Open Source Identity Integration with OpenSSO April 19, 2008 Pat Patterson Federation Architect blogs.sun.com/superpat

Page 1: Open sso fisl9.0

Open Source Identity Integration with OpenSSO
April 19, 2008

Pat Patterson, Federation Architect
blogs.sun.com/superpat

Page 2: Open sso fisl9.0

Agenda

• Web Access Management
  > The Problem
  > The Solution
  > How Does It Work?

• Federation
  > Single Sign-On Beyond a Single Enterprise
  > How Does It Work?

• OpenSSO
  > Project Overview

Page 3: Open sso fisl9.0


Typical Problems

• “Every application wants me to log in!”

• “I have too many passwords – my monitor is covered in Post-its!”

• “We're implementing Sarbanes-Oxley – we need to control access to applications!”

• “We need to access outsourced functions!”

• “Our partners need to access our applications!”

Page 4: Open sso fisl9.0

Web Access Management

• Simplest scenario is within a single organization
• Factor authentication and authorization out of web applications into a web access management (WAM) solution
• Can use browser cookies within a DNS domain
• Proxy or Agent architecture implements role-based access control (RBAC)
• Users get single sign-on, IT gets control

Page 5: Open sso fisl9.0

Single Sign-On Within an Organization

Diagram: End User, SSO Server, two Web Servers, Application Server

Page 6: Open sso fisl9.0

How It Works

Participants: Browser, Agent, Application, SSO Server

1. Browser: GET hrapp/index.html
2. Agent: redirect to SSO Server (no SSO cookie yet)
3. SSO Server: authenticate the user
4. SSO Server: redirect to hrapp/index.html (with SSO cookie)
5. Browser: GET hrapp/index.html (with SSO cookie)
6. Agent asks SSO Server: is this user allowed to access hrapp/index.html?
7. SSO Server: Yes! Agent allows the request to proceed to the Application
8. Application response
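The flow above as runnable code, an added example that is not OpenSSO's own agent or server code: an in-memory stand-in for the SSO server (user store, sessions, RBAC policy) and a policy agent that does the cookie check, session validation and policy query of steps 2 and 6. The cookie name follows OpenSSO's default (iPlanetDirectoryPro); the login URL, hostnames, users and policies are constructed for the illustration.

```python
"""Model of the web access management flow: a policy agent in front of the
application checks the SSO cookie, validates the session with the SSO server,
asks for a policy decision and either lets the request through or redirects
the browser to the SSO server. Added example, not OpenSSO code; the login
URL, hostnames, users and policies below are constructed for illustration."""
import secrets
import time
import urllib.parse
from dataclasses import dataclass

SSO_COOKIE = "iPlanetDirectoryPro"  # OpenSSO's default SSO cookie name
SSO_LOGIN_URL = "https://sso.example.com/opensso/UI/Login"  # assumed URL
APP_BASE_URL = "https://app.example.com"                    # assumed URL
SESSION_TTL = 600  # seconds; constructed value


@dataclass
class Session:
    user: str
    roles: set
    expires: float


class SsoServer:
    """Stand-in for the SSO server: authenticates users, issues sessions and
    answers the agent's policy questions. Everything lives in memory."""

    def __init__(self):
        # Constructed user store: user -> (password, roles). A real server
        # stores password hashes, not the passwords themselves.
        self._users = {"alice": ("alice-pw", {"hr"}), "bob": ("bob-pw", {"eng"})}
        # Constructed RBAC policy: URL prefix -> roles allowed to reach it.
        self._policy = {"/hrapp/": {"hr"}, "/wiki/": {"hr", "eng"}}
        self._sessions = {}

    def authenticate(self, user, password):
        """Return a session token, or None on failure."""
        stored_pw, roles = self._users.get(user, (None, set()))
        if stored_pw is None or not secrets.compare_digest(stored_pw, password):
            return None
        token = secrets.token_urlsafe(32)  # the cookie value must be unguessable
        self._sessions[token] = Session(user, roles, time.time() + SESSION_TTL)
        return token

    def validate(self, token):
        """Return the live Session for a token, or None if unknown or expired."""
        session = self._sessions.get(token)
        if session is None or session.expires <= time.time():
            self._sessions.pop(token, None)
            return None
        return session

    def is_allowed(self, session, path):
        """RBAC decision: the most specific matching prefix wins; no match denies."""
        for prefix in sorted(self._policy, key=len, reverse=True):
            if path.startswith(prefix):
                return bool(session.roles & self._policy[prefix])
        return False  # default deny


class PolicyAgent:
    """Runs in the web server in front of the application (the slide's 'Agent')."""

    def __init__(self, sso):
        self.sso = sso

    def handle(self, path, cookies):
        """Return (status, body_or_location) for a request to `path`."""
        token = cookies.get(SSO_COOKIE)
        session = self.sso.validate(token) if token else None
        if session is None:
            # No valid SSO session: send the browser to the SSO server and tell it
            # where to come back to. The server sets the cookie after login.
            goto = urllib.parse.quote(APP_BASE_URL + path, safe="")
            return 302, f"{SSO_LOGIN_URL}?goto={goto}"
        if not self.sso.is_allowed(session, path):
            return 403, "forbidden"
        return 200, f"application response for {session.user}"
```

The agent never interprets the cookie itself; it only asks the SSO server whether the token maps to a live session, which is why the cookie has to be confined to the organisation's DNS domain and set with the Secure and HttpOnly flags. A forged or expired cookie lands on the same redirect as no cookie at all, and a path with no matching policy is denied rather than allowed.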

Page 7: Open sso fisl9.0

Web Access Management Products

• Sun Java System Access Manager
  > OpenSSO
• CA (Netegrity) SiteMinder Access Manager
• IBM Tivoli Access Manager
• Oracle (Oblix) Access Manager
• Novell Access Manager
• JA-SIG CAS
• JOSSO

Page 8: Open sso fisl9.0


Typical Problems

• “Every application wants me to log in!”

• “I have too many passwords – my monitor is covered in Post-its!”

• “We're implementing Sarbanes-Oxley – we need to control access to applications!”

• “We need to access outsourced functions!”

• “Our partners need to access our applications!”

Page 9: Open sso fisl9.0

Single Sign-on between Organizations

• Cookies no longer work
  > Need a more sophisticated protocol
• Can't mandate a single vendor solution
  > Need standards for interoperability

Page 10: Open sso fisl9.0

Single Sign-On Standards

Timeline (2002 to 2006, as drawn on the slide):

• 2002: SAML 1.0; Liberty "Phase 1"
• 2003: SAML 1.1; Liberty ID-FF 1.1, 1.2; Shibboleth 1.0, 1.1; WS-Federation 1.0
• 2004: Shibboleth 1.2
• 2005: SAML 2.0 (Liberty Federation = SAML 2: the Liberty federation work converged into SAML 2.0)
• 2006: WS-Federation 1.1

Page 11: Open sso fisl9.0

SAML 2.0 Concepts

Assertions: authentication, attribute and entitlement information
Protocols: request/response pairs for obtaining assertions and doing ID management
Bindings: mapping SAML protocols onto standard messaging or communication protocols
Profiles: combining protocols, bindings, and assertions to support a defined use case
Metadata: IdP and SP configuration data
Authentication Context: detailed data on types and strengths of authentication

Page 12: Open sso fisl9.0

SSO Across Organizations

Diagram: End User, Identity Provider, three Service Providers

Page 13: Open sso fisl9.0

SAML 2.0 SSO Basics

Participants: Browser, Service Provider, Identity Provider

1. Browser: GET hrapp/index.html
2. Service Provider: redirect with SAML Authentication Request
3. Identity Provider: authenticate the user
4. Identity Provider: HTML form with SAML Response
5. Browser: posts the SAML Response to the Service Provider
6. Service Provider examines the SAML Response and makes an access control decision
7. Response
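The redirect in step 2 and its decoding at the Identity Provider, as an added example that is not OpenSSO code: the Service Provider deflates, base64-encodes and URL-encodes the AuthnRequest into the SAMLRequest query parameter (the SAML 2.0 HTTP-Redirect binding), and the Identity Provider reverses the steps with an inflation cap and checks the request against the SP's metadata. Entity IDs, URLs and the metadata table are constructed.

```python
"""SAML 2.0 AuthnRequest over the HTTP-Redirect binding, both sides: the SP
builds the request, DEFLATEs it, base64-encodes it and puts it in the redirect
URL; the IdP reverses the steps and checks the request against SP metadata.
Added example, not OpenSSO code; entity IDs and URLs are constructed."""
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY_ID = "https://sp.example.com/saml"                 # constructed
SP_ACS_URL = "https://sp.example.com/saml/acs"               # constructed
IDP_SSO_URL = "https://idp.example.com/opensso/SSORedirect"  # constructed
# What the IdP knows about registered SPs from their metadata (constructed).
SP_METADATA = {SP_ENTITY_ID: {SP_ACS_URL}}


def build_authn_request(request_id=None, issue_instant=None):
    """SP side: the AuthnRequest XML; Issuer identifies the SP."""
    request_id = request_id or "_" + secrets.token_hex(16)  # IDs are NCNames: no leading digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    )


def encode_redirect(xml_text, relay_state=None):
    """SP side: raw DEFLATE -> base64 -> URL-encode; returns the redirect URL."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect(url, max_bytes=64 * 1024):
    """IdP side: pull SAMLRequest out of the URL and inflate it with a size cap."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(deflated, max_bytes)  # cap the inflated size: a few
    if not inflater.eof:                                   # hundred bytes can inflate to GBs
        raise ValueError("SAMLRequest is truncated or inflates past the size limit")
    # Plain ElementTree here; parse untrusted XML with defusedxml in production.
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": (root.findtext(f"{{{SAML}}}Issuer") or "").strip(),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": query.get("RelayState", [None])[0],
    }


def check_authn_request(req):
    """IdP side: refuse requests not addressed to us, or asking for an ACS URL the
    SP's metadata never registered. Otherwise anyone can craft a request that
    sends the user's Response, assertion included, to a URL they control."""
    problems = []
    if req["destination"] != IDP_SSO_URL:
        problems.append("Destination is not this IdP")
    acs_urls = SP_METADATA.get(req["issuer"])
    if acs_urls is None:
        problems.append("unknown Issuer")
    elif req["acs_url"] not in acs_urls:
        problems.append("AssertionConsumerServiceURL not in SP metadata")
    return problems
```

Two checks matter at the IdP: the Destination must be the IdP's own endpoint, and the AssertionConsumerServiceURL must be one registered in the SP's metadata, since that is where the Response of step 4 will be posted. The Redirect binding can additionally carry SigAlg and Signature query parameters over the request; they are omitted here.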

Page 14: Open sso fisl9.0

SAML 2.0 Assertion (Abbreviated!)

<Assertion Version="2.0" ID="..." IssueInstant="2007-11-06T16:42:28Z">
  <Issuer>https://pat-pattersons-computer.local:8181/</Issuer>
  <Signature>...</Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:...:persistent" ...>ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
      <saml:SubjectConfirmationData .../>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://pat-pattersons-computer.local/example-pat/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z" ...>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:...:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
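What the Service Provider's "examines the SAML Response" step checks on an assertion of this shape, as an added example that is not OpenSSO's own code: issuer trust, signature presence, the Conditions window with clock-skew tolerance, AudienceRestriction, the bearer SubjectConfirmation (Recipient, expiry, InResponseTo) and a replay cache keyed on the assertion ID. The assertion text, the SP and IdP identifiers and the skew value are constructed assumptions; XML Signature verification is left to an xmlsec-style library and must run before any of these checks.

```python
"""Checks a Service Provider makes on a SAML 2.0 assertion shaped like the one
on the slide before trusting its Subject. Added example, not OpenSSO's own
validator; the assertion text and the SP/IdP identifiers are constructed.
Not covered: verifying the XML Signature against the IdP's metadata
certificate (e.g. with xmlsec). That must succeed before these checks matter,
because every field below is attacker-controlled in an unsigned assertion."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DS_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(minutes=3)  # tolerated IdP/SP clock drift; an assumption
SP_ENTITY_ID = "https://sp.example.com/saml"            # constructed
SP_ACS_URL = "https://sp.example.com/saml/acs"          # constructed
TRUSTED_ISSUERS = {"https://idp.example.com/opensso"}   # from IdP metadata; constructed

# Constructed assertion with the same shape as the slide's (Signature elided).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_a1b2c3constructed" IssueInstant="2007-11-06T16:42:28Z">
  <saml:Issuer>https://idp.example.com/opensso</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2007-11-06T16:52:28Z"
          Recipient="https://sp.example.com/saml/acs" InResponseTo="_req123"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-11-06T16:42:28Z" NotOnOrAfter="2007-11-06T16:52:28Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-11-06T16:42:28Z" SessionIndex="s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_utc(stamp):
    """SAML timestamps are UTC 'Z' times; return an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, expected_request_id=None, seen_ids=None):
    """Return (ok, problems, subject). `now` is injected so results are reproducible;
    `seen_ids` is the SP's replay cache of assertion IDs (keep entries until NotOnOrAfter)."""
    root = ET.fromstring(xml_text)  # parse untrusted XML with defusedxml in production
    problems = []
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        problems.append("not a SAML 2.0 Assertion")
    if root.find(DS_SIGNATURE) is None:
        problems.append("unsigned")
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() not in TRUSTED_ISSUERS:
        problems.append("untrusted Issuer")
    if seen_ids is not None:
        if root.get("ID") in seen_ids:
            problems.append("replayed assertion ID")
        seen_ids.add(root.get("ID"))
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        # Validity window: NotBefore is inclusive, NotOnOrAfter exclusive.
        if cond.get("NotBefore") and now + CLOCK_SKEW < parse_utc(cond.get("NotBefore")):
            problems.append("not yet valid")
        if cond.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_utc(cond.get("NotOnOrAfter")):
            problems.append("expired")
        audiences = [a.text.strip() for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("audience mismatch")  # issued for some other SP
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or conf.get("Method") != BEARER or data is None:
        problems.append("no bearer SubjectConfirmation")
    else:
        if data.get("Recipient") != SP_ACS_URL:
            problems.append("Recipient is not our ACS URL")
        if data.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_utc(data.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
        if expected_request_id and data.get("InResponseTo") != expected_request_id:
            problems.append("InResponseTo does not match our request")
    subject = {
        "name_id": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
        "authn_context": root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                                       default="", namespaces=NS).strip(),
    }
    return not problems, problems, subject
```

The constructed sample keeps the slide's ten-minute window (16:42:28 to 16:52:28), so a call with `now` inside it passes and one at 17:00:00Z fails as expired. The AuthnContextClassRef is returned rather than checked because the SP decides per resource whether PasswordProtectedTransport is strong enough; the replay cache only needs to hold an ID until its NotOnOrAfter, after which the time check alone rejects reuse.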

Page 15: Open sso fisl9.0

SAML 2.0 Adoption

• Sun, IBM, CA – all the usual suspects, except Microsoft
• OpenSAML (Internet2)
  > Java, C++
• OpenSSO (Sun)
  > Java, PHP, Ruby
• SimpleSAMLphp (Feide)
• LASSO (Entr'ouvert)
  > C/SWIG
• ZXID (Symlabs)
  > C/SWIG

globo.com

Page 16: Open sso fisl9.0

Open Access. Open Federation.

What is OpenSSO?

• OpenSSO 1.0 == Federated Access Manager 8.0
• All FAM 8.0 builds available via OpenSSO
• Preview features
• Provide feedback
• Review code

Page 17: Open sso fisl9.0

OpenSSO Momentum

• In less than 2 years...
  > 650 project members at opensso.org
  > ~15 external committers
  > Consistently in Top 10* java.net projects by mail traffic
    – * of over 3000 projects

• Production deployments
  > www.audi.co.uk
    – 250,000 customer profiles
  > openid.sun.com
    – OpenID for Sun employees
  > telenet.be
    – Foundation for fine-grained authorization

Page 18: Open sso fisl9.0

OpenSSO Roadmap

Timeline across the three tracks (Access Manager, Federation Manager, OpenSSO):

• Federation Manager 7.0 (Q4CY05)
• OpenSSO (Q3CY06)
• Access Manager 7.1 (Q4CY06)
• OpenSSO Federation (Q4CY06)
• OpenSSO 1.0 / FAM 8.0 (Summer 2008)
• OpenSSO 1.next / FAM 8.1 (End of 2008)

Page 19: Open sso fisl9.0

OpenSSO 1.0

Access Management
• Centralized Agent Configuration & Deployment
• Centralized Configuration
• XACML Request/Response
• Wide choice of Application Servers

Federation
• Fedlet
• Virtual Federation
• Multi-Federation Protocol Hub
• WS-Federation 1.1
• 3rd Party WAM Interoperability

Page 20: Open sso fisl9.0

OpenSSO 1.0

Identity Services
• Authentication as a service
• Authorization as a service
• Audit as a service
• Attribute Query as a service
• Secure Trust Authority
• Web Services Security Plug-ins
• SDK for Securing Web Services

But that's not all...

Page 21: Open sso fisl9.0

OpenSSO Extensions
https://opensso.dev.java.net/public/extensions/

SAML 2.0
• PHP SAML 2.0 SP implementation
  > Picked up by Feide (Norway)
• Ruby SAML 2.0 SP implementation
• SAML 2.0 ECP test rig

OpenID
• OpenID 1.1 Provider
  > Deployed at openid.sun.com

Client SDK
• PHP Client SDK implementation

Authentication Modules
• ActivIdentity 4Tress
• Hitachi Finger Vein Biometric
• Information Card (aka CardSpace)

Page 22: Open sso fisl9.0

Participate!

• Join: sign up at opensso.org
• Download: OpenSSO 1.0 Build 4
• Subscribe: OpenSSO mailing lists (dev, users, announce)
• Chat: #opensso on freenode.net

Page 23: Open sso fisl9.0

Resources

• OpenSSO
  > http://opensso.org/
• SAML @ Globo.com: André Bechara video
  > http://tinyurl.com/6rugrm
• Pat's Blog: Superpatterns
  > http://blogs.sun.com/superpat/
• Daniel Raskin's Blog: Virtual Daniel
  > http://blogs.sun.com/raskin/
• OpenSSO Extensions
  > https://opensso.dev.java.net/public/extensions/
