Title: A Client Middleware for Token-Based Unified Single Sign On to edugain


Sascha Neinert
Computing Centre, University of Stuttgart, Allmandring 30a, Stuttgart, Germany

Keywords: Single Sign On, Identity Federation, eduroam, edugain, Identity Token

Abstract

This document presents a solution that offers a unified Single Sign On to users of the eduroam roaming infrastructure and of the GÉANT2 confederated authentication and authorization infrastructure, edugain. This is achieved by dedicated client middleware and a newly developed token-based profile for edugain.

Introduction

With Single Sign On (SSO), a user can be authenticated once and then access all resources and services he is entitled to within one security domain. In an Identity Federation, a user can additionally access resources and services within any other security domain that is part of the federation's trust fabric. The main principle of a federation is to distinguish between providers of services and providers of identities. Thereby, a user can have one single virtual identity at home and use this to access resources and services at other locations. Users' accounts and attributes are managed at their trusted home institutions, in one place, and the users are authenticated by their home institutions. The Service Providers have established agreements with the Identity Providers, trust their authentication and attribute information and base their authorization decisions on them. These authorization decisions determine whether or not a specific user can access a certain resource or service.

A number of solutions for federated SSO have been developed or are already deployed. There are those for accessing web resources and web services, often based on the XML standard Security Assertion Markup Language (SAML). Other systems are focused on authentication for network resources, the Kerberos protocol being one important example.

The presented approach is part of a federated Single Sign On for network resources, web resources and other service types. The first phase is authentication for network access, performed via the eduroam [1] RADIUS infrastructure; it is described in [2]. This bootstraps a second phase that uses the acquired authentication information for accessing web resources and services. This second phase is a new token-based profile for edugain, the GÉANT2 Authorization and Authentication Infrastructure [3].

In the next section an overview of the proposed architecture for unified Single Sign On (usso) is given. This architecture is based on identity tokens, managed by a new piece of client middleware, as well as a new token-based profile for edugain. Next, related approaches for extending SSO middleware systems beyond browser-only use are shown, and their relation to the proposed approach is explained. Finally, the implementation of the proposed approach is presented, and the concluding section sums up what has been achieved and what work remains to be done.

Overview of the Architecture

This architecture for unified Single Sign On brings together two currently independent (con-)federation infrastructures, eduroam and edugain. The two differ in the technologies employed: 802.1X and EAP over RADIUS in eduroam, SAML over HTTP in edugain. They also differ in the services they offer: network access at any visited institution, and access to web resources at some service provider anywhere. However, there are also two links between them, as shown in figure 1: the user with his mobile device is one, and the Identity Provider (IdP) the other (the IdP could be a RADIUS server connected to some data store, or a Shibboleth IdP connected possibly to the same data store).

Figure 1: unified SSO Overview

As access to the network is a prerequisite for accessing any other resource or service, it is consequently the first step. The eduroam infrastructure, which provides wireless network access for academic users roaming within Europe and beyond, is extended by components that generate an identity token at the home institution of a user and pass this token to the user during the last steps of the network authentication process. This identity token is called edutoken. The edutoken states that the user has been authenticated by a trusted entity of the federation and is to be used as a credential when accessing resources and services within that federation. The token contains information on who has been authenticated, when the authentication was carried out, which method was used and who issued it. The format of the edutoken is SAML, as this is the native language of edugain. This standard is built to express such information in a flexible yet clearly defined manner. The edutoken consists of a signed SAML 1.1 [4] assertion containing one authentication statement. Optionally, an additional attribute statement can also be included.

Token Manager

For the encrypted storage of tokens, and for making them available for authentication when accessing resources and services, a new piece of client middleware is needed. This is called the Token Manager. It receives the token coming from the eduroam authentication and provides a secure token store. The cookie store of the browser is not used, both for security reasons and because of the limitations of the browser's user interface for handling the store's contents. The Token Manager can validate the edutoken: it checks that the token has been digitally signed by a trusted authentication authority, that the signature is valid and that the token has not been modified. Additionally, the Token Manager provides a graphical user interface enabling the end-user to manage his identity tokens and display their contents. The most important feature of the Token Manager is its interface that allows the tokens to be requested for token-based authentication to edugain.

Profile for Token-based Authentication

The edutoken is to be used for authentication of the user when he accesses a resource or service. This could, for example, be a simple website or a complex Grid service. The resource or service is protected and some form of authentication is enforced. edugain supports multiple authentication and authorization infrastructures (AAI), Shibboleth being one example. A user trying to access the service is redirected by the responsible Service Provider (SP) to another entity acting as an Identity Provider (IdP). In the case of edugain, this is a remote Bridging Element (r-be). Usually the r-be would contact a home Bridging Element, possibly of another federation using another type of middleware, which would then talk in that federation's protocol and language to the user's home IdP. Now, this r-be is extended to support a new profile for token-based authentication. Figure 2 shows the sequence of messages for this new profile.
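As an added illustration, not code from the paper or from the DAMe project, the following Python models the checks the text assigns to the Token Manager and to a relying party on a toy edutoken: a SAML 1.1 assertion carrying exactly one authentication statement (who, when, how, issued by whom), checked for a trusted issuer, a valid signature and the absence of modification, plus a freshness check on the authentication instant. Everything beyond that is an assumption of the example: the HMAC-SHA256 keyed per issuer stands in for the XML-DSig signature a real edutoken carries, the trust store, issuer and subject names, the eight-hour maximum age and the `reissue_for_sp` bridging step (a short-lived assertion restricted to one SP's audience) are invented for the demonstration, and all tokens are constructed inside `run_demo`.

```python
# Constructed, simplified model of edutoken validation. The signature is an
# HMAC-SHA256 over the assertion bytes keyed per issuer, a stand-in for the
# XML-DSig signature a real edutoken carries (assumption of this example).
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed trust store (issuer -> verification key); a real one holds issuer certificates.
TRUSTED_ISSUERS = {"idp.home-university.example": b"constructed-demo-key"}
MAX_TOKEN_AGE = timedelta(hours=8)  # assumed policy, not taken from the paper


class TokenError(Exception):
    """Raised for any reason a token must not be accepted."""


def _q(tag):
    return f"{{{SAML1}}}{tag}"


def _sign(body: bytes, key: bytes) -> str:
    return base64.b64encode(hmac.new(key, body, hashlib.sha256).digest()).decode()


def build_edutoken(issuer: str, subject: str, method: str, when: datetime, key: bytes) -> str:
    """Issue a toy edutoken: a SAML 1.1 assertion with one AuthenticationStatement
    followed by a detached signature line (constructed wire format)."""
    root = ET.Element(_q("Assertion"), {"MajorVersion": "1", "MinorVersion": "1",
                                        "Issuer": issuer, "IssueInstant": when.strftime(TS)})
    stmt = ET.SubElement(root, _q("AuthenticationStatement"),
                         {"AuthenticationMethod": method, "AuthenticationInstant": when.strftime(TS)})
    ET.SubElement(ET.SubElement(stmt, _q("Subject")), _q("NameIdentifier")).text = subject
    body = ET.tostring(root)
    return body.decode() + "\n" + _sign(body, key)


def validate_edutoken(token: str, now: datetime) -> dict:
    """Relying-party checks: trusted issuer, signature matches (token unmodified),
    exactly one authentication statement, authentication recent enough."""
    if "\n" not in token:
        raise TokenError("malformed token: no signature")
    body_text, sig = token.rsplit("\n", 1)
    body = body_text.encode()
    root = ET.fromstring(body)
    if root.tag != _q("Assertion"):
        raise TokenError("not a SAML 1 assertion")
    issuer = root.get("Issuer", "")
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        raise TokenError(f"untrusted issuer {issuer!r}")
    if not hmac.compare_digest(_sign(body, key), sig):
        raise TokenError("signature mismatch: token modified or not from the claimed issuer")
    stmts = root.findall(_q("AuthenticationStatement"))
    if len(stmts) != 1:
        raise TokenError("edutoken must carry exactly one authentication statement")
    stmt = stmts[0]
    instant = datetime.strptime(stmt.get("AuthenticationInstant"), TS).replace(tzinfo=timezone.utc)
    if instant > now + timedelta(minutes=5):
        raise TokenError("authentication instant lies in the future")
    if now - instant > MAX_TOKEN_AGE:
        raise TokenError("authentication too old for token-based sign-on")
    subject = stmt.find(f"{_q('Subject')}/{_q('NameIdentifier')}").text
    return {"issuer": issuer, "subject": subject,
            "method": stmt.get("AuthenticationMethod"), "instant": instant}


def reissue_for_sp(facts: dict, audience: str, now: datetime, lifetime=timedelta(minutes=5)) -> bytes:
    """Assumed bridging step: mint a fresh, short-lived assertion for one SP, restricted
    to its audience, so the longer-lived edutoken itself never reaches the service."""
    root = ET.Element(_q("Assertion"), {"MajorVersion": "1", "MinorVersion": "1",
                                        "Issuer": "bridging-element.example",
                                        "IssueInstant": now.strftime(TS)})
    cond = ET.SubElement(root, _q("Conditions"), {"NotBefore": now.strftime(TS),
                                                  "NotOnOrAfter": (now + lifetime).strftime(TS)})
    ET.SubElement(ET.SubElement(cond, _q("AudienceRestrictionCondition")), _q("Audience")).text = audience
    stmt = ET.SubElement(root, _q("AuthenticationStatement"),
                         {"AuthenticationMethod": facts["method"],
                          "AuthenticationInstant": facts["instant"].strftime(TS)})
    ET.SubElement(ET.SubElement(stmt, _q("Subject")), _q("NameIdentifier")).text = facts["subject"]
    return ET.tostring(root)


def run_demo() -> dict:
    """Exercise the checks on a valid, a modified, a wrongly keyed and a stale token (all constructed)."""
    issuer, key = "idp.home-university.example", TRUSTED_ISSUERS["idp.home-university.example"]
    method = "urn:oasis:names:tc:SAML:1.0:am:password"
    t0 = datetime(2008, 2, 6, 9, 0, tzinfo=timezone.utc)
    now = t0 + timedelta(minutes=30)
    good = build_edutoken(issuer, "alice@home-university.example", method, t0, key)
    out = {"valid": validate_edutoken(good, now)["subject"]}
    modified = good.replace("alice@", "mallory@", 1)          # body changed after signing
    wrong_key = build_edutoken(issuer, "alice@home-university.example", method, t0, b"key-outside-trust-store")
    stale = build_edutoken(issuer, "alice@home-university.example", method, t0 - timedelta(days=2), key)
    for name, tok in (("modified", modified), ("wrong_key", wrong_key), ("stale", stale)):
        try:
            validate_edutoken(tok, now)
            out[name] = "accepted"
        except TokenError as e:
            out[name] = f"rejected: {e}"
    sp_assertion = reissue_for_sp(validate_edutoken(good, now), "https://sp.example/shibboleth", now)
    path = f"{_q('Conditions')}/{_q('AudienceRestrictionCondition')}/{_q('Audience')}"
    out["sp_audience"] = ET.fromstring(sp_assertion).find(path).text
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The order of checks matters: the issuer is looked up before the signature is verified, so an unknown issuer is refused without any cryptographic work, and the signature is verified before any content (statement count, timestamps, subject) is trusted, so a modified body can never influence the later decisions.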

Figure 2: Profile for Authentication with the edutoken

The user initially tries to access a resource or service at the SP. Then, as usual, a redirection occurs from the SP, optionally via a Where Are You From (WAYF) service, to the entity responsible for authentication, in this case the extended r-be. This r-be sends a request for the token to the client. The request comes in the form of a signed Java Applet, an active component executed within the user's browser. It requests the edutoken from the Token Manager via its interface. The available token is then sent back in a reply to the r-be using the normal HTTP POST method. No user input is required during this process. The r-be then validates the edutoken to ensure that it has not been modified and that it comes from a trusted source within the (con-)federation. Next, a new assertion is generated in a format that the SP understands, which in the case of a Shibboleth SP is also SAML, though with specific restrictions concerning its age and audience. This assertion is sent to the SP. Upon successful authentication, the user is granted access. It is important to note that during this process the user does not need to provide any credentials such as username and password, just the token. Also, there is no need to contact the IdP of the home federation to request authentication.

Related Work

A number of related approaches exist that introduce a new piece of client middleware into the usual browser-only environments, each for different reasons. Three of these approaches are described in the following.

SAML Enhanced Client

SAML (Security Assertion Markup Language) is an OASIS standard that defines a format to express authentication and authorization information, the associated protocols and a number of profiles. The Enhanced Client or Proxy (ECP) Profile [5] specifies an entity that, in contrast to the more common Web SSO profile, has information about the Identity Provider (IdP) to be used. It could possibly be implemented as a browser plug-in. This makes discovery of the IdP unnecessary and thus requires less user interaction, so the login process appears more seamless to the end-user. The entity also supports a reversed HTTP binding for SOAP (PAOS). Thereby, a client that can only issue HTTP requests can use those to transport SOAP responses. The ECP capabilities are advertised in the HTTP header to a Service Provider (SP). PAOS is then used to initiate an AuthenticationRequest from the SP to the client. The client then performs authentication at the IdP and responds with an AuthenticationResponse to the SP. One use case for an enhanced proxy would be a WAP gateway. The ECP profile would be an interesting alternative to the currently used profile if it were supported by some of the more widely deployed software packages for federated AAI. It could be usso-enabled if modifications for receiving and processing the edutoken as a method of authentication were implemented.

Liberty Advanced Client

The Liberty Alliance [6] is a consortium of more than 100 commercial and also non-commercial members that developed several industrial standards for Identity Federation and identity-based web services. The Liberty Advanced Client specification [7] is currently at draft status. It defines mechanisms by which so-called smart clients can consume and also provide web services whilst operating in disconnected mode. As these clients are active entities, they also have a ProviderID, although there are reasons for this ID not being unique. The client can be used for hoarding credentials, which are relatively long-lived assertions that were requested from an IdP. The client can advertise its capabilities using SAML 2.0 ECP and, during communication with some SP, use the available assertions for authentication. Benefits of such a client are: firstly, the IdP need not be contacted, which matters when it is not available or for reasons of privacy; secondly, the assertions could be used as credentials for local applications, e.g. a mail client; finally, those assertions can be self-asserted ones if third-party asserted identities are not required.

Akogrimo IDToken

Akogrimo (Access to Knowledge through the Grid in a Mobile World) is an EC FP6 research project that developed combined services access across different layers [8] [9]. Its identity management infrastructure includes A4C (Authentication, Authorization, Accounting, Auditing, Charging) servers at the visited domains that are federated with SAML authorities at the home domains. During the network authentication phase, an IDToken is sent from the SAML authority to the user and stored on his mobile terminal. The IDToken is dynamic; besides a SAML Artifact it contains a serial number and a random number. Both are updated before each use of the IDToken, which is then digitally signed with the user's private key to prevent replay attacks. The client middleware also provides a graphical user interface for selecting one of several identities, which can be registered in one or several Virtual Organizations. This approach provides cross-layer Single Sign On for network as well as Grid services in combination with multiple digital identities of one user. Such support for identities and attributes from multiple locations would be a valuable extension to the current usso prototype. This is also an example that clearly shows that the management of identity tokens is not best situated within the browser if, for example, transport protocols other than HTTP are used or resources other than web-based ones are to be accessed.

Implementation Details

The proposed architecture has been implemented as a prototype and has been deployed in a test environment. All related middleware components are shown in figure 3. Each dashed box represents one hardware device and each solid box one software component. The arrows show which components communicate with each other.

Figure 3: Middleware for usso

In the following, all components are described. A more detailed description of the testbed and the performed validations is given in [10].

Client Components

The XSupplicant is the 802.1X supplicant of the Open1X project [11]. The version used has been modified and extended by the University of Murcia to receive the edutoken inside an EAP TLV during the network authentication phase. The DameTokenManager is a stand-alone Java application for managing the edutoken(s). It provides a graphical user interface and allows the end-user to manage his token store. In the current implementation edutokens are stored as encrypted files, using the AES 128 algorithm. The token manager receives edutokens from the modified XSupplicant and provides an interface allowing them to be requested when needed for authentication. This component is the link between the network authentication and the authentication for services. Firefox 2.0 is the browser used in this deployment for accessing any web resource. Sun's Java Runtime Environment is required for executing Java Applets within the browser. In the current deployment, tests were performed using JRE 1.5. The DameTokenFetcher is a signed Java Applet. When the website that contains it is accessed, it is executed within the browser. It can request the edutoken from the DameTokenManager and send it using an HTTP POST to the DameTokenServlet.

Server Components

An unmodified Shibboleth 1.3 Service Provider was used for the performed tests. It is deployed on an Apache 2.0 HTTP Server. The Apache web server enforces authentication via Shibboleth. The metadata of the Shibboleth SP contains an IDPSSODescriptor with the DameTokenServlet's URN, the URL of the SSO Service and certificate information. The DameTokenServlet is a Java Servlet running on an Apache Tomcat 5.5. It is a modified and extended remote Bridging Element of the edugain infrastructure. The r-be currently modified is the one that connects to the Shibboleth [12] middleware. It can receive and validate edutokens, and send SAML assertions towards the Shibboleth SP as a Shibboleth Identity Provider would. The current implementation is based on edugain 0.6, which uses the OpenSAML libraries 1.2 and 2.

Conclusion

The presented approach links the authentication for network access, starting at OSI layer 2, to the authentication for services above OSI layer 4 and thereby enables a cross-layer, unified Single Sign On. Authentication for obtaining network access is performed via the infrastructure of eduroam, the European roaming confederation. A unified Single Sign On state is established that is valid for any resource within edugain, the European AAI that forms a confederation of existing national federations based on Shibboleth and other middleware. A homogeneous IT infrastructure is not a requirement for usso using the presented approach. Thanks to the use of the standardized Security Assertion Markup Language, bridging between several heterogeneous middlewares is markedly simplified. The developed components seamlessly interoperate with middleware for federated AAI, which is currently widely deployed and productively used within European academic environments, and conform to their requirements (defined in [13]).

Unified Single Sign On is a feature that is mostly beneficial to the end-users. They use the specific authentication method only once, and are then signed on to the (con-)federation. This is more convenient and efficient, but also more secure: sensitive information has to be transmitted only once. Based on the idea of federated authentication and authorization, one virtual identity can suffice to access any resource within the federation, be that a local website or wireless network access in another country. In a user-centric approach such as the presented one, the end-user can actively intervene in the process of authentication and the management of his virtual identity.

The presented architecture and implementation will be further extended and refined in the future. Possibilities for interoperation with related approaches are expected to emerge. The validation for practical deployment as well as the application of this approach to recent service and Grid infrastructures is ongoing.

Acknowledgements

The results published in this paper were developed within the DAMe project [14], a sub-project of the GÉANT2 joint research activity 5 that is co-funded by the European Commission within the Sixth R&D Framework Programme (FP6). The DAMe project is developed together with the University of Murcia (Spain), DFN (Germany), and RedIRIS (Spain). The author would like to thank all the partners involved in that project.

References

[1] eduroam Website
[2] Ó. Cánovas et al.: Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe), Terena Networking Conference 2007, May 2007
[3] D. Lopez et al.: GÉANT2 Authorisation and Authentication Infrastructure (AAI) Architecture, second edition, GÉANT2 Deliverable DJ5.2.2,2, April 2007
[4] E. Maler et al.: Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V1.1, OASIS Standard, September 2003
[5] J. Hughes et al.: Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, March 2005
[6] Liberty Alliance Project Website
[7] C. P. Cahill et al.: Liberty ID-WSF Advanced Client Technologies Overview, Liberty Alliance Project, August 2007
[8] J. Jähnert et al.: The Mobile Grid Reference Architecture, Akogrimo Deliverable D3.1.3, October 2006
[9] F. Solsvik et al.: Final Integrated Services Design and Implementation Report, Akogrimo Deliverable D4.2.3, December 2006
[10] Ó. Cánovas, M. Sánchez, G. López, R. del Campo, S. Neinert: usso Architecture, GÉANT2 Deliverable DJ5.3.2, to appear
[11] Open1X.org Website
[12] Shibboleth Website, Internet2
[13] B. Kerver et al.: Documentation on GÉANT2 unified Single Sign-On (usso) Requirements, GÉANT2 Deliverable DJ5.3.1, February
[14] DAMe Project Website

Vitae

Sascha Neinert studied computer science at the University of Stuttgart, Germany, where he received the degree Dipl.-Inf. (Sep/2004). He worked as a software engineer for a medium-sized software company in a number of projects targeting the automotive industry. He started working for the Communication Systems group of the University of Stuttgart computer centre 'RUS' in Nov/2006. He was involved in the Nexus project, where he developed a location-based application for small mobile devices. Currently he is working on the EU project DAMe in the GÉANT2 context on the topics attribute-based network authorization, cross-layer unified Single Sign On and federated Identity Management.


More information

Extending DigiD to the Private Sector (DigiD-2)

Extending DigiD to the Private Sector (DigiD-2) TECHNISCHE UNIVERSITEIT EINDHOVEN Department of Mathematics and Computer Science MASTER S THESIS Extending DigiD to the Private Sector (DigiD-2) By Giorgi Moniava Supervisors: Eric Verheul (RU, PwC) L.A.M.

More information

SWIFT: Advanced identity management

SWIFT: Advanced identity management SWIFT: Advanced identity management Elena Torroglosa, Alejandro Pérez, Gabriel López, Antonio F. Gómez-Skarmeta and Oscar Cánovas Department of Information and Communications Engineering University of

More information

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Implementation Guide SAP NetWeaver Identity Management Identity Provider Implementation Guide SAP NetWeaver Identity Management Identity Provider Target Audience Technology Consultants System Administrators PUBLIC Document version: 1.10 2011-07-18 Document History CAUTION Before

More information

Biometric Single Sign-on using SAML Architecture & Design Strategies

Biometric Single Sign-on using SAML Architecture & Design Strategies Biometric Single Sign-on using SAML Architecture & Design Strategies Ramesh Nagappan Java Technology Architect Sun Microsystems Ramesh.Nagappan@sun.com 1 Setting Expectations What you can take away! Understand

More information

Authentication Methods

Authentication Methods Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the

More information

SAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog

SAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog SAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog IIWb, Mountain View, CA, 4 December 2006 1 When you distribute identity tasks and information in the

More information

Introduction to SAML

Introduction to SAML Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments

More information

ESA EO Identify Management

ESA EO Identify Management ESA EO Identify Management The ESA EO IM Infrastructure & Services A. Baldi ESA: Andrea.Baldi@esa.int M. Leonardi ESA: m.leonardi@rheagroup.com 1 Issues @ ESA with legacy user management Users had multiple

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

JVA-122. Secure Java Web Development

JVA-122. Secure Java Web Development JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard

More information

IBM WebSphere Application Server

IBM WebSphere Application Server IBM WebSphere Application Server SAML 2.0 web single-sign-on 2012 IBM Corporation This presentation describes support for SAML 2.0 web browser Single Sign On profile included in IBM WebSphere Application

More information

Implementing Identity Provider on Mobile Phone

Implementing Identity Provider on Mobile Phone Implementing Identity Provider on Mobile Phone Tsuyoshi Abe, Hiroki Itoh, and Kenji Takahashi NTT Information Sharing Platform Laboratories, NTT Corporation 3-9-11 Midoricho, Musashino-shi, Tokyo 180-8585,

More information

The Primer: Nuts and Bolts of Federated Identity Management

The Primer: Nuts and Bolts of Federated Identity Management The Primer: Nuts and Bolts of Federated Identity Management Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities. With so

More information

Authentication Integration

Authentication Integration Authentication Integration VoiceThread provides multiple authentication frameworks allowing your organization to choose the optimal method to implement. This document details the various available authentication

More information

SAML 2.0 Refresher. Víctor Aké Oslo, Norway August Identity and Federation Architect

SAML 2.0 Refresher. Víctor Aké Oslo, Norway August Identity and Federation Architect SAML 2.0 Refresher Víctor Aké Oslo, Norway August 2008 http://www.projectliberty.org Identity and Federation Architect victor.ake@sun.com SAML 2 What is it? What does it do? How does it work? SAML2 components

More information

Identity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH

Identity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH Identity opens the participation age Open Web Single Sign- On und föderierte SSO Dr. Rainer Eschrich Program Manager Identity Management Sun Microsystems GmbH Agenda The Identity is the Network Driving

More information

User and Machine Authentication and Authorization Infrastructure for Distributed Wireless Sensor Network Testbeds

User and Machine Authentication and Authorization Infrastructure for Distributed Wireless Sensor Network Testbeds J. Sens. Actuator Netw. 2013, 2, 109-121; doi:10.3390/jsan2010109 Article OPEN ACCESS Journal of Sensor and Actuator Networks ISSN 2224-2708 www.mdpi.com/journal/jsan User and Machine Authentication and

More information

WebLogic Server 7.0 Single Sign-On: An Overview

WebLogic Server 7.0 Single Sign-On: An Overview WebLogic Server 7.0 Single Sign-On: An Overview Today, a growing number of applications are being made available over the Web. These applications are typically comprised of different components, each of

More information

Using SAML for Single Sign-On in the SOA Software Platform

Using SAML for Single Sign-On in the SOA Software Platform Using SAML for Single Sign-On in the SOA Software Platform SOA Software Community Manager: Using SAML on the Platform 1 Policy Manager / Community Manager Using SAML for Single Sign-On in the SOA Software

More information

The Primer: Nuts and Bolts of Federated Identity Management

The Primer: Nuts and Bolts of Federated Identity Management The Primer: Nuts and Bolts of Federated Identity Management Executive Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities.

More information

Shibboleth N-Tier Support. Chad La Joie chad.lajoie@switch.ch

Shibboleth N-Tier Support. Chad La Joie chad.lajoie@switch.ch Shibboleth N-Tier Support Chad La Joie chad.lajoie@switch.ch Agenda Use Case Terminology Shibboleth Solution Future Effort Resources 2 Use Case Current use case comes from University of Chicago University

More information

OpenHRE Security Architecture. (DRAFT v0.5)

OpenHRE Security Architecture. (DRAFT v0.5) OpenHRE Security Architecture (DRAFT v0.5) Table of Contents Introduction -----------------------------------------------------------------------------------------------------------------------2 Assumptions----------------------------------------------------------------------------------------------------------------------2

More information

Federated Identity Management

Federated Identity Management Federated Identity Management SWITCHaai Introduction Course Bern, 1. March 2013 Thomas Lenggenhager aai@switch.ch Overview What is Federated Identity Management? What is a Federation? The SWITCHaai Federation

More information

Toward campus portal with shibboleth middleware

Toward campus portal with shibboleth middleware Toward campus portal with shibboleth middleware Eisuke Ito and Masanori Nakakuni itou@cc.kyushu u.ac.jp, Kyushu University nak@fukuoka u.ac.jp, Fukuoka University Outline 1. Background 2. Shibboleth 3.

More information

SAML Security Option White Paper

SAML Security Option White Paper Fujitsu mpollux SAML Security Option White Paper Fujitsu mpollux Version 2.1 February 2009 First Edition February 2009 The programs described in this document may only be used in accordance with the conditions

More information

SAML and OAUTH comparison

SAML and OAUTH comparison SAML and OAUTH comparison DevConf 2014, Brno JBoss by Red Hat Peter Škopek, pskopek@redhat.com, twitter: @pskopek Feb 7, 2014 Abstract SAML and OAuth are one of the most used protocols/standards for single

More information

SAML Authentication Quick Start Guide

SAML Authentication Quick Start Guide SAML Authentication Quick Start Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Copyright 2013 SafeNet, Inc. All rights reserved.

More information

Digital Identity and Identity Management Technologies.

Digital Identity and Identity Management Technologies. I. Agudo, Digital Identity and Identity Management Technologies, UPGRADE - The European Journal of the Informatics Professional, vol. 2010, pp. 6-12, 2010. NICS Lab. Publications: https://www.nics.uma.es/publications

More information

Federated Identity Management

Federated Identity Management Federated Identity Management SWITCHaai Team aai@switch.ch Agenda 2 What is Federated Identity Management? What is a Federation? The SWITCHaai Federation Interfederation Evolution of Identity Management

More information

IT@Intel. Improving Security and Productivity through Federation and Single Sign-on

IT@Intel. Improving Security and Productivity through Federation and Single Sign-on White Paper Intel Information Technology Computer Manufacturing Security Improving Security and Productivity through Federation and Single Sign-on Intel IT has developed a strategy and process for providing

More information

Secure the Web: OpenSSO

Secure the Web: OpenSSO Secure the Web: OpenSSO Sang Shin, Technology Architect Sun Microsystems, Inc. javapassion.com Pat Patterson, Principal Engineer Sun Microsystems, Inc. blogs.sun.com/superpat 1 Agenda Need for identity-based

More information

The saga of WebFTS and Federated Identity

The saga of WebFTS and Federated Identity The saga of WebFTS and Federated Identity Andrey Kiryanov IT/SDC 15/12/2014 The Reason: 2 What is a Federated Identity? It is the means of linking a person's electronic identity and attributes, stored

More information

How to Implement Enterprise SAML SSO

How to Implement Enterprise SAML SSO How to Implement Enterprise SSO THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY How to Implement Enterprise SSO Introduction Security Assertion Markup Language, or, provides numerous The advantages and

More information

Mobile Security. Policies, Standards, Frameworks, Guidelines

Mobile Security. Policies, Standards, Frameworks, Guidelines Mobile Security Policies, Standards, Frameworks, Guidelines Guidelines for Managing and Securing Mobile Devices in the Enterprise (SP 800-124 Rev. 1) http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf

More information

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS APPLICATION NOTE IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS SAML 2.0 combines encryption and digital signature verification across resources for a more

More information

Copyright: WhosOnLocation Limited

Copyright: WhosOnLocation Limited How SSO Works in WhosOnLocation About Single Sign-on By default, your administrators and users are authenticated and logged in using WhosOnLocation s user authentication. You can however bypass this and

More information

Leveraging New Business Models with Identity Management An e-learning case study

Leveraging New Business Models with Identity Management An e-learning case study Leveraging New Business Models with Identity Management An e-learning case study José M. del Álamo DIT, Universidad Politécnica de Madrid, Ciudad Universitaria s/n, 28040 Madrid, Spain jmdela@dit.upm.es,

More information

IAM, Enterprise Directories and Shibboleth (oh my!)

IAM, Enterprise Directories and Shibboleth (oh my!) IAM, Enterprise Directories and Shibboleth (oh my!) Gary Windham Senior Enterprise Systems Architect University Information Technology Services windhamg@email.arizona.edu What is IAM? Identity and Access

More information

Authentication and Single Sign On

Authentication and Single Sign On Contents 1. Introduction 2. Fronter Authentication 2.1 Passwords in Fronter 2.2 Secure Sockets Layer 2.3 Fronter remote authentication 3. External authentication through remote LDAP 3.1 Regular LDAP authentication

More information

OAuth Guide Release 6.0

OAuth Guide Release 6.0 [1]Oracle Communications Services Gatekeeper OAuth Guide Release 6.0 E50767-02 November 2015 Oracle Communications Services Gatekeeper OAuth Guide, Release 6.0 E50767-02 Copyright 2012, 2015, Oracle and/or

More information

Intro to Federated Identity

Intro to Federated Identity Intro to Federated Identity EuroCAMP Training This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. 1 Lets get a federated identity Do you have access to your email?

More information

Software Requirement Specification Web Services Security

Software Requirement Specification Web Services Security Software Requirement Specification Web Services Security Federation Manager 7.5 Version 0.3 (Draft) Please send comments to: dev@opensso.dev.java.net This document is subject to the following license:

More information

Security Assertion Markup Language (SAML) 2.0 Technical Overview

Security Assertion Markup Language (SAML) 2.0 Technical Overview 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Security Assertion Markup Language (SAML) 2.0 Technical Overview Working Draft 03, 20 February 2005 Document identifier:

More information

ShibboLEAP Project. Final Report: School of Oriental and African Studies (SOAS) Colin Rennie

ShibboLEAP Project. Final Report: School of Oriental and African Studies (SOAS) Colin Rennie ShibboLEAP Project Final Report: School of Oriental and African Studies (SOAS) Colin Rennie May 2006 Shibboleth Implementation at SOAS Table of Contents Introduction What this document contains Who writes

More information

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver SAP Product Management, SAP NetWeaver Identity Management

More information

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines Ameritas Single Sign-On (SSO) and Enterprise SAML Standard Architectural Implementation, Patterns and Usage Guidelines 1 Background and Overview... 3 Scope... 3 Glossary of Terms... 4 Architecture Components...

More information

Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)

Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity) Why Identity Management Identity Management Claudiu Duma Identity crisis Privacy concerns Identity theft Terrorist threat Department of Computer and Information Science cladu@ida.liu.se What We Cover Digital

More information

Introducing Shibboleth

Introducing Shibboleth workshop Introducing Shibboleth MPG-AAI Workshop Clarin Centers Prague 2009 2009-11-06 MPG-AAI MPG-AAI a MPG-wide Authentication & Authorization Infrastructure for access control to web-based resources

More information

About Me. #ccceu. @shapeblue. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

About Me. #ccceu. @shapeblue. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack About Me KVM, API, DB, Upgrades, SystemVM, Build system, various subsystems Contributor and Committer

More information

The increasing popularity of mobile devices is rapidly changing how and where we

The increasing popularity of mobile devices is rapidly changing how and where we Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to

More information

Enhancing Web Application Security

Enhancing Web Application Security Enhancing Web Application Security Using Another Authentication Factor Karen Lu and Asad Ali Gemalto, Inc. Technology & Innovations Austin, TX, USA Overview Introduction Current Statet Smart Cards Two-Factor

More information

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Sverview Trust between SharePoint 2010 and ADFS 2.0 Use article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies

More information

Integral Federated Identity Management for Cloud Computing

Integral Federated Identity Management for Cloud Computing Integral Federated Identity Management for Cloud Computing Maicon Stihler, Altair Olivo Santin, Arlindo L. Marcon Jr. Graduate Program in Computer Science Pontifical Catholic University of Paraná Curitiba,

More information

How to Extend Identity Security to Your APIs

How to Extend Identity Security to Your APIs How to Extend Identity Security to Your APIs Executive Overview The number of users and devices requesting access to applications is growing exponentially and enterprises are scrambling to adapt their

More information

WEB SERVICES SECURITY

WEB SERVICES SECURITY WEB SERVICES SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE SAML 2.0 CONFIGURATION GUIDE Roy Heaton David Pham-Van Version 1.1 Published March 23, 2015 This document describes how to configure OVD to use SAML 2.0 for user

More information

Federation Proxy for Cross Domain Identity Federation

Federation Proxy for Cross Domain Identity Federation Proxy for Cross Domain Identity Makoto Hatakeyama NEC Corporation, Common Platform Software Res. Lab. 1753, Shimonumabe, Nakahara-Ku, Kawasaki, Kanagawa 211-8666, Japan +81-44-431-7663 m-hatake@ax.jp.nec.com

More information

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle lukas.haemmerle@switch.ch

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle lukas.haemmerle@switch.ch AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes Lukas Hämmerle lukas.haemmerle@switch.ch Berne, 13. August 2014 Introduction App by University of St. Gallen Universities

More information

IAM Application Integration Guide

IAM Application Integration Guide IAM Application Integration Guide Date 03/02/2015 Version 0.1 DOCUMENT INFORMATIE Document Title IAM Application Integration Guide File Name IAM_Application_Integration_Guide_v0.1_SBO.docx Subject Document

More information

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0 1 2 3 4 5 6 7 8 9 10 11 Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0 Version 3.2.2 Editor: Kyle Meadors, Drummond Group Inc. Abstract: This document describes the test steps to

More information