ApacheCon 2013 SSO and Fine Grained Authorization in the Cloud

Transcript of ApacheCon 2013 SSO and Fine Grained Authorization in the Cloud

1. SSO and fine grained authorization in the cloud (Oliver Wulff)

2. Brief introduction
  • Solution Architect
  • Web Services (Axis, CXF, ...)
  • Security (WS-*, Kerberos, Web SSO, ...)
  • Corba
  • Java / C# / C++
  • Apache CXF PMC member
  • Talend Community Coder (coders.talend.com)
  • http://owulff.blogspot.com
  • [email protected]

3. Agenda
  • Authentication & Authorization in Web Applications
  • Apache CXF Fediz
  • Fediz and STS Use cases
  • Relying Party IDP
  • Fediz Roadmap

4. Authentication & Authorization in Web Applications (section)

5. Application Security 10 years ago
  • SSO solution using Reverse Proxy
  • Proprietary SSO token / protocol
  • Same product at Reverse Proxy, Application Server and central Security Service
  • Security tokens validated by remote Security Server
  • Role Based Access Control (Java, .NET API)
  • User/ID management internal

6. Security Challenges
  • Non IT company
  • Buy vs build (non IT company)
  • Applications hosted in the cloud
  • SaaS for IT companies
  • Integrate several IDM systems (B2B customers)
  • Access to user information: network connectivity, replicating user information
  • Reduce security code in the application

7. Gaps
  • Fine grained authorization (beyond RBAC) in application logic
  • Tight coupling to custom security components and protocols (central server, reverse proxy, proxy agent)
  • Tight coupling to a single user domain
  • Lack of agility and risk due to managing B2B users internally
  • Different authentication mechanism in the application (container)
  • Integration with Web Services stack
  • Mock testing

8. How to address that?
  • Indirect trust relationship to the Security Server
  • Push user data to the application instead of pulling it
  • Externalize authentication to a central server
  • Lightweight Open Source component
  • Industry standard based solution

9. WS-Federation
  • OASIS Standard 2009
  • Security token agnostic (SAML 1.1/2.0, ...)
  • Extends WS-Trust
  • Browser and Web Services SSO
  • PRP (Passive Requestor Profile) adapts the browser to WS-Trust
  • No connectivity between Application and IDP required (Cloud)
  • Claims/Attribute Based Access Control
  • Supports several authentication domains

10. WS-Trust Security Token Service
  1. Consumer requests a token from the STS, presenting credentials (RST = Request Security Token)
  2. STS verifies the credentials and issues a signed token
  3. STS sends the token back to the consumer (RSTR = Request Security Token Response)
  4. Consumer encloses the token in the message to the service provider (optionally signing the message)
  5. Service provider validates the token (and signature)
  6. Service provider sends the response to the consumer
  • WS-SecurityPolicy brings flexibility and transparency to the service consumer

11. Apache CXF Fediz (section)

12. Apache CXF Fediz
  • Sub-project of the Apache CXF project
  • Work started mid 2011
  • Community growing
  • First release in June 2012
  • Current release 1.0.2
  • Finishing work for 1.1

13. Apache CXF Fediz (architecture diagram; components recovered from the slide)
  • Identity Provider (IDP): Fediz IDP, authentication, WS-Federation
  • Security Token Service (STS): Fediz STS, WS-Trust, security tokens issued by the STS
  • User machine: Browser accesses the Web Application, is redirected to the IDP
  • Relying Party (RP): Fediz Plugin in the Servlet Container, HTTPS

14. Apache CXF Fediz (sign-in flow diagram; steps recovered from the slide)
  1) Browser: HTTP GET resource; Relying Party redirects to the IDP
  2) Sign In Request to the Identity Provider (IDP / STS)
  3) Login of the web user
  4) Post credentials
  5) Sign In Response carrying the SAML token
  6) Browser posts the Sign In Response to the Relying Party
  7) Relying Party returns the resource and sets a cookie
  • Trust relationship between RP and IDP: the RP validates the signed token itself, no call to the STS
  • Relying Party examples: Tomcat, Websphere, ASP.NET, etc.

15. Apache CXF STS
  • WS-Trust 1.3/1.4
  • WS-SecurityPolicy 1.3
  • RST authentication: Username / Kerberos / SAML token
  • Security bindings: Symmetric, Asymmetric, Transport
  • Supported bindings: Issue, Validate, Cancel, Renew
  • Advanced RST elements: KeyType, Entropy, AppliesTo, SecondaryParameters, OnBehalfOf, ActAs
  • Batch processing (RSTC)
  • SAML token creation customizable: Subject, Audience, AttributeStatements, ...
  • Claims support; custom claims dialects
  • Support for realms / security domains
  • Identity mapping
  • Claims transformation
  • Token providers: SAML 1.1/2.0 (HOK, Bearer), Custom, Secure Conversation
  • Intermediary: token encryption support; Issue/Validate supports token transformation

16. Fediz IDP / STS
  • Username / password authentication
  • User store (File, LDAP, JAAS): File store, LDAPLoginModule, other JAAS Login Module
  • Claims/Role store (File, LDAP): LdapClaimsHandler, FileClaimsHandler, custom
  • SAML token creation customizable
  • Small footprint (mock testing)
  • Wiki: http://cxf.apache.org/fediz-idp.html

17. Fediz Plugin
  • WS-Federation 1.0/1.1/1.2
  • SAML 1.1 / 2.0 tokens
  • IDP trust types: Chain Trust, Direct Trust
  • Core logic container independent
  • Supports Tomcat 7
  • WS-Federation Metadata publishing
  • Claims provided in FederationPrincipal
  • Wiki: http://cxf.apache.org/fediz-idp.html

18. Fediz Plugin Configuration

  Config element        Description                    Metadata
  --------------------  -----------------------------  --------------------------
  issuer                Issuer URL                     PassiveRequestorEndpoint
  realm                 Realm                          TargetScope
  authenticationType    Authentication type            NA
  roleURI               Claim URI for roles            NA
  roleDelimiter         Role value delimiter           NA
  claimTypesRequested   Requested claims               ClaimTypesRequested
  homeRealm             Home realm                     NA
  tokenValidators       Security token validator       NA
  signingKey            Key for Metadata signature     Metadata signature

19. Fediz Plugin Extensions (1/2)
  • Customize Sign-In Request:

  Configuration        SignIn Request   Callback object
  -------------------  ---------------  -------------------
  authenticationType   wauth            WAuthCallback
  homeRealm            whr              HomeRealmCallback
  freshness            wfresh           FreshnessCallback
  issuer               N.A.             IDPCallback

  • Customize Security Token Validation

20. Fediz Plugin Extensions (2/2)
  • Callback Handler implementation for Home Realm Discovery (imports and the exception list, which the slide omitted, added here; the HomeRealmCallback package is assumed to be the Fediz core SPI):

    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.servlet.http.HttpServletRequest;
    import org.apache.cxf.fediz.core.spi.HomeRealmCallback; // package assumed

    public class MyCallbackHandler implements CallbackHandler {
        // Standard CallbackHandler signature; the plugin hands in one or more callbacks
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof HomeRealmCallback) {
                    HomeRealmCallback callback = (HomeRealmCallback) callbacks[i];
                    HttpServletRequest request = callback.getRequest();
                    // Derive the user's home realm from the request (the slide elides how)
                    String homeRealm = ...;
                    callback.setHomeRealm(homeRealm);
                } else {
                    // Reject callback types this handler does not understand
                    throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
                }
            }
        }
    }

  • Wiki: http://cxf.apache.org/fediz-extensions.html

21. Fediz Interoperability
  • IDPs: Fediz IDP, Adnovum IDP, Microsoft ADFS
  • Plugins: Fediz Plugin, ASP.NET
  • Fediz STS based on Apache CXF STS
  • Apache CXF STS integrated into Adnovum IDP

22. Fediz and STS Use cases (section)

23. STS: Use case Web SSO
  • Fediz example simpleWebapp: https://localhost:8443/fedizhelloworld/secure/fedservlet

24. Standards and capabilities (Web SSO use case)
  • Standards: WS-Federation 1.2, WS-Trust 1.3, SAML 2.0, OASIS Identity Metasystem
  • CXF STS capabilities: RST with Username or Kerberos; SAML 2.0 Bearer; claims from LDAP; claim data in AttributeStatement
  • Federation plugin: SAML token validation (WSS4J, OpenSAML); creates the security context

25. STS: Use case intermediary
  • Fediz example wsclientWebapp: https://localhost:8443/fedizhelloworld/secure/service.jsp

26. Standards and capabilities (intermediary use case)
  • Standards: WS-Trust 1.3, SAML 2.0, WS-SecurityPolicy
  • CXF STS capabilities: RST with SAML token [4,6]; SAML 2.0 Bearer [6]; Custom Token [4] (BinarySecurityToken); token transformation [4,6]; identity mapping [4]; OnBehalfOf [4,6]
  • CXF capabilities: Issued token assertion (WS-SecurityPolicy); SecondaryParameters; OnBehalfOf; token caching

27. Relying Party IDP (section)

28. More than one Requestor IDP
  • WS-Federation defines Requestor IDP and Relying Party IDP
  • RP IDP issues a SAML token for the application in a requestor independent format
  • Integrate Requestor IDPs without affecting the application
  • HomeRealm Discovery
  • RP IDP federates identities or claims

29. Internal ID management (diagram; elements recovered from the slide)
  • Requestor IdPs mycompany.com (APAC, EMEA); Relationship: FederateIdentity; CXF IdentityMapper
  • RP-IdP with home realm discovery
  • Browser (Intranet) -> Relying Party Application Container (ex. Tomcat)

30. Hybrid ID management (diagram; elements recovered from the slide)
  • Internal Requestor IdPs mycompany.com (APAC, EMEA) and Requestor IdP fabrikam.com
  • RP-IdP with home realm discovery; federate identities via CXF IdentityMapper; Relationship: FederateIdentity
  • Browsers from mycompany.com and fabrikam.com -> Relying Party Application Container (ex. Tomcat)

31. External requestor IDPs (SaaS) (diagram; elements recovered from the slide)
  • Requestor IdPs mycompany.com, fabrikam.com (internal) and adatam.com (external)
  • RP-IdP with home realm discovery; federate claims/attributes via CXF ClaimsMapper; Relationship: FederateClaims
  • Browsers from mycompany.com, fabrikam.com and adatam.com -> Relying Party Application Container (ex. Tomcat)

32. Fediz Roadmap
  • WS-Federation support for RP-IDP (1.1)
  • HomeRealm Discovery (1.1)
  • SAML Profile (1.1+)
  • Support encrypted SAML tokens (1.1)
  • SAML Holder-Of-Key (1.1)
  • Fediz Plugin support: Karaf (1.1), Jetty (1.1), Spring Security (1.1)

33. More information
  • Fediz website: http://cxf.apache.org/fediz.html
  • Blogs: http://coheigea.blogspot.com, http://www.dankulp.com/blog/, http://sberyozkin.blogspot.com, http://owulff.blogspot.com

34. Content Slides (empty template slide: Level 1 to Level 5)

35. Deployment diagram (elements recovered from the slide; standards and capability lists as on slide 26)
  • Standards: WS-Trust 1.3, SAML 2.0, WS-SecurityPolicy
  • Identity Provider <<Nevis>> with identity stores: LDAP <<Solaris>>, <<Windows>>, RACF <<Mainframe>>; STS
  • Browser -> Web Application <<Tomcat>> (Federation, CXF) -> Business Service <<Tomcat>> (JAX-RPC, not CXF) and Business Service <<OSGi Karaf>> (JAX-WS, CXF)
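The STS issue/validate round trip of slide 10 and the RP-side checks behind slide 14 ("signed token, no call to the STS") and the slide 18 plugin settings (realm, roleURI, roleDelimiter), as an added example that is not part of the slides or of Fediz. It is a constructed simulation: an HMAC over a JSON body stands in for the XML Signature over a SAML token, the shared key stands in for the STS signing certificate the RP trusts, and the realm value and user store are constructed.

```python
import hmac
import hashlib
import json

# Constructed stand-ins (not Fediz values): STS signing key, RP realm, user store
STS_KEY = b"constructed-sts-signing-key"
RP_REALM = "urn:example:rp-realm"          # plugin 'realm' == token AppliesTo / audience
USERS = {"alice": "correct-horse"}
# Standard role claim type URI, used as the plugin's 'roleURI'
ROLE_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
ROLE_DELIMITER = ","                       # plugin 'roleDelimiter'
TOKEN_LIFETIME = 300                       # seconds


def sts_issue(username, password, applies_to, claims, now, users=USERS):
    """Steps 1-3: verify the presented credentials, issue a signed token (RST -> RSTR)."""
    if users.get(username) != password:
        raise PermissionError("authentication failed")
    body = {"subject": username, "audience": applies_to,
            "expires": now + TOKEN_LIFETIME, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(STS_KEY, payload, hashlib.sha256).hexdigest()
    return {"token": payload.decode(), "signature": signature}


def rp_validate(rstr, trusted_key, realm, now):
    """Step 5 as the Fediz plugin does it: check signature, audience and expiry locally
    (no call to the STS), then build the principal with roles taken from the role claim.
    Returns None when the token must be rejected."""
    payload = rstr["token"].encode()
    expected = hmac.new(trusted_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, rstr["signature"]):
        return None                        # tampered, or signed by an untrusted issuer
    body = json.loads(payload)
    if body["audience"] != realm:
        return None                        # token issued for a different relying party
    if body["expires"] <= now:
        return None                        # expired
    roles = body["claims"].get(ROLE_URI, "").split(ROLE_DELIMITER)
    return {"name": body["subject"],
            "roles": [r for r in roles if r],
            "claims": body["claims"]}
```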