Solving Web Single Sign-on with Standards and Open Source Solutions
Trey Drake, AssetWorld 2007, Albuquerque, New Mexico, November 2007

Page 1

December 19, 2006

Solving Web Single Sign-on with Standards and Open Source Solutions

Trey Drake
AssetWorld 2007
Albuquerque, New Mexico
November 2007

Page 2

The Problems

• “I have too many passwords – my monitor is covered in Post-its!”
• “We're implementing Sarbanes-Oxley – we need to control access to applications!”
• “We need to access outsourced functions!”
• “Our partners need to access our applications!”

Page 3

Conflicting Pressures?

Security
User Convenience
Compliance
Interoperability

Page 4

Web Single Sign-On

• Simplest scenario is within one enterprise
• Factor authentication and authorization out of web applications into a web access management (WAM) solution
• Can use browser cookies, because all the applications sit within one DNS domain and the browser returns the SSO cookie to every host in it
• Proxy or agent architecture implements role-based access control (RBAC)
• Users get single sign-on, IT gets control

Page 5

SSO Within an Enterprise

[Diagram: End User, SSO Server, two Web Servers and an Application Server]

Page 6

How it works (participants: Browser, Agent, Application, SSO Server)

1. Browser → Agent: GET hrapp/index.html
2. Agent → Browser: Redirect to SSO Server
3. Browser ↔ SSO Server: Authenticate; the SSO Server sets the SSO cookie
4. Browser → Agent: GET hrapp/index.html (with SSO cookie)
5. Agent → SSO Server: Is this user allowed to access hrapp/index.html?
6. SSO Server → Agent: Yes!
7. Agent → Application: Allow request to proceed
8. Application → Browser: Application response

Page 7

Single Sign-on between Enterprises

• Cookies no longer work: the browser only returns a cookie to the DNS domain that set it, so a partner's applications never see the SSO cookie
  – Need a more sophisticated protocol
• Can't mandate single vendor solution
  – Need standards for interoperability

Page 8

Single Sign-on Standards (timeline)

2002: SAML 1.0; Liberty “Phase 1”
2003: SAML 1.1; Liberty ID-FF 1.1, 1.2; Shibboleth 1.0, 1.1; WS-Federation 1.0
2004: Shibboleth 1.2
2005: SAML 2.0 = Liberty Federation (Liberty's federation work was folded into SAML 2.0)
2006: WS-Federation 1.1

Page 9

SAML 2.0 Concepts

• Assertions: authentication, attribute, and entitlement information
• Protocols: request/response pairs for obtaining assertions and doing ID management
• Bindings: mapping SAML protocols onto standard messaging or communication protocols
• Profiles: combining protocols, bindings, and assertions to support a defined use case
• Metadata: IdP and SP configuration data
• Authentication Context: detailed data on types and strengths of authentication

Page 10

SSO Across Enterprises

[Diagram: End User, one Identity Provider, three Service Providers]

Page 11

SAML SSO Basics (participants: Browser, Service Provider, Identity Provider)

1. Browser → Service Provider: GET hrapp/index.html
2. Service Provider → Browser: Redirect with SAML Request
3. Browser → Identity Provider: SAML Authentication Request
4. Browser ↔ Identity Provider: Authenticate
5. Identity Provider → Browser: HTML form with SAML Response
6. Browser → Service Provider: SAML Response (form POST)
7. Service Provider examines SAML Response and makes access control decision
8. Service Provider → Browser: Response
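The Service Provider side of this exchange, as an added example that is not part of the original deck and not OpenSSO code: the SP builds an AuthnRequest and encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), remembers the request ID, and then examines a Response delivered by the HTTP-POST binding, checking Destination, status, InResponseTo, Issuer, the NotBefore/NotOnOrAfter window, AudienceRestriction and the bearer SubjectConfirmationData. The same AudienceRestriction check is what confines a SOAP-borne SAML token to its immediate recipient, the one-hop limit discussed later under message-level security. Entity IDs, URLs, the clock values and the IdP Response are constructed for the demo; XML signature verification, which must precede these checks in a real SP, is not implemented here.

```python
"""SP side of SAML 2.0 Web Browser SSO: redirect out, validate the POSTed Response.
Added example; all identifiers, URLs and the sample Response are constructed."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed deployment values (assumptions, not from the slides).
SP_ENTITY_ID, SP_ACS_URL = "https://sp.example.com/metadata", "https://sp.example.com/acs"
IDP_ENTITY_ID, IDP_SSO_URL = "https://idp.example.org/metadata", "https://idp.example.org/sso"

def saml_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class ServiceProvider:
    def __init__(self):
        self.pending = {}  # IDs of AuthnRequests we issued; each may be answered once

    def build_redirect(self, now):
        """The SP's redirect step: build an AuthnRequest and the HTTP-Redirect URL carrying it."""
        req_id = "_" + uuid.uuid4().hex
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
               f'ID="{req_id}" Version="2.0" IssueInstant="{saml_time(now)}" Destination="{IDP_SSO_URL}" '
               f'AssertionConsumerServiceURL="{SP_ACS_URL}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
               f'</samlp:AuthnRequest>')
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)        # raw DEFLATE, no zlib header
        deflated = comp.compress(xml.encode()) + comp.flush()
        self.pending[req_id] = now
        query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": "hrapp/index.html"})
        return req_id, f"{IDP_SSO_URL}?{query}"

    def consume_response(self, response_b64, now, skew=timedelta(seconds=60)):
        """The SP's examine step. Returns the NameID or raises ValueError. Precondition not shown:
        the XML signature on the Response/Assertion has been verified against the IdP's key."""
        root = ET.fromstring(base64.b64decode(response_b64))
        if root.tag != f'{{{NS["samlp"]}}}Response' or root.get("Destination") != SP_ACS_URL:
            raise ValueError("not a Response addressed to this SP's ACS")
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            raise ValueError("IdP did not report Success")
        req_id = root.get("InResponseTo")
        if req_id not in self.pending:                        # unsolicited, forged or replayed
            raise ValueError("InResponseTo does not match an outstanding request")
        del self.pending[req_id]
        assertion = root.find("saml:Assertion", NS)
        if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise ValueError("missing Assertion or unexpected Issuer")
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            raise ValueError("no Conditions")
        if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")) - skew:
            raise ValueError("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")) + skew:
            raise ValueError("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            raise ValueError("assertion is addressed to another audience")
        scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != req_id:
            raise ValueError("bearer confirmation not bound to this SP and request")
        return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def make_response(in_response_to, now, audience=SP_ENTITY_ID, subject="alice", lifetime=timedelta(minutes=5)):
    """Constructed, unsigned IdP Response in the shape the SP above expects (demo input only)."""
    until = saml_time(now + lifetime)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_{uuid.uuid4().hex}" '
           f'Version="2.0" IssueInstant="{saml_time(now)}" Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{saml_time(now)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>{subject}</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData '
           f'Recipient="{SP_ACS_URL}" InResponseTo="{in_response_to}" NotOnOrAfter="{until}"/>'
           f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{saml_time(now)}" NotOnOrAfter="{until}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def demo():
    now = datetime(2007, 11, 1, 12, 0, tzinfo=timezone.utc)
    sp, results = ServiceProvider(), {}
    req_id, url = sp.build_redirect(now)
    results["redirect_to_idp"] = url.startswith(IDP_SSO_URL + "?SAMLRequest=")
    good = make_response(req_id, now)
    results["subject"] = sp.consume_response(good, now + timedelta(seconds=10))
    attempts = [("replay", good, now + timedelta(seconds=20)),
                ("wrong_audience", make_response(sp.build_redirect(now)[0], now, audience="https://other.example.net"), now),
                ("expired", make_response(sp.build_redirect(now)[0], now), now + timedelta(minutes=10)),
                ("unsolicited", make_response("_never-issued", now), now)]
    for name, resp, when in attempts:
        try:
            results[name] = "accepted: " + sp.consume_response(resp, when)
        except ValueError as err:
            results[name] = str(err)
    return results
```

Each rejected case in `demo()` corresponds to a real-world attack on a careless SP: replaying a captured Response, presenting an assertion the IdP issued for a different SP, using a stale assertion, and injecting a Response the SP never asked for. None of these checks replaces signature verification; without it an attacker simply writes the Response themselves.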

Page 12

What about Web Services?

Page 13

Typical Web Service Model

[Diagram: End User, Web Service Consumer, Web Service Provider]

Page 14

Transport Level Security

[Diagram: End User, Web Service Consumer, Web Service Provider, with transport-level security on the links between them]

Page 15

Transport-level Security != Identity

• Difficult choice between
  – No client authentication
  – Client authentication via certificates
• Scope of protection is limited to individual 'hops': TLS terminates at each intermediary, which sees the plaintext and forwards the request under its own identity
• Even with client authentication, no real non-repudiation due to difficulty of archiving and verifying message flow
• TLS/SSL is still essential for confidentiality and integrity at the transport level, but is not enough – we need a solution at the message level

Page 16

Basic Web Services Security

[Diagram: End User, Web Service Consumer, Web Service Provider, Identity Provider]

Page 17

Message-level Security – Getting There

• Identity token carried in SOAP header
  – WS-Security, WS-I Basic Security Profile
  – Industry has converged on SAML Assertion as the token
• SAML allows for bearer tokens, holder-of-key tokens, audience restrictions, etc.
• Token can be archived with message
• But... restricting the audience to the immediate recipient leaves us with similarly limited scope of protection – one hop

Page 18

Requirements for Web Service Identity

• Identify the end user
• Locate the service
• Preserve identity
  – Across multiple 'hops'
  – Across domain boundaries
  – Across vendors' products
• Using existing technologies and idioms
• Maintaining privacy

Page 19

Identity Web Services

[Diagram: End User, Web Service Consumer, Web Service Provider, Identity Provider, Discovery Service]

Page 20

Scaling Out...

[Diagram: Principal, Web Service Consumer, a Web Service Provider that is also a Consumer, Identity Provider, Discovery Service, and two further Web Service Providers]

Page 21

Liberty Identity Web Services Framework (ID-WSF)

• Dynamic service discovery and addressing
• Common web services transport mechanisms to apply identity-aware message security
• Abstractions and optimizations to allow anything – including client devices – to host identity services
• Unified data access/management model for developers
• Flexibility to develop arbitrary new services
• User privacy through use of pseudonyms

Page 22

Mapping to Products

• Sun Java System Access Manager
  – The 'whole stack' for identity web services: Identity Provider, Discovery Service, Service Provider, etc.
  – Web Access Control, Single Sign-On, Federation
  – Version 7.1 includes substantial new tooling support for both WS-I BSP and ID-WSF
• NetBeans Enterprise Pack
• Sun Java System Federation Manager
  – Service Provider

Page 23

OpenSSO

• Sun sponsored open source project
• Basis for the next commercial product
  – Sun Java System Federated Access Manager 8.0
• 500 project members, the vast majority outside Sun
• Already deployed:
  – Audi UK
    • 250,000 customer profiles
    • SSO across a raft of web apps
  – SSOCircle
    • Identity Provider
    • SAML 2.0 to Google, OpenID

Page 24

Resources

• [email protected]
• OpenSSO—https://opensso.dev.java.net/
• Liberty Alliance—http://projectliberty.org
• Superpatterns—http://blogs.sun.com/superpat