Verisign Identity Protection and OpenSSO
By bounds on Jun 09, 2008
I've owned a Paypal Security Key for some time now. I was recently asked by a customer if Sun Access Manager/OpenSSO can use Verisign Identity Protection, which is really what the Paypal key uses behind the scenes. The answer is YES! While OpenSSO doesn't have a ready out-of-the-box authentication module for VIP, its very easy to create one. I'm not sure if OpenSSO will ever add one since a large portion of VIP is Token Management. Which tokens are associated with which users is something I would consider out of the scope of OpenSSO. Even if we made it customizable with a configuration page, I can guarantee we won't cover every option. I'm planning on making a simple interface to try this, I'll post when I finish.
- Download all the Software you will need: Glassfish, Netbeans, OpenSSO, and VIP Test Drive. I used Glassfish V2U2, Netbeans 6.1, and OpenSSO v2 B4. I also used JDK 1.6u6
- Install the Software. I'll leave this exercise up to you, since I don't want to write all the install steps
- You'll need to create a Web Service reference from the vip_testdrive.wsdl. In Netbeans 6.1, go to the Services Tab, New WebService, and point to the WSDL file.
- Create the VIPWebServiceClient.java We only need the Validate method for Authentication. VIP provides a very rich set of services for enabling, disabling, and synchronizing tokens
- Create VIPPrincipal.java
- Create VIPLoginModule.xml
- Create VIPLoginModule.java. For my interface I only use Validate() and expect the end-user to provide username, tokenID, and the OTP. In a real deployment, you would most likely use the username to discover what Tokens are registered with the user. Then use that information so the user doesn't have to remember their tokenID. You may also notice that I'm not using a password. I really just wanted to prove that Access Manager/OpenSSO could integrate with VIP. So, THIS IS NOT 2-FACTOR AUTHENTICATION! You only get "Something you have" with this module. I'll leave it up to you to build the "Something you know". And NO, I don't consider username to be something you know.
- Move VIPLoginModule.xml to the config/auth/default directory
- Package the .class files into a jar file and place it in WEB-INF/lib
- You will need to add the Client Cert to the application server keystore. That was a pain in itself since java expects JKS type keys and VIP provided P12. I'll cover this in another post
- Restart Application Server
- Visit http://yourmachine.com/opensso/UI/Login?module=VIPLoginModule
- Generate a OTP using the VIP utils provided. The TokenID for this example is VSST57152657 and the OTP is 000138. This is a time based token. VIP also contains event based tokens.
- Once you've filled in the correct values, you should be authenticated to OpenSSO
ConclusionBuilding an Authentication Module for OpenSSO was easier than I thought. I spent most of my time trying to import the Client cert. The other issue I battled was Verisign's Web Service. It uses different URIs depending on what you are doing. These are NOT defined in the WSDL, but at run time. The Sample code they provide inserts them. For example /mgmt/soap is for activation or deactivation, and /val/soap is for validation. The VIP sample uses AXIS, but I wanted to use JAX-WS.
If you get a chance, I recommend getting the "Football" token for Paypal. Its a great second factor for security.