SSO Solution Using OAuth and OpenID Connect for Defense Logistics Agency


This document outlines a Single Sign-On (SSO) solution using OAuth 2.0 and OpenID Connect for the Defense Logistics Agency (America's Combat Logistics Support Agency). OAuth 2.0 lets a registered SSO client obtain a short-lived access token instead of the user's credentials; the token grants access to specific resources within the Procurement Integrated Enterprise Environment (PIEE) for a defined duration. OpenID Connect is used in conjunction with OAuth 2.0 so that registered SSO client applications can retrieve the authenticated user's information with that token. The process is: the user is authorized through OAuth 2.0, then the client retrieves user information through OpenID Connect. Trusted systems, client application registration and approval, and the SSO sequence are detailed in the document.


Uploaded on Jul 31, 2024



Presentation Transcript


  1. DEFENSE LOGISTICS AGENCY, AMERICA'S COMBAT LOGISTICS SUPPORT AGENCY. PIEE (Procurement Integrated Enterprise Environment) Generic Single Sign On (SSO). WARFIGHTER FIRST

  2. SSO Solution
     OAuth (Open Authorization)
     o OAuth 2.0 is an open standard for delegated authorization; it is not itself an authentication protocol, which is why OpenID Connect is layered on top of it.
     o OAuth allows users to hand out tokens instead of credentials for their data hosted by a given service provider.
     o Each token grants access to a specific site (e.g. Wide Area Workflow e-Business Suite) for specific resources (e.g. the user's first name and last name) and for a defined duration (e.g. the next 5 minutes).
     OpenID Connect
     o OpenID Connect is used in conjunction with OAuth 2.0 to allow registered SSO client applications access to user information from PIEE applications.
     o OpenID Connect requests must first be authorized by OAuth 2.0: the client presents the access token issued in the OAuth exchange.
     o User info can include: User ID, First Name, Last Name, Enabled Flag, DOD ID, Email Address, Title, and Organization.
     For more information about OpenID Connect, please visit http://openid.net/connect/
     For more information about OAuth, please visit http://oauth.net/documentation/getting-started/

  3. SSO Overview
     Trusted System: OAuth to authorize the user, then OpenID Connect to retrieve user info.
     SSO Client Application in PIEE: account registration, approval, and single sign-on.

  4. SSO Sequence Diagram (participants: User's Browser, Trusted System, Target PIEE Application)
     1. The user logs onto the Trusted System (the user accesses the Trusted System, which creates a session).
     2. The user clicks on the SSO client application (the user requests access to the SSO client); the Trusted System sends the request to the URL specified by the client application.
     3. The SSO client builds the OAuth authorization URL and sends an OAuth HTTP(S) redirect to the user's browser. Format of the URL request:
        <Trusted System Server URL>/portal/oauth2/authorize?response_type=code&client_id=<Provided client ID>&redirect_uri=<Client provided redirect URI>
     4. The browser redirects to the provided URL; the Trusted System receives the redirect, validates the provided client ID, creates an authorization code, and redirects the browser back to the client.
     Note: the authorize request shown carries no state parameter; RFC 6749 recommends one so the client can tie the callback in step 5 to the browser session that started the flow.

  5. SSO Sequence Diagram (continued)
     5. The browser redirects to the redirect URI provided in step 3 (the browser redirects back to the SSO client), which receives the authorization code. Format of the URL response:
        <Client redirect URI>?code=<Trusted System generated authorization code>
     6. The SSO client builds the OAuth token request and sends a POST request to the Trusted System. The POST request must include an HTTP Authorization header carrying the base64-encoded client ID and password provided to the SSO client application (HTTP Basic, i.e. base64 of "<client ID>:<password>"; example from the slide: Authorization: Basic ZGFpY2xpZW50OIFhendzeEAx). POST request URL format:
        <Trusted System Server URL>/portal/oauth2/token?grant_type=authorization_code&code=<Authorization Code Provided>&redirect_uri=<Client redirect URI>
     7. The Trusted System validates the POST request, creates the authorization token JSON data, and sends the POST response to the client. Authorization JSON data format:
        {
          "user_id": "<userId>",
          "expires_in": 300,                (seconds until the access token expires)
          "refresh_token": "<refresh token>",
          "access_token": "<access token>"  (token used to retrieve user information)
        }
     8. The SSO client receives the JSON authorization token data.
     Note: the slide places the token-request parameters in the URL query string; RFC 6749 section 4.1.3 carries them in the form-encoded request body instead, which keeps the authorization code out of server and proxy access logs.

  6. SSO Sequence Diagram (continued)
     9. The SSO client sends a GET request to the Trusted System for the user's data. GET request URL format:
        <Trusted System Server URL>/userdata/<provided user ID>?oauth_token=<provided access token>
     10. The Trusted System validates the access token received, builds the request for user data (per OpenID Connect), builds the JSON response of the user's data, and sends the response to the client.
     11. The SSO client receives the requested user JSON data. User JSON data format can include:
        {
          "userId": "<userId>",
          "roles": [ { <role particular information> } ],
          "dodId": "<EDIPI number>",
          "title": "<user's title>",
          "organization": "<user's organization>",
          "firstName": "<first name>",
          "lastName": "<last name>",
          "enabled": true,
          "email": "<email address>",
          "phoneNumber": "<phone number>",
          "dsnPhoneNumber": "<DSN phone>"
        }
        Note: this can change based on the SSO client's needs.
     Note: the access token travels in the query string (oauth_token=...); RFC 6750 permits that only as a last resort and prefers the Authorization: Bearer header, because query strings end up in access logs and can leak through Referer headers.
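The sequence on slides 4 to 6, as an added example that is not PIEE's code: a minimal Python SSO client (the Target PIEE Application side) and an in-memory stand-in for the Trusted System, exchanging the same URLs and JSON the slides show. The hostnames, the client ID and password, and the user record are constructed. The state parameter and its check are an addition beyond the slides (RFC 6749 recommends it), and the single-use authorization code, the redirect-URI match and the Basic-auth check spell out what the Trusted System's "validate" steps must cover. The Basic header is built from the raw client_id:password pair; RFC 6749 section 2.3.1 additionally form-urlencodes the two values first.

```python
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: none of these hosts, credentials or users are PIEE's.
TRUST = "https://trusted.example"                    # <Trusted System Server URL>
CLIENT_ID, CLIENT_PW = "ssoclient", "client-secret"  # issued at client registration
REDIRECT_URI = "https://ssoclient.example/callback"  # <Client redirect URI>


class TrustedSystem:
    """In-memory stand-in for the Trusted System's authorize, token and userdata endpoints."""

    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_PW, REDIRECT_URI)}  # registered clients
        self.codes = {}   # authorization code -> (client_id, redirect_uri, user_id)
        self.tokens = {}  # access token -> (user_id, expiry time)
        self.users = {"jdoe": {"userId": "jdoe", "firstName": "Jane", "lastName": "Doe",
                               "enabled": True, "email": "jane.doe@example.mil",
                               "dodId": "1234567890", "roles": []}}

    def authorize(self, url, session_user):
        """Step 4: validate client ID and registered redirect URI, issue a one-time code."""
        q = parse_qs(urlsplit(url).query)
        client_id, redirect_uri = q.get("client_id", [""])[0], q.get("redirect_uri", [""])[0]
        if q.get("response_type") != ["code"]:
            raise ValueError("unsupported response_type")
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, session_user)
        params = {"code": code}
        if "state" in q:  # echo state so the client can tie the callback to its session
            params["state"] = q["state"][0]
        return f"{redirect_uri}?{urlencode(params)}"  # <Client redirect URI>?code=...

    def token(self, url, headers):
        """Step 7: check the HTTP Basic client credentials and the code, then mint tokens."""
        scheme, _, cred = headers.get("Authorization", "").partition(" ")
        if scheme != "Basic":
            raise PermissionError("client must authenticate with HTTP Basic")
        client_id, _, pw = base64.b64decode(cred).decode().partition(":")
        if client_id not in self.clients or self.clients[client_id][0] != pw:
            raise PermissionError("bad client credentials")
        q = parse_qs(urlsplit(url).query)
        entry = self.codes.pop(q.get("code", [""])[0], None)  # codes are single-use
        if (q.get("grant_type") != ["authorization_code"] or entry is None
                or entry[:2] != (client_id, q.get("redirect_uri", [""])[0])):
            raise PermissionError("invalid authorization code")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = (entry[2], time.time() + 300)
        return json.dumps({"user_id": entry[2], "expires_in": 300,
                           "refresh_token": secrets.token_urlsafe(32), "access_token": access})

    def userdata(self, url):
        """Step 10: validate the access token for this user ID and return the user's JSON data."""
        parts = urlsplit(url)
        user_id = parts.path.rsplit("/", 1)[-1]
        tok = parse_qs(parts.query).get("oauth_token", [""])[0]
        owner, expiry = self.tokens.get(tok, (None, 0))
        if owner != user_id or time.time() > expiry:
            raise PermissionError("invalid or expired access token")
        return json.dumps(self.users[user_id])


# SSO client side (the Target PIEE Application).
def build_authorize_url(state):
    """Step 3. 'state' is not on the slides; added so the callback can be tied to the session."""
    return f"{TRUST}/portal/oauth2/authorize?" + urlencode(
        {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "state": state})

def parse_callback(url, expected_state):
    """Step 5: extract the code, rejecting a callback whose state does not match."""
    q = parse_qs(urlsplit(url).query)
    if q.get("state", [""])[0] != expected_state:
        raise PermissionError("state mismatch: callback not tied to this session")
    return q["code"][0]

def token_request(code):
    """Step 6: token endpoint URL plus the Basic header carrying base64(client ID:password)."""
    cred = base64.b64encode(f"{CLIENT_ID}:{CLIENT_PW}".encode()).decode()
    url = f"{TRUST}/portal/oauth2/token?" + urlencode(
        {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI})
    return url, {"Authorization": f"Basic {cred}"}

def userdata_url(user_id, access_token):
    """Step 9: user data request, token in the query string exactly as the slide shows."""
    return f"{TRUST}/userdata/{user_id}?" + urlencode({"oauth_token": access_token})

def sso_login(ts, session_user="jdoe"):
    """Steps 3-11 end to end against a Trusted System; returns the user's data as a dict."""
    state = secrets.token_urlsafe(16)
    code = parse_callback(ts.authorize(build_authorize_url(state), session_user), state)
    grant = json.loads(ts.token(*token_request(code)))
    return json.loads(ts.userdata(userdata_url(grant["user_id"], grant["access_token"])))
```

`sso_login(TrustedSystem())` returns the constructed user's record. The Trusted System methods stand in for HTTP calls, so the same client functions can be pointed at a real endpoint by replacing `ts.authorize`, `ts.token` and `ts.userdata` with a browser redirect, an HTTP POST and an HTTP GET respectively; in production the token would go in an `Authorization: Bearer` header rather than the `oauth_token` query parameter.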

  7. SSO More Information
     For more information on interfacing with the PIEE system SSO, you may view the document linked below for sample requests and detailed steps.

  8. Questions/Comments???
