This document discusses web identity management and single sign-on solutions. It begins by outlining problems with existing identity systems, such as having too many usernames and passwords. It then describes what users and administrators want, including a single identity that can be used across sites. Existing enterprise identity solutions are discussed, as well as open standards like SAML, OpenID, and OAuth. OpenID allows users to authenticate using an existing identity, while OAuth allows applications to access user resources like data. Case studies demonstrate how OpenID and OAuth can be used by sites like Google, Facebook, and others to provide single sign-on. The document concludes by discussing key differences between OpenID and OAuth.
6. What Enterprises have
There are a lot of solutions dealing with these problems for enterprises:
Novell
Microsoft
IBM
Oracle
Sun Microsystems (acquired by Oracle)
Other ISVs
7. Portal w/ SSO & Identity Integration
Source: Novell Inc.
[Architecture diagram: a Portal fronted by Novell Access Manager protecting a Web Server, Mail Server and FTP Server; Novell Identity Manager synchronizing eDirectory with MS AD, Sun iDS, Oracle DB and NIS through AD, LDAP, JDBC and NIS drivers; user populations shown are Customers, Partners and Employees, logging in with account "anderson" and a masked password.]
8. Unified Management of Identity
Single Sign On, Central Management, Identity Integration
Source: Novell Inc.
9. Cover complete Identity Lifecycle
[Lifecycle diagram: the events Promote, Relocate, New Project, Forgot Password and Password Expired map onto Provision / De-provision (Account Management, IDM), Resource Access Control (AM) and Password Management.]
Source: Novell Inc.
10. What Open Web has
SAML (2002~) & OpenID (2005~)
http://connectid.blogspot.com/2006/11/we-need-iiw-in-panama.html
11. What Open Web has
Open Stack (OpenID & more)
• Unencumbered, Cross-Platform Standards
• Open Source / Free Software Implementations
• No Single-Vendor “Lock-In”
• Distributed Extensibility
http://developer.mozilla.org/presentations/sxsw2007/the_open_web/
12. Why sites accept external identities?
Enhance user engagement
Leverage social impressions
or
The “outside” identity belongs to the same real person, who has a relationship with the “inside” identity
15. What’s OpenID
Single sign-on for the web
Simple and light-weight: not going to replace your bank card PIN
Easy to use and deploy
Built upon proven existing technologies: DNS, HTTP, SSL/TLS, Diffie-Hellman
Decentralized: no single point of failure in the protocol
User-Centric (not Site-Centric)
Free!
16. An OpenID is a URI
URLs are globally unique and ubiquitous
OpenID allows proving ownership of a URI
People already have identity at URLs via blogs, photos, MySpace, FaceBook, DAUM, etc.
19. How it works?
1. Site fetches the HTML of my OpenID
2. Finds "openid.server"
3. Establishes a shared secret with the Provider
4. Redirects my browser to the Provider where I authenticate and allow the OpenID login
5. Provider redirects my browser back to the site with an OpenID response
6. Site verifies the signature and logs me in
47. Google Account as OpenID
Everyone can paste https://www.google.com/accounts/o8/id and log in with it as your OpenID
It will be discovered by the RP as a server endpoint, triggering an id_select login process
You will be issued an OpenID such as https://www.google.com/accounts/o8/id?id=AItOwk...nqJOSI
from: http://www.slideshare.net/timdream/google-apps-account-as-openid
50. “id_select” process?
New* in OpenID 2.0, which was introduced back in 2007
Indicates that the user wishes to use a specific OpenID IdP, but does not know/say his own OpenID
Therefore the “id_select” login process asks the OpenID IdP to select an ID for the user.
The other login process is the “signon” process
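The six steps of slide 19 and the id_select variant described on this slide, carried through end to end as an added Python example (not code from the original deck): the RP builds the checkid_setup redirect with the identifier_select URL, the OP picks the user's identifier and signs the response with the association's MAC key, and the RP verifies the response before logging anyone in. The endpoints, the user identifier and the nonce timestamp are constructed; discovery (steps 1 and 2) is assumed done, and the association is generated directly rather than derived from the Diffie-Hellman exchange of step 3.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed endpoints for the walk-through; they are not real sites.
OP_ENDPOINT = "https://op.example.net/openid"       # what step 2 discovery found
RP_RETURN_TO = "https://rp.example.org/openid/return"
RP_REALM = "https://rp.example.org/"


class Association:
    """Step 3: the RP/OP shared secret. A real association is derived from a
    Diffie-Hellman exchange; here the MAC key is simply generated."""
    def __init__(self):
        self.handle = secrets.token_urlsafe(16)
        self.mac_key = secrets.token_bytes(20)   # HMAC-SHA1 key (2.0 also allows HMAC-SHA256)


def kv_form(fields, signed_keys):
    # Key-Value form of the signed fields, "openid." prefix stripped, one "key:value\n" per line
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)


def sign(fields, signed_keys, assoc):
    digest = hmac.new(assoc.mac_key, kv_form(fields, signed_keys).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_checkid_setup(assoc, claimed_id=IDENTIFIER_SELECT):
    """Step 4: the redirect the RP sends the browser to. With id_select both
    identity fields carry the identifier_select URL and the OP picks the ID."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.assoc_handle": assoc.handle,
        "openid.return_to": RP_RETURN_TO,
        "openid.realm": RP_REALM,
    }
    return OP_ENDPOINT + "?" + urlencode(params)


def op_respond(request_url, assoc, user_identity):
    """Step 5, OP side: after the user authenticates, select an ID if asked and sign."""
    req = {k: v[0] for k, v in parse_qs(request_url.split("?", 1)[1]).items()}
    identity = user_identity if req["openid.identity"] == IDENTIFIER_SELECT else req["openid.identity"]
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": req["openid.return_to"],
        "openid.response_nonce": "2010-11-23T10:00:00Z" + secrets.token_hex(4),  # constructed timestamp
        "openid.assoc_handle": req["openid.assoc_handle"],
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed, assoc)
    return fields


def rp_verify(fields, assoc, seen_nonces):
    """Step 6, RP side: returns the claimed identifier on success, None on any failure."""
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        return None
    signed = fields.get("openid.signed", "").split(",")
    if any("openid." + k not in fields for k in signed):
        return None
    # every field the login decision depends on must be under the signature
    for required in ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"):
        if required not in signed:
            return None
    if fields["openid.op_endpoint"] != OP_ENDPOINT:          # response must come from the discovered OP
        return None
    if fields["openid.return_to"] != RP_RETURN_TO:           # and be addressed to this RP
        return None
    if fields["openid.assoc_handle"] != assoc.handle:        # under an association we actually hold
        return None
    if fields["openid.response_nonce"] in seen_nonces:       # no replay of an old response
        return None
    if not hmac.compare_digest(sign(fields, signed, assoc), fields["openid.sig"]):
        return None
    if fields["openid.claimed_id"] == IDENTIFIER_SELECT:     # the OP must have filled in a real ID
        return None
    # A production RP also re-runs discovery on the returned claimed_id to confirm this OP is authoritative for it.
    seen_nonces.add(fields["openid.response_nonce"])
    return fields["openid.claimed_id"]


def demo():
    """One id_select login, then a replay and a tampered copy; returns the three outcomes."""
    assoc = Association()
    nonces = set()
    response = op_respond(build_checkid_setup(assoc), assoc, "https://op.example.net/id/anderson")
    first = rp_verify(response, assoc, nonces)
    replay = rp_verify(response, assoc, nonces)           # same nonce twice -> None
    tampered = dict(response, **{"openid.claimed_id": "https://op.example.net/id/admin"})
    forged = rp_verify(tampered, assoc, set())            # fresh nonce store, so it fails on the signature -> None
    return first, replay, forged
```

`demo()` returns the accepted identifier for the genuine response and `None` for both the replayed and the tampered copy. The checks in `rp_verify` are the ones that matter in practice: a signature alone proves nothing if the RP does not also pin the OP endpoint and return_to, reject reused nonces, and refuse a response that still carries the identifier_select placeholder.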
58. Single Sign-On
Facebook enables you to remove the registration process for your site by enabling users to log in to your site with their Facebook account.
Once a user logs in to your site with his or her Facebook account, you can access the user's account information from Facebook, and the user is logged in to your site as long as he or she is logged in to Facebook.
http://developers.facebook.com/docs/guides/web#login
http://www.facebook.com/instantpersonalization/
61. Grant Access to the Resource (App)
This is a demo APP to show the usage of facebook social plugins
http://andersonlamp.hopto.org/?code=2.XX7JPLlnLnC26i_5ldohMQ__.3600.1290531600-702462107|7qT7yWTCm4CjglPkLQDT2NnsMVw
63. Quick start with social plugins
http://developers.facebook.com/plugins
Like Button, Like Box, Comments, Activity Feed, Recommendations, Friendpile, Login Button, Live Stream
65. Redefine the Problems
How to achieve Identity Federation?
Web Single Sign On: how to let users sign on once (on one site), and roam everywhere (on other sites), for a given period of time?
Examples
facebook Like Button outside facebook
funP Push Button outside funP
Yam’s Identity in funP.com
75. Redefine the Problems
How to achieve Identity Federation?
Identity Integration (Identity Acquisition): how to recognize that different Web identities represent the same real identity?
cross-domain user account provisioning
cross-domain entitlement management
cross-domain user attribute exchange
Examples
funP – account acquisition from Yam
Jibjab.com – leverage facebook accounts
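The three cross-domain tasks listed on this slide (account provisioning, linking identities, attribute exchange), together with the point of slide 16 that an OpenID is a URI, as an added Python example that is not part of the original deck. It normalizes URL-form OpenIDs the way the OpenID 2.0 specification describes (default scheme, fragment dropped, case-insensitive scheme and host, trailing slash on an empty path; XRI forms are not handled), keys every external identity on (provider, normalized id), and auto-links an external login to an existing local account only when the provider vouches for the e-mail address. The provider names, identifiers and attributes are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_openid(identifier):
    """Normalize a URL-form OpenID: add http:// if no scheme, drop the fragment,
    lower-case scheme and host, and give an empty path a trailing slash."""
    s = identifier.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class IdentityDirectory:
    """Maps external web identities (provider, external id) onto one local account."""

    def __init__(self):
        self.links = {}      # (provider, external id) -> local user id
        self.users = {}      # local user id -> {"email", "email_verified", "attrs"}
        self.by_email = {}   # provider-verified e-mail -> local user id
        self.next_id = 1

    def _key(self, provider, external_id):
        ext = normalize_openid(external_id) if provider == "openid" else external_id
        return (provider, ext)

    def provision(self, email, email_verified):
        """Cross-domain provisioning: create a local account for a first-time external login."""
        uid = self.next_id
        self.next_id += 1
        self.users[uid] = {"email": email, "email_verified": email_verified, "attrs": {}}
        if email and email_verified:
            self.by_email[email] = uid
        return uid

    def resolve(self, provider, external_id, email=None, email_verified=False, **attrs):
        """Return the local user for an external login, linking or provisioning as needed."""
        key = self._key(provider, external_id)
        uid = self.links.get(key)
        if uid is None:
            # Automatic linking only when the provider asserts the address is verified;
            # joining accounts on an unverified e-mail would let anyone claim an existing account.
            if email and email_verified and email in self.by_email:
                uid = self.by_email[email]
            else:
                uid = self.provision(email, email_verified)
            self.links[key] = uid
        # cross-domain attribute exchange: merge whatever attributes the provider supplied
        self.users[uid]["attrs"].update(attrs)
        return uid


def demo():
    """Three identifiers for the same person join one account; an unverified claim does not."""
    d = IdentityDirectory()
    a = d.resolve("openid", "Anderson.Example.org", email="anderson@example.org",
                  email_verified=True, nick="anderson")
    b = d.resolve("openid", "http://anderson.example.org/#profile",  # same URI after normalization
                  email="anderson@example.org", email_verified=True)
    c = d.resolve("facebook", "1000123", email="anderson@example.org",
                  email_verified=True, name="Anderson")
    x = d.resolve("other-site", "user42", email="anderson@example.org", email_verified=False)
    return a, b, c, x, d.users[a]["attrs"]
```

`demo()` returns the same local id for the two OpenID spellings and the Facebook login, a separate id for the login whose e-mail the provider did not verify, and the merged attributes `{"nick": "anderson", "name": "Anderson"}`. Entitlements would then hang off the local user id, so a role granted once applies whichever federated identity the person signs in with next.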