OpenSSO Tech Overview (The Aquarium)
Transcript of an overview of OpenSSO, open source single sign-on, at The Aquarium Online.
OpenSSO Overview
Sidharth Mishra, Sun Microsystems, Inc.
Today's SSO Problems
1. How do I centralize SSO and security policy for my web applications?
2. How can I quickly connect with partners, SaaS providers, subsidiaries, acquisitions and affiliates?
3. How do I centralize SSO and security policy for my web services?
OpenSSO Enterprise
A single solution that solves all of the SSO problems: Web Single Sign-On, Federation, and Secure Web Services
Web SSO
OpenSSO Enterprise: How does it work?
SSO and Access Control: Authentication
• Standards-based, extensible authentication framework (JAAS based)
• Supports multiple pluggable authentication mechanisms
> LDAP, RADIUS, Certificate, SafeWord, RSA SecurID, Unix, Windows NT, Windows Desktop SSO (Kerberos), Anonymous, Membership (self-enrollment)
> Custom authentication mechanisms using the SPI
• Multi-factor Authentication (chained authentication mechanisms)
• Multi-Level and Multi-Scheme Authentication
• Resource-based Authentication
SSO and Access Control: Authorization
• Policy = Rules + Subjects + Conditions + Response Provider
> Rules – The resource to be protected (e.g. URL)
> Subjects – Who is allowed to access (User/Role/Group etc.)
> Condition – Extra Constraints (IP Address mask, authN level/scheme, time/day etc.)
> Response Provider – Additional Response data to be sent back to resource.
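A toy evaluator for the policy shape just described (rules, subjects, conditions, response provider), added here as an example that is not part of the original slides or of OpenSSO's own engine or API; the session fields, the `*` URL wildcard, the `app.example.test` host and the `admins` role are all constructed assumptions.

```python
# Toy evaluator for the policy shape on this slide: Rules + Subjects + Conditions +
# Response Provider. Constructed for illustration; not OpenSSO's own engine or API.
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

@dataclass
class Session:  # what the enforcement point knows about the caller (hypothetical shape)
    user: str
    roles: frozenset   # role / group memberships
    auth_level: int    # strength of the authN that created the session
    src_ip: str
    hour: int          # local hour of the request, 0-23 (passed in to keep evaluation deterministic)
    dept: str = ""

@dataclass
class Policy:
    rules: list                                   # resource URL patterns, '*' wildcard
    subjects: frozenset                           # roles / groups that may access
    min_auth_level: int = 0                       # condition: authN level
    networks: list = field(default_factory=list)  # condition: IP address masks
    hours: tuple = (0, 24)                        # condition: [start, end) local hour
    response_attrs: list = field(default_factory=list)  # response provider: attrs sent to resource

    def rule_matches(self, resource):
        return any(fnmatch(resource, pat) for pat in self.rules)

    def subject_matches(self, s):
        return bool(self.subjects & s.roles)

    def conditions_hold(self, s):
        if s.auth_level < self.min_auth_level:
            return False
        if self.networks and not any(ip_address(s.src_ip) in ip_network(n) for n in self.networks):
            return False
        return self.hours[0] <= s.hour < self.hours[1]

def evaluate(policies, session, resource):
    # Default deny: the first policy whose rule, subject and conditions all match allows,
    # and its response provider attributes are returned for the protected resource.
    for pol in policies:
        if pol.rule_matches(resource) and pol.subject_matches(session) and pol.conditions_hold(session):
            return True, {a: getattr(session, a) for a in pol.response_attrs}
    return False, {}

# Constructed sample: admins reach /admin/* from the corporate range, in business hours, at authN level 2+.
ADMIN_POLICY = Policy(["https://app.example.test/admin/*"], frozenset({"admins"}),
                      min_auth_level=2, networks=["10.0.0.0/8"], hours=(8, 18),
                      response_attrs=["user", "dept"])
```

Every denial path (wrong resource, wrong role, weak authentication, off-network, off-hours) returns the same empty result, so the resource never learns which condition failed.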
Solution: OpenSSO Web Access Management (Three Tough Challenges. One Powerful Solution.)
• Centralized server configuration
• Centralized agent configuration
• Agent and proxy modes
• AAA Identity Services
• Embedded directory server for user store and policy store
• XACML support for standards-based policy management
• Consumes and translates 3rd party tokens from all major WAM solutions
Federation
Federated Single Sign On
• Federation is built into OpenSSO Enterprise. No additional software is needed.
• Federation for cross-domain application integration.
> Software-infrastructure independent. Sites only agree on protocol version and binding type.
• Facilitates trusted relationships.
> Creates tighter, more satisfying customer, partner and employee relationships.
> Extends existing and new revenue opportunities.
> Implements business models that generate efficiencies and productivity gains.
Solution: OpenSSO Federation (Three Tough Challenges. One Powerful Solution.)
• The Fedlet, an 8.5MB package that allows service providers to create fully configured trust networks based on SAML 2 in minutes
• Multi-protocol Federation Hub, easily federate with any company regardless of what “federation language” they speak
• Virtual Federation Proxy, incorporate any number of legacy authentications with a single instance of OpenSSO
• Supports all major standards including SAML, WS-Federation, Liberty ID-FF, WS-Trust, WS-Security, and WS-Policy
• Coexists with other major WAM solutions and participates in federation.
Web Services Security
OpenSSO and Web Services Security
• Problem:
> How do I support web services for my web applications in various containers when it is handled differently from container to container?
• What it does:
> Provides agents that can be deployed in containers for consuming, processing and transforming security tokens, including SAML.
> Abstracts security from the application.
> The agent allows standardization of security across multiple containers (e.g. Sun, IBM, BEA etc.)
– Implements the container's authentication SPI (JSR 196)
– Secures the SOAP request and validates the SOAP response at the WSC.
– Validates the SOAP request and secures the SOAP response at the WSP.
[Diagram: Web Service Client (client SDK, WSS Agent) sends a SOAP (WSS) request to the Web Service Provider (WSS/J2EE Agent, client SDK), with the OpenSSO Server shown between them; steps numbered 1 to 5]
Secure Token Service
• Problem:
> How does the Web service verify the credentials presented by the client?
• How it works:
> An authenticated client requests the token needed to access the web service provider.
> The STS verifies the credentials presented by the client, and in response issues a security token that provides proof that the client has authenticated with the STS.
> The client presents the WS-I BSP based security token (UserName, X.509, SAML etc.) to the Web service.
> The Web service verifies that the token was issued by a trusted STS, which proves that the client has successfully authenticated with the STS.
[Diagram: Web Service Client sends (1) Request to the Security Token Service, which (2) Issues Token (WS-Trust); the client then sends (3) SOAP (WSS) to the Web Service Provider]
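A simulation of the three-party exchange above (client authenticates to the STS, the STS issues a token, the web service accepts it only if a trusted STS issued it for that service), added here as an example that is not part of the original slides or of OpenSSO's STS; it assumes a shared HMAC key per trusted STS and a compact JSON claim body, with the constructed names `urn:sts:corp` and `urn:svc:orders`, in place of WS-Trust and UserName/X.509/SAML tokens.

```python
# Simulation of the STS exchange on this slide. Constructed for illustration: HMAC over a
# JSON claim body stands in for WS-Trust issuance and WS-Security tokens; the issuer ids,
# key and user list are made up, and nothing here is OpenSSO's own STS code.
import hashlib, hmac, json, time

class TokenService:
    """Step 2: verify the client's credentials and issue a token asserting that fact."""
    def __init__(self, issuer, key, users):
        self.issuer, self.key, self.users = issuer, key, users   # users: name -> password (constructed)

    def issue(self, user, password, audience, now=None, ttl=300):
        if self.users.get(user) != password:
            return None                                         # credentials not verified: no token
        now = int(time.time()) if now is None else now
        claims = {"iss": self.issuer, "sub": user, "aud": audience, "iat": now, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + sig                           # presented by the client in step 3

class WebService:
    """After step 3: accept a token only if a trusted STS signed it for this service."""
    def __init__(self, name, trusted_sts):
        self.name, self.trusted = name, trusted_sts             # issuer id -> that STS's key

    def verify(self, token, now=None):
        """Return the authenticated subject, or None if the token must be rejected."""
        try:
            body_hex, sig = token.split(".")
            body = bytes.fromhex(body_hex)
            claims = json.loads(body)
            key = self.trusted[claims["iss"]]                   # KeyError: issuer is not a trusted STS
        except (ValueError, KeyError, TypeError, AttributeError):
            return None
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), sig):
            return None                                         # forged or tampered token
        now = int(time.time()) if now is None else now
        if claims.get("aud") != self.name or not claims["iat"] <= now < claims["exp"]:
            return None                                         # issued for another service, or outside validity
        return claims["sub"]

# Constructed parties: one STS the service trusts, and one user known to that STS.
STS = TokenService("urn:sts:corp", b"constructed-shared-key", {"alice": "s3cret"})
SVC = WebService("urn:svc:orders", {"urn:sts:corp": b"constructed-shared-key"})
```

The audience and validity checks matter as much as the signature: a genuine token replayed against a different service, or after expiry, is rejected even though a trusted STS signed it.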
Solution: OpenSSO Secure Web Services (Three Tough Challenges. One Powerful Solution.)
• Only standards-based solution that provides a pluggable, end-to-end secure web-services solution
• Standards-based integration with GlassFish.
• Security Token Service that can be deployed as an integrated or standalone solution
• Security Token Service that can handle token issuance, validation and translation via WS-Trust
• Policy enforcement point plugins for WebLogic, WebSphere, Tomcat and JBoss
Identity Services
Problem
• How do I invoke and leverage OpenSSO services (authN, authZ etc.) in a platform / language independent manner?
OpenSSO Identity Services
• Makes OpenSSO services and functionality available as an easy-to-use set of Web Services accessible via SOAP and REST.
Benefits
• Allows developers to easily invoke OpenSSO services.
• The Identity Access Layer provides abstraction so components can change without affecting applications.
• Agentless solution that does not require deployment of an agent or proxy to protect a resource.
• Supports the IDE of the developer's choice
> NetBeans, Eclipse, Visual Studio
Identity Services – easily accessible, design-approach independent.