Last Updated: Jun. 2014
Enterprise Single Sign On: SAML, OpenID Connect and more
Suresh Attanayake, Senior Software Engineer
About the Presenter(s)
๏ Suresh Attanayake is a Senior Software Engineer at WSO2 from the Solutions Architecture / Technical Sales team. He is a former Identity Server team member and has been involved in various WSO2 customer projects around the globe.
About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides the only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an active member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by innovation
  ๏ Launched first open source API Management solution in 2012
  ๏ Launched App Factory in 2Q 2013
  ๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
What WSO2 delivers
Passwords
1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
http://splashdata.com/press/worstpasswords2013.htm
Password Fatigue
๏ Use easy-to-remember passwords
๏ Use the same password
Single Sign On
๏ Single password to remember
๏ Use the password only once
๏ Use the password only at one place
๏ Ease of administration
๏ Enforce password/account policies
SSO Model
SAML2 Web Browser SSO Profile
๏ XML based
๏ Web browser based
๏ Bindings:
  ๏ HTTP Redirect Binding
  ๏ HTTP POST Binding
  ๏ HTTP Artifact Binding
๏ Profiles:
  ๏ Single Logout Profile
  ๏ Attribute Profile
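The deck names the HTTP Redirect and HTTP POST bindings but does not show how they carry the <AuthnRequest>. The following Python is an added example (not code from the deck or from WSO2) showing both encodings from the SP side and the IdP-side decode. The entity IDs and endpoints (sp.example.org, idp.example.org) are assumptions, and the decode caps the inflated size because the Redirect binding's DEFLATE step lets a few hundred bytes expand to any size the sender likes. The signed-redirect variant (SigAlg/Signature query parameters) is not covered.

```python
import base64
import datetime
import uuid
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode
from xml.sax.saxutils import escape

# Assumed SP/IdP identifiers for the demo (not taken from the deck).
SP_ENTITY_ID = "https://sp.example.org/metadata"
SP_ACS_URL = "https://sp.example.org/saml2/acs"
IDP_SSO_URL = "https://idp.example.org/samlsso"

# Largest inflated request an IdP is willing to parse; DEFLATE can expand a tiny
# SAMLRequest parameter into gigabytes, so the bound is enforced during inflation.
MAX_INFLATED_BYTES = 64 * 1024


def attr(value: str) -> str:
    """Escape a value for use inside a double-quoted XML attribute."""
    return escape(value, {'"': "&quot;"})


def build_authn_request(issuer: str, acs_url: str, destination: str,
                        request_id: Optional[str] = None,
                        issue_instant: Optional[str] = None) -> str:
    """Minimal SAML 2.0 <AuthnRequest> as an SP sends it to the IdP."""
    # SAML IDs are xs:ID values (NCNames), so they must not start with a digit.
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{attr(request_id)}" Version="2.0" IssueInstant="{attr(issue_instant)}" '
        f'Destination="{attr(destination)}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{attr(acs_url)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
        'AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def deflate_b64(data: bytes) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(data) + comp.flush()).decode("ascii")


def redirect_binding_url(sso_url: str, request_xml: str,
                         relay_state: Optional[str] = None) -> str:
    """URL the SP redirects the browser to (HTTP-Redirect binding)."""
    params = {"SAMLRequest": deflate_b64(request_xml.encode("utf-8"))}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"


def post_binding_value(request_xml: str) -> str:
    """HTTP-POST binding: the same XML, base64 only, carried in a hidden form field."""
    return base64.b64encode(request_xml.encode("utf-8")).decode("ascii")


def decode_post_value(form_value: str) -> str:
    """IdP side of the POST binding (base64 only, so no inflation bound is needed)."""
    return base64.b64decode(form_value, validate=True).decode("utf-8")


def decode_redirect_request(query_string: str, max_bytes: int = MAX_INFLATED_BYTES) -> str:
    """IdP side of the Redirect binding: recover the XML, refusing oversized output."""
    values = parse_qs(query_string).get("SAMLRequest")
    if not values:
        raise ValueError("SAMLRequest parameter missing")
    raw = base64.b64decode(values[0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, max_bytes)
    # Leftover input, or no end-of-stream, means the request did not fit in max_bytes.
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError(f"inflated SAMLRequest exceeds {max_bytes} bytes")
    return xml.decode("utf-8")


if __name__ == "__main__":
    req = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL)
    url = redirect_binding_url(IDP_SSO_URL, req, relay_state="/account")
    print(url)
    print(decode_redirect_request(url.split("?", 1)[1]))
```

The Redirect binding is the one where the request rides in the URL, which is why it is DEFLATE-compressed; the POST binding has no length pressure and uses plain base64. On the receiving side the size cap matters more than it looks: an IdP that inflates first and checks afterwards has already spent the memory.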
SAML2 Web Browser SSO
SAML2 <AuthnRequest>
SAML2 <Response>
OpenID
๏ Plain text key-value pairs
๏ Web browser based
๏ Indirect communication:
  ๏ HTTP redirection
  ๏ HTTP form submission
๏ Features:
  ๏ OpenID Provider (IDP) discovery
  ๏ OpenID Attribute Exchange / OpenID Simple Registration
OpenID Authentication Request
openid.ns: http://specs.openid.net/auth/2.0
openid.claimed_id: https://localhost:9443/openid/suresh
openid.identity: https://localhost:9443/openid/suresh
openid.return_to: http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=true
openid.realm: http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=true
openid.assoc_handle: AOQobUfyfIM0vAz-VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiq
openid.mode: checkid_setup
openid.ns.ext1: http://openid.net/srv/ax/1.0
openid.ext1.mode: fetch_request
openid.ext1.type.email: http://axschema.org/contact/email
openid.ext1.type.firstname: http://axschema.org/namePerson/first
openid.ext1.type.lastname: http://axschema.org/namePerson/last
openid.ext1.type.country: http://axschema.org/contact/country/home
openid.ext1.type.language: http://axschema.org/pref/language
openid.ext1.required: email,firstname,lastname,country,language
OpenID Authentication Response
openid.op_endpoint: https://localhost:9443/openidserver
openid.signed: op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.firstname,ext1.value.firstname,ext1.type.email,ext1.value.email,ext1.type.language,ext1.value.language,ext1.type.lastname,ext1.value.lastname
openid.ns.ext1: http://openid.net/srv/ax/1.0
openid.sig: wyQi3eTjESAVWsHjPODQ2q7UUVMvNOTySTCvffmqd+A=
is_id_res: true
openid.response_nonce: 2011-05-18T14:54:21Z0eugpxqu3Sv9Iw
openid.claimed_id: https://localhost:9443/openid/suresh
openid.ext1.value.lastname: Attnayake
openid.ext1.value.firstname: Suresh
openid.assoc_handle: AOQobUfyfIM0vAz-VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiq
openid.ext1.value.email: [email protected]
openid.ext1.type.language: http://axschema.org/pref/language
openid.ext1.type.lastname: http://axschema.org/namePerson/last
openid.ext1.type.firstname: http://axschema.org/namePerson/first
openid.ns: http://specs.openid.net/auth/2.0
openid.identity: https://localhost:9443/openid/suresh
openid.ext1.type.email: http://axschema.org/contact/email
openid.mode: id_res
openid.ext1.mode: fetch_response
openid.ext1.value.language: en-US
openid.return_to: http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=true
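The response above carries an openid.sig over the fields listed in openid.signed, but the deck does not show what the relying party does with it. The following Python is an added example (not code from the deck or from WSO2) of the relying-party checks on a positive assertion: the HMAC-SHA256 over the key-value form of the signed fields as OpenID Authentication 2.0 section 6.1 defines it, the return_to match, the nonce window and replay check, and the rule that only Attribute Exchange values inside openid.signed may be trusted. The MAC key is constructed, because the association secret behind the slide's assoc_handle is not on the page, so the sample response is a constructed subset of the slide's fields with its signature recomputed under that key and the email replaced.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed MAC key standing in for the secret the RP obtained when it established
# the association with the OP; the deck does not include the real one.
MAC_KEY = hashlib.sha256(b"demo-association-mac-key").digest()
RETURN_TO = "http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=true"
NONCE_WINDOW = timedelta(minutes=5)
# OpenID 2.0 section 10.1: these fields must always be covered by the signature.
ALWAYS_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
AX_NS = "http://openid.net/srv/ax/1.0"


def kv_form(params: dict, signed_keys: list) -> bytes:
    """Section 6.1: 'key:value\\n' per signed key, in openid.signed order, 'openid.' prefix dropped."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_keys).encode("utf-8")


def compute_sig(params: dict, signed_keys: list, mac_key: bytes) -> str:
    """HMAC-SHA256 over the key-value form, base64 encoded (HMAC-SHA256 association type)."""
    mac = hmac.new(mac_key, kv_form(params, signed_keys), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def parse_utc(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' prefix every response_nonce starts with."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def verify_response(params: dict, mac_key: bytes, expected_return_to: str,
                    seen_nonces: set, now: datetime):
    """RP-side checks on a positive assertion. Returns (ok, reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to does not match the URL this response arrived at"
    signed_keys = [k for k in params.get("openid.signed", "").split(",") if k]
    required = list(ALWAYS_SIGNED) + [k for k in ("claimed_id", "identity")
                                      if "openid." + k in params]
    missing = [k for k in required if k not in signed_keys]
    if missing:
        return False, f"required fields not signed: {missing}"
    if any("openid." + k not in params for k in signed_keys):
        return False, "openid.signed names a field that is absent"
    if not hmac.compare_digest(compute_sig(params, signed_keys, mac_key),
                               params.get("openid.sig", "")):
        return False, "signature mismatch"
    # Nonce: UTC timestamp then random characters; bound its age and reject replays.
    nonce = params["openid.response_nonce"]
    try:
        issued = parse_utc(nonce[:20])
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - issued) > NONCE_WINDOW:
        return False, "response_nonce outside the acceptance window"
    if nonce in seen_nonces:
        return False, "response_nonce already used"
    seen_nonces.add(nonce)
    return True, "ok"


def signed_ax_attributes(params: dict) -> dict:
    """Only Attribute Exchange values whose keys appear in openid.signed are trustworthy."""
    signed_keys = set(params.get("openid.signed", "").split(","))
    if params.get("openid.ns.ext1") != AX_NS or "ns.ext1" not in signed_keys:
        return {}
    prefix = "openid.ext1.value."
    return {k[len(prefix):]: v for k, v in params.items()
            if k.startswith(prefix) and k[len("openid."):] in signed_keys}


def sample_response() -> dict:
    """Constructed response: a subset of the slide's fields, signed under MAC_KEY."""
    p = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://localhost:9443/openidserver",
        "openid.claimed_id": "https://localhost:9443/openid/suresh",
        "openid.identity": "https://localhost:9443/openid/suresh",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2011-05-18T14:54:21Z0eugpxqu3Sv9Iw",
        "openid.assoc_handle": "AOQobUfyfIM0vAz-VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiq",
        "openid.ns.ext1": AX_NS,
        "openid.ext1.mode": "fetch_response",
        "openid.ext1.type.firstname": "http://axschema.org/namePerson/first",
        "openid.ext1.value.firstname": "Suresh",
        "openid.ext1.type.lastname": "http://axschema.org/namePerson/last",
        "openid.ext1.value.lastname": "Attanayake",
        "openid.ext1.type.email": "http://axschema.org/contact/email",
        "openid.ext1.value.email": "user@example.com",  # constructed
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"
                         "ns.ext1,ext1.mode,ext1.type.firstname,ext1.value.firstname,"
                         "ext1.type.email,ext1.value.email,ext1.type.lastname,ext1.value.lastname",
    }
    p["openid.sig"] = compute_sig(p, p["openid.signed"].split(","), MAC_KEY)
    return p
```

Two points a relying party easily gets wrong are visible here: the signature covers exactly the keys the OP chose to list in openid.signed, so a field outside that list (an AX value the OP did not sign, for instance) is unauthenticated even when the signature verifies, and the nonce check needs both a time window and a store of nonces already accepted, since the timestamp alone does not stop a replay inside the window.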
OpenID Connect
๏ Built on top of the OAuth 2.0 framework
๏ Web browser based
๏ HTTP GET query params, HTTP POST request params and JSON
๏ Authentication flows:
  ๏ Authorization Code flow
  ๏ Implicit flow
  ๏ Hybrid flow
๏ Features:
  ๏ OpenID Connect Discovery
  ๏ OpenID Connect Dynamic Registration
  ๏ Session Management
OIDC Authentication Request
HTTP/1.1 302 Found
Location: https://server.example.com/authorize?
    response_type=code
    &scope=openid%20profile%20email
    &client_id=s6BhdRkqt3
    &state=af0ifjsldkj
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
OIDC Authentication Response
HTTP/1.1 302 Found
Location: https://client.example.org/cb?
    code=SplxlOBeZQQYbYS6WxSbIA
    &state=af0ifjsldkj
OIDC Token Request
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
OIDC Token Response
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
}
OIDC ID Token
JWT header: {"alg":"RS256","kid":"1e9gdk7"}
JWT payload:
{
  "iss": "http://server.example.com",
  "sub": "248289761001",
  "aud": "23k23k3434",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970
}
JWT signature
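The slides show the ID token's header, payload and signature but not what the relying party must check before it trusts the sub claim. The following Python is an added example (not code from the deck or from WSO2) of those checks as OpenID Connect Core section 3.1.3.7 lists them: a fixed expected algorithm, signature verification, iss, aud (with azp when there are several audiences), nonce, exp and iat with a small clock skew. The deck's token is RS256-signed under kid 1e9gdk7, which the RP would verify against the key it fetched from the OP's JWKS; that key is not on the page, so this example assumes the HS256 variant keyed by a constructed client secret (also permitted by OIDC Core for the ID token) and plays the OP itself to mint the token. The claims are the ones from the decoded payload above, with aud set to the client_id s6BhdRkqt3 from the authentication request slide.

```python
import base64
import hashlib
import hmac
import json

# Constructed client secret shared by OP and RP; it keys HS256 in this demo.
CLIENT_SECRET = b"demo-client-secret-change-me"
# Claims from the deck's decoded ID token, with aud set to the deck's client_id.
SLIDE_CLAIMS = {
    "iss": "http://server.example.com",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
}


class IdTokenError(Exception):
    """Raised when the ID token must be rejected."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def split_jwt(token: str):
    """Return (header, claims, signing_input, signature) without trusting any of it yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("compact JWS must have exactly three segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # covers bad base64 and bad JSON
        raise IdTokenError(f"malformed JWT: {exc}") from exc
    return header, claims, f"{parts[0]}.{parts[1]}".encode("ascii"), signature


def validate_id_token(token: str, *, issuer: str, client_id: str, expected_nonce: str,
                      client_secret: bytes, now: int, skew: int = 60) -> dict:
    """OIDC Core 3.1.3.7 checks; returns the claims only if every check passes."""
    header, claims, signing_input, signature = split_jwt(token)
    # The RP fixes the algorithm it accepts; the token's own "alg" never selects the
    # verifier, which rules out "none" and algorithm-confusion tokens outright.
    if header.get("alg") != "HS256":
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise IdTokenError("signature does not verify")
    if claims.get("iss") != issuer:
        raise IdTokenError("iss mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise IdTokenError("token was not issued for this client (aud)")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences but azp is not this client")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce does not match the authentication request")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now > exp + skew:
        raise IdTokenError("token expired")
    if not isinstance(iat, int) or iat > now + skew:
        raise IdTokenError("token issued in the future")
    return claims


def make_hs256_id_token(claims: dict, client_secret: bytes) -> str:
    """Plays the OP for the demo: mint a compact JWS over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = f"{b64url_encode(compact(header))}.{b64url_encode(compact(claims))}"
    sig = hmac.new(client_secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


if __name__ == "__main__":
    token = make_hs256_id_token(SLIDE_CLAIMS, CLIENT_SECRET)
    print(validate_id_token(token, issuer="http://server.example.com", client_id="s6BhdRkqt3",
                            expected_nonce="n-0S6_WzA2Mj", client_secret=CLIENT_SECRET,
                            now=1311281000))
```

Swapping in RS256 changes only the signature step: the RP resolves the header's kid against the OP's JWKS (found through OpenID Connect Discovery, listed on the feature slide) and verifies with that RSA public key, while the alg it accepts stays pinned in RP configuration rather than read from the token. The nonce comparison is what binds this token to the browser session that started the flow, and aud is what stops a token minted for some other client from being accepted here.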
UserInfo Request
GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer SlAV32hkKG
UserInfo Response
HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "j.doe",
  "email": "[email protected]",
  "picture": "http://example.com/janedoe/me.jpg"
}
WS-Trust
Kerberos
How to pick a technology
Examples:
1. How components interact with each other
2. Technologies preferred
3. Existing systems and limitations
4. Platforms
Web Applications
Business Model
More Information!
๏ Include links to product downloads, white paper downloads, etc.
Contact us!