Presentation is loading. Please wait.

Presentation is loading. Please wait.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007."— Presentation transcript:

1 December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007

2 December 19, 2006 “I have too many passwords – my monitor is covered in Post-its!” “We're implementing Sarbanes-Oxley – we need to control access to applications!” “We need to access outsourced functions!” “Our partners need to access our applications!” The Problems

3 December 19, 2006 Conflicting Pressures? Security User Convenience Compliance Interoperability

4 December 19, 2006 Web Single Sign-On Simplest scenario is within one enterprise Factor authentication and authorization out of web applications into web access management (WAM) solution Can use browser cookies within a DNS domain Proxy or Agent architecture implements role-based access control (RBAC)‏ Users get single sign-on, IT gets control

5 December 19, 2006 SSO Within an Enterprise End User SSO Server Web Server Application Server

6 December 19, 2006 How it works BrowserAgentApplicationSSO Server GET hrapp/index.html Redirect to SSO Server Authenticate SSO cookie GET hrapp/index.html (with SSO cookie)‏ Is this user allowed to access hrapp/index.html? Yes! Allow request to proceed Application response

7 December 19, 2006 Single Sign-on between Enterprises Cookies no longer work –Need a more sophisticated protocol Can't mandate single vendor solution –Need standards for interoperability

8 December 19, 2006 Single Sign-on Standards 2002 SAML1 Liberty “Phase 1” 2003 SAML1.1 Liberty ID-FF 1.1,1.2 2005 SAML2 Liberty Federation 2004 = Shibboleth 1.2 2006 WS-Federation 1.1 WS-Federation 1.0 Shibboleth 1.0,1.1

9 December 19, 2006 SAML 2.0 Concepts Profiles Combining protocols, bindings, and assertions to support a defined use case Bindings Mapping SAML protocols onto standard messaging or communication protocols Metadata IdP and SP configuration data Authentication Context Detailed data on types and strengths of authentication Protocols Request/response pairs for obtaining assertions and doing ID management Assertions Authentication, attribute, and entitlement information

10 December 19, 2006 SSO Across Enterprises End User Identity Provider Service Provider

11 December 19, 2006 SAML SSO Basics BrowserService ProviderIdentity Provider GET hrapp/index.html Redirect with SAML Request Authenticate HTML form with SAML Response SAML Response Response Service Provider examines SAML Response and makes access control decision SAML Authentication Request

12 December 19, 2006 What about Web Services?

13 December 19, 2006 Typical Web Service Model End User Web Service Consumer Web Service Provider

14 December 19, 2006 Transport Level Security End User Web Service Consumer Web Service Provider

15 December 19, 2006 Transport-level Security != Identity Difficult choice between –No client authentication –Client authentication via certificates Scope of protection is limited to individual 'hops' Even with client authentication, no real non- repudiation due to difficulty of archiving and verifying message flow TLS/SSL is still essential for confidentiality and integrity at the transport level, but is not enough – we need a solution at the message level

16 December 19, 2006 Basic Web Services Security End User Web Service Consumer Web Service Provider Identity Provider

17 December 19, 2006 Message-level Security – Getting There Identity token carried in SOAP header –WS-Security, WS-I Basic Security Profile –Industry has converged on SAML Assertion as the token SAML allows for bearer tokens, holder-of-key tokens, audience restrictions etc Token can be archived with message But... restricting the audience to the immediate recipient leaves us with similarly limited scope of protection – one hop

18 December 19, 2006 Requirements for Web Service Identity Identify the end user Locate the service Preserve identity –Across multiple 'hops' –Across domain boundaries –Across vendors' products Using existing technologies and idioms Maintaining privacy

19 December 19, 2006 Identity Web Services End User Web Service Consumer Web Service Provider Identity Provider Discovery Service

20 December 19, 2006 Scaling Out... Principal Web Service Consumer Web Service Provider/ Consumer Identity Provider Discovery Service Web Service Provider

21 December 19, 2006 Liberty Identity Web Services Framework (ID-WSF)‏ Dynamic service discovery and addressing Common web services transport mechanisms to apply identity-aware message security Abstractions and optimizations to allow anything – including client devices – to host identity services Unified data access/management model for developers Flexibility to develop arbitrary new services User privacy through use of pseudonyms

22 December 19, 2006 Mapping to Products Sun Java System Access Manager –The 'whole stack' for identity web services - Identity Provider, Discovery Service, Service Provider etc etc etc –Web Access Control, Single Sign-On, Federation –Version 7.1 includes substantial new tooling support for both WS-I BSP and ID-WSF NetBeans Enterprise Pack Sun Java System Federation Manager –Service Provider

23 December 19, 2006 OpenSSO Sun sponsored open source project Basis for the next commercial product –Sun Java System Federated Access Manager 8.0 500 project members, the vast majority outside Sun Already deployed: –Audi UK 250,000 customer profiles SSO across a raft of web apps –SSOCircle Identity Provider SAML 2.0 to Google, OpenID

24 December 19, 2006 Resources treydrake@yahoo.com OpenSSO — https://opensso.dev.java.net/ Liberty Alliance — http://projectliberty.org Superpatterns — http://blogs.sun.com/superpat

Download ppt "December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
OOI-CI–Ragouzis–2007.10.15 Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop 17-19 October 2007.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.
Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal 1 1 2 2 4 4 3,6 5 5 7 7 8 8 9 9 1010 1010 DNS Hello User Sample (Gateway)

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
® Practical Approaches to Web Services Authentication 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010 Sponsored and hosted by.

® Practical Approaches to Web Services Authentication 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010 Sponsored and hosted by.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Single-Sign On and Federated Identity.

Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Single-Sign On and Federated Identity.
GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.

GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.
Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

Similar presentations

Ads by Google