Enterprise Single Sign On
Last Updated: Jun. 2014
Suresh Attanayake, Senior Software Engineer
Enterprise Single Sign On: SAML, OpenID Connect and more
About the Presenter(s)
๏ Suresh Attanayake is a Senior Software Engineer at WSO2 from the Solutions Architecture / Technical Sales team. He is a former Identity Server team member and has been involved in various WSO2 customer projects around the globe.
About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides the only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by Innovation
๏ Launched first open source API Management solution in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
What WSO2 delivers
Passwords
1)123456
2)password
3)12345678
4)qwerty
5)abc123
http://splashdata.com/press/worstpasswords2013.htm
Password Fatigue
๏ Use easy to remember passwords
๏ Use the same password
Single Sign On
๏ Single password to remember
๏ Use password only once
๏ Use password only at one place
๏ Ease of administration
๏ Enforce password/account policies
SSO Model
SAML2 Web Browser SSO Profile
๏ XML based
๏ Web browser based
๏ Bindings:
๏ HTTP Redirect Binding
๏ HTTP POST Binding
๏ HTTP Artifact Binding
๏ Profiles:
๏ Single Logout Profile
๏ Attribute Profile
SAML2 Web Browser SSO
SAML2 <AuthnRequest>
SAML2 <Response>
OpenID
๏ Plain Text Key-Value pairs
๏ Web browser based
๏ Indirect communication:
๏ HTTP Redirection
๏ HTTP Form submission
๏ Features:
๏ OpenID Provider (IDP) discovery
๏ OpenID Attribute Exchange / OpenID Simple Registration
OpenID
OpenID Authentication Request
openid.ns:http://specs.openid.net/auth/2.0
openid.claimed_id:https://localhost:9443/openid/suresh
openid.identity:https://localhost:9443/openid/suresh
openid.return_to:http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=true
openid.realm:http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=true
openid.assoc_handle:AOQobUfyfIM0vAz-VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiq
openid.mode:checkid_setup
openid.ns.ext1:http://openid.net/srv/ax/1.0
openid.ext1.mode:fetch_request
openid.ext1.type.email:http://axschema.org/contact/email
openid.ext1.type.firstname:http://axschema.org/namePerson/first
openid.ext1.type.lastname:http://axschema.org/namePerson/last
openid.ext1.type.country:http://axschema.org/contact/country/home
openid.ext1.type.language:http://axschema.org/pref/language
openid.ext1.required:email,firstname,lastname,country,language
OpenID Authentication Response
openid.op_endpoint:https://localhost:9443/openidserver
openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.firstname,ext1.value.firstname,ext1.type.email,ext1.value.email,ext1.type.language,ext1.value.language,ext1.type.lastname,ext1.value.lastname
openid.ns.ext1:http://openid.net/srv/ax/1.0
openid.sig:wyQi3eTjESAVWsHjPODQ2q7UUVMvNOTySTCvffmqd+A=
is_id_res:true
openid.response_nonce:2011-05-18T14:54:21Z0eugpxqu3Sv9Iw
openid.claimed_id:https://localhost:9443/openid/suresh
openid.ext1.value.lastname:Attnayake
openid.ext1.value.firstname:Suresh
openid.assoc_handle:AOQobUfyfIM0vAz-VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiq
openid.ext1.value.email:[email protected]
openid.ext1.type.language:http://axschema.org/pref/language
openid.ext1.type.lastname:http://axschema.org/namePerson/last
openid.ext1.type.firstname:http://axschema.org/namePerson/first
openid.ns:http://specs.openid.net/auth/2.0
openid.identity:https://localhost:9443/openid/suresh
openid.ext1.type.email:http://axschema.org/contact/email
openid.mode:id_res
openid.ext1.mode:fetch_response
openid.ext1.value.language:en-US
openid.return_to:http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=true
OpenID Connect
๏ Built on top of OAuth2.0 framework
๏ Web browser based
๏ HTTP GET query params, HTTP POST request params and JSON
๏ Authentication Flows:
๏ Authorization Code flow
๏ Implicit flow
๏ Hybrid flow
๏ Features:
๏ OpenID Connect discovery
๏ OpenID Connect Dynamic Registration
๏ Session Management
OpenID Connect
OIDC Authentication Request
HTTP/1.1 302 Found
Location: https://server.example.com/authorize?
  response_type=code
  &scope=openid%20profile%20email
  &client_id=s6BhdRkqt3
  &state=af0ifjsldkj
  &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
OIDC Authentication Response
HTTP/1.1 302 Found
Location: https://client.example.org/cb?
  code=SplxlOBeZQQYbYS6WxSbIA
  &state=af0ifjsldkj
OIDC Token Request
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
  &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
OIDC Token Response
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
}
OIDC IDToken
JWT header: {"alg":"RS256","kid":"1e9gdk7"}
JWT payload: {
  "iss": "http://server.example.com",
  "sub": "248289761001",
  "aud": "23k23k3434",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970
}
JWT signature
UserInfo Request
GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer SlAV32hkKG
UserInfo Response
HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "j.doe",
  "email": "[email protected]",
  "picture": "http://example.com/janedoe/me.jpg"
}
WS-Trust
Kerberos
How to pick a technology
Examples:
1. How components interact with each other
2. Technologies preferred
3. Existing systems and limitations
4. Platforms
Web Applications
Business Model
More Information!
๏ Include links to product downloads, white paper downloads, etc.
Contact us!