SSO with the WSO2 Identity Server
![Page 1: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/1.jpg)
SSO With The WSO2 Identity Server
Suresh Attanayake, Software Engineer
![Page 2: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/2.jpg)
About WSO2
• Providing the only complete open source componentized cloud platform
  – Dedicated to removing all the stumbling blocks to enterprise agility
  – Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
  – Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
  – Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
  – 200+ employees and growing
• Business model of selling comprehensive support & maintenance for our products
![Page 3: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/3.jpg)
150+ globally positioned support customers
![Page 4: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/4.jpg)
Previous: A Walk Through SSO
● Problems with traditional authentication
● How SSO solves those problems
● Need for Open Standards
● Introduction to some open standards and how they solve the common authentication problems
![Page 5: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/5.jpg)
What we cover today
● OpenID
● SAML 2.0 Web Browser SSO
● WS-Trust
● Solutions
● Demos
![Page 6: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/6.jpg)
OpenID
● Sign into multiple websites with the accounts you already have.
– No need to create a new account at each site
– Websites don't have to store passwords
● Users' passwords are never shared with the websites; authentication always happens at the OpenID Provider.
● Users can decide dynamically which pieces of information are shared with each website.
● Decentralized identity management: anyone can run an OpenID Provider.
![Page 7: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/7.jpg)
Entities
● OpenID Provider (OP)
– Central Authentication Service
● Relying Party (RP)
– Web Applications
● User Agent
– Web Browser
● User
![Page 8: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/8.jpg)
OpenID Providers
![Page 9: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/9.jpg)
OpenID Identifiers
● Google
– https://profiles.google.com/YourGoogleID
● Blogger
– http://blogname.blogspot.com/
● MySpace
– http://www.myspace.com/username
![Page 10: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/10.jpg)
Relying Parties
![Page 11: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/11.jpg)
Relying Parties
● Over 50,000 web sites
– http://wiki.openid.net/w/page/25453698/Gallery
● One billion user accounts
● Drupal, WordPress and libraries
● Visit http://openid.net/
![Page 12: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/12.jpg)
OpenID
![Page 13: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/13.jpg)
OpenID Authentication
1. User enters the OpenID Identifier and clicks login at the Relying Party (RP).
2. RP performs discovery on the provided identifier.
3. RP creates an association with the OpenID Provider (OP).
4. RP issues an Authentication Request to the OP.
5. OP authenticates the user.
6. OP sends an Authentication Response to the RP.
7. RP validates the Authentication Response.
8. RP grants or denies access to the user.
![Page 14: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/14.jpg)
Discovery
● The process: the Relying Party uses the user-supplied identifier to look up the information it needs to initiate the OpenID protocol
● Information
– Version
– OP endpoint URL
– Claimed ID
● Discovery methods
– XRI Resolution
– Yadis
– HTML-based discovery
![Page 15: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/15.jpg)
Associations
● Process: sharing a secret (MAC key) between the OpenID Provider and the Relying Party, so the RP can verify the signature on responses without a further round trip to the OP
● Association Types
– HMAC-SHA1
– HMAC-SHA256
● Association Session Types
– no-encryption
– DH-SHA1
– DH-SHA256
![Page 16: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/16.jpg)
Authentication Request
● Contains
– Claimed ID
– Association handle
– Return to URL
– More
– Extensions (Attributes)
![Page 17: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/17.jpg)
Authentication Request
![Page 18: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/18.jpg)
Authentication Response
● Contains
– OP Endpoint
– Claimed ID
– Signature
– More
– Extensions (Attributes)
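The following is an added example, not code from these slides or from WSO2, of step 7 of the flow ("RP validates the Authentication Response") using the MAC key obtained in the association step. In OpenID Authentication 2.0 the signature is an HMAC over the Key-Value Form encoding of the fields listed in `openid.signed`; the RP must also check that the signature covers the fields that matter (`op_endpoint`, `return_to`, `response_nonce`, `assoc_handle`, plus `claimed_id`/`identity` when present), that `return_to` and `op_endpoint` are the ones it expects, and that the nonce is fresh and has not been seen before. The association store, the OP/RP URLs, the nonce window and the sample response are constructed for this example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Fields that must be covered by the signature (OpenID Authentication 2.0, section 10.1),
# plus claimed_id and identity whenever the response carries them.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
NONCE_MAX_AGE_SECONDS = 300  # clock-skew window chosen for this example

# Constructed data: one association (handle -> (type, MAC key)) and the URLs of this RP and OP.
ASSOCIATIONS = {"assoc-1": ("HMAC-SHA256", bytes(range(32)))}
OP_ENDPOINT = "https://op.example/openid"
RETURN_TO = "https://rp.example/openid/return"


def kv_form(params, signed_fields):
    """Key-Value Form encoding of the signed fields: 'name:value\\n' per field, in the listed order."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed_fields)


def compute_sig(params, mac_key, assoc_type):
    """Base64(HMAC(mac_key, kv_form(signed fields))) with the digest the association was made with."""
    digest = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}[assoc_type]
    signed_fields = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, signed_fields).encode(), digest).digest()
    return base64.b64encode(mac).decode()


def verify_response(params, associations, seen_nonces, expected_return_to, expected_op_endpoint, now):
    """RP-side validation of a positive assertion. Returns (ok, reason).
    `associations` maps handle -> (assoc_type, mac_key); `seen_nonces` is a mutable set."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    if params.get("openid.op_endpoint") != expected_op_endpoint:
        return False, "op_endpoint does not match discovery"
    assoc = associations.get(params.get("openid.assoc_handle"))
    if assoc is None:
        # A real RP would fall back to direct verification (check_authentication) with the OP.
        return False, "unknown association handle"
    signed_fields = params.get("openid.signed", "").split(",")
    if any("openid." + f not in params for f in signed_fields):
        return False, "signed field missing from response"
    required = set(REQUIRED_SIGNED) | {f for f in ("claimed_id", "identity") if "openid." + f in params}
    if not required <= set(signed_fields):
        return False, "signature does not cover required fields"
    assoc_type, mac_key = assoc
    if not hmac.compare_digest(compute_sig(params, mac_key, assoc_type), params.get("openid.sig", "")):
        return False, "bad signature"
    # Only after the MAC checks out: nonce freshness and one-time use (the timestamp is its first 20 chars).
    nonce = params["openid.response_nonce"]
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed nonce"
    if abs((now - issued).total_seconds()) > NONCE_MAX_AGE_SECONDS:
        return False, "stale nonce"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"


def sample_response(now):
    """Constructed positive assertion, signed the way the OP would with the shared MAC key."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": "https://op.example/users/alice",
        "openid.identity": "https://op.example/users/alice",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": now.strftime("%Y-%m-%dT%H:%M:%SZ") + "x7Qk",
        "openid.assoc_handle": "assoc-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    assoc_type, mac_key = ASSOCIATIONS["assoc-1"]
    params["openid.sig"] = compute_sig(params, mac_key, assoc_type)
    return params
```

The order of the checks is deliberate: the nonce is recorded only after the MAC has been verified, so an attacker who cannot forge signatures cannot exhaust or pre-burn nonces, and a response whose `openid.signed` list omits `claimed_id` is rejected even when its signature is valid, because an unsigned `claimed_id` could be rewritten in transit.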
![Page 19: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/19.jpg)
Authentication Response
![Page 20: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/20.jpg)
Attribute exchange
● OpenID Attribute Exchange
● OpenID Simple Registration
![Page 21: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/21.jpg)
OpenID Demo with the WSO2 Identity Server
![Page 22: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/22.jpg)
Example Solution – Multiple Domains
![Page 23: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/23.jpg)
What OpenID is lacking
● Single Logout
● IdP-initiated SSO
● No mandatory use of SSL/TLS; the specification leaves transport protection to the deployment
![Page 24: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/24.jpg)
SAML 2.0 Web Browser SSO Profile
![Page 25: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/25.jpg)
Entities
● Identity Provider (IDP)
– Single Sign On Service
● Service Provider (SP)
– Assertion Consuming Service
● Principal
![Page 26: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/26.jpg)
SAML Web Browser SSO Profile
![Page 27: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/27.jpg)
Profile Overview
1. User agent accesses a Service Provider.
2. Service Provider determines the Identity Provider.
3. Service Provider issues an <AuthnRequest> message to the Identity Provider.
4. Identity Provider identifies the Principal.
5. Identity Provider issues a <Response> message to the Service Provider.
6. Service Provider grants or denies access to the Principal.
![Page 28: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/28.jpg)
Identity Provider Discovery
● Implementation dependent
– Configuration
– Identity Provider Discovery Profile
![Page 29: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/29.jpg)
<AuthnRequest> message
![Page 30: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/30.jpg)
<Response> message
![Page 31: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/31.jpg)
![Page 32: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/32.jpg)
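The following is an added example, not code from these slides or from WSO2, of what the Service Provider has to check on the <Response> in step 6 before it grants access. The XML signature must be verified first with a proper XML-DSig library (ElementTree cannot do that, and signature wrapping attacks live exactly in the gap between "a signature validated" and "the assertion I am about to trust was the one signed"); the checks below are the ones that remain after that: Destination, Status, InResponseTo against an outstanding request, exactly one Assertion, Issuer, assertion ID replay, the Conditions window, AudienceRestriction, and the bearer SubjectConfirmationData. The entity IDs, URLs and the sample response are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Identifiers assumed for this example (in practice they come from SP/IdP metadata).
SP_ENTITY_ID = "https://sp.example/saml"
ACS_URL = "https://sp.example/saml/acs"
IDP_ENTITY_ID = "https://idp.example/saml"


def saml_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_response(request_id, now, audience=SP_ENTITY_ID):
    """Constructed <Response> as the IdP would POST it to the ACS (ds:Signature element omitted)."""
    exp = saml_time(now + timedelta(minutes=5))
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="{saml_time(now)}" Destination="{ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{saml_time(now)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}" NotOnOrAfter="{exp}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{saml_time(now - timedelta(minutes=1))}" NotOnOrAfter="{exp}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_response, outstanding_request_ids, seen_assertion_ids, now):
    """SP-side checks on a Response, to be run only after its XML signature has been verified.
    Returns (ok, reason) on failure and (True, NameID) on success."""
    try:
        root = ET.fromstring(xml_response)
        if root.tag != f"{{{SAMLP}}}Response":
            return False, "not a Response"
        if root.get("Destination") != ACS_URL:
            return False, "Destination is not our ACS"
        if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != STATUS_SUCCESS:
            return False, "IdP reported failure"
        in_response_to = root.get("InResponseTo")
        if in_response_to not in outstanding_request_ids:
            return False, "InResponseTo does not match a request we sent"
        assertions = root.findall("saml:Assertion", NS)
        if len(assertions) != 1:
            return False, "expected exactly one Assertion"  # extra assertions are a wrapping red flag
        a = assertions[0]
        if a.find("saml:Issuer", NS).text != IDP_ENTITY_ID:
            return False, "unexpected Issuer"
        if a.get("ID") in seen_assertion_ids:
            return False, "assertion replay"
        cond = a.find("saml:Conditions", NS)
        if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
            return False, "assertion outside validity window"
        if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            return False, "we are not in the audience"
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != in_response_to:
            return False, "SubjectConfirmationData does not match this SP/request"
        if parse_time(scd.get("NotOnOrAfter")) <= now:
            return False, "bearer confirmation expired"
        name_id = a.find("saml:Subject/saml:NameID", NS).text
    except (ET.ParseError, AttributeError, TypeError, ValueError):
        return False, "malformed response"
    outstanding_request_ids.discard(in_response_to)  # one response per request
    seen_assertion_ids.add(a.get("ID"))              # one use per assertion
    return True, name_id
```

Any missing element falls through to "malformed response" rather than being treated as "not restricted"; an assertion without Conditions or AudienceRestriction is a reason to refuse, not to relax the check.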
Bindings
“Mappings of SAML request-response message exchanges onto standard messaging or communication protocols are called SAML protocol bindings.”
– HTTP Redirect Binding
– HTTP POST Binding
– HTTP Artifact Binding
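The following is an added example, not code from these slides or from WSO2, of the two bindings the Web Browser SSO profile uses most: the HTTP Redirect binding (raw DEFLATE, then base64, then URL-encoding into the query string, which is why the <AuthnRequest> is usually sent this way and the much larger signed <Response> is not) and the HTTP POST binding (plain base64 in a hidden form field). The decoder bounds the inflated size, because a few hundred bytes of DEFLATE can expand into a very large document. The entity IDs and URLs are assumed values.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed identifiers for the example; real values come from SP/IdP metadata.
SP_ENTITY_ID = "https://sp.example/saml"
ACS_URL = "https://sp.example/saml/acs"
IDP_SSO_URL = "https://idp.example/samlsso"


def new_request_id():
    """SAML IDs are XML NCNames, so they must not start with a digit; 128 random bits is plenty."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    """Minimal <AuthnRequest>. The SP stores request_id to match it against InResponseTo later."""
    instant = issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" Version="2.0" '
        f'IssueInstant="{instant}" Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_binding_url(xml_message, relay_state):
    """HTTP Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode into the query.
    A signed redirect adds SigAlg and Signature over the query string; keys are omitted here."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(xml_message.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_request(url, max_len=64 * 1024):
    """IdP side: undo the binding, refusing any request that inflates past max_len bytes."""
    params = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, max_len)
    if inflater.unconsumed_tail:
        raise ValueError("inflated request exceeds limit")
    return xml.decode(), params.get("RelayState", [""])[0]


def post_binding_form_field(xml_message):
    """HTTP POST binding: the XML goes base64-encoded into a hidden SAMLRequest/SAMLResponse field."""
    return base64.b64encode(xml_message.encode()).decode()
```

RelayState is opaque to the IdP and is echoed back unchanged, so the SP must treat it as untrusted input when it uses it as a post-login redirect target.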
![Page 33: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/33.jpg)
Single Logout Profile
1. Service Provider issues a <LogoutRequest> to the Identity Provider.
2. Identity Provider determines the session participants.
3. Identity Provider issues a <LogoutRequest> to each session participant.
4. Session participants send a <LogoutResponse> to the Identity Provider.
5. Identity Provider sends a <LogoutResponse> to the Service Provider that initiated the Single Logout.
![Page 34: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/34.jpg)
Single Logout Profile
![Page 35: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/35.jpg)
SAML 2.0 Web Browser SSO Demo with the WSO2 Identity Server
![Page 36: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/36.jpg)
Example Solution - Federation
![Page 37: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/37.jpg)
What is not interesting about SAML 2.0 Web Browser SSO
● It is XML based
– serialization and canonicalization required
● Cryptographic operations (XML Signature, XML Encryption)
– a nightmare for scripting languages
![Page 38: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/38.jpg)
WS-Trust
![Page 39: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/39.jpg)
WS-Trust Security Model
● A Web service requires a set of claims to be present in the incoming request message.
● If the incoming request message doesn't carry the required claims, the service rejects or ignores the request.
● Built with
– Claims
– Policies
– Tokens
![Page 40: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/40.jpg)
WS-Trust
![Page 41: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/41.jpg)
Security Token Service
● Issuing tokens
● Renewing tokens
● Validating tokens
● Token exchange
● Brokering trust
![Page 42: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/42.jpg)
Tokens
● X.509 certificates
● XML based tokens (SAML)
● Kerberos shared-secret tokens
● Digest passwords (WS-Security UsernameToken)
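The "digest passwords" entry is the WS-Security UsernameToken with a PasswordDigest, the simplest token an STS validates before issuing something stronger in exchange. The following is an added example, not code from these slides or from WSO2, of both sides: the client computes Password_Digest = Base64(SHA-1(nonce + created + password)) over the raw nonce bytes, and the STS recomputes it, insists on the digest form rather than PasswordText, and rejects stale or replayed nonces. The user store, the freshness window and the sample token are constructed for this example; note that the digest can only be checked by a verifier that holds the plaintext password (or an equivalent secret), which is one reason to exchange it for a signed token as early as possible.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"wsse": WSSE, "wsu": WSU}
MAX_AGE = timedelta(minutes=5)  # freshness window assumed for this example
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce, created, password):
    """UsernameToken Profile: Password_Digest = Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_username_token(username, password, now):
    """Client side: a fresh random nonce and the current time bind each digest to one request."""
    nonce = secrets.token_bytes(16)
    created = now.strftime(TIME_FMT)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>"
    )


def validate_username_token(xml_token, lookup_password, seen_nonces, now):
    """STS side. `lookup_password(username)` returns the stored password or None;
    `seen_nonces` is a mutable set used for replay detection. Returns (ok, reason-or-username)."""
    try:
        tok = ET.fromstring(xml_token)
        username = tok.find("wsse:Username", NS).text
        password_el = tok.find("wsse:Password", NS)
        nonce_b64 = tok.find("wsse:Nonce", NS).text
        created = tok.find("wsu:Created", NS).text
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except (ET.ParseError, AttributeError, TypeError, ValueError):
        return False, "malformed token"
    if password_el.get("Type") != PASSWORD_DIGEST:
        return False, "only PasswordDigest accepted"  # PasswordText would carry the secret itself
    if abs(now - created_at) > MAX_AGE:
        return False, "stale token"
    if nonce_b64 in seen_nonces:
        return False, "replayed nonce"
    stored = lookup_password(username)
    # Always compute a digest (with a dummy secret for unknown users) so timing does not reveal valid names.
    expected = password_digest(nonce, created, stored if stored is not None else "")
    if stored is None or not hmac.compare_digest(expected, password_el.text or ""):
        return False, "bad digest"
    seen_nonces.add(nonce_b64)
    return True, username
```

The nonce cache only needs to remember values within the freshness window, so it can be pruned by the Created timestamp; without the window, the cache would have to grow forever to keep replay detection honest.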
![Page 43: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/43.jpg)
<wst:RequestSecurityToken>
![Page 44: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/44.jpg)
<wst:RequestSecurityTokenResponse>
![Page 45: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/45.jpg)
![Page 46: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/46.jpg)
WS-Trust Demo with the WSO2 Identity Server
![Page 47: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/47.jpg)
Example Solution – Token Exchange
![Page 48: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/48.jpg)
Example Solution – Bridged SSO
![Page 49: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/49.jpg)
Questions?
![Page 50: SSO with the WSO2 Identity Server](https://reader034.vdocument.in/reader034/viewer/2022050801/546fe8f2b4af9fb90a8b4587/html5/thumbnails/50.jpg)
Thank you