A Thousand Things You Always Wanted To Know About SSO But Never Dared Ask

Oracle Code One. San Francisco. 24/10/2018

Luis Rodríguez Fernández 1 Agenda

What’s this presentation about ?

About your speaker

About CERN

About CERN openlab

Why SSO?

CERN SSO. Identity Provider

CERN SSO. WS-Fed & SAML2

CERN SSO. OAUTH2

CERN SSO. What’s next?

Take-aways

What is this presentation about?

● SSO components
  – Identity Provider
  – Service Provider
● IdP high-level implementation details
● Focus on securing applications
● SAML2, WS-Fed, OAuth2 (client credentials)
  (diagram: IDP and SP connected over SAML2, WS-FED and OAUTH2)
● Real use cases
● Open-source & commercial solutions
● Tips & tricks


About your speaker

● Engineer
● Service Manager – Databases Applications Service
  – Oracle WebLogic (~350 servers)
  – (~40 servers)
  – ~200 URLs
● From Spain (Asturias)


About CERN

● Fundamental research
  – What is the Universe made of?
  – How did it start?
  – What is matter made of?
● Tools
  – Accelerators
  – Detectors
● Three pillars
  – Research
  – Innovation
  – Education
● Science for peace


About CERN openlab

A public-private partnership between the research community and industry.


Why SSO?

● Security
● Federation
● Unique pair of credentials
● Computer Security Officer


CERN SSO. IdP

(diagram slides: CERN SSO Identity Provider architecture)


CERN SSO. WS-Fed & SAML2. WS-Fed & SAML2 login

● Very similar
  – WS-Fed
    ● No metadata exchange
    ● Simple Single Log Out
  – SAML2
    ● Metadata exchange (keys)
    ● Single Log Out is hell!
● Assertions: packages of information
  – « Luis belongs to CERN IT-DEP »
  – « He has been authenticated by login.cern.ch »
● Actors
  – User Agent: web browser
  – Service Provider: relying party
  – Identity Provider: asserting party
● Debugging
  – SAMLTracer
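The assertion bullets above describe what the IdP asserts ("Luis belongs to CERN IT-DEP", "authenticated by login.cern.ch"). What the relying party has to check before it believes such a package is easy to get wrong, so here is an added example (not code from the slides or from any CERN project) of the checks a SAML2 Service Provider applies once the XML signature has been verified with the IdP key from the metadata exchange: issuer, validity window with clock-skew tolerance, audience restriction, and only then the attributes. The assertion, issuer and audience values are constructed; signature verification itself needs an xmlsec-based library and is assumed to have already happened.

```python
# Added example (not from the slides or from any CERN project): the checks a
# SAML2 Service Provider applies to an assertion once the XML signature has
# been verified with the IdP key obtained from the metadata exchange.
# Signature verification itself needs an xmlsec-based library and is assumed
# to have happened before validate_assertion() is called.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed values: a hypothetical IdP entity ID and the SP's own entity ID.
ISSUER = "https://idp.example.org/idp"
AUDIENCE = "https://sp.example.org/saml2"

# Constructed sample assertion carrying "Luis belongs to CERN IT-DEP" and a
# five-minute validity window, as an IdP would return it after login.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2018-10-24T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID>luis</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-10-24T10:00:00Z" NotOnOrAfter="2018-10-24T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/saml2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>CERN IT-DEP</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML uses xsd:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now,
                       clock_skew=timedelta(seconds=60)):
    """Return (ok, reason, attributes) for an already signature-verified assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return False, "not a SAML2 Assertion", {}

    # 1. The asserting party must be the IdP we exchanged metadata with.
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != expected_issuer:
        return False, "unexpected issuer", {}

    # 2. Validity window, with a small tolerance for clock drift between IdP and SP.
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "missing Conditions", {}
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + clock_skew < parse_saml_time(not_before):
        return False, "assertion not yet valid", {}
    if not_on_or_after and now - clock_skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired", {}

    # 3. The assertion must be addressed to this SP; one issued for another
    #    relying party must not be accepted here.
    audiences = [a.text for a in
                 conditions.iterfind("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch", {}

    # 4. Only now read the attributes (the "packages of information").
    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attributes[attr.get("Name")] = [v.text for v in
                                        attr.iterfind("saml:AttributeValue", SAML_NS)]
    return True, "ok", attributes


if __name__ == "__main__":
    ok, reason, attrs = validate_assertion(
        SAMPLE_ASSERTION, ISSUER, AUDIENCE, parse_saml_time("2018-10-24T10:02:00Z"))
    print(ok, reason, attrs)
```

The order matters: issuer and audience are checked before any attribute is read, so an assertion that was legitimately issued to a different SP, or by an IdP the application never federated with, never reaches the authorization code. The same assertion, replayed a few minutes later, is rejected by the NotOnOrAfter check.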

CERN SSO. WS-Fed & SAML2. WS-Fed Single Logout

(diagram: WS-Fed single logout flow)

CERN SSO. WS-Fed & SAML2. SAML2 Single Logout

(diagram: SAML2 single logout flow)

CERN SSO. WS-Fed & SAML2. WS-Fed @ CERN

● Shibboleth
  – Open-source
    ● Active community
    ● IdP & SP
  – Linux/Windows
    ● Apache httpd server
    ● IIS web server
  – Installation:
    ● Simple
    ● Modular
  – Assertions
    ● HTTP headers
      – Header too big!
    ● Security: front-end delegated
  – Tricky: StorageService
    ● Memcache client, uf…
    ● ERROR XMLTooling.StorageService.MEMCACHE [7]: Memcache::getMemcache: CONNECTION FAILURE
  – Single Log Out
    ● Simple!
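Two of the Shibboleth points above, "security: front-end delegated" and "header too big!", describe the same design: the SP module in httpd or IIS authenticates the user and hands the assertion attributes to the application as plain HTTP headers. The application therefore has to make sure those headers really came from the front end and cope with the size of a long group list. This added example (not Shibboleth project code) shows a WSGI middleware that does both; the header names, the front-end network and the byte limit are assumptions for the illustration.

```python
# Added example, not Shibboleth code: how a backend behind an Apache httpd +
# Shibboleth SP front end should consume the assertion attributes the SP
# passes as HTTP headers.  Header names, the front-end network and the size
# limit are assumptions for this illustration.
import ipaddress

# Assumed: only these addresses host the httpd/Shibboleth front end.  Anything
# else reaching the backend did not pass the SP, so its headers are untrusted.
TRUSTED_FRONT_ENDS = [ipaddress.ip_network("10.0.0.0/24")]
USER_HEADER = "HTTP_SHIB_USER"      # WSGI spelling of a "Shib-User" header (assumed name)
GROUPS_HEADER = "HTTP_SHIB_GROUPS"  # assumed name; values separated by ';'
HEADER_LIMIT = 8192                 # assumed per-request header budget of the backend


class NotThroughFrontEnd(Exception):
    """Request bypassed the SP, so identity headers cannot be trusted."""


class HeadersTooLarge(Exception):
    """Attribute headers (typically long group lists) exceed the server limit."""


def extract_identity(environ):
    """Map front-end-supplied headers to a principal dict, or raise."""
    peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    if not any(peer in net for net in TRUSTED_FRONT_ENDS):
        raise NotThroughFrontEnd(str(peer))

    # "Header too big!": measure what the SP pushed into the request.
    header_bytes = sum(len(k) + len(v) for k, v in environ.items()
                       if k.startswith("HTTP_"))
    if header_bytes > HEADER_LIMIT:
        raise HeadersTooLarge(header_bytes)

    user = environ.get(USER_HEADER, "").strip()
    groups = [g for g in environ.get(GROUPS_HEADER, "").split(";") if g]
    return {"user": user or None, "groups": groups, "header_bytes": header_bytes}


def sso_middleware(app):
    """WSGI wrapper: refuse anything that did not come through the SP."""
    def wrapped(environ, start_response):
        try:
            environ["sso.identity"] = extract_identity(environ)
        except NotThroughFrontEnd:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"requests must come through the SSO front end\n"]
        except HeadersTooLarge:
            start_response("431 Request Header Fields Too Large",
                           [("Content-Type", "text/plain")])
            return [b"assertion headers exceed the configured limit\n"]
        if environ["sso.identity"]["user"] is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"no authenticated user\n"]
        return app(environ, start_response)
    return wrapped


def make_environ(remote_addr, user=None, groups=None):
    """Constructed WSGI environ, as httpd would hand it to the backend."""
    environ = {"REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if user is not None:
        environ[USER_HEADER] = user
    if groups is not None:
        environ[GROUPS_HEADER] = ";".join(groups)
    return environ


def check_request(environ):
    """Run a request through the middleware and return the HTTP status line."""
    status = {}

    def start_response(status_line, headers):
        status["line"] = status_line

    def hello(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [("hello %s\n" % environ["sso.identity"]["user"]).encode()]

    list(sso_middleware(hello)(environ, start_response))
    return status["line"]
```

The peer check is the application-side half of "front-end delegated": network controls should already prevent direct access to the backend, but the application verifying it as well means a misconfigured firewall does not silently turn forged headers into a login. The 431 path makes the header-size failure visible instead of leaving a truncated group list to be interpreted as "user has no groups".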

CERN SSO. WS-Fed & SAML2. SAML2 @ CERN

● Oracle WebLogic – « Swiss army knife »
  – WLST (Jython), Console, REST
  – Cluster, Datasources
  – JEE 7 compliant
  – Multiple scenarios
    ● Enterprise Apps
    ● ORDS, APEX, PL/SQL
    ● Proxy (HttpProxyServlet)
  – Embedded SAML2 module
    ● « Complex » configuration
      – « Easy » to automate
      – Cluster: requires RDBMS
    ● IdP & SP
    ● Implementation gaps
      – Principal & role mapping
      – Single Log Out
    ● Some warnings
      – « /saml2 » context mandatory
      – « / » cookie path: all apps in WLS
      – One application per cluster

CERN SSO. WS-Fed & SAML2. SAML2 @ CERN

● Keycloak
  – Open-source
  – Active community
  – IdP & SP
  – Commercial support (Red Hat)
    ● RH-SSO (Red Hat Single Sign On)
  – Adapters
    ● Java: WildFly, Tomcat, Spring...
    ● JavaScript
  – Tomcat 8.5, 9 & TomEE
    ● Tomcat Valve – context.xml
    ● Servlet Filter – web.xml
  – Some warnings
    ● One Keycloak conf per /context (the opposite of Oracle WebLogic)
    ● Global Logout signature verification
    ● Automation

CERN SSO. WS-Fed & SAML2. SAML2/WS-FED @ CERN

● Other
  – spring-security
  – SimpleSAMLphp
  – Native implementations:
    ● SharePoint

CERN SSO. WS-Fed & SAML2. SAML2/WS-FED @ CERN

● Clients (no web browser)
  – CERN SSO cookie client
    ● Perl
    ● Python
  – Apache JMeter


CERN SSO. OAUTH2. OAUTH2 in a nutshell

● Security framework for authorization
● Access tokens + HTTPS
● Actors (examples):
  – Resource owner: end user
  – Resource server: API
  – Client: web site consuming the API
  – Authorization server: grants access with the owner's approval

CERN SSO. OAUTH2. OAUTH2. Valet parking analogy

● Car → protected resource
● Car owner → resource owner
● Car owner → authorization server
● Parking attendant → client
● Valet key → access token

CERN SSO. OAUTH2. CERN SSO OAUTH2 Service

● Two roles:
  – Authorization Server
    ● Authenticates users
  – Resource Server. Endpoints:
    ● /api/User
    ● /api/Groups
● Client Credentials grant
  – Server-side applications
  – Applications = OAUTH2 clients
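The service above has an authorization server issuing tokens and a resource server exposing /api/User and /api/Groups, and every server-side application is a registered OAUTH2 client using the client credentials grant. To make the exchange concrete, here is an added example (not the CERN service's code) with all three parties in one process: the token endpoint authenticates the client and issues a scoped, expiring Bearer token; the resource endpoint validates the token and its scope; the client ties the two calls together. Client ids, secrets, scopes, the lifetime and the API payload are constructed.

```python
# Added example, not code from the CERN OAUTH2 service: the three parties of a
# client credentials grant in one process.  Client ids, secrets, scopes and the
# API response are constructed for the illustration.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300  # seconds a token stays valid (assumed)


def hash_secret(secret):
    """Store only a digest of the client secret (assumption: sha256 suffices here)."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed client registry: every server-side application is a registered client.
CLIENTS = {
    "constructed-backend-app": {"secret_hash": hash_secret("constructed-secret"),
                                "scopes": {"user:read", "groups:read"}},
}
TOKENS = {}  # opaque access token -> {"client_id", "scope", "exp"}


def token_endpoint(form, now=None):
    """Authorization server: POST /token with grant_type=client_credentials (RFC 6749 4.4)."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    client = CLIENTS.get(form.get("client_id", ""))
    presented = hash_secret(form.get("client_secret", ""))
    # Constant-time comparison so the secret check does not leak via timing.
    if client is None or not hmac.compare_digest(presented, client["secret_hash"]):
        return 401, {"error": "invalid_client"}
    requested = set(form.get("scope", "").split()) or set(client["scopes"])
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client_id": form["client_id"], "scope": requested, "exp": now + TOKEN_TTL}
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_TTL, "scope": " ".join(sorted(requested))}


def resource_endpoint(path, headers, now=None):
    """Resource server: /api/User and /api/Groups behind Bearer tokens (RFC 6750)."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    record = TOKENS.get(token) if scheme == "Bearer" else None
    if record is None or record["exp"] <= now:
        return 401, {"error": "invalid_token"}
    needed = {"/api/User": "user:read", "/api/Groups": "groups:read"}.get(path)
    if needed is None:
        return 404, {"error": "not_found"}
    if needed not in record["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"client": record["client_id"], "path": path, "data": ["constructed-entry"]}


def client_call(client_id, client_secret, path, scope, now=None):
    """Client: obtain a token with its own credentials, then call the API with it."""
    status, body = token_endpoint({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": scope}, now)
    if status != 200:
        return status, body
    return resource_endpoint(path, {"Authorization": "Bearer " + body["access_token"]}, now)


if __name__ == "__main__":
    print(client_call("constructed-backend-app", "constructed-secret", "/api/User", "user:read"))
```

Because the grant involves no end user, the only thing protecting the API is the client secret and the token derived from it: the token store keeps scope and expiry per token, so a leaked token is bounded in both what it can reach and for how long, and the resource server refuses a token whose scope does not cover the endpoint even though the client is otherwise legitimate.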

CERN SSO. OAUTH2. CERN SSO OAUTH2 Service

● Other clients:
  – Java
    ● Atlassian Jira
  – JavaScript
    ● nile-sso-proxy
● Other OAUTH2 flow
  – Implicit
    ● Client: Oracle JET & ORDS


CERN SSO. WHAT'S NEXT?


Take-aways

● Cloud services & third-party systems
  – A common authentication layer becomes a must
  – Federation
● Challenges:
  – Authorization
  – Integration

Take-aways

● Other solutions
  – CAS
  – OpenAM
● SAML2 vs OAUTH2 vs OpenID Connect (OIDC)
  – SAML2
    ● Mature
    ● Verbose
    ● SSO use case
    ● Web apps UI (web profile)
    ● Hard back-end integration
  – OAUTH2
    ● Young
    ● Simple
    ● Access delegation use case
    ● Front end
    ● APIs
  – OpenID Connect
    ● OAUTH2 + authentication
      – Access token
      – ID token
    ● JSON Web Token
    ● SSO use case
● When to use what?
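The comparison above turns on one point: OAUTH2 alone delegates access, while OpenID Connect adds an ID token (a JSON Web Token) that the relying party can verify to learn who logged in, which is what makes it an SSO protocol. This added example (not code from the slides) shows what the relying party does with that ID token: verify the signature, then the issuer, audience, expiry and nonce claims that OIDC Core requires. The token is signed with HS256 using the client secret, which OIDC Core permits; providers more commonly use RS256 with published keys, which needs a JOSE library. Issuer, client id, secret and claims are constructed.

```python
# Added example, not the slides' code: what a relying party does with the ID
# token OpenID Connect adds on top of OAUTH2.  The token is signed with HS256
# using the client secret, which OIDC Core allows; production deployments more
# often use RS256 with the provider's published keys, which needs a JOSE
# library.  Issuer, client id, secret and claims are constructed.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example.org"          # constructed OpenID Provider
CLIENT_ID = "constructed-web-app"          # constructed relying party id
CLIENT_SECRET = "constructed-client-secret"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, secret):
    """Provider side: JWT with an HS256 signature over header.payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def validate_id_token(token, secret, issuer, client_id, nonce, now=None):
    """Relying party: verify the signature, then the claims OIDC Core 3.1.3.7 requires.
    Returns the claims or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token pick "none" or a different alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # The nonce ties the token to the login request that started this session.
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def id_token_status(token, nonce, now):
    """Helper turning the outcome into a string: 'ok' or the rejection reason."""
    try:
        validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, nonce, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed claims for a user who logged in at iat and whose token expires at exp.
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "luis", "aud": CLIENT_ID,
                 "iat": 1000, "exp": 1600, "nonce": "constructed-nonce"}

if __name__ == "__main__":
    print(id_token_status(make_id_token(SAMPLE_CLAIMS, CLIENT_SECRET), "constructed-nonce", 1200))
```

The difference from the access token in the OAUTH2 example is visible in the claims: the ID token is addressed to the relying party (aud), names the user (sub) and carries the nonce from this login, so it answers "who is this?" for the application itself, while an access token is meant to be presented to a resource server and says nothing the client should rely on about the user.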

QUESTIONS?

[email protected]
https://www.slideshare.net/gauchoproluanco/1000-thingsssocodeone-120528726
http://db-blog.web.cern.ch/

References. Clients

● CERN SSO Client Cookie – https://linux.web.cern.ch/linux/docs/cernssocookie.shtml
● CERN SSO Python – https://github.com/cerndb/cern-sso-python
● CERNDB JMeter test plan – https://github.com/jdanielcano/cerndb-sw-jmeter-test-plan
● OAUTH2 Authz Service Java Demo Client – https://gitlab.cern.ch/db/cern-oauth2-authz-service-client
● Nile SSO Proxy – https://gitlab.cern.ch/db/nile-sso-proxy
● JET OAUTH2 ORDS client – https://github.com/cerndb/jet-oauth2-ords

References. WLS libraries

● Oracle WebLogic CERN SSO integration packages – https://github.com/cerndb/wls-cern-sso

References. Presentations

● UKOUG: Oracle WebLogic as a Service Provider for CERN Web Applications: APEX & Java EE – https://openlab-archive-phases-iv-v.web.cern.ch/publications/presentations/weblogic-service-provider-cern-web-applications-apex-java-ee
● 6th Control System Cyber-Security Workshop (CS)2/HEP: 1000 Thousand Things… – https://openlab-archive-phases-iv-v.web.cern.ch/publications/presentations/1000-things-you-always-want-know-about-sso-you-never-dare-ask
● Building Secure REST Architectures with ORDS – https://openlab-archive-phases-iv-v.web.cern.ch/sites/openlab-archive-phases-iv-v.web.cern.ch/files/presentations/building-secure-rest-architectures-with-ords.pdf

References. Blog entries

● Oracle WebLogic SAML2 Authorization – https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2015-02-oracle-weblogic-saml2-authorization
● SSO for Oracle REST Data Services – https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2017-04-sso-oracle-rest-dataservices
● Oracle JET, ORDS & OAUTH2 – https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2017-04-oracle-jet-ords-oauth2
● Java web application based on OAUTH2 – https://db-blog.web.cern.ch/blog/emil-kleszcz/2016-08-java-web-application-based-oauth2

References. Documentation

● Oracle WebLogic Server 12.1.3. Configuring SAML2 Services – https://docs.oracle.com/middleware/1213/wls/SECMG/saml20.htm#SECMG279
● Shibboleth Service Provider – https://wiki.shibboleth.net/confluence/display/SP3/Home
● Keycloak SAML Java Adapters – https://www.keycloak.org/docs/latest/securing_apps/index.html#saml-2

Credits

● Open source image – http://www.picserver.org/o/open-source.html
● Larry Ellison picture courtesy of Home Water Softener Reviews – www.homewatersoftenerreviews.com
● CERN pictures – https://press.cern/press-releases
● Post-it password pictures courtesy of Marco Verch – https://www.flickr.com/photos/30478819@N08/29613520138

CERN OPENLAB CONTACTS

ALBERTO DI MEGLIO – CERN openlab Head – [email protected]
ANDREW PURCELL – CERN openlab Communications Officer – [email protected]
MARIA GIRONE – CERN openlab CTO – [email protected]
KRISTINA GUNNE – CERN openlab Administration/Finance Officer – [email protected]
FONS RADEMAKERS – CERN openlab CRO – [email protected]

www.cern.ch/openlab