Implementing Single Sign-On in Java Technology-based Web Services
Rima Patel Sriganesh, Technology Evangelist, Sun Microsystems, Inc.
Why Am I Here? Well, because I hate to sign on tens of times for using hundreds of different services online.
Presentation Goal
Understand SAML, a technology that enables open and interoperable design and implementation of Single Sign-On (SSO) functionality in web services.
Learning Objectives
As a result of this presentation, you will be able to:
- Understand what SSO is and its enabling technology, SAML
- Know various SSO use cases and scenarios
- Know how to implement SSO in web services using SAML
Speaker's Qualifications
- Rima is a Technology Evangelist at Sun Microsystems (rima.patel@sun.com)
- Rima publishes on EvangCentral: http://www.sun.com/developers/evangcentral
- Rima speaks frequently on the J2EE platform, Sun ONE Web Services technology and XML Security at conferences around the globe
- Rima is a Sun Certified Programmer for the Java Platform
Agenda for the Next Hour
- SSO in web services
- Security Assertions Markup Language
- SAML: A closer look
- SAML SSO scenarios
- Implementing SSO, by example
- Summary and Resources
SSO in Web Services
What Is SSO, Anyway?
SSO represents the ability of a user to authenticate in one domain and use resources in another domain WITHOUT re-authenticating.
SSO Web Services: A Generic Use Case
(Diagram: the user authenticates at the Source; security information is passed from the Source to the Destination; the user uses the Destination with no re-authentication. Source and Destination may belong to a Federation.)
Now We Know That SSO Is Not New, but a Million Dollar Question Is:
Does the existing SSO infrastructure let us create interoperable and cost-effective SSO services?
Although the Answer to the Previous Question Is No, we do see an enabling technology emerging on the horizon!
Security Assertions Markup Language (SAML)
SAML
- XML framework for exchanging security information over the Internet
- Standardization efforts carried out within the Security Services Technical Committee at OASIS
- Based on a merger of two competing security efforts, S2ML and AuthXML
Where Exactly Does SAML Help?
- It enables different security services systems to INTEROPERATE
- It does not define any new approaches to authentication/authorization
Where Is SAML Headed? Roadmap
- SAML 1.0 Specification Set (Committee Working Draft) has been released as of February 2002
- SAML 1.0 Committee Specification submission to OASIS is due by March 2002
- Java Specification Request 155 (JSR-155) defines a standard Java API for SAML
Where Is SAML Headed? Industry Traction
- Used in the security services implementation of Internet2
- Sun (Network Identity/iPlanet DSAME)
- Entrust (GetAccess portal)
- Systinet (WASP Secure Identity)
- Securant (RSA ClearTrust)
- Entegrity (AssureAccess)
- Netegrity (AffiliateMinder)
What Does SAML Define?
The SAML specification is a set of documents that define:
- Assertions and Request/Response Protocol
- Bindings and Profiles
- Security considerations while using SAML
- Conformance guidelines and test suite
- Use cases and requirements
SAML: A Closer Look: Assertions and Protocol
Assertions
- Declaration of a certain fact about a Subject (e.g., a user, code, etc.)
- Issued by SAML Authorities
Types of Assertions
- Attribute Assertions
- Authentication Assertions
- Authorization Decision Assertions
SAML Architecture
(Diagram: the Relying Party sends a SAML Request to the Issuing Authority; the Issuing Authority creates the Assertion and returns it in a SAML Assertion Response; the exchange is carried in SOAP over HTTP.)
Who Would Possibly Play as Issuing Authorities?
Third-party Security Services Providers:
- Microsoft for its Passport initiative
- XNSORG for its Web Identity Platform
- DotGNU for its Virtual Identity Platform
Who Would Possibly Play as Issuing Authorities? (Cont.)
Businesses acting as Security Services Providers within Federations:
- AOL, AMEX, VISA, American Airlines, ... play as Authorities for asserting security information pertaining to their respective users
- Using Liberty Alliance technologies
Assertion Common Elements
- Issuer and issuance timestamp
- Assertion ID
- Subject: Name and Security Domain, and optionally the subject's authentication data
- Advice: additional information provided by the issuing authority
Assertion Common Elements (Cont.)
Conditions under which an assertion is valid:
- Assertion validity period: NotBefore and NotOnOrAfter
- Audience restrictions
- Target restrictions
- Application-specific conditions
Protocol for Requesting/Receiving Assertions
(Diagram: the Relying Party sends a SAML Assertion Request to a TRUSTED Issuing Authority and receives a SAML Assertion Response in return.)
Request for Authentication Assertion
Sent by the relying party to the Issuing Authority, asking it to assert that Subject S is authenticated.
CAUTION
- Assertions are made about acts of authentication that have ALREADY occurred
- SAML does not include requirements or specifications for these acts of authentication
Example Request for Authentication Assertion
<samlp:Request MajorVersion="1" MinorVersion="0" RequestID="123.45.678.90.12345678">
  <samlp:AuthenticationQuery>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
    </saml:Subject>
  </samlp:AuthenticationQuery>
</samlp:Request>
Authentication Assertion
An Issuing Authority asserts that Subject S was authenticated by means M at time T.
Example of Authentication Assertion
<samlp:Response MajorVersion="1" MinorVersion="0" RequestID="128.14.234.20.90123456"
    InResponseTo="123.45.678.90.12345678" StatusCode="Success">
  <saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="123.45.678.90.12345678"
      Issuer="Sun Microsystems, Inc." IssueInstant="2002-01-14T10:00:23Z">
    <saml:Conditions NotBefore="2002-01-14T10:00:30Z" NotOnOrAfter="2002-01-14T10:15:00Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="Password"
        AuthenticationInstant="2002-01-14T10:00:20Z">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
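What a relying party has to do with an assertion like the one above is check its Conditions before acting on it. The following is an added example, not code from the slides or from the DSAME implementation: it validates the assertion with nothing but the JDK's own XML APIs, checking the issuer against a trust list, the NotBefore/NotOnOrAfter window with a tolerance for clock skew, and every AudienceRestrictionCondition against the relying party's own audience URI. The sample assertion is the one on this slide with the SAML 1.0 namespace declaration added and a constructed AudienceRestrictionCondition; the audience URI http://hewitt.com/sunflex, the 30-second skew and the decision to refuse an assertion that has no NotOnOrAfter are this example's own choices. Note what these checks do not do: they say nothing about whether the XML really came from the issuer. In the pull model that comes from the authenticated back-channel on which the assertion was fetched; in the Browser/POST profile it comes from the XML signature on the assertion.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Relying-party side check of a SAML 1.0 assertion's Conditions (added example, JDK only). */
public class AssertionConditionCheck {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    // Constructed sample: the authentication assertion from the slide, with the namespace
    // declaration and an AudienceRestrictionCondition for Hewitt added for this example.
    static final String SAMPLE_ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" MajorVersion=\"1\" MinorVersion=\"0\""
        + " AssertionID=\"123.45.678.90.12345678\" Issuer=\"Sun Microsystems, Inc.\""
        + " IssueInstant=\"2002-01-14T10:00:23Z\">"
        + "<saml:Conditions NotBefore=\"2002-01-14T10:00:30Z\" NotOnOrAfter=\"2002-01-14T10:15:00Z\">"
        + "<saml:AudienceRestrictionCondition><saml:Audience>http://hewitt.com/sunflex</saml:Audience>"
        + "</saml:AudienceRestrictionCondition></saml:Conditions>"
        + "<saml:AuthenticationStatement AuthenticationMethod=\"Password\""
        + " AuthenticationInstant=\"2002-01-14T10:00:20Z\"><saml:Subject>"
        + "<saml:NameIdentifier SecurityDomain=\"sun.com\" Name=\"rimap\"/>"
        + "</saml:Subject></saml:AuthenticationStatement></saml:Assertion>";

    /** Hardened DOM parser: namespace-aware, no DTDs and no external entities (XXE). */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Returns every reason to reject the assertion at time 'now'; an empty list means accept. */
    static List<String> problems(String assertionXml, Set<String> trustedIssuers,
                                 String ourAudience, Instant now, Duration clockSkew) throws Exception {
        List<String> problems = new ArrayList<>();
        Element assertion = parse(assertionXml).getDocumentElement();
        if (!SAML_NS.equals(assertion.getNamespaceURI()) || !"Assertion".equals(assertion.getLocalName())) {
            problems.add("root element is not a saml:Assertion");
            return problems;
        }
        // 1. The Issuer must be an authority we have a trust relationship with.
        String issuer = assertion.getAttribute("Issuer");
        if (!trustedIssuers.contains(issuer)) problems.add("untrusted issuer: " + issuer);

        // 2. Validity window. NotBefore is inclusive, NotOnOrAfter is exclusive; allow a little skew.
        NodeList conds = assertion.getElementsByTagNameNS(SAML_NS, "Conditions");
        if (conds.getLength() == 0) {
            problems.add("no Conditions element: refusing an assertion with no validity period");
            return problems;
        }
        Element conditions = (Element) conds.item(0);
        if (conditions.hasAttribute("NotBefore")) {
            Instant notBefore = Instant.parse(conditions.getAttribute("NotBefore"));
            if (now.plus(clockSkew).isBefore(notBefore)) problems.add("not yet valid (NotBefore " + notBefore + ")");
        }
        if (conditions.hasAttribute("NotOnOrAfter")) {
            Instant notOnOrAfter = Instant.parse(conditions.getAttribute("NotOnOrAfter"));
            if (!now.minus(clockSkew).isBefore(notOnOrAfter)) problems.add("expired (NotOnOrAfter " + notOnOrAfter + ")");
        } else {
            problems.add("no NotOnOrAfter: refusing an assertion that never expires"); // policy choice
        }
        // 3. Every AudienceRestrictionCondition present must name us, or the assertion is not for us.
        NodeList restrictions = conditions.getElementsByTagNameNS(SAML_NS, "AudienceRestrictionCondition");
        for (int i = 0; i < restrictions.getLength(); i++) {
            NodeList audiences = ((Element) restrictions.item(i)).getElementsByTagNameNS(SAML_NS, "Audience");
            boolean named = false;
            for (int j = 0; j < audiences.getLength(); j++) {
                if (ourAudience.equals(audiences.item(j).getTextContent().trim())) named = true;
            }
            if (!named) problems.add("not addressed to audience " + ourAudience);
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        Set<String> trusted = Set.of("Sun Microsystems, Inc.");
        Duration skew = Duration.ofSeconds(30);
        // Inside the window, trusted issuer, right audience: the list comes back empty.
        System.out.println(problems(SAMPLE_ASSERTION, trusted, "http://hewitt.com/sunflex",
                Instant.parse("2002-01-14T10:05:00Z"), skew));
        // The same assertion replayed an hour later to another site: expired and wrong audience.
        System.out.println(problems(SAMPLE_ASSERTION, trusted, "http://other.example/",
                Instant.parse("2002-01-14T11:05:00Z"), skew));
    }
}
```

Returning the full list of problems rather than a single boolean is deliberate: a relying party should log why an assertion was refused, and an assertion that is both expired and addressed to someone else is a stronger signal of replay than either alone.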
Request for Attribute Assertion
Sent by the relying party to the Issuing Authority, asking it to assert the values of attributes A, B, ... for a subject S.
Example Request for Attribute Assertion
<samlp:Request ...>
  <samlp:AttributeQuery>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
    </saml:Subject>
    <saml:AttributeDesignator AttributeName="Employee_ID" AttributeNamespace="sun.com"/>
  </samlp:AttributeQuery>
</samlp:Request>
Attribute Assertion
An Issuing Authority asserts that Subject S is associated with attributes A, B, ... with values a, b, ...
Example of Attribute Assertion
<samlp:Response ...>
  <saml:Assertion ...>
    <saml:Conditions .../>
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
      </saml:Subject>
      <saml:Attribute AttributeName="Employee_ID" AttributeNamespace="sun.com">
        <saml:AttributeValue>123456</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
Request for Authorization Decision Assertion
Sent by the relying party to the Issuing Authority, asking it to assert whether Subject S is allowed access of type D to Resource R, given the Evidence E.
- Evidence is an assertion on which the Issuing Party relies while making the authorization decision
- Evidence is optional
Example Request for Authorization Decision Assertion
<samlp:Request ...>
  <samlp:AuthorizationDecisionQuery Resource="http://hewitt.com/sunflex/benefits">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="http://sun.com" Name="rimap"/>
    </saml:Subject>
    <saml:Actions Namespace="http://sun.com">
      <saml:Action>read_benefits</saml:Action>
      <saml:Action>change_benefits</saml:Action>
    </saml:Actions>
    <saml:Evidence>
      <saml:Assertion>...some assertion...</saml:Assertion>
    </saml:Evidence>
  </samlp:AuthorizationDecisionQuery>
</samlp:Request>
Authorization Decision Assertion
An Issuing Authority asserts that a request for a particular access by Subject S to Resource R has resulted in the authorization decision D, on the basis of the given evidence E (if present).
Example of Authorization Decision Assertion
<samlp:Response ...>
  <saml:Assertion ...>
    <saml:Conditions .../>
    <saml:AuthorizationDecisionStatement Decision="Permit" Resource="http://hewitt.com/sunflex/benefits">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
      </saml:Subject>
    </saml:AuthorizationDecisionStatement>
  </saml:Assertion>
</samlp:Response>
Producer and Consumer Model for Assertions
(Diagram, following the SAML domain model: a Credentials Collector feeds the Authentication Authority, which produces the Authentication Assertion; the Attribute Authority produces the Attribute Assertion; the Policy Decision Point (PDP) produces the Authorization Decision Assertion. A System Entity makes an Application Request to the Policy Enforcement Point (PEP), which consumes the assertions to enforce the decision.)
SAML and Extensibility
- Applications can define specific assertions and exchange assertions using a specific request/response protocol
- However, extensibility comes at the cost of interoperability
SAML: A Closer Look: Bindings and Profiles
SAML Bindings
- A binding is a way to transport SAML requests and responses
- Defined by mapping the SAML message exchange onto a messaging or communication protocol
- A SOAP-over-HTTP binding is defined
SOAP-over-HTTP Binding for SAML
(Diagram: a SOAP Message consists of a SOAP Header and a SOAP Body; the SAML Request/Response is carried in the SOAP Body.)
SAML Profiles
- A profile describes a way to embed SAML assertions into, and extract them from, a framework or protocol
- Currently defined: Web Browser SSO profiles
- Draft profiles: SAML Profile for XML DSIG
Web Browser SSO Profiles
- Support SSO scenarios in web services delivered through browsers
- Two ways to convey assertion information: Browser/Artifact and Browser/POST
Browser/Artifact Profile
Supports SSO scenarios in which:
- When a user accesses a secured resource on the destination site, an artifact (a reference) is sent along with the request
- The destination site uses the artifact to de-reference the real assertion from the source site
Browser/POST Profile
Supports SSO scenarios in which assertions are:
- Exchanged as part of an HTML form
- POSTed to the destination site on submitting the form
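In the Browser/POST profile the assertion itself travels through the user's browser, so the destination site has nothing but the XML to go on: the assertion has to be signed by the source site, and the destination has to verify that signature before it reads a single attribute. The following is an added example written against the JDK's XML Digital Signature API (javax.xml.crypto.dsig); it is not code from the slides or from any SAML product. The source side signs the assertion with an enveloped signature over the whole document and Base64-encodes it for a hidden form field; the destination side decodes the field, verifies the signature with the source site's public key (assumed to be pinned from out-of-band configuration), checks that exactly one signature is present and that it covers the whole document, and only then returns the subject name. The RSA key pair generated in main stands in for the source site's real key, and the sample assertion is the slide's authentication assertion with the SAML 1.0 namespace declaration added.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Base64;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Signing and verifying a SAML 1.0 assertion carried by the Browser/POST profile (added example). */
public class BrowserPostAssertion {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                                   // required for XML DSig
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no XXE
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    static byte[] serialize(Document doc) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }

    /** Source site: enveloped signature over the whole assertion, then Base64 for the form field. */
    static String signForPost(String assertionXml, KeyPair sourceSiteKey) throws Exception {
        Document doc = parse(assertionXml.getBytes(StandardCharsets.UTF_8));
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(sourceSiteKey.getPrivate(), doc.getDocumentElement()));
        return Base64.getEncoder().encodeToString(serialize(doc));
    }

    /** Destination site: verify with the pinned key before trusting anything; null means refuse. */
    static String verifyAndGetSubject(String formField, PublicKey pinnedSourceKey) throws Exception {
        Document doc = parse(Base64.getDecoder().decode(formField));
        Element root = doc.getDocumentElement();
        if (!SAML_NS.equals(root.getNamespaceURI()) || !"Assertion".equals(root.getLocalName())) return null;
        NodeList sigs = root.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return null;             // exactly one signature, nothing wrapped in
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(pinnedSourceKey, sigs.item(0));
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return null;                // digest or signature value does not match
        // The one reference must be URI "" (the whole document): what we read is what was signed.
        if (sig.getSignedInfo().getReferences().size() != 1
            || !"".equals(((Reference) sig.getSignedInfo().getReferences().get(0)).getURI())) return null;
        NodeList ids = root.getElementsByTagNameNS(SAML_NS, "NameIdentifier");
        return ids.getLength() == 1 ? ((Element) ids.item(0)).getAttribute("Name") : null;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sourceSiteKey = kpg.generateKeyPair();       // stands in for the source site's real key
        String assertion = "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" MajorVersion=\"1\" MinorVersion=\"0\""
            + " AssertionID=\"123.45.678.90.12345678\" Issuer=\"Sun Microsystems, Inc.\" IssueInstant=\"2002-01-14T10:00:23Z\">"
            + "<saml:Conditions NotBefore=\"2002-01-14T10:00:30Z\" NotOnOrAfter=\"2002-01-14T10:15:00Z\"/>"
            + "<saml:AuthenticationStatement AuthenticationMethod=\"Password\" AuthenticationInstant=\"2002-01-14T10:00:20Z\">"
            + "<saml:Subject><saml:NameIdentifier SecurityDomain=\"sun.com\" Name=\"rimap\"/></saml:Subject>"
            + "</saml:AuthenticationStatement></saml:Assertion>";
        String field = signForPost(assertion, sourceSiteKey);
        System.out.println("verified subject: " + verifyAndGetSubject(field, sourceSiteKey.getPublic()));
        // What a user sitting in the middle could try: edit the subject in the form field in transit.
        String tampered = Base64.getEncoder().encodeToString(
            new String(Base64.getDecoder().decode(field), StandardCharsets.UTF_8)
                .replace("Name=\"rimap\"", "Name=\"admin\"").getBytes(StandardCharsets.UTF_8));
        System.out.println("tampered field accepted: " + (verifyAndGetSubject(tampered, sourceSiteKey.getPublic()) != null));
    }
}
```

Two design points are worth keeping when adapting this: the verifying key comes from the destination's own configuration, never from a KeyInfo inside the posted XML (anyone can sign with a key they also supply), and the signature reference covers the whole document, so a signed fragment wrapped inside an unsigned assertion cannot pass. A signed assertion is still replayable by the user who received it, so the Conditions checks (validity window, audience) apply on top of signature verification.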
SAML SSO Scenarios: Pull Model, Push Model, Third-party Security Service
SSO Web Services: Pull Model Scenario, Part I
Participants: Employee (System Entity); Sunweb.central (Authentication and Attribute Authority); Hewitt.com/sunflex/benefits (PEP/PDP)
1. Employee authenticates to Sunweb.central
2. Employee chooses the Benefits link
3.1 Sunweb.central provides an authentication assertion reference
3.2 Sunweb.central redirects the Employee to Hewitt.com
4.1 Employee requests the Benefits Management Service at Hewitt.com
4.2 The request carries the authentication assertion reference
SSO Web Services: Pull Model Scenario, Part II
5. Hewitt.com requests the SAML authentication assertion from Sunweb.central (the pull)
6. Sunweb.central provides the SAML authentication assertion
7. Hewitt.com provides access to the Benefits Management Service
SSO Web Services: Push Model Scenario, Part I
Participants: Employee (System Entity); Sunweb.central (Authentication and Attribute Authority); Hewitt.com/sunflex/benefits (PEP/PDP)
1. Employee authenticates to Sunweb.central
2. Employee chooses the Benefits link
3. Sunweb.central pushes the authentication and attribute assertions to Hewitt.com
4. Hewitt.com provides an authorization assertion reference in return
SSO Web Services: Push Model Scenario, Part II
5.1 Sunweb.central provides the authorization assertion reference to the Employee
5.2 Sunweb.central redirects the Employee to Hewitt.com
6.1 Employee requests the Benefits Management Service
6.2 The request carries the authorization assertion reference
7. Hewitt.com provides access to the Benefits Management Service
SSO Web Services: Third-Party Security Service Scenario, Part I
Participants: Consumer (System Entity); AOL Magic Carpet (Security Service); Travelocity.com (PEP/PDP)
1. Consumer authenticates to AOL Magic Carpet
2. AOL Magic Carpet provides authentication and attribute assertion references
3.1 Consumer requests booking of a vacation itinerary at Travelocity.com
3.2 The request carries the authentication and attribute assertion references
SSO Web Services: Third-Party Security Service Scenario, Part II
4. Travelocity.com requests the authentication and attribute assertions from AOL Magic Carpet
5. AOL Magic Carpet provides the authentication and attribute assertions
6. Travelocity.com lets the Consumer book the vacation itinerary
SSO Web Services: Third-Party Security Service Scenario, Part III
Participants: Consumer (System Entity); Travelocity.com (PEP/PDP); Vacationpurchase.com (PEP/PDP)
7. Consumer clicks the link for vacationpurchase.com
8. Travelocity.com forwards the authentication and attribute assertions to Vacationpurchase.com
9. Vacationpurchase.com provides an authorization assertion reference
SSO Web Services: Third-Party Security Service Scenario, Part IV
10.1 Travelocity.com forwards the authorization assertion reference to the Consumer
10.2 Travelocity.com redirects the Consumer to vacationpurchase.com
11.1 Consumer requests the secured resource
11.2 The request carries the authorization assertion reference
12. The Customer is allowed to purchase vacation goodies!
Implementing SAML by Example
Scenario implemented: the Pull Model (Parts I and II, as above), with the Employee as System Entity, Sunweb.central as Authentication and Attribute Authority, and Hewitt.com/sunflex/benefits as PEP/PDP.
SSO Between Sun and Hewitt: Service Interaction Diagram
(Diagram, built up over several slides. Sun.com hosts Login (JSP), Employee Assistant (JSP/Servlet), ForwardToHewitt (Servlet) and SunAssert (JAXM Service); Hewitt.com hosts HewittEntry (Servlet) and SunFlex (JSP/Servlet).)
1. Employee logs in at Login (JSP) on Sun.com
2. Employee is shown the Employee Assistant (JSP/Servlet)
3. Choosing the benefits link invokes the ForwardToHewitt servlet
4. ForwardToHewitt redirects the Employee to the HewittEntry servlet on Hewitt.com, with the assertion reference
5. HewittEntry calls the SunAssert JAXM service on Sun.com with that reference
6. SunAssert returns the assertion to HewittEntry
7. HewittEntry checks the assertion and redirects the Employee
8. Employee reaches SunFlex (JSP/Servlet) on Hewitt.com
ForwardToHewitt: Sample Implementation (using the iPlanet DSAME SAML implementation)
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException {
    // Generate the Assertion for the user who is already authenticated at Sun.com
    Assertion objAssertion = getAssertion(request.getRemoteUser());

    // Write the assertion to your store (a filesystem, say) and
    // return a reference (a random number) to this assertion
    AssertionArtifact objArtifact =
        createAssertionArtifact(objAssertion, "Sun.Com", "Hewitt.Com");
    String sReference = objArtifact.getAssertionArtifact();

    // Now redirect the user to the HewittEntry servlet with the assertion reference.
    // The reference is a bearer token for the assertion: in production send it only
    // over HTTPS, and URL-encode it (artifacts are Base64 and contain '+' and '/').
    response.sendRedirect("http://hewitt.com/HewittEntry?SAMLart="
        + URLEncoder.encode(sReference, "UTF-8"));
}

ForwardToHewitt (Cont.)
public Assertion getAssertion(String sUserName) {
    // Create the SAML Conditions under which this assertion is valid
    // (startDate/endDate, objAudience, objTarget, sSecurityDomain, departmentValue
    // and assertionID are set elsewhere in the servlet)
    Conditions objConditions = new Conditions(startDate, endDate);
    // Add an Audience Restriction Condition, if any
    objConditions.addAudienceRestrictionCondition(objAudience);
    // Add a Target Restriction Condition, if any
    objConditions.addTargetRestrictionCondition(objTarget);

    // Create the Subject this assertion is about
    NameIdentifier nameIdentifier = new NameIdentifier(sSecurityDomain, sUserName);
    Subject objSubject = new Subject(nameIdentifier);

    // Now make an Authentication Statement: how and when this user authenticated
    AuthenticationStatement objAuthStmt =
        new AuthenticationStatement("Password", new Date(), objSubject);

    // Now build an Attribute Statement carrying the user's department
    Attribute attribute = new Attribute("Department", "sun.com", departmentValue);
    List attributeList = new ArrayList();
    attributeList.add(attribute);
    AttributeStatement objAttrStmt = new AttributeStatement(attributeList, objSubject);

    // Now build an Assertion containing the above statements
    String sIssuer = "Sun Microsystems, Inc.";
    Set objStmts = new HashSet();
    objStmts.add(objAuthStmt);
    objStmts.add(objAttrStmt);
    Assertion objAssertion =
        new Assertion(assertionID, sIssuer, new Date(), objConditions, objStmts);
    return objAssertion;
}

HewittEntry: Sample Implementation (using the iPlanet DSAME SAML implementation)
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException {
    // Extract the value of the request parameter "SAMLart"
    String sReference = request.getParameter("SAMLart");
    if (sReference == null) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }

    // Now populate a SOAP message consisting of this reference and send it
    // synchronously to the SunAssert JAXM service (sun.com/partners/sunassert)
    // in order to get the actual assertion. This back channel is where the trust
    // lives: it must run over HTTPS with the SunAssert endpoint's certificate verified,
    // otherwise the assertion you get back could come from anyone.
    SOAPMessage objAssertionSoapMsg =
        objSoapConnection.call(objRequestSoapMessage, objUrlEndpoint);

    // The returned SOAP message's body carries the Assertion element; get hold of it
    // and populate the SAML Assertion
    Assertion objAssertion = new Assertion(objSoapAssertionListElement);

    // Once you have the Assertion, check its validity and refuse the user on failure
    if (!isAssertionValid(sPartner, objAssertion)) {
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
    }
    // Everything is okay: redirect the user to Benefits (hewitt.com/sunflex)
    response.sendRedirect("http://hewitt.com/sunflex");
}

HewittEntry (Cont.)
public boolean isAssertionValid(String sFromPartner, Assertion objAssertion) {
    // Make sure that the assertion is coming from a valid partner...
    // Check the date and time validity of the assertion against the current clock
    Conditions objConditions = objAssertion.getConditions();
    boolean bValid = objConditions.checkDateValidity(new Date());
    // Now check whether you are one of the intended audiences
    bValid = bValid && objConditions.checkAudience(audience);
    // Finally return the result of the validity checks
    return bValid;
}

SunAssert (JAXMServlet): Sample Implementation (using the iPlanet DSAME SAML implementation)
public SOAPMessage onMessage(SOAPMessage objIncomingSoapMsg) {
    // Extract the SOAP Body first, then the assertion reference from it
    SOAPElement objReference = extractElement(objIncomingSoapBody, "AssertionArtifact");
    // Now retrieve the Assertion corresponding to this reference from your
    // assertion store (i.e. your filesystem), and remove it as you do: an artifact
    // is dereferenced exactly once, so a replayed or leaked reference yields nothing
    ...
    // Now populate your response SOAP message's body with this assertion
    objResponseSoapBody.addBodyElement(
        objResponseSoapEnv.createName("Assertion", null, null));
    ...
    // Now time to return the response SOAP message to the caller
    return objResponseSoapMsg;
}
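The parts the ForwardToHewitt and SunAssert listings leave as comments, the store the artifact is written to and read back from, are where the security of the Browser/Artifact profile described earlier actually lives. The following is an added example of that store, written against the JDK only; it is not code from the slides or from DSAME. It builds artifacts in the type 0x0001 layout from the SAML 1.0 bindings specification (a 2-byte type code, a 20-byte SourceID that is the SHA-1 of the source site's identifier, and a 20-byte random AssertionHandle, Base64-encoded) and enforces three properties a resolver needs: the handle is unguessable, it resolves exactly once, and it expires after a short lifetime. Binding each artifact to the destination site it was issued for, and checking that against the authenticated caller of the resolve endpoint, is this example's own choice; the site identifiers "Sun.Com" and "Hewitt.Com" are taken from the slides and the 60-second lifetime is a placeholder.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Source-site assertion store behind a SAML 1.0 Browser/Artifact exchange (added example). */
public class ArtifactStore {
    static final byte[] TYPE_CODE = {0x00, 0x01};   // SAML 1.0 artifact type 1
    static final SecureRandom RNG = new SecureRandom();

    private final byte[] sourceId;                  // SHA-1 of our site identifier, per the bindings spec
    private final Duration lifetime;
    private final Map<String, Entry> pending = new ConcurrentHashMap<>();

    /** One stored assertion, keyed by Base64(handle). */
    private static final class Entry {
        final String assertionXml; final String destination; final Instant expires;
        Entry(String a, String d, Instant e) { assertionXml = a; destination = d; expires = e; }
    }

    ArtifactStore(String sourceSiteId, Duration lifetime) throws NoSuchAlgorithmException {
        this.sourceId = MessageDigest.getInstance("SHA-1").digest(sourceSiteId.getBytes(StandardCharsets.UTF_8));
        this.lifetime = lifetime;
    }

    /** Store the assertion and return the artifact to place on the redirect URL (SAMLart). */
    String issue(String assertionXml, String destinationSite, Instant now) {
        byte[] handle = new byte[20];
        RNG.nextBytes(handle);                       // 160 random bits: the reference must be unguessable
        pending.put(Base64.getEncoder().encodeToString(handle),
                    new Entry(assertionXml, destinationSite, now.plus(lifetime)));
        byte[] artifact = new byte[42];
        System.arraycopy(TYPE_CODE, 0, artifact, 0, 2);
        System.arraycopy(sourceId, 0, artifact, 2, 20);
        System.arraycopy(handle, 0, artifact, 22, 20);
        return Base64.getEncoder().encodeToString(artifact);
    }

    /**
     * Dereference an artifact presented by 'requester', the authenticated identity of the
     * destination site calling the resolve endpoint. Returns null whenever it must be refused.
     * The handle is removed on the first lookup, so a replayed artifact resolves to nothing.
     */
    String resolve(String artifactB64, String requester, Instant now) {
        byte[] artifact;
        try { artifact = Base64.getDecoder().decode(artifactB64); }
        catch (IllegalArgumentException e) { return null; }
        if (artifact.length != 42 || !Arrays.equals(Arrays.copyOfRange(artifact, 0, 2), TYPE_CODE)) return null;
        if (!MessageDigest.isEqual(Arrays.copyOfRange(artifact, 2, 22), sourceId)) return null; // not ours
        String key = Base64.getEncoder().encodeToString(Arrays.copyOfRange(artifact, 22, 42));
        Entry e = pending.remove(key);                       // single use
        if (e == null) return null;                          // unknown, or already dereferenced
        if (now.isAfter(e.expires)) return null;             // artifacts live seconds, not minutes
        if (!e.destination.equals(requester)) return null;   // only the intended destination may pull it
        return e.assertionXml;
    }

    public static void main(String[] args) throws Exception {
        ArtifactStore store = new ArtifactStore("Sun.Com", Duration.ofSeconds(60));
        Instant t0 = Instant.parse("2002-01-14T10:00:30Z");
        String art = store.issue("<saml:Assertion .../>", "Hewitt.Com", t0);
        System.out.println("first dereference by Hewitt returns assertion: "
            + (store.resolve(art, "Hewitt.Com", t0.plusSeconds(2)) != null));
        System.out.println("second dereference (replay) refused: "
            + (store.resolve(art, "Hewitt.Com", t0.plusSeconds(3)) == null));
        String late = store.issue("<saml:Assertion .../>", "Hewitt.Com", t0);
        System.out.println("dereference after lifetime refused: "
            + (store.resolve(late, "Hewitt.Com", t0.plusSeconds(120)) == null));
        String other = store.issue("<saml:Assertion .../>", "Hewitt.Com", t0);
        System.out.println("dereference by another site refused: "
            + (store.resolve(other, "Other.Com", t0.plusSeconds(1)) == null));
    }
}
```

The in-memory map is enough for a single source-site instance; with several instances behind a load balancer the store has to be shared and the remove-on-read must stay atomic, or two destinations (or one destination twice) could both resolve the same handle. The SHA-1 here only derives a stable identifier for the source site, as the specification lays it out; it is not doing any integrity work.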
Summary and Resources
Summary
- SAML is one available solution to enable SSO in web services in an interoperable way
- SAML implementations are available
- JSR-155 aims to provide a standard API for writing Java technology-based SAML services
Resources
- Official OASIS SAML resource center: http://www.oasis-open.org/committees/security/
- For the iPlanet DSAME implementation: http://www.iplanet.com
- Lots of whitepapers and a SAML implementation: http://www.netegrity.com
- SAML community website: http://www.saml.org
- SAML @ XML Cover Pages: http://xml.coverpages.org/saml.html
One Thing You Can Do Right Away
Ask yourself: are my service consumers signing in TENS of times? If yes, then start thinking about SAML!