
2013 Open Stack Identity Summit - France

Federation in practice

OLD ACCESS CONTROL
- Applications and data within the firewall perimeter
- Users within the enterprise
- Difficult to roll out new services

Hanseatic League (Hansa): trade confederation, 13th to 17th centuries
- Trading outside the walls
- Secure
- Membership agreement
- Follow protocol

Information, services and users outside the firewall: customers, outsourcing, partners, suppliers

The dictionary
Federalism is a political concept in which a group of members are bound together by covenant (Latin: foedus, covenant*) with a governing representative head.
*Agreement

Schengen Area
It is a group of 26 European countries that have abolished passport and immigration controls at their common borders.

- Present your security token at the entrance
- Travel seamlessly within the area

FEDERATED IDENTITY
(Diagram: the enterprise side with Directory, Active Directory, Databases, Commercial Applications, In-house dev applications and Legacy applications; the external side with Customers, Outsourcing, Partners and Suppliers)
Federated identity is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

Benefits of Federated identity
- Provides Single Sign On for an enhanced user experience
- Shares information across partners securely and privately
- Promotes adoption of new services
- Reduces costs
- Cloud friendly
- Mobile friendly

Identity Federation Standards

ID-FF

Ws-federation

SAML 2.0

Federation support (timeline on the slide, two families of protocols)
- SOAP/XML based: ID-FF, SAML 1.0, SAML 1.x, Shibboleth 1.0/1.1, Shibboleth 2 (SAML2), SAML 2.0, ADFS2 (SAML 2), OpenAM, WS-Federation 1.0, WS-Federation 1.1, ADFS
- REST/JSON based: OAuth 2.0, OpenID Connect



Identity Federation Actors
- Circle of Trust: agreements between the parties
- Identity Provider (Asserting Party, IdP): authenticates the principal, who obtains a token
- Service Provider (Relying Party, Consumer, SP): the principal presents the token and accesses the resource
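The SP side of the flow above (token obtained from the IdP, presented to the SP) as an added example, not code from the slides or from OpenAM: the checks an SP makes on a SAML 2.0 assertion before granting access. It assumes the XML signature has already been verified by a library such as xmlsec, and the assertion, issuer and SP entity IDs are constructed sample values.

```python
"""SP-side checks on a SAML 2.0 assertion: issuer in the circle of trust,
validity window, audience restriction and replay. Constructed example;
assumes XML signature verification was already done by a library (xmlsec)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_IDPS = {"https://idp.example.com/idp"}      # constructed circle of trust
SP_ENTITY_ID = "https://sp.example.org/sp"          # constructed SP entity ID

# Constructed sample assertion, as an IdP in the circle of trust would issue it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" IssueInstant="2013-09-10T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-09-10T09:59:00Z" NotOnOrAfter="2013-09-10T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(s):
    """Parse a SAML UTC timestamp such as 2013-09-10T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_idps, sp_entity_id, now, seen_ids):
    """Return the subject NameID if the assertion is acceptable, else raise ValueError.
    seen_ids is the SP's replay cache of assertion IDs already consumed."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) not in trusted_idps:
        raise ValueError("issuer not in circle of trust")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP")
    if root.get("ID") in seen_ids:
        raise ValueError("assertion replayed")
    seen_ids.add(root.get("ID"))
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)

def rejection_reason(*args):
    """Return the reason an assertion is rejected, or None if it passes."""
    try:
        validate_assertion(*args)
    except ValueError as e:
        return str(e)
    return None
```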

Use Cases
- Enterprise connected to Cloud SaaS, partners, suppliers, etc.
- Customers using social authentication
(Diagram: the enterprise with Directory, Active Directory, Databases, Commercial Applications, In-house dev applications, Legacy applications and a Private Cloud, connected to Social, SaaS, Partners, Outsourcing and Suppliers)

Use Cases
- SaaS/IDaaS providing services to Enterprises
- Social authentication to SaaS and IDaaS
(Diagram: a Multi-tenant IdP and a Multi-tenant SP between Social, SaaS and the enterprise resources: Directory, Active Directory, Databases, Commercial Applications, In-house dev applications, Legacy applications, Private Cloud)

Mobile IAM for the Modern Web
(Diagram: OpenAM providing OpenID Connect, Authentication, Authorization, Attribute Delivery, Federation, SSO, Token Persistence, Session Mgmt and an OAuth2 Provider; Native Apps and Web Apps in the Cloud and in the Enterprise reach it through a Login App, REST and OAuth2)

SP to IdP Mesh
(Diagram: IdPs and SPs connected to each other directly, pairwise)

IdP Proxy
(Diagram: the SPs connect to an IdP Proxy, which in turn connects to the IdPs)

Federation is more than SSO


SAML 2.0
IdP, SP, IdP Proxy, Attribute Query Provider, Attribute Authority, Authentication Authority, XACML PEP, XACML PDP

WS-Federation
IdP, SP

ID-FF
IdP, SP

OAuth 2.0
RESTful authorization protocol

OpenID Connect
Uses OAuth 2.0 tokens, adds services

OpenAM + family
OpenAM
Full blown Federation

OpenAM Fedlet
Lightweight SAML 2.0 SP

OpenIG and Fedlet


Powerful combination of integration and SAML 2.0

Bridge SPE / SalesForce Bridge
SaaS-oriented federation/sync bridge, includes SAML 2.0 and OAuth 2.0.

Custom federation
(Diagram, numbered flow: Reverse Proxy, Policy Agent, Custom AuthN Module State 1, Application, OpenAM, Custom IDP / IDP, Custom AuthN Module State 2, SP, Policy Agent, Application, Fedlet, Custom Post Authentication Module)

Walkthrough: configure OpenAM to achieve SSO to Google Apps, WordPress and Office365 using SAML2

Federated Single Sign-On
(Diagram: demo.openam.org as the IDP in a Circle of Trust with three SPs)
