Open sso fisl9.0

Uploaded by AndreBechara, 24 slides, Apr 12, 2011

About This Presentation

SAML 2.0, SSON


Slide Content

Open Source Identity
Integration with OpenSSO
April 19, 2008
Pat Patterson
Federation Architect
[email protected]
blogs.sun.com/superpat

2
Agenda
•Web Access Management
>The Problem
>The Solution
>How Does It Work?
•Federation
>Single Sign-On Beyond a Single Enterprise
>How Does It Work?
•OpenSSO
>Project Overview

3
Typical Problems
•“Every application wants me to log in!”
•“I have too many passwords – my monitor is covered in Post-its!”
•“We're implementing Sarbanes-Oxley – we need to control access to applications!”
•“We need to access outsourced functions!”
•“Our partners need to access our applications!”

4
Web Access Management
•Simplest scenario is within a single organization
•Factor authentication and authorization out of web applications into a web access management (WAM) solution
•Can use browser cookies within a DNS domain
•Proxy or Agent architecture implements role-based access control (RBAC)
•Users get single sign-on, IT gets control

5
Single Sign-On Within an Organization
[Diagram: End User, SSO Server, two Web Servers and an Application Server, all inside one organization]

6
How It Works
[Sequence diagram; participants: Browser, Agent (in front of the Application), SSO Server]
1. Browser → Agent: GET hrapp/index.html
2. Agent → Browser: Redirect to SSO Server
3. Browser ↔ SSO Server: Authenticate
4. SSO Server → Browser: Redirect to hrapp/index.html (with SSO cookie)
5. Browser → Agent: GET hrapp/index.html (with SSO cookie)
6. Agent → SSO Server: Is this user allowed to access hrapp/index.html?
7. SSO Server → Agent: Yes!
8. Agent → Application: Allow request to proceed
9. Application → Browser: Application response

7
Web Access Management Products
•Sun Java System Access Manager
>OpenSSO
•CA (Netegrity) SiteMinder Access Manager
•IBM Tivoli Access Manager
•Oracle (Oblix) Access Manager
•Novell Access Manager
•JA-SIG CAS
•JOSSO

8
Typical Problems
•“Every application wants me to log in!”
•“I have too many passwords – my monitor is covered in Post-its!”
•“We're implementing Sarbanes-Oxley – we need to control access to applications!”
•“We need to access outsourced functions!”
•“Our partners need to access our applications!”

9
Single Sign-on between Organizations
•Cookies no longer work
>Need a more sophisticated protocol
•Can't mandate single vendor solution
>Need standards for interoperability

10
Single Sign-On Standards
[Timeline figure, 2002 to 2006, earliest first: SAML 1; Liberty “Phase 1”; SAML 1.1; Liberty ID-FF 1.1, 1.2; Shibboleth 1.0, 1.1; WS-Federation 1.0; Shibboleth 1.2; Liberty Federation = SAML 2; WS-Federation 1.1]

11
SAML 2.0 Concepts
•Assertions: Authentication, attribute and entitlement information
•Protocols: Request/response pairs for obtaining assertions and doing ID management
•Bindings: Mapping SAML protocols onto standard messaging or communication protocols
•Profiles: Combining protocols, bindings, and assertions to support a defined use case
•Metadata: IdP and SP configuration data
•Authentication Context: Detailed data on types and strengths of authentication

12
SSO Across Organizations
[Diagram: End User, one Identity Provider, three Service Providers in separate organizations]

13
SAML 2.0 SSO Basics
[Sequence diagram; participants: Browser, Service Provider, Identity Provider]
1. Browser → Service Provider: GET hrapp/index.html
2. Service Provider → Browser: Redirect with SAML Request
3. Browser → Identity Provider: SAML Authentication Request
4. Browser ↔ Identity Provider: Authenticate
5. Identity Provider → Browser: HTML form with SAML Response
6. Browser → Service Provider: SAML Response
7. Service Provider examines SAML Response and makes access control decision
8. Service Provider → Browser: Response

14
SAML 2.0 Assertion
(Abbreviated!)
  <saml:Assertion Version="2.0" ID="..." IssueInstant="2007-11-06T16:42:28Z">
    <saml:Issuer>https://pat-pattersons-computer.local:8181/</saml:Issuer>
    <Signature>...</Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:...:persistent" ...>
        ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
        <saml:SubjectConfirmationData .../>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions
        NotBefore="2007-11-06T16:42:28Z"
        NotOnOrAfter="2007-11-06T16:52:28Z">
      <saml:AudienceRestriction>
        <saml:Audience>
          https://pat-pattersons-computer.local/example-pat/
        </saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z" ...>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:...:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
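The checks a Service Provider runs on an assertion like the one above before it makes its access control decision (step 7 of the SSO flow), as an added Python example that is not part of this deck or of OpenSSO. The sample assertion is constructed to mirror the slide with the Signature omitted; the SP entity ID, trusted issuer and clock skew are assumed parameters, and XML signature verification is assumed to have happened first.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample modeled on the slide; Signature omitted. A real SP verifies
# the enveloped XML signature first, otherwise every check below can be forged.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_constructed-id"
    IssueInstant="2007-11-06T16:42:28Z">
  <saml:Issuer>https://pat-pattersons-computer.local:8181/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://pat-pattersons-computer.local/example-pat/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(s):
    """SAML timestamps are xsd:dateTime in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, sp_entity_id, trusted_issuer, now, skew=timedelta(0)):
    """Return (ok, reason): issuer, bearer confirmation, validity window, audience."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return False, "untrusted issuer"
    methods = [c.get("Method") for c in root.findall("saml:Subject/saml:SubjectConfirmation", NS)]
    if BEARER not in methods:
        return False, "no bearer SubjectConfirmation"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < parse_ts(nb) - skew:
        return False, "assertion not yet valid"
    if noa and now >= parse_ts(noa) + skew:  # NotOnOrAfter is exclusive
        return False, "assertion expired"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and sp_entity_id not in audiences:
        return False, "audience mismatch"
    return True, "accepted"
```

For untrusted input, parse with defusedxml rather than the stdlib parser, and also check the SubjectConfirmationData Recipient and InResponseTo against the request the SP actually sent.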

15
SAML 2.0 Adoption
•Sun, IBM, CA – all the usual suspects, except Microsoft
•OpenSAML (Internet2)
>Java, C++
•OpenSSO (Sun)
>Java, PHP, Ruby
•SimpleSAMLphp (Feide)
•LASSO (Entr'ouvert)
>C/SWIG
•ZXID (Symlabs)
>C/SWIG
globo.com

16
Open Access.
Open Federation.
What is OpenSSO?
•OpenSSO 1.0 == Federated Access Manager 8.0
•All FAM 8.0 builds available via OpenSSO
•Preview Features
•Provide Feedback
•Review code security

17
OpenSSO Momentum
•In less than 2 years...
>650 project members at opensso.org
>~15 external committers
>Consistently in Top 10* java.net projects by mail traffic
–* of over 3000 projects
•Production deployments
>www.audi.co.uk
–250,000 customer profiles
>openid.sun.com
–OpenID for Sun employees
>telenet.be
–Foundation for fine-grained authorization
.....gov.br

18
OpenSSO Roadmap
[Roadmap figure: Federation Manager 7.0 (Q4CY05), Access Manager 7.1 (Q4CY06), OpenSSO (Q3CY06) and OpenSSO Federation (Q4CY06) converge into OpenSSO 1.0 / FAM 8.0 (Summer 2008), followed by OpenSSO 1.next / FAM 8.1 (End of 2008)]

19
OpenSSO 1.0: Access Management and Federation
•Centralized Agent Configuration & Deployment
•Centralized Configuration
•XACML Request/Response
•Wide choice of Application Servers
•Fedlet
•Virtual Federation
•Multi-Federation Protocol Hub
•WS-Federation 1.1
•3rd Party WAM Interoperability

20
OpenSSO 1.0: Identity Services (But that's not all...)
•Authentication as a service
•Authorization as a service
•Audit as a service
•Attribute Query as a service
•Secure Trust Authority
•Web Services Security Plug-ins
•SDK for Securing Web Services

21
OpenSSO Extensions
https://opensso.dev.java.net/public/extensions/
•SAML 2.0
>PHP SAML 2.0 SP implementation
–Picked up by Feide (Norway)
>Ruby SAML 2.0 SP implementation
>SAML 2.0 ECP test rig
•OpenID
>OpenID 1.1 Provider
–Deployed at openid.sun.com
•Client SDK
>PHP Client SDK implementation
•Authentication Modules
>ActivIdentity 4Tress
>Hitachi Finger Vein Biometric
>Information Card (aka CardSpace)

22
Join In!
•Join: Sign up at opensso.org
•Download: OpenSSO 1.0 Build 4
•Subscribe: OpenSSO Mailing Lists (dev, users, announce)
•Chat: #opensso on freenode.net

23
Resources
•OpenSSO
>http://opensso.org/
•SAML @ Globo.com: André Bechara video
>http://tinyurl.com/6rugrm
•Pat's Blog: Superpatterns
>http://blogs.sun.com/superpat/
•Daniel Raskin's Blog: Virtual Daniel
>http://blogs.sun.com/raskin/
•OpenSSO Extensions
>https://opensso.dev.java.net/public/extensions/
