SlideShare ist ein Scribd-Unternehmen logo

Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6

Kenneth Peeples
Kenneth Peeples

Summit 2013 on Picketlink

TechnologieBusiness
1 von 44
Downloaden Sie, um offline zu lesen
Authentication/Authorization Services with SAML & XACML with JBoss Enterprise Application Platform 6 Tony Stafford, SPAWAR ISSE Kenny Peeples, Red Hat Architect Date 06/29/2012
Speaker Introductions Tony Stafford • Space and Naval Warfare Systems Center (SPAWAR) Atlantic Cybersecurity Division • Information Systems Security Engineer for emerging technologies for Cloud, Mobile and SOA • Lead for Marine Corp, Navy and Intelligence Community projects Kenneth Peeples • Red Hat Senior Architect for Public sector projects (DHS, Navy, Marine Corp, FBI, NSA, etc) • C|HFI and Security+ certified • OASIS Member, SAML, XACML and AMQP Technical Committees XACML and AMQP Technical Committees
Agenda Challenges Governance Authentication (AuthN) Authorization (AuthZ) OASIS Standards SAML Standard XACML Standard Picketlink in JBoss EAP 6 Web Single-Sign On and Authorization Example
Authentication & Authorization – An Enterprise Challenge • Security is difficult to implement • Application / service developers interviewed reported they spent between 15-20% of their time building security into their software • The more complex, the more prone to human error • Security creates repeat of labor • Each application creating one-off solutions • Interoperability considerations with System of Systems • Security policies are often vague and hard to interpret • Decomposing IA non-functional requirements into technical implementation takes a lot of time and effort
Strategic Solutions – Building a Roadmap  Security Governance  Policies  Standards  Technological Implementation  Single Sign-On  Open Standard  Interoperable  Authorization  Policy Driven  Tailored to Enterprise Needs
Governance – Waiting is the Hardest Part  Common Governance Challenges  Vague or Undefined  What does the technical implementation of the bureaucratic policy look like?  Standards identification  Specifications  Identity  Authentication  Role or Attribute definition  Broad Enterprise Needs  How does my system fit into the overall architecture?  What does my system need to interoperate with?
Digital Policy Lifecycle – People to Machines Output System Configurations Network Configurations Access Controls Organizational / Capability Area Formal Language Natural Language Policies Enterprise Federated Local Governance Documentation Technical Implementation Implementing Group Authentication & Authorization
SAML & XACML – Killing Many Birds with Two Stones  SAML  Open Identity and Authentication Standard  Managed by OASIS  Extensible  XACML  Open Authorization Standard  Managed by OASIS  Extensible  Mapping  Standardize SAML & XACML  Decompose universal Roles or Attributes
Authentication (AuthN) and Authorization (AuthZ) What is Authentication? Verification that the user’s identity is valid. Authentication is based on three factor types: • What the user knows such as a password or PIN • What the user has such as a token or Smart card • What the user is (physically) such as a fingerprint or retina What is Authorization? The granting of access rights to a user, program or process
What is OASIS? OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society. OASIS promotes industry consensus and produces worldwide standards for security, Cloud computing, SOA, Web services, the Smart Grid, electronic publishing, emergency management, and other areas. OASIS open standards offer the potential to lower cost, stimulate innovation, grow global markets, and protect the right of free choice of technology. https://www.oasis-open.org/
What is OASIS (Continued)? OASIS Security Service (SAML- Security Assertion Markup Language) TC • Defining and maintaining a standard, XML-based framework for creating and exchanging security information between online partners • https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security OASIS eXtensible Access Control Markup Language (XACML) TC • Representing and evaluating access control policies • https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml OASIS Web Services Secure Exchange (WS-SX) TC • Defining WS-Security extensions and policies to enable the trusted exchange of multiple SOAP messages • The WS-Trust specification defines extensions that build on WS-Security to provide a framework for requesting and issuing security tokens. • https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx
What is SAML? The Security Assertion Markup Language (SAML), developed by the Security Services Technical Committee of OASIS, is an XML-based framework for communicating user authentication, entitlement, and attribute information. Security Assertion Markup Language (SAML) includes XML based assertions, protocols, bindings and profiles. http://docs.oasis-open.org/security/saml/v2.0/saml-core- 2.0-os.pdf
SAML Components SAML Core includes syntax for assertions and protocols. SAML Assertions include statements made by an authority. SAML Protocol describes the manner in which assertions are requested and received. SAML Binding maps SAML messages to standard messaging/communication protocols. SAML Profile is a use case using a collection of assertions, protocols and bindings. http://saml.xml.org/saml-specifications
SAML Assertions SAML Assertions include statements made by an authority. Three different types of assertions: • Authentication Assertion - Subject was authenticated by specified method at specified time • Attribute Assertion - Subject is associated with one or more supplied attributes • Authorization Decision Assertion - Subject has been granted/denied access to the specified resource
SAML Assertion Example 1: <saml:Assertion xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion” 2: Version="2.0" 3: IssueInstant="2005-01-31T12:00:00Z"> 4: <saml:Issuer Format=urn:oasis:names:SAML:2.0:nameid-format:entity> 5: http://idp.example.org 6: </saml:Issuer> 7: <saml:Subject> 8: <saml:NameID 9: Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> 10: j.doe@example.com 11: </saml:NameID> 12: </saml:Subject> 13: <saml:Conditions 14: NotBefore="2005-01-31T12:00:00Z" 15: NotOnOrAfter="2005-01-31T12:10:00Z"> 16: </saml:Conditions> 17: <saml:AuthnStatement 18: AuthnInstant="2005-01-31T12:00:00Z" SessionIndex="67775277772"> 19: <saml:AuthnContext> 20: <saml:AuthnContextClassRef> 21: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport 22: </saml:AuthnContextClassRef> 23: </saml:AuthnContext> 24: </saml:AuthnStatement> 25: </saml:Assertion>
What is an Identity Provider (IDP)? The Identity Provider authenticates the user and provides an authentication token to the service provider. The identity provider authenticates the user through one of the authentication types. The identity provider handles the management of user identities in order to free the service provider from this responsibility.
What is a Service Provider (SP)? A service provider is a application that provides services to the end user. Service providers do not authenticate users but instead request authentication decisions from an identity provider.
What is a Security Token Service (STS)? WS-Trust defines the concept of a security token service (STS), a service that can issue, cancel, renew and validate security tokens, and specifies the format of security token request and response messages.
Web Browser SAML SSO Profile
What is XACML? XACML is an OASIS standard that describes both a policy language and an access control decision request/response language (both written in XML). The policy language is used to describe general access control requirements, and has standard extension points for defining new functions, data types, combining logic, etc. The request/response language lets you form a query to ask whether or not a given action should be allowed, and interpret the result. The response always includes an answer about whether the request should be allowed using one of four values: Permit, Deny, Indeterminate (an error occurred or some required value was missing, so a decision cannot be made) or Not Applicable (the request can't be answered by this service). http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
Actors within the XACML Domain PAP (Policy Administration Point) - Point which manages policies PDP (Policy Decision Point) - Point which evaluates and issues authorization decisions PEP (Policy Enforcement Point) - Point which intercepts user's access request to a resource and enforces PDP's decision. PIP (Policy Information Point) - Point which can provide external information to a PDP, such as LDAP attribute information.
XACML Elements XACML Policies • A PolicySet contains one or more policies • A Policy contains a set of rules (Permit or Deny) applicable to a Target (Resource, Subject and Action). • A Rule has one or more Conditions. • A Condition is a Boolean function. XACML Request • Contains details on the subject, resource and action. Decision (Permit, Deny, Not Applicable, Indeterminate) can be based on • Resource Properties • Subject Attributes • Action • Environmental Conditions (Date/Time, IP Address etc) • Combining Algorithms (Policy Combining and Rule Combining)
Data Flow Model for XACML The Policy Enforcement Point (PEP) acts as an interceptor. In the component or container where an access decision is to be made, the PEP will create an XACML request based on various parameters of the call. It then asks the PDP for an access decision. The PDP will use one or more policies to make an access decision.
XACML Policy 1:<?xml version="1.0" encoding="UTF-8"?> 2: <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" 3: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4: xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os 5: access_control-xacml-2.0-policy-schema-os.xsd" 6: PolicyId="urn:oasis:names:tc:xacml:2.0:jboss-test:XV:policy" 7: RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"> 8: <Description> Policy for Subject RBAC</Description> 9: <Target/> 10: <Rule RuleId="urn:oasis:names:tc:xacml:2.0:jboss-test:XVI:rule" 11: Effect="Permit"> 12: <Description> 13: jduke can read or write resource information when he has a role of ServletUserRole 14: </Description> 15: <Target> 16: <Subjects> 17: <Subject> 18: <SubjectMatch 19: MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 20: <AttributeValue 21: DataType="http://www.w3.org/2001/XMLSchema#string">jduke</AttributeValue> 22: <SubjectAttributeDesignator 23: AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 24: DataType="http://www.w3.org/2001/XMLSchema#string"/> 25: </SubjectMatch> 26: <SubjectMatch 27: MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 28: <AttributeValue 29: DataType="http://www.w3.org/2001/XMLSchema#string">ServletUserRole</AttributeValue> 30: <SubjectAttributeDesignator 31: AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" 32: DataType="http://www.w3.org/2001/XMLSchema#string"/> 33: </SubjectMatch> 34: </Subject> 35: </Subjects>
XACML Policy (Continued) 1: <Resources> 2: <Resource> 3: <ResourceMatch 4: MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 5: <AttributeValue 6: DataType="http://www.w3.org/2001/XMLSchema#anyURI">/xacml-subjectrole/test</AttributeValue> 7: <ResourceAttributeDesignator 8: AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id“ 9: DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 10: </ResourceMatch> 11: </Resource> 12: </Resources> 13: <Actions> 14: <Action> 15: <ActionMatch 16: MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 17: <AttributeValue 18: DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> 19: <ActionAttributeDesignator 20: AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id“ 21: DataType="http://www.w3.org/2001/XMLSchema#string"/> 22: </ActionMatch> 23: </Action> 24: <Action> 25: <ActionMatch 26: MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 27: <AttributeValue 28: DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue> 29: <ActionAttributeDesignator 30: AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id“ 31: DataType="http://www.w3.org/2001/XMLSchema#string"/> 32: </ActionMatch> 33: </Action> 34: </Actions> 35: </Target> 36: </Rule> 37: </Policy>
XACML Request 1: <Request> 2: <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> 3: <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 4: DataType="http://www.w3.org/2001/XMLSchema#string" 5: Issuer="jboss.org"> 6: <AttributeValue>jduke</AttributeValue> 7: </Attribute> 8: <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" 9: DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="jboss.org"> 10: <AttributeValue>ServletUserRole</AttributeValue> 11: </Attribute> 12: </Subject> 13: <Resource> 14: <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 15: DataType="http://www.w3.org/2001/XMLSchema#anyURI"> 16: <AttributeValue>http://localhost:8080/xacml-subjectrole/test</AttributeValue></Attribute> 17: </Resource> 18: <Action> 19: <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 20: DataType="http://www.w3.org/2001/XMLSchema#string" 21: Issuer="jboss.org"> 22: <AttributeValue>read</AttributeValue> 23: </Attribute> 24: </Action> 25: <Environment> 26: <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" 27: DataType="http://www.w3.org/2001/XMLSchema#dateTime"> 28: <AttributeValue>20011-10-18T01:38:32.687000000-05:00</AttributeValue> 29: </Attribute> 30: </Environment> 31: </Request>
XACML Response 1: <Response> 2: <Result ResourceId=“http://localhost:8080/xacml-subjectrole/test"> 3: <Decision>Permit</Decision> 4: <Status> 5: <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/> 6: </Status> 7: </Result> 8: </Response>
Picketlink within JBoss EAP 6 Picketlink is fully supported in EAP 6 Documentation - https://docs.jboss.org/author/display/PLINK/Home Components – IDP, STS, PEP, PDP Subprojects – IDM, Federated Identity, AuthZ, XACML, Negotiation http://www.jboss.org/picketlink
Picketlink with JBoss EAP 6 (Continued) The Picketlink Module is included with EAP ${jboss.home.dir}/modules/org/picketlink The configuration (module.xml) and jar (picketlink-core- 2.1.1.Final.jar and picketlink-jbas7-2.1.1.Final.jar) files are located within the main folder. The module.xml should contain <module xmlns="urn:jboss:module:1.1" name="org.picketlink"> <resources> <resource-root path="picketlink-core-2.1.1.Final.jar"/> <resource-root path="picketlink-jbas7-2.1.1.Final.jar"/> </resources> <dependencies> ... </dependencies> </module>
Quickstarts • SAML Examples • WS-Trust Security Token Service • XACML Examples • Deploying and Running on AS https://docs.jboss.org/author/display/PLINK/PicketLink+Q uickstarts
Web Application SSO with SAML Example Demonstration of Sales and Employee Web Applications (Service Providers - SP) and SAML SSO with the Identity Provider (IDP) Relevant wars • Idp.war – Identity Provider • picketlink-sts.war – WS-Trust implementation • sales-post.war - BindingType="POST" • employee.war - BindingType="REDIRECT"
Identity Provider Login
picketlink.xml (IDP) 1: <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> 2: <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"> 3: <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL> 4: <Trust> 5: <Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains> 6: </Trust> 7: </PicketLinkIDP> 8: <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1"> 9: <Handler 10: class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" /> 11: <Handler 12: class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" /> 13: <Handler 14: class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler“ /> 15: <Handler 16: class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" /> 17: </Handlers> 18: </PicketLink>
picketlink.xml (Web Applications) 1:<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> 2: <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" 3: ServerEnvironment="tomcat" BindingType="POST"> 4: <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL> 5: <ServiceURL>${sales-post.url::http://localhost:8080/sales-post/}</ServiceURL> 6: </PicketLinkSP> 7: <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1"> 8: <Handler 9: class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler“ /> 10: <Handler 11: class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" /> 12: <Handler 13: class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" /> 14: </Handlers> 15:</PicketLink>
jboss-web.xml 1: <?xml version="1.0" encoding="UTF-8"?> 2: <jboss-web> 3: <security-domain>sp</security-domain> 4: <context-root>sales-post</context-root> 5: <valve> 6: <class- name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticat or</class-name> 7: </valve> 8: </jboss-web>
standalone.xml 1: <security-domain name="idp" cache-type="default"> 2: <authentication> 3: <login-module code="UsersRoles" flag="required"> 4: <module-option name="usersProperties" value="users.properties"/> 5: <module-option name="rolesProperties" value="roles.properties"/> 6: </login-module> 7: </authentication> 8: </security-domain> 9: <security-domain name="picketlink-sts" cache-type="default"> 10: <authentication> 11: <login-module code="UsersRoles" flag="required"> 12: <module-option name="usersProperties" value="users.properties"/> 13: <module-option name="rolesProperties" value="roles.properties"/> 14: </login-module> 15: </authentication> 16: </security-domain> 17: <security-domain name="sp" cache-type="default"> 18: <authentication> 19: <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/> 20: </authentication> 21: </security-domain> 22: <security-domain name="xacml-test" cache-type="default"> 23: <authentication> 24: <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/> 25: </authentication> 26: <authorization> 27: <policy-module code="org.jboss.security.authorization.modules.XACMLAuthorizationModule" flag="required"/> 28: </authorization> 29: </security-domain>
jboss-deployment-structure.xml 1: <jboss-deployment-structure> 2: <deployment> 3: <!-- Add picketlink module dependency --> 4: <dependencies> 5: <module name="org.picketlink" /> 6: </dependencies> 7: </deployment> 8:</jboss-deployment-structure>
Web Application XACML Authorization Example Demonstration of the use of the PEP and PDP with the Web Application xacml-subjectrole Relevant wars • xacml-subjectrole.war
jbossxacml-config.xml 1: <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0"> 2: <ns:Policies> 3: <ns:Policy> 4: <ns:Location>jboss-xacml-policy.xml</ns:Location> 5: </ns:Policy> 6: </ns:Policies> 7: <ns:Locators> 8: <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"/> 9: <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/> 10: </ns:Locators> 11: </ns:jbosspdp>
jboss-web.xml 1: <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd"> 2: <jboss-web> 3: <security-domain>java:/jaas/xacml-test</security-domain> 4: </jboss-web>
Additional References https://community.jboss.org/wiki/ProtectingEJBwebservic eswithXACMLAbeginnerstutorial https://community.jboss.org/wiki/SAMLWSIntegrationwith PicketLinkSTS http://server.dzone.com/articles/security-features-jboss- 510-2 http://www.jboss.org/picketlink/Fed.html
Contact Information Tony Stafford, SPAWAR ISSE tony.stafford@navy.mil Kenny Peeples, Red Hat Architect kpeeples@redhat.com
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6

Empfohlen

Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLinkJBUG London
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With PicketlinkAnil Saldanha
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
Authentication and Single Sing on
Authentication and Single Sing onAuthentication and Single Sing on
Authentication and Single Sing onguest648519
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS EnhancementGuo Albert
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 

Empfohlen

Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLinkJBUG London
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With PicketlinkAnil Saldanha
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
Authentication and Single Sing on
Authentication and Single Sing onAuthentication and Single Sing on
Authentication and Single Sing onguest648519
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS EnhancementGuo Albert
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthMike Schwartz
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLJ V
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onCraig Dickson
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuthDan Brinkmann
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)Artur Barseghyan
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
SAML 101
SAML 101SAML 101
SAML 101Echoworx
 
Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethAndrew Petro
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-OnRavi Yasas
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...Mike Schwartz
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloudNagraj Rao
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-OnFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-Onelliando dias
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Oliver Pfaff
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Jasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesJasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesAndrew Petro
 
SAML Smackdown
SAML SmackdownSAML Smackdown
SAML SmackdownPat Patterson
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol OverviewMike Schwartz
 

Weitere ähnliche Inhalte

Was ist angesagt?

Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthMike Schwartz
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLJ V
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onCraig Dickson
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)Artur Barseghyan
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethAndrew Petro
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-OnRavi Yasas
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...Mike Schwartz
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-OnFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-Onelliando dias
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Oliver Pfaff
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Jasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesJasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesAndrew Petro
 

Was ist angesagt? (20)

Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. Oauth
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE Security
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 
SAML 101
SAML 101SAML 101
SAML 101
 
Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and Shibboleth
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-OnFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 
Jasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesJasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten Minutes
 

Andere mochten auch

SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol OverviewMike Schwartz
 
White Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity ManagementWhite Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity ManagementGigya
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementManish Harsh
 
DaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat MessaoudDaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat MessaoudDenis Gundarev
 
BriForum 2013 Chicago - Citrix Troubleshooting - Denis Gundarev
BriForum 2013 Chicago - Citrix Troubleshooting - Denis GundarevBriForum 2013 Chicago - Citrix Troubleshooting - Denis Gundarev
BriForum 2013 Chicago - Citrix Troubleshooting - Denis GundarevDenis Gundarev
 
Briforum 2011 Chicago
Briforum 2011 ChicagoBriforum 2011 Chicago
Briforum 2011 ChicagoDan Brinkmann
 
RSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityRSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityMike Schwartz
 
DaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo MurrisDaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo MurrisDenis Gundarev
 
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5Denis Gundarev
 
Cloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher EducationCloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher EducationMike Schwartz
 
ID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzMike Schwartz
 
Who Are You? From Meat to Electrons - SXSW 2014
Who Are You? From Meat to Electrons - SXSW 2014Who Are You? From Meat to Electrons - SXSW 2014
Who Are You? From Meat to Electrons - SXSW 2014Mike Schwartz
 
DaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris RogersDaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris RogersDenis Gundarev
 
Mule security - saml
Mule security - samlMule security - saml
Mule security - samlcharan teja R
 
RUCUG: 6. Fabian Kienle - NetScaler and Branch Repeater for Hyper-V
RUCUG: 6. Fabian Kienle - NetScaler and Branch Repeater for Hyper-VRUCUG: 6. Fabian Kienle - NetScaler and Branch Repeater for Hyper-V
RUCUG: 6. Fabian Kienle - NetScaler and Branch Repeater for Hyper-VDenis Gundarev
 
Citrix Internals: Tracing, Debugging & Troubleshooting
Citrix Internals: Tracing, Debugging & TroubleshootingCitrix Internals: Tracing, Debugging & Troubleshooting
Citrix Internals: Tracing, Debugging & TroubleshootingDenis Gundarev
 

Andere mochten auch (19)

SAML Smackdown
SAML SmackdownSAML Smackdown
SAML Smackdown
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
 
White Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity ManagementWhite Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity Management
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy Management
 
Single sign on
Single sign onSingle sign on
Single sign on
 
DaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat MessaoudDaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat Messaoud
 
BriForum 2013 Chicago - Citrix Troubleshooting - Denis Gundarev
BriForum 2013 Chicago - Citrix Troubleshooting - Denis GundarevBriForum 2013 Chicago - Citrix Troubleshooting - Denis Gundarev
BriForum 2013 Chicago - Citrix Troubleshooting - Denis Gundarev
 
Briforum 2011 Chicago
Briforum 2011 ChicagoBriforum 2011 Chicago
Briforum 2011 Chicago
 
RSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityRSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud Identity
 
DaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo MurrisDaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo Murris
 
The Tools I Use
The Tools I UseThe Tools I Use
The Tools I Use
 
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
 
Cloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher EducationCloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher Education
 
ID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike Schwartz
 
Who Are You? From Meat to Electrons - SXSW 2014
Who Are You? From Meat to Electrons - SXSW 2014Who Are You? From Meat to Electrons - SXSW 2014
Who Are You? From Meat to Electrons - SXSW 2014
 
DaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris RogersDaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris Rogers
 
Mule security - saml
Mule security - samlMule security - saml
Mule security - saml
 
RUCUG: 6. Fabian Kienle - NetScaler and Branch Repeater for Hyper-V
RUCUG: 6. Fabian Kienle - NetScaler and Branch Repeater for Hyper-VRUCUG: 6. Fabian Kienle - NetScaler and Branch Repeater for Hyper-V
RUCUG: 6. Fabian Kienle - NetScaler and Branch Repeater for Hyper-V
 
Citrix Internals: Tracing, Debugging & Troubleshooting
Citrix Internals: Tracing, Debugging & TroubleshootingCitrix Internals: Tracing, Debugging & Troubleshooting
Citrix Internals: Tracing, Debugging & Troubleshooting
 

Ähnlich wie Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6

The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmasThe WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmassureshattanayake
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas WSO2
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmasThe WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmassureshattanayake
 
Security architecture best practices for saas applications
Security architecture best practices for saas applicationsSecurity architecture best practices for saas applications
Security architecture best practices for saas applicationskanimozhin
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurancebdemchak
 
Techcello hp-arch workshop
Techcello hp-arch workshopTechcello hp-arch workshop
Techcello hp-arch workshopkanimozhin
 
Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...kanimozhin
 
From Cisco ACS to ISE
From Cisco ACS to ISE From Cisco ACS to ISE
From Cisco ACS to ISE Mahzad Zahedi
 
Security Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsSecurity Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsTechcello
 
dist-access. access control in distributed systemspdf
dist-access. access control in distributed systemspdfdist-access. access control in distributed systemspdf
dist-access. access control in distributed systemspdfNohaNagy5
 
Axiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 sharedAxiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 sharedFinn Frisch
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXCisco Canada
 
Application Security in the Cloud - Best Practices
Application Security in the Cloud - Best PracticesApplication Security in the Cloud - Best Practices
Application Security in the Cloud - Best PracticesRightScale
 
Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...David Brossard
 
Free and open cloud security posture monitoring
Free and open cloud security posture monitoringFree and open cloud security posture monitoring
Free and open cloud security posture monitoringElasticsearch
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice ArchitectureMatt McLarty
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the CloudAmazon Web Services
 
Iam suite introduction
Iam suite introductionIam suite introduction
Iam suite introductionwardell henley
 

Ähnlich wie Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6 (20)

The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmasThe WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmasThe WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas
 
Security architecture best practices for saas applications
Security architecture best practices for saas applicationsSecurity architecture best practices for saas applications
Security architecture best practices for saas applications
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurance
 
Techcello hp-arch workshop
Techcello hp-arch workshopTechcello hp-arch workshop
Techcello hp-arch workshop
 
Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...
 
From Cisco ACS to ISE
From Cisco ACS to ISE From Cisco ACS to ISE
From Cisco ACS to ISE
 
Security Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsSecurity Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS Applications
 
dist-access. access control in distributed systemspdf
dist-access. access control in distributed systemspdfdist-access. access control in distributed systemspdf
dist-access. access control in distributed systemspdf
 
Axiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 sharedAxiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 shared
 
Presentation
PresentationPresentation
Presentation
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
 
Application Security in the Cloud - Best Practices
Application Security in the Cloud - Best PracticesApplication Security in the Cloud - Best Practices
Application Security in the Cloud - Best Practices
 
Intorduction to Datapower
Intorduction to DatapowerIntorduction to Datapower
Intorduction to Datapower
 
Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...
 
Free and open cloud security posture monitoring
Free and open cloud security posture monitoringFree and open cloud security posture monitoring
Free and open cloud security posture monitoring
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
 
Iam suite introduction
Iam suite introductionIam suite introduction
Iam suite introduction
 

Mehr von Kenneth Peeples

Data Virtualization Primer -
Data Virtualization Primer -Data Virtualization Primer -
Data Virtualization Primer -Kenneth Peeples
 
Data Virtualization Primer - Introduction
Data Virtualization Primer - IntroductionData Virtualization Primer - Introduction
Data Virtualization Primer - IntroductionKenneth Peeples
 
Connect to the IoT with a lightweight protocol MQTT
Connect to the IoT with a lightweight protocol MQTTConnect to the IoT with a lightweight protocol MQTT
Connect to the IoT with a lightweight protocol MQTTKenneth Peeples
 
Maximize information exchange in your enterprise with AMQP
Maximize information exchange in your enterprise with AMQPMaximize information exchange in your enterprise with AMQP
Maximize information exchange in your enterprise with AMQPKenneth Peeples
 
Integration intervention: Get your apps and data up to speed
Integration intervention: Get your apps and data up to speedIntegration intervention: Get your apps and data up to speed
Integration intervention: Get your apps and data up to speedKenneth Peeples
 
Big data insights with Red Hat JBoss Data Virtualization
Big data insights with Red Hat JBoss Data VirtualizationBig data insights with Red Hat JBoss Data Virtualization
Big data insights with Red Hat JBoss Data VirtualizationKenneth Peeples
 
Understanding and Using Client JBoss A-MQ APIs
Understanding and Using Client JBoss A-MQ APIsUnderstanding and Using Client JBoss A-MQ APIs
Understanding and Using Client JBoss A-MQ APIsKenneth Peeples
 
Using Red Hat JBoss Fuse on OpenShift
Using Red Hat JBoss Fuse on OpenShiftUsing Red Hat JBoss Fuse on OpenShift
Using Red Hat JBoss Fuse on OpenShiftKenneth Peeples
 
Service Lifecycle Management with Fuse Service Works
Service Lifecycle Management with Fuse Service WorksService Lifecycle Management with Fuse Service Works
Service Lifecycle Management with Fuse Service WorksKenneth Peeples
 
Big Data and Data Virtualization
Big Data and Data VirtualizationBig Data and Data Virtualization
Big Data and Data VirtualizationKenneth Peeples
 
Simplify your integrations with Apache Camel
Simplify your integrations with Apache CamelSimplify your integrations with Apache Camel
Simplify your integrations with Apache CamelKenneth Peeples
 
Fuse Service Works Design Time Governance and S-RAMP
Fuse Service Works Design Time Governance and S-RAMPFuse Service Works Design Time Governance and S-RAMP
Fuse Service Works Design Time Governance and S-RAMPKenneth Peeples
 
Sap webinar-briefing-sep-2013-final
Sap webinar-briefing-sep-2013-finalSap webinar-briefing-sep-2013-final
Sap webinar-briefing-sep-2013-finalKenneth Peeples
 
CamelOne 2013 Karaf A-MQ Camel CXF Security
CamelOne 2013 Karaf A-MQ Camel CXF SecurityCamelOne 2013 Karaf A-MQ Camel CXF Security
CamelOne 2013 Karaf A-MQ Camel CXF SecurityKenneth Peeples
 

Mehr von Kenneth Peeples (19)

dvprimer-architecture
dvprimer-architecturedvprimer-architecture
dvprimer-architecture
 
dvprimer-concepts
dvprimer-conceptsdvprimer-concepts
dvprimer-concepts
 
Data Virtualization Primer -
Data Virtualization Primer -Data Virtualization Primer -
Data Virtualization Primer -
 
Data Virtualization Primer - Introduction
Data Virtualization Primer - IntroductionData Virtualization Primer - Introduction
Data Virtualization Primer - Introduction
 
Connect to the IoT with a lightweight protocol MQTT
Connect to the IoT with a lightweight protocol MQTTConnect to the IoT with a lightweight protocol MQTT
Connect to the IoT with a lightweight protocol MQTT
 
Maximize information exchange in your enterprise with AMQP
Maximize information exchange in your enterprise with AMQPMaximize information exchange in your enterprise with AMQP
Maximize information exchange in your enterprise with AMQP
 
Integration intervention: Get your apps and data up to speed
Integration intervention: Get your apps and data up to speedIntegration intervention: Get your apps and data up to speed
Integration intervention: Get your apps and data up to speed
 
Big data insights with Red Hat JBoss Data Virtualization
Big data insights with Red Hat JBoss Data VirtualizationBig data insights with Red Hat JBoss Data Virtualization
Big data insights with Red Hat JBoss Data Virtualization
 
Understanding and Using Client JBoss A-MQ APIs
Understanding and Using Client JBoss A-MQ APIsUnderstanding and Using Client JBoss A-MQ APIs
Understanding and Using Client JBoss A-MQ APIs
 
Using Red Hat JBoss Fuse on OpenShift
Using Red Hat JBoss Fuse on OpenShiftUsing Red Hat JBoss Fuse on OpenShift
Using Red Hat JBoss Fuse on OpenShift
 
Service Lifecycle Management with Fuse Service Works
Service Lifecycle Management with Fuse Service WorksService Lifecycle Management with Fuse Service Works
Service Lifecycle Management with Fuse Service Works
 
SOA Summit 2014
SOA Summit 2014SOA Summit 2014
SOA Summit 2014
 
Big Data and Data Virtualization
Big Data and Data VirtualizationBig Data and Data Virtualization
Big Data and Data Virtualization
 
Simplify your integrations with Apache Camel
Simplify your integrations with Apache CamelSimplify your integrations with Apache Camel
Simplify your integrations with Apache Camel
 
Fuse Service Works Design Time Governance and S-RAMP
Fuse Service Works Design Time Governance and S-RAMPFuse Service Works Design Time Governance and S-RAMP
Fuse Service Works Design Time Governance and S-RAMP
 
JDV Big Data Webinar v2
JDV Big Data Webinar v2JDV Big Data Webinar v2
JDV Big Data Webinar v2
 
Sap webinar-briefing-sep-2013-final
Sap webinar-briefing-sep-2013-finalSap webinar-briefing-sep-2013-final
Sap webinar-briefing-sep-2013-final
 
Bitmoney Demonstration
Bitmoney DemonstrationBitmoney Demonstration
Bitmoney Demonstration
 
CamelOne 2013 Karaf A-MQ Camel CXF Security
CamelOne 2013 Karaf A-MQ Camel CXF SecurityCamelOne 2013 Karaf A-MQ Camel CXF Security
CamelOne 2013 Karaf A-MQ Camel CXF Security
 

Kürzlich hochgeladen

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 

Kürzlich hochgeladen (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 

Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6

  • 1.
  • 2. Authentication/Authorization Services with SAML & XACML with JBoss Enterprise Application Platform 6 Tony Stafford, SPAWAR ISSE Kenny Peeples, Red Hat Architect Date 06/29/2012
  • 3. Speaker Introductions Tony Stafford • Space and Naval Warfare Systems Center (SPAWAR) Atlantic Cybersecurity Division • Information Systems Security Engineer for emerging technologies for Cloud, Mobile and SOA • Lead for Marine Corp, Navy and Intelligence Community projects Kenneth Peeples • Red Hat Senior Architect for Public sector projects (DHS, Navy, Marine Corp, FBI, NSA, etc) • C|HFI and Security+ certified • OASIS Member, SAML, XACML and AMQP Technical Committees XACML and AMQP Technical Committees
  • 4. Agenda Challenges Governance Authentication (AuthN) Authorization (AuthZ) OASIS Standards SAML Standard XACML Standard Picketlink in JBoss EAP 6 Web Single-Sign On and Authorization Example
  • 5. Authentication & Authorization – An Enterprise Challenge • Security is difficult to implement • Application / service developers interviewed reported they spent between 15-20% of their time building security into their software • The more complex, the more prone to human error • Security creates repeat of labor • Each application creating one-off solutions • Interoperability considerations with System of Systems • Security policies are often vague and hard to interpret • Decomposing IA non-functional requirements into technical implementation takes a lot of time and effort
  • 6. Strategic Solutions – Building a Roadmap  Security Governance  Policies  Standards  Technological Implementation  Single Sign-On  Open Standard  Interoperable  Authorization  Policy Driven  Tailored to Enterprise Needs
  • 7. Governance – Waiting is the Hardest Part  Common Governance Challenges  Vague or Undefined  What does the technical implementation of the bureaucratic policy look like?  Standards identification  Specifications  Identity  Authentication  Role or Attribute definition  Broad Enterprise Needs  How does my system fit into the overall architecture?  What does my system need to interoperate with?
  • 8. Digital Policy Lifecycle – People to Machines Output System Configurations Network Configurations Access Controls Organizational / Capability Area Formal Language Natural Language Policies Enterprise Federated Local Governance Documentation Technical Implementation Implementing Group Authentication & Authorization
  • 9. SAML & XACML – Killing Many Birds with Two Stones  SAML  Open Identity and Authentication Standard  Managed by OASIS  Extensible  XACML  Open Authorization Standard  Managed by OASIS  Extensible  Mapping  Standardize SAML & XACML  Decompose universal Roles or Attributes
  • 10. Authentication (AuthN) and Authorization (AuthZ) What is Authentication? Verification that the user’s identity is valid. Authentication is based on three factor types: • What the user knows such as a password or PIN • What the user has such as a token or Smart card • What the user is (physically) such as a fingerprint or retina What is Authorization? The granting of access rights to a user, program or process
  • 11. What is OASIS? OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society. OASIS promotes industry consensus and produces worldwide standards for security, Cloud computing, SOA, Web services, the Smart Grid, electronic publishing, emergency management, and other areas. OASIS open standards offer the potential to lower cost, stimulate innovation, grow global markets, and protect the right of free choice of technology. https://www.oasis-open.org/
  • 12. What is OASIS (Continued)? OASIS Security Service (SAML- Security Assertion Markup Language) TC • Defining and maintaining a standard, XML-based framework for creating and exchanging security information between online partners • https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security OASIS eXtensible Access Control Markup Language (XACML) TC • Representing and evaluating access control policies • https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml OASIS Web Services Secure Exchange (WS-SX) TC • Defining WS-Security extensions and policies to enable the trusted exchange of multiple SOAP messages • The WS-Trust specification defines extensions that build on WS-Security to provide a framework for requesting and issuing security tokens. • https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx
  • 13. What is SAML? The Security Assertion Markup Language (SAML), developed by the Security Services Technical Committee of OASIS, is an XML-based framework for communicating user authentication, entitlement, and attribute information. Security Assertion Markup Language (SAML) includes XML based assertions, protocols, bindings and profiles. http://docs.oasis-open.org/security/saml/v2.0/saml-core- 2.0-os.pdf
  • 14. SAML Components SAML Core includes syntax for assertions and protocols. SAML Assertions include statements made by an authority. SAML Protocol describes the manner in which assertions are requested and received. SAML Binding maps SAML messages to standard messaging/communication protocols. SAML Profile is a use case using a collection of assertions, protocols and bindings. http://saml.xml.org/saml-specifications
  • 15. SAML Assertions SAML Assertions include statements made by an authority. Three different types of assertions: • Authentication Assertion - Subject was authenticated by specified method at specified time • Attribute Assertion - Subject is associated with one or more supplied attributes • Authorization Decision Assertion - Subject has been granted/denied access to the specified resource
  • 16. SAML Assertion Example 1: <saml:Assertion xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion” 2: Version="2.0" 3: IssueInstant="2005-01-31T12:00:00Z"> 4: <saml:Issuer Format=urn:oasis:names:SAML:2.0:nameid-format:entity> 5: http://idp.example.org 6: </saml:Issuer> 7: <saml:Subject> 8: <saml:NameID 9: Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> 10: j.doe@example.com 11: </saml:NameID> 12: </saml:Subject> 13: <saml:Conditions 14: NotBefore="2005-01-31T12:00:00Z" 15: NotOnOrAfter="2005-01-31T12:10:00Z"> 16: </saml:Conditions> 17: <saml:AuthnStatement 18: AuthnInstant="2005-01-31T12:00:00Z" SessionIndex="67775277772"> 19: <saml:AuthnContext> 20: <saml:AuthnContextClassRef> 21: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport 22: </saml:AuthnContextClassRef> 23: </saml:AuthnContext> 24: </saml:AuthnStatement> 25: </saml:Assertion>
  • 17. What is an Identity Provider (IDP)? The Identity Provider authenticates the user and provides an authentication token to the service provider. The identity provider authenticates the user through one of the authentication types. The identity provider handles the management of user identities in order to free the service provider from this responsibility.
  • 18. What is a Service Provider (SP)? A service provider is a application that provides services to the end user. Service providers do not authenticate users but instead request authentication decisions from an identity provider.
  • 19. What is a Security Token Service (STS)? WS-Trust defines the concept of a security token service (STS), a service that can issue, cancel, renew and validate security tokens, and specifies the format of security token request and response messages.
  • 20. Web Browser SAML SSO Profile
  • 21. What is XACML? XACML is an OASIS standard that describes both a policy language and an access control decision request/response language (both written in XML). The policy language is used to describe general access control requirements, and has standard extension points for defining new functions, data types, combining logic, etc. The request/response language lets you form a query to ask whether or not a given action should be allowed, and interpret the result. The response always includes an answer about whether the request should be allowed using one of four values: Permit, Deny, Indeterminate (an error occurred or some required value was missing, so a decision cannot be made) or Not Applicable (the request can't be answered by this service). http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
  • 22. Actors within the XACML Domain PAP (Policy Administration Point) - Point which manages policies PDP (Policy Decision Point) - Point which evaluates and issues authorization decisions PEP (Policy Enforcement Point) - Point which intercepts user's access request to a resource and enforces PDP's decision. PIP (Policy Information Point) - Point which can provide external information to a PDP, such as LDAP attribute information.
  • 23. XACML Elements XACML Policies • A PolicySet contains one or more policies • A Policy contains a set of rules (Permit or Deny) applicable to a Target (Resource, Subject and Action). • A Rule has one or more Conditions. • A Condition is a Boolean function. XACML Request • Contains details on the subject, resource and action. Decision (Permit, Deny, Not Applicable, Indeterminate) can be based on • Resource Properties • Subject Attributes • Action • Environmental Conditions (Date/Time, IP Address etc) • Combining Algorithms (Policy Combining and Rule Combining)
  • 24. Data Flow Model for XACML The Policy Enforcement Point (PEP) acts as an interceptor. In the component or container where an access decision is to be made, the PEP will create an XACML request based on various parameters of the call. It then asks the PDP for an access decision. The PDP will use one or more policies to make an access decision.
  • 25. XACML Policy 1:<?xml version="1.0" encoding="UTF-8"?> 2: <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" 3: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4: xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os 5: access_control-xacml-2.0-policy-schema-os.xsd" 6: PolicyId="urn:oasis:names:tc:xacml:2.0:jboss-test:XV:policy" 7: RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"> 8: <Description> Policy for Subject RBAC</Description> 9: <Target/> 10: <Rule RuleId="urn:oasis:names:tc:xacml:2.0:jboss-test:XVI:rule" 11: Effect="Permit"> 12: <Description> 13: jduke can read or write resource information when he has a role of ServletUserRole 14: </Description> 15: <Target> 16: <Subjects> 17: <Subject> 18: <SubjectMatch 19: MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 20: <AttributeValue 21: DataType="http://www.w3.org/2001/XMLSchema#string">jduke</AttributeValue> 22: <SubjectAttributeDesignator 23: AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 24: DataType="http://www.w3.org/2001/XMLSchema#string"/> 25: </SubjectMatch> 26: <SubjectMatch 27: MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 28: <AttributeValue 29: DataType="http://www.w3.org/2001/XMLSchema#string">ServletUserRole</AttributeValue> 30: <SubjectAttributeDesignator 31: AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" 32: DataType="http://www.w3.org/2001/XMLSchema#string"/> 33: </SubjectMatch> 34: </Subject> 35: </Subjects>
  • 26. XACML Policy (Continued) 1: <Resources> 2: <Resource> 3: <ResourceMatch 4: MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 5: <AttributeValue 6: DataType="http://www.w3.org/2001/XMLSchema#anyURI">/xacml-subjectrole/test</AttributeValue> 7: <ResourceAttributeDesignator 8: AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id“ 9: DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 10: </ResourceMatch> 11: </Resource> 12: </Resources> 13: <Actions> 14: <Action> 15: <ActionMatch 16: MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 17: <AttributeValue 18: DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> 19: <ActionAttributeDesignator 20: AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id“ 21: DataType="http://www.w3.org/2001/XMLSchema#string"/> 22: </ActionMatch> 23: </Action> 24: <Action> 25: <ActionMatch 26: MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 27: <AttributeValue 28: DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue> 29: <ActionAttributeDesignator 30: AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id“ 31: DataType="http://www.w3.org/2001/XMLSchema#string"/> 32: </ActionMatch> 33: </Action> 34: </Actions> 35: </Target> 36: </Rule> 37: </Policy>
  • 27. XACML Request 1: <Request> 2: <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> 3: <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 4: DataType="http://www.w3.org/2001/XMLSchema#string" 5: Issuer="jboss.org"> 6: <AttributeValue>jduke</AttributeValue> 7: </Attribute> 8: <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" 9: DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="jboss.org"> 10: <AttributeValue>ServletUserRole</AttributeValue> 11: </Attribute> 12: </Subject> 13: <Resource> 14: <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 15: DataType="http://www.w3.org/2001/XMLSchema#anyURI"> 16: <AttributeValue>http://localhost:8080/xacml-subjectrole/test</AttributeValue></Attribute> 17: </Resource> 18: <Action> 19: <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 20: DataType="http://www.w3.org/2001/XMLSchema#string" 21: Issuer="jboss.org"> 22: <AttributeValue>read</AttributeValue> 23: </Attribute> 24: </Action> 25: <Environment> 26: <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" 27: DataType="http://www.w3.org/2001/XMLSchema#dateTime"> 28: <AttributeValue>20011-10-18T01:38:32.687000000-05:00</AttributeValue> 29: </Attribute> 30: </Environment> 31: </Request>
  • 28. XACML Response 1: <Response> 2: <Result ResourceId=“http://localhost:8080/xacml-subjectrole/test"> 3: <Decision>Permit</Decision> 4: <Status> 5: <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/> 6: </Status> 7: </Result> 8: </Response>
  • 29. Picketlink within JBoss EAP 6 Picketlink is fully supported in EAP 6 Documentation - https://docs.jboss.org/author/display/PLINK/Home Components – IDP, STS, PEP, PDP Subprojects – IDM, Federated Identity, AuthZ, XACML, Negotiation http://www.jboss.org/picketlink
  • 30. Picketlink with JBoss EAP 6 (Continued) The Picketlink Module is included with EAP ${jboss.home.dir}/modules/org/picketlink The configuration (module.xml) and jar (picketlink-core- 2.1.1.Final.jar and picketlink-jbas7-2.1.1.Final.jar) files are located within the main folder. The module.xml should contain <module xmlns="urn:jboss:module:1.1" name="org.picketlink"> <resources> <resource-root path="picketlink-core-2.1.1.Final.jar"/> <resource-root path="picketlink-jbas7-2.1.1.Final.jar"/> </resources> <dependencies> ... </dependencies> </module>
  • 31. Quickstarts • SAML Examples • WS-Trust Security Token Service • XACML Examples • Deploying and Running on AS https://docs.jboss.org/author/display/PLINK/PicketLink+Q uickstarts
  • 32. Web Application SSO with SAML Example Demonstration of Sales and Employee Web Applications (Service Providers - SP) and SAML SSO with the Identity Provider (IDP) Relevant wars • Idp.war – Identity Provider • picketlink-sts.war – WS-Trust implementation • sales-post.war - BindingType="POST" • employee.war - BindingType="REDIRECT"
  • 34. picketlink.xml (IDP) 1: <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> 2: <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"> 3: <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL> 4: <Trust> 5: <Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains> 6: </Trust> 7: </PicketLinkIDP> 8: <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1"> 9: <Handler 10: class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" /> 11: <Handler 12: class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" /> 13: <Handler 14: class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler“ /> 15: <Handler 16: class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" /> 17: </Handlers> 18: </PicketLink>
  • 35. picketlink.xml (Web Applications) 1:<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> 2: <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" 3: ServerEnvironment="tomcat" BindingType="POST"> 4: <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL> 5: <ServiceURL>${sales-post.url::http://localhost:8080/sales-post/}</ServiceURL> 6: </PicketLinkSP> 7: <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1"> 8: <Handler 9: class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler“ /> 10: <Handler 11: class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" /> 12: <Handler 13: class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" /> 14: </Handlers> 15:</PicketLink>
  • 36. jboss-web.xml 1: <?xml version="1.0" encoding="UTF-8"?> 2: <jboss-web> 3: <security-domain>sp</security-domain> 4: <context-root>sales-post</context-root> 5: <valve> 6: <class- name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticat or</class-name> 7: </valve> 8: </jboss-web>
  • 37. standalone.xml 1: <security-domain name="idp" cache-type="default"> 2: <authentication> 3: <login-module code="UsersRoles" flag="required"> 4: <module-option name="usersProperties" value="users.properties"/> 5: <module-option name="rolesProperties" value="roles.properties"/> 6: </login-module> 7: </authentication> 8: </security-domain> 9: <security-domain name="picketlink-sts" cache-type="default"> 10: <authentication> 11: <login-module code="UsersRoles" flag="required"> 12: <module-option name="usersProperties" value="users.properties"/> 13: <module-option name="rolesProperties" value="roles.properties"/> 14: </login-module> 15: </authentication> 16: </security-domain> 17: <security-domain name="sp" cache-type="default"> 18: <authentication> 19: <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/> 20: </authentication> 21: </security-domain> 22: <security-domain name="xacml-test" cache-type="default"> 23: <authentication> 24: <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/> 25: </authentication> 26: <authorization> 27: <policy-module code="org.jboss.security.authorization.modules.XACMLAuthorizationModule" flag="required"/> 28: </authorization> 29: </security-domain>
  • 38. jboss-deployment-structure.xml 1: <jboss-deployment-structure> 2: <deployment> 3: <!-- Add picketlink module dependency --> 4: <dependencies> 5: <module name="org.picketlink" /> 6: </dependencies> 7: </deployment> 8:</jboss-deployment-structure>
  • 39. Web Application XACML Authorization Example Demonstration of the use of the PEP and PDP with the Web Application xacml-subjectrole Relevant wars • xacml-subjectrole.war
  • 40. jbossxacml-config.xml 1: <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0"> 2: <ns:Policies> 3: <ns:Policy> 4: <ns:Location>jboss-xacml-policy.xml</ns:Location> 5: </ns:Policy> 6: </ns:Policies> 7: <ns:Locators> 8: <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"/> 9: <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/> 10: </ns:Locators> 11: </ns:jbosspdp>
  • 41. jboss-web.xml 1: <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd"> 2: <jboss-web> 3: <security-domain>java:/jaas/xacml-test</security-domain> 4: </jboss-web>
  • 43. Contact Information Tony Stafford, SPAWAR ISSE tony.stafford@navy.mil Kenny Peeples, Red Hat Architect kpeeples@redhat.com