lecture 20101124
Web Identity Management
Anderson Liang
CTO, cacaFly
Nov. 24, 2010
Problems
Too many ids & passwords
Someone took my desired name
Duplicated profiles everywhere
Account management is hard
Users want
Single Identity
Roaming among sites
Sign on once vs. sign on at every site
Administrators want
“They” are the same guy?
Federated Identity
Portal
Hide & bridge everything behind it; provide a sign-on-once experience
What Enterprises have
There are a lot of solutions dealing with these problems for enterprises
Novell
Microsoft
IBM
Oracle
Sun Microsystems (acquired by Oracle)
Other ISVs
Portal w/ SSO & Identity Integration
Source: Novell Inc.
[Diagram: customers, partners and employees each sign on with one account and password (e.g. anderson / ********) to a Portal fronted by Novell Access Manager; behind it sit an Oracle DB, Web Server, MS AD, Sun iDS, Mail Server, NIS and FTP Server, whose accounts are synchronised into eDirectory by Novell Identity Manager through LDAP, JDBC, AD and NIS drivers]
Unified Management of Identity
Single Sign On
Central Management
Identity Integration
Source: Novell Inc.
Cover complete Identity Lifecycle
[Diagram: lifecycle events such as promotion, relocation, a new project, a forgotten password or an expired password are handled by account management (provision / de-provision), resource access control (AM) and password management (IDM)]
Source: Novell Inc.
What Open Web has
SAML (2002~) & OpenID (2005~)
http://connectid.blogspot.com/2006/11/we-need-iiw-in-panama.html
What Open Web has
Open Stack (OpenID & more)
• Unencumbered, Cross-Platform Standards
• Open Source / Free Software Implementations
• No Single-Vendor "Lock-In"
• Distributed Extensibility
http://developer.mozilla.org/presentations/sxsw2007/the_open_web/
Why do sites accept external identities?
Enhance user engagement
Leverage social impressions
or
The “outside” identity belongs to the same real person, who has a relationship with the “inside” identity
Technically Speaking
We’re dealing with the problem of “Authentication” & “Authorization” among different sites
OpenID Introduction
Ref: http://www.slideshare.net/daveman692/open-id-overview-seoul-july-2007
What’s OpenID
Single sign-on for the web
Simple and light-weight: not going to replace your bank card PIN
Easy to use and deploy
Built upon proven existing technologies: DNS, HTTP, SSL/TLS, Diffie-Hellman
Decentralized: no single point of failure in the protocol
User-Centric (not Site-Centric)
Free!
An OpenID is a URI
URLs are globally unique and ubiquitous
OpenID allows proving ownership of a URI
People already have identity at URLs via blogs, photos, MySpace, FaceBook, DAUM, etc
My OpenID
How it works
Service Provider (IdP)
Consumer Application (Relying Party, RP)
End User
How it works?
1. Site fetches the HTML of my OpenID
2. Finds "openid.server"
3. Establishes a shared secret with the Provider
4. Redirects my browser to the Provider where I
authenticate and allow the OpenID login
5. Provider redirects my browser back to the site
with an OpenID response
6. Site verifies the signature and logs me in
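As an added example (not from the slides), here is what step 6 looks like on the Relying Party side in Python: the RP rebuilds the key-value form of the signed fields, recomputes the HMAC-SHA1 with the MAC key from the association made in step 3, and also checks the endpoint, return_to and nonce before logging the user in. The MAC key, association handle and URLs are constructed values.

```python
import base64
import hashlib
import hmac

# Association state from step 3 (constructed; the MAC key really comes from the DH association). URLs assumed.
MAC_KEY = b"\x0b" * 20
ASSOC_HANDLE = "demo-assoc-1"
OP_ENDPOINT = "https://op.example.org/server"
RETURN_TO = "https://rp.example.com/openid/return"
MUST_BE_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")

def kv_form(params):
    """Key-Value form of the signed fields (OpenID 2.0 section 4.1.1), rebuilt by the RP."""
    fields = params["openid.signed"].split(",")
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields).encode()

def sign(params, mac_key):
    """HMAC-SHA1 over the KV form, base64 encoded (assoc_type HMAC-SHA1)."""
    mac = hmac.new(mac_key, kv_form(params), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_response(params, mac_key, seen_nonces):
    """Step 6 on the RP side. Returns (True, claimed_id) or (False, reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.op_endpoint") != OP_ENDPOINT:
        return False, "op_endpoint differs from the discovered endpoint"
    if (params.get("openid.return_to"), params.get("openid.assoc_handle")) != (RETURN_TO, ASSOC_HANDLE):
        return False, "return_to or association handle mismatch"
    signed = params.get("openid.signed", "").split(",")
    if any(f not in signed for f in MUST_BE_SIGNED):
        return False, "required field not covered by signature"
    if not hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", "")):
        return False, "bad signature"
    nonce = params["openid.response_nonce"]   # OP-chosen, unique per response
    if nonce in seen_nonces:
        return False, "replayed response"
    seen_nonces.add(nonce)
    return True, params["openid.claimed_id"]

def make_response(claimed_id, nonce):
    """Constructed positive assertion, as the OP would redirect it back in step 5."""
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": OP_ENDPOINT, "openid.claimed_id": claimed_id,
         "openid.identity": claimed_id, "openid.return_to": RETURN_TO,
         "openid.response_nonce": nonce, "openid.assoc_handle": ASSOC_HANDLE,
         "openid.signed": ",".join(MUST_BE_SIGNED)}
    p["openid.sig"] = sign(p, MAC_KEY)
    return p
```

A real RP also compares the claimed_id against the discovery result and bounds the nonce's timestamp; both are left out here.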
Sign On in RP site
Redirect to IdP for authentication
Grant permission to RP site
Sign On process succeeded!
Create OpenID on your own domain
in http://andersonlamp.hopto.org/index.php
How it works in detail
http://www.openaselect.org/trac/openaselect/wiki/OpenID
Related Specifications
OpenID Authentication 1.1/2.0
OpenID Attribute Exchange (AX) 1.0
OpenID Provider Authentication Policy Extension (PAPE) 1.0
OpenID Simple Registration Extension (SReg) 1.0
Yadis Discovery Protocol
Demo: Yadis Discovery
Open Source OpenID Implementation
Test Sites: myid.tw, myopenid.com, yahoo
myid.tw
myopenid.com
blogspot
Yahoo
Is OpenID enough?
OpenID deals with the “Identity”, not the “resources”
Several extensions enhance authorization for accessing “resources”
OpenID Conversation
http://www.slideshare.net/steveivy/openid-oauth-an-introduction
OAuth Conversation
http://www.slideshare.net/steveivy/openid-oauth-an-introduction
OAuth Introduction
Ref: http://www.slideshare.net/rmetzler/identity-on-the-web-openid-vs-oauth
What’s OAuth?
Sharing your data without sharing your password
Site-Centric/Centralized
Registration-based
Secure API authentication
Role
• User owns Resource at Service Provider
• Consumer is registered manually at Service Provider
• User grants Consumer access to Resource
OAuth Flow
http://oauth.net/core/diagram.png
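An added example, not from the slides or oauth.net, of the signing step behind "secure API authentication" in the OAuth 1.0 flow: the Consumer signs each request with HMAC-SHA1 over the signature base string, and the Service Provider verifies it with the secrets registered for that Consumer. The credentials and request are the OAuth Core 1.0 Appendix A example values, so the computed signature can be checked against the specification.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    """OAuth percent-encoding: only RFC 3986 unreserved characters stay bare."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature Base String: METHOD & enc(base URL) & enc(normalized parameters).
    URL query parameters and oauth_* parameters are merged and sorted after
    encoding; oauth_signature itself is never part of the string."""
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    items = list(params.items()) + parse_qsl(u.query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in items if k != "oauth_signature")
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Key is consumer secret & token secret (token secret is empty before a token exists)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def provider_verify(method, url, params, consumer_secret, token_secret, seen_nonces):
    """Service Provider side: recompute with the secrets registered for this Consumer
    and refuse a (consumer key, nonce) pair that was already used."""
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    replay_key = (params.get("oauth_consumer_key"), params.get("oauth_nonce"))
    if replay_key in seen_nonces:
        return False
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    seen_nonces.add(replay_key)
    return True

# Request and credentials from the OAuth Core 1.0 Appendix A example: the Consumer
# fetches the user's protected photo after the user granted it access.
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
PHOTO_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"

def signed_request(nonce="kllo9940pd9333jh", timestamp="1191242096"):
    """The oauth_* parameters the Consumer sends (e.g. in the Authorization header)."""
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": TOKEN,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": timestamp,
              "oauth_nonce": nonce, "oauth_version": "1.0"}
    params["oauth_signature"] = hmac_sha1_signature("GET", PHOTO_URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params
```

A production provider also rejects stale oauth_timestamp values so the nonce store can be bounded; that check is left out here.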
Sign in with OAuth
Authenticate
Grant Access
Logged in
OpenID v.s. OAuth
OpenID
Sharing Identity
Decentralized
Consumer-Provider-Relationship: unknown
OAuth
Sharing Resources
Centralized
Consumer-Provider-Relationship: known
Google works
OpenID + OAuth
Google Account as OpenID
Everyone can paste https://www.google.com/accounts/o8/id and log in with it as their OpenID
It will be discovered by the RP as a server endpoint, triggering an id_select login process
You will be issued an OpenID such as https://www.google.com/accounts/o8/id?id=AItOwk...nqJOSI
from: http://www.slideshare.net/timdream/google-apps-account-as-openid
Google Account as OpenID
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>
from: http://www.slideshare.net/timdream/google-apps-account-as-openid
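An added example (not the slides' code) of what the RP does with such an XRDS document: Yadis discovery in Python that picks the OpenID 2.0 service and, for a server type as in Google's document, switches to the id_select process by sending identifier_select instead of a user URL; a signon service with a LocalID is handled as well. The XRDS documents and endpoint URLs below are constructed.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"   # XRD 2.0 namespace, as in the document above
SERVER = "http://specs.openid.net/auth/2.0/server"   # OP Identifier service
SIGNON = "http://specs.openid.net/auth/2.0/signon"   # Claimed Identifier service
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed XRDS in the shape of the Google document (endpoint URL is assumed).
OP_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service priority="0">
    <Type>http://specs.openid.net/auth/2.0/server</Type>
    <Type>http://openid.net/srv/ax/1.0</Type>
    <URI>https://op.example.org/o8/ud</URI>
  </Service></XRD>
</xrds:XRDS>"""

# Constructed XRDS for a user's own URL that delegates to an OP-Local Identifier.
USER_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service>
    <Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI>https://op.example.org/server</URI>
    <LocalID>https://op.example.org/users/alice</LocalID>
  </Service></XRD>
</xrds:XRDS>"""

def discover(xrds_text, user_supplied):
    """RP-side Yadis discovery: choose the highest-priority OpenID 2.0 service and
    decide which identifiers go into the checkid_setup request."""
    root = ET.fromstring(xrds_text.encode())
    candidates = []
    for svc in root.iter(XRD + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD + "Type") if t.text}
        uri, local = svc.find(XRD + "URI"), svc.find(XRD + "LocalID")
        if uri is None or not uri.text:
            continue
        local_id = local.text.strip() if local is not None and local.text else None
        prio = int(svc.get("priority", 10**9))   # XRDS: lower wins, absent sorts last
        candidates.append((prio, types, uri.text.strip(), local_id))
    for _, types, endpoint, local_id in sorted(candidates, key=lambda c: c[0]):
        if SERVER in types:   # OP Identifier: the OP picks the ID (id_select process)
            return {"mode": "id_select", "endpoint": endpoint, "claimed_id": IDENTIFIER_SELECT,
                    "identity": IDENTIFIER_SELECT, "extensions": sorted(types - {SERVER})}
        if SIGNON in types:   # Claimed Identifier: the URL the user typed (signon process)
            return {"mode": "signon", "endpoint": endpoint, "claimed_id": user_supplied,
                    "identity": local_id or user_supplied, "extensions": sorted(types - {SIGNON})}
    raise ValueError("no OpenID 2.0 service found")
```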
OpenID + OAuth Dance
from: http://code.google.com/intl/zh-TW/apis/accounts/docs/OpenID.html
“id_select” process?
New* in OpenID 2.0, which was introduced back in 2007
Indicates that the user wishes to use a specific OpenID IdP, but didn’t know or state their own OpenID
Therefore the “id_select” login process asks the OpenID IdP to select an ID for the user.
The other login process is the “signon” process
Yahoo
OpenID + OAuth
http://openid.yahoo.com/
Authenticate
Rename your OpenID
Yahoo Dance
facebook & yelp !
Single Sign-On
Facebook enables you to remove the registration process for your site by enabling users to log in to your site with their Facebook account.
Once a user logs in to your site with his or her Facebook account, you can access the user's account information from Facebook, and the user is logged in to your site as long as he or she is logged in to Facebook.
http://developers.facebook.com/docs/guides/web#login
http://www.facebook.com/instantpersonalization/
Register Your Resource (App)
http://developers.facebook.com/setup/
OAuth Authorization
https://graph.facebook.com/oauth/authorize?client_id=<your App ID>&redirect_uri=<redirect URL>
resource
Grant Access to the Resource (App)
This is a demo APP to show the usage of facebook social plugins
http://andersonlamp.hopto.org/?code=2.XX7JPLlnLnC26i_5ldohMQ__.3600.1290531600-702462107|7qT7yWTCm4CjglPkLQDT2NnsMVw
Get Access Token & Invoke Graph API
https://graph.facebook.com/oauth/access_token?client_id=<app id>&redirect_uri=<redirect url>&client_secret=<app secret>&code=<verification string>
access_token=1558827777************************4b20009d789d-100001*******************************LA44qC1NxGh-***
https://graph.facebook.com/me?access_token=...
Quick start with social plugins
http://developers.facebook.com/plugins
Like Button
Like Box
Comments
Activity Feed
Recommendations
Friendpile
Login Button
Live Stream
Case Study
Redefine the Problems
How to achieve Identity Federation?
Web Single Sign On: How to let users sign on once (on one site) and roam everywhere (on other sites) for a given period of time?
Examples: facebook Like Button outside facebook
funP Push Button outside funP
Yam’s Identity in funP.com
facebook Like Button
funP Push Button
Sign On Yam
Sign On Yam Succeeded
Visit funP.com & Click Push Button
Ask Remote Identity
We have a valid session from Yam at this moment!
funP grants access w/o Sign On
Duration of the permission granted
User has choice to refuse to use the identity from Yam
Enter funP with Yam’s Identity
Click Push Button with Yam’s Identity
Redefine the Problems
How to achieve Identity Federation?
Identity Integration (Identity Acquisition): How to recognize that different Web identities represent the same real identity?
cross-domain user account provisioning
cross-domain entitlement management
cross-domain user attribute exchange
Examples: funP – account acquisition from Yam
Jibjab.com – leverage facebook accounts
funP.com
Option 1: Clone Yam’s Identity
Option 1 / Option 2
Option 1: Create a funP Identity from Yam’s Identity
Option 2: Upgrade Yam’s Identity to funP Identity
Upgrade notice
Name the new identity
Option 2: Upgrade complete
Yam Identity’s replica in funP
Option 2: Acquire Yam’s Identity
Sign On funP
Go to acquire external accounts
Acquire Yam’s Identity
Acquire Yam’s Identity
Redirect to authenticate Yam’s Identity
Yam’s Authentication
Authenticated! Return to funP
User can abandon the acquired identity instead
Identity acquired! Ask for final confirmation
Identity acquisition complete
Compound Identity
Jibjab.com
Choose to Sign On w/ fb Identity
Redirect to Sign On with fb Identity
Grant fb permissions
Grant fb permission (again?)
Ask to merge fb Identity w/ Jibjab one
Signed in w/ fb Identity
Users have freedom to link to a jibjab account anytime
Remarks
OpenID is “Open” for “Users”
http://www.slideshare.net/steveivy/openid-oauth-an-introduction
OAuth is “Open” for “Applications”
http://www.slideshare.net/steveivy/openid-oauth-an-introduction
Q&A