Upload
startup-cursos
View
1.922
Download
0
Tags:
Embed Size (px)
DESCRIPTION
SAML 2.0, SSON
Citation preview
Open Source Identity Integration with OpenSSOApril 19, 2008
Pat PattersonFederation [email protected]/superpat
2
Agenda
• Web Access Management> The Problem> The Solution> How Does It Work?
• Federation> Single Sign-On Beyond a Single Enterprise> How Does It Work?
• OpenSSO> Project Overview
3
Typical Problems
• “Every application wants me to log in!”
• “I have too many passwords – my monitor is covered in Post-its!”
• “We're implementing Sarbanes-Oxley – we need to control access to applications!”
• “We need to access outsourced functions!”
• “Our partners need to access our applications!”
4
Web Access Management
• Simplest scenario is within a single organization• Factor authentication and authorization out of web
applications into web access management (WAM) solution
• Can use browser cookies within a DNS domain• Proxy or Agent architecture implements role-based
access control (RBAC)• Users get single sign-on, IT gets control
5
Single Sign-On Within an Organization
End User
SSO Server
Web ServerWeb Server
ApplicationServer
6
How It WorksBrowser Agent ApplicationSSO Server
GET hrapp/index.html
Redirect to SSO Server
Authenticate
Redirect to hrapp/index.html (with SSO cookie) GET hrapp/index.html
(with SSO cookie)
Is this user allowed to access hrapp/index.html?
Yes!Allow request to proceed
Application response
7
Web Access Management Products
• Sun Java System Access Manager> OpenSSO
• CA (Netegrity) SiteMinder Access Manager• IBM Tivoli Access Manager• Oracle (Oblix) Access Manager• Novell Access Maneger• JA-SIG CAS• JOSSO
8
Typical Problems
• “Every application wants me to log in!”
• “I have too many passwords – my monitor is covered in Post-its!”
• “We're implementing Sarbanes-Oxley – we need to control access to applications!”
• “We need to access outsourced functions!”
• “Our partners need to access our applications!”
9
Single Sign-on between Organizations
• Cookies no longer work> Need a more sophisticated protocol
• Can't mandate single vendor solution> Need standards for interoperability
10
Single Sign-On Standards
2002 2003 20052004 2006
WS-Federation1.1
LibertyFederation
=
SAML2
Shibboleth1.2
WS-Federation1.0
Shibboleth1.0,1.1
LibertyID-FF 1.1,1.2
SAML1.1
Liberty“Phase 1”
SAML1
11
SAML 2.0 Concepts
ProfilesCombining protocols, bindings, and
assertions to support a defined use case
BindingsMapping SAML protocols onto standard messaging or
communication protocols
MetadataIdP and SP
configuration data
AuthenticationContext
Detailed data on types and strengths
of authentication
ProtocolsRequest/response pairs for obtaining assertions
and doing ID management
AssertionsAuthentication, attribute and entitlement
information
12
SSO Across Organizations
End User
IdentityProvider
ServiceProvider
ServiceProvider
ServiceProvider
13
SAML 2.0 SSO BasicsBrowser Service ProviderIdentity Provider
GET hrapp/index.html
Redirect with SAML Request
Authenticate
HTML form with SAML Response
SAML Response
Response
Service Provider examines SAML Response and makes access control decision
SAML Authentication Request
14
SAML 2.0 Assertion(Abbreviated!)
<Assertion Version="2.0" ID="..." IssueInstant="2007-11-06T16:42:28Z"><Issuer>https://pat-pattersons-computer.local:8181/</Issuer><Signature>...</Signature><saml:Subject>
<saml:NameID Format="urn:oasis:...:persistent" ...>ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M
</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:...:bearer">
<saml:SubjectConfirmationData .../></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions NotBefore="2007-11-06T16:42:28Z"
NotOnOrAfter="2007-11-06T16:52:28Z"><saml:AudienceRestriction>
<saml:Audience>https://pat-pattersons-computer.local/example-pat/
</saml:Audience></saml:AudienceRestriction>
</saml:Conditions><saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z" ...>
<saml:AuthnContext><saml:AuthnContextClassRef>
urn:oasis:...:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>
15
SAML 2.0 Adoption
• Sun, IBM, CA – all the usual suspects, except Microsoft• OpenSAML (Internet2)
> Java, C++
• OpenSSO (Sun)> Java, PHP, Ruby
• SimpleSAMLphp (Feide)• LASSO (Entr'ouvert)
> C/SWIG
• ZXID (Symlabs)> C/SWIG
globo
.com
16
Open Access.Open Federation.
What is OpenSSO?
• OpenSSO 1.0 == Federated Access Manager 8.0
• All FAM 8.0 builds available via OpenSSO
• Preview Features• Provide Feedback• Review code
security
17
OpenSSO Momentum
• In less than 2 years...> 650 project members at opensso.org> ~15 external committers> Consistently in Top 10* java.net projects by mail traffic
– * of over 3000 projects
• Production deployments> www.audi.co.uk
– 250,000 customer profiles> openid.sun.com
– OpenID for Sun employees> telenet.be
– Foundation for fine-grained authorization
.....go
v.br
18
OpenSSO Roadmap
Access Manager
Federation Manager
OpenSSO
OpenSSO 1.0 / FAM 8.0Summer 2008
OpenSSO 1.next / FAM 8.1
End of 2008
OpenSSO Federation
Q4CY06OpenSSO
Q3CY06
Access Manager 7.1
Q4CY06
Federation Manager 7.0
Q4CY05
19
• Centralized Agent Configuration & Deployment
• Centralized Configuration• XACML Request/Response• Wide choice of Application Servers
• Fedlet• Virtual Federation• Multi-Federation Protocol Hub• WS-Federation 1.1• 3rd Party WAM Interoperability
Access Management
Federation
OpenSSO 1.0
20
• Authentication as a service• Authorization as a service• Audit as a service• Attribute Query as a service• Secure Trust Authority• Web Services Security Plug-ins• SDK for Securing Web Services
Identity Services
OpenSSO 1.0
But that's not all...
21
• PHP SAML 2.0 SP implementation> Picked up by Feide (Norway)
• Ruby SAML 2.0 SP implementation• SAML 2.0 ECP test rig
• OpenID 1.1 Provider> Deployed at openid.sun.com
• PHP Client SDK implementation
• ActivIdentity 4Tress• Hitachi Finger Vein Biometric• Information Card (aka CardSpace)
SAML 2.0
OpenID
OpenSSO Extensionshttps://opensso.dev.java.net/public/extensions/
Client SDK
Authentication Modules
22
Participe!
Join Download
Subscribe Chat
Sign up at opensso.org
OpenSSO 1.0 Build 4
OpenSSO Mailing Listsdev, users, announce
#opensso on
freenode.net
23
• http://opensso.org/
• André Bechara video> http://tinyurl.com/6rugrm
• Superpatterns> http://blogs.sun.com/superpat/
• Virtual Daniel> http://blogs.sun.com/raskin/
OpenSSO
Pat's Blog
Resourceshttps://opensso.dev.java.net/public/extensions/
Daniel Raskin's Blog
SAML @ Globo.com
Pat PattersonFederation [email protected]/superpat
Open Source Identity Integration with OpenSSOApril 19, 2008