder-of-key tokens, audience restrictions etc
• Token can be archived with message
• But... restricting the audience to the immediate recipient leaves us with similarly limited scope of protection – one hop
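Service Provider-side validation of a SAML 2.0 Response, covering the access control step of the SAML SSO Basics slide and the audience restriction and bearer-token conditions mentioned above; this is an added Python example, not code from the slides or from OpenSSO. The Response XML, entity IDs, URLs and request ID are constructed sample data, and the XML signature over the Assertion is assumed to have been verified beforehand by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample Response as POSTed to the SP's ACS URL (ds:Signature omitted; see below).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 InResponseTo="_req42" IssueInstant="2007-11-05T10:00:00Z">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-11-05T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2007-11-05T10:05:00Z"
     Recipient="https://sp.example.test/hrapp/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2007-11-05T09:59:00Z" NotOnOrAfter="2007-11-05T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def _ts(s):  # SAML timestamps are UTC xs:dateTime values
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, sp_entity_id, acs_url, request_id, trusted_idp, now):
    """SP-side checks on a POSTed Response; returns (ok, detail). Assumes the XML
    signature over the Assertion was already verified by an XML-DSig library."""
    root = ET.fromstring(xml_text)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        return False, "status is not Success"
    if root.get("InResponseTo") != request_id:   # replayed or unsolicited response
        return False, "InResponseTo does not match the outstanding request"
    a = root.find("saml:Assertion", NS)
    if a.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        return False, "Issuer is not a trusted IdP"
    cond = a.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return False, "assertion is outside its validity window"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:            # meant for another SP: one hop only
        return False, "this SP is not in the AudienceRestriction"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id \
            or now >= _ts(scd.get("NotOnOrAfter")):
        return False, "bearer confirmation data does not match this endpoint or request"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```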

Requirements for Web Service Identity
• Identify the end user
• Locate the service
• Preserve identity
– Across multiple 'hops'
– Across domain boundaries
– Across vendors' products
• Using existing technologies and idioms
• Maintaining privacy

Identity Web Services
Diagram: End User → Web Service Consumer → Web Service Provider, with an Identity Provider and a Discovery Service

Scaling Out...
Diagram: Principal → Web Service Consumer → Web Service Provider/Consumer → Web Service Provider (×2), with an Identity Provider and a Discovery Service

Liberty Identity Web Services Framework (ID-WSF)
• Dynamic service discovery and addressing
• Common web services transport mechanisms to apply identity-aware message security
• Abstractions and optimizations to allow anything – including client devices – to host identity services
• Unified data access/management model for developers
• Flexibility to develop arbitrary new services
• User privacy through use of pseudonyms

Mapping to Products
• Sun Java System Access Manager
– The 'whole stack' for identity web services: Identity Provider, Discovery Service, Service Provider, etc.
– Web Access Control, Single Sign-On, Federation
– Version 7.1 includes substantial new tooling support for both WS-I BSP and ID-WSF
• NetBeans Enterprise Pack
• Sun Java System Federation Manager
– Service Provider

OpenSSO
• Sun sponsored open source project
• Basis for the next commercial product
– Sun Java System Federated Access Manager 8.0
• 500 project members, the vast majority outside Sun
• Already deployed:
– Audi UK
  • 250,000 customer profiles
  • SSO across a raft of web apps
– SSOCircle
  • Identity Provider
  • SAML 2.0 to Google, OpenID

Resources
• [email protected]
• OpenSSO—https://opensso.dev.java.net/
• Liberty Alliance—http://projectliberty.org
• Superpatterns—http://blogs.sun.com/superpat