• No results found

Open Source Identity Integration with OpenSSO

N/A
N/A
Protected

Academic year: 2021

Share "Open Source Identity Integration with OpenSSO"

Copied!
24
0
0

Loading.... (view fulltext now)

Full text

(1)

Open Source Identity

Integration with OpenSSO

April 19, 2008

Pat Patterson

(2)

Agenda

• Web Access Management

> The Problem > The Solution

> How Does It Work?

• Federation

> Single Sign-On Beyond a Single Enterprise > How Does It Work?

• OpenSSO

(3)

Typical Problems

• “Every application wants me to log in!”

• “I have too many passwords – my monitor is covered in Post-its!”

• “We're implementing Sarbanes-Oxley – we need to control access to applications!”

(4)

Web Access Management

• Simplest scenario is within a single organization

• Factor authentication and authorization out of web applications into web access management (WAM) solution

• Can use browser cookies within a DNS domain

• Proxy or Agent architecture implements role-based access control (RBAC)

(5)

Single Sign-On Within an Organization

SSO Server Web Server Web Server Application Server

(6)

How It Works

Browser Agent Application SSO Server

GET hrapp/index.html Redirect to SSO Server Authenticate

Redirect to hrapp/index.html

(with SSO cookie) GET hrapp/index.html (with SSO cookie)‏

Is this user allowed to access hrapp/index.html? Yes!

Allow request to proceed Application response

(7)

Web Access Management Products

• Sun Java System Access Manager

> OpenSSO

• CA (Netegrity) SiteMinder Access Manager

• IBM Tivoli Access Manager

• Oracle (Oblix) Access Manager

• Novell Access Maneger

• JA-SIG CAS

(8)

Typical Problems

• “Every application wants me to log in!”

• “I have too many passwords – my monitor is covered in Post-its!”

• “We're implementing Sarbanes-Oxley – we need to control access to applications!”

• “We need to access outsourced functions!”

(9)

Single Sign-on between Organizations

• Cookies no longer work

> Need a more sophisticated protocol

• Can't mandate single vendor solution

(10)

Single Sign-On Standards

2002 2003 2004 2005 2006 WS-Federation 1.1 Liberty Federation = SAML2 Shibboleth 1.2 WS-Federation 1.0 Shibboleth 1.0,1.1 Liberty ID-FF 1.1,1.2 SAML1.1 Liberty “Phase 1” SAML1

(11)

SAML 2.0 Concepts

Profiles

Combining protocols, bindings, and assertions to support a defined use case

Bindings

Mapping SAML protocols onto standard messaging or communication protocols Metadata IdP and SP configuration data Authentication Context Detailed data on types and strengths

of authentication

Protocols

Request/response pairs for obtaining assertions and doing ID management

Assertions

Authentication, attribute and entitlement information

(12)

SSO Across Organizations

End User Identity

Provider

Service

Provider ProviderService

Service Provider

(13)

SAML 2.0 SSO Basics

Browser Service Provider Identity Provider

GET hrapp/index.html

Redirect with SAML Request

Authenticate

HTML form with SAML Response

SAML Response Service Provider examines SAML Response and SAML Authentication Request

(14)

SAML 2.0 Assertion

(Abbreviated!)

<Assertion Version="2.0" ID="..." IssueInstant="2007-11-06T16:42:28Z"> <Issuer>https://pat-pattersons-computer.local:8181/</Issuer> <Signature>...</Signature> <saml:Subject> <saml:NameID Format="urn:oasis:...:persistent" ...> ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:...:bearer"> <saml:SubjectConfirmationData .../> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z"> <saml:AudienceRestriction> <saml:Audience> https://pat-pattersons-computer.local/example-pat/ </saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z" ...> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:...:PasswordProtectedTransport </saml:AuthnContextClassRef>

(15)

SAML 2.0 Adoption

• Sun, IBM, CA – all the usual suspects, except Microsoft

• OpenSAML (Internet2) > Java, C++ • OpenSSO (Sun) > Java, PHP, Ruby • SimpleSAMLphp (Feide) • LASSO (Entr'ouvert) > C/SWIG • ZXID (Symlabs) globo .com

(16)

Open Access. Open Federation. What is OpenSSO? • OpenSSO 1.0 == Federated Access Manager 8.0

• All FAM 8.0 builds

available via OpenSSO • Preview Features • Provide Feedback • Review code security

(17)

OpenSSO Momentum

• In less than 2 years...

> 650 project members at opensso.org > ~15 external committers

> Consistently in Top 10* java.net projects by mail traffic

– * of over 3000 projects

• Production deployments

> www.audi.co.uk

– 250,000 customer profiles

> openid.sun.com

– OpenID for Sun employees .....gov.b

(18)

OpenSSO Roadmap

Access Manager Federation Manager OpenSSO OpenSSO 1.0 / FAM 8.0 Summer 2008 OpenSSO 1.next / FAM 8.1 End of 2008 OpenSSO Federation Q4CY06 OpenSSO Q3CY06 Access Manager 7.1 Q4CY06 Federation Manager 7.0 Q4CY05

(19)

• Centralized Agent Configuration & Deployment

• Centralized Configuration

• XACML Request/Response

• Wide choice of Application Servers

• Fedlet

• Virtual Federation

• Multi-Federation Protocol Hub

• WS-Federation 1.1

Access Management

Federation

(20)

• Authentication as a service

• Authorization as a service

• Audit as a service

• Attribute Query as a service

• Secure Trust Authority

• Web Services Security Plug-ins

• SDK for Securing Web Services Identity Services

OpenSSO 1.0

(21)

PHP SAML 2.0 SP implementation > Picked up by Feide (Norway)

Ruby SAML 2.0 SP implementation

• SAML 2.0 ECP test rig

• OpenID 1.1 Provider > Deployed at openid.sun.com • PHP Client SDK implementation • ActivIdentity 4Tress SAML 2.0 OpenID

OpenSSO Extensions

https://opensso.dev.java.net/public/extensions/ Client SDK

(22)

Participe!

Join Download

Subscribe Chat

Sign up at

opensso.org OpenSSO 1.0 Build 4

OpenSSO Mailing Lists dev, users, announce

#opensso on

(23)

• http://opensso.org/

• André Bechara video

> http://tinyurl.com/6rugrm • Superpatterns > http://blogs.sun.com/superpat/ • Virtual Daniel OpenSSO Pat's Blog

Resources

https://opensso.dev.java.net/public/extensions/

Daniel Raskin's Blog SAML @ Globo.com

(24)

Pat Patterson

Federation Architect

pat.patterson@sun.com

Open Source Identity

Integration with OpenSSO

References

Related documents

D, Dean of Student Affairs, I, Cielo Sanchez, Vice President of CDUSG along with Gabriela Gomez (Secretary), Aracely Marin (Treasurer), and Nancy Juarez Fuertes (Staff Advisor)

In contrast to the mountainous region (where geographical barriers mitigate the number of these options, waste disposal is taking place mainly in rivers / creeks or

An examination of the monitoring programme leads to the conclusion that, in addition to microseismic monitoring, automatic hydraulic head measurements in deep drillholes and land

In the context of this specific controversy, opponent and proponent groups utilized the sociopolitical arena (in this case local newspapers and public hearings) to present

It summarises key events and issues in service provision for people with learning disabilities including exposés of poor/abusive practice and inquiries, policy development,

SAML 2.0 (from now on SAML) it’s a set of widely adopted standards and specification for authentication and authorization between different security domains. SAML is

It also indicates that less autonomous investments were made in the economy while the exchange rate shows a direct relationship, indicating that a higher the rate of exchange could

Coefficient of Variation = Standard deviation / Average score (5) Figure 31 presents the scatter plot of the Gini coefficient and the Coefficient of variation estimated with