Last Updated: Jun. 2014

Senior Software EngineerSuresh Attanayake

Enterprise Single Sign On : SAML, OpenID

Connect and more

2

About the Presenter(s)

๏ Suresh Attanayake is a Senior Software Engineer at WSO2 from the Solutions Architecture/ Technical Sales team. He is a former Identity Server team member and have been involved in various WSO2 customer projects around the globe.

3

About WSO2๏ Global enterprise, founded

in 2005 by acknowledged leaders in XML, web services technologies, standards and open source

๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments

๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.

๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.

๏ Driven by Innovation

๏ Launched first open source API Management solution in 2012

๏ Launched App Factory in 2Q 2013

๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013

4

What WSO2 delivers

5

Passwords

1)123456

2)password

3)12345678

4)qwerty

5)abc123

http://splashdata.com/press/worstpasswords2013.htm

6

Password Fatigue

๏ Use easy to remember passwords

๏ Use the same password

7

Single Sign On

๏ Single password to remember

๏ Use password only once

๏ Use password only at one place

๏ Ease of administration

๏ Enforce password/account policies

8

SSO Model

9

SAML2 Web Browser SSO Profile๏ XML based

๏ Web browser based

๏ Bindings:

๏ HTTP Redirect Binding

๏ HTTP POST Binding

๏ HTTP Artifact Binding

๏ Profiles:

๏ Single Logout Profile

๏ Attribute Profile

10

SAML2 Web Browser SSO

11

SAML2 <AuthnRequest>

12

SAML2 <Response>

13

OpenID

๏ Plain Text Key-Value pairs

๏ Web browser based

๏ Indirect communication:

๏ HTTP Redirection

๏ HTTP Form submission

๏ Features:

๏ OpenID Provider (IDP) discovery

๏ OpenID Attribute Exchange / OpenID Simple Registration

14

OpenID

15

OpenID Authentication Request

openid.ns:http://specs.openid.net/auth/2.0openid.claimed_id:https://localhost:9443/openid/sureshopenid.identity:https://localhost:9443/openid/sureshopenid.return_to:http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=trueopenid.realm:http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=trueopenid.assoc_handle:AOQobUfyfIM0vAz-VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiqopenid.mode:checkid_setupopenid.ns.ext1:http://openid.net/srv/ax/1.0openid.ext1.mode:fetch_requestopenid.ext1.type.email:http://axschema.org/contact/emailopenid.ext1.type.firstname:http://axschema.org/namePerson/firstopenid.ext1.type.lastname:http://axschema.org/namePerson/lastopenid.ext1.type.country:http://axschema.org/contact/country/homeopenid.ext1.type.language:http://axschema.org/pref/languageopenid.ext1.required:email,firstname,lastname,country,language

16

OpenID Authentication Response

openid.op_endpoint:https://localhost:9443/openidserveropenid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.firstname,ext1.value.firstname,ext1.type.email,ext1.value.email,ext1.type.language,ext1.value.language,ext1.type.lastname,ext1.value.lastnameopenid.ns.ext1:http://openid.net/srv/ax/1.0openid.sig:wyQi3eTjESAVWsHjPODQ2q7UUVMvNOTySTCvffmqd+A=is_id_res:trueopenid.response_nonce:2011-05-18T14:54:21Z0eugpxqu3Sv9Iwopenid.claimed_id:https://localhost:9443/openid/sureshopenid.ext1.value.lastname:Attnayakeopenid.ext1.value.firstname:Sureshopenid.assoc_handle:AOQobUfyfIM0vAz-VgjNgxnkimSyr3SUX7QvAVzeeM19NM7QmpeTXPTepi4rWCr6wkIyFDiqopenid.ext1.value.email:suresh@wso2.comopenid.ext1.type.language:http://axschema.org/pref/languageopenid.ext1.type.lastname:http://axschema.org/namePerson/lastopenid.ext1.type.firstname:http://axschema.org/namePerson/firstopenid.ns:http://specs.openid.net/auth/2.0openid.identity:https://localhost:9443/openid/sureshopenid.ext1.type.email:http://axschema.org/contact/emailopenid.mode:id_resopenid.ext1.mode:fetch_responseopenid.ext1.value.language:en-USopenid.return_to:http://localhost:8081/openid-attribute-exchange/attexconsumer?is_id_res=true

17

OpenID Connect

๏ Built on top of OAuth2.0 framework

๏ Web browser based

๏ HTTP GET query params, HTTP POST request params and JSON

๏ Authentication Flows:

๏ Authorization Code flow

๏ Implicit flow

๏ Hybrid flow

๏ Features:

๏ OpenID Connect discovery

๏ OpenID Connect Dynamic Registration

๏ Session Management

18

OpenID Connect

19

OIDC Authentication Request

HTTP/1.1 302 Found Location: https://server.example.com/authorize? response_type=code &scope=openid%20profile%20email &client_id=s6BhdRkqt3 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

20

OIDC Authentication Response

HTTP/1.1 302 Found Location: https://client.example.org/cb? code=SplxlOBeZQQYbYS6WxSbIA &state=af0ifjsldkj

21

OIDC Token Request

POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

22

OIDC Token Response

HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache

{ "access_token": "SlAV32hkKG", "token_type": "Bearer", "refresh_token": "8xLOxBtZp8", "expires_in": 3600, "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc yI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5 NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZ fV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6q Jp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7Tpd QyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4 XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg" }

23

OIDC IDToken

JWT header : {"alg":"RS256","kid":"1e9gdk7"}

JWT payload : { "iss": "http://server.example.com", "sub": "248289761001", "aud": "23k23k3434", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970}

JWT Signature

24

UserInfo Request

GET /userinfo HTTP/1.1 Host: server.example.com Authorization: Bearer SlAV32hkKG

25

UserInfo Response

HTTP/1.1 200 OK Content-Type: application/json

{ "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "preferred_username": "j.doe", "email": "janedoe@example.com", "picture": "http://example.com/janedoe/me.jpg" }

26

WS-Trust

27

Kerberos

28

How to pick a technology

Examples:

1. How components interact with each other 2. Technologies preferred3. Existing systems and limitations 4. Platforms

29

Web Applications

30

Business Model

31

More Information !

๏ Include links to product downloads, white paper downloads , etc.

Contact us !