Suresh Attanayake's presentation discusses single sign-on (SSO) solutions including OpenID, SAML 2.0, and WS-Trust. It provides an overview of each standard including key entities, authentication flows, and how they address common SSO problems. It also demonstrates implementations of each using the WSO2 Identity Server product.

1. SSO With The WSO2 Identity Server
Suresh Attanayake
Software Engineer

2. About WSO2
• Providing the only complete open source componentized cloud
platform
– Dedicated to removing all the stumbling blocks to enterprise agility
– Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
– Gartner cites WSO2 as visionaries in all 3 categories of applica-
tion infrastructure
– Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
– 200+ employees and growing
• Business model of selling comprehensive support & mainte-
nance for our products

3. 150+ globally positioned support customers

4. Previous : A Walk Through SSO
● Problems with traditional authentication
● How SSO solves those problems
● Need for Open Standards
● Introduction to some open standards and how they
solve the common authentication problems

5. What we cover today
● OpenID
● SAML 2.0 Web Browser SSO
● WS- Trust
● Solutions
● Demos

6. OpenID
● Sign into multiple websites with the accounts you
already have.
– No need for new account creation
– Websites don't have to store passwords
● Users passwords are never shared with the
websites.
● Users can decide what information to be shared
with the websites dynamically
● Decentralized identity management

7. Entities
● OpenID Provider (OP)
– Central Authentication Service
● Relying Party (RP)
– Web Applications
● User Agent
– Web Browser
● User

8. OpenID Providers

9. OpenID Identifiers
● Google
– https://profiles.google.com/YourGoogleID
● Blogger
– http://blogname.blogspot.com/
● MySpace
– http://www.myspace.com/username

10. Relying Parties

11. Relying Parties
● Over 50,000 web sites
– http://wiki.openid.net/w/page/25453698/Gallery
● One billion user accounts
● Drupal, Wordpress and libraries
● Visit http://openid.net/

12. OpenID

13. OpenID Authentication
1. User enters the OpenID Identifier and clicks login
at the Relying Party (RP).
2.RP performs discovery on the provided identifier.
3.RP creates an association with the OpenID
Provider (OP).
4.RP issues an Authentication Request to OP.
5.OP authenticates the user.
6.OP sends an Authentication Response to RP.
7.RP validates the authentication response.
8.RP grants or denies the access to the user.

14. Discovery
● The Process : The relying party uses the user supplied
identifier to look up necessary information to initiate
the OpenID protocol
● Information
– Version
– OP endpoint URL
– Claimed ID
● Discovery methods
– XRI Resolution
– Yadis
– HTML-Based recovery

15. Associations
● Process : Sharing a secrete (MAC key) between the
OpenID Provider and the Relying Party
● Association Types
– HMAC-SHA1
– HMAC-SHA256
● Association Session Types
– no-encryption
– DH-SHA1
– DH-SHA256

16. Authentication Request
● Contains
– Claimed ID
– Association handle
– Return to URL
– More
– Extensions (Attributes)

17. Authentication Request

18. Authentication Response
● Contains
– OP Endpoint
– Claimed ID
– Signature
– More
– Extensions (Attributes)

19. Authentication Response

20. Attribute exchange
● OpenID Attribute Exchange
● OpenID Simple Registration

21. OpenID Demo with the WSO2 Identity
Server

22. Example Solution – Multiple Domains

23. What OpenID is lacking
● Single Logout
● IDP initiated SSO
● Not utilizing SSL/TLS

24. SAML 2.0 Web Browser SSO Profile

25. Entities
● Identity Provider (IDP)
– Single Sign On Service
● Service Provider (SP)
– Assertion Consuming Service
● Principle

26. SAML Web Browser SSO Profile

27. Profile Overview
1.User agent access a Service Provider.
2.Service Provider determines the Identity Provider.
3.Service Provider issues an <AuthnRequest> message
to the Identity Provider.
4.Identity Provider identifies the Principle.
5.Identity Provider issues a <Response> message to the
Service Provider.
6.Service Provider grants or denies the access to the
Principle.

28. Identity Provider Discovery
● Implementation dependent
– Configuration
– Identity Provider Discovery Profile

29. <AuthnRequest> message

30. <AuthnResponse> message

32. Bindings
“Mapping of SAML request-response message
exchange onto standard message or communication
protocols are called SAML protocol bindings. ”
– HTTP Redirect Binding
– HTTP POST Binding
– HTTP Artifact Binding

33. Single Logout Profile
1.Service Provider issues a <LogoutRequest>.
2.Identity Provider determines Session Participants.
3.Identity Providers issues <LogoutRequest> to Session
Participants.
4.Session Participants send <LogoutRespone> to the
Identity Provider.
5.Identity Provider send a <LogoutResponse> to the
Single Logout initiator Service Provider.

34. Single Logout Profile

35. SAML 2.0 Web Browser SSO Demo
with the WSO2 Identity Server

36. Example Solution - Federation

37. What is not interesting about SAML
2.0 Web Browser SSO
● Its XML based
– serialization required
● Cryptographic operations
– Nightmare for scripting languages

38. WS- Trust

39. WS-Trust Security Model
● Web Service require set of claims to be in the
incoming request message.
● If the incoming request message doesn't contain the
required claims, then the service should reject or
ignore the request.
● Built with
– Claims
– Policies
– Tokens

40. WS- Trust

41. Security Token Service
● Issuing tokens
● Renewing tokens
● Validating tokens
● Token exchange
● Broker trust

42. Tokens
● X509 public certificates
● XML based tokens (SAML)
● Kerberos shared-secrete tokens
● Digest passwords

43. <wst:RequestSecurityToken>

44. <wst:RequestSecurityTokenResponse>

46. WS-Trust Demo with the WSO2
Identity Server

47. Example Solution – Token Exchange

48. Example Solution – Bridged SSO

49. Questions?

50. Thank you