T2

Web2.0
OpenID

November 15 2007

Web2.0
•
ID

•

•

2
Copyright © 2007 Sun Microsystems K.K.

Copyright © 2007 Sun Microsystems K.K. All Rights Reserved. Page 1

Web2.0

•
•
•

•
•
•

•

•
3

Copyright © 2007 Sun Microsystems K.K. All Rights Reserved.

•

• Web ID
• SAML
• OpenID
• CardSpace
• Liberty Alliance Project
Concorida
• OpenSSO

4


5


2004 ( )

6


ID /

ID /

7


/

USB

IC
8


9


• OASIS SAML (Security Assertion Markup Language)
• Liberty Alliance
b
●
●

a
●

@ A

Web

10


11

Web

•
Web

• Web

•
Web

12


ID = identification
•
•

•
•

•
>
>
>
>

13


• XML
>
>
•
>
•

>
>
>
>

14


Web ID

15

web

• Web
ID Web
>

:
•
:
•
Web :
•
•

16


blog

ID
•

17

TypePad blog

ID TypePad
•

18


Sun

SSO
•

>
>
• My Sun ID

19

Blogspot blog (Google Account )

• Check out http://TrayTable.blogspot.com!
20


Amazon

21

jyte.com ProoveMe OpenID

22


jyte :ProtectNetwork SAML ID /
OpenID

23

CardSpace

24


SSOCircle

25


•
>
>
>
>
• Web
>
>

>
•
>

26


• Identification:
>
>
• Authentication:
>
> RP

• Authorization:
ID ID Authz
>
Identity Relying party
(web application
provider
or community)
(login site)
Authn

Browser
(or other interface)

User
27


provider (web application
or community)
(login site)

Browser

User

28


or community)
(login site)

Rrelying Party

Browser

User

29


or community)
(login site)

. ..

Browser

User

30


SSO
Identity
Identity
Provider
Provider

Authenticate
when asked
Authenticate
2
1
1
2
Attempt
Access Service
access Service
successfully Provider 3 Provider
Succeed
in attempt

IdP-vs-SP-init

• Lois Idp • Lois SP(RP)
• Lois SP(RP)

• SP(RP) IdP
31

SSO

• SSO +
> IdP RP
•
IP
>
RP
–

•
SSO
>
IdP
–

• Circle of Trust (CoT)
•
>

32


CoT (Circle of Trust : )
(IdP)

A
B
H

C
G

D
F
SP
E
•
CoT •
•
•SLA
•
33

Idp discover)

•
SSO RP (RP-initiate) IdP
>

> Identity Relying party
IdP
– or community)
(login site)

GUI
–
IdP
–
– RP IdP (CoT)
–
–
IdP
–

34


SSO :
IdP / RP )
•

•

>
–

70-80%
•
SLA
>
>
>
>

quot;How long has THAT been there?quot;
35

:

• ID(Identifier)
(personally identifiable
>
information (PII))
>
•
> Email , .
> RP
–

36


•
RP
>
RP
–
•

• Identity 2.0 Web 2.0 Web

(Lightweight identity)
>
ID
( publishable ID)
•

37

:“me generation”

ID
•
>
> wiki
> Web2.0
ID
>
•

Web
>
> RP
> Web

38


2:“Trust no one”
IdP RP
•
IdP
RP
•

or community)
(login site)

Browser

User

39

3: “Do What I mean”

•
...
>
>
>
•

>
> SSO

•

>
>

40


41


SAML OpenID
Comprehensive use Simple use case
● ●
“Me generation”
case coverage coverage
● Comprehensive
Strong on IdP
●

challenge solutions, discovery but weak
except IdP discovery on other challenges
● Can be deployed to
● The very definition

do any user “Do what I mean” of “me generation”
philosophy
centricity
type
Consistent user
“Trust no one”,
experience,
XML message
“me generation”
formats
in part

CardSpace
“Smart client” component
●

● Addresses web

authentication challenges
● The very definition of

“trust no one”

42


SAML

43

SAML ?

•
“an XML-based framework for marshaling security and identity
information and exchanging it across domain boundaries”
•
> SAML V2.0 Liberty ID-FF
>
•

> B2B, B2C, G2C...
•
Google Search Appliance...
>

44


•
(SSO)
>
> Distributed transaction
> Authorization Service

• SAML 1.x SSO
• SAML = Security Assertion Markup Language

45

SAML

•
• SAML subject” statement”
:
> Authentication
> Attribute
> Authorization decision
• SAML
•
•
• XML

46
46


SAML
Operational modes for Metadata to
IdP SP Enhanced
IdP SP ...
use in conformance describe provider
Lite Lite client
testing and RFPs abilities and needs

Profiles combining binding, Web browser
Enhanced IdP Single
... Custom
assertion, and protocol use SSO client SSO discovery logout
to support defined use cases

Protocols to get
Assertion Authentication Name ID Single
... Custom
assertions and query/request request management logout
do identity mgmt
Authentication
Attribute
context classes
profiles
to describe types of
for interpreting
authentication
attrib semantics
performed/desired

Authentication Attribute Authz decision
Assertions of authn, attribute,
Custom
statement statement statement
and entitlement information

HTTP HTTP HTTP SAML
SOAP over
Bindings onto standard
PAOS Custom
HTTP redirect POST artifact URI
communications protocols

47


• Issuer ID timestamp
• Assertion ID
• Subject
> Name security domain
>
Conditions”
•
> SAML conditions

condition:
>
• “advice”
>
•

48
48


<saml:Assertion
MajorVersion=“1” MinorVersion=“0”
AssertionID=“128.9.167.32.12345678”
Issuer=“Smith Corporation“
IssueInstant=“2001-12-03T10:02:00Z”>
<saml:Conditions
NotBefore=“2001-12-03T10:00:00Z”
NotOnOrAfter=“2001-12-03T10:05:00Z”>
<saml:AudienceRestrictionCondition>
<saml:Audience>…URI…</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:Advice>
…a variety of elements can go here…
</saml:Advice>
…statements go here…
</saml:Assertion>

49
49


• Public Key – XML Signature
• Smartcard
• Internet Protocol
• Smartcard PKI
• Internet Protocol Password
• Software PKI
• Kerberos
• Telephony
• Mobile One Factor Unregistered
• Nomadic Telephony
• Mobile Two Factor Unregistered
• Personalized Telephony
• Mobile One Factor Contract
• Authenticated Telephony
• Mobile Two Factor Contract
• Secure Remote Password
• Password
• SSL/TLS Cert-Based Client Authentication
• Password Protected Transport
• Time Sync Token
• Previous Session
• Unspecified
• Public Key – X.509
• Your own customised classes...
• Public Key – PGP
• Public Key – SPKI

50


:
web browser SSO
SSO
•
federation
•

Profiles combining binding, Web browser
assertion, and protocol use
SSO

Protocols to get Authentication
assertions and request
do identity mgmt

Assertions of authn, attribute, Authentication
and entitlement information statement

Bindings onto standard HTTP HTTP HTTP
communications protocols redirect POST artifact

51

SAML :SP-initiated/redirect/POST

Service Provider Identity Provider
sp.example.com idp.example.org

Resource

Assertion Single
Access Consumer Sign-On
check Service Service

2 3
7 5
IdP discovery can
be by special cookie,
Challenge
Access
or any other means Redirect with GET using
for
resource? <AuthnRequest> <AuthnRequest>
credentials
Signed
POST signed User
Supply <Response>
<Response> login
resource in HTML form
6
1 4

User or UA action
Browser
User or UA action

52


:IdP-initiated/POST


Resource
Single
Assertion Access
Sign-On
Consumer check
Service
Service

1
4
6

Select Challenge
remote for
resource credentials
Signed User
POST signed <Response>
Supply login
<Response> in HTML form
resource
2
3
5

User or UA action

Browser

53

: enhanced client / proxy SSO

•

Profiles combining binding,
Enhanced
assertion, and protocol use
client SSO

Protocols to get
Authentication
assertions and
request
do identity mgmt

Assertions of authn, attribute, Authentication
and entitlement information statement

Bindings onto standard SOAP over
PAOS
communications protocols HTTP

54


ECP

Resource

Assertion Single

2
6 4
Signed
<AuthnRequest>
<Response>
in SOAP request
in PAOS
Access
response
resource
Signed
<Response>
Supply <AuthnRequest>
in SOAP
resource in PAOS request
response
1 3
5

EnhancedClient SOAP intermediary
or Enhanced Proxy

55

SSO +

Prepare to book hotel logged in
Prepare to rent car logged in
Book flight logged in
as johnd; accept offer of
as jdoe; accept offer of
as johndoe
federation with AirlineInc.com
federation with AirlineInc.com

AirlineInc.com CarRental.com HotelBooking.com

Agree on azqu3H7 for referring to Joe
(neither knows the ID used on other side)

Agree on f78q9c0 for referring to Joe
(neither knows the ID used on the other side)

56


SP IDP ID
●

●

●

Opaque Handle
User
●

Browser

Identity
Authentication Service
Provider
Service
UserID = Jsmith
App
Provider
Password = Rigol3tt0!
UserID = Joe OpaqueHandle = XYZ
Password = CaRm3N
OpaqueHandle = XYZ

Liberty Federation
(Linking of Accounts)

57

Local ID IdP Linked ID Linked ID SP Local ID
jdoe Airline 61611 61611 Cars john
jdoe Bank 71711 61612 Hotels john
mlamb Airline 81811 61621 Cars mary

Persistent pseudonym
Identity Identity
(NameID=”61611”) and attributes
store store

cars.example.com airline.example.com

Resource

Assertion Single

2 6
10 8 4
Pass along
User User
Access signed
login login
Pass
resource <Response>
as jdoe along as john
Convey <AuthnRequest>
<AuthnRequest>
asking for Convey signed
Challenge Challenge
Supply persistent <Response>
for credentials; for
resource pseudonym about 61611
opt-in? credentials
1 3
7
9 5

Browser

User with local ID john at airline.example.com
and local ID jdoe at cars.example.com
58


:
• Mon.Service-Public.fr
•

•

59

Google Apps

Google Apps Education Edition
2.5
Google

Google Provisioning API
SAML Single Sign-On(SSO) API
Provisioning API Google Apps
SSO
IT Google
Web 2.0 API
Google Apps Education Edition

http://www.google.co.jp/a/help/intl/ja/edu/customers/nihon_university.html

60


SAML
• Federated identity :
IdP RP
•
•

• Web

ECP
•
• IdP discovery: cookie
: IdP IdP
•

:
•
: (Liberty Alliance
•
)

61


OpenID

62


63

OpenID ?

•
“an open, decentralized, free framework for user-centric digital identity”
• Web
URL (or XRI) namespace
>

Web
>
•
>
• “Web 2.0”
wiki SNS
>

64


OpenID
• OpenID
>
ID
> OpenID comsumer) (RP) OpenID
ID (IdP) URL
XRI
Web Page URL XRI
>

ID
•

> Simple Registration extension
email
>

65

OpenID (V1.1)

•
Sign up ID
• <link rel=“...”> magic Web
RP
URL OpenID
• sign on OpenID RP
• RP
• OP (OpenID Provider) confirmation (
RP
OpenID RP
•

• See http://simonwillison.net/2006/openid-screencast/

66


OpenID – (part 1)

jyte.com
claimid.com (my IdP)

67

OpenID – (part 2)

claimid.com

jyte.com
transparent

68


Project concordia
projectconcordia.org
OpenID
openid.sun.com

openid.sun.com
URL

openid.sun.com
projectconcordia.org

69

SP-initiated simplified sign-on with OpenID

OpenID Consumer RP OpenID Provider (OP)
Optionally
(e.g. projectconcordia.org) (e.g. prooveme.com)
set up
symmetric
session
5
4 key (can be
remembered
Discovers for future
OP thru interactions)
OpenID
resolution

7
10 2 6 9
User
login
POST
OpenID
Access Authentication
site? response
Display (and maybe Challenge
Redirect
OpenID Simple Reg
Allow for
to OP
prompt attributes)
access credentials
page sent with
8
3
1 GET or POST

User or UA action
Browser
User or UA action

70


OpenID

• “ digerati”
•
•

Sources : USA Today (March, 2007), GoogleTrends (April, 2007), Technorati (April, 2007)
71

OpenID ( )

prooveme.co
m

http://openiddirectory.com/
72


OpenID SSO

• RP
+

ID) Web
•
+ IdP
IdP
– ( IdP
)
–

SSO

73

OpenID

• OpenID
SSO
>
– OpenID (identity
federation)
> OpenID

• SSO OpenID

>

OpenID ID
>
> Web E-Mail

74


OpenID
• ID
> ProtectNetwork.com (also gives “SAML IDs”), MyOpenID.com,
ProoveMe.com...
> AOL http://openid.aol.com/screenname
> Sun openid.sun.com
Web
•

shita.com
>

• OpenID

75

OpenID2.0 1.X

• OpenID 2.0 ( 1.1
):
> XRI XRDS
> IdP-initiated ( RP )
( OpenID
>
)
One-time OpenID
>
•
>
>
>
>

76


OpenID
•
> http://wiki.openid.net/OpenID_Phishing_Brainstorm
•
URL URL
>
Consumer
> http://wiki.openid.net//Replay_Attack_Prevention

• reputation

77

AOL reputation

• AOL OpenID (10/30/2007):
> 1. myopenid.com
> 2. claimid.com
> 3. livejournal.com
> 4. verisignlabs.com
> 5. myvauthid.com
> 6. openid.sun.com
> 7. myvidoop.com
> 8. signon.com
> 9. idtail.com
> 10. xlogon.net
> 11. idproxy.net
> 12. typekey.com
> 13. sxipper.com
14. alwaysknownas.com
>
> 15. myID.net
78


SAML OpenID
• OpenID Web
> URL

UI
>
>

• SAML OpenID
*
IdP discovery
>
> FOSS ( wrapper hard cording
)
• SAML circles of trust”
SLA
>
• * http://blogs.sun.com/superpat/entry/yadis%2Fxri_identifier_resolution_with_saml,
http://www.protectnetwork.com, and http://www.ssocircle.com
79

OpenID

• Federated identity : simplified sign-on ID

me generation” OpenID
•
do what I mean” (not “trust no one”)
•
Diffie-Hellman
• Web
•
• IdP discovery: IdP
:
•
:
•
: IdP,RP
•

80


CardSpace

81

Windows CardSpace ?

•
“a Microsoft .NET Framework version 3.0 component that provides
the consistent user experience required by the identity metasystem”
•

– Card selector trust no one” IdP/RP
– claim
• Web
–
– OS
–

82


CardSpace
identity selector
•
IdP STS)
>
managed cards
Idp claim
–
CoT namespace
claim self-asserted card
>
IdP identity selector
–

RP
•
> RP IdP
RP

83

CardSpace RP-initiated simplified

sign-on Information card-accepting RP STS that is a
managed-card
identity provider (IP)
for particular card

6
2
9
Authn and
Access Convey
request
resource? claims to RP
claims from
appropriate
IP based on
Send
card selection
RP
Supply policy
resource Send claims
reqmts
8 5
1

Match RP policy requirements 7 Optionally encrypt claims for RP
3
to available IP policy capabilities
Card 1 Card 2 ...
CardSpace
identity
4 Select one card out of those available that match policy
selector
intersection and select any optional claims asked for

User action
84


T2

Recomendados

Recomendados

Más contenido relacionado

Más de TH Schee

Más de TH Schee (20)

Último

Último (20)

T2