SLIDE 1

Security As A Service Leveraged by Apache Projects

Oliver Wulff, Talend

SLIDE 2

Application Security Landscape

11/19/14 2

SLIDE 3

Solution Building blocks

  • Apache CXF Fediz
    • Single Sign On (WS-Federation)
    • Attribute Based Access Control (SAML AttributeStatement)
    • Identity Provider and Application Server Plugin
  • Apache Syncope
    • IAM (User management, Attribute Management, Provisioning)
    • LDAP Connector
  • Apache DS
    • LDAP Server
  • PostgreSQL
    • Database for Syncope and Fediz IDP

SLIDE 4

Solution Building blocks

Demo

Federation/SSO with Apache Tomcat Application

SLIDE 5

Solution Building blocks

Apache CXF Fediz

SLIDE 6

Apache CXF Fediz

  • Sub-project of the Apache CXF project
  • Work started in mid-2011
  • Community growing
  • First release in June 2012
  • Current release 1.1.2
  • Finishing work for 1.2

SLIDE 7

OASIS WS-Federation 1.2

  • OASIS Standard 2009
  • Security Token agnostic (SAML 1.1/2.0, …)
  • Extends OASIS WS-Trust
  • Browser and Web Services SSO
  • PRP adapts Browsers to WS-Trust
  • No connectivity between Application and IDP required (Cloud)
  • Claims/Attribute Based Access Control
  • Supports several Authentication domains

SLIDE 8

WS-Federation

[Diagram: WS-Federation overview. Participants: Browser on the User Machine; Relying Party (RP) consisting of Servlet Container, Web Application and Fediz Plugin; Identity Provider (IDP) realised by the Fediz IDP; Security Token Service (STS) realised by the Fediz STS. Protocols: WS-Federation over HTTPS between Browser, RP and IDP; WS-Trust between IDP and STS. Steps: Access Web Application, Redirect to IDP, Authentication, Token.]

Security Tokens issued by STS

SLIDE 9

Fediz Plugin

  • WS-Federation 1.0/1.1/1.2
  • SAML 1.1 / 2.0 Tokens
  • SAML-P support
  • IDP trust types: Chain Trust, Direct Trust
  • Core Logic Container independent
  • Supports Tomcat, Jetty, Karaf, Websphere and Spring Security
  • WS-Federation Metadata
  • Claims provided in FederationPrincipal

SLIDE 10

Fediz IDP/STS

  • Authentication: Username/password, Kerberos, X509
  • Spring Security (REST, Login)
  • Spring Web Flow
  • User Store:
    • File store (Mock testing)
    • LDAPLoginModule
    • Custom JAAS Login Module or custom WSS4J Validator
  • Claims/Role store:
    • LdapClaimsHandler
    • FileClaimsHandler (Mock testing)
  • SAML Token creation customizable

SLIDE 11

New Features in Fediz 1.1

  • Fediz IDP refactored and leverages Spring Webflow
  • WS-Federation support for RP-IDP
  • HomeRealm Discovery
  • Kerberos support
  • Support for encrypted SAML tokens
  • SAML Holder-Of-Key
  • New Containers supported: Karaf, Jetty, Spring Security and IBM Websphere
  • Claim Mapping support with Apache Commons JEXL

SLIDE 12

Fediz IDP Relying Party Home Realm Discovery

[Sequence diagram; flattened labels reconstructed. Participants: Browser, Relying Party, IDP RPIDP, IDP adatam.com.]

  • The Relying Party redirects the browser to RPIDP with wtrealm='MyApplication' and an optional whr.
  • RPIDP performs HomeRealm Discovery and redirects the browser to IDP adatam.com with wtrealm='RPIDP'.
  • IDP adatam.com issues a Username/Password Challenge and answers with a SignInResponse carrying the 'RP-IDP Token'.
  • RPIDP applies Claim Mapping and answers with a SignInResponse carrying the 'MyApplication Token' to the Relying Party.
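The home-realm discovery and claim-mapping steps of this slide, modelled in Python as an added example (this is not Fediz code). The realm names wtrealm='MyApplication' and 'RPIDP' and the whr hint come from the slide; the trusted-IDP URL, the claim names in the mapping and the dict-shaped tokens that stand in for SAML tokens are constructed.

```python
"""Home-realm discovery and claim mapping at a Fediz-style RP-IDP (slide 12).

Added example, not Fediz code. Realm names and the whr hint follow the slide;
the trusted-IDP URL, the claim names and the dict-shaped tokens are constructed
stand-ins for the SAML tokens the Fediz STS would issue.
"""
from urllib.parse import parse_qs, urlencode, urlparse

APP_REALM = "MyApplication"   # relying party's realm (slide 12)
RPIDP_REALM = "RPIDP"         # realm of the local Fediz IDP acting as RP-IDP (slide 12)
# Trusted home realms and their IDP endpoints (constructed).
TRUSTED_IDPS = {"adatam.com": "https://idp.adatam.com/federation"}
# Claim mapping: claim name issued by the trusted IDP -> claim name the application expects (constructed).
CLAIM_MAPPING = {"mail": "email", "uid": "username", "memberOf": "role"}


def signin_request(idp_url, wtrealm, whr=None):
    """Build the WS-Federation sign-in redirect (wa=wsignin1.0) the Fediz plugin sends the browser to."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm}
    if whr:
        params["whr"] = whr   # optional home-realm hint
    return idp_url + "?" + urlencode(params)


def home_realm_discovery(redirect_url):
    """RP-IDP side: challenge locally, or redirect to the user's trusted home IDP."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if q.get("wa") != "wsignin1.0" or q.get("wtrealm") != APP_REALM:
        raise ValueError("unsupported sign-in request")
    whr = q.get("whr")
    if whr is None:
        return ("challenge", None)   # Username/Password Challenge at this IDP
    if whr not in TRUSTED_IDPS:
        raise ValueError("whr is not a trusted IDP")   # never redirect to an arbitrary realm
    # The token is requested for the RP-IDP realm, not for the application:
    # the trusted IDP only ever knows RPIDP as its relying party.
    return ("redirect", signin_request(TRUSTED_IDPS[whr], RPIDP_REALM))


def map_claims(rpidp_token):
    """RP-IDP side: turn the 'RP-IDP Token' into the 'MyApplication Token' via claim mapping."""
    if rpidp_token["audience"] != RPIDP_REALM or rpidp_token["issuer"] not in TRUSTED_IDPS:
        raise ValueError("token was not issued to this RP-IDP by a trusted IDP")
    # Unmapped claims are dropped so the application only sees the claims configured for it.
    claims = {CLAIM_MAPPING[k]: v for k, v in rpidp_token["claims"].items() if k in CLAIM_MAPPING}
    return {"issuer": RPIDP_REALM, "audience": APP_REALM, "claims": claims}
```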

SLIDE 13

Fediz Roadmap

  • Security Protocol pluggable in IDP (1.2): WS-Federation, SAML-P, OAuth2, ...
  • IDP REST Interface (1.2)
    • Configure Claims, IDPs, Applications, Trusted IDPs
    • Fine grained security control
  • SAML-P support in Fediz plugin (1.2)
  • Fediz CXF Plugin (Security Protocols supported for JAX-RS)
    • OAuth 2
  • Launch Fediz IDP from Maven build (1.2)
  • Single Logout (1.2)

SLIDE 14

REST Interface (1/3)

Resources

  • Idp
    • /idps
  • Claim
    • /claims
    • Many-to-many (requestedClaims, offeredClaims)
    • Attribute on Relation
  • Application
    • /applications
    • many-to-many
  • TrustedIdp
    • /trustedIdps
    • many-to-many

SLIDE 15

REST Interface (2/3)

  • Many-to-Many Relationship

    /applications                               POST | GET
    /applications/{realm}                       GET | PUT | DELETE
    /applications/{realm}/claims                POST
    /applications/{realm}/claims/{claimType}    DELETE

  • HTTP Error Codes (besides 200)
    • NoContent (204)
    • Error (500)
    • Created (201)
    • NotFound (404)
  • Content Type
    • XML
    • JSON

SLIDE 16

REST Interface (3/3)

  • HTTP Headers
    • Location (newly created resources)
    • X-Application-Error-Code, X-Application-Error-Info
  • Query parameters (start, size, expand)
  • Hypermedia support? (href Attribute, link Element)
  • Security
    • Roles
    • Entitlements (CLAIM_LIST, CLAIM_CREATE, …, ROLE_CREATE, ...)

SLIDE 17

Solution Building blocks

Demo

  • Configure application using Fediz
  • Configure application in Fediz IDP (REST)
  • Federation/SSO with Apache Tomcat Application

SLIDE 18

Solution Building blocks

Apache Syncope

SLIDE 19

Identity Access Management

  • Who has/had access to What, When, How, and Why?

SLIDE 20

Identity & Access Management

  • IAM is concerned with managing user data on systems and applications during the entire life cycle
  • Involves user attributes, roles, resources, entitlements, etc.
  • Provisioning / Reconciliation
    • Synchronize user (account) data across identity stores and a broad range of data sources, formats, meanings and purposes
    • Read user data from source systems
    • Write user data to target systems
  • Reporting / Auditing
  • Policy Enforcement (Segregation of Duty)

SLIDE 21

IAM Product Architecture

SLIDE 22

Apache Syncope Architecture (1/2)

SLIDE 23

Apache Syncope Architecture (2/2)

  • Different Connector support (ConnId project)
  • Workflow customizable (based on Activiti)
  • User Schema definition
  • Propagation/Synchronization
  • Business Intelligence (Audit, Report)
  • REST API

SLIDE 24

Apache Syncope - Schemas

  • Apply to Users and Roles
  • Normal Attributes
    • Stored in Syncope DB
    • Propagated and synchronized when selected
  • Derived Attributes
    • Combination of Attributes
    • JEXL Expression Language
  • Virtual Attributes
    • Not stored in Syncope DB
    • Lookup from remote resource

Derived attribute example: FirstName = John, LastName = Black, FullName = FirstName + LastName, giving FullName = John Black

SLIDE 25

Apache Syncope – Attribute Mapping

SLIDE 26

Apache Syncope - Workflow

SLIDE 27

Solution Building blocks

Demo

  • IAM with Syncope
  • Federation/SSO with Apache Tomcat Application

SLIDE 28

More information

  • Talend: www.talend.com
  • Apache Projects
    • Fediz: http://cxf.apache.org/fediz.html
    • Syncope: http://syncope.apache.org/
  • Blogs
    • http://coheigea.blogspot.com
    • http://www.dankulp.com/blog/
    • http://sberyozkin.blogspot.com
    • http://owulff.blogspot.com

SLIDE 29

Thank You