A Thousand Things You Always Wanted To Know About SSO But Never Dared Ask Oracle Code One. San Francisco. 24/10/2018 Luis Rodríguez Fernández 1 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO. Identity Provider CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández 2 What is this presentation about? ● SSO components – Identity Provider – Service Provider ● IdP high level implementation details SAML2 ● Focus on securing applications IDP WS-FED SP OAUTH2 ● SAML2, WS-Fed, Oauth2 (client credentials) ● Real Use Cases ● Open-source & commercial solutions ● Tips & Tricks Luis Rodríguez Fernández 3 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO. Identity Provider CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández 4 About your speaker ● Software Engineer ● Service Manager – Databases Applications Service ● Oracle WebLogic (~350 servers) ● Apache Tomcat (~40 servers) ● ~200 URLs ● From Spain (Asturias) Luis Rodríguez Fernández 5 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO. Identity Provider CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández 6 About CERN ● Fundamental Research – What’s the Universe made of ? – How did it start ? – What matter is made of ? ● Tools – Accelerators – Detectors ● Three pillars – Research – Innovation – Education ● Science for peace Luis Rodríguez Fernández 7 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO. Identity Provider CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández 8 About CERN openlab A public-private partnership between the research community and industry Luis Rodríguez Fernández 9 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO. Identity Provider CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández 10 Why SSO? Security Luis Rodríguez Fernández 11 Why SSO? Federation Luis Rodríguez Fernández 12 Why SSO? Unique pair of credentials Luis Rodríguez Fernández 13 Why SSO? Computer Security Officer Luis Rodríguez Fernández 14 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO. Identity Provider CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández 15 CERN SSO. IdP Luis Rodríguez Fernández 16 CERN SSO. IdP Luis Rodríguez Fernández 17 CERN SSO. IdP Luis Rodríguez Fernández 18 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO. Identity Provider CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández 19 CERN SSO. WS-Fed & SAML2 WS-Fed & SAML2 login ● Very Similar – WS-Fed ● No metadata exchange ● Simple Single Log Out – SAML2 ● Metadata exchange (keys) ● Single Log Out is hell ! ● Assertions : packages of information – « Luis belongs to CERN IT-DEP » – « He has been authenticated by login.cern.ch » ● Actors – User Agent : web browser – Service Provider : relying party – Identity Provider : asserting party ● Debugging – SAMLTracer Luis Rodríguez Fernández 20 CERN SSO. WS-Fed & SAML2 WS-Fed Single Logout ● Very Similar – WS-Fed ● No metadata exchange ● Simple Single Log Out – SAML2 ● Metadata exchange (keys) ● Single Log Out is hell ! ● Assertions : packages of information – « Luis belongs to CERN IT-DEP » – « He has been authenticated by login.cern.ch » ● Actors – User Agent : web browser – Service Provider : relying party – Identity Provider : asserting party Luis Rodríguez Fernández 21 CERN SSO. WS-Fed & SAML2 SAML2 Single Logout ● Very Similar – WS-Fed ● No metadata exchange ● Simple Single Log Out – SAML2 ● Metadata exchange (keys) ● Single Log Out is hell ! ● Assertions : packages of information – « Luis belongs to CERN IT-DEP » – « He has been authenticated by login.cern.ch » ● Actors – User Agent : web browser – Service Provider : relying party – Identity Provider : asserting party Luis Rodríguez Fernández 22 CERN SSO. WS-Fed & SAML2 WS-Fed @ CERN ● Shibboleth – Open-source ● Active community ● IdP & SP – Linux/Windows ● Apache httpd server ● IIS web server – Installation : ● Simple ● Modular – Assertions ● http headers – Header too big ! ● Security : front-end delegated – Tricky : ERROR XMLTooling.StorageService.MEMCACHE [7]: ● StorageService ● Memcache client, uf… Memcache::getMemcache: CONNECTION FAILURE – Single Log Out ● Simple ! Luis Rodríguez Fernández 23 CERN SSO. WS-Fed & SAML2 SAML2 @ CERN ● Oracle WebLogic – « Swiss army knife » ● WLST (jython) ● Console ● REST ● Cluster, Datasources ● JEE 7 compliant ● Multiple scenarios – Enterprise Apps – ORDS, APEX, PL/SQL – Proxy (HttpProxyServlet) – Embedded SAML2 module ● « Complex » configuration – « Easy » automate – Cluster : requires RDBMS ● IdP & SP ● Implementation gaps – Principal & role mapping – Single Log Out ● Some warnings – « /saml2 » context mandatory – « / » cookie path all apps in WLS ● One application per cluster Luis Rodríguez Fernández 24 CERN SSO. WS-Fed & SAML2 SAML2 @ CERN ● Keycloak – Open-source – Active Community – IdP & SP – Commercial Support (Red-Hat) ● RH-SSO (Red Hat Single Sign On) – Adapters ● Java: wildfly, tomcat, spring... ● Javascript – Tomcat 8.5,9 & Tomee ● Tomcat Valve – context.xml ● Servlet Filter – web.xml ● Some warnings – One keycloak conf per /context ● Opposite as Oracle WebLogic – Global Logout signature verification – Automation Luis Rodríguez Fernández 25 CERN SSO. WS-Fed & SAML2 SAML2/WS-FED @ CERN ● Other – spring-security – SimpleSAMLphp – Native implementations: ● Sharepoint Luis Rodríguez Fernández 26 CERN SSO. WS-Fed & SAML2 SAML2/WS-FED @ CERN ● Clients (no web browser) – CERN SSO cookie client ● Perl ● Python – Apache Jmeter Luis Rodríguez Fernández 27 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO. Identity Provider CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández 28 CERN SSO. OAUTH2 OAUTH2 in a nutshell ● Security Framework for Authorization ● Access tokens + HTTPS ● Actors (examples) : – Resource owner : end user – Resource server : API – Client : web site consuming API – Authorization Server ● Grant access with owner approval Luis Rodríguez Fernández 29 CERN SSO. OAUTH2 OAUTH2. Valet Parking analogy ● Car → protected resource ● Car owner → resource owner ● Car owner → authorization server ● Parking attendant → client ● Valet key → access token Luis Rodríguez Fernández 30 CERN SSO. OAUTH2 CERN SSO OAUTH2 Service ● Two roles : – Authorization Server : ● Authenticates users – Resource server. Endpoints : ● /api/User ● /api/Groups ● Client Credentials grant ● Server side applications ● Applications = OAUTH2 clients Luis Rodríguez Fernández 31 CERN SSO. OAUTH2 CERN SSO OAUTH2 Service ● Other clients: – Java ● Atlassian Jira – Javascript ● nile-sso-proxy ● Other OAUTH2 flow – Implicit client ● Oracle JET & ORDS Luis Rodríguez Fernández 32 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO. Identity Provider CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández 33 CERN SSO. WHAT’S NEXT? Luis Rodríguez Fernández 34 Agenda What’s this presentation about ? About your speaker About CERN About CERN openlab Why SSO? CERN SSO. Identity Provider CERN SSO. WS-Fed & SAML2 CERN SSO. OAUTH2 CERN SSO. What’s next? Take-aways Luis Rodríguez Fernández 35 Take aways ● Cloud services & third party systems – Common authentication layer becomes a must – Federation ● Challenges : – Authorization – Integration Luis Rodríguez Fernández 36 Take aways ● Other solutions – CAS – OpenAM ● SAML2 vs OAUTH2 vs OpenID Connect (OIDC) – SAML2 ● Mature ● Verbose ● SSO use case ● Web apps UI (web profile) ● Hard back-end integration – OAUTH2 ● Young ● Simple ● Access delegation use case ● Front end ● APIs – OpenID Connect ● OAUTH2 authentication – Access token – ID token ● JSON Web Token ● SSO use case ● When to use what ? Luis Rodríguez Fernández 37 QUESTIONS? [email protected] https://www.slideshare.net/gauchoproluanco/1000-thingsssocodeone-120528726 http://db-blog.web.cern.ch/ Luis Rodríguez Fernández 38 References. Clients ● CERN SSO Client Cookie ● https://linux.web.cern.ch/linux/docs/cernssocookie.shtml ● CERN SSO Python ● https://github.com/cerndb/cern-sso-python ● CERNDB JMETER TEST PLAN ● https://github.com/jdanielcano/cerndb-sw-jmeter-test-plan ● OAUTH2 Authz Service Java Demo Client ● https://gitlab.cern.ch/db/cern-oauth2-authz-service-client ● Nile SSO Proxy ● https://gitlab.cern.ch/db/nile-sso-proxy ● JET OAUTH2 ORDS client ● https://github.com/cerndb/jet-oauth2-ords Luis Rodríguez Fernández 39 References. WLS libraries ● Oracle WebLogic CERN SSO integration packages ● https://github.com/cerndb/wls-cern-sso Luis Rodríguez Fernández 40 References. Presentations ● UKOUG: Oracle WebLogic as a Service Provider for CERN Web Applications : APEX & JAVA EE ● https://openlab-archive-phases-iv-v.web.cern.ch/publications/presentations/weblogic-service-provider-cern-web -applications-apex-java-ee ● 6th Control System Cyber-Security Workshop (CS)2/HEP: 1000 Thousand
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages45 Page
-
File Size-