The document discusses single sign-on (SSO) and fine-grained authorization in cloud applications. It covers authentication and authorization challenges, how standards like WS-Federation address these challenges, and how Apache CXF Fediz implements WS-Federation. Specifically, Fediz provides an identity provider (IDP), security token service (STS) and plugin to enable SSO and claims-based authorization in web apps running in different containers.
5. Application Security 10 years ago
● SSO solution using Reverse Proxy
● Proprietary SSO token / protocol
● Same product at Reverse Proxy, Application
Server and central Security Service
● Security tokens validated by
remote Security Server
● Role Based Access Control (Java, .NET API)
● User/ID management internal
6. Security Challenges
● Non-IT company
– Buy vs build
– Applications hosted in the cloud
● SaaS for IT companies
● Integrate several IDM systems (B2B customers)
● Access to user information
– Network connectivity
– Replicating user information
● Reduce Security Code in the Application
7. Gaps
● Fine grained authorization (beyond RBAC) in application logic
● Tight coupling to custom security components and
protocols (central server, reverse proxy, proxy agent)
● Tight coupling to single user domain
● Lack of agility and risk due to managing B2B users internally
● Different authentication mechanism in the application (container)
● Integration with Web Services Stack
● Mock testing
8. How to address that?
● Indirect Trust Relationship to Security Server
● Push user data to the application instead of pulling it
● Externalize Authentication to a Central server
● Lightweight Open Source component
● Industry standard based solution
9. WS-Federation
● OASIS Standard 2009
● Security Token agnostic (SAML 1.1/2.0, …)
● Extends WS-Trust
● Browser and Web Services SSO
● Passive Requestor Profile (PRP) adapts WS-Trust to browser clients
● No connectivity between Application and IDP required (Cloud)
● Claims/Attribute Based Access Control
● Supports several Authentication domains
10. WS-Trust Security Token Service
1. Consumer requests token from STS, presenting credentials
(RST = Request Security Token)
2. STS verifies credentials and issues signed token
3. STS sends token back to consumer
(RSTR = Request Security Token Response)
4. Consumer encloses token in message to service provider
(optionally signing message)
5. Service provider validates token (and signature)
6. Service provider sends response to consumer
WS-SecurityPolicy brings flexibility and transparency to the service consumer
12. Apache CXF Fediz
● Sub-project of Apache CXF project
● Work started mid of 2011
● Community growing
● First release in June 2012
● Current release 1.0.2
● Finishing work for 1.1
13. Apache CXF Fediz
[Architecture diagram: Identity Provider (IDP) and Security Token Service (STS), implemented by Fediz IDP and Fediz STS. The browser on the user machine authenticates against the IDP over WS-Federation; the security tokens are issued by the STS over WS-Trust. The Relying Party (RP) is the web application, protected by the Fediz Plugin inside the servlet container and reached over HTTPS; the browser's access to the web application is redirected to the IDP.]
14. Apache CXF Fediz
[Sequence diagram: Web user / browser, Relying Party (ex. Tomcat, Websphere, ASP.NET, etc.), IDP/STS]
1) HTTP GET resource; Relying Party redirects to IDP
2) Sign In Request
3) Login at Identity Provider
4) Post Credentials
5) Sign In Response (SAML token)
6) Post Sign In Response to Relying Party
7) Resource, Set Cookie
Trust relationship between Relying Party and IDP/STS: the token is signed, so the Relying Party validates it with no call to the STS.
18. Fediz Plugin Configuration
Config element       Description                  Metadata
issuer               Issuer URL                   PassiveRequestorEndpoint
realm                Realm                        TargetScope
authenticationType   Authentication Type          NA
roleURI              Claim URI for roles          NA
roleDelimiter        Role Value Delimiter         NA
claimTypesRequested  Requested claims             ClaimTypesRequested
homeRealm            Home Realm                   NA
tokenValidators      Security Token Validator     NA
signingKey           Key for Metadata signature   Metadata signature
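The following is an added example, not Fediz code, showing the relying-party side of the passive sign-in sequence above and how the plugin configuration elements (issuer, realm, roleURI, roleDelimiter, a clock-skew bound) are applied to the RSTR that the IDP posts back in wresult, which is the same RSTR the WS-Trust STS returns in step 3 of the STS exchange. All URLs, the realm URN, the issuer name "ExampleSTS" and the extra keys trustedIssuers, maximumClockSkew and replyPrefix are assumptions. The constructed response is unsigned; the example assumes the XML signature over the assertion has already been verified against the trusted IDP/STS certificate, which is what makes "no call to the STS" safe.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"   # WS-Trust 1.3 namespace
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"t": WST, "saml": SAML}

# Plugin settings named after the configuration elements in the table above.
# Every URL, URI and issuer name here is an assumption made for the example.
CONFIG = {
    "issuer": "https://idp.example.com/fedizidp/",         # IDP passive requestor endpoint
    "realm": "urn:org:apache:cxf:fediz:fedizhelloworld",   # wtrealm, expected saml:Audience
    "trustedIssuers": ["ExampleSTS"],                      # accepted saml:Issuer values
    "roleURI": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role",
    "roleDelimiter": ",",
    "maximumClockSkew": timedelta(seconds=5),
    "replyPrefix": "https://app.example.com/",             # only wreply targets we own
}

class SignInError(Exception):
    """The sign-in response is rejected; the user is not logged in."""

def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sign_in_redirect(config, reply_url, wctx):
    """Steps 1-2: the URL the plugin redirects the browser to (wa=wsignin1.0).
    wreply is restricted to the application itself so a crafted link cannot use
    the IDP as an open redirector."""
    if not reply_url.startswith(config["replyPrefix"]):
        raise SignInError("wreply outside the application: %s" % reply_url)
    query = {"wa": "wsignin1.0", "wtrealm": config["realm"], "wctx": wctx, "wreply": reply_url}
    return config["issuer"] + "?" + urlencode(query)

def validate_sign_in_response(config, wresult, now):
    """Steps 6-7: parse the posted wresult (an RSTR wrapping a SAML 2.0 assertion)
    and apply the checks that turn it into a local principal.
    Precondition not implemented here: the XML signature over the assertion has
    already been verified against the trusted IDP/STS certificate."""
    root = ET.fromstring(wresult)   # a real plugin must also refuse DTDs/entities in the token
    assertion = root.find(".//t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise SignInError("no SAML 2.0 assertion in RequestedSecurityToken")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in config["trustedIssuers"]:
        raise SignInError("untrusted issuer: %r" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise SignInError("assertion without a validity window")
    skew = config["maximumClockSkew"]
    if now + skew < parse_utc(cond.get("NotBefore")):
        raise SignInError("assertion not yet valid")
    if now - skew >= parse_utc(cond.get("NotOnOrAfter")):
        raise SignInError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["realm"] not in audiences:
        raise SignInError("audience %r does not name this realm" % audiences)
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not subject:
        raise SignInError("assertion has no NameID")
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    roles = []
    for value in claims.get(config["roleURI"], []):   # roleURI + roleDelimiter -> container roles
        roles.extend(r.strip() for r in value.split(config["roleDelimiter"]) if r.strip())
    return {"principal": subject, "roles": roles, "claims": claims}

def rejection_reason(config, wresult, now):
    """None when the response is accepted, otherwise why it was refused."""
    try:
        validate_sign_in_response(config, wresult, now)
        return None
    except SignInError as err:
        return str(err)

def sample_wresult(not_before, not_on_or_after, audience, roles="User,Admin"):
    """Constructed RSTR as an IDP would POST it in wresult; unsigned for brevity."""
    return f"""<t:RequestSecurityTokenResponseCollection xmlns:t="{WST}">
 <t:RequestSecurityTokenResponse><t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_1" IssueInstant="{not_before}">
   <saml:Issuer>ExampleSTS</saml:Issuer>
   <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
   <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
   </saml:Conditions>
   <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
     <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CONFIG['roleURI']}"><saml:AttributeValue>{roles}</saml:AttributeValue></saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </t:RequestedSecurityToken></t:RequestSecurityTokenResponse>
</t:RequestSecurityTokenResponseCollection>"""

if __name__ == "__main__":
    now = parse_utc("2013-01-01T12:00:00Z")
    print(sign_in_redirect(CONFIG, "https://app.example.com/secure/", "state-42"))
    good = sample_wresult("2013-01-01T11:59:00Z", "2013-01-01T12:05:00Z", CONFIG["realm"])
    print(validate_sign_in_response(CONFIG, good, now))
    stale = sample_wresult("2013-01-01T11:00:00Z", "2013-01-01T11:30:00Z", CONFIG["realm"])
    print(rejection_reason(CONFIG, stale, now))
```

The audience check is what keeps a token issued for one relying party from being replayed at another one that trusts the same IDP, and the issuer check is what keeps a token from a different STS out even when its signature is valid under some certificate; neither replaces signature verification, which must happen first.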
28. More than one Requestor IDP
● WS-Federation defines Requestor
and Relying Party IDP
● RP IDP issues SAML token for application in a requestor independent format
● Integrate Requestor IDPs without affecting application
● HomeRealm Discovery
● RP IDP federates Identities or Claims
29. Internal ID management
[Diagram: a browser on the intranet (1) accesses the Relying Party application in its container (ex. Tomcat), is sent (2) to the RP-IdP, the mycompany.com IdP, which performs home realm discovery and redirects (3) to one of the internal requestor IdPs, mycompany.com APAC or mycompany.com EMEA.]
Federate identities
● CXF IdentityMapper
● Relationship: FederateIdentity
30. Hybrid ID management
[Diagram: as in slide 29, with an external requestor IdP, fabrikam.com, added beside the internal requestor IdPs mycompany.com APAC and mycompany.com EMEA. A fabrikam.com browser (1) reaches the Relying Party, is sent (2) to the RP-IdP, which performs home realm discovery and redirects (3) to the fabrikam.com requestor IdP.]
Federate identities
● CXF IdentityMapper
● Relationship: FederateIdentity
31. External requestor IDPs (SaaS)
[Diagram: as in slide 30, with a further external requestor IdP, adatam.com. An adatam.com browser (1) reaches the Relying Party application container (ex. Tomcat), is sent (2) to the RP-IdP, which performs home realm discovery and redirects (3) to the adatam.com requestor IdP.]
Federate claims/attributes
● CXF ClaimsMapper
● Relationship: FederateClaims
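The following is an added example, not Fediz code, of what an RP-IDP does in slides 28 to 31: home realm discovery over several requestor IDPs, identity federation for the internal and fabrikam.com realms (the IdentityMapper relationship, FederateIdentity) and claims federation for the adatam.com SaaS realm (the ClaimsMapper relationship, FederateClaims). The realm URNs, endpoint URLs, login domains, mapping tables and claim URIs under schemas.adatam.com are all constructed for the example; the whr parameter is the WS-Federation sign-in parameter that names the requestor's home realm.

```python
from urllib.parse import parse_qs

ROLE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
LOCAL_REALM = "urn:mycompany:idp"   # the RP-IDP's own realm: issuer of every token the app sees

# Constructed trust table of the requestor IDPs behind the RP-IDP: the realm a
# browser names in whr, where to redirect, and how that IDP's tokens are federated.
REQUESTOR_IDPS = {
    "urn:mycompany:idp:emea": {"url": "https://idp-emea.mycompany.com/", "mode": "FederateIdentity",
                               "domains": ["emea.mycompany.com"]},
    "urn:mycompany:idp:apac": {"url": "https://idp-apac.mycompany.com/", "mode": "FederateIdentity",
                               "domains": ["apac.mycompany.com"]},
    "urn:fabrikam:idp": {"url": "https://sts.fabrikam.com/", "mode": "FederateIdentity",
                         "domains": ["fabrikam.com"]},          # external IDP, users held locally
    "urn:adatam:idp": {"url": "https://sts.adatam.com/", "mode": "FederateClaims",
                       "domains": ["adatam.com"]},              # external SaaS customer
}

# FederateIdentity: the requestor IDP only authenticates; the RP-IDP owns the account
# and takes the claims from its local store (the IdentityMapper's job).
IDENTITY_MAP = {("urn:mycompany:idp:emea", "alice"): "alice.emea",
                ("urn:fabrikam:idp", "bob@fabrikam.com"): "ext.bob"}
LOCAL_STORE = {"alice.emea": {ROLE: ["User", "Admin"]}, "ext.bob": {ROLE: ["Partner"]}}

# FederateClaims: no local account; the requestor's claims are translated (the
# ClaimsMapper's job). Only listed claim URIs and role values pass, so a partner IDP
# cannot hand itself a local "Admin" role by putting it in its own token.
CLAIM_MAP = {"urn:adatam:idp": {"http://schemas.adatam.com/claims/surname": SURNAME,
                                "http://schemas.adatam.com/claims/group": ROLE}}
ROLE_MAP = {"urn:adatam:idp": {"partner-users": "Partner"}}

def is_trusted_realm(realm):
    return realm in REQUESTOR_IDPS

def discover_home_realm(query_string, login_hint=None):
    """Home realm discovery at the RP-IDP: an explicit whr parameter wins, else the
    domain of the typed login selects the realm, else None (show a realm chooser).
    An unknown whr is refused rather than forwarded, so a link cannot send the
    user to an IDP the RP-IDP does not trust."""
    whr = parse_qs(query_string).get("whr", [None])[0]
    if whr is not None:
        if not is_trusted_realm(whr):
            raise ValueError("unknown home realm: %r" % whr)
        return whr
    if login_hint and "@" in login_hint:
        domain = login_hint.rsplit("@", 1)[1].lower()
        for realm, idp in REQUESTOR_IDPS.items():
            if domain in idp["domains"]:
                return realm
    return None

def federate(realm, subject, claims):
    """Turns a validated token from requestor IDP `realm` into the principal and
    claims the RP-IDP issues to the application, in one format for all requestors."""
    idp = REQUESTOR_IDPS.get(realm)
    if idp is None:
        raise ValueError("token from untrusted realm %r" % realm)
    if idp["mode"] == "FederateIdentity":
        local = IDENTITY_MAP.get((realm, subject))
        if local is None:
            raise ValueError("no local identity for %r in %r" % (subject, realm))
        return {"principal": local, "issuer": LOCAL_REALM, "claims": dict(LOCAL_STORE[local])}
    mapped = {}
    for uri, values in claims.items():
        target = CLAIM_MAP[realm].get(uri)
        if target is None:
            continue                         # unmapped claim (incl. our own role URI): dropped
        if target == ROLE:
            values = [ROLE_MAP[realm][v] for v in values if v in ROLE_MAP[realm]]
        mapped.setdefault(target, []).extend(values)
    # realm-qualified principal, so an external "alice" never collides with a local one
    return {"principal": "%s@%s" % (subject, realm), "issuer": LOCAL_REALM, "claims": mapped}

if __name__ == "__main__":
    print(discover_home_realm("wa=wsignin1.0&whr=urn%3Afabrikam%3Aidp"))
    print(discover_home_realm("wa=wsignin1.0", login_hint="carol@apac.mycompany.com"))
    print(federate("urn:mycompany:idp:emea", "alice", {}))
    print(federate("urn:adatam:idp", "dave", {
        "http://schemas.adatam.com/claims/group": ["partner-users", "domain-admins"],
        "http://schemas.adatam.com/claims/role": ["Admin"]}))
```

The application only ever sees tokens issued by LOCAL_REALM with claims in its own URIs, which is what lets a new requestor IDP be added by editing these tables without touching the application.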
32. Fediz Roadmap
● WS-Federation support for RP-IDP (1.1)
● HomeRealm Discovery (1.1)
● SAML Profile (1.1+)
● Support encrypted SAML tokens (1.1)
● SAML Holder-Of-Key (1.1)
● Fediz Plugin support
– Karaf (1.1)
– Jetty (1.1)
– Spring Security (1.1)
33. More information
● Fediz website
http://cxf.apache.org/fediz.html
● Blogs
http://coheigea.blogspot.com
http://www.dankulp.com/blog/
http://sberyozkin.blogspot.com
http://owulff.blogspot.com
35. Standards
● WS-Trust 1.3
● SAML 2.0
● WS-SecurityPolicy
CXF STS capabilities
● SAML 2.0 Bearer [6]
● Custom Token (BinarySecurityToken) [4]
● Token transformation [4,6]
● Identity Mapping [4]
● OnBehalfOf [4,6]
CXF capabilities
● Issued token assertion (WS-SecurityPolicy)
● SecondaryParameters
● OnBehalfOf
● Token caching
[Diagram, whose step numbers the bracketed figures above refer to: an Identity Provider <<Solaris>> (IDP <<Nevis>>) backed by identity stores <<Windows>> LDAP and <<Mainframe>> RACF; an STS <<CXF>> that receives an RST and issues a SAML token (steps 2.1, 2.2, 4.1); a Browser (1) calling a Web Application <<Tomcat>> (2), which calls an Application JAX-WS CXF (3), which in turn calls a Business Service <<Tomcat>> JAX-RPC, not CXF (4/6, BST) and a Business Service <<OSGi Karaf>> JAX-WS CXF (5, 7, ST).]