<Insert Picture Here> Single Sign-on a propagácia identít v heterogénnom prostredí

Transcription

1

2 <Insert Picture Here> Single Sign-on a propagácia identít v heterogénnom prostredí Marian Kuna, Technology Sales Consultant

3 <Insert Picture Here> Single Sign-On Wikipédia Single sign-on (SSO) je jednou zo súčastí riadenia prístupu k viacerým súvisiacim, ale nezávislým softvérovým systémom. Vďaka tomuto komponentu sa používateľ prihlási raz a získa prístup ku všetkým systémom bez nutnosti prihlasovania do každého z nich. SSO je postavené na centralizovanom autentifikačnom serveri, ktorý aplikácie a systémy využívajú za účelom autentifikácie

4 Prínosy Single Sign-On Potrebujem sa znova prihlásiť do Windows Deti, bežte pomôcť ockovi stlačiť ctrl-alt-del

5 Prínosy Single Sign-On Používateľský komfort Nie je potrebné pamätať si množstvo rôzných mien/hesiel Rýchlejší prístup k aplikáciám bez nutnosti autentifikácie Bezpečnosť Heslá na papieri Silná autentifikácia Náklady Tech. podpora/reset hesiel Efektivita používateľov Zákony, normy, nariadenia Centralizovaný reporting

6 Typy single sign-on Password Synchronization <Insert Picture Here> Perimeter Single Sign-on Web Single Sign-on X.509 authentication Server-based SSO, Identity Propagation Standards, Weblogic Security Framework SAML Kerberos Enterprise Single Sign-on

7 Password Synchronization <Insert Picture Here>

8 Password Synchronization Identity Management

9 Perimeter Single Single Sign-on <Insert Picture Here>

10 Perimeter SSO Web Server (app Proxy) Gateway 8 2 Application Server Protected Resources 6 DMZ 9 Firewall Firewall Access Server Resource Protection User Validation Token Validation 5, 7 User & Policy Store

11 Oracle Access Manager

12 Supported Authentication Mechanisms Form based authentication Basic authentication X.509 authentication OAAM virtual pad based authentication Kerberos based authentication (windows native authentication)

13 X.509 Client Authentication Two-way SSL Client Hello Server The quick brown fox jumps over the lazy dog rkvegms private The quick brown fox jumps over the lazy dog public

14 X.509 Client Authentication WebLogic Server and Database Oracle Fusion Middleware Securing Oracle WebLogic Server > 12 Configuring SSL Oracle Database Advanced Security Administrator's Guide > 8 Configuring Secure Sockets Layer Authentication Requires Oracle Advanced Security option

15 <Insert Picture Here> Server based Single Sign-on SAML Kerberos Identity Propagation

16 End to End Security Web Server (app Proxy) Application Server Message Queue Mainframe Application Client DB DB Point to Point Interactions End-to-end security

17 Identity Propagation User authenticates at the perimeter with an id and password Identity is propagated in many forms throughout the compute path http Basic Auth Web tier SSO token Portal Application SOA Business Process End User Service Bus DB connection Business Service Data Service DB

18 Common Security Standards WS-Policy WS-SecurityPolicy WS-ReliableMessaging SOAP & SwA WS-Security SAML Token Profile UsernameToken Profile Kerberos Token Profile WS-Trust WS-SecureConversation WS-Federation X.509 Token Profile XML XML Encryption KEY: XML Signature A B Std. B is based on Std. A SAML XACML CARML AAPML Web Service standards XML-based standards IP-based standards SPML Algorithms & protocols Kerberos Java standards IP HTTP TLS & SSL X.500 HTTPS LDAP Included in WS-I Basic Security Profile Included in WS-I Reliable Secure Profile Symmetric Key Algorithms: AES-(128,192,256), DES, 3-DES Message Digests: MD5, SHA-(1,2,3) PKI: X.509; RSA key encryption; RSA, DSA signature algorithms; PKCS Java SE/EE Platform Security: JCA, JCE, JAAS, JSSE, JGSS, Java SASL

19 WebLogic Server Security Framework

20 WebLogic Server Authentication Validates user credentials against identity store Identity store LDAP directories: Embedded, OID, OVD, iplanet, Open LDAP, Novell, Active Directory RDBMS (SQL, read only SQL, Custom DBMS) Identity Assertion Maps identities to users Token types Username/Password Certificate CSI v2 SAML SPNEGO

21 <Insert Picture Here> Server based Single Sign-on SAML

22 Web Services SOAP messages SOAP message SOAP Header SOAP Body Portal Application SOA Business Process Service Bus Business Service Data Service DB connection DB

23 SAML token SOAP message SOAP Header <saml: Assertion>... <saml:subject> <saml:nameid...> CN=Marian Kuna, OU=Sales, O=Oracle Slovensko </saml:nameid> </saml:subject>... <Signature> SOAP Body

24 Oracle Identity Federation Identity provider (IDP) is a service that hosts and/or provides identity information to other services Service Provider is responsible for offering the services to the end users

25 Oracle Identity Federation Industry s most complete implementation of federation standards Standards: SAML 1.0 / 1.1 / 2.0 Liberty Alliance ID-FF 1.1 /1.2 WS-Federation Liberty Alliance certification for Liberty ID-FF and SAML 2.0.

26 Oracle OpenSSO Fedlet Oracle OpenSSO Fedlet is a lightweight SP-only implementation of SAML 2.0 SSO protocols Can be used to SSO enable: Internal apps Partner apps Oracle Identity Federation OpenSSO 3 rd party Identity Provider.NET Fedlet Java Fedlet

27 <Insert Picture Here> Server based Single Sign-on Kerberos

28 Kerberos Project Athena was initiated in years of research passed before Kerberos was officially complete widely used as default authentication methods in popular operating systems Windows Unix Mac OS X

29 Kerberos

30 Kerberos

31 Kerberos

32 Kerberos WebLogic Server and Kerberos Oracle Fusion Middleware Securing Oracle WebLogic Server > 6 Configuring Single Sign-On with Microsoft Clients Define a principal in Active Directory to represent the WebLogic Server. Any client must be set up to use Windows Integrated authentication, sending a Kerberos ticket when available. In the security realm of the WebLogic domain, configure a Negotiate Identity Assertion provider

33 Kerberos Oracle Database and Kerberos Oracle Database Advanced Security Administrator's Guide > 7 Configuring Kerberos Authentication Requires Oracle Advanced Security option

34 <Insert Picture Here> Server based Single Sign-on Identity Propagation

35 Identity Propagation Application Users Identity Management Aplikácia marian.kuna/pwd app/pwd Databáza marian.kuna/pwd

36 Identity Propagation Enterprise User Security Identity Management OID Aplikácia marian.kuna/pwd Databáza marian.kuna/pwd

37 Enterprise User Security Spôsoby Implementácie OID MSAD Používateľ Oracle databáza Používatelia Business Role DB user DB Role Používatelia Skupiny

38 Enterprise User Security Spôsoby Implementácie OVD MSAD Používateľ Oracle databáza Používatelia Business Role DB user DB Role

39 Enterprise Single Sign-on <Insert Picture Here>

40 Oracle esso Logon Manager Oracle esso Suite Management Console LDAP, Doména, Databáza Windows Web sídla Mainframes (OS390, AS400) meno/heslo Oracle esso Logon Manager Java Extranet & Portal Autentifikácia PC/Desktop Sign-On

41 Oracle esso Authentication Manager Oracle esso AM MS CAPI smart cards SAFLINK Entrust PKI LDAP Multi-Auth Interface & Graded Auth Policies Auth API Auth API Oracle esso SM Oracle esso KM User Auth

42 Oracle esso Password Reset Reset Windows Logon Oracle esso Password Reset Server Audit, Reporting Doména Admin Oracle esso Suite Management Console

43 Oracle esso Provisioning Gateway Provisioning Sources Oracle Identity Manager (OIM) Applications & Custom Programs Data file and Manual Entry Password Oracle esso Provisioning GW Connectors Server SPML Windows Web Sites PKI Directory, Domain, Database Mainframes (OS390, AS400) Biometrics Credentials Java Token/ Smart card User Auth Oracle esso Logon Manager User s Desktop Extranet & Portal Application Sign-On

44 Oracle esso Kiosk Manager Oracle esso KM Windows LDAP Logon Session Monitor Time out Application Shutdown Keystroke submit Closure request Sign-off Web Apps, Extranet, Portal User Auth Process terminate Session (Initiate, Suspend, Terminate) Java Mainframes (OS390, AS400) Audit, Reporting

45