Single Sign-On using WSO2 Identity Server
About WSO2
• Providing the only complete open source componentized cloud platform
  – Dedicated to removing all the stumbling blocks to enterprise agility
  – Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
  – Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
  – Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
  – 200+ employees and growing
• Business model of selling comprehensive support & maintenance for our products
Topics Covered
• Importance of Single Sign-On
• Single Sign-On patterns
• Single Sign-On support in WSO2 Identity Server
Problems
• User Perspective:
  – A different username and password for each system
    • The preferred username is already taken
    • Reusing the same username/password across systems becomes a security risk
  – Too many usernames and passwords to manage
  – Losing possible collaborations
Problems
• IT Perspective:
  – Provisioning/de-provisioning users
  – Auditing user activities
  – No single view of the user
  – Deploying new applications
Solution
• Federated Identity and Single Sign-On
[Diagram: one Identity Provider and several Service Providers. The user authenticates at the Identity Provider and then consumes services at each Service Provider; each Service Provider has a trust relationship with the Identity Provider.]
Single Sign-On and Federated Identity
• Single identity
• Possibility of collaboration between applications
• User convenience: log in only once and access any service
• Easy administration – provisioning, de-provisioning, forgotten passwords
Key Requirements For Identity Federation – Identity Management and Authentication
• Authentication
  – Multi-Factor Authentication
• Identity Management
  – Attributes / Claims
Key Requirements For Identity Federation – Trust Between Domains
• Trust
  – Pre-established (common in enterprise scenarios)
  – Established only when accessing the service (common in web scenarios)
• Identity Provider Discovery
Key Requirements For Identity Federation – Identity and Attribute Mapping
• Mapping the user identity of one system to another
  – Username
  – Out of band
  – Pseudonym
    • Transient
    • Persistent
• Mapping attribute names between systems
• Mapping attribute values between systems
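The two pseudonym flavours and the attribute name/value mapping above, as an added example that is not code from the slides or from WSO2 Identity Server. The IdP key, user IDs, partner entity IDs, claim names and role names are all constructed for illustration. A persistent pseudonym is derived with a keyed hash so that it is stable for one user at one Service Provider but unlinkable across Service Providers; a transient pseudonym is simply fresh randomness per session.

```python
"""Identity and attribute mapping between federation partners (added illustration)."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def persistent_pseudonym(idp_key: bytes, user_id: str, sp_entity_id: str) -> str:
    """Stable per-Service-Provider pseudonym (the idea behind a SAML 'persistent' NameID).

    Same user + same SP -> same value every time; two SPs receive unrelated values,
    so they cannot correlate the user without the IdP. The key never leaves the IdP.
    The length prefix keeps ("a", "bc") and ("ab", "c") from producing the same input.
    """
    msg = len(sp_entity_id).to_bytes(4, "big") + sp_entity_id.encode() + user_id.encode()
    digest = hmac.new(idp_key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def transient_pseudonym() -> str:
    """One-time pseudonym: fresh random value per session, nothing for the SP to store or link."""
    return secrets.token_urlsafe(24)


def map_attributes(local_claims: dict, name_map: dict, value_maps: Optional[dict] = None) -> dict:
    """Translate local claim names (and selected values) into the partner's vocabulary.

    Only claims listed in name_map are released; everything else stays at the IdP.
    value_maps rewrites values per local claim (e.g. local role names to partner role names);
    a value without a mapping is passed through unchanged.
    """
    value_maps = value_maps or {}
    released = {}
    for local_name, value in local_claims.items():
        if local_name not in name_map:
            continue  # not released to this partner
        mapped_value = value_maps.get(local_name, {}).get(value, value)
        released[name_map[local_name]] = mapped_value
    return released


# Constructed sample data (not from any real deployment).
IDP_KEY = b"constructed-idp-pseudonym-key"
LOCAL_CLAIMS = {"username": "alice", "mail": "alice@corp.example", "role": "admin", "ssn": "000-00-0000"}
NAME_MAP = {"mail": "urn:oid:0.9.2342.19200300.100.1.3",      # LDAP 'mail' attribute OID
            "role": "http://partner.example/claims/role"}      # constructed partner claim URI
VALUE_MAPS = {"role": {"admin": "Administrator", "staff": "Employee"}}

if __name__ == "__main__":
    print(persistent_pseudonym(IDP_KEY, "alice", "https://sp1.example"))
    print(persistent_pseudonym(IDP_KEY, "alice", "https://sp2.example"))
    print(transient_pseudonym())
    print(map_attributes(LOCAL_CLAIMS, NAME_MAP, VALUE_MAPS))
```

Note that `ssn` is never released because it is absent from `NAME_MAP`; attribute release is an allow-list, not a deny-list.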
Key Requirements For Identity Federation – Attribute Exchange
• One system requesting additional attributes from another system
OpenID Identifiers
• Google – https://profiles.google.com/YourGoogleID
• Blogger – http://blogname.blogspot.com/
• MySpace – http://www.myspace.com/username
OpenID
[Diagram: Service Provider A (the Relying Party) and the Identity Provider with its Single Sign-On Service. 1: the user provides an OpenID to the Relying Party. 2: the Relying Party discovers the provider (XRI Resolution, Yadis, HTML Based Discovery). 3: the Relying Party and the Identity Provider create a shared secret. 4: browser redirect to the IdP. 5: the user authenticates at the Single Sign-On Service. 6: the browser is redirected back to the Relying Party with the assertion. 7: allow access to service.]
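Steps 1 and 2 of the OpenID flow above (identifier normalization and HTML-based provider discovery), as an added example that is not code from the slides or from WSO2 Identity Server. The HTML document and the provider URLs in it are constructed. The security point is in the last check: the Relying Party will redirect the user's browser to whatever endpoint it discovers, so only an absolute http(s) URL from the document's head may be accepted.

```python
"""OpenID 2.0 identifier normalization and HTML-based discovery (added illustration)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

XRI_GCS = "=@+$!("  # XRI global context symbols; XRI resolution itself is out of scope here


def normalize_identifier(user_input: str) -> str:
    """Normalize what the user typed into the OpenID box (OpenID 2.0 section 7.2).

    XRIs are returned as-is (minus an 'xri://' prefix). URLs get a scheme, a
    lowercased host, a '/' path when none was given, and lose any fragment.
    """
    s = user_input.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_GCS:
        return s
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not a valid OpenID URL identifier")
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/", parts.query, ""))


class _LinkCollector(HTMLParser):
    """Collects (rel-token, href) pairs from <link> elements in the document head only."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._head_done = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._head_done = True  # <link> elements inside the body do not count
        if tag == "link" and not self._head_done:
            a = dict(attrs)
            if a.get("href"):
                for token in (a.get("rel") or "").lower().split():
                    self.links.append((token, a["href"]))

    def handle_endtag(self, tag):
        if tag == "head":
            self._head_done = True


def discover_from_html(html: str) -> dict:
    """Return {'version', 'endpoint', 'local_id'} from the identifier page's <link> elements.

    OpenID 2.0 links (openid2.provider / openid2.local_id) take precedence over
    OpenID 1.x links (openid.server / openid.delegate). The endpoint must be an
    absolute http(s) URL: the RP is about to send the user's browser there.
    """
    parser = _LinkCollector()
    parser.feed(html)
    rels = {}
    for token, href in parser.links:
        rels.setdefault(token, href)  # first occurrence wins
    if "openid2.provider" in rels:
        version, endpoint, local_id = 2, rels["openid2.provider"], rels.get("openid2.local_id")
    elif "openid.server" in rels:
        version, endpoint, local_id = 1, rels["openid.server"], rels.get("openid.delegate")
    else:
        raise LookupError("no OpenID provider link found in HTML")
    ep = urlsplit(endpoint)
    if ep.scheme not in ("http", "https") or not ep.netloc:
        raise ValueError(f"refusing non-http(s) provider endpoint: {endpoint!r}")
    return {"version": version, "endpoint": endpoint, "local_id": local_id}


# Constructed identifier page: carries both OpenID 2.0 and 1.x links plus a body link to ignore.
SAMPLE_HTML = """<html><head><title>alice</title>
<link rel="openid2.provider" href="https://op.example.org/server">
<link rel="openid2.local_id" href="https://op.example.org/alice">
<link rel="openid.server openid.delegate" href="https://op.example.org/v1">
</head><body><link rel="openid2.provider" href="https://evil.example/op"></body></html>"""

# Constructed page whose only provider link is not a navigable URL.
BAD_HTML = '<html><head><link rel="openid2.provider" href="javascript:alert(1)"></head></html>'

if __name__ == "__main__":
    print(normalize_identifier("Alice.Example.COM/Alice#profile"))
    print(discover_from_html(SAMPLE_HTML))
```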
SAML2 Web Browser SSO
[Diagram: Identity Provider with its Single Sign-On Service; Service Provider A with its Assertion Consumer Service; a trust relationship between the two. 1: the user accesses the service. 2: select Identity Provider. 3: browser redirect to the IdP. 4: the user authenticates at the Single Sign-On Service. 5: the response is delivered to the Assertion Consumer Service. 6: the Service Provider validates the assertion. 7: allow access to service.]
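Steps 5 and 6 of the SAML2 flow above, the Assertion Consumer Service's checks on the response, as an added example that is not code from the slides or from WSO2 Identity Server. The entity IDs, URLs, request and assertion IDs, timestamps and the `email` attribute are constructed. XML-Signature verification needs an XML-DSig library (e.g. xmlsec) and is only checked for presence here; in a real ACS it must succeed, against the IdP's pinned certificate, before any other field is trusted. The checks that survive even with a valid signature are the ones that stop cross-SP replay: the Issuer must be the trusted IdP, the Audience must be this SP, the Recipient must be this ACS URL, the InResponseTo must match a request this SP actually made, and the validity window must be enforced.

```python
"""Assertion Consumer Service checks on a SAML 2.0 Response (added illustration)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


class SamlValidationError(Exception):
    pass


def _time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, *, idp_entity_id, sp_entity_id, acs_url,
                      outstanding_requests, now, skew=timedelta(seconds=60)):
    """Validate a Response delivered to this ACS; return the subject and attributes or raise.

    outstanding_requests: set of AuthnRequest IDs this SP issued and has not yet consumed.
    The matching ID is removed on success, so a replayed Response is rejected.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report success")
    if root.get("Destination") not in (None, acs_url):
        raise SamlValidationError("Response Destination is not this ACS")
    req_id = root.get("InResponseTo")
    if req_id not in outstanding_requests:
        raise SamlValidationError("unsolicited or replayed Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no plaintext Assertion (encrypted assertions not handled here)")
    if (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip() != idp_entity_id:
        raise SamlValidationError("Assertion issued by an untrusted IdP")
    if assertion.find("ds:Signature", NS) is None:   # real code: verify it with the IdP's certificate
        raise SamlValidationError("Assertion is unsigned")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise SamlValidationError("no usable Conditions")
    if cond.get("NotBefore") and now + skew < _time(cond.get("NotBefore")):
        raise SamlValidationError("Assertion not yet valid")
    if now - skew >= _time(cond.get("NotOnOrAfter")):
        raise SamlValidationError("Assertion has expired")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlValidationError("Assertion was issued for another Service Provider")
    scd = None
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != req_id
            or not scd.get("NotOnOrAfter") or now - skew >= _time(scd.get("NotOnOrAfter"))):
        raise SamlValidationError("bearer SubjectConfirmationData does not match this request")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlValidationError("no NameID")
    outstanding_requests.discard(req_id)  # consume the request ID only once every check passed
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id.text.strip(), "name_id_format": name_id.get("Format"), "attributes": attrs}


# Constructed Response; the Signature element is a placeholder, not a real XML-DSig.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" InResponseTo="_req1" Version="2.0"
 IssueInstant="2014-03-10T10:00:00Z" Destination="https://sp.example.com/acs">
 <saml:Issuer>https://idp.example.org</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-03-10T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">8d2f1c0e4b7a</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="https://sp.example.com/acs" NotOnOrAfter="2014-03-10T10:05:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-03-10T09:59:00Z" NotOnOrAfter="2014-03-10T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2014, 3, 10, 10, 1, tzinfo=timezone.utc)  # constructed clock inside the validity window

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, idp_entity_id="https://idp.example.org",
                            sp_entity_id="https://sp.example.com", acs_url="https://sp.example.com/acs",
                            outstanding_requests={"_req1"}, now=SAMPLE_NOW))
```

The `skew` parameter is the usual concession to clock drift between IdP and SP; keep it to a minute or so, since every second of tolerance extends the window in which a captured bearer assertion can be replayed elsewhere.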
WS-Trust
[Diagram: Identity Provider with its Security Token Service; Service Provider A; a trust relationship between the two. 1: the client authenticates to the Security Token Service (username, X.509, etc.). 2: the Security Token Service issues a security token. 3: the client presents the security token to Service Provider A. 4: Service Provider A verifies the token (e.g. checks the signature). 5: access is granted.]
WS-Federation
[Diagram: Domain A containing Identity Provider A with its Security Token Service; Domain B containing Identity Provider B with its Security Token Service and Service Provider B. Identity Provider B trusts Identity Provider A, and Service Provider B trusts Identity Provider B. 1: the user authenticates to Identity Provider A (username, X.509, etc.). 2: Identity Provider A issues Security Token A. 3: Security Token A is presented to Identity Provider B. 4: Identity Provider B verifies Token A (e.g. checks the signature). 5: Identity Provider B issues Security Token B. 6: Security Token B is presented to Service Provider B. 7: Service Provider B verifies Token B (e.g. checks the signature). 8: access is granted.]
Kerberos
[Diagram: Identity Provider (Key Distribution Center) with its Authentication Service and Ticket Granting Service; a Service Provider that shares a key with the Key Distribution Center. 1: the client sends its username to the Authentication Service. 2: the Authentication Service returns a session key and a Ticket Granting Ticket. 3: the client presents the Ticket Granting Ticket plus an Authenticator to the Ticket Granting Service. 4: the Ticket Granting Service verifies the Authenticator. 5: it issues a service ticket (security token) protected with the service's shared key. 6: the client presents the security token to the Service Provider. 7: the Service Provider verifies the security token. 8: access is granted.]