18 Replies, latest reply on Sep 30, 2007 10:29 AM by ws_dev2001

    Design of an Identity Management Framework for JBoss

    anil.saldhana

      I have seen a few proposals/articles on bridging SAML and J2EE and see that a majority of them are delving into the implementation details, i.e. to use JAAS/JACC to achieve SAML in J2EE (or JBoss).

      Clearly many of the writers behind the proposals have gotten excited about JAAS and JACC.

      At JBoss, IMHO if we are to build an Identity Management platform, we certainly will make use of JBossSX framework (read JAAS/JACC framework). But that is just an implementation detail.

      As far as I understand, SAML is a technology that is tied with webservices and security. It can provide SSO. The specification is not about implementation. It just provides guidelines on how the SSO framework should exist and the xml that goes back and forth between the provider/client/consumer etc.

      A generic Identity Management framework for JBoss should look outside SSO and JAAS and look at issues like Nonrepudiation, regulations compliance etc. SSO is just one piece of it.

      Certainly the contributing factors to this IDM framework will be the Web Services, Security, Clustering, Messaging and the Persistence layers. What else?? Some of the key pieces to achieving SAML at JBoss are being provided by the Web Services layer (with WS-Security, XML Schema Handling etc).

      If there are any generic proposals to achieving this Identity Management Framework, which I outlined above, I would be interested to read and learn. But I certainly would not enjoy writings that go deep into implementation. ;)

      Please do not forget that the clustering layer and the persistence layer are just as important as the security layer.


        • 1. Re: Design of an Identity Management Framework for JBoss
          tuisku

          Hi,

          I represent a group of Grid computing researchers. I'm probably not in the mainstream with my ideas, but here it goes ...

          We would like to see a modular design that can be extended towards both Shibboleth and Liberty Alliance style use cases. I believe there has been a lot of convergence between these two in the SAML2 specs, but things like Identity federation (linking two accounts together) are missing from Shibboleth AFAIK.

          There are a number of projects like GridShib, NetGate, EGEE that try to tie Grid SSO together with Web SSO using SAML. Taking into account the possible integration points is important for us:

          Federated User credential could be in the form of a new PKIX Proxy Cert used in Globus style Grid services, that Services will request from the User

          Trusted Third Party attributes could be in the form of Attribute Certificates attached to the Proxy Cert that services will use in the Virtual Organization based RBAC.

          The combined requirement that comes from these two is that no matter what persistence layer is used in the SAML2 Server, for us it would be important to be able to synchronize the credential and attribute information between different forms: say SAML and PKI. Production Grid services will be supporting both mechanisms for quite a long time, not only SAML.

          The non-repudiation requirement in our mind will get a legal binding when Digital Signatures are used for AA. In Finland such a law has already been enforced. In that sense the SAML2 server should support Smart Card or Mobile Signature Service (MSS) (Wireless Identity Module embedded into Mobile Phone SIM) authentication methods. Latest Nokia phones (Series 80) even support the corresponding Liberty Protocols (Nokia Web Services Framework) natively.

          Cheers,

          Miika

          HIP@CERN

          • 2. Re: Design of an Identity Management Framework for JBoss
            starksm64

            Do you have any more technical details/prototypes of the use cases you are talking about here?

            • 3. Re: Design of an Identity Management Framework for JBoss
              tuisku

              https://wiki.hip.fi/twiki/pub/Miika/WebHome/GridLib.jpg

              We have a prototype of the following (pic above) Liberty-style
              Use Case. Its purpose is to bridge SAML enabled
              Web Services and Grid services, that do not currently
              overlap. However, SAML-callouts are being integrated
              into Grid service Auth & Autz components in projects like
              GridShib/Globus Toolkit 4 from the beginning of the year.

              SSO with Grid enabled IDP
              -------------------------------
              IDP = Identity Provider
              SP = Service provider
              Auth = Authentication
              Autz = Authorization

              1) Client contacts SP, SP requests User to Auth
              2) Re-direct to IDP, User Auth to IDP, Liberty SSO
              3) Re-direct to SP, IDP Asserts User to SP with Liberty ID-FF
              4) Service request
              5) SP initiated Grid credential delegation from IDP
              6) Auth with Grid credential, service request

              Use case assumes that ...
              a) Varying levels of Client Auth possible, services impose
              the criteria on Auth level.
              b) Client does not need to know about Grid Auth,
              yet user restricts SP access to delegated Grid credential
              c) IDP functions also as a facade to Online Credential
              Repository (OCR) for User Grid credentials
              d) Grid services do not need to be SAML compliant
              e) SP (eg. Portal) acts as a SAML-proxy & Delegation client
              f) Delegation embedded as Liberty ID-FF protocol extension

              /Miika

              HIP@CERN

              Related reading:

              GridShib
              http://gridshib.globus.org/documents.html

              EGEE Security Architecture DJRA3
              http://egee-jra3.web.cern.ch/egee-jra3/index.html

              EGEE Glite delegation
              https://edms.cern.ch/file/508598/1/EGEE-JRA3-TEC-508598-DlgJAPI-v0-1.pdf

              • 4. Re: Design of an Identity Management Framework for JBoss
                anil.saldhana

                The IDP can be generalized to an Identity Management Service running in a JBoss cluster.

                Looking at the image, I do not understand how the IDP is supposed to be grid enabled. All I see is that it uses the SP, which is a facade to the grid. This is a standard use case for SSO/Liberty.

                I know that Globus uses Web Services. Are they based on Axis?

                • 5. Re: Design of an Identity Management Framework for JBoss
                  tuisku

                  Globus Toolkit 4 (GT4), which is the latest, uses Web Services Resource Framework (WSRF), Globus Toolkit 3 (GT3) uses Open Grid Service Infrastructure (OGSI). Both of them are WS based on Axis. Toolkits before GT3 are pre-WS. Time will tell whether GT4 style WS interfaces will stabilize. eScience Grid projects at CERN are not betting on them yet.

                  "Grid enabled IDP" may be confusing. For me it means support for pre-WS Globus toolkits and Transport level Grid Security Infrastructure (GSI).
                  (http://www.globus.org/toolkit/docs/4.0/security/GT4-GSI-Overview.pdf)
                  Ideally the IDP provides the functionality of myProxy/GridLogon server
                  (http://grid.ncsa.uiuc.edu/myproxy/) as well.

                  Cheers,

                  Miika

                  HIP@CERN

                  • 6. Re: Design of an Identity Management Framework for JBoss
                    anil.saldhana

                    Task 1: Wafer thin library org.jboss.security.saml that is based on opensaml that can create saml requests/responses and auth stuff for username/password only.

                    Task 2: A web application that can act as an identity provider and can take in a query string of "?TARGET=url_of_service_provider&PARTNER=partnerid". This is the http/get. In this case, the web app shows a login screen, takes in the user credentials and then does custom auth and redirects back to the url provided in the TARGET with a SAMLResponse in the url..... (Web app will use the library created in task 1). The web app can check if the partnerid passed is a valid partner.

                    Second Phase:
                    Now the web app can take in a saml authentication request in the post data and do redirection back after authentication.....


                    Remember the service provider will use the library in task 1 to generate a saml request......

                    • 7. Re: Design of an Identity Management Framework for JBoss
                      anil.saldhana

                      There is a DOM2 utility for creating elements, obtaining child elements etc in the common package.

                      package org.jboss.util.xml;
                      public final class DOMUtils
                      


                      Use this for xml handling for saml requests/response etc...

                      • 8. Re: Design of an Identity Management Framework for JBoss
                        soshah

                        Here is my first cut at the SAML based library for SSO authentication

                        Please provide feedback on the SingleSignOn interface that can be used by clients of this library to produce SAML requests/response related to username and password based authentication

                        /*****************************************
                         *                                       *
                         *  Distributable under LGPL license.    *
                         *  See terms of license at gnu.org.     *
                         *                                       *
                         *****************************************/
                        package org.jboss.security.saml;

                        /**
                         * @author Sohil Shah - sohil.shah@jboss.com
                         *
                         */
                        public interface SingleSignOn
                        {
                            /**
                             * This method generates a SAML authentication request based on the supplied username and password
                             *
                             * @param username
                             * @param password
                             * @return the serialized SAML authentication request
                             * @throws SSOException
                             */
                            public String generateAuthRequest(String username, String password)
                                throws SSOException;

                            /**
                             * This method parses a SAML authentication request into a SSOUser domain object
                             *
                             * @param request
                             * @return the SSOUser carried by the request
                             * @throws SSOException
                             */
                            public SSOUser parseAuthRequest(String request) throws SSOException;

                            /**
                             * This method generates a SAML authentication response based on the supplied username, password, and the
                             * status of the authentication process
                             *
                             * @param username
                             * @param password
                             * @param success
                             * @return the serialized SAML authentication response
                             * @throws SSOException
                             */
                            public String generateAuthResponse(String username, String password, boolean success)
                                throws SSOException;

                            /**
                             * This method parses a SAML authentication response and produces an AuthResponse domain object
                             *
                             * @param response
                             * @return the AuthResponse carried by the response
                             * @throws SSOException
                             */
                            public AuthResponse parseAuthResponse(String response)
                                throws SSOException;
                        }
                        


                        As an implementation of this interface the library provides JBossSingleSignOn which leverages the OpenSAML version 1.1 behind the scenes.

                        • 9. Re: Design of an Identity Management Framework for JBoss
                          anil.saldhana

                          so far so good.

                          • 10. Re: Design of an Identity Management Framework for JBoss
                            anil.saldhana
                            • 11. Re: Design of an Identity Management Framework for JBoss
                              anil.saldhana

                              Sohil, let's expand on the two use cases we discussed earlier wrt Identity.

                              UseCase 1: Centralized IDP Authentication in a domain.

                              Details: All authentication is done at a central idp in a particular domain. The IDP sets a domain cookie for use within the domain. Any access outside the domain will need federation by the IDP/federation server entity.



                              Use Case 2: Local SP Authentication with federation by IDP.

                              Details: An SP can do its own authentication. Now if access is needed to another webapp in the same domain, it will be provided (the second webapp will do its processing using the domain cookie). If access is needed to a resource outside the domain, federation is done either by the IDP or a separate Federation Server entity operating in the domain.


                              Please edit this post to add in your details.

                              • 12. Re: Design of an Identity Management Framework for JBoss
                                soshah

                                A couple of questions about the Centralized IDP functionality.


                                1) Does this IDP functionality perform the same authentication for all the partners that connect to it, or does the authentication logic need to be pluggable (at runtime) depending on the partner request?

                                The second one seems more flexible. I was thinking maybe there should be a way to plug in a custom authenticator based on the partner if one is found. If not, use the default authenticator.


                                btw- the authenticator actually uses the Identity Management classes for authentication and the wafer thin SAML library to generate responses.
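The following is an added example, not code from this thread or from the JBoss project, that sketches the IDP web app from Task 2 (the "?TARGET=...&PARTNER=..." GET, login, redirect back with a SAMLResponse) together with the per-partner pluggable authenticator with default fallback proposed in the post above. Every name in it (IdpLoginHandler, Partner, Authenticator, the registry) is hypothetical, and the SAMLResponse body is a placeholder string standing in for what the OpenSAML-based library would produce. The point it demonstrates is the check the web app needs before redirecting: the PARTNER id must resolve to a registered partner, and TARGET must sit under that partner's registered endpoint, otherwise the IDP becomes an open redirector that hands a SAMLResponse to any host an attacker names.

```java
// Added example (not JBoss project code). Hypothetical IDP login handler:
// validates PARTNER and TARGET, picks a per-partner or default authenticator,
// and builds the redirect URL carrying a placeholder SAMLResponse.
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class IdpLoginHandler {

    /** Pluggable authentication step: one per partner if registered, else the default. */
    public interface Authenticator {
        boolean authenticate(String username, String password);
    }

    /** What the IDP knows about a registered partner (service provider). */
    public static final class Partner {
        final String id;
        final URI consumerBase;             // registered endpoint; TARGET must live under it
        final Authenticator authenticator;  // null means "use the default authenticator"

        public Partner(String id, URI consumerBase, Authenticator authenticator) {
            this.id = id;
            this.consumerBase = consumerBase;
            this.authenticator = authenticator;
        }
    }

    private final Map<String, Partner> partners = new HashMap<>();
    private final Authenticator defaultAuthenticator;

    public IdpLoginHandler(Authenticator defaultAuthenticator) {
        this.defaultAuthenticator = defaultAuthenticator;
    }

    public void register(Partner p) { partners.put(p.id, p); }

    /** Parses the raw query string of the HTTP GET ("TARGET=...&PARTNER=...") into a map. */
    static Map<String, String> parseQuery(String query) {
        Map<String, String> out = new HashMap<>();
        if (query == null) return out;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            String k = URLDecoder.decode(pair.substring(0, eq), StandardCharsets.UTF_8);
            String v = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            out.put(k, v);
        }
        return out;
    }

    /** TARGET is accepted only if it is absolute and has the same scheme, host and
     *  port as the partner's registered endpoint and a path under it. */
    static boolean targetAllowed(Partner p, String target) {
        try {
            URI t = new URI(target);
            if (!t.isAbsolute() || t.getHost() == null) return false;
            URI b = p.consumerBase;
            return b.getScheme().equalsIgnoreCase(t.getScheme())
                && b.getHost().equalsIgnoreCase(t.getHost())
                && b.getPort() == t.getPort()
                && t.getPath() != null && t.getPath().startsWith(b.getPath());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Handles the login form submission that follows the initial GET. Returns the
     *  redirect URL (TARGET plus a SAMLResponse parameter), or null if the request is
     *  rejected. The response body is a placeholder, not a real SAML document. */
    public String login(String query, String username, String password) {
        Map<String, String> q = parseQuery(query);
        Partner p = partners.get(q.get("PARTNER"));
        if (p == null) return null;                                   // unknown partner
        String target = q.get("TARGET");
        if (target == null || !targetAllowed(p, target)) return null; // refuse open redirect
        Authenticator a = p.authenticator != null ? p.authenticator : defaultAuthenticator;
        boolean ok = a.authenticate(username, password);
        String placeholderResponse = "<Response partner=\"" + p.id + "\" subject=\""
            + username + "\" success=\"" + ok + "\"/>";
        String encoded = Base64.getEncoder()
            .encodeToString(placeholderResponse.getBytes(StandardCharsets.UTF_8));
        String sep = target.contains("?") ? "&" : "?";
        return target + sep + "SAMLResponse=" + URLEncoder.encode(encoded, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample registry: "portal" uses the default authenticator,
        // "grid" plugs in its own.
        IdpLoginHandler idp = new IdpLoginHandler((u, pw) -> "bob".equals(u) && "secret".equals(pw));
        idp.register(new Partner("portal", URI.create("https://portal.example.org/sso/"), null));
        idp.register(new Partner("grid", URI.create("https://grid.example.org/saml/"),
            (u, pw) -> u.endsWith("@grid.example.org") && "gridpw".equals(pw)));

        // Accepted: registered partner, TARGET under its endpoint.
        System.out.println(idp.login("TARGET=https://portal.example.org/sso/consume&PARTNER=portal", "bob", "secret"));
        // Rejected (null): unknown partner id.
        System.out.println(idp.login("TARGET=https://portal.example.org/sso/consume&PARTNER=nobody", "bob", "secret"));
        // Rejected (null): TARGET on a host the partner never registered.
        System.out.println(idp.login("TARGET=https://elsewhere.example/consume&PARTNER=portal", "bob", "secret"));
    }
}
```

A failed login still produces a redirect here, with success="false" in the placeholder, mirroring the generateAuthResponse(username, password, success) shape of the SingleSignOn interface posted earlier; what the real library must add is signing of the response, since an unsigned SAMLResponse in a URL can be fabricated by anyone who knows the format.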

                                • 13. Re: Design of an Identity Management Framework for JBoss
                                  lajoie

                                  SAML 2.0 allows for the functionality that you're talking about. SPs can request specific authentication contexts (metadata about authentication methods). The Shibboleth 2.0 IdP and SP will support this functionality as well.

                                  • 14. Re: Design of an Identity Management Framework for JBoss
                                    anil.saldhana