Slide 1: Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Craig Dickson, Software Engineering Manager
Naveen Nallannagari, Senior Consultant
Behr Process Corporation, www.behr.com
TS-4604
2007 JavaOneSM Conference | Session TS-4604 |
Slide 2: Goals of This Presentation
A Survey of Open-Source Solutions to Single Sign-on
Present a sample of the different open source based SSO solutions, critically compare and contrast them and provide tips on how to choose the right one to fit your needs.
Slide 3: Agenda
• What is SSO? (briefly)
• Survey of the main Open Source players
• Head-to-Head Comparisons
• Summary
• Q&A
Slide 4: Agenda
• What is SSO?
• Survey of the main Open Source players
• Head-to-Head Comparisons
• Summary
• Q&A
Slide 5: What is SSO?
It is definitely not …
“Every Single time you want to do something, you are going to have to Sign-On!” - Your Sys Admin
Slide 6: What is SSO?
This is more like it …
• Authenticate only once and access multiple resources
• Improved user productivity
• Improved developer productivity
• Ease of administration
Slide 7: What is SSO?
But what about the downsides …
• Potentially creates a single point of attack
• Malicious types only need 1 set of credentials and they can do a lot of damage
• Can be very difficult to retrofit existing applications and infrastructure with an SSO solution
Slide 8: Agenda
• What is SSO?
• Survey of the main Open Source players
• Head-to-Head Comparisons
• Summary
• Q&A
Slide 9: OpenSSO
Open Web SSO
• Mission of OpenSSO:
To provide an extensible implementation of identity services infrastructure that will facilitate Single Sign-On for web applications.
• From the java.net community
• Focused on Web based Single Sign-On
• A common starting point for many identity management projects
Slide 10: OpenSSO
Continued …
• Sun will make the following Sun Java™ System Access Manager modules freely available as part of OpenSSO:
  • Authentication
  • Single-domain SSO
  • Web and Java 2 Platform, Enterprise Edition (J2EE™ platform) agents
  • Session Management
  • Policy
  • Console
  • Administration tools
  • Federation
  • Policy agents
Slide 11: OpenSSO
OpenSSO Architecture
Slide 12: OpenSSO
OpenSSO Configuration
• OpenSSO is deployed as a single web application: opensso.war
• After installation, configuration (host name, protocol, etc.) is done at:
  http://localhost:8080/opensso/configurator.jsp
• Realms have to be created
Slide 13: OpenSSO
OpenSSO Configuration
• agentadmin --install
  • Installation of the agent (e.g. for Tomcat)
• Modify web.xml (the url-pattern belongs inside the web-resource-collection; the closing element is security-role, and the role-name must match in both places):

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Resources</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>id=test, ou=role, dc=opensso, dc=java, dc=net</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/authentication/login.html</form-login-page>
      <form-error-page>/authentication/accessdenied.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role id="test">
    <role-name>id=test, ou=role, dc=opensso, dc=java, dc=net</role-name>
  </security-role>
Slide 14: JOSSO
Java Open Single Sign-On
• Based on Java Authentication and Authorization Service (JAAS)
• Uses web services implemented with Apache Axis as the distributed infrastructure
• Uses Apache Struts and JavaServer Pages™ (JSP™ page) technology standards
• Comes with a Reverse Proxy component that can be used to create n-tier Single Sign-On configurations
• Allows n-tier configurations using multiple strategies, including storing user information and credentials in LDAP, databases and XML files
Slide 15: JOSSO
Continued …
• Implement and combine multiple authentication schemes with credential stores
• Credential stores are repositories for user credentials, used during the user authentication transaction
• Can be configured to use, for example, a certificate-based authentication scheme, obtaining user X.509 certificates from a database using Java DataBase Connectivity (JDBC™) software
Slide 16: JOSSO
JOSSO Architecture
Slide 17: JOSSO
JOSSO Configuration
• Integration of JOSSO with a specific application server (Tomcat or JBoss)
• Integrating a Java web application with JOSSO
Slide 18: JOSSO
JOSSO Configuration - Integration with Tomcat or JBoss
• The Single Sign-On Gateway configuration
  • Configuration file: josso-gateway-config.xml, which declares the:
    • Authenticator
    • Identity Manager
    • Session Manager
    • Audit Manager
    • Event Manager
• Single Sign-On Agent configuration
  • Checks that a previously logged-in user is authorized to access a web context
  • Configuration file that declares the concrete configuration files:
    $CATALINA_HOME/bin/josso-config.xml
Slide 19: JOSSO
JOSSO Configuration - Integration with Tomcat or JBoss
• Protect a Web Application
  • Add to the server.xml file:

    <Host>
      ...
      <Valve className="org.josso.tc50.agent.SSOAgentValve" debug="1"/>
      ...
    </Host>

  • For each request to the /partner web context, the Single Sign-On Agent intercepts it, asserts the Single Sign-On session and obtains the user data from the Single Sign-On Gateway.
Slide 20: JOSSO
JOSSO Configuration - Integration with Tomcat or JBoss
• Add a JAAS Realm
  • In order to integrate the Single Sign-On Agent with the Single Sign-On Gateway, a JAAS Tomcat Realm entry must be added to server.xml.
  • Create a jaas.conf file in the $CATALINA_HOME/conf directory with the following content:

    josso {
        org.josso.tc50.agent.jaas.SSOGatewayLoginModule required debug=true;
    };

• Configure a JAAS Login Module
  • The Login Module validates the session and obtains the corresponding user and role information by invoking the gateway identity management web services.
Slide 21: JOSSO
JOSSO Configuration - Integration with Tomcat or JBoss
• Configure the Agent

  <?xml version="1.0" encoding="ISO-8859-1" ?>
  <agent>
    <class>org.josso.tc50.agent.CatalinaSSOAgent</class>
    <gatewayLoginUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginUrl>
    <gatewayLogoutUrl>http://localhost:8080/josso/signon/logout.do</gatewayLogoutUrl>
    <sessionAccessMinInterval>1000</sessionAccessMinInterval>
    <service-locator>
      <class>org.josso.gateway.WebserviceGatewayServiceLocator</class>
      <endpoint>localhost:8080</endpoint>
    </service-locator>
    <partner-apps>
      <partner-app>
        <context>/partner</context>
      </partner-app>
    </partner-apps>
  </agent>
Slide 22: JOSSO
JOSSO Configuration – Integration of a Java application with JOSSO
• Web application security constraints
  • Configured using three elements in web.xml:
    • <login-config> element
    • <security-constraint> element
    • <security-role> element
Slide 23: JOSSO
JOSSO Configuration – Integration of a Java application with JOSSO
• Integrating Enterprise JavaBeans™ (EJB™) with JOSSO
  • The security constraints should be declared in the ejb-jar.xml file of the partner components, based on the Enterprise JavaBeans specification (EJB components)
  • For the user identity to be propagated to the EJB components tier, the jboss.xml file must set java:/jaas/josso as the security domain in the following way:

    <?xml version="1.0" encoding="UTF-8"?>
    <jboss>
      <security-domain>java:/jaas/josso</security-domain>
      <enterprise-beans>
        <session>
          <ejb-name>PartnerComponentEJB</ejb-name>
          <jndi-name>josso/samples/PartnerComponentEJB</jndi-name>
        </session>
      </enterprise-beans>
    </jboss>
Slide 24: JA-SIG CAS
Central Authentication Service
• An open and well-documented protocol
• A library of clients for Java technology, .NET, PHP, Perl, Apache, uPortal and others
• Integrates with uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle and others
• Community documentation and implementation support
• An extensive community of adopters
Slide 25: JA-SIG CAS
Continued …
• The players involved
  • CAS (The Central Authentication Service)
  • Service
  • Proxy
  • Target (or back-end service)
• CAS authentication makes use of tickets: opaque strings that prove some assertion to CAS.
• CAS 2.0 uses the following tickets
  • Ticket-granting cookie (TGC)
  • Service ticket (ST)
  • Proxy-granting ticket (PGT)
  • Proxy-granting ticket IOU (PGTIOU)
  • Proxy ticket (PT)
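The ticket list above is easier to reason about when the exchange is written out. The following is an added example, not code from the slides or from the CAS project: a miniature CAS 2.0 server that issues a TGC at login, mints a service ticket bound to one service, validates it at most once and only within a short window, and runs the PGT/PGTIOU/PT proxy flow. The ticket formats, lifetimes, in-memory stores, the sample user and the injectable clock are all assumptions made for illustration; the real server keeps these in its own ticket registry.

```python
"""Added example, not from the JavaOne deck: a miniature CAS 2.0 ticket exchange.
Shows what each ticket type is for and the three checks a validating endpoint
must make (single use, bound service, short lifetime).  Ticket formats,
lifetimes, stores, the sample user and the clock are assumptions."""
import secrets
import time

ST_TTL_SECONDS = 10          # assumed: service/proxy tickets live seconds, not minutes
TGT_TTL_SECONDS = 8 * 3600   # assumed: SSO session (TGC) lifetime


class CasServer:
    def __init__(self, users, now=time.time):
        self.users = users        # username -> password (constructed sample store)
        self.now = now            # injectable clock so expiry can be tested
        self.tgts = {}            # TGC value -> (username, issued_at)
        self.tickets = {}         # ST or PT -> (username, service, issued_at, proxy chain)
        self.pgts = {}            # PGT -> (username, service that holds it)
        self.pgtious = {}         # PGTIOU -> PGT (models the HTTPS callback delivery)

    def login(self, username, password):
        """/login: primary authentication; returns the ticket-granting cookie value."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self.tgts[tgc] = (username, self.now())
        return tgc

    def issue_service_ticket(self, tgc, service):
        """/login?service=...: the TGC proves an SSO session; the ST is bound to that service."""
        entry = self.tgts.get(tgc)
        if entry is None or self.now() - entry[1] > TGT_TTL_SECONDS:
            self.tgts.pop(tgc, None)
            raise PermissionError("no valid SSO session")
        return self._issue(entry[0], service, proxies=())

    def _issue(self, username, service, proxies):
        prefix = "PT-" if proxies else "ST-"
        ticket = prefix + secrets.token_urlsafe(16)
        self.tickets[ticket] = (username, service, self.now(), tuple(proxies))
        return ticket

    def _consume(self, ticket, service):
        entry = self.tickets.pop(ticket, None)   # pop: a replayed ticket is already gone
        if entry is None:
            return None
        username, bound_service, issued, proxies = entry
        if bound_service != service:             # a ticket taken from one service is useless at another
            return None
        if self.now() - issued > ST_TTL_SECONDS:  # stale tickets are refused
            return None
        return username, proxies

    def service_validate(self, st, service, pgt_url=None):
        """/serviceValidate: accepts STs only; optionally starts the proxy flow."""
        result = self._consume(st, service)
        if result is None or result[1]:          # proxy tickets must go to /proxyValidate
            return None
        username = result[0]
        response = {"user": username}
        if pgt_url:
            # Proxy flow: the PGT is delivered by HTTPS callback to pgt_url and only the
            # IOU is placed in the validation response, so the PGT never travels on the
            # validate channel.  The callback is modelled here by the pgtious map.
            pgt = "PGT-" + secrets.token_urlsafe(16)
            iou = "PGTIOU-" + secrets.token_urlsafe(16)
            self.pgts[pgt] = (username, service)
            self.pgtious[iou] = pgt
            response["pgtiou"] = iou
        return response

    def proxy(self, pgt, target_service):
        """/proxy: a front-end service trades its PGT for a PT to a back-end service."""
        entry = self.pgts.get(pgt)
        if entry is None:
            raise PermissionError("unknown proxy-granting ticket")
        username, proxying_service = entry
        return self._issue(username, target_service, proxies=(proxying_service,))

    def proxy_validate(self, ticket, service):
        """/proxyValidate: accepts STs and PTs and reports the proxy chain to the back end."""
        result = self._consume(ticket, service)
        if result is None:
            return None
        return {"user": result[0], "proxies": list(result[1])}


class FixedClock:
    """Controllable clock for demonstrations (constructed)."""
    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t
```

The three refusals in `_consume` are the point of the service ticket design: because an ST is single-use, bound to the service URL it was issued for and valid only for seconds, a ticket observed in a URL or log is of little use to anyone who captures it. The back end receiving a PT gets the proxy chain from `/proxyValidate` and can decide whether it trusts the front end that obtained the ticket on the user's behalf.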
Slide 26: JA-SIG CAS
CAS Architecture
Slide 27: JA-SIG CAS
CAS Configuration
• Server Deployment
• Client Configuration
Slide 28: JA-SIG CAS
CAS Configuration - Server Deployment
• Based on the authentication scheme used
  • password based
  • certificate based
• Need to implement the AuthenticationHandler interface
Slide 29: JA-SIG CAS
CAS Configuration - Server Deployment
• Example: password based

  // CAS 3.x server API types (assumed package names for the CAS release of the time)
  import org.jasig.cas.authentication.handler.AuthenticationException;
  import org.jasig.cas.authentication.handler.AuthenticationHandler;
  import org.jasig.cas.authentication.principal.Credentials;
  import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

  // Deliberately trivial sample from the slide: the "correct" password is the
  // length of the username. It illustrates the handler contract, not a real check.
  public class UsernameLengthAuthnHandler implements AuthenticationHandler {

      public boolean authenticate(Credentials credentials) throws AuthenticationException {
          UsernamePasswordCredentials upCredentials = (UsernamePasswordCredentials) credentials;
          String username = upCredentials.getUsername();
          String password = upCredentials.getPassword();
          String correctPassword = Integer.toString(username.length());
          return correctPassword.equals(password);
      }

      public boolean supports(Credentials credentials) {
          // we support credentials that bear usernames and passwords
          return credentials instanceof UsernamePasswordCredentials;
      }
  }
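The slide's handler is intentionally a toy, so here is what the same supports()/authenticate() contract looks like against a real credential store. This is an added example written for this page, not CAS code and not Java: the credential classes, the salted PBKDF2 record format, the iteration count and the dummy-record trick for unknown users are all assumptions. The handler declares which credential type it accepts, then verifies the password with a constant-time comparison against a salted hash.

```python
"""Added example, not CAS code: a password-based authentication handler in the
shape of the slide's supports()/authenticate() contract, checking against a
salted PBKDF2 store instead of the toy username-length rule.  Credential
classes, store format, iteration count and the dummy record are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune for your hardware


@dataclass(frozen=True)
class UsernamePasswordCredentials:
    username: str
    password: str


@dataclass(frozen=True)
class X509Credentials:
    """Stands in for any credential type this handler does not support."""
    subject_dn: str


def make_record(password, salt=None):
    """Build the stored (salt, digest) pair for one user; the salt is per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordStoreAuthnHandler:
    def __init__(self, records):
        self.records = dict(records)   # username -> (salt, digest); constructed sample store
        # Dummy record: an unknown username costs the same hashing time as a known
        # one, so response time does not reveal which usernames exist.
        self._dummy = make_record(os.urandom(8).hex())

    def supports(self, credentials):
        """Mirror of the slide's supports(): only username/password credentials."""
        return isinstance(credentials, UsernamePasswordCredentials)

    def authenticate(self, credentials):
        """Mirror of the slide's authenticate(): True only on a matching password."""
        if not self.supports(credentials):
            raise TypeError("unsupported credential type")
        salt, expected = self.records.get(credentials.username, self._dummy)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", credentials.password.encode(), salt, PBKDF2_ITERATIONS
        )
        known = credentials.username in self.records
        # compare_digest is constant-time, so a wrong guess leaks nothing about
        # how many leading bytes matched.
        return known and hmac.compare_digest(candidate, expected)
```

Two details carry over to any real handler, whatever the language: the stored secret is a salted, slow hash rather than the password, and the comparison does not short-circuit. Everything else (how the record is loaded, which credential class is accepted) is the plumbing the slide's `supports()` method exists for.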
Slide 30: JA-SIG CAS
CAS Configuration - Server Deployment
• Customizing views
  • The existing views (i.e. JSP pages) can be changed to match the look and feel of the applications
• Using LDAP for authentication
  • Install the CAS LDAP authentication handler .jar file cas-server-ldap-{SOMETHING}.jar
  • Include an LDAP library ("LdapTemplate" or "Spring LDAP") in the CAS server
Slide 31: JA-SIG CAS
CAS Configuration - Server Deployment
• Using X.509 Certificates
  • CAS provides customizations to the CAS webflow to retrieve certificates from the HttpServletRequest, package the certificates into Credentials CAS can understand and pass them into the CentralAuthenticationService service.
  • Provides an authentication handler to determine the validity of a certificate and whether the credentials are authentic or not.
  • Provides sample resolvers to translate the credentials into a principal that client applications will understand.
Slide 32: JA-SIG CAS
CAS Configuration - Client
• Various Clients
  • Java technology client
  • JSP software client
  • uPortal client
  • Acegi as CAS client
  • Perl, ASP.NET client, etc.
Slide 33: JA-SIG CAS
CAS Configuration - Client
• Java technology client configuration
• CASFilter configuration - example

  <web-app>
    ...
    <filter>
      <filter-name>CAS Filter</filter-name>
      <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
      <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://secure.its.yale.edu/cas/login</param-value>
      </init-param>
      <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value>
      </init-param>
      <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
        <param-value>your server name and port (e.g., www.yale.edu:8080)</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>CAS Filter</filter-name>
      <url-pattern>/requires-cas-authentication/*</url-pattern>
    </filter-mapping>
    ...
  </web-app>
Slide 34: Agenda
• What is SSO?
• Survey of the main Open Source players
• Head-to-Head Comparisons
• Summary
• Q&A
Slide 35: Head-to-Head Comparison
Retrofitting an existing application
• JOSSO
  • No support for certain application servers
  • Does provide a plugin infrastructure to facilitate integration with other containers; you can base your own plugin on existing samples
• OpenSSO
  • Can fit into a multitude of application servers because of the availability of agents
  • These agents include Apache, Sun Java System Web Server, Microsoft IIS, Domino
Slide 36: Head-to-Head Comparison
Integration of non-Java applications
• JOSSO
  • Uses web services for asserting user identity via SOAP
  • Allows the integration of non-Java applications (e.g. PHP, .NET, etc.)
• CAS
  • There are many client libraries to assist in “CASifying” applications
  • Examples include AuthCAS for Apache, a uPortal client, a Java technology client, a PHP client and a Perl client
Slide 37: Head-to-Head Comparison
Customizability
• JOSSO
• CAS
  • Basic implementation includes only HTTPS
  • Can be easily customized to be HTTP enabled
  • Look and feel of login pages can be changed
  • Comes with pluggable authenticators to validate against LDAP etc.
  • If your application server is not supported, you need to customize by writing plugins
• OpenSSO
  • Customizations can be done by writing Authentication modules
  • Authentication User Interface JSP pages can be customized by Realm, Locale, Client type or any Service of the SSO system
Slide 38: Head-to-Head Comparison
Ease of Deployment
• CAS
  • Involves deploying the CAS Server (downloadable as a pre-built WAR file, or can be customized) and a CAS client with each application
• JOSSO
  • Involves configuration of:
    • the Single Sign-On Gateway
    • the Authenticator
    • the Identity Manager
    • the Session Manager
• OpenSSO
  • Deployable as a WAR file
Slide 39: Head-to-Head Comparison
Authentication for non-browser-based clients
• CAS
• Has Proxy Authentication support
• OpenSSO
• Does not have out-of-the-box support for CAS-like proxy authentication, however there are authentication APIs available to build one
• JOSSO
• Comes with a Reverse Proxy component that can be used to create n-tier Single Sign-On configurations
Slide 40: Head-to-Head Comparison
Support for web service security
• JOSSO
• Can be used to secure web services but is limited due to the level of application server support
• CAS
• Supports web service security by protecting URLs
• OpenSSO
• Has started work related to web services security
Slide 41: Head-to-Head Comparison
Community support
• As all three are Open Source solutions, the support is in the form of project websites, community generated documentation, user forums and mailing lists
• CAS, OpenSSO and JOSSO all have well managed user groups
Slide 42: Agenda
• What is SSO?
• Survey of the main Open Source players
• Head-to-Head Comparisons
• Summary
• Q&A
Slide 43: How to Choose
Which horse for which course …
• There are multiple factors to consider when deciding on the SSO solution you need
• All three are Open Source solutions, so licensing issues are removed
• OpenSSO is a good choice if …
• CAS is a good choice if …
• JOSSO is a good choice if …
  • Using XML based file formats and language independent APIs is important
  • Clustered environment support is required
  • SSL mutual authentication is required
  • You want to leverage all of the features of the Sun Java System Access Manager
  • You're using a Spring based infrastructure with Acegi
  • You're using simple DB based credential management
  • It supports your particular application server; otherwise additional development effort will be required
Slide 44: Alternative Open Source Solutions
Some other horses to consider
• Atlassian Seraph
• http://opensource.atlassian.com/seraph
• Shibboleth
• http://shibboleth.internet2.edu
• CoSign
• http://www.umich.edu/~umweb/software/cosign
• Enterprise Sign-On Engine
• http://esoeproject.org/
Slide 45: For More Information
• OpenSSO Home Page: https://opensso.dev.java.net/
• JOSSO Home Page: http://www.josso.org/
• CAS Home Page: http://www.ja-sig.org/products/cas/
• Wikipedia: http://en.wikipedia.org/wiki/Single_sign-on
• SAML: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
• Acegi: http://www.acegisecurity.org/
Slide 46: Agenda
• What is SSO?
• Survey of the main Open Source players
• Head-to-Head Comparisons
• Summary
• Q&A
Slide 47: Q&A
Craig Dickson – cdickson@behr.com
Naveen Nallannagari – nnallannagari@behr.com