© 2013 IBM Corporation
SAML and OAUTH Technologies
WebSphere Application Server
Bill O'Donnell, STSM – WebSphere Foundation Security Architect
Session TAW-1698 / Session TAW-1701

Posted on 04-Jun-2018



Please Note

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.


About the Speaker

Bill O'Donnell
– My email is [email protected]
– WebSphere Foundation Security Architect (Austin Labs)
– Responsible for:
  • Security Architecture and Design for WebSphere Portfolio
  • Security Architect for WebSphere Application Server
  • Product Security Incident Response Team (PSIRT) for WebSphere and AIM brand
  • Product Secure Engineering for WebSphere and AIM brand
– See my website at http://www.ibm.com/developerworks/websphere/zones/was/security/


What are we going to talk about?

• SAML Overview
• SAML Web SSO Post Binding Profile
• SAML Web Services Token Profile
• OAUTH Overview


SAML Overview


What is SAML?

Security Assertion Markup Language (SAML)
– OASIS XML-based standard
– Used to exchange authentication and authorization data between parties
  • Identity Provider – handles authentication and the creation and verification of SAML tokens.
  • Service Provider – accepts a SAML Token as an identity assertion
– SAML is comprised of many (20+) “profiles” describing very specific use cases on how to use SAML


Why SAML Web SSO?

• Growing popularity
• Client-based (browser) SSO solution
• Decoupling from the server allows greater ease of interoperability between cross-vendor products
• Relies on identity assertion rather than server-side authentication
  – This means WAS does not need to be connected to the user registry at all


Common Usage Cases

• Target user registry not visible on WAS network
• SSO interoperability between WAS and non-WAS servers using the IdP as a common login portal
• SAML assertion is saved in the security Subject for down-stream calls
• IdP-agnostic, because all SAMLResponses and tokens must be formatted according to OASIS standards


SAML Highlights

Web SSO Post Binding Profile
− Delivered in WAS Full Profile 7.0.0.23, 8.0.0.4, 8.5.0.0
− SSO between WAS and non-WAS servers
− Relies on an Identity Assertion rather than server-side authentication
− Typically using an Identity Provider (IdP)

Web Service Security Token Profile 1.1
− Delivered in WAS Full Profile 7.0.0.9 and 8.0.0.0 and above
− Used by JAX-WS applications between WAS and non-WAS servers
− Requires a Security Token Service such as TFIM or ADSM


SAML Web SSO Post Binding Profile


Basic Flow


Basic Flow Described

1. User accesses IdP
   • Either directly, or through redirect via WAS TAI error page definition. WAS does NOT support SP-initiated SSO
2. IdP sends back SAMLResponse POST to WAS
3. ACSTrustAssociationInterceptor grabs the response
4. ACS TAI grabs the username attribute (NameId by default) and any other defined group membership attributes and passes them to the SP
   • Depending on TAI config, SP may verify user and/or user’s group membership in a repository
5. SP uses that data to create an LTPA token
   • SP is either the default WebSphereSamlSP at the /samlsps context, or a customer-implemented SP


Basic Flow continued


WAS Configuration - Enablement

• Update to 7.0.0.23 or 8.0.0.4
• Install WebSphereSamlSP.ear or run installSamlACS.py script
• Enable ACS TAI via AdminTask.addSAMLTAISSO or add the class manually in ISC
• Import the IdP's FederationMetadata.xml using the AdminTask.importSAMLIdpMetadata command, or simply import its signer certificate
• Configure WAS to trust the IdP's realm
• Configure WAS security custom properties and ACSTAI custom properties


Example TAI properties


Authorization

Group membership can be asserted in the SAMLResponse and/or grabbed from the WAS user registry

Controlled by sso_<id>.sp.groupMap and sso_<id>.sp.groupName

Security role to user/group mappings defined in the normal fashion, but watch out for “weird” realm names.

Purely asserted groups must be mapped manually, since the registry isn’t searchable from the WAS ISC
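The following is an added example (not IBM's ACSTrustAssociationInterceptor code) of what steps 3 and 4 of the flow above and the group handling on this slide amount to on the service-provider side: after the IdP signature has been verified, check the assertion's Conditions (validity window and AudienceRestriction), then pull out the NameID and the group attribute values that the SP would map to WAS groups. The SAMLResponse, the audience URL and the attribute name "Group" are constructed for the demonstration (in WAS the attribute name comes from the sso_<id>.sp.groupName property). XML-Signature verification needs an XML-DSig library and is only represented here by requiring that a Signature element is present; that is a placeholder for the real check, not a substitute for it.

```python
"""Consume a SAML 2.0 Response the way the ACS TAI flow describes (steps 3-4).

Added example, not IBM's ACSTrustAssociationInterceptor. The presence check on
ds:Signature stands in for real XML-DSig verification against the IdP signer
certificate; do not treat it as verification.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SAMLResponse (abridged; the SignatureValue is a dummy).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-06-01T10:00:00Z" NotOnOrAfter="2013-06-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://was.example.test/samlsps/acs</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Group">
        <saml:AttributeValue>Admins</saml:AttributeValue>
        <saml:AttributeValue>Printing</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(stamp):
    """Parse the UTC timestamps SAML uses in NotBefore / NotOnOrAfter."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def extract_identity(response_xml, expected_audience, group_attr="Group", now=None):
    """Return {"user": NameID, "groups": [...]} or raise ValueError on a bad assertion."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    if assertion.find("ds:Signature", NS) is None:
        raise ValueError("Assertion is not signed")  # real code: verify with the IdP signer cert

    # Conditions: reject assertions outside their validity window or meant for another SP.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_time(not_before):
        raise ValueError("Assertion not yet valid")
    if not_on_or_after and now >= parse_time(not_on_or_after):
        raise ValueError("Assertion has expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and expected_audience not in audiences:
        raise ValueError("Assertion was issued for a different audience")

    # Step 4: the username attribute (NameID) and the asserted group memberships.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("Assertion has no NameID")
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == group_attr:
            groups.extend(v.text for v in attr.findall("saml:AttributeValue", NS))
    return {"user": name_id, "groups": groups}


if __name__ == "__main__":
    print(extract_identity(SAMPLE_RESPONSE, "https://was.example.test/samlsps/acs",
                           now=parse_time("2013-06-01T10:02:00Z")))
```

The returned groups are the "purely asserted" groups the slide mentions: they exist only in the SAMLResponse, so nothing in the WAS registry can be searched to confirm them, which is why their role mappings have to be entered by hand.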


SSL

Transport- and message-layer encryption are both optional

Best practice: the public key from the IdP should be imported into WAS so that we can validate/trust the <Signature>

Message-layer encryption can be enabled by providing the IdP with the WAS public key, and specifying the sso_<id>.sp.keyStore, sso_<id>.sp.keyPassword, and sso_<id>.sp.keyAlias TAI custom props for the private key


Error Pages

• Unauthenticated requests are redirected based on sso_<id>.sp.login.error.page
  – http://, https:// or MappingClassName
• Almost always want to set this to the same URL as sso_<id>.idp_<id>.SingleSignOnUrl
• More complex deployments will want to implement the IdentityProviderMapping interface to allow for dynamic error pages
  – Generates the error page URL using the unauthenticated HttpServletRequest as input


Required Global Security properties


Web Services Security: SAML Token Profile 1.1


Web Service SAML single sign-on and propagation

A user authenticates to an STS and requests SAML tokens using the bearer (or sender-vouches) confirmation method. The user then uses the SAML tokens to access a business services provider. The business services provider validates the SAML tokens and asserts the identity and attributes of the user based on the trust relationship between the provider and the issuing STS (or sender). The service provider then requests service from the next service provider with the propagated SAML token.


Web Service SAML single sign-on with holder-of-key

1. The user logs on with a Web browser using SPNEGO (or Form Login) and is authenticated. A JAAS subject is created.
2. The credential from the SPNEGO token is used to request a SAML token using WS-Trust. The token is signed with the trust server private key.
3. The signature of the SAML token is validated based on the trust relationship. The security credential is created using the attributes from the SAML token. The cryptographic key from the SAML token is used to decrypt the SOAP message.


SAML Assertion across multiple security domains

This sample diagram shows three WebSphere Application Server security domains, each of which has its own user registry. Users in the two security domains on the left send Web services messages to access resources of the security domain on the right. Users send their identities in SAML tokens to identify themselves to the target security domain. A Web services provider will use the SAML user identity to create a security context without checking its own user registry.


Default SAML policyset and general bindings

SAML-specific default policy sets and general bindings are provided when the SAML function is installed. These policy sets and sample general bindings are used to request SAML tokens from an external Security Token Service (STS), and to propagate SAML tokens to downstream Web services.

Default policy sets:
− SAML11 Bearer WSHTTPS default
− SAML11 Bearer WSSecurity default
− SAML11 HoK Public WSSecurity default
− SAML11 HoK Symmetric WSSecurity default
− SAML20 Bearer WSHTTPS default
− SAML20 Bearer WSSecurity default
− SAML20 HoK Public WSSecurity default
− SAML20 HoK Symmetric WSSecurity default

General bindings:
− Saml Bearer Client sample
− Saml Bearer Provider sample
− Saml HoK Symmetric Client sample
− Saml HoK Symmetric Provider sample


Create, validate, parse, and request SAML using the API

Use the SAML library application programming interface (API), the SAMLTokenFactory, to configure token parameters, create a SAML token, and bind the created token to a service request.

Use the SAML trust client API to send WS-Trust SOAP requests to the specified external Security Token Service (STS) to request, validate, or exchange a SAML token.


Additional WebSphere Product Resources

• Learn about upcoming WebSphere Support Technical Exchange webcasts, and access previously recorded presentations at: http://www.ibm.com/software/websphere/support/supp_tech.html

• Discover the latest trends in WebSphere Technology and implementation, participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/

• Join the Global WebSphere Community: http://www.websphereusergroup.org

• Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant

• View a webcast replay with step-by-step instructions for using the Service Request (SR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html

• Sign up to receive weekly technical My Notifications emails: http://www.ibm.com/software/support/einfo.html


OAUTH Overview


What is OAUTH?

Open Authorization (OAuth)
– Provides a way for a client to access a server resource on behalf of the resource owner
– Provides a way for the end user to authorize a 3rd party to access their server resources without sharing their credentials
– Becoming popular in the social computing space
  • As an example, Facebook and Google leverage it for accessing their public APIs.


Delegated Authorization Example

Valet Key
An access token which offers scoped access to vehicle capabilities:
• Speed restriction
• Distance restriction
• Cannot alter some car functions (e.g. radio stations)
• Will not open storage areas


Other non-technical examples

Participant passcode vs leader passcode on a teleconference or web conference.

Doctor’s prescription

A boarding pass

Any other master key system such as those used by hotels and offices for room/cabinet access.


Example Use Case for OAUTH

• OAuth allows for resource sharing for social computing applications
• Scenario
  – Alice wants to print her Google Picasa photos using a third-party online photo printing service.
  – Alice protects her Google Picasa photo albums using a password.
  – Alice does not want to share her password.
  – Using OAuth, Alice will grant the third-party printing service the ability to read her photos.


Example user experience

In this example, a client has a Twitter account. The client application will be the online library example, and will tweet which books have been borrowed by the end-user to their Twitter account.

When borrowing a book for the first time (i.e. the client needs to establish an access token for the user), you are redirected to Twitter for authorization.


Example user experience cont…

After authorization, the application can tweet using the access token

The application can continue to use that access token until it expires

If I log in to Twitter directly, I can see any tweets that were made on my behalf via the API


OAuth 2.0 authorization code flow

1. The client (e.g. a web application) decides that access is required to the resource owner’s private resources at a known service provider.

2. Client redirects the user to the authorization server to authorize access.

3. Service provider generates a one-time authorization code that is sent via redirect back to the client.

4. Client exchanges authorization code for an authorized access token [and refresh token].

5. Client can [repeatedly] use the access token to obtain access to the private resources.

• Classic three-legged OAuth with a resource owner, client and service provider.
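As an added example (not the WebSphere OAuth provider's code), the following runs both sides of steps 2 to 5 above in one process: an in-memory authorization server issues a one-time authorization code, redeems it for access and refresh tokens after authenticating the client, and answers the resource server's token lookups. It shows the properties that make the code safe to send through the user's browser: it is short-lived, it can be redeemed only once, and it is bound to the client_id and redirect_uri that requested it. The client secret, user name and scope are constructed for the demonstration; the client id and redirect URI reuse the values from the server.xml sample on a later slide.

```python
"""Both sides of the OAuth 2.0 authorization code flow in one process.

Added example, not IBM's OAuth provider. Tokens are kept in memory; a real
server would persist them and expire access tokens too.
"""
import secrets
import time


class AuthorizationServer:
    CODE_TTL = 60  # seconds an unredeemed authorization code stays valid

    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect": ...} (registered clients)
        self._codes = {}        # code -> (client_id, redirect_uri, user, scope, expiry)
        self._tokens = {}       # access_token -> {"user": ..., "scope": ...}

    def authorize(self, client_id, redirect_uri, user, scope, now=None):
        """Steps 2-3: the resource owner has consented; hand the client a one-time code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri not registered")
        code = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + self.CODE_TTL
        # Bind the code to the requesting client so it cannot be redeemed elsewhere.
        self._codes[code] = (client_id, redirect_uri, user, scope, expiry)
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Step 4: an authenticated client redeems the code for access + refresh tokens."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        entry = self._codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None:
            raise PermissionError("unknown or already redeemed code")
        bound_client, bound_redirect, user, scope, expiry = entry
        now = now if now is not None else time.time()
        if bound_client != client_id or bound_redirect != redirect_uri or now >= expiry:
            raise PermissionError("code is not valid for this client or has expired")
        access = secrets.token_urlsafe(32)
        self._tokens[access] = {"user": user, "scope": scope}
        return {"access_token": access, "token_type": "bearer",
                "refresh_token": secrets.token_urlsafe(32), "scope": scope}

    def introspect(self, access_token):
        """Step 5: what the resource server asks before serving a request."""
        return self._tokens.get(access_token)


def run_flow(now=1_370_000_000.0):
    """Client side of steps 2-5; returns the outcome so it can be checked."""
    redirect = "http://localhost:1234/oauthclient/redirect.jsp"
    secret = "constructed-secret"  # constructed for the example
    server = AuthorizationServer({"client01": {"secret": secret, "redirect": redirect}})
    code = server.authorize("client01", redirect, user="alice", scope="tweet", now=now)
    tokens = server.token("client01", secret, code, redirect, now=now + 5)
    claims = server.introspect(tokens["access_token"])
    try:  # a replayed code must be refused
        server.token("client01", secret, code, redirect, now=now + 6)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"user": claims["user"], "scope": claims["scope"], "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(run_flow())
```

Note that a code which fails the binding check is still consumed by the pop: a code presented with the wrong client or redirect_uri is gone afterwards, which is the behaviour to want when a code has leaked.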


OAUTH 2.0 Highlights

• Delivered in WAS Full Profile 7.0.0.25, 8.0.0.5, and 8.5.0.1 and WAS Liberty Profile 8.5.0.2
• IBM Product Exploits
  − Lotus Connections


OAUTH 2.0 Configuring

Sample Liberty configuration in server.xml

    <!-- A simple OAuth provider definition. The filter determines which URLs it will handle.
         One client is authorized to access the provider -->
    <oauthProvider id="SampleOAuthProvider"
                   filter="request-url%=protectedresource; request-url!=protectedresource/abc">
      <localStore>
        <client name="client01" secret="{xor}LDo8LTor" displayname="client01"
                redirect="http://localhost:1234/oauthclient/redirect.jsp" enabled="true"/>
      </localStore>
    </oauthProvider>

    <!-- An OAuth provider can also have clients stored in a relational DB -->
    <oauthProvider id="DBOAuthProvider" filter="request-url%=oauthdbstore">
      <databaseStore dataSourceRef="OAuthClientDataSource" />
    </oauthProvider>

    <dataSource id="OAuthClientDataSource" jndiName="jdbc/OAuth2DB" jdbcDriverRef="DerbyEmbedded">
      <properties.derby.embedded databaseName="${shared.resource.dir}/data/oAuthDB" createDatabase="create" />
    </dataSource>


For more information

Configuring and using OAUTH from my security website
‒ OAUTH for WebSphere Application Server for Full WAS Profile
‒ OAUTH for WebSphere Application Server for Liberty Profile


We love your Feedback!

Don’t forget to submit your Impact session and speaker feedback!

• Your feedback is very important to us – we use it to improve next year’s conference
• Go to the Impact 2013 SmartSite (http://impactsmartsite/com):
  ‒ Use the session ID number to locate the session
  ‒ Click the “Take Survey” link
  ‒ Submit your feedback


Legal Disclaimer

• © IBM Corporation 2013. All Rights Reserved.• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained

in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

• If the text contains performance statistics or references to benchmarks, insert the following language; otherwise delete:Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

• If the text includes any customer examples, please confirm we have prior written approval from such customer and insert the following language; otherwise delete:All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

• Please review text for proper trademark attribution of IBM products. At first use, each product name must be the full name and include appropriate trademark symbols (e.g., IBM Lotus® Sametime® Unyte™). Subsequent references can drop “IBM” but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphere Application Server). Please refer to http://www.ibm.com/legal/copytrade.shtml for guidance on which trademarks require the ® or ™ symbol. Do not use abbreviations for IBM product names in your presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in your presentation as follows; delete any not included in your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.

• If you reference Adobe® in the text, please mark the first use and include the following; otherwise delete:Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

• If you reference Java™ in the text, please mark the first use and include the following; otherwise delete:Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

• If you reference Microsoft® and/or Windows® in the text, please mark the first use and include the following, as applicable; otherwise delete:Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

• If you reference Intel® and/or any of the following Intel products in the text, please mark the first use and include those that you use as follows; otherwise delete:Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

• If you reference UNIX® in the text, please mark the first use and include the following; otherwise delete:UNIX is a registered trademark of The Open Group in the United States and other countries.

• If you reference Linux® in your presentation, please mark the first use and include the following; otherwise delete:Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.

• If the text/graphics include screenshots, no actual IBM employee names may be used (even your own), if your screenshots include fictitious company names (e.g., Renovations, Zeta Bank, Acme) please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used for illustration purposes only.