Practical Federated Identity
Use Cases From The Real World
Johann Nallathamby, Senior Software Engineer; Selvaratnam Uthaiyashankar, Director - Cloud Solutions
What is Identity
• "the fact of being who or what a person or thing is"
• http://oxforddictionaries.com/definition/english/identity
• Who you are…
• Why important?
  – Whatever you do is associated with your identity
• Digital Identity
Problems with Digital Identity
• Different identity in different applications / domains
  – Remembering passwords
  – Losing possible collaboration
Federated Identity
• "The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains." - Burton Group
[Diagram: federation overview. Several Service Providers are connected to one Identity Provider; the labelled relationships are Authentication, Service Consumption and Trust.]
Key Requirements For Identity Federation: Identity Management and Authentication
• Authentication
  – Multi-Factor Authentication
• Identity Management
  – Attributes / Claims
Key Requirements For Identity Federation: Trust Between Domains
• Trust
  – Pre-established
    • Common in Enterprise scenarios
  – Established only when accessing the service
    • Common in web scenarios
• Identity Provider Discovery
Key Requirements For Identity Federation: Identity and Attribute Mapping
• Mapping user identity of one system to another
  – Username
  – Out of Band
  – Pseudonym
    • Transient
    • Persistent
• Mapping attribute names in different systems
• Mapping attribute values in different systems
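The slide lists the mapping problems but not how an identity provider solves them. The following is an added example (not from the slides or from WSO2 Identity Server) that shows the two pseudonym kinds side by side and a small attribute name/value mapping. The attribute names, the group DNs and the key are constructed placeholders; the persistent pseudonym is an HMAC over the service-provider entity ID and the username, which is one common way to make the value stable per SP but uncorrelatable across SPs.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed name mapping between a hypothetical IdP schema (LDAP-style
# names) and a hypothetical service provider schema.
IDP_TO_SP_ATTRIBUTE_NAMES = {
    "mail": "email",
    "givenName": "first_name",
    "sn": "last_name",
    "memberOf": "groups",
}

# Constructed value mapping for the "groups" attribute: IdP group DNs are
# translated into the vocabulary the service provider understands.
IDP_TO_SP_GROUP_VALUES = {
    "cn=staff,ou=groups,dc=example,dc=org": "employee",
    "cn=admins,ou=groups,dc=example,dc=org": "administrator",
}


def persistent_pseudonym(username: str, sp_entity_id: str, idp_secret: bytes) -> str:
    """Derive a stable, SP-specific pseudonym for a user.

    The same (user, SP) pair always yields the same value, so the SP can
    recognise a returning user, while two SPs receive different values and
    cannot correlate the user across domains without the IdP's secret.
    """
    message = sp_entity_id.encode() + b"\x00" + username.encode()
    return hmac.new(idp_secret, message, hashlib.sha256).hexdigest()[:32]


def transient_pseudonym() -> str:
    """Issue a fresh single-session identifier; the SP cannot link it to
    earlier or later sessions of the same user."""
    return secrets.token_urlsafe(24)


def map_attributes(idp_attributes: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Translate IdP attribute names (and, for groups, values) into the SP
    schema. Attributes with no mapping are dropped rather than forwarded
    unchanged, so the SP only ever sees the vocabulary it was configured for."""
    mapped: Dict[str, List[str]] = {}
    for name, values in idp_attributes.items():
        sp_name = IDP_TO_SP_ATTRIBUTE_NAMES.get(name)
        if sp_name is None:
            continue
        if sp_name == "groups":
            values = [IDP_TO_SP_GROUP_VALUES[v] for v in values if v in IDP_TO_SP_GROUP_VALUES]
        mapped[sp_name] = list(values)
    return mapped


if __name__ == "__main__":
    # Constructed sample of what the IdP knows about one user.
    user = {
        "mail": ["alice@example.org"],
        "givenName": ["Alice"],
        "sn": ["Liddell"],
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=org",
                     "cn=guests,ou=groups,dc=example,dc=org"],
        "employeeNumber": ["42"],
    }
    key = b"constructed-idp-pseudonym-key"
    print(persistent_pseudonym("alice", "https://sp-a.example.com", key))
    print(transient_pseudonym())
    print(map_attributes(user))
```

Dropping unmapped attributes (rather than passing them through) is the conservative choice: an attribute the SP never asked for should not reach it just because the IdP happens to hold it.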
Key Requirements For Identity Federation: Attribute Exchange
• One system requesting additional attributes from another system
Protocols and Standards
• OpenID
• SAML2 Web Browser SSO
• WS-Trust & WS-Federation
OpenID
http://openid.net/get-an-openid/
OpenID Identifiers
• Google
  – https://profiles.google.com/YourGoogleID
• Blogger
  – http://blogname.blogspot.com/
• MySpace
  – http://www.myspace.com/username
OpenID
[Diagram: OpenID flow between the user's browser, Service Provider A (the Relying Party) and the Identity Provider. Labelled elements, numbered 1 to 7 in the original: Provide OpenID; Discover Provider (XRI Resolution, Yadis, HTML Based Discovery); 3. Create shared secret; Browser Redirect to IdP; Single Sign-On Service; Allow Access to Service.]
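The diagram names HTML-based discovery as one way the relying party finds the provider behind a user-supplied identifier (the "Identity Provider Discovery" requirement from the earlier slide). The following added example, which is not part of the slides, implements that step with the standard library: it reads the `openid2.provider` / `openid2.local_id` link relations (OpenID 2.0) from the `<head>` of the page served at the identifier URL, falling back to the OpenID 1.x `openid.server` / `openid.delegate` relations. The sample page is constructed.

```python
from html.parser import HTMLParser
from typing import Dict, Optional


class _OpenIDLinkParser(HTMLParser):
    """Collect <link rel=... href=...> elements that appear inside <head>."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        if tag == "link" and self._in_head:
            attributes = dict(attrs)
            rel, href = attributes.get("rel"), attributes.get("href")
            if rel and href:
                for token in rel.split():          # rel may carry several tokens
                    self.links.setdefault(token.lower(), href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover_from_html(document: str) -> Optional[Dict[str, Optional[str]]]:
    """HTML-based discovery: return the provider endpoint and, if given, the
    local identifier the provider knows the user by. Only links in <head> of
    the document fetched from the claimed identifier are considered; anything
    in the body (e.g. user-generated content on a profile page) is ignored."""
    parser = _OpenIDLinkParser()
    parser.feed(document)
    links = parser.links
    if "openid2.provider" in links:
        return {"version": "2.0", "endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id")}
    if "openid.server" in links:
        return {"version": "1.1", "endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate")}
    return None


# Constructed page as it might be served at https://alice.example.org/ (not a real site).
SAMPLE_IDENTIFIER_PAGE = """<html><head><title>alice</title>
<link rel="openid2.provider" href="https://op.example.net/auth">
<link rel="openid2.local_id" href="https://op.example.net/alice">
<link rel="openid.server" href="https://op.example.net/v1">
</head><body>
<link rel="openid2.provider" href="https://other.example/">
</body></html>"""

if __name__ == "__main__":
    print(discover_from_html(SAMPLE_IDENTIFIER_PAGE))
```

The relying party still has to apply the usual redirect hygiene to the discovered endpoint (it is attacker-influenced data from a fetched page), and the diagram's next step, establishing a shared secret with that endpoint, is what lets it later verify the assertion instead of trusting the redirect back.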
Demo - OpenID
SAML2 Web Browser SSO
SAML 2.0 Web Browser SSO Profile
SAML2 Web Browser SSO
[Diagram: SAML2 Web Browser SSO flow between the browser, Service Provider A and the Identity Provider, which have a Trust relationship. Labelled elements, numbered 1 to 7 in the original: Access Service; Select Identity Provider; Browser Redirect to IdP; Single Sign-On Service; Assertion Consumer Service; Allow Access to Service.]
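The diagram shows the message flow but not what the Assertion Consumer Service has to check before it allows access. The following added example (not from the slides, and not WSO2 Identity Server code) models the exchange in one process: the SP builds an AuthnRequest, the IdP answers with a Response containing an Assertion, and the ACS validates it. Entity IDs and URLs are constructed. One deliberate simplification: the real profile signs with XML Signature using the IdP certificate from its metadata; here an HMAC over the serialized Response stands in for that signature so the example runs offline, while keeping the order of checks the same.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed identifiers for the two parties.
SP_ENTITY_ID = "https://sp-a.example.com/metadata"
ACS_URL = "https://sp-a.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/metadata"
IDP_SSO_URL = "https://idp.example.org/sso"
# Stand-in for the IdP signing key (assumption: real deployments use XML
# Signature with the IdP certificate, not a shared HMAC key).
IDP_SIGNING_KEY = b"constructed-demo-key"


def _now() -> datetime:
    return datetime.now(timezone.utc)


def _fmt(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id: str) -> str:
    """SP side: the AuthnRequest the browser is redirected to the IdP SSO service with."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": _fmt(_now()),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": ACS_URL})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def issue_response(authn_request_xml: str, name_id: str):
    """IdP side: after authenticating the user (not modelled), return a signed Response."""
    req = ET.fromstring(authn_request_xml)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _fmt(_now()),
        "InResponseTo": req.get("ID"), "Destination": req.get("AssertionConsumerServiceURL")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {"ID": "_" + secrets.token_hex(16)})
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    conditions = ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": _fmt(_now() - timedelta(minutes=1)),
        "NotOnOrAfter": _fmt(_now() + timedelta(minutes=5))})
    restriction = ET.SubElement(conditions, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML}}}Audience").text = SP_ENTITY_ID
    xml = ET.tostring(resp, encoding="unicode")
    signature = hmac.new(IDP_SIGNING_KEY, xml.encode(), hashlib.sha256).hexdigest()
    return xml, signature


def assertion_consumer_service(response_xml: str, signature: str, outstanding: set) -> str:
    """SP side: what the ACS verifies before 'Allow Access to Service'.
    `outstanding` holds IDs of AuthnRequests this SP issued and has not yet consumed."""
    expected = hmac.new(IDP_SIGNING_KEY, response_xml.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature does not verify")            # tampered or forged
    resp = ET.fromstring(response_xml)
    if resp.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("issuer is not the trusted IdP")
    if resp.get("Destination") != ACS_URL:
        raise ValueError("response was addressed to a different endpoint")
    if resp.get("InResponseTo") not in outstanding:
        raise ValueError("unsolicited or replayed response")     # unknown or already consumed ID
    outstanding.discard(resp.get("InResponseTo"))
    assertion = resp.find(f"{{{SAML}}}Assertion")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    now = _now()
    if not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") != SP_ENTITY_ID:
        raise ValueError("assertion was issued for another audience")
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def acs_rejects(response_xml: str, signature: str, outstanding: set) -> bool:
    """True if the ACS refuses this response (used for the checks below)."""
    try:
        assertion_consumer_service(response_xml, signature, outstanding)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pending = {"_req1"}
    response, sig = issue_response(build_authn_request("_req1"), "alice")
    print("logged in as", assertion_consumer_service(response, sig, pending))
    print("replay rejected:", acs_rejects(response, sig, pending))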
Demo – SAML2 Web Browser SSO
WS-Trust
[Diagram: WS-Trust flow between Service Provider A and the Identity Provider's Security Token Service, which have a Trust relationship. Labelled elements, numbered 1 to 5 in the original: Authentication (Username/x509/etc.); Security Token; 4. Verify Token (e.g.: Check signature).]
Some Federation Patterns Using WSO2 Identity Server
Token Exchange
IdP Proxy Pattern
[Three diagram slides for the IdP Proxy Pattern]
Resource STS Pattern
[Diagram: components labelled Client STS, Client Proxy, Resource Proxy, Resource STS, OAuth AS, DMZ Proxy, STS]
Federation for REST APIs
SaaS Application with Trusted Identity Providers
• SaaS Application
  – Application deployed by the super-tenant
  – Application used by all the tenants
  – Application authorization logic written against shared roles
  – Tenant users physically only exist in the Identity Provider and not in the Application server
  – The users' attributes are with the Trusted Identity Provider
• Trusted Identity Providers (Trusted IdPs)
  – Each tenant will have its own Trusted Identity Provider
  – The SaaS application will delegate authentication by redirecting the user to the Trusted Identity Provider and then validate the signed token response with attributes.
  – Identity Provider roles are mapped to shared roles in the application server and authorization logic is performed based on them.
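To make the last two bullets concrete, here is an added example (not from the slides and not WSO2 Identity Server code) of the application-side logic for a multi-tenant SaaS: each tenant is registered with exactly one trusted IdP, the claims of an already signature-validated token are accepted only if their issuer is that tenant's IdP, IdP role names are mapped to the application's shared roles, and authorization is decided purely on the shared roles. Tenant names, issuer URLs, role names and the claim shape are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Shared roles the SaaS application's authorization logic is written against.
PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "read":   frozenset({"viewer", "editor", "admin"}),
    "write":  frozenset({"editor", "admin"}),
    "manage": frozenset({"admin"}),
}


@dataclass(frozen=True)
class TrustedIdP:
    issuer: str                   # entity ID the tenant's IdP issues tokens as
    role_mapping: Dict[str, str]  # IdP role name -> shared application role


@dataclass(frozen=True)
class Principal:
    tenant: str
    subject: str
    roles: FrozenSet[str]


# Constructed per-tenant registry: each tenant trusts exactly one IdP, and the
# tenant's users exist only there, never in the application server.
TENANT_IDPS: Dict[str, TrustedIdP] = {
    "acme": TrustedIdP("https://idp.acme.example/saml",
                       {"Employees": "viewer", "Engineering": "editor", "IT-Admins": "admin"}),
    "globex": TrustedIdP("https://sso.globex.example/metadata",
                         {"staff": "viewer", "ops": "admin"}),
}


def authenticate(tenant: str, claims: dict) -> Principal:
    """Turn the claims of a signature-checked token into an application principal.
    `claims` uses the constructed shape {"issuer", "subject", "roles"}; signature
    validation of the token itself is assumed to have happened before this point."""
    idp = TENANT_IDPS.get(tenant)
    if idp is None:
        raise PermissionError("unknown tenant")
    # A perfectly valid token from some other tenant's IdP must not grant access here.
    if claims.get("issuer") != idp.issuer:
        raise PermissionError("token was not issued by this tenant's trusted IdP")
    roles = frozenset(idp.role_mapping[r] for r in claims.get("roles", []) if r in idp.role_mapping)
    if not roles:
        raise PermissionError("user holds no role that maps to an application role")
    return Principal(tenant, claims["subject"], roles)


def authorize(principal: Principal, action: str) -> bool:
    """Decision made only against shared roles, never against IdP-specific names."""
    return bool(principal.roles & PERMISSIONS.get(action, frozenset()))


def login_rejected(tenant: str, claims: dict) -> bool:
    """True if authentication refuses the token (used for the checks below)."""
    try:
        authenticate(tenant, claims)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    token = {"issuer": "https://idp.acme.example/saml", "subject": "alice",
             "roles": ["Employees", "Engineering"]}
    p = authenticate("acme", token)
    print(sorted(p.roles), authorize(p, "write"), authorize(p, "manage"))
    # The same token presented against the globex tenant is refused.
    print(login_rejected("globex", token))
```

Keying the trust decision on the tenant the request arrived for, rather than on whichever IdP signed the token, is the check that keeps one tenant's users out of another tenant's data even though every IdP in the registry is trusted for some tenant.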
SaaS Application with Trusted Identity Providers
WSO2 Identity Server
Questions?
Photos Credit
• http://images.motoring.co.uk/images/newsImages/driving-licence-exchange-rules-tightened-52313-1.jpg
• http://www.vectors4all.net/preview/people-business-male-clip-art.jpg