Slide 1: JBoss Middleware Security with Picketlink and Keycloak
Kenneth Peeples, JBoss Technology Evangelist
kpeeples@redhat.com
www.ossmentor.com

Slide 2: What are the three main processes of Security?
Authentication
Verification that the user's identity is valid. Authentication is based on three factor types:
➔ What the user knows, such as a password or PIN
➔ What the user has, such as a token or smart card
➔ What the user is (physically), such as a fingerprint or retina
Authorization
The granting of access rights to a user, program or process
Auditing
Providing an audit trail of user actions

Slide 3: What is OASIS?
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society.
https://www.oasis-open.org/

Slide 4: What is OASIS (Continued)?
OASIS Security Services (SAML - Security Assertion Markup Language) TC
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
OASIS eXtensible Access Control Markup Language (XACML) TC
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
OASIS Web Services Secure Exchange (WS-SX) TC
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx

Slide 5: What is SAML?
● The Security Assertion Markup Language (SAML), developed by the Security Services Technical Committee of OASIS, is an XML-based framework for communicating user authentication, entitlement, and attribute information.
● Security Assertion Markup Language (SAML) includes XML based assertions, protocols, bindings and profiles.
https://www.oasis-open.org/committees/download.php/13525/sstc-saml-exec-overview-2.0-cd-01-2col.pdf

Slide 6: What is an Identity Provider (IdP) and Service Provider (SP)?
A user, through a web browser, requests a web resource protected by a Service Provider (SP). The SP, which needs to know the identity of the requesting user, issues an authentication request to an Identity Provider (IdP) through the user agent (the browser). The IdP authenticates the user and returns an assertion that the SP validates before granting access to the resource.
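The SP/IdP exchange just described, as an added example that is not part of the deck and is not PicketLink or Keycloak code. It is a language-neutral model in Python: messages are plain dicts rather than SAML XML, and the IdP's XML signature is stood in for by an HMAC over the assertion fields. The entity IDs, the signing key and the user are constructed for the example. The point to notice is the SP side: it refuses assertions that were not requested (replay), are not addressed to it (audience), are stale, or whose signature does not verify.

```python
"""Simplified SAML Web Browser SSO exchange between an SP and an IdP (added example)."""
import hashlib
import hmac
import json
import secrets
import time

SP_ENTITY_ID = "https://sp.example.test/metadata"    # constructed
IDP_ENTITY_ID = "https://idp.example.test/metadata"  # constructed
IDP_SIGNING_KEY = b"idp-signing-key-for-example"      # stand-in for the IdP's private key


def _sign(assertion):
    """Stand-in for the IdP's XML signature: HMAC over the canonical assertion fields."""
    payload = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


class ServiceProvider:
    def __init__(self):
        self.pending = {}  # AuthnRequest ID -> resource the browser asked for

    def protect(self, resource):
        """Browser asks for a protected resource: issue an AuthnRequest via the user agent."""
        request_id = "_" + secrets.token_hex(8)
        self.pending[request_id] = resource
        return {"ID": request_id, "Issuer": SP_ENTITY_ID, "Destination": IDP_ENTITY_ID}

    def consume(self, response):
        """Assertion Consumer Service: validate the IdP's response before granting access."""
        assertion = response["Assertion"]
        if response["InResponseTo"] not in self.pending:
            raise ValueError("unsolicited or replayed response")
        if assertion["Issuer"] != IDP_ENTITY_ID:
            raise ValueError("unknown issuer")
        if assertion["Audience"] != SP_ENTITY_ID:
            raise ValueError("assertion not intended for this SP")
        if time.time() > assertion["NotOnOrAfter"]:
            raise ValueError("assertion expired")
        if not hmac.compare_digest(_sign(assertion), response["Signature"]):
            raise ValueError("bad signature")
        resource = self.pending.pop(response["InResponseTo"])  # one-time use
        return {"subject": assertion["Subject"], "resource": resource}


class IdentityProvider:
    def __init__(self, users):
        self.users = users  # username -> password, constructed

    def authenticate(self, authn_request, username, password):
        """Authenticate the user and answer the AuthnRequest with a signed assertion."""
        if self.users.get(username) != password:
            raise PermissionError("authentication failed")
        assertion = {
            "Issuer": IDP_ENTITY_ID,
            "Subject": username,
            "Audience": authn_request["Issuer"],  # the SP that asked
            "NotOnOrAfter": int(time.time()) + 300,
        }
        return {"InResponseTo": authn_request["ID"], "Assertion": assertion, "Signature": _sign(assertion)}


def browser_sso(sp, idp, username, password, resource="/customer-portal"):
    """The whole round trip as the user agent carries it between SP and IdP."""
    authn_request = sp.protect(resource)
    saml_response = idp.authenticate(authn_request, username, password)
    return sp.consume(saml_response)


if __name__ == "__main__":
    print(browser_sso(ServiceProvider(), IdentityProvider({"alice": "pw"}), "alice", "pw"))
```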

Slide 7: What is a Security Token Service (STS)?
WS-Trust defines the concept of a security token service (STS), a service that can issue, cancel, renew and validate security tokens, and specifies the format of security token request and response messages.

Slide 8: What is XACML?
XACML is an OASIS standard that describes both a policy language and an access control decision request/response language (both written in XML). The policy language is used to describe general access control requirements, and has standard extension points for defining new functions, data types, combining logic, etc.
https://www.oasis-open.org/committees/download.php/2713/Brief_Introduction_to_XACML.html

Slide 9: Actors involved with XACML
● PAP (Policy Administration Point) - Point which manages policies
● PDP (Policy Decision Point) - Point which evaluates and issues authorization decisions
● PEP (Policy Enforcement Point) - Point which intercepts a user's access request to a resource and enforces the PDP's decision
● PIP (Policy Information Point) - Point which can provide external information to a PDP, such as LDAP attribute information
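How the four actors fit together, as an added example that is not from the deck and is not PicketLink's XACML engine. Policies are Python dicts instead of XACML XML, the PIP reads an inline dict standing in for an LDAP directory, and every user, attribute and policy is constructed. The PDP applies deny-overrides combining (one applicable Deny rule wins), and the PEP treats anything other than an explicit Permit, including NotApplicable, as a refusal.

```python
"""Toy model of the XACML actors: PAP, PIP, PDP and PEP (added example)."""


class PAP:
    """Policy Administration Point: where policies are authored and stored."""

    def __init__(self):
        self.policies = []

    def add_policy(self, resource, action, rules):
        # A rule is (effect, condition); the condition is a predicate over the attribute set.
        self.policies.append({"resource": resource, "action": action, "rules": rules})


class PIP:
    """Policy Information Point: supplies attributes the request did not carry."""

    def __init__(self, directory):
        self.directory = directory  # stand-in for an LDAP directory (constructed)

    def attribute(self, subject, name):
        return self.directory.get(subject, {}).get(name)


class PDP:
    """Policy Decision Point: evaluates a request against the PAP's policies."""

    EXTRA_ATTRIBUTES = ("role", "department")

    def __init__(self, pap, pip):
        self.pap, self.pip = pap, pip

    def decide(self, request):
        attrs = dict(request)
        for name in self.EXTRA_ATTRIBUTES:
            if name not in attrs:  # only ask the PIP for what the request lacks
                attrs[name] = self.pip.attribute(attrs["subject"], name)
        decision = "NotApplicable"
        for policy in self.pap.policies:
            if (policy["resource"], policy["action"]) != (attrs["resource"], attrs["action"]):
                continue  # policy target does not match this request
            for effect, condition in policy["rules"]:
                if condition(attrs):
                    if effect == "Deny":  # deny-overrides combining
                        return "Deny"
                    decision = "Permit"
        return decision


class PEP:
    """Policy Enforcement Point: intercepts the access and enforces the PDP's decision."""

    def __init__(self, pdp):
        self.pdp = pdp

    def access(self, subject, resource, action):
        decision = self.pdp.decide({"subject": subject, "resource": resource, "action": action})
        if decision != "Permit":  # anything but an explicit Permit is refused
            raise PermissionError(f"{subject} may not {action} {resource}: {decision}")
        return f"{subject} performed {action} on {resource}"


def build_demo():
    """Wire the actors together with constructed policy and directory data."""
    pap = PAP()
    pap.add_policy("order-service", "update", [
        ("Permit", lambda a: a["role"] == "manager"),
        ("Deny", lambda a: a["department"] == "contractor"),
    ])
    pip = PIP({
        "alice": {"role": "manager", "department": "sales"},
        "bob": {"role": "manager", "department": "contractor"},
        "carol": {"role": "clerk", "department": "sales"},
    })
    pdp = PDP(pap, pip)
    return pdp, PEP(pdp)


if __name__ == "__main__":
    pdp, pep = build_demo()
    for user in ("alice", "bob", "carol"):
        print(user, pdp.decide({"subject": user, "resource": "order-service", "action": "update"}))
    print(pep.access("alice", "order-service", "update"))
```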

Slide 10: What is the difference between SAML and OAuth?
SAML (Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs.
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
OAuth (Open Authorization) is an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
http://oauth.net/

Slide 11: What is the difference between SAML and OAuth (Continued)?
Token or Message Format
➔ SAML deals with XML as the data construct or token format
➔ OAuth tokens can be binary, JSON or SAML, as explained in OAuth Bearer Tokens
Transport
➔ SAML has Bindings that use HTTP, but there is no restriction on the transport format. You can use SOAP or JMS or any transport you want to send SAML tokens or messages
➔ OAuth uses HTTP exclusively
Scope
➔ SAML is typically used in Enterprise SSO scenarios: within an enterprise, enterprise to partner or enterprise to cloud
➔ OAuth has been designed for use with applications on the internet, primarily for delegated authorization of internet resources. OAuth is designed for Internet Scale

Slide 12: What is Picketlink?
● Security Framework for JavaEE Applications (Apache v2 License)
● First Class support for CDI
● Secures your beans, view layer, bean methods, REST endpoints, Servlets etc
● Simple API for managing Users, Roles, Groups
● Authenticate any way you want
● Permissions API for fine grained authorization
● Federation – SAML, WS-Trust, OpenID, OAuth
● Social Login with Facebook, Twitter and Google+

Slide 13: What is Keycloak?
● KeyCloak is an SSO server for web, mobile and REST applications
● KeyCloak is an OOTB server for:
➔ Authentication
➔ Authorization
➔ Centrally managing Application Users, Roles and Role Mappings
➔ Social Login
● KeyCloak is deployable as a war, appliance or on OpenShift
● KeyCloak project is part of the PicketLink family

Slide 14: What is the problem space?
● Applications need to be secure.
● Applications need the following security features:
➔ Authentication
➔ Authorization
➔ Management of Users, Roles and Groups
➔ Audit
➔ Social Login
➔ Single Sign On

Slide 15: What is the solution?
Two Options:
Roll your own security with building blocks
➔ PicketLink is the choice and has a ton of quickstarts
Out of the box solution with UI
➔ KeyCloak is the choice

Slide 16: How do I use KeyCloak?
KeyCloak Demo with EAP
Steps are in the preconfigured-demo directory in the keycloak-war-dist-all.zip
Step 1 Install the KeyCloak server on EAP
Step 2 Boot the KeyCloak Server
Step 3 Import the demo Test Realm
Step 4 Build and Deploy Examples
Step 5 Login and observe the Customer and Product Apps for SSO
Step 6 Try the OAuth2 example
KeyCloak Demo with OpenShift
Step 1 Sign up for an OpenShift account
Step 2 Login to OpenShift
Step 3 Click on add application
Step 4 Use the Cartridge URL from the doc and click next
Step 5 Enter the application name and choose a medium gear
Step 6 Make a note of the credentials for WildFly
Step 7 Click continue to the application and change the Admin account
http://docs.jboss.org/keycloak/docs/1.0-beta-1/userguide/html/openshift.html

Slide 17: How do I use Picketlink?
● Available in WildFly AS and JBoss EAP
➔ PicketLink versions and feature set may vary
● Getting Started Guide
➔ PicketLink Installer
➔ Maven Install - JBoss JDF BOM
● Large Number of Quickstarts
➔ Visit http://www.picketlink.org/ and click the Quickstarts button

Slide 18: How do I use Picketlink (Continued)?
https://docs.jboss.org/author/display/PLINK/PicketLink+Quickstarts
Picketlink SSO Demo
Step 1 Install EAP
Step 2 Download and Install the Picketlink Quickstarts
Step 3 Modify standalone.xml for the security domain
Step 4 Start the Server
Step 5 Browse to the applications

Slide 19: Picketlink - Identity Management
● Manage Users, Roles, Groups and more.
➔ Built-in support for storing identities in:
➢ File System
➢ Database (JPA)
➢ LDAP
➔ Well defined API for creating custom identity stores
➔ Powerful Query API
➔ Operations are via the IdentityManager interface
➢ @Inject IdentityManager into your beans

Slide 20: Picketlink - BYO Identity Model
● We provide optional
➔ Users, Roles, Groups classes
➔ Default Relationships
➢ Group Membership, Group Role and Application Role
● Custom Identity Classes
● Custom Relationships
● Provides flexibility for your project

Slide 21: Picketlink - Authentication
● Identity.login()
➔ Identity can be either
➢ Session (Stateful) scoped or
➢ Request (Stateless) scoped
● Authenticator can be app based or request based
➔ Support multiple auth mechanisms in one app (Password + OpenID)
● Support for various credential types provided
● Driven by PicketLink IDM

Slide 22: Picketlink - Other IDM features
● Built in authentication support for
➔ FORM, BASIC, CLIENT-CERT (X509) and DIGEST styles
● Password Encoding
➔ Defaults to Salted Hash or BYO
● Mix and match Identity Stores
➔ Store Users in LDAP and Roles/Groups in DB
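What the "Salted Hash" default on this slide buys you, shown as an added example that is not PicketLink's own encoder (PicketLink's implementation and storage format are not reproduced here). The encoder below uses PBKDF2-HMAC-SHA256 with a random per-password salt and stores algorithm, iteration count, salt and digest together so the verifier needs nothing else; the iteration count is a constructed work factor for the example. The contrast function shows why the salt matters: without it, two users with the same password get the same stored value, so one cracked hash reveals every account that shares it.

```python
"""Salted, iterated password encoding with self-describing stored format (added example)."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000  # constructed work factor; tune to your hardware


def encode_password(password, salt=None):
    """Return 'algorithm$iterations$salt$digest'; a fresh random salt unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, encoded):
    """Recompute the digest from the stored salt and iteration count; constant-time compare."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = encoded.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record, never a match
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def unsalted_hash(password):
    """The weak alternative, for contrast only: identical passwords hash identically."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def same_password_same_record(password):
    """True for the unsalted scheme, False for the salted one: the property the salt removes."""
    return unsalted_hash(password) == unsalted_hash(password), encode_password(password) == encode_password(password)


if __name__ == "__main__":
    stored = encode_password("correct horse")
    print(stored)
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
    print(same_password_same_record("correct horse"))
```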

Slide 23: Picketlink - Permission API
● Fine Grained Access Control for your applications
● Identity
➔ hasPermission methods
● Well defined API
➔ PermissionVoter
➢ hasPermission check: returns VotingResult
➔ PermissionResolver
➢ Resolves a permission among voters
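The voter/resolver design on this slide, modelled as an added example rather than PicketLink's own Permission API (the Java interfaces are not reproduced; this is a language-neutral sketch in Python). Two voters are constructed, one that allows an owner to act on their own resource and one that requires a role for sensitive operations, and the resolver combines their VotingResult values with an assumed rule: any DENY refuses the permission, otherwise at least one ALLOW is needed, and NOT_APPLICABLE votes are ignored.

```python
"""Permission voters and a resolver that combines their votes (added example)."""
from dataclasses import dataclass
from enum import Enum


class VotingResult(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NOT_APPLICABLE = "not_applicable"


@dataclass
class Document:
    identifier: int
    owner: str


class OwnerVoter:
    """Allows any operation on a Document by its owner; says nothing otherwise."""

    def has_permission(self, recipient, resource, operation):
        if isinstance(resource, Document) and resource.owner == recipient:
            return VotingResult.ALLOW
        return VotingResult.NOT_APPLICABLE


class RoleVoter:
    """For operations that need a role, DENY outright when the recipient lacks it."""

    def __init__(self, user_roles, required_role):
        self.user_roles = user_roles        # recipient -> set of roles (constructed)
        self.required_role = required_role  # operation -> role needed (constructed)

    def has_permission(self, recipient, resource, operation):
        role = self.required_role.get(operation)
        if role is None:
            return VotingResult.NOT_APPLICABLE  # this voter has no opinion on that operation
        if role in self.user_roles.get(recipient, set()):
            return VotingResult.ALLOW
        return VotingResult.DENY


class PermissionResolver:
    """Assumed combining rule: a DENY wins, else at least one ALLOW is required."""

    def __init__(self, voters):
        self.voters = list(voters)

    def resolve(self, recipient, resource, operation):
        allowed = False
        for voter in self.voters:
            vote = voter.has_permission(recipient, resource, operation)
            if vote is VotingResult.DENY:
                return False
            if vote is VotingResult.ALLOW:
                allowed = True
        return allowed


def build_resolver():
    """Constructed users and rules: alice is an admin, bob has no roles."""
    return PermissionResolver([
        OwnerVoter(),
        RoleVoter({"alice": {"admin"}, "bob": set()}, {"delete": "admin", "publish": "editor"}),
    ])


if __name__ == "__main__":
    resolver = build_resolver()
    doc = Document(identifier=7, owner="bob")
    for who, op in (("bob", "read"), ("carol", "read"), ("bob", "delete"), ("alice", "delete"), ("alice", "publish")):
        print(who, op, resolver.resolve(who, doc, op))
```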

Slide 24: Picketlink - Permission API – Drools Impl
● Fine Grained Access Control for your applications
● Drools based implementation
● PicketLink Camel Authorization uses the Drools based Permission Impl

Slide 25: Picketlink - Authorization - XACML
● PicketLink has an OASIS XACML v2 Engine
● Standards based fine grained authorization

Slide 26: Picketlink - Authentication/Federation - SAML
● SAML Based SSO
➔ SAML v2.0 and v1.1 Support
➔ Web Browser SSO Profile
➔ Global Logout Profile
➔ Metadata Profile etc

Slide 27: Picketlink - Authentication/Federation
● WS-Trust based Security Token Service (STS)
➔ SSO for Web Services
➔ Identity propagation to 3rd party systems

Slide 28: Picketlink - Authentication/Federation
● OpenID Support
➔ Build your relying party
➔ Project CafeDwarf uses PL OpenID support
● OAuth2 Support
➔ Build your authorization server, resource and token endpoints
➔ Watch for more quickstarts/demo apps in the next few months

Slide 29: Picketlink - Social Login
● Use third party authentication for your JavaEE applications
➔ Facebook Connect
➔ Twitter
➔ Google+
➔ Others planned (LinkedIn, GitHub etc)

Slide 30: Picketlink and KeyCloak Roadmap
● Picketlink 2.6.Final targeted around this summer
➔ Picketlink.org
● KeyCloak 1.0.Final targeted around this summer
➔ Keycloak.org

Slide 31: References
http://docs.jboss.org/picketlink/2/latest/reference/html-single/
https://community.jboss.org/wiki/ProtectingEJBwebserviceswithXACMLAbeginnerstutorial
https://community.jboss.org/wiki/SAMLWSIntegrationwithPicketLinkSTS
http://server.dzone.com/articles/security-features-jboss-510-2
http://www.jboss.org/picketlink/Fed.html
http://docs.jboss.org/keycloak/docs/1.0-beta-1/userguide/html/index.html
http://architects.dzone.com/articles/saml-versus-oauth-which-one
http://picketlink.org/presentations/decks/