OpenSSO: Simplify Your
Single-Sign-On Needs
Sang Shin
Java Technology Architect
Sun Microsystems, inc.
javapassion.com
1
Agenda
• Enterprise security needs
• What is OpenSSO?
• OpenSSO features
> SSO and Access Control
> Federated Single Sign On
> Web Services Security
> Identity Services
• OpenSSO Community
• Summary & Resources
2
Enterprise Identity-based Security Needs
Enterprise SSO Challenges
• Within an organization, we need Single Sign-On (SSO)
> “Every application wants me to log in!”
> “I have too many passwords – my monitor is covered in Post-its!”
> “We're implementing Sarbanes-Oxley – we need to control access to applications!”
• Outside of an organization, we need Federated SSO across organizations
> “We need to access outsourced functions!”
> “Our partners need to access our applications!”
4
Enterprise Security Use Cases –
Within an Organization
• An employee retrieves his or her own salary
information
• A manager retrieves employee salary histories to
determine an individual’s merit raise
5
Enterprise Security Use Cases –
Outside of an Organization
• An engineer sends an internal URL for a
specification document to another engineer who
works for a partner company.
• A vendor submits an invoice to the company’s
accounting department.
• A corporate human resources administrator
accesses an outsourced benefits application.
• An administrative assistant adds a new hire to the
corporate database, triggering the company’s
health insurance provider to add the new hire to its
enrollment.
6
Enterprise Security Challenges
• Single Sign-On
• Access control
• Centralized policy management
• Provisioning and profiling
• Identity auditing
• Standards-based solution
• Easy to deploy and manage
7
What is OpenSSO?
What is OpenSSO?
• OpenSSO (http://opensso.org/) is a Sun
Microsystems-sponsored open source project
providing core identity functionality such as
> Single sign-on (SSO) and Access Control
> Federated SSO
> Web services security
> Identity Web services
• Sun OpenSSO Enterprise 8.0, the currently
shipping commercial product, is built from
OpenSSO
9
Identity Management Suite
Identity Manager
• Automated Provisioning
• Password Management
• Identity Synchronization
• Identity Auditing
Role Manager
• Role Engineering
• Role Maintenance
• Role Certification
• Identity Compliance
OpenSSO Enterprise
• Single Sign-on/Log-out
• Federation services
• Authorization policies
• Authentication modules
Directory Server
• Directory services
• Virtual directory services
• Security/failover services
• Data distribution services
OpenSSO
• Open Sourced
• Product codebase for Sun OpenSSO Enterprise
OpenDS
• Open Sourced
• Next Generation
• Product codebase for Sun OpenDS SE
3+ Billion Identities Under Management
10
OpenSSO Architecture
11
OpenSSO Architecture
(Diagram slide; no text recovered)
12
OpenSSO Architectural Roles
• Policy Agent
> Sits on the application/web server hosting the application that needs to be protected
> Intercepts requests to protected resources and redirects them to the OpenSSO server
• OpenSSO Server
> Provides services like Authentication, Authorization, Federation etc.
> Is contacted by the Policy Agent for these services
> Comes in the form of a single deployable Web application (opensso.war)
13
SSO & Access Control
(Within an Enterprise)
14
How SSO Works (Within an Enterprise)
• “Policy agents” are installed to protect web resources (web sites or web-based applications)
• “Policy agents” interact with the OpenSSO “policy server” to handle authentication, single sign-on, and authorization requests
(Diagram: Web User → Agent on Web Server or Application Server → OpenSSO Policy Server → Directory)
15
SSO - Initial Login Process
1. Browser sends access request to a protected resource the first time - no SSO-Token is present
2. Agent intercepts the request, and redirects it to OpenSSO server for Authentication
3. OpenSSO server performs authentication and then sends back SSO-Token
4. Agent validates SSO-token and allows access
(Diagram: Web User, Web Server with Agent, OpenSSO Server, Directory; steps 1-4 are numbered on the arrows)
16
SSO - Subsequent Access
1. Page request (with SSO-token) to a 2nd protected resource
2. Agent validates the token - no login required
(Diagram: Web User, two Web Servers each with an Agent, OpenSSO Server, Directory)
17
How SSO Works (Within an Enterprise) Again
18
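The initial-login and subsequent-access flows above, modelled end to end as an added example (this is not OpenSSO's code and not from the author's deck). A stand-in policy server issues opaque SSO tokens and keeps the session table; two stand-in policy agents on different hosts consult it. The directory contents, host names, login URL and the 1800-second session lifetime are constructed sample values; `iPlanetDirectoryPro` is OpenSSO's default cookie name.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Constructed credential store standing in for the directory (sample data, not OpenSSO's).
DIRECTORY = {"alice": "correct horse battery staple"}
SESSION_TTL_SECONDS = 1800
SSO_COOKIE = "iPlanetDirectoryPro"  # OpenSSO's default SSO cookie name


@dataclass
class OpenSSOServer:
    """Stand-in for the OpenSSO policy server: authenticates users and owns the
    session table that agents consult to validate SSO tokens."""
    sessions: dict = field(default_factory=dict)

    def login_url(self, goto):
        # The agent sends the browser here; 'goto' carries the originally requested URL.
        return "https://sso.example.test/opensso/UI/Login?" + urlencode({"goto": goto})

    def authenticate(self, username, password):
        expected = DIRECTORY.get(username)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)  # opaque and unguessable; carries no user data itself
        self.sessions[token] = {"user": username, "expires": time.time() + SESSION_TTL_SECONDS}
        return token

    def validate(self, token):
        """Return the user behind a live token, or None. The lookup is server-side,
        so the agent never trusts anything the browser put in the cookie."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if sess["expires"] <= time.time():
            del self.sessions[token]  # expired: evict and treat as absent
            return None
        return sess["user"]

    def logout(self, token):
        self.sessions.pop(token, None)


@dataclass
class PolicyAgent:
    """Stand-in for a web/J2EE policy agent in front of one protected application."""
    server: OpenSSOServer
    host: str
    protected_prefix: str = "/hr/"

    def handle(self, path, cookies):
        """Return ('allow', user) or ('redirect', login_url) for one request."""
        if not path.startswith(self.protected_prefix):
            return ("allow", None)  # not a protected resource: pass through
        token = cookies.get(SSO_COOKIE)
        user = self.server.validate(token) if token else None
        if user is None:
            return ("redirect", self.server.login_url(self.host + path))
        return ("allow", user)


def walk_through():
    """Initial login, then subsequent access to a second resource, then two failures."""
    server = OpenSSOServer()
    agent_a = PolicyAgent(server, "https://payroll.example.test")
    agent_b = PolicyAgent(server, "https://reviews.example.test")  # second server, same policy server
    steps = []
    # Steps 1-2: no SSO token yet, so the agent redirects to the OpenSSO login page.
    steps.append(agent_a.handle("/hr/salary", {}))
    # Step 3: the user authenticates at OpenSSO, which issues the SSO token (set as a cookie).
    token = server.authenticate("alice", DIRECTORY["alice"])
    cookies = {SSO_COOKIE: token}
    # Step 4: the agent validates the token with the server and lets the request through.
    steps.append(agent_a.handle("/hr/salary", cookies))
    # Subsequent access: a second protected resource behind another agent, no login needed.
    steps.append(agent_b.handle("/hr/history", cookies))
    # A guessed or forged token fails server-side validation and is sent to login.
    steps.append(agent_b.handle("/hr/history", {SSO_COOKIE: "forged-token"}))
    # After single log-out the original cookie is no longer honoured by any agent.
    server.logout(token)
    steps.append(agent_a.handle("/hr/salary", cookies))
    return steps


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

The design point worth noticing is that the agents hold no secret and decode nothing: every decision is a lookup in the policy server's session table, which is why single log-out and expiry take effect for every protected application at once.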
Federated
Single Sign-On
19
Service Outsourcing Without
Federation (Multi-Login problem)
20
Service Outsourcing With Federation
(Single Sign-On)
21
Important Concepts in Federation
• Identity Provider (IDP)
> Performs authentication, access control
• Service Provider (SP)
> Provides services, resources
• Circle of Trust (CoT)
> A trust relationship exists between its members (IDP's, SP's)
> Must include at least one IDP
• Metadata
> SAML specifications describing the entities in a standard way
22
Use Case #1 of Federation
• University now uses Google Gmail as its primary mail system
> Students don't have to carry two email accounts
> University saves time and resources
• University still maintains the identity information and performs authentication and authorization
> It plays the role of IDP
> Google plays the role of SP
• University might use an external student loan processing service for its students/alumni
> Forms a CoT
23
Use Cases of Federation
• Business organization lets its employees use Google Apps, SalesForce.com
• Business organization lets its employees manage their 401K through a 3rd-party management company
• Business organization lets its employees manage their healthcare through 3rd-party HMOs
24
Federated SSO (1 of 2)
1. Service provider sends SAML authentication request to identity provider via HTTP redirect.
2. User is redirected to identity provider. User logs in.
3. User is authenticated.
(Diagram: Web User, Service Provider, Identity Provider)
25
Federated SSO (2 of 2)
4. SAML response message (to be sent to the service provider) is returned.
5. SAML response message is sent to the service provider.
(Diagram: Web User, Service Provider, Identity Provider)
26
Federated SSO Interaction
SAML request
SAML Response
27
Fedlet
28
What is Fedlet?
• A lightweight Service Provider (SP) implementation which provides quick enablement of service providers
• Supports minimal SSO-related needs in business scenarios without the need for a full-fledged Federation product deployment
> Two guys working in a garage (“Two-guy-ringtone”) providing ring tones to the Telecom company
• The administrator at the IDP (Identity Provider) can use the OpenSSO console to create a Fedlet zip file
> The Telecom company, as the IDP, creates a Fedlet and gives it to the “Two-guy-ringtone” company
29
Fedlet: SP-Initiated SSO
30
Fedlet: IDP-Initiated SSO
31
Demo:
Fedlet
www.javapassion.com/handsonlabs/opensso_basics/
(Demo Scenario in the Next Slide!)
32
Demo Setup
• Installation and configuration of OpenSSO server
> Single war file - opensso.war
> Simple configuration - only thing you have to provide is admin
and agent passwords
> Embedded DS (Directory Server) is used - no need to configure
DS
• Creation of IDP (Identity Provider) in a new CoT
> IDP performs authentication and access control policy check
> IDP maintains the user credentials in the embedded DS
• Creation of Fedlet
> Functions as a front-end SP (Service Provider)
33
Demo Scenario
• A user accesses a resource at an SP (Service Provider)
• The SP redirects the request to the IDP for authentication
• The user logs into the IDP
• The IDP authenticates the user and redirects back to the SP
• The SP allows access
34
Web Services
Security
35
Requirements for Web Service Identity
• Identify the end user and web service participant
• Preserve identity
> Across multiple 'hops' - end to end
> Across domain boundaries - beyond company boundary
> Across vendors' products - standards based
• Using existing standards and technologies
• Container plug-ins for runtime injection and validation of
Identity Tokens
> Glassfish, WebSphere, WebLogic; possibly Tomcat, JBOSS
36
Web Services Security
Secure Token Services
(Diagram: OpenSSO Enterprise on both sides of the token exchange)
Validate, issue and translate standards-based tokens and proprietary tokens, including Oracle Access Manager & CA SiteMinder tokens
37
Security Token Service
How does it work?
38
Identity Services
39
Identity Services through OpenSSO
40
Identity Services
• Authentication, Authorization, Audit, and Provisioning (AAAP)
exposed as Services
• Focused on enabling developers, simplifying security
• Reusable AAAP services as building blocks for Business
Integration and Composite Applications
• Supported on developers' IDEs of choice
> NetBeans, Eclipse, Visual Studio
41
Why Identity Services?
• AAAP are core services in any identity-enabled
application whether for security or personalization
• Injecting and consuming identity in applications
must get easier
> Runtime configuration for container as opposed to
building into application
• Essential elements for building a Secure Service
Oriented Architecture (SOA)
42
Why Identity Services?
• Developers:
> Aren’t focused on identity, not a core competency
> Want to focus on business logic, not the identity
implementation
> Need Identity Services exposed as basic building blocks
> Prefer building secure applications over security code
43
Available Identity Services
Authentication: Verification of User Credentials
authenticate (username, password, uri) => Token
Authorization: Permission for authenticated users to access secured resources.
authorize (Resource, Action, Token) => boolean
Attributes: Collection of the profiles of authenticated users
attributes (List attrNames, Token) => UserDetails
Audit Log: Ability to audit and record operations
log (AppToken, Token, Logname, Message)
44
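An added example (not OpenSSO's identity web services and not from the deck) that implements the four AAAP operations with the signatures listed on the slide, then exercises them with the two salary use cases from the "Within an Organization" slide: an employee reading his own salary and a manager reading salary histories. The users, roles, resource patterns, policy rules and the registered application token are constructed sample data; the log names are made up for illustration.

```python
import fnmatch
import secrets
import time
from dataclasses import dataclass, field

# Constructed user store (sample data): credentials, a role, and profile attributes.
USERS = {
    "alice": {"password": "alice-pw", "role": "manager", "mail": "alice@example.test", "dept": "finance"},
    "bob": {"password": "bob-pw", "role": "employee", "mail": "bob@example.test", "dept": "finance"},
}
# Constructed policy set: a resource pattern, the actions it covers, and roles allowed to perform them.
POLICIES = [
    {"resource": "http://hr.example.test/salary/self*", "actions": {"GET"}, "roles": {"employee", "manager"}},
    {"resource": "http://hr.example.test/salary/history/*", "actions": {"GET", "POST"}, "roles": {"manager"}},
]
APP_TOKENS = {"app-secret-1": "hr-portal"}  # applications allowed to write to the audit log


@dataclass
class IdentityServices:
    """Stand-in for the AAAP services: authenticate, authorize, attributes, log."""
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def authenticate(self, username, password, uri):
        """authenticate(username, password, uri) => Token (None on failure)."""
        user = USERS.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            self.log(None, None, "amAuthentication", f"LOGIN_FAILED user={username} uri={uri}")
            return None
        token = secrets.token_urlsafe(24)  # opaque session identifier
        self.sessions[token] = {"user": username, "issued": time.time()}
        self.log(None, token, "amAuthentication", f"LOGIN_SUCCESS uri={uri}")
        return token

    def _user(self, token):
        sess = self.sessions.get(token)
        return {**USERS[sess["user"]], "uid": sess["user"]} if sess else None

    def authorize(self, resource, action, token):
        """authorize(Resource, Action, Token) => boolean. Default is deny."""
        user = self._user(token)
        if user is None:
            return False  # no valid session: deny without consulting policy
        for rule in POLICIES:
            if (fnmatch.fnmatchcase(resource, rule["resource"])
                    and action in rule["actions"] and user["role"] in rule["roles"]):
                self.log(None, token, "amPolicy", f"ALLOW {action} {resource}")
                return True
        self.log(None, token, "amPolicy", f"DENY {action} {resource}")
        return False

    def attributes(self, attr_names, token):
        """attributes(List attrNames, Token) => UserDetails; never releases the credential."""
        user = self._user(token)
        if user is None:
            return None
        return {name: user[name] for name in attr_names if name in user and name != "password"}

    def log(self, app_token, token, logname, message):
        """log(AppToken, Token, Logname, Message). Only registered applications may write."""
        if app_token is not None and app_token not in APP_TOKENS:
            return False
        self.audit_log.append({
            "ts": time.time(),
            "log": logname,
            "app": "internal" if app_token is None else APP_TOKENS[app_token],
            "user": self.sessions.get(token, {}).get("user"),
            "msg": message,
        })
        return True


def salary_scenario():
    """Employee reads own salary; manager reads a history; the reverse is denied."""
    svc = IdentityServices()
    bob = svc.authenticate("bob", "bob-pw", "http://hr.example.test/")
    alice = svc.authenticate("alice", "alice-pw", "http://hr.example.test/")
    results = {
        "bob_self": svc.authorize("http://hr.example.test/salary/self", "GET", bob),
        "bob_history": svc.authorize("http://hr.example.test/salary/history/bob", "GET", bob),
        "alice_history": svc.authorize("http://hr.example.test/salary/history/bob", "GET", alice),
        "alice_delete": svc.authorize("http://hr.example.test/salary/history/bob", "DELETE", alice),
        "no_session": svc.authorize("http://hr.example.test/salary/self", "GET", "bogus"),
        "bob_attrs": svc.attributes(["mail", "dept", "password"], bob),
        "unregistered_app_log": svc.log("not-a-registered-app", alice, "hrPortal", "x"),
    }
    svc.log("app-secret-1", alice, "hrPortal", "viewed salary history for bob")
    return results, svc.audit_log
```

Two choices carry the security weight: `authorize` falls through to deny when no rule matches, so a new resource is protected until someone writes a policy for it, and the audit log records both allow and deny decisions with the session's user, which is what an identity-auditing review needs to reconstruct who attempted what.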
OpenSSO
Community
45
OpenSSO Community
• In three years...
> 950+ project members at opensso.org
> ~20 external committers
• Production deployments
> Audi UK: 250,000 customer profiles
> Telenet: foundation for fine-grained authorization
> CPqD: 3000 users, 75 apps, 4 months!
46
OpenSSO Enterprise Options
• OpenSSO Express Build
> A community build that has undergone extensive automated
testing and moderate manual testing by Sun Quality
Assurance Engineering Team.
> Delivered every 3 months
• OpenSSO Commercial Build
> A community build that has undergone extensive manual and
automated testing by Sun Quality Assurance Engineering
Team.
> Delivered every 12 – 15 months
47
Summary &
Resources
48
OpenSSO Enterprise
One solution to solve ALL of your SSO problems
Web access management, Federation, and Secure Web services
49
Sun Identity: How We're Different?
(Slide sidebar labels: Simple, Open, Scalable)
• Easiest identity Portfolio to deploy, configure and use in the market
• Highest Adoption Rate
• Only Supported Open Source Identity Suite in the world
• Implement all Identity Relevant Standards (SAML, XACML, ..)
• Most Scalable Identity Platform
• Can manage billions of users, roles, partners
• Internal and External
50
More Information
• OpenSSO Wiki
http://wiki.opensso.org/
• OpenSSO Project
http://www.opensso.org
• Sun Identity Management
http://www.sun.com/identity
51
Free Training Labs
• Five downloadable, self-paced labs
> deploy two Apache Tomcat servers
> SSL-enable them
> install a software load balancer
> install OpenSSO into the environment
> configure for session failover
• Includes virtual image containing
OpenSolaris, Glassfish, OpenSSO
and OpenDS
> Fast forward or rewind image using ZFS
• Go to OpenSSO.org and click on
Training (left sidebar)
52
THANK YOU!
Sang Shin
sang.shin@sun.com
53