SAML and OAUTH Technologies WebSphere Application Server

SAML and OAUTH Technologies WebSphere Application Server Bill O'Donnell STSM WebSphere Foundation Security Architect Session TAW-1701 Session TAW-1698

Please Note IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. 2

About the Speaker Bill O'Donnell My email is bill.odonnell@us.ibm.com WebSphere Foundation Security Architect (Austin Labs) Responsible for: Security Architecture and Design for WebSphere Portfolio Security Architect for WebSphere Application Server Product Security Incident Response Team (PSIRT) for WebSphere and AIM brand Product Secure Engineering for WebSphere and AIM brand See my website at http://www.ibm.com/developerworks/websphere/zones/was/security/ 3

What are we going to talk about? SAML Overview SAML Web SSO Post Binding Profile SAML Web Services Token Profile OAUTH Overview 4

SAML Overview 5

What is SAML? Security Assertion Markup Language (SAML) OASIS XML-based standard Used to exchange authentication and authorization data between parties Identity Provider handles authentication and the creation and verification of SAML tokens. Service Provider accepts a SAML Token as an identity assertion SAML comprised of many (20+) profiles describing very specific uses cases on how to use SAML WebSphere Support Technical Exchange 6 6

Why SAML Web SSO? Growing popularity Client-based (browser) SSO solution Decoupling from the server allows greater ease of interoperability between cross-vendor products Relies on identity assertion rather than server-side authentication This means WAS does not need to be connected to the user registry at all WebSphere Support Technical Exchange 7 7

Common Usage Cases Target user registry not visible on WAS network SSO interoperability between WAS and non-was servers using the IdP as a common login portal SAML assertion is saved in the security Subject for down-stream calls IdP-agnostic, because all SAMLResponses and tokens must be formatted according to OASIS standards WebSphere Support Technical Exchange 8 8

SAML Highlights Web SSO Post Binding Profile Delivered in WAS Full Profile 7.0.0.23, 8.0.0.4, 8.5.0.0 SSO between WAS and non WAS servers Relies on a Identity Assertion rather than server side authentication Typically using an Identity Provider (IdP) Web Service Security Token Profile 1.1 Delivered in WAS Full Profile 7.0.0.9 and 8.0.0.0 and above Used by JAX-WS applications between WAS and non WAS servers Requires a Security Token Service such as TFIM or ADSM 9

SAML Web SSO Post Binding Profile 10

Basic Flow WebSphere Support Technical Exchange 11 11

Basic Flow Described 1. User accesses IdP Either directly, or through redirect via WAS TAI error page definition. WAS does NOT support SP-initiated SSO 2. IdP sends back SAMLResponse POST to WAS 3. ACSTrustAssociationInterceptor grabs the response 4. ACS TAI grabs the username attribute (NameId by default) and any other defined group membership attributes and passes them to the SP Depending on TAI config, SP may verify user and/or user s group membership in a repository, 5. SP uses that data to create an LTPA token SP is either the default WebSphereSamlSP at the /samlsps context, or a customer-implemented SP WebSphere Support Technical Exchange 12 12

Basic Flow continued WebSphere Support Technical Exchange 13 13

WAS Configuration - Enablement Update to 7.0.0.23 or 8.0.0.4 Install WebSphereSamlSP.ear or run installsamlacs.py script Enable ACS TAI via AdminTask.addSAMLTAISSO or add the class manually in ISC Import the IdP's FederationMetadata.xml using the AdminTask.importSAMLIdpMetadata command, or simply import its signer certificate Configure WAS to trust the IdP's realm Configure WAS security custom properties and ACSTAI custom properties WebSphere Support Technical Exchange 14 14

Example TAI properties WebSphere Support Technical Exchange 15 15

Authorization Group membership can be asserted in the SAMLResponse and/or grabbed from the WAS user registry Controlled by sso_<id>.sp.groupmap and sso<id>.sp.groupname Security role to user/group mappings defined in the normal fashion, but watch out for weird realm names. Purely asserted groups must be mapped manually, since the registry isn t searchable from the WAS ISC WebSphere Support Technical Exchange 16 16

SSL Transport- and message-layer encryption are both optional Best practice: the public key from the IdP be imported into WAS so that we can validate/trust the <Signature> Message-layer encryption can be enabled by providing the IdP with the WAS public key, and specifying the sso_<id>.sp.keystore, sso_<id>.sp.keypassword, and sso_<id>.sp.keyalias TAI custom props for the private key WebSphere Support Technical Exchange 17 17

Error Pages Unauthenticated requests are redirected based on sso_<id>.sp.login.error.page http://, https:// or MappingClassName Almost always want to set this to the same URL as sso_<id>.idp_<id>.singlesignonurl More complex deployments will want to implement the IdentityProviderMapping interface to allow for dynamic error pages Generates error page URL using the unauthenticated HttpServletRequest as input WebSphere Support Technical Exchange 18 18

Required Global Security properties WebSphere Support Technical Exchange 19 19

Web Services Security: SAML Token Profile 1.1 20

Web Service SAML single-sign-on and propagation A user authenticates to an STS and requests SAML tokens using the bearer(or sender-vouches) confirmation method. The user then uses SAML tokens to access a business services provider. The business services provider validates the SAML tokens and asserts the identity and attributes of the user based on the trust relationship between the provider and the issuing STS (or sender). The service provider request service from next service provider with propogated SAML token 21

Web Service SAML single-sign-on with holder-of-key 1 The user logs on with a Web browser using SPNEGO (or Form Login) and is authenticated. A JAAS subject is created. 2 The credential from the SPNEGO token is used to request a SAML token using WS-Trust. The token is signed with the trust server private key. 3 The signature of the SAML token is validated based on the trust relationship. The security credential is created using the attributes from the SAML token. The cryptographic key from the SAML token is used to decrypt the SOAP message. 22

SAML Assertion across multiple security domains This sample diagram shows three WebSphere Application Server security domains, each of which has its own user registry. Users in the two security domains on the left send Web services messages to access resources of the security domain on the right. Users send their identities in SAML tokens to identify themselves to the target security domain. A Web services provider will use the SAML user identity to create a security context without checking its own user registry. 23

Default SAML policyset and general bindings SAML-specific default policy sets and general bindings are provided when the SAML function is installed. These policy sets and sample general bindings are used to request SAML tokens from an external Security Token Service (STS), and to propagate SAML tokens to downstream Web services. Default policy sets: SAML11 Bearer WSHTTPS default SAML11 Bearer WSSecurity default SAML11 HoK Public WSSecurity default SAML11 HoK Symmetric WSSecurity default SAML20 Bearer WSHTTPS default SAML20 Bearer WSSecurity default SAML20 HoK Public WSSecurity default SAML20 HoK Symmetric WSSecurity default General bindings Saml Bearer Client sample Saml Bearer Provider sample Saml HoK Symmetric Client sample Saml HoK Symmetric Provider sample 24

Create,validate,parse,and request SAML using API Use the SAML library application programming interface (API), the SAMLTokenFactory, to configure token parameters, create a SAML token, and bind the created token to a service request. Use the SAML trust client API to send WS-Trust SOAP requests to the specified external Security Token Service (STS) to request, validate, or exchange an SAML token. 25

Additional WebSphere Product Resources Learn about upcoming WebSphere Support Technical Exchange webcasts, and access previously recorded presentations at: http://www.ibm.com/software/websphere/support/supp_tech.html Discover the latest trends in WebSphere Technology and implementation, participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/ Join the Global WebSphere Community: http://www.websphereusergroup.org Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant View a webcast replay with step-by-step instructions for using the Service Request (SR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html Sign up to receive weekly technical My Notifications emails: http://www.ibm.com/software/support/einfo.html WebSphere Support Technical Exchange 26 26

OAUTH Overview 27

What is OAUTH? Open Authorization (Oauth) Provides a way for a client to access a server resource on behalf of the resource owner Provides a way for the end user to authorize a 3 rd party to their server resources without sharing their credentials Becoming popular in social computing space As an example, Facebook and Google leverages for accessing their public APIs. WebSphere Support Technical Exchange 28 28

Delegated Authorization Example Valet Key An access token which offers scope access to vehicle capabilities: Speed restriction Distance restriction 29 Cannot alter some car functions e.g. radio stations Will not open storage areas 29

Other non-technical examples Participant passcode vs leader passcode on a teleconference or web conference. Doctor s prescription A boarding pass Any other master key system such as those used by hotels and offices for room/cabinet access. 30 30

Example UseCase for OAUTH OAuth allows for resource sharing for social computing applications Scenario Alice wants to print her Google Picasa photos using a third party online photo printing service. Alice protects her Google Picasa photo albums using a password. Alice does not want to share her password. Using OAuth, Alice will grant access to the third party printing service the ability to read her photo. 03/28/11 31 IBM Confidential

Example user experience In this example, a client has a twitter account. The client application will be the online library example, and will tweet which books have been borrowed by the end-user to their twitter account. When borrowing a book for the first time (i.e. the client needs to establish an access token for the user), you are redirected to twitter for authorization. 32

Example user experience cont After authorization, the application can tweet using the access token The application can continue to use that access token until it expires If I login to twitter directly, I can see any tweets that were made on my behalf via API 33

OAuth 2.0 authorization code flow Classic three-legged OAuth with a resource owner, client and service provider. 1. The client (e.g. a web application) decides that access is required to the resource owner s private resources at a known service provider. 2. Client redirects the user to the authorization server to authorize access. 3. Service provider generates a onetime authorization code that is sent via redirect back to the client. 4. Client exchanges authorization code for an authorized access token [and refresh token]. 5. Client can [repeatedly] use the access token to obtain access to the private resources. 34

OAUTH 2.0 Highlights Delivered in WAS Full Profile 7.0.0.25, 8.0.0.5, and 8.5.0.1 and WAS Liberty Profile 8.5.0.2 WAS IBM Product Exploits Lotus Connections 35

OAUTH 2.0 Configuring Sample Liberty configuration in server.xml <!-- A simple OAuth provider definition. The filter determines which urls it will handle. One client is authorized to access the provider --> <oauthprovider id="sampleoauthprovider" filter="request-url%=protectedresource; request-url!=protectedresource/abc"> <localstore> <client name="client01" secret="{xor}ldo8ltor" displayname="client01" redirect="http://localhost:1234/oauthclient/redirect.jsp" enabled="true"/> </localstore> </oauthprovider> <!-- An OAuth provider can also have clients stored in a relational DB --> <oauthprovider id="dboauthprovider" filter="request-url%=oauthdbstore"> <databasestore datasourceref="oauthclientdatasource" /> </oauthprovider> <datasource id="oauthclientdatasource" jndiname="jdbc/oauth2db" jdbcdriverref="derbyembedded"> <properties.derby.embedded databasename="${shared.resource.dir}/data/oauthdb" createdatabase="create" /> </datasource> 36

For more information Configuring and using OAUTH from my security website OAUTH for WebSphere Application Server for Full WAS Profile Dd OAUTH for WebSphere Application Server for Liberty Profile dd 37

We love your Feedback! Don t forget to submit your Impact session and speaker feedback! Your feedback is very important to us we use it to improve next year s conference Go to the Impact 2013 SmartSite (http://impactsmartsite/com): Use the session ID number to locate the session Click the Take Survey link Submit your feedback 38

Legal Disclaimer IBM Corporation 2013. All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. If the text contains performance statistics or references to benchmarks, insert the following language; otherwise delete: Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. If the text includes any customer examples, please confirm we have prior written approval from such customer and insert the following language; otherwise delete: All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Please review text for proper trademark attribution of IBM products. At first use, each product name must be the full name and include appropriate trademark symbols (e.g., IBM Lotus Sametime Unyte ). Subsequent references can drop IBM but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphere Application Server). Please refer to http://www.ibm.com/legal/copytrade.shtml for guidance on which trademarks require the or symbol. Do not use abbreviations for IBM product names in your presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in your presentation as follows; delete any not included in your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both. If you reference Adobe in the text, please mark the first use and include the following; otherwise delete: Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. If you reference Java in the text, please mark the first use and include the following; otherwise delete: Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. If you reference Microsoft and/or Windows in the text, please mark the first use and include the following, as applicable; otherwise delete: Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. If you reference Intel and/or any of the following Intel products in the text, please mark the first use and include those that you use as follows; otherwise delete: Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. If you reference UNIX in the text, please mark the first use and include the following; otherwise delete: UNIX is a registered trademark of The Open Group in the United States and other countries. If you reference Linux in your presentation, please mark the first use and include the following; otherwise delete: Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. If the text/graphics include screenshots, no actual IBM employee names may be used (even your own), if your screenshots include fictitious company names (e.g., Renovations, Zeta Bank, Acme) please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used for illustration purposes only.