Open Source Identity Integration with OpenSSO
July 4th, 2008

Pat Patterson
Federation [email protected]/superpat
Agenda
• Web Access Management
  > The Problem
  > The Solution
  > How Does It Work?
• Federation
  > Single Sign-On Beyond a Single Enterprise
  > How Does It Work?
• OpenSSO
  > Project Overview
Typical Problems
• “Every application wants me to log in!”
• “I have too many passwords – my monitor is covered in Post-its!”
• “We're implementing Sarbanes-Oxley – we need to control access to applications!”
• “We need to access outsourced functions!”
• “Our partners need to access our applications!”
Web Access Management
• Simplest scenario is within a single organization
• Factor authentication and authorization out of web applications into a web access management (WAM) solution
• Can use browser cookies within a DNS domain
• Proxy or Agent architecture implements role-based access control (RBAC)
• Users get single sign-on, IT gets control
Single Sign-On Within an Organization
(Diagram: End User, SSO Server, two Web Servers, Application Server)
How It Works
(Sequence diagram with four participants: Browser, Agent, Application, SSO Server)
1. Browser → Agent: GET hrapp/index.html
2. Agent → Browser: Redirect to SSO Server
3. Browser ↔ SSO Server: Authenticate
4. SSO Server → Browser: Redirect to hrapp/index.html (with SSO cookie)
5. Browser → Agent: GET hrapp/index.html (with SSO cookie)
6. Agent → SSO Server: Is this user allowed to access hrapp/index.html?
7. SSO Server → Agent: Yes!
8. Agent → Application: Allow request to proceed
9. Application → Browser: Application response
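The agent flow on this slide, modelled as an added example in Python. This is not code from the slides or from the OpenSSO project: the cookie name ssotoken, the login URL sso.example.com, the 600-second session lifetime, the user list and the policy table are all constructed for the example. The point it shows is that the web application itself never sees a password: the agent either redirects an unauthenticated browser to the SSO server (carrying the original URL as a goto parameter) or asks the SSO server for a policy decision on the presented session token before letting the request through.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import quote

SSO_COOKIE = "ssotoken"                          # constructed; the slide just says "SSO cookie"
SSO_LOGIN_URL = "https://sso.example.com/login"  # constructed SSO server URL
SESSION_TTL = 600                                # constructed session lifetime in seconds


@dataclass
class Session:
    user: str
    expires_at: float


class SSOServer:
    """The 'SSO Server' box: authenticates users and answers policy questions."""

    def __init__(self, users, policy):
        self._users = users        # user -> password (plaintext only because this is a toy)
        self._policy = policy      # resource -> set of users allowed to access it
        self._sessions = {}        # opaque token -> Session

    def authenticate(self, user, password):
        """Step 3: on success mint an unguessable session token (the SSO cookie value)."""
        if self._users.get(user) != password:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, time.time() + SESSION_TTL)
        return token

    def validate(self, token):
        """Return the user behind a token, or None if unknown or expired."""
        session = self._sessions.get(token)
        if session is None or time.time() >= session.expires_at:
            self._sessions.pop(token, None)
            return None
        return session.user

    def is_allowed(self, token, resource):
        """Steps 6 and 7: 'Is this user allowed to access <resource>?'"""
        user = self.validate(token)
        return user is not None and user in self._policy.get(resource, set())


def application(path, user):
    """The protected application; it only ever sees requests the agent let through."""
    return f"hello {user}, here is {path}"


class Agent:
    """The 'Agent' box in front of the web server."""

    def __init__(self, sso):
        self._sso = sso

    def handle(self, request):
        """request = {'path': str, 'cookies': dict}; returns a small response dict."""
        token = request.get("cookies", {}).get(SSO_COOKIE)
        if token is None or self._sso.validate(token) is None:
            # Steps 1 and 2: no valid session, so redirect to the SSO server with a goto URL
            return {"status": 302,
                    "location": f"{SSO_LOGIN_URL}?goto={quote(request['path'], safe='')}"}
        if not self._sso.is_allowed(token, request["path"]):
            return {"status": 403, "body": "forbidden"}
        # Step 8: allow the request to proceed to the application
        return {"status": 200, "body": application(request["path"], self._sso.validate(token))}


def demo():
    """Walk the slide's sequence: anonymous request, login, authorised and unauthorised requests."""
    sso = SSOServer(users={"alice": "correct horse", "bob": "battery staple"},
                    policy={"hrapp/index.html": {"alice"}})
    agent = Agent(sso)
    anonymous = agent.handle({"path": "hrapp/index.html", "cookies": {}})
    alice = sso.authenticate("alice", "correct horse")
    allowed = agent.handle({"path": "hrapp/index.html", "cookies": {SSO_COOKIE: alice}})
    bob = sso.authenticate("bob", "battery staple")
    denied = agent.handle({"path": "hrapp/index.html", "cookies": {SSO_COOKIE: bob}})
    forged = agent.handle({"path": "hrapp/index.html", "cookies": {SSO_COOKIE: "not-a-real-token"}})
    return anonymous, allowed, denied, forged


if __name__ == "__main__":
    for response in demo():
        print(response)
```

A forged or expired cookie is treated exactly like no cookie at all (redirect to the SSO server), and the authorisation decision is made per resource, so a user with a valid session can still be refused a resource the policy does not grant them.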
Web Access Management Products
• Sun Java System Access Manager
  > OpenSSO
• CA (Netegrity) SiteMinder Access Manager
• IBM Tivoli Access Manager
• Oracle (Oblix) Access Manager
• Novell Access Manager
• JA-SIG CAS
• Spring Security (Acegi)
• JOSSO
Typical Problems
• “Every application wants me to log in!”
• “I have too many passwords – my monitor is covered in Post-its!”
• “We're implementing Sarbanes-Oxley – we need to control access to applications!”
• “We need to access outsourced functions!”
• “Our partners need to access our applications!”
Single Sign-On Between Organizations
• Cookies no longer work
  > Need a more sophisticated protocol
• Can't mandate a single-vendor solution
  > Need standards for interoperability
SSO Across Organizations
(Diagram: End User, Identity Provider, three Service Providers)
SAML 2.0 SSO Basics
(Sequence diagram with three participants: Browser, Service Provider, Identity Provider)
1. Browser → Service Provider: GET hrapp/index.html
2. Service Provider → Browser: Redirect with SAML Request
3. Browser → Identity Provider: SAML Authentication Request
4. Browser ↔ Identity Provider: Authenticate
5. Identity Provider → Browser: HTML form with SAML Response
6. Browser → Service Provider: SAML Response
7. Service Provider examines SAML Response and makes access control decision
8. Service Provider → Browser: Response
SAML 2.0 Assertion (Abbreviated!)
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="..." IssueInstant="2007-11-06T16:42:28Z">
  <saml:Issuer>https://pat-pattersons-computer.local:8181/</saml:Issuer>
  <Signature>...</Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:...:persistent" ...>ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
      <saml:SubjectConfirmationData .../>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://pat-pattersons-computer.local/example-pat/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z" ...>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:...:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
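Step 7 of the SAML 2.0 SSO flow above says the Service Provider "examines the SAML Response and makes an access control decision". The following added Python example (not from the slides or from OpenSSO) shows what that examination has to cover for a bearer assertion like the one on this slide: issuer, validity window with a small clock-skew allowance, audience, bearer subject confirmation with its recipient, and replay of the assertion ID. The sample assertion is constructed for the example and modelled on the slide's, with the elided names expanded to the real SAML 2.0 URNs and a constructed ID and Recipient value filled in. XML Signature verification needs a real XML-DSig library and is outside this example; the function takes a signature_verified flag and refuses the assertion unless the caller has already verified the signature, because every check below reads attacker-controlled XML otherwise.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion, modelled on the abbreviated one on the slide.
# The ID and Recipient values are made up for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_example-assertion-id-0001" IssueInstant="2007-11-06T16:42:28Z">
  <saml:Issuer>https://pat-pattersons-computer.local:8181/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2007-11-06T16:52:28Z"
          Recipient="https://pat-pattersons-computer.local/example-pat/"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://pat-pattersons-computer.local/example-pat/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def _parse_time(text):
    """SAML timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, *, expected_issuer, our_entity_id, our_acs_url, now,
                       seen_ids, signature_verified, skew=timedelta(seconds=60)):
    """Service Provider side checks. Returns (ok, reason, name_id)."""
    if not signature_verified:
        return False, "signature not verified", None
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"] or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion", None
    # Only the Identity Provider we federated with may vouch for users
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != expected_issuer:
        return False, "unexpected issuer", None
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "no Conditions", None
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before) - skew:
        return False, "assertion not yet valid", None
    if not_on_or_after and now >= _parse_time(not_on_or_after) + skew:
        return False, "assertion expired", None
    # The assertion must be addressed to this Service Provider, not another one
    audiences = [a.text.strip() for a in
                 conditions.iterfind("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if our_entity_id not in audiences:
        return False, "audience mismatch", None
    confirmation = root.find("saml:Subject/saml:SubjectConfirmation", SAML_NS)
    if confirmation is None or confirmation.get("Method") != BEARER:
        return False, "not a bearer confirmation", None
    data = confirmation.find("saml:SubjectConfirmationData", SAML_NS)
    if data is not None:
        if data.get("Recipient") not in (None, our_acs_url):
            return False, "recipient mismatch", None
        if data.get("NotOnOrAfter") and now >= _parse_time(data.get("NotOnOrAfter")) + skew:
            return False, "confirmation expired", None
    # A bearer assertion is only good once; remember its ID for the validity window
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        return False, "replayed assertion ID", None
    seen_ids.add(assertion_id)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    return True, "ok", (name_id or "").strip()


def check_sample(now_iso, signature_verified=True, seen_ids=None):
    """Validate the constructed sample at a chosen moment, with this SP's own identifiers."""
    return validate_assertion(
        SAMPLE_ASSERTION,
        expected_issuer="https://pat-pattersons-computer.local:8181/",
        our_entity_id="https://pat-pattersons-computer.local/example-pat/",
        our_acs_url="https://pat-pattersons-computer.local/example-pat/",
        now=_parse_time(now_iso),
        seen_ids=seen_ids if seen_ids is not None else set(),
        signature_verified=signature_verified)


if __name__ == "__main__":
    print(check_sample("2007-11-06T16:45:00Z"))   # inside the ten-minute window on the slide
    print(check_sample("2007-11-06T17:00:00Z"))   # after NotOnOrAfter
```

The slide's ten-minute NotBefore/NotOnOrAfter window is what makes the replay cache practical: seen_ids only needs to hold IDs until their NotOnOrAfter has passed. In a multi-node SP deployment that cache has to be shared, or each node can be replayed against independently.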
SAML 2.0 Adoption
• Sun, IBM, CA – all the usual suspects, except Microsoft
• OpenSAML (Internet2)
  > Java, C++
• OpenSSO (Sun)
  > Java, PHP, Ruby
• SimpleSAMLphp (Feide)
• LASSO (Entr'ouvert)
  > C/SWIG
• ZXID (Symlabs)
  > C/SWIG
Open Access. Open Federation.
What is OpenSSO?
• OpenSSO 1.0 == Federated Access Manager 8.0
• All FAM 8.0 builds available via OpenSSO
• Preview Features
• Provide Feedback
• Review code security
OpenSSO Momentum
• In less than 2 years...
  > >700 project members at opensso.org
  > ~15 external committers
  > Consistently in Top 10* java.net projects by mail traffic
    – * of over 3000 projects
• Production deployments
  > www.audi.co.uk
    – 250,000 customer profiles
  > openid.sun.com
    – OpenID for Sun employees
  > telenet.be
    – Foundation for fine-grained authorization
OpenSSO Extensions
https://opensso.dev.java.net/public/extensions/
SAML 2.0
• PHP SAML 2.0 SP implementation
  > Picked up by Feide (Norway)
• Ruby SAML 2.0 SP implementation
• SAML 2.0 ECP test rig
OpenID
• OpenID 1.1 Provider
  > Deployed at openid.sun.com
Client SDK
• PHP Client SDK implementation
Authentication Modules
• ActivIdentity 4Tress
• Hitachi Finger Vein Biometric
• Information Card (aka CardSpace)
Demo
Deploy and Configure OpenSSO
Create an Identity Provider
SAML-enable a Service Provider
...All in less than 10 minutes!
DEMO
GO!!!
Participez!
• Join: Sign up at opensso.org
• Download: OpenSSO 1.0 Build 4
• Subscribe: OpenSSO Mailing Lists (dev, users, announce)
• Chat: #opensso on freenode.net
Resources
• OpenSSO
  > http://opensso.org/
• OpenSSO Wiki
  > http://wiki.opensso.org/
• OpenSSO Extensions
  > https://opensso.dev.java.net/public/extensions/
• Pat's Blog: Superpatterns
  > http://blogs.sun.com/superpat/
• Daniel Raskin's Blog: Virtual Daniel
  > http://blogs.sun.com/raskin/