Towards an Open Identity Infrastructure with OpenSSO. RMLL Nantes July 10 2009. Fulup Ar Foll Master Architect fulup@sun.com

Similar documents
Open Source Identity Integration with OpenSSO

OpenSSO: Simplify Your Single-Sign-On Needs. Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com

Secure the Web: OpenSSO

THE NEW DIGITAL EXPERIENCE

OpenSSO Monitoring Euro User Groups Winter 2010

The Role of Identity Enabled Web Services in Cloud Computing

OpenAM. 1 open source 1 community experience distilled. Single Sign-On (SSO) tool for securing your web. applications in a fast and easy way

OPENIAM ACCESS MANAGER. Web Access Management made Easy

THE NEW DIGITAL EXPERIENCE

Enterprise Access Control Patterns For REST and Web APIs

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Web Applications Access Control Single Sign On

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

GlassFish Security. open source community experience distilled. security measures. Secure your GlassFish installation, Web applications,

esoc SSA DC-I Part 1 - Single Sign-On and Access Management ICD

Federated Identity and Single Sign-On using CA API Gateway

SAML-Based SSO Solution

Access Management Analysis of some available solutions

OpenSSO: Cross Domain Single Sign On

Single Sign On In A CORBA-Based

Software Requirement Specification Web Services Security

Single Sign On. SSO & ID Management for Web and Mobile Applications

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Administering Jive Mobile Apps

Egnyte Single Sign-On (SSO) Installation for OneLogin

Securing Enterprise: Employability and HR

Using SAML for Single Sign-On in the SOA Software Platform

The Challenges of Web single sign-on

SSO Plugin. Release notes. J System Solutions. Version 3.6

Agenda. How to configure

CA Single Sign-On Migration Guide

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution

Copyright Pivotal Software Inc, of 10

CA SiteMinder. Implementation Guide. r12.0 SP2

A Standards-based Mobile Application IdM Architecture

Web Access Management and Single Sign-On

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

How To Manage Identity On A Cloud (Cloud) With A User Id And A Password (Saas)

Salesforce Opportunities Portlet Documentation v2

OAuth Guide Release 6.0

White Paper March 1, Integrating AR System with Single Sign-On (SSO) authentication systems

Integration Overview. Web Services and Single Sign On

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

Flexible Identity Federation

> Please fill your survey to be eligible for a prize draw. Only contact info is required for prize draw Survey portion is optional

An Oracle White Paper Dec Oracle Access Management Security Token Service

The Role of Federation in Identity Management

Server based signature service. Overview

Connected Data. Connected Data requirements for SSO

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

Administering Google Apps & Chromebooks for Education

JVA-122. Secure Java Web Development

Securing RESTful Web Services Using Spring and OAuth 2.0

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

Entitlements Access Management for Software Developers

SAML Authentication Quick Start Guide

Administering Jive for Outlook

Policy Guide Access Manager 3.1 SP5 January 2013

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

Centrify Mobile Authentication Services

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

How To Get A Single Sign On (Sso)

Multi Factor Authentication API

How To Use Saml 2.0 Single Sign On With Qualysguard

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Single Sign-On Implementation Guide

TrustedX: eidas Platform

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Security As A Service Leveraged by Apache Projects. Oliver Wulff, Talend

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Identity, Privacy, and Data Protection in the Cloud XACML. David Brossard Product Manager, Axiomatics

SharePoint 2013 Logical Architecture

PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN

Single Sign-On Implementation Guide

Onegini Token server / Web API Platform

Stronger Authentication with Biometric SSO

OAuth: Where are we going?

Single Sign-On Implementation Guide

IT Exam Training online / Bootcamp

Salesforce1 Mobile Security Guide

How to Extend your Identity Management Systems to use OAuth

Getting Started with AD/LDAP SSO

SAML-Based SSO Solution

IVOA Single Sign-On security

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

It is I, SAML. Ana Mandić Development Five Minutes Ltd

Kerberos and Single Sign On with HTTP

Bringing Cloud Security Down to Earth. Andreas M Antonopoulos Senior Vice President & Founding Partner

Security and ArcGIS Web Development. Heather Gonzago and Jeremy Bartley

Building Secure Applications. James Tedrick

TrustedX - PKI Authentication. Whitepaper

BOF2337 Open Source Identity and Access Management Expert Panel, Part II. 23 September :30p Hilton - Golden Gate 6/7/8 San Francisco CA

The increasing popularity of mobile devices is rapidly changing how and where we

An Approach to Achieve Delegation of Sensitive RESTful Resources on Storage Cloud

An Oracle White Paper Dec Oracle Access Management OAuth Service

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Transcription:

Towards an Open Identity Infrastructure with OpenSSO RMLL Nantes July 10 2009 Fulup Ar Foll Master Architect fulup@sun.com 1

Towards an Open Identity Infrastructure with OpenSSO OpenSSO Overview > Integration with open source and beyond Integrating further what's new > SaaS integration Google > Fedlet for.net > Fine Grained Authorization > Secure RESTful web services Call to action Participate! 2

What is OpenSSO? Web Single Sign On Access Control Federation > SAML 2.0 > WS Federation Web Services > ID WSF > WS * > SOAP > REST 3

OpenSSO Facts 1000+ project members at opensso.org 125 committers (~25% external to Sun) Deployments all over the world 4

OpenSSO/Identity Community Days 1.0 March 2009 > New York City, USA (Community One East) 2.0 May 2009 > Munich, Germany (European Identity Conference) 3.0 June 2009 > San Francisco, USA (Community One West) Sun engineers, community meet, talk, present 'Unconference' format 5

OpenSSO Options OpenSSO Enterprise > Delivered every 12 15 months > Long term support hot patches/service packs OpenSSO Express > Delivered every 3 months > Medium term support Fixes in the trunk OpenSSO Periodic Builds > Binaries built every 2 3 days > Community support CVS : ) 6

An Open Identity Infrastructure OpenDS LDAP Active Dir Firefox Explorer - Opera 7

Software as a Service Integration Google Apps > Single sign on from an identity provider in your enterprise Users log in with their enterprise credentials > Single sign on handshake between identity provider and Google SAML 2.0 protocol > Valeo (France) in production since May 2009 Replacing Lotus Domino for 32,000 users What's New > Easy set up for SSO to Google Apps Just provide your domain name, cut and paste the rest 8

Fedlet for.net Existing Fedlet is a smash hit > Federation enables small service providers > Java JAR file and configuration > http://tinyurl.com/fedlet Next step:.net version > Same features and functionality as Java version >.Net ZIP file and configuration > http://blogs.sun.com/whalphin/entry/fedlet_for Try it out give feedback! 9

Fine Grained Authorization Existing policy engine works well, but was designed for URL's 'course grained authorization' > Scales to ~ 10,000 policies Demand for fine grained authorization entitlements > Scale to ~ 1,000,000 policies > XACML model Flexible deployment options > Colocate PEP, PDP > Embed OpenSSO 10

RESTful Identity Services in OpenSSO Evolution of previous, RPC style approach > Goal provide easy access to OpenSSO identity services from any programming language (previous APIs were Java/C only) > SOAP and 'REST like' SOAP emphasised REST like actually used by most developers 11

First Generation of Services Authentication Authorization Verification of user credentials Permission for user to access protected resource POST.../authenticate? username=demo&password=demo GET.../authorize?token=aaa& resource=bbb&action=ccc... Attributes Audit log Obtain attributes of users Perform log & audit operations GET.../attributes? token=aaa&attributes_names=cn POST.../log?appid=aaa& subjectid=bbb=cn&logname=... 12

OpenSSO REST simple security Authen/Authorization of callers to REST URLs > Course grained policy enforcement based on URL Fine grained authorization within the application logic > Examples: access to attributes, ability to log, etc. Session established & maintained after authentication > SSOToken: random string usually stored as cookie SSOToken passed in each request > As either cookie or query parameter Key parameters passed as query parameters 13

Pros for REST simple identity services Easy! Programming language agnostic > OpenSSO is not restricted to Java and C languages Can build loosely coupled systems > Liferay/WebSynergy 14

Cons of using simple identity services Need for client SDK? > Caching? How can consumer site cache the authorization decisions, user attributes, etc, from OpenSSO server? > Maybe a need for SDK. Exceptions? > Mapping of HTTP error codes and passing of error messages. 15

Lessons learned (simple identity services) Imperfect RESTful APIs > Current application not easy to convert to URL resources like REST Message authentication Requires user presence Consumer could masquerade as the user Token management Still useful > Allow access from any programming language > A step toward a more RESTful approach 16

Second Generation of Services Still under construction! First example is entitlement (fine grained authorization) > Pass in subject, action, resource > Get back allow/deny Secured by OAuth > Specifically designed to protect RESTful web services 17

OAuth overview Users securely share their resources in one service with another service without exposing credentials. Prototypical use case: user shares images from an image gallery with a photo printing service. Once user brokers issuance of token, it can be used on an ongoing basis. Think: session keys for consumer applications. Provides a very handy consumer authentication capability through the OAuth digital signature. 18

➊ User brokers issuance of access token Service Provider Consumer User agent (browser) User introduces service provider to consumer Authorization performed through browser redirects Standard user authentication with service provider Access token is issued to consumer on behalf of user 19

➋ Consumer accesses resource directly Consumer Service Provider Consumer signs requests with access token secret Service provider can enforce its own access controls Doesn't require constant user presence 20

Why consider OAuth over others? Mashups quickly evolve toward delegation model Aligns very well with REST (use of HTTP header) More secure than storing credentials everywhere Flexible access token management capability Already multiple client and server implementations Strong community now an IETF working group 21

Conclusion OpenSSO > provides an open source solution for authentication, authorization and beyond > integrates with other open source components such as GlassFish and Apache Web Server allowing a completely open source identity infrastructure > has hundreds of deployments, serving millions of users > has a thriving open source community Download OpenSSO today! 22

Resources OpenSSO http://opensso.org/ Pat Patterson's http://blogs.sun.com/superpat/ Daniel Raskin's http://blogs.sun.com/raskin/ Fulup Ar Foll http://www.fridu.org/fulup 23

Participez! Join Sign up at opensso.org Subscribe OpenSSO Mailing List users@opensso.dev.java.net Download OpenSSO 8.0 Express Build 7* Chat #opensso on freenode.net 24

Thank You. Fulup Ar Foll Master Architect fulup@sun.com 25

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information