Web Identity Management

Anderson Liang

CTO, cacaFly

Nov. 24, 2010

Problems

2

Too many ids & passwords

Someone took my desired name

Duplicated profiles everywhere

Account management is hard

Users want

3

Single Identity

Roaming among sites

sign on once v.s. sign on every sites

Administrators want

4

“They” are the same guy?

Federated Identity

Portal

5

Portal

Hide & bridge everything behindProvide Sign On once experiences

What Enterprises have

There are a lot of solutions dealing with these problems for enterprises

Novell

Microsoft

IBM

Oracle

Sun Microsystems (acquired by Oracle)

Other ISVs

6

Portal w/ SSO & Identity Integration

Source: Novell Inc.

客戶

Portal+

NovellAccess

ManagerOracle DB

Web Server

MS AD

Sun iDS

Mail Server

NISDriver

eDirectory

Novell Identity Manager

LDAPDriver

JDBCDriver

ADDriver

FTP Server

合作夥伴

員工

帳號密碼

anderson********

8

Unified Management of Identity

Single Sign On Central Management Identity Integration

Source: Novell Inc.

9

Cover complete Identity Lifecycle

Promote

Relocate

New Project

Forget Passwo

rdPassword

Expired

Resource Access Control

PROVISIONAccount

Management

DE-PROVISION

AMIDM

Password Management

Source: Novell Inc.

What Open Web has

10

SAML (2002~)&

OpenID (2005~)

http://connectid.blogspot.com/2006/11/we-need-iiw-in-panama.html

What Open Web has

Open Stack (OpenID & more)

11

• Unencumbered, Cross-Platform Standards

• Open Source / Free Software Implementations

• No Single-Vendor "Lock-In”• Distributed Extensibility

http://developer.mozilla.org/presentations/sxsw2007/the_open_web/

Why sites accept external identities?

Enhance user engagement

Leverage social impressions

or

The “outside” identity belongs to the same real person, who has relationship with “inside” identity

12

Technically Speaking

13

We’re dealing with the problem:

“Authentication”

&

“Authorization”

among different sites

OpenID Introduction

Ref: http://www.slideshare.net/daveman692/open-id-overview-seoul-july-2007

What’s OpenID

Single sign-on for the web

Simple and light-weightnot going to replace your bank card pin

Easy to use and deploy

Built upon proven existing technologiesDNS, HTTP, SSL/TLS, Diffie-Hellman

Decentralizedno single point of failure in the protocol

User-Centric (not Site-Centric)

Free!15

An OpenID is a URI

URLs are globally unique and ubiquitous

OpenID allows proving ownership of an URI

People already have identity at URLs via blogs, photos, MySpace, FaceBook, DAUM, etc

16

My OpenID

17

How it works

18

Service Provider(IDP)

Consumer Application(Relying Party, RP)

End User

How it works?

1. Site fetches the HTML of my OpenID

2. Finds "openid.server“

3. Establishes a shared secret with the Provider

4. Redirects my browser to the Provider where I

authenticate and allow the OpenID login

5. Provider redirects my browser back to the site

with an OpenID response

6. Site verifies the signature and logs me in

19

Sign On in RP site

20

Redirect to IDP for authentication

21

Grant permission to RP site

22

Sign On process success!

23

Create OpenID on your own domain

24

in http://andersonlamp.hopto.org/index.php

How it works in detail

25http://www.openaselect.org/trac/openaselect/wiki/OpenID

Related Specifications

OpenID Authentication 1.1/2.0

OpenID Attribute Exchange (AX) 1.0

OpenID Provider Authentication Policy

Extension (PAPE) 1.0

OpenID Simple Registration Extension

(SReg) 1.0

Yadis Discovery Protocol

26

Demo: Yadis Discovery

Open Source OpenID Implementation

Test Sitesmyid.tw

myopenid.com

google

yahoo

27

myid.tw

28

myopenid.com

29

Google

30

blogspot

31

Yahoo

32

33

Is OpenID enough?

OpenID deal with the “Identity”, not the “resources”

Several extensions to enhance the authorization of accessing “resources”

34

OpenID Conversation

35http://www.slideshare.net/steveivy/openid-oauth-an-introduction

OAuth Conversation

36http://www.slideshare.net/steveivy/openid-oauth-an-introduction

OAuth Introduction

Ref: http://www.slideshare.net/rmetzler/identity-on-the-web-openid-vs-oauth

What’s OAuth?

Sharing your data without sharing your password

Site-Centric/Centralized

Registration-based

Secure API authentication

38

Role

39

• User own Resource at Service Provider

• Manually register Consumer at Service Provider

• User grants Consumer access to Resource

OAuth Flow

40http://oauth.net/core/diagram.png

Sign in with OAuth

41

Authenticate

42

Grant Access

43

Logged in

44

OpenID v.s. OAuth

OpenID

Sharing Identity

Decentralized

Consumer-Provider-Relationship: unknown

OAuth

Sharing Resources

Centralized

Consumer-Provider-Relationship: known

45

Google works

OpenID + OAuth

Google Account as OpenID

Everyone can pastehttps://www.google.com/accounts/o8/idand login as your OpenID

It will be discovered by RP as an server endpoint, trigger an id_select login process

You will be issued an OpenID ashttps://www.google.com/accounts/o8/id?id=AItOwk...nqJOSI

47from: http://www.slideshare.net/timdream/google-apps-account-as-openid

Google Account as OpenID

48

<?xml version="1.0" encoding="UTF-8"?><xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> <XRD> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/server</Type> <Type>http://openid.net/srv/ax/1.0</Type> <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type> <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type> <Type>http://specs.openid.net/extensions/pape/1.0</Type> <URI>https://www.google.com/accounts/o8/ud</URI> </Service> </XRD>

</xrds:XRDS>

from: http://www.slideshare.net/timdream/google-apps-account-as-openid

OpenID + OAuth Dance

49from: http://code.google.com/intl/zh-TW/apis/accounts/docs/OpenID.html

“id_select” process?

New* in OpenID 2.0

Which is introduced back in 2007

Indicate that user wishes to use a specific OpenID

IdP, however he didn’t know/say his own OpenID

Therefore the “id_select” login process asks the

OpenID IdP to select an ID for the user.

The other login process being “signon” process

50

Yahoo

OpenID + OAuth

http://openid.yahoo.com/

52

Authenticate

53

Rename your OpenID

54

Yahoo Dance

55

Facebook

facebook & yelp !

57

Single Sign-On

Facebook enables you to remove the registration process for your site by enabling users to log in to your site with their Facebook account.

Once a user logs in to your site with his or her Facebook account, you can access the user's account information from Facebook, and the user is logged in to your site as long as he or she is logged in to Facebook.

http://developers.facebook.com/docs/guides/web#loginhttp://www.facebook.com/instantpersonalization/ 58

Register Your Resource (App)

59

http://developers.facebook.com/setup/

OAuth Authorization

60

https://graph.facebook.com/oauth/authorize?client_id=<your App ID>&redirect_uri=<redirect URL>

resource

Grant Access to the Resource (App)

61

This is a demo APP to show the usage of facebook social plugins

http://andersonlamp.hopto.org/?code=2.XX7JPLlnLnC26i_5ldohMQ__.3600.1290531600-702462107|7qT7yWTCm4CjglPkLQDT2NnsMVw

Get Access Token & Invoke Graph API

62

https://graph.facebook.com/oauth/access_token? client_id=<app id>& redirect_uri=<redirect url>& client_secret=<app secret>& code=<verification string>

access_token=1558827777************************4b20009d789d-100001*******************************LA44qC1NxGh-***

https://graph.facebook.com/me?access_token=...

Quick start with social plugins

http://developers.facebook.com/plugins

Like Button Like Box

Comments

Activity Feed Recommendations

FriendpileLogin ButtonLive Stream

63

Case Study

Redefine the Problems

How to achieve Identity Federation?

Web Single Sign OnHow to let users sign on once (on one site), and roam everywhere (on other sites), for a given period of time?

Examplesfacebook Like Button outside facebook

funP Push Button outside funP

Yam’s Identity in funP.com

65

facebook Like Button

66

funP Push Button

67

Sign On Yam

68

Sign On Yam Successed

69

Visit funP.com & Click Push Button

70

Ask Remote Identity

71

We have a valid session from Yam at this moment!

funP grant access w/o Sign On

72

Duration of the permission granted

User has choice to refuse to use the identity from Yam

Enter funP with Yam’s Identity

73

Click Push Button with Yam’s Identity

74

Redefine the Problems

How to achieve Identity Federation?

Identity Integration (Identity Acquisition)How to recognize different Web identities represents the same real identity?

cross-domain user account provisioning

cross-domain entitlement management

cross-domain user attribute exchange

ExamplesfunP – account acquisition from Yam

Jibjab.com – leverage facebook accounts

75

funP.com

76

Option 1: Clone Yam’s Identity

77

Option 1Option 2

Option 1:Create a funP Identity from Yam’s Identity

78

Option 2:Upgrade Yam’s Identity to funP Identity

79

Upgrade notice

Name the new identity

Option 2: Upgrade complete

80

Yam Identity’s replica in funP

81

Option 2: Acquire Yam’s Identity

82

Sign On funP

83

Go to acquire external accounts

Acquire Yam’s Identity

84

Acquire Yam’s Identity

Redirect to authenticate Yam’s Identity

85

Yam’s Authentication

86

Authenticated! Return to funP

87

User can abandon the acquired identity instead

Identity acquired! Ask for final confirmation

Identity acquisition complete

88

Compound Identity

89

Jibjab.com

90

Choose to Sign On w/ fb Identity

91

Redirect to Sign On with fb Identity

92

Grant fb permissions

93

Grant fb permission (again?)

94

Ask to merge fb Identity w/ Jibjab one

95

Signed in w/ fb Identity

96

Users have freedom to link to a jibjab account anytime

97

Remarks

OpenID is “Open” for “Users”

99http://www.slideshare.net/steveivy/openid-oauth-an-introduction

OAuth is “Open” for “Applications”

100http://www.slideshare.net/steveivy/openid-oauth-an-introduction

Q&A