Suresh Attanayake's presentation discusses single sign-on (SSO) solutions including OpenID, SAML 2.0, and WS-Trust. It provides an overview of each standard including key entities, authentication flows, and how they address common SSO problems. It also demonstrates implementations of each using the WSO2 Identity Server product.
1. SSO With The WSO2 Identity Server
Suresh Attanayake
Software Engineer
2. About WSO2
• Providing the only complete open source componentized cloud
platform
– Dedicated to removing all the stumbling blocks to enterprise agility
– Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
– Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
– Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
– 200+ employees and growing
• Business model of selling comprehensive support & maintenance for our products
4. Previous : A Walk Through SSO
● Problems with traditional authentication
● How SSO solves those problems
● Need for Open Standards
● Introduction to some open standards and how they
solve the common authentication problems
5. What we cover today
● OpenID
● SAML 2.0 Web Browser SSO
● WS-Trust
● Solutions
● Demos
6. OpenID
● Sign into multiple websites with the accounts you
already have.
– No need for new account creation
– Websites don't have to store passwords
● Users' passwords are never shared with the
websites.
● Users can decide dynamically what information is
shared with the websites
● Decentralized identity management
7. Entities
● OpenID Provider (OP)
– Central Authentication Service
● Relying Party (RP)
– Web Applications
● User Agent
– Web Browser
● User
11. Relying Parties
● Over 50,000 web sites
– http://wiki.openid.net/w/page/25453698/Gallery
● One billion user accounts
● Drupal, Wordpress and libraries
● Visit http://openid.net/
13. OpenID Authentication
1. User enters the OpenID Identifier and clicks login
at the Relying Party (RP).
2. RP performs discovery on the provided identifier.
3. RP creates an association with the OpenID
Provider (OP).
4. RP issues an Authentication Request to OP.
5. OP authenticates the user.
6. OP sends an Authentication Response to RP.
7. RP validates the authentication response.
8. RP grants or denies the access to the user.
14. Discovery
● The Process : The relying party uses the user-supplied
identifier to look up the information necessary to initiate
the OpenID protocol
● Information
– Version
– OP endpoint URL
– Claimed ID
● Discovery methods
– XRI Resolution
– Yadis
– HTML-Based discovery
15. Associations
● Process : Sharing a secret (MAC key) between the
OpenID Provider and the Relying Party
● Association Types
– HMAC-SHA1
– HMAC-SHA256
● Association Session Types
– no-encryption
– DH-SHA1
– DH-SHA256
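Step 7 of the authentication flow above ("RP validates the authentication response") is where the association's MAC key is used: the OP signs the response with HMAC-SHA1 or HMAC-SHA256 under that shared key, and the RP recomputes the signature over the fields named in openid.signed. The block below is an added example written for this page, not code from the slides or from WSO2 Identity Server. It assumes the association step has already happened (the RP holds the MAC key for the association handle in the response) and that discovery already yielded the expected OP endpoint; the OP, RP and user URLs and the MAC key are constructed sample values.

```python
"""Relying-party checks on an OpenID 2.0 positive assertion (added example).

Assumes an association exists: the RP holds the MAC key that the OP returned for
the association handle named in the response. Checks follow what OpenID 2.0
requires of an RP before trusting an id_res message: field coverage of the
signature, return_to, op_endpoint, nonce freshness (replay) and the HMAC itself.
"""
import base64
import hashlib
import hmm_placeholder_guard  # noqa: F401  (removed below; see hmac import)
```
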
27. Profile Overview
1. User agent accesses a Service Provider.
2. Service Provider determines the Identity Provider.
3. Service Provider issues an <AuthnRequest> message
to the Identity Provider.
4. Identity Provider identifies the Principal.
5. Identity Provider issues a <Response> message to the
Service Provider.
6. Service Provider grants or denies the access to the
Principal.
32. Bindings
“Mappings of SAML request-response message
exchanges onto standard messaging or communication
protocols are called SAML protocol bindings.”
– HTTP Redirect Binding
– HTTP POST Binding
– HTTP Artifact Binding
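The HTTP Redirect binding listed above carries the <AuthnRequest> in the query string of a redirect to the Identity Provider: the XML is DEFLATE-compressed, base64-encoded and URL-encoded into a SAMLRequest parameter (the HTTP POST binding skips the DEFLATE step and sends the base64 XML in a form field instead). The block below is an added example written for this page, not code from the slides or from WSO2 Identity Server; the AuthnRequest, SP and IdP URLs are constructed sample values. On the receiving side it caps the inflated size, because a few hundred bytes of query string can inflate to megabytes, and it checks that what arrived is actually a samlp:AuthnRequest.

```python
"""SAML 2.0 HTTP Redirect binding: encode a SAMLRequest and decode it safely.

Added example (not from the slides or WSO2 Identity Server). Sample values below
are constructed; the IdP-side decoder caps inflated size and checks the root
element before handing the XML to any further processing.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from typing import Optional, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Cap on inflated size; a tiny query string can DEFLATE-inflate to megabytes.
MAX_INFLATED = 64 * 1024

# Constructed AuthnRequest (sample SP and IdP values, not a real deployment).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2013-05-04T12:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example/acs">'
    "<saml:Issuer>https://sp.example/metadata</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect(xml_text: str, relay_state: Optional[str] = None) -> str:
    """SP side: build the query string appended to the IdP's SSO URL."""
    # wbits=-15 selects raw DEFLATE (RFC 1951) with no zlib header, as the binding requires.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        query["RelayState"] = relay_state
    return urllib.parse.urlencode(query)


def decode_redirect(query_string: str) -> Tuple[str, Optional[str]]:
    """IdP side: recover (xml_text, relay_state) with a bound on inflated size."""
    query = urllib.parse.parse_qs(query_string, strict_parsing=True)
    raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_INFLATED)
    # eof is False if the stream was cut off by the cap (or truncated); unconsumed_tail
    # holds the compressed input left over when the cap was hit.
    if not inflater.eof or inflater.unconsumed_tail:
        raise ValueError("SAMLRequest did not inflate cleanly within the size limit")
    relay = query.get("RelayState", [None])[0]
    return xml_bytes.decode("utf-8"), relay


def is_authn_request(xml_text: str) -> bool:
    """Check the root element is samlp:AuthnRequest before doing anything else with it."""
    return ET.fromstring(xml_text).tag == "{%s}AuthnRequest" % SAMLP_NS


if __name__ == "__main__":
    qs = encode_redirect(SAMPLE_AUTHN_REQUEST, relay_state="app-state-42")
    print("redirect query string:", qs[:60], "...")
    xml_text, relay = decode_redirect(qs)
    print("round-trip ok:", xml_text == SAMPLE_AUTHN_REQUEST, "relay:", relay)
    print("is AuthnRequest:", is_authn_request(xml_text))
```

The Redirect binding signs the request, when it is signed, through separate SigAlg and Signature query parameters rather than inside the XML, so the decoder above is only the transport step: a receiver still verifies that signature (or the XML signature, for the POST binding) against the sender's metadata before acting on the request.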
33. Single Logout Profile
1. Service Provider issues a <LogoutRequest>.
2. Identity Provider determines Session Participants.
3. Identity Provider issues <LogoutRequest> to Session
Participants.
4. Session Participants send <LogoutResponse> to the
Identity Provider.
5. Identity Provider sends a <LogoutResponse> to the
Service Provider that initiated the Single Logout.
37. What is not interesting about SAML 2.0 Web Browser SSO
● It's XML based
– serialization required
● Cryptographic operations
– Nightmare for scripting languages
39. WS-Trust Security Model
● A Web Service requires a set of claims to be in the
incoming request message.
● If the incoming request message doesn't contain the
required claims, then the service should reject or
ignore the request.
● Built with
– Claims
– Policies
– Tokens