enterprise openid sso oauth for google apps

Upload: frubakka

Post on 06-Apr-2018

245 views

Category:

Documents


0 download

TRANSCRIPT

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    1/103

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    2/103

    OpenID Single Sign On andOAuth Data Access for Google Apps

    Ryan Boyd @ryguyrgDave PrimmerMay 2010

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    3/103

    Why?

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    4/103

    View live notes and questions aboutthis session on Google Wave:

    http://bit.ly/magicwave

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    5/103

    Agenda

    TerminologyHistoryOpen Protocols

    OpenID user authenticationOAuth data access

    Hybrid authentication + data accessGoogle Apps MarketplaceCase Study - Evolution of 'SaaSy Payroll'Q&A

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    6/103

    SaaSy Payroll

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    7/103

    SaaSy Payroll

    Fictitious app for handling the payroll of SMBs

    Used by smart-lawfirm.com for their payroll

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    8/103

    Terminology

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    9/103

    Authentication and Authorization

    Authentication

    Goal: Secure knowledge of the identity of the user

    AuthorizationGoal: Appropriate access to resources, such asGoogle Data APIs (Calendar, Contacts, Docs, etc)

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    10/103

    History

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    11/103

    History (2001-2005)

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    12/103

    History (2006-2010)

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    13/103

    History (2006-2010)

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    14/103

    History (2006-2010)

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    15/103

    History (2006-2010)

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    16/103

    History (2006-2010)

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    17/103

    History (2006-2010)

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    18/103

    History (2006-2010)

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    19/103

    OpenID Federated Identity

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    20/103

    What do we mean by Federated Identity?

    Web applications(relying parties)

    accept the assertionof identity fromidentity providers,such as Google andYahoo.

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    21/103

    What information does OpenID provide an app?

    Identity of the user:

    http://smart-lawfirm.com/openid?id=0123456789Static each time the user visits the relying party webapplication

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    22/103

    "OpenID is a safe, faster, and easier

    way to log in to web sites."openid.net

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    23/103

    Safe, Faster and Easier

    Safe

    The user only enters their credentials one place:on the website of their OpenID provider

    FasterThe user is often already logged into their

    OpenID providerEasierThe user no longer needs to create and maintaina new account and credentials on every web site

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    24/103

    Discovery: Determining the OpenIDprovider for a user.

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    25/103

    OpenID Login Options

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    26/103

    OpenID Login Options

    http://www.google.com/accounts/o8/id

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    27/103

    Improved UX

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    28/103

    OpenID Demo with a Gmail account

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    29/103

    But... what if you want to use an

    OpenID on your own domainwithout a complicated URL toremember?

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    30/103

    Ideal User Experience: WebFinger

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    31/103

    Google Accounts versus Google Apps accounts

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    32/103

    Google Apps Login

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    33/103

    Discovering the OpenID Provider

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    34/103

    Format of the OpenID Identity

    Google consumer account (including Gmail accounts):

    https://www.google.com/accounts/o8/id?id=AItOawlTW-qs7L-bpYc0oxROHDQaFmQHyGRnaLM

    Google Apps account:

    http://smart-lawfirm.com/openid?id=0123456789

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    35/103

    Supported Extensions

    Provider Auth Policy Extension (PAPE)

    Allows a relying party to ask for security restrictionsOpenID User Interface Extension

    Enables pop-up UIOAuth Hybrid

    Enables getting both the user's identity and access tosome of the user's dataAttribute Exchange (AX)

    Provides additional info about the user

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    36/103

    Attribute Exchange (AX)

    Remember, without AX we only get a URI:

    http://smart-lawfirm.com/openid?id=0123456789We want more information to improve the user experience

    First NameLast Name

    E-mail AddressLanguage

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    37/103

    Attribute Exchange (AX) Trust

    Don't trust attributes without verification

    Whitelist trusted IDPsSame-origin policy for emailOne-time confirmation messages

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    38/103

    How it's done - OpenID Federated Identity

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    39/103

    Welcome Bob!ryan@smart-lawfir

    ***********

    Sounds complicated, but not hard in practice!

    OpenID Federated Identity

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    40/103

    Language Libraries

    Java OpenID4Java, Step2

    .NET DotNetOpenAuth

    PHPphp-openid,

    php-openid-apps-discovery

    Rubyruby-openid,

    ruby-openid-apps-discovery

    Any RPX, Ping Identity

    OpenID Libraries

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    41/103

    OAuth Data Access

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    42/103

    OAuth Terms

    Protected Resourceresides on server

    requires authorization

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    43/103

    OAuth Terms

    Protected Resourceresides on server

    requires authorization

    Resource Ownerowns protected resource

    approves access

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    44/103

    OAuth Terms

    Protected Resourceresides on server

    requires authorization

    Resource Ownerowns protected resource

    approves access

    Serverreceives http request

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    45/103

    OAuth Terms

    Protected Resourceresides on server

    requires authorization

    Resource Ownerowns protected resource

    approves access

    Serverreceives http request

    Client

    makes http request

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    46/103

    Old OAuth Terminology

    Pre 2009 Current

    Consumer Client

    Service Provider Server / Protected Resource

    User User / Resource Owner

    More Info: The Authoritative Guide to OAuth 1.0

    Now, with more RFC! http://www.rfc-editor.org/info/rfc5849

    http://hueniverse.com/oauth/guide/http://www.rfc-editor.org/info/rfc5849http://hueniverse.com/oauth/guide/
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    47/103

    OAuth Components

    Key ManagementEstablishes trust between client and server

    Access ControlGrants done per-user, or for a whole Google Appsdomain.

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    48/103

    Basic steps to use OAuth

    Step 1 Client Registration

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    49/103

    SaaSy App - www.saasyapp.com

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    50/103

    SaaSy App - www.saasyapp.com

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    51/103

    Getting your OAuth client key and secret

    Step 1 - For the Developer:

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    52/103

    A Google Client App Registration Page

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    53/103

    Access Control

    Step 2 - For the Resource Owner:

    T t f A C t l

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    54/103

    Two types of Access Control

    Resource Owner: An entity capable of approving access to a

    protected resource.

    Sometimes the resource owner is not the same as the user

    Consumer Business

    Individual User isResource Owner

    Company Admin isResource Owner

    T t f A C t l

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    55/103

    Two types of Access Control

    Consumer Business

    Individual User isResource Owner

    Company Admin isResource Owner

    Three-LeggedOAuth

    Two-LeggedOAuth

    T t f A C t l

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    56/103

    Two types of Access Control

    Authorization usingbrowser redirection

    Requests pre-authorizedfor a group of users

    Individual prompted User not prompted

    Three-LeggedOAuth

    Two-LeggedOAuth

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    57/103

    Manage OAuth Client Data Access

    Approval for a group of users:

    G l A Ad i i t t A C t l

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    58/103

    Google Apps Administrator Access Control

    G l A Ad i i t t A C t l

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    59/103

    Google Apps Administrator Access Control

    G l A Ad i i t t A C t l

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    60/103

    Google Apps Administrator Access Control

    G l A Ad i i t t A C t l

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    61/103

    Google Apps Administrator Access Control

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    62/103

    Demo: Two-Legged OAuth cURL

    Step #3 Access the resource

    Two Legged OAuth

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    63/103

    Two-Legged OAuthWhat is it?

    An authenticated HTTP request. Very much like HTTPDigest Auth.

    Client has a role account name and password:consumer_key -> account name

    consumer_secret -> password

    Request param to indicate the [email protected]

    Some request attributes are bundled up and signed ina standard way. That's it.

    Two Legged OAuth

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    64/103

    Two-Legged OAuthWhy?

    You don't want to bother the user with approval

    The common Enterprise IT scenario

    Server to Server -- no browser involved

    Main trust relationship:

    Resource Owner (admin) tells the Server, via ACLto trust the client

    Permission stored in server ACL, not a token

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    65/103

    Three-legged OAuth

    The "other" style of authorization

    Three Legged OAuth

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    66/103

    Three-Legged OAuthWhat is it?

    Describes the access control delegation to a Client bya Resource Owner

    Redirection-Based Authorization

    The authorization flow is what most people think ofwhen they talk about OAuth. It is the process inwhich the user's browser is redirected to the serverto approve access

    Three Legged OAuth

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    67/103

    Three-Legged OAuthWhat is it?

    Adds an Access Token to the 2LO request during dataaccess that identifies the permission granted.

    "Joe gives the SaaSy Payroll client permission to write to Joe's Google

    Calendar."

    oauth_token=1%2FSTnrUiu8N4OQvrwEpsltnpYwFX5an2j2i-VAK5l_3No

    SaaSy App www saasyapp com

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    68/103

    SaaSy App - www.saasyapp.com

    SaaSy App www saasyapp com

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    69/103

    SaaSy App - www.saasyapp.com

    Authorization by Resource Owner

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    70/103

    Authorization by Resource Owner

    Authorization by Resource Owner

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    71/103

    Authorization by Resource Owner

    Three-Legged OAuth

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    72/103

    Three-Legged OAuthWhy?

    Appropriate for access grant by individual user(Also works for Apps users)

    User identity is opaque to client application

    Main trust relationship:

    User is the Resource Owner and trusts the clientapp with an Access Token

    OAuth 2

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    73/103

    OAuth 2

    Already? Why?

    Make it IETF standardAdd new use cases

    Avoid crypto!

    OAuth 1 + WRAP = OAuth 2

    Facebook has working OAuth 2 prototypes, MicrosoftAzure and Google have WRAP prototypes.

    http://tools.ietf.org/html/draft-ietf-oauth-v2

    http://tools.ietf.org/html/draft-ietf-oauth-v2http://tools.ietf.org/html/draft-ietf-oauth-v2
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    74/103

    Hybrid OpenID + OAuth

    Hybrid OpenID + OAuth

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    75/103

    Hybrid OpenID + OAuth

    Identity and Data Access in 1 step

    Google Calendar

    Hybrid OpenID + OAuth

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    76/103

    Hybrid OpenID + OAuth

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    77/103

    Google Apps Marketplace

    Features: Simple installation flow

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    78/103

    Features: Simple installation flow

    Features: True Single Sign On

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    79/103

    Features: True Single Sign On

    SaaSy PayrollVideo

    Groups

    Features: True Single Sign On

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    80/103

    Features: True Single Sign On

    Features: True Single Sign On

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    81/103

    Features: True Single Sign On

    Features: 2-legged OAuth access to Data APIs

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    82/103

    Features: 2 legged OAuth access to Data APIs

    Features: 2-legged OAuth access to Data APIs

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    83/103

    Features: 2 legged OAuth access to Data APIs

    Consumer Key and Secret available in the Marketplace

    Features: 2-legged OAuth access to Data APIs

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    84/103

    gg

    Consumer Key and Secret available in the Marketplace

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    85/103

    Summary of Protocols

    Summary of Protocols

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    86/103

    y

    ClientLogin Don't use for new apps

    AuthSub Don't use for new apps

    3-Legged OAuth Access data for individual users

    2-Legged OAuth Access data for an entire Google Apps domain

    OpenID Access a user's identity. Can be used for Gmail

    OpenID withGoogle Apps

    extensions

    Access a user's identity for Google Apps accounts

    OpenID / OAuthHybrid

    On-board new users and get their data in one step

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    87/103

    Evolution of an Integrated App

    Evolution of 'SaaSy Payroll'

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    88/103

    y y

    email password

    [email protected] AxNAAFSnz

    Evolution of 'SaaSy Payroll'

    http://www.youtube.com/watch?v=BvjjnI0jb5Ahttp://www.youtube.com/watch?v=BvjjnI0jb5A
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    89/103

    y y

    Evolution of 'SaaSy Payroll'

    http://www.youtube.com/watch?v=BvjjnI0jb5Ahttp://www.youtube.com/watch?v=BvjjnI0jb5A
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    90/103

    y y

    email password token

    [email protected] AxNAAFSnz ZD1FNKL4

    Evolution of 'SaaSy Payroll'

    http://www.youtube.com/watch?v=53uqdkPxcIshttp://www.youtube.com/watch?v=53uqdkPxcIs
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    91/103

    y y

    Evolution of 'SaaSy Payroll'

    http://www.youtube.com/watch?v=53uqdkPxcIshttp://www.youtube.com/watch?v=53uqdkPxcIs
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    92/103

    y y

    email password openid token

    [email protected] AxNAAFSnz ----- ZD1FNKL4

    [email protected] ----- http://goo.com/1234 JFNB2ANS

    Evolution of 'SaaSy Payroll'

    http://www.youtube.com/watch?v=hV0IjdA3cZghttp://www.youtube.com/watch?v=hV0IjdA3cZg
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    93/103

    Evolution of 'SaaSy Payroll'

    http://www.youtube.com/watch?v=hV0IjdA3cZg
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    94/103

    email password openid token type secret

    [email protected] AxNAAFSnz ----- ZD1FNKL4 AS ----

    [email protected] ----- http://goo.com/1234 JFNB2ANS AS ----

    [email protected] ---- http://bar.com/6780 D2FNAF7D 3LO adfa123f

    Evolution of 'SaaSy Payroll'

    http://www.youtube.com/watch?v=ZA0NaiHzkSQhttp://www.youtube.com/watch?v=ZA0NaiHzkSQ
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    95/103

    Evolution of 'SaaSy Payroll'

    http://www.youtube.com/watch?v=ZA0NaiHzkSQ
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    96/103

    email password openid token type secret

    [email protected] AxNAAFSnz ----- ZD1FNKL4 AS ----

    [email protected] ----- http://goo.com/1234 JFNB2ANS ---- ----

    [email protected] ---- http://bar.com/6780 D2FNAF7D 3LO adfa123f

    kim@smart-lawfi ---- http://smb.com/123 ----- 2LO ----

    ryan@smart-law ---- http://smb.com/456 ----- 2LO ----

    dmb@smart-law ---- http://smb.com/789 ----- 2LO ----

    Evolution of 'SaaSy Payroll'

    http://www.youtube.com/watch?v=VB5NdqkmEwshttp://www.youtube.com/watch?v=VB5NdqkmEws
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    97/103

    Evolution of 'SaaSy Payroll'

    http://www.youtube.com/watch?v=VB5NdqkmEws
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    98/103

    Improved User Experience

    Easier on-boarding of usersAccess granted by appropriate resource owners

    Access to over 2 million businessesMultiple code paths

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    99/103

    Resources

    Resources

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    100/103

    Google Apps Marketplace:

    http://developer.googleapps.com/marketplaceTechnical docs on Google Apps:http://code.google.com/googleapps/Technical docs on OpenID and OAuth:http://code.google.com/apis/accounts/

    OAuth Playground:http://www.googlecodesamples.com/oauth_playground

    http://goog_1173348811/http://goog_897298849/http://goog_1173348811/http://goog_897298849/http://goog_897298847/http://goog_897298844/
  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    101/103

    Q & A

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    102/103

    Ask your questions on Google Wave:

    http://bit.ly/magicwave

  • 8/3/2019 Enterprise Openid Sso Oauth for Google Apps

    103/103