December 19, 2006
Solving Web Single Sign-on with Standards and Open Source Solutions
Trey Drake
AssetWorld 2007
Albuquerque, New Mexico
November 2007
The Problems
• “I have too many passwords – my monitor is covered in Post-its!”
• “We're implementing Sarbanes-Oxley – we need to control access to applications!”
• “We need to access outsourced functions!”
• “Our partners need to access our applications!”
Conflicting Pressures?
Security
User Convenience
Compliance
Interoperability
Web Single Sign-On
• Simplest scenario is within one enterprise
• Factor authentication and authorization out of web applications into a web access management (WAM) solution
• Can use browser cookies within a DNS domain
• Proxy or Agent architecture implements role-based access control (RBAC)
• Users get single sign-on, IT gets control
SSO Within an Enterprise
End User
SSO Server
Web Server
Web Server
Application Server
How it works
Participants: Browser, Agent, Application, SSO Server
Browser → Agent: GET hrapp/index.html
Agent → Browser: Redirect to SSO Server
Browser ↔ SSO Server: Authenticate
SSO Server → Browser: SSO cookie
Browser → Agent: GET hrapp/index.html (with SSO cookie)
Agent → SSO Server: Is this user allowed to access hrapp/index.html?
SSO Server → Agent: Yes!
Agent → Application: Allow request to proceed
Application → Browser: Application response
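The intra-enterprise flow above, as an added example that is not part of the original deck and not code from any Sun product: a small Python model of the SSO server, the web-server agent and an RBAC policy. The user directory, roles, policy, cookie lifetime and the sso.example host are constructed sample data; the SSO cookie is modelled as an HMAC-signed, expiring token so that the agent's question to the SSO server ("is this user allowed?") is answered only for cookies the server itself issued.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data (hypothetical): users, the roles they hold, and
# which roles may reach which application path prefix.
SECRET = b"sso-server-signing-key-demo"   # known only to the SSO server
USERS = {"alice": "hunter2", "bob": "s3cret"}
ROLES = {"alice": {"hr"}, "bob": {"engineering"}}
POLICY = {"hrapp/": {"hr"}, "eng/": {"engineering", "hr"}}
COOKIE_TTL = 3600                         # seconds an SSO cookie stays valid


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def authenticate(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """SSO server: verify credentials and mint a tamper-evident, expiring SSO cookie."""
    if USERS.get(username) != password:
        return None
    now = time.time() if now is None else now
    claims = json.dumps({"sub": username, "exp": now + COOKIE_TTL}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    return f"{payload}.{_sign(payload.encode())}"


def validate_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """SSO server: return the username if the cookie is authentic and unexpired."""
    try:
        payload, sig = cookie.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None                       # forged or modified cookie
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    if claims["exp"] < now:
        return None                       # expired: force re-authentication
    return claims["sub"]


def is_allowed(user: str, path: str) -> bool:
    """RBAC decision: the user needs one of the roles granted for the path's prefix."""
    for prefix, roles in POLICY.items():
        if path.startswith(prefix):
            return bool(ROLES.get(user, set()) & roles)
    return False                          # no policy for this path: deny by default


def agent_handle(path: str, cookies: dict, now: Optional[float] = None) -> dict:
    """Web-server agent: intercept the request and enforce the SSO server's decision."""
    cookie = cookies.get("sso")
    user = validate_cookie(cookie, now) if cookie else None
    if user is None:
        # No usable SSO cookie: send the browser to the SSO server to log in
        return {"status": 302, "location": f"https://sso.example/login?goto={path}"}
    if not is_allowed(user, path):
        return {"status": 403, "user": user}
    return {"status": 200, "user": user, "body": f"application response for {path}"}


if __name__ == "__main__":
    print(agent_handle("hrapp/index.html", {}))          # redirect to SSO server
    cookie = authenticate("alice", "hunter2")            # user logs in once
    print(agent_handle("hrapp/index.html", {"sso": cookie}))
    print(agent_handle("eng/build.html", {"sso": cookie}))
```

The agent never sees a password and never makes the authorization decision itself, which is the "IT gets control" point of the slide: changing a role or a policy entry at the SSO server changes what every agent enforces.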
Single Sign-on between Enterprises
• Cookies no longer work
– Need a more sophisticated protocol
• Can't mandate single vendor solution
– Need standards for interoperability
Single Sign-on Standards
2002: SAML 1; Liberty “Phase 1”
2003: SAML 1.1; Liberty ID-FF 1.1, 1.2; Shibboleth 1.0, 1.1; WS-Federation 1.0
2004: Shibboleth 1.2
2005: SAML 2 = Liberty Federation
2006: WS-Federation 1.1
SAML 2.0 Concepts
• Profiles – Combining protocols, bindings, and assertions to support a defined use case
• Bindings – Mapping SAML protocols onto standard messaging or communication protocols
• Metadata – IdP and SP configuration data
• Authentication Context – Detailed data on types and strengths of authentication
• Protocols – Request/response pairs for obtaining assertions and doing ID management
• Assertions – Authentication, attribute, and entitlement information
SSO Across Enterprises
End User
Identity Provider
Service Provider
Service Provider
Service Provider
SAML SSO Basics
Participants: Browser, Service Provider, Identity Provider
Browser → Service Provider: GET hrapp/index.html
Service Provider → Browser: Redirect with SAML Request
Browser → Identity Provider: SAML Authentication Request
Browser ↔ Identity Provider: Authenticate
Identity Provider → Browser: HTML form with SAML Response
Browser → Service Provider: SAML Response
Service Provider examines SAML Response and makes access control decision
Service Provider → Browser: Response
What about Web Services?
Typical Web Service Model
End User
Web Service Consumer
Web Service Provider
Transport Level Security
End User
Web Service Consumer
Web Service Provider
Transport-level Security != Identity
• Difficult choice between
– No client authentication
– Client authentication via certificates
• Scope of protection is limited to individual 'hops'
• Even with client authentication, no real non-repudiation due to difficulty of archiving and verifying message flow
• TLS/SSL is still essential for confidentiality and integrity at the transport level, but is not enough – we need a solution at the message level
Basic Web Services Security
End User
Web Service Consumer
Web Service Provider
Identity Provider
Message-level Security – Getting There
• Identity token carried in SOAP header
– WS-Security, WS-I Basic Security Profile
– Industry has converged on SAML Assertion as the token
• SAML allows for bearer tokens, holder-of-key tokens, audience restrictions etc
• Token can be archived with message
• But... restricting the audience to the immediate recipient leaves us with similarly limited scope of protection – one hop
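An added Python example, not from the original deck and not OpenSSO code, that models both the browser exchange of the "SAML SSO Basics" slide and the audience-restriction point made just above. The entity IDs, the user "alice", the assertion lifetime and the signing key are constructed; an HMAC over a canonical serialization stands in for the XML signature a real IdP applies and the SP verifies against the certificate in the IdP's metadata. The same verification routine is then run by a downstream web service to show why a bearer assertion restricted to the SP's audience protects exactly one hop.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed trust configuration (hypothetical entity IDs). A real SP learns
# the IdP's signing certificate from SAML metadata; here a shared HMAC key
# plays that role for both issuer and verifier.
TRUSTED_IDPS = {"https://idp.example": b"idp-signing-key-demo"}
SP_ENTITY_ID = "https://hrapp.sp.example"
PAYROLL_WS_ID = "https://payroll-ws.example"   # a downstream web service provider
CLOCK_SKEW = 60                                 # seconds of tolerated clock drift


def _canonical(assertion: dict) -> bytes:
    # Stable serialization so issuer and verifier sign the very same bytes
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def make_authn_request(sp_entity_id: str, now: float) -> dict:
    """SP step: the AuthnRequest carried on the redirect to the IdP."""
    return {"id": "_" + secrets.token_hex(8), "issuer": sp_entity_id, "issue_instant": now}


def issue_assertion(idp_id: str, subject: str, audience: str,
                    in_response_to: str, now: float, lifetime: float = 300) -> dict:
    """IdP step: after authenticating the user, issue a signed, audience-restricted,
    time-limited bearer assertion that answers one specific request."""
    assertion = {
        "issuer": idp_id, "subject": subject, "audience": audience,
        "in_response_to": in_response_to,
        "not_before": now, "not_on_or_after": now + lifetime,
    }
    key = TRUSTED_IDPS[idp_id]                 # the IdP's own signing key
    sig = hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()
    return {"assertion": assertion, "signature": sig}


def verify_assertion(signed: dict, my_entity_id: str, now: float,
                     expected_request_id: Optional[str] = None) -> Tuple[bool, str]:
    """Relying-party step, used by an SP or a web service provider alike.
    Returns (True, subject) or (False, reason)."""
    a = signed["assertion"]
    key = TRUSTED_IDPS.get(a["issuer"])
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, _canonical(a), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signed["signature"], expected):
        return False, "bad signature"          # any edited field breaks the signature
    if a["audience"] != my_entity_id:
        return False, "audience mismatch"      # issued for someone else: refuse it
    if expected_request_id is not None and a["in_response_to"] != expected_request_id:
        return False, "response does not match our request"   # replay / unsolicited
    if not (a["not_before"] - CLOCK_SKEW <= now < a["not_on_or_after"] + CLOCK_SKEW):
        return False, "outside validity window"
    return True, a["subject"]


def browser_sso_flow(now: float) -> Tuple[bool, str, dict]:
    """The redirect / HTML-form exchange from the slide; the IdP's authentication of
    the user is assumed to have succeeded for 'alice'."""
    request = make_authn_request(SP_ENTITY_ID, now)              # SP -> browser -> IdP
    signed = issue_assertion("https://idp.example", "alice",    # IdP -> browser -> SP
                             SP_ENTITY_ID, request["id"], now)
    ok, result = verify_assertion(signed, SP_ENTITY_ID, now, request["id"])
    return ok, result, signed


def forward_to_web_service(signed: dict, now: float) -> Tuple[bool, str]:
    """The one-hop limit: the SP reuses the browser-facing assertion as the identity
    token of a SOAP call to the payroll service, whose audience check rejects it."""
    return verify_assertion(signed, PAYROLL_WS_ID, now)


if __name__ == "__main__":
    ok, who, assertion = browser_sso_flow(1000.0)
    print("SP decision:", ok, who)
    print("payroll web service decision:", forward_to_web_service(assertion, 1001.0))
```

The rejected forward is the behaviour the slide wants: the audience restriction is what stops a bearer assertion from being replayed against any other party, so carrying identity across several hops needs a token issued for each hop, which is the gap the identity web services material that follows addresses.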
Requirements for Web Service Identity
• Identify the end user
• Locate the service
• Preserve identity
– Across multiple 'hops'
– Across domain boundaries
– Across vendors' products
• Using existing technologies and idioms
• Maintaining privacy
Identity Web Services
End User
Web Service Consumer
Web Service Provider
Identity Provider
Discovery Service
Scaling Out...
Principal
Web Service Consumer
Web Service Provider / Consumer
Identity Provider
Discovery Service
Web Service Provider
Web Service Provider
Liberty Identity Web Services Framework (ID-WSF)
• Dynamic service discovery and addressing
• Common web services transport mechanisms to apply identity-aware message security
• Abstractions and optimizations to allow anything – including client devices – to host identity services
• Unified data access/management model for developers
• Flexibility to develop arbitrary new services
• User privacy through use of pseudonyms
Mapping to Products
• Sun Java System Access Manager
– The 'whole stack' for identity web services – Identity Provider, Discovery Service, Service Provider etc etc etc
– Web Access Control, Single Sign-On, Federation
– Version 7.1 includes substantial new tooling support for both WS-I BSP and ID-WSF
• NetBeans Enterprise Pack
• Sun Java System Federation Manager
– Service Provider
OpenSSO
• Sun sponsored open source project
• Basis for the next commercial product
– Sun Java System Federated Access Manager 8.0
• 500 project members, the vast majority outside Sun
• Already deployed:
– Audi UK
  • 250,000 customer profiles
  • SSO across a raft of web apps
– SSOCircle
  • Identity Provider
  • SAML 2.0 to Google, OpenID
Resources
• [email protected]
• OpenSSO – https://opensso.dev.java.net/
• Liberty Alliance – http://projectliberty.org
• Superpatterns – http://blogs.sun.com/superpat