Federation in Practice

Posted on 18-Nov-2014


A Development session led by Technical Enablement Lead Bert Van Beeck

Transcript of Federation in Practice

2013 Open Stack Identity Summit - France

Federation in practice

•  Applications and data within the firewall perimeter
•  Users within the enterprise
•  Difficult to roll out new services

OLD ACCESS CONTROL

Hanseatic League (Hansa) Trade Confederation Centuries 13th – 17th

Trading outside the walls
•  Secure
•  Membership agreement
•  Follow protocol

[Diagram: partners, outsourcing, suppliers and customers outside the wall]

Information, services and users outside the fireWALL

Federalism is a political concept in which a group of members are bound together by covenant (Latin: foedus, covenant*) with a governing representative head.

*Agreement

The dictionary

Schengen Area

It is a group of 26 European countries that have abolished passport and immigration controls at their common borders.

§  Present your security token at the entrance
§  Travel seamlessly within the area

[Diagram: the enterprise (commercial applications, in-house developed applications, legacy applications, directory, databases, Active Directory) federating with partners, outsourcing, suppliers and customers]

FEDERATED IDENTITY

Federated identity is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

Benefits of Federated identity

•  Provides Single Sign On for an enhanced user experience

•  Share information across partners securely and privately

•  Promote adoption of new services

•  Reduces costs

•  Cloud friendly

•  Mobile friendly

Identity Federation Standards
•  SAML 2.0
•  WS-Federation
•  ID-FF

Federation support in OpenAM
•  SOAP/XML: SAML 1.0, SAML 1.x, SAML 2.0, ID-FF, Shibboleth 1.0/1.1, Shibboleth 2 (SAML 2), WS-Federation 1.0, WS-Federation 1.1, ADFS, ADFS2 (SAML 2)
•  REST/JSON: OAuth 2.0, OpenID Connect

Identity Federation Actors
•  Identity Provider (Asserting Party, IdP)
•  Service Provider (Relying Party, Consumer, SP)
•  Circle of Trust: the agreements that bind the IdP and its SPs
•  Principal (the user)

Flow: the principal authenticates at the IdP and obtains a token; the principal then presents the token to the SP and accesses the resource.
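The "present token, access resource" step is where the SP decides whether to trust what it received. The following is an added example, not code from the presentation or from OpenAM, showing the checks a SAML 2.0 SP performs on a Response after its XML signature has been verified: issuer, Recipient, InResponseTo (replay), validity window with clock skew, and audience restriction. The entity IDs, ACS URL and sample Response are constructed for the demo; signature verification is assumed to have been done first with an XML-DSig library (for example xmlsec via python3-saml) and is not shown.

```python
"""Added example (not OpenAM or ForgeRock code): the checks a SAML 2.0 SP
must make on a Response AFTER verifying its XML signature.  Signature
verification needs an XML-DSig library and is deliberately left out; all
entity IDs, URLs and the sample Response below are made up."""
import datetime as dt
import xml.etree.ElementTree as ET  # parse with defusedxml in production code

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _t(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2013-10-15T09:30:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, *, idp_entity_id, sp_entity_id, acs_url,
                      outstanding_request_ids, now, skew=dt.timedelta(minutes=2)):
    """Return the list of problems found; an empty list means 'accept'."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # accept exactly one bearer assertion
        return problems + ["expected one Assertion, got %d" % len(assertions)]
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        problems.append("unexpected issuer")
    # Bearer confirmation: the token must be aimed at our ACS and answer our request.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient is not our ACS URL")
        if scd.get("InResponseTo") not in outstanding_request_ids:
            problems.append("InResponseTo does not match a request we sent (replay?)")
        if scd.get("NotOnOrAfter") and now >= _t(scd.get("NotOnOrAfter")) + skew:
            problems.append("SubjectConfirmationData expired")
    # Conditions: validity window and audience restriction.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now + skew < _t(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _t(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("we are not in the AudienceRestriction")
    return problems


# Constructed sample Response (unsigned, for the demo only).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2013-10-15T09:30:00Z" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.org/openam</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-10-15T09:30:00Z">
    <saml:Issuer>https://idp.example.org/openam</saml:Issuer>
    <saml:Subject>
      <saml:NameID>u123</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.com/acs" NotOnOrAfter="2013-10-15T09:35:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-10-15T09:29:00Z" NotOnOrAfter="2013-10-15T09:35:00Z">
      <saml:AudienceRestriction><saml:Audience>AUDIENCE</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Run the validator over a good Response and three bad variants."""
    kw = dict(idp_entity_id="https://idp.example.org/openam",
              sp_entity_id="https://sp.example.com", acs_url="https://sp.example.com/acs",
              outstanding_request_ids={"_req42"},
              now=dt.datetime(2013, 10, 15, 9, 31, tzinfo=dt.timezone.utc))
    good = SAMPLE.replace("AUDIENCE", "https://sp.example.com")
    return {
        "good": validate_response(good, **kw),
        "wrong_audience": validate_response(SAMPLE.replace("AUDIENCE", "https://other.example.net"), **kw),
        "replay": validate_response(good, **{**kw, "outstanding_request_ids": set()}),
        "expired": validate_response(good, **{**kw, "now": kw["now"] + dt.timedelta(minutes=9)}),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

The audience and InResponseTo checks are the ones most often skipped in hand-rolled SPs: without them an assertion issued for another SP in the same circle of trust, or one captured from an earlier login, is accepted as if it were fresh and meant for you.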

Use Cases
§  Enterprise connected to cloud SaaS, partners, suppliers, etc.
§  Customers using social authentication

[Diagram: enterprise applications (commercial, in-house developed, legacy), directory, databases and Active Directory connected to SaaS, private cloud, social identity providers, partners, outsourcing and suppliers]

Use Cases
§  SaaS/IDaaS providing services to enterprises
§  Social authentication to SaaS and IDaaS

[Diagram: a multi-tenant IdP and a multi-tenant SP serving SaaS, private cloud and social login for commercial, in-house developed and legacy applications backed by directory, databases and Active Directory]

Mobile IAM for the Modern Web

[Diagram: web apps, native apps and a login app, in the cloud and in the enterprise, talk to OpenAM over REST, OAuth2 and OpenID Connect; OpenAM provides authentication, authorization, attribute delivery, federation, SSO, token persistence, session management and an OAuth2 provider]

SP to IdP Mesh
[Diagram: every SP holds a direct trust relationship with every IdP]

IdP Proxy
[Diagram: the SPs trust a single IdP Proxy, which in turn federates with the IdPs, so each party maintains one trust relationship instead of many]

Federation is more than SSO
•  SAML 2.0: IdP, SP, IdP Proxy, Attribute Query Provider, Attribute Authority, Authentication Authority, XACML PEP, XACML PDP
•  WS-Federation: IdP, SP
•  ID-FF: IdP, SP
•  OAuth 2.0: RESTful authorization protocol
•  OpenID Connect: built on OAuth 2.0 tokens, adds an identity layer (ID token and UserInfo) and related services
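The OpenID Connect ID token is the "present token" step for the REST/JSON side of the table. Below is an added example, not code from the presentation or from OpenAM, of the checks a relying party must run on an ID token before trusting its claims: the signature (with the algorithm pinned by configuration rather than read from the token), issuer, audience and azp, expiry, issued-at, and the nonce that ties the token to the login the client started. The issuer URL, client id, client secret and tokens are constructed; HS256 is used so the block runs with the standard library alone, whereas most deployments use RS256 with keys fetched from the provider's jwks_uri.

```python
"""Added example (not OpenAM or ForgeRock code): ID token validation at an
OpenID Connect relying party.  Issuer, client id, secret and tokens are
constructed for the demo; HS256 keeps it standard-library only."""
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the provider: signs header.payload with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token, *, issuer, client_id, secret, nonce, now, skew=120):
    """Return the list of problems found; an empty list means 'accept'."""
    problems = []
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return ["malformed token"]
    # 1. The accepted algorithm comes from our configuration, never from the token,
    #    so "alg": "none" or an algorithm swap is rejected before anything else.
    if header.get("alg") != "HS256":
        return ["unexpected alg %r" % header.get("alg")]
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return ["bad signature"]
    # 2. Claim checks from OpenID Connect Core 1.0, section 3.1.3.7.
    if claims.get("iss") != issuer:
        problems.append("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        problems.append("token not issued for this client (aud)")
    if len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not us")
    if not isinstance(claims.get("exp"), (int, float)) or now - skew >= claims["exp"]:
        problems.append("token expired or exp missing")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + skew:
        problems.append("iat missing or in the future")
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch (replay or login CSRF)")
    if not claims.get("sub"):
        problems.append("missing sub")
    return problems


ISSUER = "https://openam.example.org/openam/oauth2"  # assumed issuer URL
CLIENT_ID = "myRelyingParty"                          # assumed client id
SECRET = b"constructed-client-secret-not-real"
NOW = 1381829400  # 2013-10-15T09:30:00Z
NONCE = "n-0S6_WzA2Mj"


def demo():
    """Validate a good token and four bad variants."""
    good = {"iss": ISSUER, "sub": "u123", "aud": CLIENT_ID,
            "exp": NOW + 600, "iat": NOW, "nonce": NONCE}
    tok = mint_hs256_token(good, SECRET)
    tampered = tok.rsplit(".", 1)[0] + "." + _b64url_encode(b"\x00" * 32)
    other_aud = mint_hs256_token({**good, "aud": "someOtherClient"}, SECRET)
    unsigned = _b64url_encode(b'{"alg":"none"}') + "." + tok.split(".")[1] + "."
    kw = dict(issuer=ISSUER, client_id=CLIENT_ID, secret=SECRET, nonce=NONCE, now=NOW + 10)
    return {
        "good": validate_id_token(tok, **kw),
        "tampered": validate_id_token(tampered, **kw),
        "wrong_aud": validate_id_token(other_aud, **kw),
        "alg_none": validate_id_token(unsigned, **kw),
        "expired": validate_id_token(tok, **{**kw, "now": NOW + 3600}),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

The nonce must be generated by the relying party, stored in the browser session before redirecting to the provider, and compared on return; it is the OIDC equivalent of the SAML InResponseTo check and is what stops a token obtained in one session from being replayed into another.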

OpenAM + family
•  OpenAM: full blown federation
•  OpenAM Fedlet: lightweight SAML 2.0 SP
•  OpenIG and Fedlet: powerful combination of integration and SAML 2.0
•  Bridge SPE / SalesForce Bridge: SaaS oriented federation/sync bridge, includes SAML 2.0 and OAuth2

Custom federation

[Diagram: four applications, each integrated differently: two behind a Policy Agent, one with a Fedlet, one behind a Reverse Proxy]

OpenAM "Custom IdP"

[Diagram: SP and IdP; at the IdP a custom authentication module with two states (State 1, State 2) followed by a custom post-authentication module, with the flow numbered 1 to 6]

Walkthrough: configure OpenAM to achieve SSO to Google Apps, WordPress and Office365 using SAML 2

[Diagram: demo.openam.org as IdP and three SPs in one Circle of Trust]

Federated Single Sign-On
