OpenSSO Tech Overview Aquarium


Upload: eduardo-pelegri-llopart

Post on 20-May-2015


DESCRIPTION

An Overview of OpenSSO, OpenSource Single-Sign On. At TheAquarium Online

TRANSCRIPT

Page 1: OpenSSO Tech Overview Aquarium

OpenSSO Overview

Sidharth Mishra, Sun Microsystems, Inc.

Page 2: OpenSSO Tech Overview Aquarium

Today's SSO Problems

1. How do I centralize SSO and security policy for my web applications?

2. How can I quickly connect with partners, SaaS providers, subsidiaries, acquisitions and affiliates?

3. How do I centralize SSO and security policy for my web services?

Page 3: OpenSSO Tech Overview Aquarium

OpenSSO Enterprise

A single solution that solves all of the SSO problems: Web Single Sign-On, Federation, and Secure Web Services.

Page 4: OpenSSO Tech Overview Aquarium

Web SSO

Page 5: OpenSSO Tech Overview Aquarium

OpenSSO Enterprise: How does it work?

Page 6: OpenSSO Tech Overview Aquarium

SSO And Access Control: Authentication

• Standards-based, extensible authentication framework (JAAS based)

• Supports multiple pluggable authentication mechanisms

> LDAP, RADIUS, Certificate, SafeWord, RSA SecurID, Unix, Windows NT, WindowsDesktopSSO (Kerberos), Anonymous, Membership (self-enrollment)

> Custom authentication mechanisms using the SPI

• Multi-factor Authentication (Chained Authentication Mechanisms)

• Multi-Level and Multi-Scheme Authentication

• Resource-based Authentication

Page 7: OpenSSO Tech Overview Aquarium

SSO And Access Control: Authorization

• Policy = Rules + Subjects + Conditions + Response Provider

> Rules – The resource to be protected (e.g. URL)

> Subjects – Who is allowed to access (User/Role/Group etc.)

> Condition – Extra Constraints (IP Address mask, authN level/scheme, time/day etc.)

> Response Provider – Additional response data to be sent back to the protected resource.
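The policy shape on this slide (Rules + Subjects + Conditions + Response Provider), worked through as an added example. This is illustration code written for this page, not OpenSSO's policy engine: the hosts, roles, address ranges and header names are constructed, the evaluator is default-deny and only models allow decisions (OpenSSO policies can also carry explicit deny actions), and the authN level and scheme conditions show how the multi-level and multi-scheme authentication from the previous slide feeds into authorization.

```python
# Added illustration of the policy shape on this slide; it is not OpenSSO code.
# Policy = Rules + Subjects + Conditions + Response Provider, evaluated
# default-deny: a request is allowed only when some policy's rule matches the
# resource and action, its subjects include the caller, and every condition
# holds. Explicit deny actions, which real OpenSSO policies support, are omitted.
from __future__ import annotations

import fnmatch
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Optional


@dataclass(frozen=True)
class Session:
    """Constructed stand-in for an authenticated SSO session."""
    user: str
    roles: frozenset[str]
    auth_level: int     # level reached by the (possibly chained) authentication
    auth_scheme: str    # module that authenticated the user, e.g. "LDAP"
    client_ip: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    response_attrs: dict[str, str] = field(default_factory=dict)


# A condition returns None when satisfied, otherwise a short reason string.
Condition = Callable[[Session, datetime], Optional[str]]


def ip_in(cidr: str) -> Condition:
    """Condition: the client address must fall inside the given address mask."""
    net = ipaddress.ip_network(cidr)
    return lambda s, _: (None if ipaddress.ip_address(s.client_ip) in net
                         else f"ip {s.client_ip} not in {cidr}")


def min_auth_level(level: int) -> Condition:
    """Condition: the session's authentication level must be at least `level`."""
    return lambda s, _: (None if s.auth_level >= level
                         else f"authN level {s.auth_level} below {level}")


def auth_scheme_in(*schemes: str) -> Condition:
    """Condition: the user must have authenticated with one of these schemes."""
    return lambda s, _: (None if s.auth_scheme in schemes
                         else f"authN scheme {s.auth_scheme} not accepted")


def within_hours(start: int, end: int) -> Condition:
    """Condition: the request's hour of day must satisfy start <= hour < end."""
    return lambda _, now: (None if start <= now.hour < end
                           else f"hour {now.hour} outside {start}-{end}")


@dataclass
class Policy:
    name: str
    rules: dict[str, frozenset[str]]   # resource glob -> actions it permits
    subjects: frozenset[str]           # "role:<name>" or "user:<name>"
    conditions: list[Condition] = field(default_factory=list)
    # response provider: extra attributes handed back to the protected resource
    response_provider: Optional[Callable[[Session], dict[str, str]]] = None

    def rule_matches(self, resource: str, action: str) -> bool:
        return any(action in actions and fnmatch.fnmatchcase(resource, pattern)
                   for pattern, actions in self.rules.items())

    def subject_matches(self, s: Session) -> bool:
        return f"user:{s.user}" in self.subjects or any(
            f"role:{r}" in self.subjects for r in s.roles)


def evaluate(policies: list[Policy], s: Session, resource: str, action: str,
             now: datetime) -> Decision:
    """Default-deny evaluation; the reason records why each applicable policy failed."""
    failures = []
    for p in policies:
        if not (p.rule_matches(resource, action) and p.subject_matches(s)):
            continue
        unmet = [r for r in (c(s, now) for c in p.conditions) if r]
        if unmet:
            failures.append(f"{p.name}: " + "; ".join(unmet))
            continue
        attrs = p.response_provider(s) if p.response_provider else {}
        return Decision(True, f"allowed by {p.name}", attrs)
    return Decision(False, " | ".join(failures) or "no applicable policy")


# Constructed sample policies, sessions and request times (all values invented).
POLICIES = [
    Policy("hr-payroll",
           rules={"https://intranet.example/hr/*": frozenset({"GET", "POST"})},
           subjects=frozenset({"role:hr-staff"}),
           conditions=[ip_in("10.20.0.0/16"), min_auth_level(2),
                       auth_scheme_in("LDAP", "Certificate"), within_hours(8, 18)],
           response_provider=lambda s: {"X-AuthN-Level": str(s.auth_level),
                                        "X-Roles": ",".join(sorted(s.roles))}),
    Policy("portal",
           rules={"https://www.example.com/portal/*": frozenset({"GET"})},
           subjects=frozenset({"role:employee"}),
           conditions=[min_auth_level(1)]),
]
ALICE = Session("alice", frozenset({"hr-staff", "employee"}), 2, "LDAP", "10.20.5.7")
BOB = Session("bob", frozenset({"employee"}), 1, "LDAP", "10.20.5.8")
ALICE_REMOTE = Session("alice", frozenset({"hr-staff", "employee"}), 1, "Anonymous", "203.0.113.9")
OFFICE_HOURS = datetime(2015, 5, 20, 10, 30)
AFTER_HOURS = datetime(2015, 5, 20, 22, 0)
```

Calling `evaluate(POLICIES, ALICE_REMOTE, "https://intranet.example/hr/payroll/run", "GET", AFTER_HOURS)` yields a denial whose reason lists every unmet condition of the matching policy (address mask, authN level, authN scheme, time of day), which is the information a policy agent would want to log; the same user from the office network with a level-2 LDAP session is allowed and receives the response provider's attributes.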

Page 8: OpenSSO Tech Overview Aquarium

Solution: OpenSSO Web Access Management. Three Tough Challenges. One Powerful Solution.

• Centralized server configuration

• Centralized agent configuration

• Agent and proxy modes

• AAA Identity Services

• Embedded directory server for user store and policy store

• XACML support for standards-based policy management

• Consumes and translates 3rd party tokens from all major WAM solutions

Page 9: OpenSSO Tech Overview Aquarium

Federation

Page 10: OpenSSO Tech Overview Aquarium

Federated Single Sign On

• Federation is built in to OpenSSO Enterprise. No additional software needed.

• Federation for cross-domain application integration.

> Software-infrastructure independent. Sites only agree on protocol version and binding type.

• Facilitates trusted relationships.

> Creates tighter, more satisfying customer, partner and employee relationships.

> Extends existing and new revenue opportunities.

> Implements business models that generate efficiencies and productivity gains.

Page 11: OpenSSO Tech Overview Aquarium

Solution: OpenSSO Federation. Three Tough Challenges. One Powerful Solution.

• The Fedlet, an 8.5 MB package that allows service providers to create fully configured SAML 2 based trust networks in minutes

• Multi-protocol Federation Hub, easily federate with any company regardless of what “federation language” they speak

• Virtual Federation Proxy, incorporate any number of legacy authentications with a single instance of OpenSSO

• Supports all major standards including SAML, WS-Federation, Liberty ID-FF, WS-Trust, WS-Security, and WS-Policy

• Coexists with other major WAM solutions and participates in federation.

Page 12: OpenSSO Tech Overview Aquarium

Web Services Security

Page 13: OpenSSO Tech Overview Aquarium

OpenSSO and Web Services Security

• Problem:

> How do I support web services for my web applications in various containers when it is handled differently from container to container?

• What It Does

> Provides agents that can be deployed in containers for consuming, processing and transforming security tokens, including SAML.

> Abstracts security from the application.

> Agent allows standardization on security across multiple containers (e.g. Sun, IBM, BEA etc.)

– Implements the container's authentication SPI (JSR 196)

– Secures the SOAP request and validates the SOAP response at the WSC.

– Validates the SOAP request and secures the SOAP response at the WSP.

[Diagram: Web Service Client (WSS/J2EE Agent, client SDK), Web Service Provider (WSS Agent, client SDK) and the OpenSSO Server; numbered steps 1 to 5 trace the SOAP (WSS) request between them.]

Page 14: OpenSSO Tech Overview Aquarium

Secure Token Service

• Problem:

> How does the Web service verify the credentials presented by the client?

• How It Works

> An authenticated client requests the token needed to access the web service provider.

> The STS verifies the credentials presented by the client and then, in response, issues a security token that provides proof that the client has authenticated with the STS.

> The client presents the WS-I BSP based security token (User Name, X.509, SAML etc.) to the Web service.

> The Web service verifies that the token was issued by a trusted STS, which proves that the client has successfully authenticated with the STS.

[Diagram: Web Service Client, Security Token Service and Web Service Provider; step 1 Request, step 2 Issue Token (WS-Trust), step 3 SOAP (WSS) call to the provider.]
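The token flow described above, and the agent roles on the previous slide (secure the SOAP request at the WSC, validate it at the WSP), carried through as an added example. This is illustration code written for this page, not OpenSSO's STS or agent code: real deployments exchange WS-Trust and WS-Security XML carrying SAML or X.509 tokens, whereas here a compact HMAC-signed JSON token stands in so that the trust checks (issuer known to the provider, signature intact, audience correct, not expired) are visible end to end. The issuer URLs, keys, user names and order numbers are constructed.

```python
# Added example, not OpenSSO code: a minimal model of the slide's flow.
#   1. the client authenticates to the STS and requests a token
#   2. the STS verifies the credentials and issues a token it has signed
#   3. the WSC attaches the token to the SOAP (WSS) request
#   4. the WSP accepts the request only if the token came from an STS it trusts
# An HMAC-signed JSON token stands in for a WS-Trust/WS-Security SAML or X.509
# token. All names, keys and credentials below are constructed.
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class SecurityTokenService:
    issuer: str
    signing_key: bytes
    # constructed credential store: user -> (salt, sha256(salt + password))
    users: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)

    def enrol(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def authenticate(self, user: str, password: str) -> bool:
        if user not in self.users:
            return False
        salt, digest = self.users[user]
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())

    def issue(self, user: str, password: str, audience: str, now: int, ttl: int = 300) -> str | None:
        """Steps 1-2: verify the presented credentials, then issue a signed token."""
        if not self.authenticate(user, password):
            return None
        claims = {"iss": self.issuer, "sub": user, "aud": audience, "iat": now, "exp": now + ttl}
        body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
        sig = b64url_encode(hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


def secure_request(soap_body: dict, token: str) -> dict:
    """Step 3 (WSC agent): carry the token in the request's Security header."""
    return {"header": {"Security": {"token": token}}, "body": soap_body}


@dataclass
class WebServiceProvider:
    name: str                          # audience a token must name
    trusted_issuers: dict[str, bytes]  # STS issuer -> verification key shared out of band

    def validate(self, token: str, now: int) -> tuple[bool, str]:
        """Step 4 (WSP agent): trusted issuer, intact signature, right audience, not expired."""
        try:
            body, sig = token.split(".")
            claims = json.loads(b64url_decode(body))
            sig_bytes = b64url_decode(sig)
        except ValueError:  # covers a missing '.', bad base64 and bad JSON
            return False, "malformed token"
        if not isinstance(claims, dict):
            return False, "malformed token"
        iss = claims.get("iss")
        key = self.trusted_issuers.get(iss) if isinstance(iss, str) else None
        if key is None:
            return False, f"issuer {iss!r} not trusted"
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig_bytes):
            return False, "bad signature"
        if claims.get("aud") != self.name:
            return False, "wrong audience"
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return False, "token expired"
        return True, str(claims.get("sub", ""))

    def handle(self, request: dict, now: int) -> dict:
        token = request.get("header", {}).get("Security", {}).get("token")
        if token is None:
            return {"fault": "missing security token"}
        ok, detail = self.validate(token, now)
        if not ok:
            return {"fault": detail}
        return {"body": f"order {request['body']['orderId']} accepted for {detail}"}


def run_flow(now: int) -> dict:
    """Drive the four steps once with constructed parties; return the WSP's answers."""
    key = b"constructed-shared-key"
    sts = SecurityTokenService("https://sts.example/", key)
    sts.enrol("alice", "correct horse battery")
    wsp = WebServiceProvider("https://orders.example/ws", {"https://sts.example/": key})
    token = sts.issue("alice", "correct horse battery", wsp.name, now)
    accepted = wsp.handle(secure_request({"orderId": 42}, token), now + 5)
    # a second STS that the WSP was never configured to trust
    rogue = SecurityTokenService("https://rogue.example/", b"other-key")
    rogue.enrol("alice", "anything")
    untrusted = wsp.handle(secure_request({"orderId": 43}, rogue.issue("alice", "anything", wsp.name, now)), now)
    return {"token": token, "accepted": accepted, "untrusted": untrusted}
```

`run_flow(now)` shows the two outcomes the slide describes: the request carrying a token from the configured STS is accepted, while a token from an issuer the provider does not trust is rejected before its signature is even examined. The provider never sees the client's credentials; the shared verification key is the only thing it needs from the STS.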

Page 15: OpenSSO Tech Overview Aquarium

Solution: OpenSSO Secure Web Services. Three Tough Challenges. One Powerful Solution.

• Only standards-based solution that provides a pluggable, end-to-end secure web-services solution

• Standards-based integration with GlassFish.

• Security Token Service that can be deployed as an integrated or standalone solution

• Security Token Service that can handle token issuance, validation and translation via WS-Trust

• Policy enforcement point plugins for WebLogic, WebSphere, Tomcat and JBoss

Page 16: OpenSSO Tech Overview Aquarium

Identity Services

Problem

• How do I invoke and leverage OpenSSO services (authN, authZ etc.) in a platform / language independent manner?

OpenSSO Identity Services

• Makes OpenSSO services and functionalities available in an easy-to-use set of Web Services accessible via SOAP and REST.

Benefits

• Allows developers to easily invoke OpenSSO services.

• Identity Access Layer provides abstraction so components can change without affecting applications.

• Agentless solution that does not require deployment of an agent or proxy to protect a resource.

• Supports usage of the IDE of the developer's choice

> NetBeans, Eclipse, Visual Studio

Identity Services – Easily accessible, design approach independent.

Page 17: OpenSSO Tech Overview Aquarium

Identity Services

Page 18: OpenSSO Tech Overview Aquarium

Thank You.

[email protected]