Securing Applications via Federated Identities (SAML, OAuth 2.0, OpenID)
Giriraj Sharma (~girirajsharma)
Single sign-on (SSO) started it all. Organizations needed a way to unify authentication systems in the enterprise for easier management and better security. Single sign-on was widely adopted and provided a solution for keeping one repository of usernames and passwords that could be used transparently across several internal applications.
The problem? How to bring together user login information across many applications and platforms to simplify sign-on and increase security. The solution? Federated identities.
What is federated identity?
Federated identity means linking and using the electronic identities a user has across several identity management systems. In simpler terms, an application does not need to obtain and store users' credentials in order to authenticate them. Instead, the application can rely on an identity management system that already holds the user's electronic identity, given, of course, that the application trusts that system. That trust is not a matter of configuration alone: in practice the application accepts a statement about the user only when it carries a valid signature from a provider the application has registered, is addressed to the application itself (the audience), and has not expired.
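The checks that make up "trusting the identity provider", as an added example that is not part of the original proposal and not code from PicketLink or Keycloak. It uses a compact JWS/JWT layout and an HMAC (shared-secret) signature to stay standard-library only; real SAML and OpenID Connect providers sign with RSA/EC keys published out of band, but the relying-party logic is the same. The issuer URLs, keys and audience are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust store: issuer URL -> key shared out of band with that identity provider.
# (A real provider publishes an RSA/EC public key; a shared HMAC key keeps this stdlib-only.)
TRUSTED_ISSUERS = {
    "https://idp.example.com": b"idp-secret-1",
    "https://partner-idp.example.org": b"partner-secret-2",
}
AUDIENCE = "https://app.example.net"  # the identifier this application registered with each IdP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer: str, key: bytes, subject: str, lifetime: int = 300, now=None) -> str:
    """Identity provider side: sign a set of claims about the user (JWT layout, HS256)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": issuer, "sub": subject, "aud": AUDIENCE,
                                 "iat": now, "exp": now + lifetime}).encode())
    signature = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(signature)}"


def verify_assertion(token: str, now=None) -> dict:
    """Application side: accept the user only if the assertion comes from a trusted issuer,
    carries a valid signature, is addressed to this application and has not expired."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed assertion")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The verifier, not the token, decides the algorithm (defeats the "alg": "none" trick).
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(claims_b64))
    key = TRUSTED_ISSUERS.get(claims.get("iss"))  # unverified claims only select which key to try
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("assertion issued for a different application")
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("assertion expired")
    return claims
```

The order matters: the issuer claim is read before the signature is checked only to pick the key, and nothing in the claims is acted on until the signature, audience and expiry have all passed. An assertion from a provider that is not in the trust store is rejected even if it is perfectly well formed, which is exactly what "the application trusts that identity management system" means in code.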
- SAML: Security Assertion Markup Language (SAML) is a product of the OASIS Security Services Technical Committee. Work on it began in 2001 (SAML 1.0 was ratified in 2002 and SAML 2.0, the version in use today, in 2005). SAML is an XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider, carried in digitally signed assertions.
- OAuth: OAuth 2.0 is the next evolution of the OAuth protocol, which was originally created in late 2006. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. The specification was developed within the IETF OAuth WG, drew on the OAuth WRAP proposal, and was published as RFC 6749 (http://tools.ietf.org/html/rfc6749). Note that OAuth 2.0 is an authorization framework, not an authentication protocol: an access token proves that a client was granted access to a resource, not who the user is, so treating a bare access token as proof of login is a well-known misuse. The talk will be mainly focused on OAuth.
- OpenID: OpenID is an open standard maintained by the OpenID Foundation, whose sponsors include Facebook, Microsoft, Google, PayPal, Ping Identity, Symantec, and Yahoo. OpenID allows a user to be authenticated by third-party services called identity providers; users can choose their preferred OpenID provider to log in to websites that accept the OpenID authentication scheme. Its current form, OpenID Connect (2014), is an identity layer built on OAuth 2.0 that adds a signed ID Token carrying the authentication result, and it is the form that servers such as Keycloak implement.

The talk will cover SAML and OpenID briefly and focus on OAuth 2.0 workflows in great detail. It will also cover how the most popular open source federation solutions, such as JBoss PicketLink and Keycloak, support federated identities. The session is divided into segments and can therefore be adjusted from 40 minutes (talk) to 80 minutes (talk + PicketLink/Keycloak). I would very much prefer a slot of 80 minutes, but it can be adjusted as per constraints.
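The OAuth 2.0 authorization code grant (RFC 6749 section 4.1) with both sides' messages, as an added example that is not part of the original proposal and not code from PicketLink or Keycloak. It simulates the authorization server and a confidential client in one process (no HTTP), so the checks that make the flow safe are visible: exact redirect_uri matching, the state parameter binding the callback to the client's own request, client authentication at the token endpoint, single-use codes bound to the client and redirect_uri, and revocation when a code is replayed. The client name, secret, URLs and user are constructed for the example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration (a confidential client, so it holds a secret). A real server
# keeps this in a database; the set of registered redirect URIs is the security-critical part.
CLIENTS = {
    "photo-app": {
        "secret": "s3cret-from-registration",
        "redirect_uris": {"https://photo-app.example.net/callback"},
    },
}
CODE_LIFETIME = 60  # seconds; RFC 6749 4.1.2 recommends a maximum of 10 minutes


class AuthorizationServer:
    def __init__(self):
        self._codes = {}     # code -> (client_id, redirect_uri, user, issued_at)
        self._redeemed = {}  # code -> access token it was exchanged for
        self._tokens = {}    # access token -> (client_id, user)

    def authorize(self, client_id, redirect_uri, state, user, now=None):
        """Authorization endpoint, reached after the resource owner has logged in and consented."""
        client = CLIENTS.get(client_id)
        # Exact match against the registered URIs: anything looser lets an attacker have the
        # code delivered to a location they control.
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, user, time.time() if now is None else now)
        # state is echoed back untouched so the client can bind the response to its own request
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Token endpoint: the client authenticates and swaps the code for an access token."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            # RFC 6749 4.1.2: a code presented twice indicates theft; deny, and revoke what the
            # first redemption produced so a stolen-then-replayed code yields nothing.
            self._tokens.pop(self._redeemed.pop(code, None), None)
            return {"error": "invalid_grant"}
        bound_client, bound_redirect, user, issued_at = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            return {"error": "invalid_grant"}  # code was issued to another client/redirect_uri
        if (time.time() if now is None else now) - issued_at > CODE_LIFETIME:
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (client_id, user)
        self._redeemed[code] = token
        return {"access_token": token, "token_type": "bearer", "expires_in": 3600}

    def introspect(self, token):
        """Resource server helper: whom does this token speak for, if it is still live?"""
        return self._tokens.get(token)


class Client:
    def __init__(self, server, client_id, secret, redirect_uri):
        self.server, self.client_id, self.secret, self.redirect_uri = server, client_id, secret, redirect_uri
        self._pending = {}  # state -> True; one entry per login attempt, kept in the user's session

    def start_login(self):
        """Build the authorization request URL the browser is sent to."""
        state = secrets.token_urlsafe(16)
        self._pending[state] = True
        return "https://as.example.com/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def handle_callback(self, callback_url):
        """Redirect target: verify state first, then exchange the code on the back channel."""
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        if state is None or self._pending.pop(state, None) is None:
            raise ValueError("state mismatch: possible CSRF or injected code")
        code = params.get("code", [None])[0]
        return self.server.token(self.client_id, self.secret, code, self.redirect_uri)


def demo():
    """One honest login followed by three things an attacker might try; returns the outcomes."""
    srv = AuthorizationServer()
    client = Client(srv, "photo-app", CLIENTS["photo-app"]["secret"], "https://photo-app.example.net/callback")
    state = parse_qs(urlparse(client.start_login()).query)["state"][0]
    callback = srv.authorize("photo-app", client.redirect_uri, state, "alice")  # user logged in at the AS
    grant = client.handle_callback(callback)
    code = parse_qs(urlparse(callback).query)["code"][0]
    replay = srv.token("photo-app", client.secret, code, client.redirect_uri)  # same code, second time
    try:
        srv.authorize("photo-app", "https://evil.example/callback", state, "alice")
        open_redirect = "allowed"
    except ValueError:
        open_redirect = "rejected"
    try:
        client.handle_callback(client.redirect_uri + "?code=stolen&state=forged")
        csrf = "allowed"
    except ValueError:
        csrf = "rejected"
    return {"grant": grant, "replay": replay, "open_redirect": open_redirect, "csrf": csrf,
            "token_still_valid": srv.introspect(grant["access_token"]) is not None}
```

Running demo() gives a successful grant for the honest exchange, invalid_grant for the replayed code (and the original token is gone afterwards), and rejections for both the unregistered redirect_uri and the callback whose state the client never issued. The state check is the client's only defence against an attacker logging the victim into the attacker's account by feeding the victim's browser a code from the attacker's own session.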
I am Giriraj Sharma, a final-year undergraduate student from National Institute of Technology (NIT), Hamirpur, Himachal Pradesh, India, pursuing my Bachelor of Technology (B.Tech) in Computer Science and Engineering and graduating in May 2015.
I am a student enthusiastic about competitive programming and building source code for free software applications (FOSS) that shall be committed, documented and released for the benefit of all. I have been actively contributing since Jan 2014 to various open source projects under Red Hat JBoss Middleware (JBoss Developer Framework) as a Google Summer of Code Student Developer, specifically in the Apache-licensed open source security domain middlewares PicketLink and KeyCloak. I worked on the Public Key Infrastructure API and JOSE implementations (JWA, JWK, JWS, JWE and JWT) and implemented them for JBoss PicketLink (GSoC 2014, JBoss Community). I have also been contributing to JBoss SSO SaaS KeyCloak since Jan 2015 as a part of GSoC 2015.