Enterprise Single Sign On

1. Last Updated: Jun. 2014 Senior Software Engineer Suresh Attanayake Enterprise Single Sign On : SAML, OpenID Connect and more

2. 2 About the Presenter(s) ๏ Suresh Attanayake is a Senior Software Engineer at WSO2 from the Solutions Architecture/ Technical Sales team. He is a former Identity Server team member and have been involved in various WSO2 customer projects around the globe.

3. 3 About WSO2 ๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source ๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments ๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0. ๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, ๏ Driven by Innovation ๏ Launched first open source API Management solution in 2012 ๏ Launched App Factory in 2Q 2013 ๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013

4. 4 What WSO2 delivers

5. 5 Passwords 1)123456 2)password 3)12345678 4)qwerty 5)abc123 http://splashdata.com/press/worstpasswords2013.htm

6. 6 Password Fatigue ๏ Use easy to remember passwords ๏ Use the same password

7. 7 Single Sign On ๏ Single password to remember ๏ Use password only once ๏ Use password only at one place ๏ Ease of administration ๏ Enforce password/account policies

8. 8 SSO Model

9. 9 SAML2 Web Browser SSO Profile ๏ XML based ๏ Web browser based ๏ Bindings: ๏ HTTP Redirect Binding ๏ HTTP POST Binding ๏ HTTP Artifact Binding ๏ Profiles: ๏ Single Logout Profile

10. 10 SAML2 Web Browser SSO

11. 11 SAML2 <AuthnRequest>

12. 12 SAML2 <Response>

13. 13 OpenID ๏ Plain Text Key-Value pairs ๏ Web browser based ๏ Indirect communication: ๏ HTTP Redirection ๏ HTTP Form submission ๏ Features: ๏ OpenID Provider (IDP) discovery ๏ OpenID Attribute Exchange / OpenID Simple Registration

14. 14 OpenID

15. 15 OpenID Authentication Request openid.ns:http://specs.openid.net/auth/2.0 openid.claimed_id:https://localhost:9443/openid/suresh openid.identity:https://localhost:9443/openid/suresh openid.return_to:http://localhost:8081/openid-attribute-exchange/attexconsumer? is_id_res=true openid.realm:http://localhost:8081/openid-attribute-exchange/attexconsumer? is_id_res=true openid.assoc_handle:AOQobUfyfIM0vAz- VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiq openid.mode:checkid_setup openid.ns.ext1:http://openid.net/srv/ax/1.0 openid.ext1.mode:fetch_request openid.ext1.type.email:http://axschema.org/contact/email openid.ext1.type.firstname:http://axschema.org/namePerson/first openid.ext1.type.lastname:http://axschema.org/namePerson/last openid.ext1.type.country:http://axschema.org/contact/country/home openid.ext1.type.language:http://axschema.org/pref/language openid.ext1.required:email,firstname,lastname,country,language

16. 16 OpenID Authentication Response openid.op_endpoint:https://localhost:9443/openidserver openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns. ext1,ext1.mode,ext1.type.firstname,ext1.value.firstname,ext1.type.email,ext1.value.email ,ext1.type.language,ext1.value.language,ext1.type.lastname,ext1.value.lastname openid.ns.ext1:http://openid.net/srv/ax/1.0 openid.sig:wyQi3eTjESAVWsHjPODQ2q7UUVMvNOTySTCvffmqd+A=is_id_res:true openid.response_nonce:2011-05-18T14:54:21Z0eugpxqu3Sv9Iw openid.claimed_id:https://localhost:9443/openid/suresh openid.ext1.value.lastname:Attnayake openid.ext1.value.firstname:Suresh openid.assoc_handle:AOQobUfyfIM0vAz- VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiq openid.ext1.value.email:suresh@wso2.com openid.ext1.type.language:http://axschema.org/pref/language openid.ext1.type.lastname:http://axschema.org/namePerson/last openid.ext1.type.firstname:http://axschema.org/namePerson/first openid.ns:http://specs.openid.net/auth/2.0 openid.identity:https://localhost:9443/openid/suresh openid.ext1.type.email:http://axschema.org/contact/email openid.mode:id_res openid.ext1.mode:fetch_response openid.ext1.value.language:en-US openid.return_to:http://localhost:8081/openid-attribute-exchange/attexconsumer? is_id_res=true

17. 17 OpenID Connect ๏ Built on top of OAuth2.0 framework ๏ Web browser based ๏ HTTP GET query params, HTTP POST request params and JSON ๏ Authentication Flows: ๏ Authorization Code flow ๏ Implicit flow ๏ Hybrid flow

18. 18 OpenID Connect

19. 19 OIDC Authentication Request HTTP/1.1 302 Found Location: https://server.example.com/authorize? response_type=code &scope=openid%20profile%20email &client_id=s6BhdRkqt3 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

20. 20 OIDC Authentication Response HTTP/1.1 302 Found Location: https://client.example.org/cb? code=SplxlOBeZQQYbYS6WxSbIA &state=af0ifjsldkj

21. 21 OIDC Token Request POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

22. 22 OIDC Token Response HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "access_token": "SlAV32hkKG", "token_type": "Bearer", "refresh_token": "8xLOxBtZp8", "expires_in": 3600, "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc yI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5 NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZ fV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6q Jp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7Tpd QyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4 XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg" }

23. 23 OIDC IDToken JWT header : {"alg":"RS256","kid":"1e9gdk7"} JWT payload : { "iss": "http://server.example.com", "sub": "248289761001", "aud": "23k23k3434", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970 } JWT Signature

24. 24 UserInfo Request GET /userinfo HTTP/1.1 Host: server.example.com Authorization: Bearer SlAV32hkKG

25. 25 UserInfo Response HTTP/1.1 200 OK Content-Type: application/json { "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "preferred_username": "j.doe", "email": "janedoe@example.com", "picture": "http://example.com/janedoe/me.jpg" }

26. 26 WS-Trust

27. 27 Kerberos

28. 28 How to pick a technology Examples: 1. How components interact with each other 2. Technologies preferred 3. Existing systems and limitations 4. Platforms

29. 29 Web Applications

30. 30 Business Model

31. 31 More Information ! ๏ Include links to product downloads, white paper downloads , etc.

32. Contact us !

Enterprise Single Sign On

Estás leyendo una previsualización.

Eche un vistazo a continuación

Enterprise Single Sign On

Más Contenido Relacionado

Presentaciones para usted (20)

A los espectadores también les gustó (12)

Similares a Enterprise Single Sign On (20)

Más de WSO2 (20)

Más reciente (20)