Enhancing cloud applications by using external authentication services
After you complete this section, you should understand:
- Terminology such as authentication, identity, and ID token
- The benefits of external authentication
- The logical flow for secure external authentication
- How to configure and use the IBM Single Sign On service as a broker to authenticate with multiple identity source types
Handling user passwords: how hard can it be?
Managing credentials within your application is a bad idea!
- Storing passwords in a database poses security risks
- Extra work to get it right => writing code with no value add
- Burden of password management inside your application
  - Ensuring passwords have appropriate quality and lifetimes
  - Secure reset process => writing code with no value add
- Forces users to remember(?) another set of credentials. They don't!
- A compromise of your application could have far-reaching consequences (reused passwords expose the user's other accounts)
- Can't integrate well with other applications and services
You need a different way to authenticate users!
Terminology
- End-user: A person.
- Entity: Something with a distinct existence, such as an end-user.
- Identity: A set of attributes related to an entity.
- Authentication: A process used to obtain significant confidence that an entity is bound to an identity.
- Authorization: A process where permission is granted for a request by an entity based on a role, policy, or specific grant.
- Identity provider: A service capable of authenticating an end-user and providing claims of identity to a client.
- ID token: A signed token (a JWT in OpenID Connect) that contains claims from an authentication event; this is the artifact the relying party validates to learn who authenticated.
- Access token: A credential issued alongside the ID token that the client presents to protected resources (for example the provider's UserInfo endpoint). It is for authorization, not proof of identity; an application must not treat possession of an access token as an authentication result.
- Client or relying party: A consumer of identity provider authentications of an entity, such as a web application.
- Single sign-on: Re-use of an authenticated identity from a provider across multiple applications without additional interaction by the end-user.
Reference: OpenID Connect Specification: http://openid.net/specs/openid-connect-core-1_0.html
Benefits of external authentication
- Users don't need to manage another set of credentials
- Externalize password management, including resets, to another service
- Externalize password quality and policy management
- Eliminates the need for the application to store passwords or hashed passwords
- Streamlines access to your application when the user is already authenticated by an identity provider
- Improves security by using an established trust relationship: the user holds an established identity with the ID provider, usually confirmed by multi-factor authentication or issued by their enterprise
Sources of external authentication services
Identity and access management sources:
- Enterprise directory (LDAP)
- Cloud-based identity providers
- Social media login services (OAuth, OAuth 2.0, OpenID). Note that OAuth by itself is an authorization-delegation protocol; OpenID Connect is the layer on top of OAuth 2.0 that turns it into an authentication protocol with a verifiable ID token.
By using an external authentication service, applications can also exploit complex authentication methods, including two-factor and biometric.
[Figure: three source types shown side by side: on-premises directory, as a service (IDaaS), social media]
External authentication high-level flow
Generalized interaction diagram for external authentication. Participants: end-user web browser, relying party (RP) application, identity provider (IdP: Facebook, Google, etc.). All flows use HTTPS.
1. The browser requests /protected on the RP.
2. The RP checks the request for a valid session (access token).
3. If there is none, the RP redirects the browser to the IdP, carrying the original URL (/protected) and the callback URL on the RP.
4. The IdP challenges the user to authenticate.
5. The user responds to the challenge.
IBM Single Sign On service in Bluemix
- Configure and control external authentication for web applications
- Apps use an OpenID Connect client to interact with the service
  - Configuration examples for Java and Node.js
  - Apps don't require knowledge of the interface to the external identity source
- SSO service control panel supports multiple identity sources
  - Social media sites (Facebook, Google, LinkedIn)
  - Cloud directory identity source
  - SAML enterprise identity source (Identity Bridge appliance for LDAP)
- SSO service user login panel uses templates for customization
Authentication flow of IBM Single Sign On
[Figure: the application (identity consumer, running on Liberty with declarative J2EE security and built-in OpenID Connect support, configured automatically during application staging) talks OpenID Connect to the SSO service instance (authentication broker); the broker talks to the identity providers: social IDs (provider-specific), in-cloud directory, LDAP, on-premises directory via SAML. Steps 1-7 are numbered on the arrows.]
1. The application checks for a valid session from the user request.
2. If there is no valid session, the application contacts SSO using OpenID Connect.
3. SSO prompts the user to choose an identity provider, then forwards the request.
4. The identity provider presents the login page to the user.
5. The user authenticates with the provider.
6. The provider places identity claims in an ID token sent to SSO.
7. SSO returns identity claims, including the authentication realm, and the access token to the application.
Notes:
- Uses the standard Node OpenID Connect passport module
- Example integration code is included in the documentation
Configuring SSO: high-level steps
1. Add the Single Sign On service to the dashboard.
2. Select the identity source or sources to configure.
3. Configure the settings for each identity source.
4. Bind the SSO service to the application and open the Integrate tab to download the Node.js module.
5. Add the integration code into the application and implement an authentication callback. Node.js and Java samples are provided; other languages use an OpenID Connect client-compatible library.
6. Provide the callback URL and specify one or more configured identity sources by using the service Integrate tab.
7. Redeploy the application and access a protected URL.
Related links
- IBM Bluemix documentation: Getting started with Single Sign On: https://www.ng.bluemix.net/docs/services/singlesignon/index.html
- OpenID Connect reference specification: http://openid.net/specs/openid-connect-core-1_0.html