Difference between revisions of "WISE-PaaS/Single Sign-On(SSO)"

From ESS-WIKI
Sample code (from the previous revision of this page; the latest revision links to these as separate pages under Document)

OpenID.json : Replace realm, realm-public-key, client-id and resource according to the realm setting.

<pre>{
  "realm": "RMM",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgXyx5rl6laDJKt5vvz1lNYsrDgNHZKetagmr81IyvTuYpWQFwJwnai5pNQxfa6jgFBPiOg+pwD7jAfCgQghqWZFWVqPkL+Wt1PXEAXkg54yz9+oCrahsHZPoaQyWhTyf8StBqFUZurA7HkfRqPFINge5xo0jlkjVTcGUUTD/4HzEXc9tYdI1wqv9Ymd+eWG/uhYMu67DvzdNg/aIgxp5U7kYWZiyApjZH4ymP7fEWyFSSRSM/IwWKuW1Lc22w2nEU4RozZ5WF7QoOsjGB7ya62wwJN9UC+v+AgtUDy0VDkiDWruSz9pFQhTyWS1ITh9qoZerJdhu47eHPNKhoGVJpwIDAQAB",
  "auth-server-url": "https://openidserver.redirectme.net:8443/auth",
  "ssl-required": "all requests",
  "client-id": "RMMClient",
  "public-client": true,
  "resource": "RMMClient"
}</pre>

TestOpenID.html : An example HTML login client for WISE-PaaS OpenID Connect.

<pre><html>
<head>
    <title>Customer View Page</title>
    <!-- Keycloak JavaScript adapter, served by the SSO server itself -->
    <script src="https://openidserver.redirectme.net:8443/auth/js/keycloak.js"></script>
</head>
<body bgcolor="#E3F6CE">

<p>Goto: <a href="/product-portal">products</a> | <a href="#" onclick="keycloak.logout()">logout</a> | <a href="#" onclick="keycloak.accountManagement()">manage acct</a></p>
<!-- Status line used by the error handlers below. The original page had no element
     with this id, so those messages could never be displayed. -->
<p id="customers"></p>
User <b id="subject"></b> made this request.
<p><b>User details (from <span id="profileType"></span>)</b></p>
<p>Username: <span id="username"></span></p>
<p>Email: <span id="email"></span></p>
<p>Full Name: <span id="name"></span></p>
<p>First: <span id="givenName"></span></p>
<p>Last: <span id="familyName"></span></p>

<script>
    // Adapter configuration: the OpenID.json above, saved on the web site under this path
    var keycloak = Keycloak('openid/keycloak.json');

    // Profile fields come from the user's own claims, so they are written with
    // textContent rather than innerHTML to keep them from being interpreted as markup.
    var loadData = function () {
        document.getElementById('subject').textContent = keycloak.subject;
        if (keycloak.idToken) {
            // Claims are available locally from the ID token, no extra request needed
            document.getElementById('profileType').textContent = 'IDToken';
            document.getElementById('username').textContent = keycloak.idTokenParsed.preferred_username;
            document.getElementById('email').textContent = keycloak.idTokenParsed.email;
            document.getElementById('name').textContent = keycloak.idTokenParsed.name;
            document.getElementById('givenName').textContent = keycloak.idTokenParsed.given_name;
            document.getElementById('familyName').textContent = keycloak.idTokenParsed.family_name;
        } else {
            // No ID token: fetch the profile from the account service instead
            keycloak.loadUserProfile(function() {
                document.getElementById('profileType').textContent = 'Account Service';
                document.getElementById('username').textContent = keycloak.profile.username;
                document.getElementById('email').textContent = keycloak.profile.email;
                document.getElementById('name').textContent = keycloak.profile.firstName + ' ' + keycloak.profile.lastName;
                document.getElementById('givenName').textContent = keycloak.profile.firstName;
                document.getElementById('familyName').textContent = keycloak.profile.lastName;
            }, function() {
                document.getElementById('profileType').textContent = 'Failed to retrieve user details. Please enable claims or account role';
            });
        }
    };

    var loadFailure = function () {
        document.getElementById('customers').innerHTML = '<b>Failed to load data. Check console log</b>';
    };

    // Refresh the access token if it expires within 10 seconds, then redraw the page
    var reloadData = function () {
        keycloak.updateToken(10)
                .success(loadData)
                .error(function() {
                    document.getElementById('customers').innerHTML = '<b>Failed to load data. User is logged out.</b>';
                });
    };

    // login-required: redirect to the SSO server immediately when there is no session
    keycloak.init({ onLoad: 'login-required' })
        .success(reloadData)
        .error(function(errorData) {
            document.getElementById('customers').innerHTML = '<b>Failed to load data. Error: ' + JSON.stringify(errorData) + '</b>';
        });
</script>

<br><br>
<button onclick="reloadData()">Reload data</button>
</body>
</html></pre>

Latest revision as of 10:16, 17 January 2017

Introduction

Single Sign-On (SSO) is part of the Advantech WISE-PaaS cloud solution and plays an important role in the interoperability of Internet identity. It provides a central login mechanism.

WISE-PaaS/Single Sign-On utilizes Keycloak, an open source identity and access management solution for modern applications and services. There is no need to deal with storing or authenticating users; it is all available out of the box.

API Protocol Flow

The following is a basic standard workflow. It presents the key concept of Single Sign-On and how the parties interact with each other.

[Image: OAuth abstract flow.png]

  • User/Resource owner : Who authorizes others to access a Protected Resource. If the role is a human, it means the end-user.
  • Application/Client/Browser : An application, client or browser page that acts on behalf of the Resource Owner to access the Protected Resource.
  • Authorize Server : The server that issues the Access Token after the user is authenticated (the WISE-PaaS/Single Sign-On server).
  • Resource Server : The server hosting the Protected Resource; it accepts requests according to the Access Token.

Here is a more detailed explanation of the steps in the diagram:

  1. The application requests authorization from the user to access service resources.
  2. If the user authorizes the request, the application receives an authorization grant.
  3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity together with the authorization grant.
  4. If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete.
  5. The application requests the resource from the resource server (API) and presents the access token for authentication.
  6. If the access token is valid, the resource server (API) serves the resource to the application.

Another more detailed flow chart:

[Image: Figure 1.png]

Features Overview

WISE-PaaS/Single Sign-On (SSO), which is based on Keycloak, has the following features.

  • Single Sign-On : Login once to multiple applications
  • Standard Protocols : OpenID Connect, OAuth 2.0 and SAML 2.0
  • Centralized Management : For admins and users
  • Adapters : Secure applications and services easily
  • High Performance : Lightweight, fast and scalable
  • Clustering : For scalability and availability
  • Password Policies : Customize password policies

Components

The WISE-PaaS/Single Sign-On server acts as a public web server and provides client adapters that make it easy to secure applications.

  • OpenID Connect Server : The WISE-PaaS/Single Sign-On server follows the standard protocols OpenID Connect, OAuth 2.0 and SAML 2.0; see the server setting documents in the Document section.
  • OpenID Connect Client : The WISE-PaaS/Single Sign-On server provides a generic OpenID Connect client; see the sample code in the Document section.
  • OAuth 2.0 Server : The WISE-PaaS/Single Sign-On server follows the standard protocols OpenID Connect, OAuth 2.0 and SAML 2.0; see the server setting documents in the Document section.
  • OAuth 2.0 Client : The WISE-PaaS/Single Sign-On server provides a generic OAuth 2.0 client; see the sample code in the Document section.

Implementation

WISE-PaaS provides a complete service for Single Sign-On. There are three sections for developers to implement.

  1. Settings on WISE-PaaS/Single Sign-On server
    • Apply for a realm administrator account on the WISE-PaaS/Single Sign-On server. Please send a request to the WISE-PaaS/Single Sign-On service manager by e-mail and provide the following information:
      1. Service name : [RMM] used as your realm.
      2. Client name : [RMMClient] a client definition for an app to log in with.
      3. User registration : [True/False] Enable/Disable user registration.
      4. Administrator account : [RMMAdmin] Use this account to manage this realm. The default password is the same as the account name; change the password after the first login.
    • Set up your service on the WISE-PaaS/Single Sign-On server
      1. Log in to the WISE-PaaS Single Sign-On server (https://openidserver.redirectme.net:8443/auth/admin/).
      2. Authorization Setting (only if you want to enable authorization services; see the User Guide Authorization Setting)
        • Enable authorization in the client setting.
        • Create a Resource : Create the resources that you want to protect.
        • Create a Permission : A permission associates the object being protected with the policies that must be evaluated to decide whether access should be granted.
        • Create a Role : Use this type of policy to define conditions for your permissions where a set of one or more roles is permitted to access an object.
        • Create a User : Create a login account for SSO with a role mapping for the client.
        • Evaluate : When designing your policies, you can simulate authorization requests to test how your policies are evaluated, with the result in JSON format.
      3. Get the client app settings
        • Realm Public Key : Get the public key from Realm settings -> [Realm] -> Keys -> Public key.
        • Client Credentials Secret : Get the secret from Clients -> Credentials -> Secret (only if you want to enable authorization services; otherwise set "public-client" to true).
  2. Application for end user
    • Copy the json and html sample code to your local web site.
    • Modify the json settings.
    • Once the test HTML page is opened, it is automatically redirected to the OpenID Connect server.
    • After a successful login, it automatically leads back to the test page with an access token.
  3. Verify Access Token on Resource Server
    • Decode and validate the JWT access token.
    • Respond to the client according to the user's protected resources.

Document

  • WISE-PaaS/Single_Sign-On(SSO)_server_setting
  • Application(Client)_Sample_code_(json)
  • Application(Client)_Sample_code_without_Authorization_(json)
  • Application(Client)_Sample_code_(HTML)
  • Resource_Server_jwt_Sample_code