Title: A Client Middleware for Token-Based Unified Single Sign On to edugain
A Client Middleware for Token-Based Unified Single Sign On to edugain

Sascha Neinert
Computing Centre, University of Stuttgart, Allmandring 30a, Stuttgart, Germany
sascha.neinert@rus.uni-stuttgart.de

Keywords: Single Sign On, Identity Federation, eduroam, edugain, Identity Token

Abstract

This document presents a solution that offers a unified Single Sign On to users of the eduroam roaming infrastructure and of the GÉANT2 confederated authentication and authorization infrastructure, edugain. This is achieved by dedicated client middleware and a newly developed token-based profile for edugain.

Introduction

With Single Sign On (SSO), a user can be authenticated once and then access all resources and services he is entitled to within one security domain. In an Identity Federation, a user can additionally access resources and services within any other security domain that is part of the federation's trust fabric. The main principle of a federation is to distinguish between providers of services and providers of identities. Thereby, a user can have one single virtual identity at home and use this to access resources and services at other locations. Users' accounts and attributes are managed at their trusted home institutions, in one place, and they are authenticated by their home institutions. The Service Providers have established agreements with the Identity Providers, trust their authentication and attribute information and base their authorization decisions on them. These authorization decisions determine whether or not the specific user can access a certain resource or service.

A number of solutions for federated SSO have been developed or are already deployed. There are those for accessing web resources and web services, often based on the XML standard Security Assertion Markup Language (SAML). Other systems are focused on authentication for network resources, the Kerberos protocol being one important example.

The presented approach is part of a federated Single Sign On for network resources, web resources and other service types. The first phase is authentication for network access performed via the eduroam [1] RADIUS infrastructure; it is described in [2]. This bootstraps a second phase that uses the acquired authentication information for accessing web resources and services. This second phase is a new token-based profile for edugain, the GÉANT2 Authorization and Authentication Infrastructure [3].

In the next section an overview of the proposed architecture for unified Single Sign On (usso) is given. This architecture is based on identity tokens, managed by a new piece of client middleware, as well as a new token-based profile for edugain. Next, related approaches for extending SSO middleware systems beyond browser-only use are presented, and their relation to the proposed approach is explained. Finally, the implementation of the proposed approach is presented, and the concluding section sums up what has been achieved and what work remains to be done.

Overview of the Architecture

This architecture for unified Single Sign On brings together two currently independent (con-)federation infrastructures, eduroam and edugain. The two differ in the technologies they employ: 802.1X and EAP over RADIUS in eduroam, and SAML over HTTP in edugain. They also differ in the services they offer: network access at any visited institution, and access to web resources at some service provider anywhere. However, there are also two links between them, as shown in figure 1: the user with his mobile device is one, and the Identity Provider (IdP) the other (the IdP could be a RADIUS server connected to some data store, or a Shibboleth IdP connected possibly to the same data store).
Figure 1: unified SSO Overview

As access to the network is a prerequisite for accessing any other resource or service, it is consequentially the first step. The eduroam infrastructure, which provides wireless network access for academic users roaming within Europe and beyond, is extended by components that generate an identity token at the home institution of a user and pass this token to the user during the last steps of the network authentication process. This identity token is called edutoken. The edutoken describes the fact that the user has been authenticated by a trusted entity of the federation and is to be used as a credential when accessing resources and services within that federation. The token contains information on who has been authenticated, when the authentication was carried out, which method was used and who issued it.

The format of the edutoken is SAML, as this is the native language of edugain. This standard is built to express such information in a flexible yet clearly defined manner. The edutoken consists of a signed SAML 1.1 [4] assertion containing one authentication statement. Optionally, an additional attribute statement can also be included.

Token Manager

For the encrypted storage of tokens and for making them available for authentication when accessing resources and services, a new piece of client middleware is needed. This is called Token Manager. It receives the token coming from the eduroam authentication and provides a secure token store. The cookie store of the browser is not used, for security reasons as well as because of the limitations of the user interface for handling this store's contents. The Token Manager can validate the edutoken: it checks that it has been digitally signed by a trusted authentication authority, that the token has not been modified and that the signature is valid. Additionally, the Token Manager provides a graphical user interface enabling the end-user to manage his identity tokens and display their contents. The most important feature of the Token Manager is its interface that allows the tokens to be requested for token-based authentication to edugain.

Profile for Token-based Authentication

The edutoken is to be used for authentication of the user when he accesses a resource or service. This could, for example, be a simple website or a complex Grid service. The resource or service would be protected and some authentication would be enforced. edugain supports multiple authentication and authorization infrastructures (AAI), Shibboleth being one example. A user trying to access the service would be redirected by the responsible Service Provider (SP) to another entity acting as an Identity Provider (IdP). In the case of edugain, this is a remote Bridging Element (r-be). Usually the r-be would contact a home Bridging Element, possibly of another federation using another type of middleware, which would then talk in that federation's protocol and language to the user's home IdP. Now, this r-be is extended to support a new profile for token-based authentication. Figure 2 shows the sequence of messages for this new profile.

Figure 2: Profile for Authentication with the edutoken

The user initially tries to access a resource or service at the SP. Then, as usual, a redirection occurs from the SP, optionally via a Where Are You From (WAYF) service, to the entity responsible for authentication, in this case the extended r-be. This r-be sends a request for the token to the client. The request comes in the form of a signed Java Applet, an active component to be executed within the user's browser. It requests the edutoken from the Token Manager via its interface. The available token is then sent back in a reply to the r-be using the normal HTTP POST method. No input from the user is required during this process. The r-be then validates the edutoken to ensure that it has not been modified and that it comes from a trusted source within the (con-)federation. Next, a new assertion is generated in a format that the SP understands, which in the case of a Shibboleth SP is also SAML, though with specific restrictions concerning its age and audience. This assertion is sent to the SP. Upon successful authentication, the user is granted access. It is important to note that during this process the user does not need to provide any credentials such as username and password, just the token. Also, there is no need to contact the IdP of the home federation to request authentication.

Related Work

A number of related approaches exist that introduce a new piece of client middleware into the usual browser-only environments, each for different reasons. Three of these approaches are described as follows.

SAML Enhanced Client

SAML (Security Assertion Markup Language) is an OASIS standard that defines a format to express authentication and authorization information, the associated protocols and a number of profiles. The Enhanced Client or Proxy (ECP) Profile [5] specifies an entity that, in contrast to the more common Web SSO profile, has information about the Identity Provider (IdP) to be used.
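Returning to the edutoken and the token-based profile of the previous sections: the following is an added Python example, not code from the paper or from the DAMe implementation. It builds an edutoken as a SAML 1.1 assertion with exactly one AuthenticationStatement, performs the validation that the Token Manager and the r-be both apply (trusted issuer, signature verifies, token unmodified), and then shows the r-be re-issuing a fresh assertion for the SP with the age (NotBefore/NotOnOrAfter) and audience restrictions the text mentions. The signature is a keyed HMAC standing in for the XML-DSig signature of the real edutoken, and every issuer name, key, URL and the authentication-method URI is a constructed placeholder.

```python
import datetime as dt
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace
ET.register_namespace("saml", SAML1)


def q(tag):
    """Qualify a local name with the SAML 1.x assertion namespace."""
    return "{%s}%s" % (SAML1, tag)


def iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def sign(token, key):
    """Assumption for this example: a keyed HMAC over the serialized assertion,
    carried detached, stands in for the XML-DSig signature of a real edutoken."""
    return hmac.new(key, token, hashlib.sha256).hexdigest()


def build_edutoken(issuer, subject, method, instant, assertion_id):
    """Serialize an edutoken: one SAML 1.1 Assertion carrying exactly one
    AuthenticationStatement (who, when, which method) issued by `issuer`."""
    a = ET.Element(q("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "1", "AssertionID": assertion_id,
        "Issuer": issuer, "IssueInstant": iso(instant)})
    stmt = ET.SubElement(a, q("AuthenticationStatement"), {
        "AuthenticationMethod": method, "AuthenticationInstant": iso(instant)})
    subj = ET.SubElement(stmt, q("Subject"))
    ET.SubElement(subj, q("NameIdentifier")).text = subject
    return ET.tostring(a)


def parse_edutoken(token):
    """Structural checks: SAML 1.1, exactly one AuthenticationStatement, named subject."""
    root = ET.fromstring(token)
    if root.tag != q("Assertion") or (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ValueError("not a SAML 1.1 assertion")
    stmts = root.findall(q("AuthenticationStatement"))
    if len(stmts) != 1:
        raise ValueError("edutoken must carry exactly one AuthenticationStatement")
    name = stmts[0].find(q("Subject") + "/" + q("NameIdentifier"))
    if name is None or not name.text:
        raise ValueError("missing NameIdentifier")
    return {"issuer": root.get("Issuer"), "subject": name.text,
            "method": stmts[0].get("AuthenticationMethod"),
            "instant": stmts[0].get("AuthenticationInstant")}


def validate_edutoken(token, signature, trusted_issuers):
    """The check the Token Manager and the r-be perform: the issuer is a trusted
    authentication authority and its signature verifies, so the token is unmodified."""
    info = parse_edutoken(token)
    key = trusted_issuers.get(info["issuer"])
    if key is None:
        raise ValueError("issuer not trusted: %s" % info["issuer"])
    if not hmac.compare_digest(sign(token, key), signature):
        raise ValueError("signature does not verify: token modified or wrong key")
    return info


def bridge_to_sp(info, rbe_id, sp_audience, now, lifetime_s=300):
    """r-be step: re-issue the authentication as a fresh assertion for the SP,
    restricted in age (NotBefore/NotOnOrAfter) and in audience."""
    a = ET.Element(q("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "1", "AssertionID": "_rbe-" + uuid.uuid4().hex,
        "Issuer": rbe_id, "IssueInstant": iso(now)})
    cond = ET.SubElement(a, q("Conditions"), {
        "NotBefore": iso(now), "NotOnOrAfter": iso(now + dt.timedelta(seconds=lifetime_s))})
    aud = ET.SubElement(cond, q("AudienceRestrictionCondition"))
    ET.SubElement(aud, q("Audience")).text = sp_audience
    stmt = ET.SubElement(a, q("AuthenticationStatement"), {
        "AuthenticationMethod": info["method"], "AuthenticationInstant": info["instant"]})
    subj = ET.SubElement(stmt, q("Subject"))
    ET.SubElement(subj, q("NameIdentifier")).text = info["subject"]
    return ET.tostring(a)


def demo():
    """Constructed run: valid token accepted, tampered and untrusted tokens rejected,
    and the SP assertion carries the audience and lifetime restrictions."""
    home_idp = "https://idp.home.example/radius"      # constructed issuer name
    idp_key = b"constructed-idp-signing-key"
    trusted = {home_idp: idp_key}                      # trust list of the r-be / Token Manager
    method = "urn:example:am:eap-over-radius"          # constructed method URI
    t0 = dt.datetime(2008, 2, 6, 9, 0, 0)
    token = build_edutoken(home_idp, "alice@home.example", method, t0, "_edutoken-0001")
    sig = sign(token, idp_key)
    info = validate_edutoken(token, sig, trusted)
    out = {"subject": info["subject"]}

    def rejected(tok, s):
        try:
            validate_edutoken(tok, s, trusted)
            return False
        except ValueError:
            return True

    out["tampered_rejected"] = rejected(token.replace(b"alice@", b"mallory@"), sig)
    rogue = build_edutoken("https://idp.rogue.example", "alice@home.example", method, t0, "_edutoken-0002")
    out["untrusted_rejected"] = rejected(rogue, sign(rogue, b"rogue-key"))
    sp = ET.fromstring(bridge_to_sp(info, "https://rbe.edugain.example",
                                    "https://sp.example/shibboleth", t0 + dt.timedelta(minutes=1)))
    cond = sp.find(q("Conditions"))
    out["audience"] = cond.find(q("AudienceRestrictionCondition") + "/" + q("Audience")).text
    out["not_on_or_after"] = cond.get("NotOnOrAfter")
    return out


if __name__ == "__main__":
    print(demo())
```

The validation deliberately requires exactly one AuthenticationStatement, matching the edutoken definition, and the bridged assertion is short-lived and bound to one SP audience so that it cannot be presented elsewhere.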
It could possibly be implemented as a browser plug-in. This makes the discovery of the IdP unnecessary, and thus requires less user interaction, so the login process appears more seamless to the end-user. The entity also supports a reversed HTTP binding for SOAP (PAOS). Thereby, a client that can only issue HTTP requests can use those to transport SOAP responses. The ECP capabilities are advertised in the HTTP header to a Service Provider (SP). PAOS is then used to initiate an AuthenticationRequest from the SP to the client. The client then performs authentication at the IdP and responds with an AuthenticationResponse to the SP. One use case for an enhanced proxy would be a WAP gateway. The ECP profile would be an interesting alternative to the currently used profile if it were supported by some of the more widely deployed software packages for federated AAI. It could be usso-enabled if modifications for receiving and processing the edutoken as a method of authentication were implemented.

Liberty Advanced Client

The Liberty Alliance [6] is a consortium of more than 100 commercial and also non-commercial members that developed several industrial standards for Identity Federation and identity-based web services. The Liberty Advanced Client specification [7] is currently at draft status. It defines mechanisms by which so-called smart clients can consume and also provide web services whilst operating in disconnected mode. As these clients are active entities, they also have a ProviderID, although there are reasons for this ID not being unique. The client can be used for hoarding credentials, which are relatively long-lived assertions that were requested from an IdP. The client can advertise its capabilities using SAML 2.0 ECP and, during communication with some SP, use the available assertions for authentication. Benefits of such a client are: firstly, the IdP need not be contacted, because it may not be available or for reasons of privacy; secondly, the assertions could be used as credentials for local applications, e.g. a mail client; finally, those assertions can be self-asserted ones if third-party asserted identities are not required.

Akogrimo IDToken

Akogrimo (Access to Knowledge through the Grid in a Mobile World) is an EC FP6 research project that developed combined services access across different layers [8] [9]. Its identity management infrastructure includes A4C (Authentication, Authorization, Accounting, Auditing, Charging) servers at the visited domains that are federated with SAML authorities at the home domains. During the network authentication phase, an IDToken is sent from the SAML authority to the user and stored on his mobile terminal. The IDToken is dynamic: besides a SAML Artifact it contains a serial number and a random number. Both are updated before each use of the IDToken, and it is then digitally signed with the user's private key to prevent replay attacks. The client middleware also provides a graphical user interface for selecting one of several identities, which can be registered in one or several Virtual Organizations.
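The replay protection of the Akogrimo IDToken just described (serial number and random number renewed before each use, then the whole token signed by the user), as an added Python example that is not part of Akogrimo or of this paper. The verifier keeps the highest serial accepted per artifact and rejects anything at or below it. A per-user HMAC key stands in for the user's private key, and the artifact value and keys are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets


def sign_idtoken(payload, user_key):
    """Assumption for this example: a per-user HMAC key stands in for the user's
    private key; the signature covers artifact, serial and random together."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(user_key, body, hashlib.sha256).hexdigest()}


class IDTokenClient:
    """Client-side IDToken: the SAML artifact stays fixed, serial number and
    random number are renewed before every use, then the token is re-signed."""

    def __init__(self, artifact, user_key):
        self.artifact = artifact
        self.user_key = user_key
        self.serial = 0

    def present(self):
        self.serial += 1
        payload = {"artifact": self.artifact, "serial": self.serial,
                   "random": secrets.token_hex(8)}
        return sign_idtoken(payload, self.user_key)


class IDTokenVerifier:
    """Verifying side: check the signature, then accept a serial only if it is
    higher than the last one accepted for this artifact (replay detection)."""

    def __init__(self, user_keys):
        self.user_keys = user_keys   # artifact -> user key (constructed registry)
        self.last_serial = {}        # artifact -> highest serial accepted so far

    def accept(self, token):
        p = token["payload"]
        key = self.user_keys.get(p["artifact"])
        if key is None:
            return False                                  # unknown identity
        expected = sign_idtoken(p, key)["sig"]
        if not hmac.compare_digest(expected, token["sig"]):
            return False                                  # modified or forged token
        if p["serial"] <= self.last_serial.get(p["artifact"], 0):
            return False                                  # replay of an earlier presentation
        self.last_serial[p["artifact"]] = p["serial"]
        return True


def demo():
    """Constructed run: first use accepted, replay of the same token rejected,
    next re-signed use accepted, a token with an edited serial rejected."""
    key = b"constructed-user-key"
    artifact = "artifact-constructed-0001"   # placeholder for the SAML artifact
    client = IDTokenClient(artifact, key)
    verifier = IDTokenVerifier({artifact: key})
    t1 = client.present()
    out = {"first": verifier.accept(t1), "replay": verifier.accept(t1)}
    t2 = client.present()
    out["second"] = verifier.accept(t2)
    forged = dict(t2, payload=dict(t2["payload"], serial=99))  # serial edited, old signature kept
    out["forged"] = verifier.accept(forged)
    return out


if __name__ == "__main__":
    print(demo())
```

The monotonic serial is what makes a captured token useless a second time; the random number additionally keeps two presentations with the same serial from ever producing identical signed bytes.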
This approach provides cross-layer Single Sign On for network as well as Grid services in combination with multiple digital identities of one user. Such support for identities and attributes from multiple locations would be a valuable extension to the current usso prototype. It is also an example that clearly shows that the management of identity tokens is not best situated within the browser if, for example, transport protocols other than HTTP are used or if resources other than web-based ones are to be accessed.

Implementation Details

The proposed architecture has been implemented as a prototype and deployed in a test environment. All related middleware components are shown in figure 3. Each dashed box represents one hardware device and each solid box one software component. The arrows show which components communicate with each other.

Figure 3: Middleware for usso

In the following, all components are described. A more detailed description of the testbed and the performed validations is given in [10].

Client Components

The XSupplicant is the 802.1X supplicant of the Open1X project [11]. Version has been modified and extended by the University of Murcia to receive the edutoken inside an EAP TLV during the network authentication phase.

The DameTokenManager is a stand-alone Java application for managing the edutoken(s). It provides a graphical user interface and allows the end-user to manage his token store. In the current implementation edutokens are stored as encrypted files, using the AES 128 algorithm. The token manager receives edutokens from the modified XSupplicant and provides an interface allowing them to be requested when needed for authentication. This component is the link between the network authentication and the authentication for services.

Firefox 2.0 is the browser used in this deployment for accessing any web resource. Sun's Java Runtime Environment is required for executing Java Applets within the browser. In the current deployment, tests were performed using JRE 1.5.

The DameTokenFetcher is a signed Java Applet. When the website that contains it is accessed, it is executed within the browser. It can request the edutoken from the DameTokenManager and send it using an HTTP POST to the DameTokenServlet.

Server Components

An unmodified Shibboleth 1.3 Service Provider was used for the performed tests. It is deployed on an Apache 2.0 HTTP Server. The Apache web server enforces authentication via Shibboleth. The metadata of the Shibboleth SP contains an IDPSSODescriptor with the DameTokenServlet's URN, the URL of the SSO Service and certificate information.

The DameTokenServlet is a Java Servlet running on Apache Tomcat 5.5. It is a modified and extended remote Bridging Element of the edugain infrastructure. The r-be currently modified is the one that connects to the Shibboleth [12] middleware. It can receive and validate edutokens, and send SAML assertions, as if from a Shibboleth Identity Provider, towards the Shibboleth SP. The current implementation is based on edugain 0.6, which uses the OpenSAML libraries 1.2 and 2.

Conclusion

The presented approach links the authentication for network access, starting at OSI layer 2, to the authentication for services above OSI layer 4 and thereby enables a cross-layer, unified Single Sign On. Authentication for obtaining network access is performed via the infrastructure of eduroam, the European roaming confederation.
A unified Single Sign On state is established that is valid for any resources within edugain, the European AAI that forms a confederation of existing national federations based on Shibboleth and other middleware. A homogeneous IT infrastructure is not a requirement for usso using the presented approach. Thanks to the use of the standardized Security Assertion Markup Language, bridging between several heterogeneous middlewares is markedly simplified. The developed components seamlessly interoperate with middleware for federated AAI, which is currently widely deployed and productively used within European academic environments, and conform to their requirements (defined in [13]).

Unified Single Sign On is a feature that is mostly beneficial to the end-users. They use the specific authentication method only once, and are then signed on to the (con-)federation. This is more convenient and efficient, but also more secure: sensitive information has to be transmitted only once. Based on the idea of federated authentication and authorization, one virtual identity can suffice to access any resource within the federation, be that a local website or wireless network access in another country. In a user-centric approach such as the presented one, the end-user can actively intervene in the process of authentication and the management of his virtual identity.

The presented architecture and implementation will be further extended and refined in the future. Possibilities for interoperation with related approaches are expected to emerge. The validation for practical deployment as well as the application of this approach to recent service and Grid infrastructures is ongoing.

Acknowledgements

The results published in this paper were developed within the DAMe project [14], a sub-project of the GÉANT2 joint research activity 5 that is co-funded by the European Commission within the Sixth R&D Framework Programme (FP6). The DAMe project is developed together with the University of Murcia (Spain), DFN (Germany), and RedIRIS (Spain). The author would like to thank all the partners involved in that project.

References

[1] eduroam Website,
[2] Ó. Cánovas et al.: Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe), Terena Networking Conference 2007, May 2007
[3] D. Lopez et al.: GÉANT2 Authorisation and Authentication Infrastructure (AAI) Architecture second edition, GÉANT2 Deliverable DJ5.2.2,2, April 2007
[4] E. Maler et al.: Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V1.1, OASIS Standard, September 2003
[5] J. Hughes et al.: Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, March 2005
[6] Liberty Alliance Project Website,
[7] C. P. Cahill et al.: Liberty ID-WSF Advanced Client Technologies Overview. Version , Liberty Alliance Project, August 2007
[8] J. Jähnert et al.: The Mobile Grid Reference Architecture, Akogrimo Deliverable D3.1.3, October 2006
[9] F. Solsvik et al.: Final Integrated Services Design and Implementation Report, Akogrimo Deliverable D4.2.3, December 2006
[10] Ó. Cánovas, M. Sánchez, G. López, R. del Campo, S. Neinert: usso Architecture, GÉANT2 Deliverable DJ5.3.2, to appear
[11] Open1X.org Website,
[12] Shibboleth Website, Internet2,
[13] B. Kerver et al.: Documentation on GÉANT2 unified Single Sign-On (usso) Requirements, GÉANT2 Deliverable DJ5.3.1, February
[14] DAMe Project Website,

Vitae

Sascha Neinert studied computer science at the University of Stuttgart, Germany, where he received the degree Dipl.-Inf. (Sep/2004). He worked as a software engineer for a medium-sized software company in a number of projects targeting the automotive industry. He started working for the Communication Systems group of the University of Stuttgart computer centre 'RUS' in Nov/2006. He was involved in the Nexus project, where he developed a location-based application for small mobile devices. Currently he is working on the EU project DAMe in the GÉANT2 context on the topics attribute-based network authorization, cross-layer unified Single Sign On and federated Identity Management.
DEPLOYMENT GUIDE SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity Table of Contents SAML Overview...3 Integration Topology...3 Deployment Requirements...4 Configuration Steps...4 Step
More informationImplementing Identity Provider on Mobile Phone
Implementing Identity Provider on Mobile Phone Tsuyoshi Abe, Hiroki Itoh, and Kenji Takahashi NTT Information Sharing Platform Laboratories, NTT Corporation 3-9-11 Midoricho, Musashino-shi, Tokyo 180-8585,
More informationAuthentication and Single Sign On
Contents 1. Introduction 2. Fronter Authentication 2.1 Passwords in Fronter 2.2 Secure Sockets Layer 2.3 Fronter remote authentication 3. External authentication through remote LDAP 3.1 Regular LDAP authentication
More informationCopyright: WhosOnLocation Limited
How SSO Works in WhosOnLocation About Single Sign-on By default, your administrators and users are authenticated and logged in using WhosOnLocation s user authentication. You can however bypass this and
More informationThe Primer: Nuts and Bolts of Federated Identity Management
The Primer: Nuts and Bolts of Federated Identity Management Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities. With so
More informationThe increasing popularity of mobile devices is rapidly changing how and where we
Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to
More informationESA EO Identify Management
ESA EO Identify Management The ESA EO IM Infrastructure & Services A. Baldi ESA: Andrea.Baldi@esa.int M. Leonardi ESA: m.leonardi@rheagroup.com 1 Issues @ ESA with legacy user management Users had multiple
More informationDigital Identity and Identity Management Technologies.
I. Agudo, Digital Identity and Identity Management Technologies, UPGRADE - The European Journal of the Informatics Professional, vol. 2010, pp. 6-12, 2010. NICS Lab. Publications: https://www.nics.uma.es/publications
More informationSecure the Web: OpenSSO
Secure the Web: OpenSSO Sang Shin, Technology Architect Sun Microsystems, Inc. javapassion.com Pat Patterson, Principal Engineer Sun Microsystems, Inc. blogs.sun.com/superpat 1 Agenda Need for identity-based
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationSAML Security Option White Paper
Fujitsu mpollux SAML Security Option White Paper Fujitsu mpollux Version 2.1 February 2009 First Edition February 2009 The programs described in this document may only be used in accordance with the conditions
More informationIMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS
APPLICATION NOTE IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS SAML 2.0 combines encryption and digital signature verification across resources for a more
More informationStep-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x
Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Sverview Trust between SharePoint 2010 and ADFS 2.0 Use article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies
More informationHow to Extend Identity Security to Your APIs
How to Extend Identity Security to Your APIs Executive Overview The number of users and devices requesting access to applications is growing exponentially and enterprises are scrambling to adapt their
More informationSAML and OAUTH comparison
SAML and OAUTH comparison DevConf 2014, Brno JBoss by Red Hat Peter Škopek, pskopek@redhat.com, twitter: @pskopek Feb 7, 2014 Abstract SAML and OAuth are one of the most used protocols/standards for single
More informationFederated Identity Management
Federated Identity Management SWITCHaai Introduction Course Bern, 1. March 2013 Thomas Lenggenhager aai@switch.ch Overview What is Federated Identity Management? What is a Federation? The SWITCHaai Federation
More informationHow to Implement Enterprise SAML SSO
How to Implement Enterprise SSO THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY How to Implement Enterprise SSO Introduction Security Assertion Markup Language, or, provides numerous The advantages and
More informationWhy Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)
Why Identity Management Identity Management Claudiu Duma Identity crisis Privacy concerns Identity theft Terrorist threat Department of Computer and Information Science cladu@ida.liu.se What We Cover Digital
More informationSecurity Assertion Markup Language (SAML) 2.0 Technical Overview
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Security Assertion Markup Language (SAML) 2.0 Technical Overview Working Draft 03, 20 February 2005 Document identifier:
More informationIdentity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH
Identity opens the participation age Open Web Single Sign- On und föderierte SSO Dr. Rainer Eschrich Program Manager Identity Management Sun Microsystems GmbH Agenda The Identity is the Network Driving
More informationShibboleth : An Open Source, Federated Single Sign-On System David E. Martin martinde@northwestern.edu
Shibboleth : An Open Source, Federated Single Sign-On System David E. Martin martinde@northwestern.edu International Center for Advanced Internet Research Outline Security Mechanisms Access Control Schemes
More informationAbout Me. #ccceu. @shapeblue. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack
Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack About Me KVM, API, DB, Upgrades, SystemVM, Build system, various subsystems Contributor and Committer
More informationUsing SAML for Single Sign-On in the SOA Software Platform
Using SAML for Single Sign-On in the SOA Software Platform SOA Software Community Manager: Using SAML on the Platform 1 Policy Manager / Community Manager Using SAML for Single Sign-On in the SOA Software
More informationEnabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver
Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver SAP Product Management, SAP NetWeaver Identity Management
More informationIAM, Enterprise Directories and Shibboleth (oh my!)
IAM, Enterprise Directories and Shibboleth (oh my!) Gary Windham Senior Enterprise Systems Architect University Information Technology Services windhamg@email.arizona.edu What is IAM? Identity and Access
More information<Insert Picture Here> Oracle Security Developer Tools (OSDT) August 2008
Oracle Security Developer Tools (OSDT) August 2008 Items Introduction OSDT 10g Architecture Business Benefits Oracle Products Currently Using OSDT 10g OSDT 10g APIs Description OSDT
More informationWebLogic Server 7.0 Single Sign-On: An Overview
WebLogic Server 7.0 Single Sign-On: An Overview Today, a growing number of applications are being made available over the Web. These applications are typically comprised of different components, each of
More informationThe Primer: Nuts and Bolts of Federated Identity Management
The Primer: Nuts and Bolts of Federated Identity Management Executive Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities.
More informationWEB SERVICES SECURITY
WEB SERVICES SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationOAuth Guide Release 6.0
[1]Oracle Communications Services Gatekeeper OAuth Guide Release 6.0 E50767-02 November 2015 Oracle Communications Services Gatekeeper OAuth Guide, Release 6.0 E50767-02 Copyright 2012, 2015, Oracle and/or
More informationLeveraging New Business Models with Identity Management An e-learning case study
Leveraging New Business Models with Identity Management An e-learning case study José M. del Álamo DIT, Universidad Politécnica de Madrid, Ciudad Universitaria s/n, 28040 Madrid, Spain jmdela@dit.upm.es,
More informationOpenHRE Security Architecture. (DRAFT v0.5)
OpenHRE Security Architecture (DRAFT v0.5) Table of Contents Introduction -----------------------------------------------------------------------------------------------------------------------2 Assumptions----------------------------------------------------------------------------------------------------------------------2
More informationTest Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0
1 2 3 4 5 6 7 8 9 10 11 Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0 Version 3.2.2 Editor: Kyle Meadors, Drummond Group Inc. Abstract: This document describes the test steps to
More informationShibboleth N-Tier Support. Chad La Joie chad.lajoie@switch.ch
Shibboleth N-Tier Support Chad La Joie chad.lajoie@switch.ch Agenda Use Case Terminology Shibboleth Solution Future Effort Resources 2 Use Case Current use case comes from University of Chicago University
More informationFederated Identity Management
Federated Identity Management SWITCHaai Team aai@switch.ch Agenda 2 What is Federated Identity Management? What is a Federation? The SWITCHaai Federation Interfederation Evolution of Identity Management
More informationSoftware Requirement Specification Web Services Security
Software Requirement Specification Web Services Security Federation Manager 7.5 Version 0.3 (Draft) Please send comments to: dev@opensso.dev.java.net This document is subject to the following license:
More informationMobile Security. Policies, Standards, Frameworks, Guidelines
Mobile Security Policies, Standards, Frameworks, Guidelines Guidelines for Managing and Securing Mobile Devices in the Enterprise (SP 800-124 Rev. 1) http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf
More informationIntroducing Shibboleth
workshop Introducing Shibboleth MPG-AAI Workshop Clarin Centers Prague 2009 2009-11-06 MPG-AAI MPG-AAI a MPG-wide Authentication & Authorization Infrastructure for access control to web-based resources
More informationIT@Intel. Improving Security and Productivity through Federation and Single Sign-on
White Paper Intel Information Technology Computer Manufacturing Security Improving Security and Productivity through Federation and Single Sign-on Intel IT has developed a strategy and process for providing
More informationAmeritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines
Ameritas Single Sign-On (SSO) and Enterprise SAML Standard Architectural Implementation, Patterns and Usage Guidelines 1 Background and Overview... 3 Scope... 3 Glossary of Terms... 4 Architecture Components...
More informationPingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1
PingFederate Salesforce Connector Version 4.1 Quick Connection Guide 2011 Ping Identity Corporation. All rights reserved. PingFederate Salesforce Quick Connection Guide Version 4.1 June, 2011 Ping Identity
More informationCloud-based Identity and Access Control for Diagnostic Imaging Systems
Cloud-based Identity and Access Control for Diagnostic Imaging Systems Weina Ma and Kamran Sartipi Department of Electrical, Computer and Software Engineering University of Ontario Institute of Technology
More informationFederated Identity Management. Willem Elbers (MPI-TLA) EUDAT training
Federated Identity Management Willem Elbers (MPI-TLA) EUDAT training Date: 26 June 2012 Outline FIM and introduction to components Federation and metadata National Identity federations and inter federations
More informationE-LibUkr portal: Case study of Shibboleth and EZProxy in Ukraine.
E-LibUkr portal: Case study of Shibboleth and EZProxy in Ukraine. Yaroshenko Tetiana, yaroshenko[@]ukma.kiev.ua Introduction The Kyiv Mohyla Foundation of America and the National University of Kyiv Mohyla
More informationSecuring Enterprise: Employability and HR
1 Securing Enterprise: Employability and HR Federation and XACML as Security and Access Control Layer Open Standards Forum 2 Employability and HR Vertical Multiple Players - Excellent case for federation
More informationSAML SSO Configuration
SAML SSO Configuration Overview of Single Sign-, page 1 Benefits of Single Sign-, page 2 Overview of Setting Up SAML 2.0 Single Sign-, page 3 SAML 2.0 Single Sign- Differences Between Cloud-Based Meeting
More informationFederated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications
Federated Identity Management and Shibboleth Noreen Hogan Asst. Director Enterprise Admin. Applications Federated Identity Management Management of digital identity/credentials (username/password) Access
More informationFederated AAA middleware and the QUT SSO environment
Federated AAA middleware and the QUT SSO environment Bradley Beddoes Senior Network Programmer AAA eview Project Manager b.beddoes@qut.edu.au Shaun Mangelsdorf Network Programmer s.mangelsdorf@qut.edu.au
More informationShibboLEAP Project. Final Report: School of Oriental and African Studies (SOAS) Colin Rennie
ShibboLEAP Project Final Report: School of Oriental and African Studies (SOAS) Colin Rennie May 2006 Shibboleth Implementation at SOAS Table of Contents Introduction What this document contains Who writes
More informationHow To Manage Identity On A Cloud (Cloud) With A User Id And A Password (Saas)
Integral Federated Identity Management for Cloud Computing Maicon Stihler, Altair Olivo Santin, Arlindo L. Marcon Jr. Graduate Program in Computer Science Pontifical Catholic University of Paraná Curitiba,
More information