Transcript of Open sso fisl9.0
Page 1
Open Source Identity Integration with OpenSSO
April 19, 2008
Pat Patterson
Federation [email protected]/superpat
Page 2
Agenda
• Web Access Management
  > The Problem
  > The Solution
  > How Does It Work?
• Federation
  > Single Sign-On Beyond a Single Enterprise
  > How Does It Work?
• OpenSSO
  > Project Overview
Page 3
Typical Problems
• “Every application wants me to log in!”
• “I have too many passwords – my monitor is covered in Post-its!”
• “We're implementing Sarbanes-Oxley – we need to control access to applications!”
• “We need to access outsourced functions!”
• “Our partners need to access our applications!”
Page 4
Web Access Management
• Simplest scenario is within a single organization
• Factor authentication and authorization out of web applications into a web access management (WAM) solution
• Can use browser cookies within a DNS domain
• Proxy or Agent architecture implements role-based access control (RBAC)
• Users get single sign-on, IT gets control
Page 5
Single Sign-On Within an Organization
[Diagram: End User, SSO Server, Web Server, Web Server, Application Server]
Page 6
How It Works (sequence diagram: Browser, Agent, Application, SSO Server)
• Browser → Agent: GET hrapp/index.html
• Agent → Browser: Redirect to SSO Server
• Browser ↔ SSO Server: Authenticate
• SSO Server → Browser: Redirect to hrapp/index.html (with SSO cookie)
• Browser → Agent: GET hrapp/index.html (with SSO cookie)
• Agent → SSO Server: Is this user allowed to access hrapp/index.html?
• SSO Server → Agent: Yes!
• Agent → Application: Allow request to proceed
• Application → Browser: Application response
Page 7
Web Access Management Products
• Sun Java System Access Manager
  > OpenSSO
• CA (Netegrity) SiteMinder Access Manager
• IBM Tivoli Access Manager
• Oracle (Oblix) Access Manager
• Novell Access Manager
• JA-SIG CAS
• JOSSO
Page 8
Typical Problems
• “Every application wants me to log in!”
• “I have too many passwords – my monitor is covered in Post-its!”
• “We're implementing Sarbanes-Oxley – we need to control access to applications!”
• “We need to access outsourced functions!”
• “Our partners need to access our applications!”
Page 9
Single Sign-on between Organizations
• Cookies no longer work
  > Need a more sophisticated protocol
• Can't mandate single vendor solution
  > Need standards for interoperability
Page 10
Single Sign-On Standards
[Timeline 2002–2006, earliest first: SAML 1; Liberty "Phase 1"; SAML 1.1; Liberty ID-FF 1.1, 1.2; Shibboleth 1.0, 1.1; WS-Federation 1.0; Shibboleth 1.2; Liberty Federation = SAML 2; WS-Federation 1.1]
Page 11
SAML 2.0 Concepts
• Profiles: combining protocols, bindings, and assertions to support a defined use case
• Bindings: mapping SAML protocols onto standard messaging or communication protocols
• Metadata: IdP and SP configuration data
• Authentication Context: detailed data on types and strengths of authentication
• Protocols: request/response pairs for obtaining assertions and doing ID management
• Assertions: authentication, attribute and entitlement information
Page 12
SSO Across Organizations
[Diagram: End User, Identity Provider, Service Provider, Service Provider, Service Provider]
Page 13
SAML 2.0 SSO Basics (sequence diagram: Browser, Service Provider, Identity Provider)
• Browser → Service Provider: GET hrapp/index.html
• Service Provider → Browser: Redirect with SAML Request
• Browser → Identity Provider: SAML Authentication Request
• Browser ↔ Identity Provider: Authenticate
• Identity Provider → Browser: HTML form with SAML Response
• Browser → Service Provider: SAML Response
• Service Provider examines SAML Response and makes access control decision
• Service Provider → Browser: Response
Page 14
SAML 2.0 Assertion (Abbreviated!)

```xml
<saml:Assertion Version="2.0" ID="..." IssueInstant="2007-11-06T16:42:28Z">
  <saml:Issuer>https://pat-pattersons-computer.local:8181/</saml:Issuer>
  <Signature>...</Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:...:persistent" ...>ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
      <saml:SubjectConfirmationData .../>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://pat-pattersons-computer.local/example-pat/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z" ...>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:...:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
```
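As an added example (not from the slides or from OpenSSO), these are the checks a Service Provider runs against an assertion shaped like the one above before it makes the access control decision the previous sequence ends with. The sample assertion is constructed after the abbreviated one, with the full OASIS URNs written out; the code assumes the `<Signature>` has already been verified by an XML-DSig library, which it does not do itself.

```python
# Added example, not from the slides: the checks a Service Provider applies to an
# assertion shaped like the one above. Assumes the XML signature is already verified.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACCEPTED_CONTEXTS = {"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"}

# Constructed after the slide's abbreviated assertion, with the full URNs written out.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
 ID="_constructed-id-1" IssueInstant="2007-11-06T16:42:28Z">
 <saml:Issuer>https://pat-pattersons-computer.local:8181/</saml:Issuer>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
 <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z">
  <saml:AudienceRestriction><saml:Audience>https://pat-pattersons-computer.local/example-pat/</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z"><saml:AuthnContext>
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
 </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"""

def parse_ts(s):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected_issuer, my_entity_id, now, skew=timedelta(seconds=60)):
    """Return (True, NameID) if every condition holds, else (False, reason).
    Each failure rejects the assertion outright; none of them is merely a warning."""
    a = ET.fromstring(xml_text)
    # The issuer must be the IdP this SP trusts (the one whose key verified the signature).
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer"
    cond = a.find("saml:Conditions", NS)
    # Both timestamps are required here; NotOnOrAfter is exclusive; tolerate a small skew.
    if cond is None or now + skew < parse_ts(cond.get("NotBefore")) \
            or now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "validity window"
    # This SP must be named as an audience, or the assertion was minted for someone else.
    audiences = [e.text.strip() for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return False, "audience"
    methods = {e.get("Method") for e in a.iterfind("saml:Subject/saml:SubjectConfirmation", NS)}
    if BEARER not in methods:
        return False, "subject confirmation"
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if ctx is None or ctx.strip() not in ACCEPTED_CONTEXTS:
        return False, "authn context"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS).strip()
```

A production SP also remembers assertion IDs for the length of the validity window so that the same bearer assertion cannot be presented twice.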
Page 15
SAML 2.0 Adoption
• Sun, IBM, CA – all the usual suspects, except Microsoft
• OpenSAML (Internet2)
  > Java, C++
• OpenSSO (Sun)
  > Java, PHP, Ruby
• SimpleSAMLphp (Feide)
• LASSO (Entr'ouvert)
  > C/SWIG
• ZXID (Symlabs)
  > C/SWIG
• globo.com
Page 16
What is OpenSSO?
Open Access. Open Federation.
• OpenSSO 1.0 == Federated Access Manager 8.0
• All FAM 8.0 builds available via OpenSSO
• Preview Features
• Provide Feedback
• Review code security
Page 17
OpenSSO Momentum
• In less than 2 years...
  > 650 project members at opensso.org
  > ~15 external committers
  > Consistently in Top 10* java.net projects by mail traffic
    – * of over 3000 projects
• Production deployments
  > www.audi.co.uk
    – 250,000 customer profiles
  > openid.sun.com
    – OpenID for Sun employees
  > telenet.be
    – Foundation for fine-grained authorization
Page 18
OpenSSO Roadmap
[Roadmap diagram with three tracks: Access Manager, Federation Manager, OpenSSO]
• Federation Manager 7.0: Q4 CY05
• OpenSSO: Q3 CY06
• OpenSSO Federation: Q4 CY06
• Access Manager 7.1: Q4 CY06
• OpenSSO 1.0 / FAM 8.0: Summer 2008
• OpenSSO 1.next / FAM 8.1: End of 2008
Page 19
OpenSSO 1.0
Access Management
• Centralized Agent Configuration & Deployment
• Centralized Configuration
• XACML Request/Response
• Wide choice of Application Servers
Federation
• Fedlet
• Virtual Federation
• Multi-Federation Protocol Hub
• WS-Federation 1.1
• 3rd Party WAM Interoperability
Page 20
OpenSSO 1.0
Identity Services
• Authentication as a service
• Authorization as a service
• Audit as a service
• Attribute Query as a service
• Secure Trust Authority
• Web Services Security Plug-ins
• SDK for Securing Web Services
But that's not all...
Page 21
OpenSSO Extensions
https://opensso.dev.java.net/public/extensions/
SAML 2.0
• PHP SAML 2.0 SP implementation
  > Picked up by Feide (Norway)
• Ruby SAML 2.0 SP implementation
• SAML 2.0 ECP test rig
OpenID
• OpenID 1.1 Provider
  > Deployed at openid.sun.com
Client SDK
• PHP Client SDK implementation
Authentication Modules
• ActivIdentity 4Tress
• Hitachi Finger Vein Biometric
• Information Card (aka CardSpace)
Page 22
Participate!
• Join: Sign up at opensso.org
• Download: OpenSSO 1.0 Build 4
• Subscribe: OpenSSO Mailing Lists (dev, users, announce)
• Chat: #opensso on freenode.net
Page 23
Resources
• OpenSSO
  > http://opensso.org/
• SAML @ Globo.com: André Bechara video
  > http://tinyurl.com/6rugrm
• Pat's Blog: Superpatterns
  > http://blogs.sun.com/superpat/
• Daniel Raskin's Blog: Virtual Daniel
  > http://blogs.sun.com/raskin/
https://opensso.dev.java.net/public/extensions/