A Development session led by Technical Enablement Lead Bert Van Beeck
2013 Open Stack Identity Summit - France
Federation in practice
OLD ACCESS CONTROL
• Applications and data within the firewall perimeter
• Users within the enterprise
• Difficult to roll out new services
Hanseatic League (Hansa): trade confederation, 13th to 17th centuries
Trading outside the walls
• Secure
• Membership agreement
• Follow protocol
Information, services and users outside the firewall
• Partners
• Outsourcing
• Suppliers
• Customers
Federalism is a political concept in which a group of members are bound together by covenant (Latin: foedus, covenant*) with a governing representative head.
*Agreement
The dictionary
Schengen Area
It is a group of 26 European countries that have abolished passport and immigration controls at their common borders.
§ Present your security token at the entrance
§ Travel seamlessly within the area
Diagram: the Enterprise (Commercial Applications, In-house dev applications, Legacy applications, backed by Directory, Databases and Active Directory) alongside the external parties Partners, Outsourcing, Suppliers and Customers.
FEDERATED IDENTITY
Federated identity is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
Benefits of Federated identity
• Provides Single Sign On for an enhanced user experience
• Shares information across partners securely and privately
• Promotes adoption of new services
• Reduces costs
• Cloud friendly
• Mobile friendly
Identity Federation Standards: SAML 2.0, WS-Federation, ID-FF
Federation support in OpenAM
• SOAP/XML: SAML 1.0, SAML 1.x, SAML 2.0, ID-FF, Shibboleth 1.0/1.1, Shibboleth 2 (SAML2), WS-Federation 1.0, WS-Federation 1.1, ADFS, ADFS2 (SAML 2)
• REST/JSON: OAuth 2.0, OpenID Connect
Identity Federation Actors
• Identity Provider (asserting party, IdP)
• Service Provider (relying party, consumer, SP)
• Principal (the user)
• Circle of Trust: the IdP and its SPs, bound by agreements
Flow: the principal authenticates at the IdP and obtains a token, then presents the token to the SP and accesses the resource.
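As an added example, not code from this deck or from OpenAM, the four-step flow and the circle of trust above modelled in Python. The IdP authenticates the principal and issues a signed token scoped to one SP; the SP accepts a token only when the issuer is in its circle of trust, the signature verifies with that issuer's key, the audience is the SP itself, and the validity window holds. The entity ids, key, user records and the HMAC-signed JSON token format are constructed stand-ins for SAML metadata, XML signatures and assertions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo identifiers and key (stand-ins for SAML entity ids and the
# IdP signing key exchanged out of band as part of the circle-of-trust metadata).
IDP_ID = "https://idp.example.test"
IDP_KEY = b"constructed-demo-signing-key"
USERS = {  # principal -> (password, attributes released to SPs)
    "alice": ("correct horse", {"email": "alice@example.test", "groups": ["sales"]}),
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Asserting party: authenticates the principal and issues a signed token."""

    def __init__(self, entity_id: str, signing_key: bytes, users: dict):
        self.entity_id = entity_id
        self._key = signing_key  # never leaves the IdP
        self._users = users

    def authenticate(self, principal: str, password: str) -> bool:
        record = self._users.get(principal)
        return record is not None and hmac.compare_digest(record[0].encode(), password.encode())

    def issue_token(self, principal: str, audience: str, now: int, ttl: int = 300) -> str:
        # Token body carries issuer, subject, audience and a validity window;
        # the signature covers the whole body so no claim can be altered.
        body = json.dumps({
            "iss": self.entity_id, "sub": principal, "aud": audience,
            "iat": now, "exp": now + ttl, "attrs": self._users[principal][1],
        }, sort_keys=True).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return f"{_b64(body)}.{_b64(sig)}"


class ServiceProvider:
    """Relying party: accepts tokens only from IdPs in its circle of trust."""

    def __init__(self, entity_id: str, circle_of_trust: dict):
        self.entity_id = entity_id
        self._trusted = circle_of_trust  # IdP entity id -> verification key

    def verify_token(self, token: str, now: int) -> tuple:
        """Return (accepted, reason, claims); the order of checks matters."""
        try:
            body_b64, sig_b64 = token.split(".")
            body = _unb64(body_b64)
            claims = json.loads(body)
            if not isinstance(claims, dict):
                raise ValueError
        except ValueError:
            return False, "malformed token", None
        key = self._trusted.get(claims.get("iss"))
        if key is None:  # agreement check: unknown issuer, key never consulted
            return False, "issuer not in circle of trust", None
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return False, "bad signature", None
        if claims.get("aud") != self.entity_id:  # token meant for a different SP
            return False, "token issued for another service provider", None
        if not (claims["iat"] <= now < claims["exp"]):
            return False, "token expired or not yet valid", None
        return True, "ok", claims


def demo_flow() -> dict:
    """Run the flow and a set of rejection cases; returns reason per case."""
    now = 1_700_000_000
    idp = IdentityProvider(IDP_ID, IDP_KEY, USERS)
    crm = ServiceProvider("https://crm.example.test", {IDP_ID: IDP_KEY})
    hr = ServiceProvider("https://hr.example.test", {IDP_ID: IDP_KEY})
    results = {}
    # 1. authenticate at the IdP, 2. obtain a token for the CRM
    if not idp.authenticate("alice", "correct horse"):
        raise RuntimeError("authentication failed")
    token = idp.issue_token("alice", crm.entity_id, now)
    # 3. present the token, 4. access the resource
    results["crm"] = crm.verify_token(token, now)[1]
    # Same token replayed at another SP in the same circle of trust
    results["replay_at_hr"] = hr.verify_token(token, now)[1]
    # Presented after the validity window
    results["expired"] = crm.verify_token(token, now + 600)[1]
    # Body altered in transit: signature no longer matches
    body, sig = token.split(".")
    tampered = _b64(_unb64(body).replace(b'"alice"', b'"bob"')) + "." + sig
    results["tampered"] = crm.verify_token(tampered, now)[1]
    # Token from an IdP outside the circle of trust
    rogue = IdentityProvider("https://other-idp.example.test", b"other-key", USERS)
    results["outside_cot"] = crm.verify_token(rogue.issue_token("alice", crm.entity_id, now), now)[1]
    return results


if __name__ == "__main__":
    print(demo_flow())
```

The rejection reasons mirror the checks a real SAML SP performs on an assertion (issuer known in metadata, signature, audience restriction, validity conditions); the audience check is the one most often forgotten, and without it a token obtained for one SP is accepted by every other SP in the circle. A production SP verifies an XML signature with the IdP's public key from its metadata rather than a shared HMAC secret.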
Use Cases
§ Enterprise connected to Cloud SaaS, partners, suppliers, etc.
§ Customers using social authentication
Diagram: the Enterprise (Commercial Applications, In-house dev applications, Legacy applications, backed by Directory, Databases and Active Directory) federated with SaaS, Private Cloud, Social, Partners, Outsourcing and Suppliers.
Use Cases
§ SaaS/IDaaS providing services to Enterprises
§ Social authentication to SaaS and IDaaS
Diagram: a Multi-tenant IdP and a Multi-tenant SP (SaaS, Private Cloud, Social) serving enterprises with Commercial Applications, In-house dev applications and Legacy applications backed by Directory, Databases and Active Directory.
Mobile IAM for the Modern Web
Diagram: Web Apps, Native Apps and a Login App in the Cloud and the Enterprise talk to OpenAM over REST, OAuth2 and OpenID Connect; OpenAM provides Authentication, Authorization, Attribute Delivery, Federation, SSO, Token Persistence and Session Mgmt, and acts as OAuth2 Provider.
SP to IdP Mesh
Diagram: every SP holds a direct federation with every IdP.
IdP Proxy
Diagram: the SPs federate with a single IdP Proxy, which in turn federates with each IdP.
Federation is more than SSO
• SAML 2.0: IdP, SP, IdP Proxy, Attribute Query Provider, Attribute Authority, Authentication Authority, XACML PEP, XACML PDP
• WS-Federation: IdP, SP
• ID-FF: IdP, SP
• OAuth 2.0: RESTful authorization protocol
• OpenID Connect: uses OAuth2 tokens, adds services
OpenAM + family
• OpenAM: full blown federation
• OpenAM Fedlet: lightweight SAML 2.0 SP
• OpenIG and Fedlet: powerful combination of integration and SAML 2.0
• Bridge SPE/SalesForce Bridge: SaaS oriented federation/sync bridge, includes SAML 2.0 and OAuth2
Custom federation
Diagram: Applications fronted by a Policy Agent, a Fedlet or a Reverse Proxy act as SPs against OpenAM configured as a "Custom IDP", whose authentication chain consists of a Custom AuthN Module (State 1), a Custom AuthN Module (State 2) and a Custom Post Authentication Module; numbered arrows 1 to 6 trace the flow between SP and IDP.
Walkthrough: configure OpenAM as IDP to achieve SSO to Google Apps, WordPress and Office365 using SAML2.
Diagram: a Circle of Trust with demo.openam.org as IdP and the three SPs.
Federated Single Sign-On