Open Source Identity Integration with OpenSSO
April 19, 2008
Pat Patterson, Federation Architect
pat.patterson@sun.com
blogs.sun.com/superpat
Agenda
Web Access Management
> The Problem
> The Solution
> How Does It Work?
Federation
> Single Sign-On Beyond a Single Enterprise
> How Does It Work?
OpenSSO
> Project Overview
Typical Problems
- Every application wants me to log in!
- I have too many passwords; my monitor is covered in Post-its!
- We're implementing Sarbanes-Oxley; we need to control access to applications!
- We need to access outsourced functions!
- Our partners need to access our applications!
Web Access Management
- Simplest scenario is within a single organization
- Factor authentication and authorization out of web applications into a web access management (WAM) solution
- Can use browser cookies within a DNS domain
- Proxy or agent architecture implements role-based access control (RBAC)
- Users get single sign-on, IT gets control
Single Sign-On Within an Organization
[Diagram: End User, SSO Server, two Web Servers, Application Server]
How It Works (participants: Browser, Agent, Application, SSO Server)
1. Browser to Agent: GET hrapp/index.html
2. Agent to Browser: Redirect to SSO Server
3. SSO Server: Authenticate
4. SSO Server to Browser: Redirect to hrapp/index.html (with SSO cookie)
5. Browser to Agent: GET hrapp/index.html (with SSO cookie)
6. Agent to SSO Server: Is this user allowed to access hrapp/index.html?
7. SSO Server to Agent: Yes!
8. Agent: Allow request to proceed
9. Application response
Web Access Management Products
- Sun Java System Access Manager > OpenSSO
- CA (Netegrity) SiteMinder Access Manager
- IBM Tivoli Access Manager
- Oracle (Oblix) Access Manager
- Novell Access Manager
- JA-SIG CAS
- JOSSO
Typical Problems
- Every application wants me to log in!
- I have too many passwords; my monitor is covered in Post-its!
- We're implementing Sarbanes-Oxley; we need to control access to applications!
- We need to access outsourced functions!
- Our partners need to access our applications!
Single Sign-On between Organizations
- Cookies no longer work
> Need a more sophisticated protocol
- Can't mandate a single-vendor solution
> Need standards for interoperability
Single Sign-On Standards (timeline, 2002 to 2006)
- Liberty Phase 1; Liberty ID-FF 1.1, 1.2; Liberty Federation = SAML 2
- SAML 1; SAML 1.1
- Shibboleth 1.0, 1.1; Shibboleth 1.2
- WS-Federation 1.0; WS-Federation 1.1
SAML 2.0 Concepts
- Profiles: combining protocols, bindings, and assertions to support a defined use case
- Bindings: mapping SAML protocols onto standard messaging or communication protocols
- Protocols: request/response pairs for obtaining assertions and doing ID management
- Assertions: authentication, attribute and entitlement information
- Authentication Context: detailed data on types and strengths of authentication
- Metadata: IdP and SP configuration data
SSO Across Organizations
[Diagram: End User, Identity Provider, three Service Providers]
SAML 2.0 SSO Basics (participants: Browser, Service Provider, Identity Provider)
1. Browser to Service Provider: GET hrapp/index.html
2. Service Provider to Browser: Redirect with SAML Request
3. Browser to Identity Provider: SAML Authentication Request
4. Identity Provider: Authenticate
5. Identity Provider to Browser: HTML form with SAML Response
6. Browser to Service Provider: SAML Response
7. Service Provider examines SAML Response and makes access control decision
SAML 2.0 Assertion (Abbreviated!)
<saml:Assertion Version="2.0" ID="..." IssueInstant="2007-11-06T16:42:28Z">
  <saml:Issuer>https://pat-pattersons-computer.local:8181/</saml:Issuer>
  <Signature>...</Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:...:persistent" ...>
      ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M
    </saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
      <saml:SubjectConfirmationData .../>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://pat-pattersons-computer.local/example-pat/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z" ...>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:...:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
SAML 2.0 Adoption
- Sun, IBM, CA: all the usual suspects, except Microsoft
- OpenSAML (Internet2) > Java, C++
- OpenSSO (Sun) > Java, PHP, Ruby
- SimpleSAMLphp (Feide)
- LASSO (Entr'ouvert) > C/SWIG
- ZXID (Symlabs) > C/SWIG
- globo.com
What is OpenSSO?
- Open Access. Open Federation.
- OpenSSO 1.0 == Federated Access Manager 8.0
- All FAM 8.0 builds available via OpenSSO
> Preview features
> Provide feedback
> Review code security
OpenSSO Momentum
- In less than 2 years...
> 650 project members at opensso.org
> ~15 external committers
> Consistently in top 10 java.net projects by mail traffic (of over 3000 projects)
- Production deployments
> www.audi.co.uk: 250,000 customer profiles
> openid.sun.com: OpenID for Sun employees
> telenet.be: foundation for fine-grained authorization
> ...gov.br
OpenSSO Roadmap
- Federation Manager 7.0: Q4CY05
- Access Manager 7.1: Q4CY06
- OpenSSO: Q3CY06
- OpenSSO Federation: Q4CY06
- OpenSSO 1.0 / FAM 8.0: Summer 2008
- OpenSSO 1.next / FAM 8.1: End of 2008
OpenSSO 1.0
Access Management
- Centralized Agent Configuration & Deployment
- Centralized Configuration
- XACML Request/Response
- Wide choice of Application Servers
Federation
- Fedlet
- Virtual Federation
- Multi-Federation Protocol Hub
- WS-Federation 1.1
- 3rd Party WAM Interoperability
OpenSSO 1.0 Identity Services
- Authentication as a service
- Authorization as a service
- Audit as a service
- Attribute Query as a service
- Secure Trust Authority
- Web Services Security Plug-ins
- SDK for Securing Web Services
But that's not all...
OpenSSO Extensions
https://opensso.dev.java.net/public/extensions/
SAML 2.0
- PHP SAML 2.0 SP implementation > Picked up by Feide (Norway)
- Ruby SAML 2.0 SP implementation
- SAML 2.0 ECP test rig
OpenID
- OpenID 1.1 Provider > Deployed at openid.sun.com
Client SDK
- PHP Client SDK implementation
Authentication Modules
- ActivIdentity 4Tress
- Hitachi Finger Vein Biometric
- Information Card (aka CardSpace)
Participate!
- Join: sign up at opensso.org
- Download: OpenSSO 1.0 Build 4
- Subscribe: OpenSSO mailing lists (dev, users, announce)
- Chat: #opensso on freenode.net
Resources
- OpenSSO > http://opensso.org/
- OpenSSO Extensions > https://opensso.dev.java.net/public/extensions/
- SAML @ Globo.com: André Bechara video > http://tinyurl.com/6rugrm
- Pat's Blog: Superpatterns > http://blogs.sun.com/superpat/
- Daniel Raskin's Blog: Virtual Daniel > http://blogs.sun.com/raskin/