
OpenSSO Overview

Sidharth Mishra Sun Microsystems, Inc.



Today's SSO Problems


1. How do I centralize SSO and security policy for my web applications?
2. How can I quickly connect with partners, SaaS providers, subsidiaries, acquisitions and affiliates?
3. How do I centralize SSO and security policy for my web services?

OpenSSO Enterprise

A single solution that solves ALL of these SSO problems


Web Single Sign On, Federation, and Secure Web services

Web SSO

OpenSSO Enterprise
How does it work?

SSO And Access Control


Authentication
Standards-based, extensible authentication framework (JAAS based)
Supports multiple pluggable authentication mechanisms
> LDAP, RADIUS, Certificate, SafeWord, RSA SecurID, Unix, Windows NT, WindowsDesktopSSO (Kerberos), Anonymous, Membership (self-enrollment)
> Custom authentication mechanisms using the SPI
Multi-factor authentication (chained authentication mechanisms)
Multi-level and multi-scheme authentication
Resource-based authentication
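The slide lists chained, multi-level and resource-based authentication without showing how a chain is evaluated. The following is an added example, not OpenSSO code: a small Python evaluator that applies the JAAS control flags (required, requisite, sufficient, optional) to a chain of pluggable modules and derives an authentication level that a protected resource can then demand. The module names, the rule that the session takes the highest level of the modules that passed, the credential stores and all credentials are constructed assumptions for illustration.

```python
"""Chained (multi-factor) authentication with JAAS-style control flags.

Added example, not OpenSSO code. The module names, authentication levels,
user store and credentials are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Flag(Enum):
    REQUIRED = "required"      # must succeed; the chain continues either way
    REQUISITE = "requisite"    # must succeed; a failure stops the chain at once
    SUFFICIENT = "sufficient"  # a success ends the chain early (unless something mandatory failed)
    OPTIONAL = "optional"      # its outcome never decides the chain


@dataclass
class AuthModule:
    name: str
    flag: Flag
    auth_level: int                            # strength assigned to this mechanism
    verify: Callable[[Dict[str, str]], bool]   # pluggable check, the role of an SPI module


@dataclass
class AuthResult:
    success: bool
    auth_level: int = 0                        # highest level among passed modules (assumption)
    passed: List[str] = field(default_factory=list)
    failed_on: Optional[str] = None


def run_chain(chain: List[AuthModule], creds: Dict[str, str]) -> AuthResult:
    """Evaluate a chain with JAAS semantics and derive the session's auth level."""
    passed: List[AuthModule] = []
    mandatory_failed = False
    failed_on = None
    for module in chain:
        if module.verify(creds):
            passed.append(module)
            if module.flag is Flag.SUFFICIENT and not mandatory_failed:
                break                          # enough evidence; skip the remaining modules
        elif module.flag in (Flag.REQUIRED, Flag.REQUISITE):
            mandatory_failed = True
            failed_on = failed_on or module.name
            if module.flag is Flag.REQUISITE:
                break                          # no point in running further modules
    if mandatory_failed or not passed:
        return AuthResult(False, 0, [m.name for m in passed], failed_on)
    return AuthResult(True, max(m.auth_level for m in passed), [m.name for m in passed])


# Constructed credential stores standing in for LDAP, an OTP service and a KDC.
_SALT = b"constructed-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


PASSWORDS = {"alice": _hash_password("correct horse")}
OTP_CODES = {"alice": "492817"}
KERBEROS_TICKETS = {"alice": "constructed-service-ticket"}


def ldap_verify(creds: Dict[str, str]) -> bool:
    stored = PASSWORDS.get(creds.get("user", ""))
    return stored is not None and hmac.compare_digest(stored, _hash_password(creds.get("password", "")))


def otp_verify(creds: Dict[str, str]) -> bool:
    code = OTP_CODES.get(creds.get("user", ""), "")
    return bool(code) and hmac.compare_digest(code, creds.get("otp", ""))


def kerberos_verify(creds: Dict[str, str]) -> bool:
    ticket = KERBEROS_TICKETS.get(creds.get("user", ""), "")
    return bool(ticket) and hmac.compare_digest(ticket, creds.get("ticket", ""))


# Multi-factor chain: a bad password stops the chain before the OTP is even checked.
MFA_CHAIN = [
    AuthModule("LDAP", Flag.REQUISITE, 1, ldap_verify),
    AuthModule("OTP", Flag.REQUIRED, 2, otp_verify),
]

# Multi-scheme chain: desktop SSO alone is sufficient; otherwise fall back to the password.
DESKTOP_CHAIN = [
    AuthModule("WindowsDesktopSSO", Flag.SUFFICIENT, 2, kerberos_verify),
    AuthModule("LDAP", Flag.REQUIRED, 1, ldap_verify),
]


def meets_level(result: AuthResult, required_level: int) -> bool:
    """Resource-based check: a protected resource may demand a minimum auth level."""
    return result.success and result.auth_level >= required_level


if __name__ == "__main__":
    result = run_chain(MFA_CHAIN, {"user": "alice", "password": "correct horse", "otp": "492817"})
    print(result, "level 2 resource:", meets_level(result, 2))
```

The requisite flag on the password module means a wrong password ends the chain without consulting the OTP service, while the sufficient flag on desktop SSO lets a Kerberos-authenticated user skip the password module entirely; the resulting level is what a resource-based policy compares against.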

SSO And Access Control


Authorization Policy = Rules + Subjects + Conditions + Response Provider
> Rules: the resource to be protected (e.g. URL)
> Subjects: who is allowed to access (user/role/group etc.)
> Conditions: extra constraints (IP address mask, authN level/scheme, time/day etc.)
> Response Provider: additional response data to be sent back to the resource.
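To make the four-part policy model concrete, here is an added example (not OpenSSO code) of a policy evaluator over constructed policies and requests: rules are URL patterns with an allow or deny action, subjects are users or roles, conditions cover the IP mask, authentication level and time-of-day constraints the slide names, and a response provider returns attributes for the resource. The policy names, resource URLs, networks, attribute names, and the choice that deny overrides allow and that no matching policy means deny are all assumptions made for this example.

```python
"""Policy = Rules + Subjects + Conditions + Response Provider.

Added example, not OpenSSO code: a small evaluator over constructed policies
and requests. Resource names, roles, networks and attribute names are made up.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Request:
    resource: str          # the URL an agent is protecting
    user: str
    roles: Set[str]
    client_ip: str
    auth_level: int
    auth_scheme: str
    at: datetime


Condition = Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    rules: Dict[str, str]            # URL pattern -> "allow" | "deny"
    users: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)
    conditions: List[Condition] = field(default_factory=list)
    response_provider: Optional[Callable[[Request], Dict[str, str]]] = None


@dataclass
class Decision:
    allowed: bool
    matched: List[str]               # names of the policies that applied
    response: Dict[str, str]         # attributes handed back to the resource


# Condition factories: extra constraints on an otherwise matching policy.
def ip_in(cidr: str) -> Condition:
    net = ipaddress.ip_network(cidr)
    return lambda r: ipaddress.ip_address(r.client_ip) in net


def min_auth_level(level: int) -> Condition:
    return lambda r: r.auth_level >= level


def auth_scheme_in(*schemes: str) -> Condition:
    return lambda r: r.auth_scheme in schemes


def time_window(start: time, end: time, weekdays: Set[int]) -> Condition:
    return lambda r: r.at.weekday() in weekdays and start <= r.at.time() <= end


def _subject_matches(p: Policy, r: Request) -> bool:
    return r.user in p.users or bool(p.roles & r.roles)


def evaluate(policies: List[Policy], req: Request) -> Decision:
    """Deny wins over allow; no applicable policy means deny (assumed defaults)."""
    allow, deny, matched, response = False, False, [], {}
    for p in policies:
        for pattern, action in p.rules.items():
            if not fnmatch.fnmatchcase(req.resource, pattern):
                continue                      # rule does not cover this resource
            if not _subject_matches(p, req) or not all(c(req) for c in p.conditions):
                continue                      # subject or conditions rule the policy out
            matched.append(p.name)
            if action == "deny":
                deny = True
            elif action == "allow":
                allow = True
                if p.response_provider:
                    response.update(p.response_provider(req))
    allowed = allow and not deny
    return Decision(allowed, matched, response if allowed else {})


# Constructed policies: HR staff may reach payroll from the internal network,
# with strong authentication, during office hours; contractors never may.
POLICIES = [
    Policy("payroll-hr",
           rules={"https://intranet.example.com/payroll/*": "allow"},
           roles={"hr"},
           conditions=[ip_in("10.0.0.0/8"), min_auth_level(2),
                       time_window(time(7, 0), time(19, 0), {0, 1, 2, 3, 4})],
           response_provider=lambda r: {"X-Subject": r.user, "X-Auth-Level": str(r.auth_level)}),
    Policy("contractors-blocked",
           rules={"https://intranet.example.com/payroll/*": "deny"},
           roles={"contractor"}),
]

if __name__ == "__main__":
    req = Request("https://intranet.example.com/payroll/run", "alice", {"hr"},
                  "10.1.2.3", 2, "OTP", datetime(2024, 5, 14, 10, 0))
    print(evaluate(POLICIES, req))
```

Note that the response provider only contributes attributes when the final decision is allow; a deny from any matching policy both blocks the request and suppresses the attributes, so the resource never receives identity data for a request it must refuse.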

Solution: OpenSSO Web Access Management


Three Tough Challenges. One Powerful Solution.

Centralized server configuration
Centralized agent configuration
Agent and proxy modes
AAA Identity Services
Embedded directory server for user store and policy store
XACML support for standards-based policy management
Consumes and translates 3rd-party tokens from all major WAM solutions

Federation

Federated Single Sign On


Federation is built into OpenSSO Enterprise. No additional software needed.
Federation for cross-domain application integration.
> Software-infrastructure independent. Sites only agree on protocol version and binding type.
Facilitates trusted relationships.
> Creates tighter, more satisfying customer, partner and employee relationships.
> Extends existing and new revenue opportunities.
> Implements business models that generate efficiencies and productivity gains.

Solution: OpenSSO Federation

Three Tough Challenges. One Powerful Solution.


The Fedlet, an 8.5MB package that allows service providers to create fully configured SAML 2 based trust networks in minutes
Multi-protocol Federation Hub: easily federate with any company regardless of what federation language they speak
Virtual Federation Proxy: incorporate any number of legacy authentications with a single instance of OpenSSO
Supports all major standards including SAML, WS-Federation, Liberty ID-FF, WS-Trust, WS-Security, and WS-Policy
Coexists with other major WAM solutions and participates in federation.


Web Services Security

OpenSSO and Web Services Security

Problem:
> How do I support web services for my web applications in various containers when it is handled differently from container to container?

What It Does
> Provides agents that can be deployed in containers for consuming, processing and transforming security tokens, including SAML
> Abstracts security from the application.
> Agent allows standardization on security across multiple containers (e.g. Sun, IBM, BEA etc.)
> Secures SOAP request and validates SOAP response at WSC. Validates SOAP request and secures SOAP response at WSP.
> Implements the container's authentication SPI (JSR 196)

[Diagram: Web Service Client (WSS/J2EE Agent, clientsdk) sends a SOAP (WSS) request to the Web Service Provider (WSS Agent, clientsdk), with the OpenSSO Server shown alongside both agents.]

Secure Token Service

Problem:
> How does the Web service verify the credentials presented by the client?

How It Works
> An authenticated client requests the token needed to access the web service provider.
> The STS verifies the credentials presented by the client, and then in response issues a security token that provides proof that the client has authenticated with the STS.
> The client presents the WS-I BSP based security token (User Name, X.509, SAML etc.) to the Web service.
> The Web service verifies that the token was issued by a trusted STS, which proves that the client has successfully authenticated with the STS.

[Diagram: Web Service Client requests Issue Token (WS-Trust) from the Security Token Service, then sends the SOAP (WSS) request to the Web Service Provider.]
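The four steps above, together with the WSC/WSP agent roles on the previous slide (secure the request at the client, validate it at the provider), can be traced end to end in code. The following is an added example, not OpenSSO code: an HMAC-signed JSON token stands in for the signed SAML or X.509 token a real STS issues over WS-Trust, a dict stands in for the SOAP envelope, and the provider validates issuer trust, signature, audience and expiry before processing the body. The issuer names, signing keys, service names, users and passwords are all constructed assumptions.

```python
"""WS-Trust style token issuance at an STS and validation at the Web service.

Added example, not OpenSSO code. An HMAC-signed JSON token stands in for the
signed SAML/X.509 token a real STS would issue over WS-Trust, and a dict stands
in for the SOAP envelope. Issuer names, keys, users and passwords are constructed.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL = 300                    # seconds a token stays valid (constructed)
_SALT = b"constructed-salt"        # salt for the constructed credential store


def _pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


def _canonical(payload: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class SecurityTokenService:
    def __init__(self, issuer: str, signing_key: bytes, users: Dict[str, bytes]):
        self.issuer, self.key, self.users = issuer, signing_key, users

    def issue(self, username: str, password: str, audience: str, now: Optional[float] = None) -> Optional[dict]:
        """Steps 1-2: verify the client's credentials, then issue a token bound to the target service."""
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, _pw(password)):
            return None
        now = time.time() if now is None else now
        payload = {"iss": self.issuer, "sub": username, "aud": audience,
                   "iat": int(now), "exp": int(now) + TOKEN_TTL, "scheme": "UserName"}
        sig = hmac.new(self.key, _canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


class WebServiceProvider:
    def __init__(self, audience: str, trusted_issuers: Dict[str, bytes]):
        self.audience, self.trusted = audience, trusted_issuers

    def validate(self, token: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        """Step 4: accept only tokens from a trusted STS, for this service, and still valid."""
        now = time.time() if now is None else now
        payload, sig = token.get("payload", {}), token.get("signature", "")
        key = self.trusted.get(payload.get("iss"))
        if key is None:
            return False, "untrusted issuer"
        expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        if payload.get("aud") != self.audience:
            return False, "audience mismatch"
        if now >= payload.get("exp", 0):
            return False, "expired"
        return True, "ok"

    def handle(self, envelope: dict, now: Optional[float] = None) -> dict:
        """The WSS agent at the provider validates the token before the body is processed."""
        token = envelope.get("header", {}).get("security", {}).get("token", {})
        ok, reason = self.validate(token, now)
        if not ok:
            return {"status": "fault", "reason": reason}
        return {"status": "ok", "subject": token["payload"]["sub"], "op": envelope["body"]["op"]}


class WebServiceClient:
    def call(self, sts, wsp, username, password, op="getBalance", now=None) -> dict:
        token = sts.issue(username, password, wsp.audience, now)       # Issue Token (WS-Trust)
        if token is None:
            return {"status": "fault", "reason": "sts rejected credentials"}
        envelope = {"header": {"security": {"token": token}}, "body": {"op": op}}   # step 3
        return wsp.handle(envelope, now)                                 # SOAP (WSS) request


# Constructed trust setup: the provider holds the key of the one STS it trusts.
STS_KEY = b"constructed-sts-signing-key"
STS = SecurityTokenService("urn:example:sts", STS_KEY, {"alice": _pw("correct horse")})
ROGUE_STS = SecurityTokenService("urn:example:rogue", b"other-key", {"alice": _pw("correct horse")})
WSP = WebServiceProvider("urn:example:payroll-service", {"urn:example:sts": STS_KEY})

if __name__ == "__main__":
    print(WebServiceClient().call(STS, WSP, "alice", "correct horse"))
```

The provider never sees the client's password; it only needs the trusted STS's verification key, which is what makes the token proof of authentication with the STS. Binding the token to an audience and an expiry limits what a token taken from one exchange can be replayed against.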


Solution: OpenSSO Secure Web Services

Three Tough Challenges. One Powerful Solution.
Only standards-based solution that provides a pluggable, end-to-end secure web-services solution
Standards-based integration with Glassfish
Security Token Service that can be deployed as an integrated or standalone solution
Security Token Service that can handle token issuance, validation and translation via WS-Trust
Policy enforcement point plugins for WebLogic, WebSphere, Tomcat and JBoss


Identity Services

Problem
How do I invoke and leverage OpenSSO services (authN, authZ etc.) in a platform / language independent manner?

Benefits
Allows developers to easily invoke OpenSSO services.
Identity Access Layer provides abstraction so components can change without affecting applications.
Agentless solution that does not require deployment of an agent or proxy to protect a resource.
Supports usage of the IDE of the developer's choice
> NetBeans, Eclipse, Visual Studio

OpenSSO Identity Services

Makes OpenSSO services and functionalities available in an easy-to-use set of Web Services accessible via SOAP and REST.

Identity Services: easily accessible, design-approach independent.




Thank You.
sid@sun.com

