
Single sign on using WSO2 identity server

Date post: 15-Jan-2015
Category:
Upload: wso2
Single sign-on using WSO2 Identity Server. S.Uthaiyashankar ([email protected]), VP, Engineering
Transcript


About WSO2

• Providing the only complete open source componentized cloud platform
  – Dedicated to removing all the stumbling blocks to enterprise agility
  – Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
  – Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
  – Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
  – 200+ employees and growing
• Business model of selling comprehensive support & maintenance for our products
  – 150+ globally positioned support customers

Topics Covered…

• Importance of Single Sign-On
• Single Sign-On patterns
• Single Sign-On support in WSO2 Identity Server

The  Story  Begins…  

Something you know

That  is  not  the  End…  

Multiple User Stores

Problems…

• User Perspective:
  – Different username and password for different systems
    • Preferred username is already taken
    • Reusing the same username/password across systems is a security risk
  – Too many usernames and passwords
  – Losing possible collaborations

Problems…

• IT Perspective:
  – Provisioning/de-provisioning users
  – Auditing user activities
  – No single view of the user
  – Deploying new applications

Shared User Store - Possible Solution?

Shared User Store

Problems…

• Multiple logins
• Cloud services and 3rd party applications

Solution

• Federated Identity and Single Sign-On

[Diagram: several Service Providers and one Identity Provider. Labels: Authentication (user to Identity Provider), Service Consumption (user to Service Providers), Trust (between Service Providers and Identity Provider).]

Single  Sign-­‐On  and  Federated  Iden1ty  

Central Authentication Service (CAS)

Single Sign-On and Federated Identity

• Single identity
• Possibility of collaboration between applications
• User convenience
• Login only once and access any service
• Easy administration
  – Provisioning, de-provisioning, forgotten password

WSO2 Identity Server

Key Requirements For Identity Federation: Identity Management and Authentication

• Authentication
  – Multi-Factor Authentication
• Identity Management
  – Attributes / Claims

Key Requirements For Identity Federation: Trust Between Domains

• Trust
  – Pre-established
    • Common in enterprise scenarios
  – Established only when accessing the service
    • Common in web scenarios
• Identity Provider Discovery

Key Requirements For Identity Federation: Identity and Attribute Mapping

• Mapping user identity of one system to another
  – Username
  – Out of band
  – Pseudonym
    • Transient
    • Persistent
• Mapping attribute names in different systems
• Mapping attribute values in different systems

 

Key Requirements For Identity Federation: Attribute Exchange

• One system requesting additional attributes from another system

Protocols and Standards

• OpenID
• SAML2 Web Browser SSO
• WS-Trust & WS-Federation
• Kerberos

OpenID

http://openid.net/get-an-openid/

OpenID Identifiers

• Google – https://profiles.google.com/YourGoogleID
• Blogger – http://blogname.blogspot.com/
• MySpace – http://www.myspace.com/username

OpenID

[Diagram: Relying Party (Service Provider A), the user's browser, and the Identity Provider with its Single Sign-On Service. Steps as numbered in the diagram:]

1. The user provides an OpenID identifier to the Relying Party.
2. The Relying Party discovers the provider (XRI Resolution, Yadis, HTML-based discovery).
3. The Relying Party and the provider create a shared secret.
4. Browser redirect to the IdP.
5. The IdP's Single Sign-On Service authenticates the user.
6-7. The provider's response comes back to the Relying Party through the browser, and the Relying Party allows access to the service.
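The shared secret created in step 3 is what lets the Relying Party check the response it receives in steps 6-7 without a further round trip to the provider: in OpenID 2.0 the provider signs the positive assertion with an HMAC under the association's MAC key, over the Key-Value Form encoding of the fields named in openid.signed. The following is an added example, not code from the presentation or from WSO2 Identity Server, of the Relying Party side of that check. The association handle, MAC key, provider and RP URLs and the sample assertion are all constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Association created in step 3 (normally negotiated with the OP over a
# Diffie-Hellman or TLS-protected association request). The handle and the
# MAC key below are constructed values for this example.
ASSOCIATIONS = {
    "assoc-7f3b": {"type": "HMAC-SHA256", "mac_key": b"\x11" * 32},
}
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}
# response_nonce values this RP has already accepted (replay protection).
SEEN_NONCES = set()


def kv_form(fields, signed):
    """Key-Value Form encoding (OpenID 2.0, section 4.1.1) of the signed
    fields, in exactly the order listed in openid.signed."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed).encode()


def compute_signature(assoc, fields):
    """Base64(HMAC(mac_key, kv_form)) as specified in OpenID 2.0 section 6."""
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(assoc["mac_key"], kv_form(fields, signed), DIGESTS[assoc["type"]])
    return base64.b64encode(mac.digest()).decode()


def verify_assertion(query_string, expected_return_to):
    """Checks the RP must make on the positive assertion delivered by the
    browser in steps 6-7. Returns (ok, claimed_id_or_reason)."""
    fields = dict(parse_qsl(query_string))
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    assoc = ASSOCIATIONS.get(fields.get("openid.assoc_handle"))
    if assoc is None:
        return False, "unknown association handle"
    signed = fields.get("openid.signed", "").split(",")
    # Every field that matters must be covered by the signature and present.
    if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle"} <= set(signed):
        return False, "required fields not covered by signature"
    if any("openid." + name not in fields for name in signed):
        return False, "signed field missing from response"
    expected = compute_signature(assoc, fields).encode()
    if not hmac.compare_digest(expected, fields.get("openid.sig", "").encode()):
        return False, "bad signature"
    if fields["openid.return_to"] != expected_return_to:
        return False, "return_to mismatch"
    nonce = fields["openid.response_nonce"]
    if nonce in SEEN_NONCES:
        return False, "replayed response_nonce"
    SEEN_NONCES.add(nonce)
    return True, fields.get("openid.claimed_id")


def sample_assertion(tamper=False):
    """Positive assertion as the OP would send it back in step 6 (constructed
    values; the OP and RP URLs are hypothetical)."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": "https://alice.example/",
        "openid.identity": "https://alice.example/",
        "openid.return_to": "https://rp.example/openid/return",
        "openid.response_nonce": "2015-01-15T10:00:00Zabc123",
        "openid.assoc_handle": "assoc-7f3b",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = compute_signature(ASSOCIATIONS["assoc-7f3b"], fields)
    if tamper:  # alter a signed field after signing, as an attacker would
        fields["openid.claimed_id"] = "https://mallory.example/"
    return urlencode(fields)
```

The signature check alone is not enough: return_to must match the RP's own endpoint and the nonce must be single-use, otherwise a captured assertion can be replayed or redirected. When the RP has no association (stateless mode) the same fields are instead sent back to the provider in a check_authentication request, which is the round trip the association avoids.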

SAML2 Web Browser SSO

SAML 2.0 Web Browser SSO Profile

[Diagram: Identity Provider (Single Sign-On Service) and Service Provider A (Assertion Consumer Service), with Trust between them. Steps as numbered in the diagram:]

1. The user accesses the service at Service Provider A.
2. Service Provider A selects the Identity Provider.
3. Browser redirect to the IdP.
4. The IdP's Single Sign-On Service authenticates the user.
5. The browser delivers the response to the Assertion Consumer Service.
6. The Assertion Consumer Service validates the assertion under the trust relationship with the IdP.
7. Allow access to service.

WS-Trust

[Diagram: Identity Provider (Security Token Service) and Service Provider A, with Trust between them. Steps as numbered in the diagram:]

1. The client authenticates to the Security Token Service (username, X.509, etc.).
2. The STS issues a security token.
3. The client presents the security token to Service Provider A.
4. Service Provider A verifies the token (e.g. checks its signature).
5. Access to the service.

WS-Federation

[Diagram: Domain A with Identity Provider A (Security Token Service); Domain B with Identity Provider B (Security Token Service) and Service Provider B. Trust: Identity Provider B trusts Identity Provider A; Service Provider B trusts Identity Provider B. Steps as numbered in the diagram:]

1. The client authenticates to Identity Provider A's STS (username, X.509, etc.).
2-3. Identity Provider A's STS issues Security Token A.
4. Identity Provider B verifies Token A (e.g. checks its signature).
5. Identity Provider B's STS issues Security Token B.
6. The client presents Token B to Service Provider B.
7. Service Provider B verifies Token B (e.g. checks its signature).
8. Access to the service.
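"Verify token" in the SAML, WS-Trust and WS-Federation diagrams above is more than the signature check: a SAML assertion (or a SAML token issued by an STS) is only good for one audience, one recipient, one time window and, in SP-initiated SAML SSO, one outstanding request. The following is an added example, not code from the presentation or from WSO2 Identity Server, of the checks the Assertion Consumer Service of Service Provider A should make once an XML-DSig library has verified the response signature against the IdP's trusted certificate (that signature step is assumed done and is not shown). The entity IDs, URLs, request ID and sample response are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Service Provider A configuration (constructed values for the example).
SP_ENTITY_ID = "https://sp-a.example/saml"
ACS_URL = "https://sp-a.example/saml/acs"
IDP_ENTITY_ID = "https://idp.example/saml"
CLOCK_SKEW = timedelta(seconds=60)

OUTSTANDING_REQUESTS = {"_req-1"}  # IDs of AuthnRequests sent in step 3
CONSUMED_ASSERTIONS = set()        # assertion IDs already accepted (replay cache)


def saml_time(text):
    """Parse the UTC timestamps SAML uses, e.g. '2015-01-15T10:00:00Z'."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(now, not_before, not_on_or_after):
    """Validity check with clock skew; either bound may be absent."""
    if not_before and now + CLOCK_SKEW < saml_time(not_before):
        return False
    if not_on_or_after and now - CLOCK_SKEW >= saml_time(not_on_or_after):
        return False
    return True


def validate_response(xml_text, now):
    """Checks the Assertion Consumer Service makes after the XML signature has
    verified. Returns (ok, name_id_or_reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    if root.get("Destination") != ACS_URL:
        return False, "Destination is not our ACS"
    in_response_to = root.get("InResponseTo")
    if in_response_to not in OUTSTANDING_REQUESTS:
        return False, "unsolicited or unknown InResponseTo"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion in response"
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "assertion issuer is not the trusted IdP"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not in_window(now, cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this SP"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL
            or scd.get("InResponseTo") != in_response_to
            or not in_window(now, None, scd.get("NotOnOrAfter"))):
        return False, "bearer SubjectConfirmationData does not match this request"
    assertion_id = assertion.get("ID")
    if assertion_id in CONSUMED_ASSERTIONS:
        return False, "assertion replayed"
    CONSUMED_ASSERTIONS.add(assertion_id)
    OUTSTANDING_REQUESTS.discard(in_response_to)
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


# Constructed response as the IdP would POST it to the ACS in step 5.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0"
    IssueInstant="2015-01-15T10:00:00Z" Destination="https://sp-a.example/saml/acs"
    InResponseTo="_req-1">
  <saml:Issuer>https://idp.example/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="2015-01-15T10:00:00Z">
    <saml:Issuer>https://idp.example/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp-a.example/saml/acs"
            NotOnOrAfter="2015-01-15T10:05:00Z" InResponseTo="_req-1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-01-15T09:59:00Z" NotOnOrAfter="2015-01-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp-a.example/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

The audience and recipient checks are what stop an assertion issued for Service Provider B from being accepted at Service Provider A; the InResponseTo and replay cache stop a captured response from being submitted twice. For a token obtained from an STS (WS-Trust, WS-Federation) there is no AuthnRequest to match, so the InResponseTo checks drop out, but issuer, audience, validity window and one-time use apply unchanged.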

Kerberos

[Diagram: Identity Provider = Key Distribution Center, with an Authentication Service and a Ticket Granting Service; the Service Provider holds the service shared key. Steps as numbered in the diagram:]

1. The client sends the username to the Authentication Service.
2. The Authentication Service returns a session key + Ticket Granting Ticket.
3. The client sends the Ticket Granting Ticket + authenticator to the Ticket Granting Service.
4. The Ticket Granting Service verifies the authenticator.
5. The Ticket Granting Service issues a security token (service ticket).
6. The client presents the security token to the Service Provider.
7. The Service Provider verifies the security token with the service shared key.
8. Access to the service.
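What makes the Kerberos flow above different from the browser-redirect protocols is that the Service Provider in step 7 never talks to the KDC: the ticket is sealed under the key the service shares with the KDC, and the authenticator proves the client holds the session key the KDC put inside that ticket. The following is an added example, not code from the presentation or from WSO2 Identity Server, that plays all three parties of the eight steps in one process. The realm, principal names, passwords and keys are constructed; the seal/unseal pair is a toy encrypt-then-MAC built from HMAC-SHA256 standing in for real Kerberos enctypes, and the key derivation is a simplified string-to-key.

```python
import hashlib
import hmac
import json
import os

REALM = b"EXAMPLE.ORG"            # constructed realm, used as the string-to-key salt
TICKET_LIFETIME = 8 * 3600        # seconds
AUTHENTICATOR_SKEW = 300          # Kerberos' usual 5-minute clock skew


def string_to_key(password):
    """Toy string-to-key: derive a principal's long-term key from its password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM, 100_000)


def seal(key, msg):
    """Toy enctype: HMAC-SHA256 keystream XOR plaintext, then HMAC-SHA256 tag."""
    pt = json.dumps(msg).encode()
    nonce = os.urandom(16)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal(); raises ValueError unless the tag verifies under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator does not verify under this key")
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))


# Key Distribution Center state: the long-term key of every principal (constructed).
SERVICE = "HTTP/sp.example"
KDC_KEYS = {
    "alice": string_to_key("correct horse battery"),
    "krbtgt": os.urandom(32),      # key of the Ticket Granting Service
    SERVICE: os.urandom(32),       # the service shared key
}
SERVICE_KEY = KDC_KEYS[SERVICE]    # the Service Provider's own copy of that key


def as_exchange(principal, now):
    """Steps 1-2: Authentication Service. Returns the TGT (opaque to the client)
    and the session key sealed under the user's long-term key."""
    session_key = os.urandom(32).hex()
    ticket = {"cname": principal, "key": session_key, "exp": now + TICKET_LIFETIME}
    return seal(KDC_KEYS["krbtgt"], ticket), seal(KDC_KEYS[principal], ticket)


def check_authenticator(ticket, authenticator, now):
    """Steps 4 and 7: the authenticator must decrypt under the key carried in
    the ticket, name the same principal, and be fresh. Returns that key."""
    if now >= ticket["exp"]:
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    if auth["cname"] != ticket["cname"] or abs(now - auth["ts"]) > AUTHENTICATOR_SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    return ticket["key"]


def tgs_exchange(tgt, authenticator, service, now):
    """Steps 3-5: Ticket Granting Service. Verifies TGT + authenticator, then
    issues a service ticket under the service shared key."""
    ticket = unseal(KDC_KEYS["krbtgt"], tgt)
    session_key = check_authenticator(ticket, authenticator, now)
    svc_ticket = {"cname": ticket["cname"], "key": os.urandom(32).hex(), "exp": now + TICKET_LIFETIME}
    return seal(KDC_KEYS[service], svc_ticket), seal(bytes.fromhex(session_key), svc_ticket)


def ap_exchange(service_ticket, authenticator, now):
    """Steps 6-8: the Service Provider verifies the ticket with its own shared
    key and the authenticator with the key inside the ticket; no KDC round trip."""
    ticket = unseal(SERVICE_KEY, service_ticket)
    check_authenticator(ticket, authenticator, now)
    return ticket["cname"]


def login(principal, password, now):
    """Client side of the whole flow. Returns (True, principal) or (False, reason)."""
    try:
        tgt, enc_part = as_exchange(principal, now)
        session_key = bytes.fromhex(unseal(string_to_key(password), enc_part)["key"])  # wrong password fails here
        st, enc_part2 = tgs_exchange(tgt, seal(session_key, {"cname": principal, "ts": now}), SERVICE, now)
        svc_key = bytes.fromhex(unseal(session_key, enc_part2)["key"])
        return True, ap_exchange(st, seal(svc_key, {"cname": principal, "ts": now}), now)
    except (ValueError, KeyError) as exc:
        return False, str(exc)
```

Two properties worth noticing: the password never leaves the client (step 2 is only decryptable by someone who knows it), and the Service Provider can be offline from the KDC because the trust is the shared key. A real service also keeps a short replay cache of recent authenticators, since the skew window alone lets a captured step 6 message be reused for a few minutes.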

Some Federation Patterns Using WSO2 Identity Server

Token Exchange

IdP Proxy Pattern

Questions?

Engage with WSO2

• Helping you get the most out of your deployments
• From project evaluation and inception to development and going into production, WSO2 is your partner in ensuring 100% project success
