Passwords are for Chumps
- Thomasine Watkins
- 8 years ago
Transcription
1 Copyright 2014 Splunk Inc. Passwords are for Chumps David Veuve SE, Splunk
2 Who Am I?
- David Veuve
- Sales Engineer for Major Accounts in Northern California
- Former Splunk Customer (for 3 years, 3.x through 4.3)
- Security Guy
- Primary Author of Splunk Search Usage app
- David on Splunk Answers
3 Agenda
- Why Single Sign On (SSO)?
- Setting up SSO on Windows
- Setting up SSO on Linux
- Setting up SSO via SAMLv2
- A little something extra
- Wrap up
- All config files (where possible for Windows) will be posted to GitHub at the end of the presentation
4 Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
5 What is Wrong with Passwords
- Diminish adoption
- Disproportionately discourage the users you really want
  - Executives/Managers, Business Users
- Fundamentally insecure
6 Detail: Passwords are Fundamentally Insecure
- People write them on post-it notes
- People create simple ones
- People type them into phishing websites
- People reuse them across many websites
http://xkcd.com/792/ http://xkcd.com/936/
7 Benefits of Single Sign On
- Easier adoption
- More secure
- Facilitates High Availability
  - Search Head Pooling works better with SSO enabled
    - Allows you to fail over without a user noticing
8 Limitations of Splunk SSO
- Single Sign On depends on an external proxy that will handle the authentication piece, and then pass the username in an HTTP header to Splunk
- Even with Single Sign On handling authentication, we still need an LDAP connection to assign users to individual roles. This is not typically an issue for internal deployments, but is a greater issue for SAML deployments
  - Can cover standard roles [To be filled in]
9 Single Sign On - Definition
- Single sign-on (SSO) is mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where he has access permission, without the need to enter multiple passwords http://
- In practice: Users are automatically logged in without typing in a password
10 Common Single Sign On Methods
- Active Directory
  - AD has supported SSO via NTLM and others for years
- Kerberos
  - Core to Active Directory and widely used in Linux / OSX
- SAML
  - Commonly used for online systems
- Smart Card (or One Time Password)
  - Can be implemented by one of the above, or a hook into Active Directory to intercept and service authentication accounts
- Several others employing similar core theories
11 How to Decide Which Method
- Windows Server Environment: Windows Authentication
  - Easiest setup in my experience
- Linux Server Environment: Kerberos
  - Still easy
- Splunk hosted via external cloud (or with 3rd party SSO such as Okta, PingIdentity, etc.): SAML
  - Most challenging approach
- 3rd Party Proxy / Load Balancer
  - Likely Kerberos, but depends on product
12 Splunk Setup
13 Splunk Setup Steps
1. Set up LDAP Authentication
2. Map LDAP Groups
3. Update server.conf
4. Update web.conf
14 LDAP Configuration
- Frequently done by Splunk Users
  - http://docs.splunk.com/documentation/splunk/6.1.3/security/configureldapwithsplunkweb
- From Splunk Web, Access Controls
15 server.conf and web.conf Setup
- server.conf
  - trustedip: Indicates that the local splunkd will trust the user coming from splunkweb
    - (Remember that indexers implicitly trust the search head, so this only happens on the search head)
- web.conf
  - trustedip: Indicates that splunkweb will trust the user coming from your upstream proxy/other device
  - SSOMode: Indicates whether local logons are allowed
  - remoteuser: Indicates what header parameter the user string will be put into
16 Security Quick Tip
- Limit the number of trusted IPs you have configured on splunkweb, as they will be able to masquerade as any user
- If you have tools.proxy.on = true, and see your workstation's IP address in /debug/sso, turn off tools.proxy.on and don't add every workstation to the trustedip list
17 Demo - Splunk Setup
18 Demo - Splunk LDAP Setup
19 Demo - server.conf
- server.conf: Refers to the local splunkd
  - Remember that splunkweb running on the same box will communicate with splunkd via
20 Demo - web.conf
- web.conf: Refers to the local splunkweb
  - SSOMode
    - Permissive: allows either SSO or direct access to splunkd
    - Strict: SSO only (cannot log in with local auth settings if locked out, must modify via conf files)
  - trustedip
    - IP of Proxy
  - remoteuser
    - Parameter containing username
  - tools.proxy.on
    - Required for old versions of Apache. This is turned on in a bunch of examples, but for none of the systems I've used has it actually been necessary
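The security tip on slide 16 and the settings on slides 15 and 20 can be checked mechanically. The Python audit below is an added example, not code from the presentation or its GitHub repository; the sample files, IP addresses, finding codes and the audit_sso function are constructed for illustration, and it assumes the keys live in the [settings] stanza of web.conf and the [general] stanza of server.conf.

```python
import configparser
import ipaddress

# Constructed sample files; every address here is made up for the example.
SERVER_CONF = """
[general]
trustedIP = 127.0.0.1
"""

# Loose setup: a workstation ended up in trustedIP and tools.proxy.on is enabled.
WEB_CONF_LOOSE = """
[settings]
SSOMode = permissive
trustedIP = 10.1.1.5, 10.1.7.44
remoteUser = REMOTE-USER
tools.proxy.on = true
"""

# Tight setup: only the authenticating proxy is trusted.
WEB_CONF_TIGHT = """
[settings]
SSOMode = strict
trustedIP = 10.1.1.5
remoteUser = REMOTE-USER
tools.proxy.on = false
"""


def _stanza(text, name):
    """Return one stanza of a .conf file as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False
    )
    cp.read_string(text)
    return dict(cp[name]) if cp.has_section(name) else {}


def audit_sso(web_conf, server_conf, known_proxies):
    """Return (code, detail) findings for the SSO settings in the two files.

    known_proxies is the set of IPs the operator expects to authenticate
    users (hypothetical input; it is not a Splunk setting).
    A key that is absent from the file is not flagged, except trustedIP.
    """
    findings = []
    web = _stanza(web_conf, "settings")
    splunkd = _stanza(server_conf, "general")

    # Every address in splunkweb's trustedIP can assert any username.
    trusted = [ip.strip() for ip in web.get("trustedip", "").split(",") if ip.strip()]
    if not trusted:
        findings.append(("SSO_NOT_ENABLED", "web.conf has no trustedIP"))
    for ip in trusted:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("BAD_TRUSTED_IP", ip))
            continue
        if ip not in known_proxies:
            findings.append(("UNEXPECTED_TRUSTED_IP", ip))

    # Slide 16: with tools.proxy.on = true the workstation IP may show up in
    # /debug/sso, which tempts people to add workstations to trustedIP.
    if web.get("tools.proxy.on", "").strip().lower() in ("1", "true"):
        findings.append(("TOOLS_PROXY_ON", "turn off unless the proxy needs it"))

    # Slide 20: permissive mode still allows access without SSO.
    if web.get("ssomode", "").strip().lower() == "permissive":
        findings.append(("PERMISSIVE_MODE", "non-SSO logons still allowed"))

    # Slide 15: splunkd must trust the user handed over by splunkweb.
    if not splunkd.get("trustedip", "").strip():
        findings.append(("SPLUNKD_TRUSTEDIP_MISSING", "server.conf [general]"))
    return findings


if __name__ == "__main__":
    for label, conf in (("loose", WEB_CONF_LOOSE), ("tight", WEB_CONF_TIGHT)):
        print(label, audit_sso(conf, SERVER_CONF, {"10.1.1.5"}))
```
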
21 Windows Option
22 Core Technologies at Play
- Functioning Splunk Install
- Active Directory Infrastructure
- IIS Web Server (2012 R2 in my test, but known to work at least through 2008)
  - Platform addons:
    - ARR http:// request-routing
    - ISAPI Module
    - ISAPI Filters Module
  - Free Third Party
    - ISAPI_Rewrite3 http://
    - Allows you to add authenticated user name to header
23 High Level Process
1. Configure Authentication for IIS Site
2. Configure Reverse Proxy for IIS Site
3. Configure URL_Rewrite to empty Accept Encoding
   - Workaround for UI quirk
4. Configure ISAPI_Rewrite3 to put REMOTE-USER header
24 Windows Authentication Diagram
- Users will hit the IIS Server, which will authorize them via Integrated Windows Authentication
- Requests will then be proxied to Splunk
- Splunk will perform authorization via LDAP Groups
- Users will get a seamless authentication and authorization experience, and be greeted by the Splunk page!
25 Challenges
- By default, Splunk will use gzip encoding, but that doesn't work with IIS ARR routing rules. As a result, we need to store the original Accept Encoding in a header, wipe it, and then replace it. That will be seen in the example
- IIS does not support writing the authenticated user information into a header. This is why we need the external ISAPI_Rewrite3 Lite module. Fortunately, we can use the free Lite module by offloading the routing
- (Neither of these issues exist on Linux, or should exist on 3rd party proxies or load balancers)
26 Why Third Party (ISAPI_Rewrite3 Lite)
- ISAPI_Rewrite3 by Helicon is a great way to port configurations over from Apache
- In particular, it allows us to set a header after the authentication part completes, which is not possible out of the box with IIS
- There are two versions of ISAPI_Rewrite3: free and commercial
  - For this configuration, we only need the free version. The commercial version adds additional proxy capabilities which are delivered by IIS ARR
27 Demo - Enabling Authentication
28 Demo - Enabling Reverse Proxy
29 Demo - Configure URL Rewrite
30 Demo - Workaround for URL Rewrite Quirk
31 Demo - Helicon
32 Demo - Successful SSO Debug
33 Demo - Successful Logon
34 Troubleshooting
- Wireshark
  - Verify that communication to your search head has the proper field populated
- Debug page
  - http://youriisserver/debug/sso
- IIS Detailed Debug Logs
  - By default, IIS will only show you the major error code (e.g., 500). If you turn on detailed logs, it will also show the more detailed logs, e.g.:
    - HTTP Error URL Rewrite Module Error. Outbound rewrite rules cannot be applied when the content of the HTTP response is encoded ("gzip")
35 Troubleshooting with Wireshark
- Capture relevant traffic (port 8000)
- Then look for the actual headers being passed in the HTTP message
36 Troubleshooting with Debug SSO
- Great source for ensuring your settings are correct
- Look particularly for the SSO Mode, trustedips and the Remote user HTTP Header. This has to be the same as what is seen in Wireshark
- Hopefully your setup will look just like this
37 Troubleshooting with IIS Logs
- By default IIS logs aren't very helpful. While troubleshooting, turn on detailed logs for your site
- Just click on Error Logs, then Edit Feature Settings, then Detailed Logging
38 Linux Option
39 Core Technologies
- Working Splunk Installation
- Linux Kerberos
- Apache Web Server
  - mod_auth_kerb
  - mod_proxy
  - mod_rewrite
- Active Directory (or other Kerberos Store)
40 High Level Process
- Create AD Service Account
- Create keytab
- Configure Linux Host Kerberos
- Configure Apache to use mod_auth_kerb
- Configure Apache to reverse proxy using mod_proxy
- Configure Request Header to set Remote User
41 Linux Authentication Diagram
- Users will hit the Apache Server, which will authorize them via Kerberos to AD
- Requests will then be proxied to Splunk
- Splunk will perform authorization via LDAP Groups
- Users will get a seamless authentication and authorization experience, and be greeted by the Splunk page!
42 Challenges
- Biggest challenge with this approach is that there are many different sets of instructions on the internet. This approach, end to end, worked in my environment
43 Demo - Create AD User
- Nothing complex about the user account; can be anything
44 Demo - Create Keytab
- Copy-paste from internet. Note that this will reset the password!
    ktpass -princ {PRINCIPAL NAME} -mapuser {username@fqdn} -crypto {YourChoice} -ptype KRB5_NT_PRINCIPAL -pass {LookAtMyLongPassword} -out {Path\to\keytab}
45 Demo - Configure Linux Host Kerberos
- Change the realm to your local realm
- Note that this should probably match your users' desktop config, i.e., if they log into mydomain.local and you're hosting this site on mydomain.com, you will need to configure IE/Firefox/Chrome to try a Kerberos auth
46 Demo - Configure Apache to use auth_kerb
- Change the realm and AuthName to your local realm/domain FQDN
- Configure the Krb5KeyTab to where you copied the file over from your domain controller
- KrbMethodK5Passwd allows users without Kerberos to authenticate via password
- Require valid-user tells Apache that authentication is required
47 Demo - Configure Apache to Reverse Proxy
- This leverages and requires mod_proxy to work, but is a pretty straightforward config beyond that
- The last two lines are the heart of the config: behind the scenes, take anything going to myserver/* and send a parallel request to http:// :8000/*
- If mounting your web path at a different directory, consider the root_endpoint setting
- http:// splunk-with-ssl/
48 Demo - Configure Remote User Header
- Unlike with Windows, here we can leverage a simple config to insert the remote user into the REMOTE-USER header
- In setting this up, I tried several attempts to get the remote_user properly inserted; this is the one that finally worked
49 Demo - Putting it all together
- All the configuration for my environment lives in /etc/httpd/conf.d/splunksso.conf
- The entire configuration is here
50 Troubleshooting
- Paralleling the Windows troubleshooting, there are three great tools for troubleshooting on Linux:
  - Apache Logs (hey, it's super easy to Splunk those!)
  - Debug SSO Splunk Endpoint
  - tcpdump
51 Troubleshooting with Apache Logs
- Make sure your keytab is in the right path!
- Make sure your web server name matches your principal name!
52 Troubleshooting with Debug SSO
- Great source for ensuring your settings are correct
- Look particularly for the SSO Mode, trustedips and the Remote user HTTP Header. This has to be the same as what is seen in tcpdump
- Hopefully your setup will look just like this
53 Troubleshooting with tcpdump
- Great to verify that the reverse proxy actually works and that the settings are correct
- Look particularly for the Remote user HTTP Header
54 SAML Option
55 Core Technologies
- Working Splunk Installation
- Linux Host (CentOS 6.0 for this demo)
  - yum install xmlsec1 xmlsec1-openssl xmlsec1-openssl-devel openssl httpd mod_ssl
  - Install EPEL on your RHEL-type box to get the xmlsec1s
  - Lasso
- Apache Web Server
  - mod_auth_mellon
- SAMLv2 Identity Provider
  - Recommend that to get started, you leverage a known working partner such as Okta (used here) or PingIdentity. Then adapt to your own SAMLv2
56 High Level Process
- Install host dependencies
- Set up Identity Provider (e.g., Okta/PingIdentity/etc.)
- Set up mellon config
- Set up mod_auth_mellon config
- Based almost completely on Paul Stout's excellent guide: http://blogs.splunk.com/2013/10/09/splunk-sso-using-saml-through-okta/
57 SAMLv2 Authentication Diagram
- Users will hit the Okta Server, which will authorize them and then forward them (via POST) to the Splunk server, which does not have to be accessible to Okta (can be behind the VPN)
- Requests will then be proxied to Splunk
- Splunk will perform authorization via LDAP Groups
- Users will get a seamless authentication and authorization experience, and be greeted by the Splunk page!
58 Challenges
- The provided versions of mod_auth_mellon / lasso only work for httpd 2.2. There will be a conflict if you try to install on 2.4, and when I tried a newer version of mod_auth_mellon (0.7.0 instead of 0.5.0) it never worked, and never errored out
  - Recommend that you set up first on 2.2 (RHEL or equivalent 5.x or 6.x, verify with httpd -v) as it's a known working version
- SAMLv2 is a notoriously finicky setup with lots of moving parts. Recommend that you start with a known working combination (e.g., Okta has a no-limit free version for a single app), then make incremental changes to move to your own implementation
59 On Groups
- The major downside to SAMLv2 in Splunk is that it will only handle authentication. You will still need to set up groups to handle authorization, which would require an LDAP connection
60 Demo - Install Host Dependencies
- wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
- rpm -ivh epel-release-6-8.noarch.rpm
- yum install httpd xmlsec1 xmlsec1-openssl xmlsec1-openssl-devel mod_ssl openssl
- Disable or tune selinux (/etc/selinux/config)
- Set your hostname to match your principal name (e.g., splunk.dvsplunk.com)
- wget https://dev.entrouvert.org/redhat/6/rpms/x86_64/lasso el6.x86_64.rpm
- wget https://dev.entrouvert.org/redhat/6/rpms/x86_64/mod_auth_mellon el6.x86_64.rpm
- rpm -ivh lasso el6.x86_64.rpm
- rpm -ivh mod_auth_mellon el6.x86_64.rpm
61 Demo - Set up Identity Provider (IdP)
- Very easy with Okta
  - Add Application
  - Provide URL
  - Provide Default Relay State and username
62 Demo - Grab IdP Metadata
- Also very easy with Okta:
63 Demo - Set up Mellon Config
- Paul Stout's previously-linked-to guide includes a handy script that will set up the supporting mellon files for Splunk:
64 Demo - Set up mod_auth_mellon
- The Mellon config is pretty straightforward, and very copy-pasteable
- For an explanation of the ProxyPass configuration, please see the Linux Config section
65 Troubleshooting
- The recommended troubleshooting tools for this configuration are identical to those for normal Linux systems:
  - Apache Logs (hey, it's super easy to Splunk those!)
  - Debug SSO Splunk Endpoint
  - tcpdump
66 Troubleshooting with Apache Logs
- Make sure your keytab is in the right path!
- Make sure your web server name matches your principal name!
67 Troubleshooting with Debug SSO
- Great source for ensuring your settings are correct
- Look particularly for the SSO Mode, trustedips and the Remote user HTTP Header. This has to be the same as what is seen in tcpdump
- Hopefully your setup will look just like this
68 Troubleshooting with tcpdump
- Great to verify that the reverse proxy actually works and that the settings are correct
- Look particularly for the Remote user HTTP Header
69 Shameless Plug
70 Splunk Search Usage
- Splunk Search Usage: Analysis and Adoption Tracking, with security reports
- http://
71 Wrap Up
72 Wrap Up
- Three Options for Single Sign On:
  - Windows Web Server: Easy
  - Linux Web Server: Easy
  - SAML: Achievable, recommend a packaged solution if you need this (e.g., Okta, PingIdentity, etc.)
- SSO gives you more security, greater adoption, and less headache
- You can probably set this up in your environment in < 1 hr
- Check out the Splunk Search Usage app to better understand users and broaden adoption!
73 Config Files GitHub
- That was a lot of material, right?
- Get all the configs here: http:// sso
http://xkcd.com/565/
74 THANK YOU
More informationApp Orchestration 2.5
Configuring NetScaler 10.5 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for Prepared by: James Richards Last Updated: August 20, 2014 Contents Introduction... 3 Configure the NetScaler load
More informationNETASQ SSO Agent Installation and deployment
NETASQ SSO Agent Installation and deployment Document version: 1.3 Reference: naentno_sso_agent Page 1 / 20 Copyright NETASQ 2013 General information 3 Principle 3 Requirements 3 Active Directory user
More informationHow To Use Netscaler As An Afs Proxy
Deployment Guide Guide to Deploying NetScaler as an Active Directory Federation Services Proxy Enabling seamless authentication for Office 365 use cases Table of Contents Introduction 3 ADFS proxy deployment
More informationInvest in security to secure investments. Breaking SAP Portal. Dmitry Chastuhin Principal Researcher at ERPScan
Invest in security to secure investments Breaking SAP Portal Dmitry Chastuhin Principal Researcher at ERPScan 1 About ERPScan The only 360- degree SAP Security solu8on - ERPScan Security Monitoring Suite
More informationHow To Connect A Gemalto To A Germanto Server To A Joniper Ssl Vpn On A Pb.Net 2.Net 3.5.1 (Net 2) On A Gmaalto.Com Web Server
Application Note: Integrate Juniper SSL VPN with Gemalto SA Server SASolutions@gemalto.com October 2007 www.gemalto.com Table of contents Table of contents... 2 Overview... 3 Architecture... 5 Configure
More information1. Introduction 2. Getting Started 3. Scenario 1 - Non-Replicated Cluster 4. Scenario 2 - Replicated Cluster 5. Conclusion
1. Introduction... 1 1.1. Non-Replicated Cluster... 1 1.2. Replicated Cluster... 2 1.3. Mixing Both Options... 3 2. Getting Started... 5 3. Scenario 1 - Non-Replicated Cluster... 6 3.1. JOSSO Agent Configuration...
More informationTIBCO Spotfire Web Player 6.0. Installation and Configuration Manual
TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED
More informationAlex Wong Senior Manager - Product Management Bruce Ong Director - Product Management
Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management 1 Product Roadmap Disclaimer Any forward-looking indication of plans for products is preliminary and all future release
More informationCitrix Receiver for Mobile Devices Troubleshooting Guide
Citrix Receiver for Mobile Devices Troubleshooting Guide www.citrix.com Contents REQUIREMENTS...3 KNOWN LIMITATIONS...3 TROUBLESHOOTING QUESTIONS TO ASK...3 TROUBLESHOOTING TOOLS...4 BASIC TROUBLESHOOTING
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationNETASQ ACTIVE DIRECTORY INTEGRATION
NETASQ ACTIVE DIRECTORY INTEGRATION NETASQ ACTIVE DIRECTORY INTEGRATION RUNNING THE DIRECTORY CONFIGURATION WIZARD 2 VALIDATING LDAP CONNECTION 5 AUTHENTICATION SETTINGS 6 User authentication 6 Kerberos
More informationSecurity Provider Integration Kerberos Authentication
Security Provider Integration Kerberos Authentication 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are
More informationACE Management Server Deployment Guide VMware ACE 2.0
Technical Note ACE Management Server Deployment Guide VMware ACE 2.0 This technical note provides guidelines for the deployment of VMware ACE Management Servers, including capacity planning and best practices.
More informationMobile Applica,on and BYOD (Bring Your Own Device) Security Implica,ons to Your Business. Dmitry Dessiatnikov
Mobile Applica,on and BYOD (Bring Your Own Device) Security Implica,ons to Your Business Dmitry Dessiatnikov DISCLAIMER All informa,on in this presenta,on is provided for informa,on purposes only and in
More informationNetwork Performance Tools
Network Performance Tools Jeff Boote Internet2/R&D June 1, 2008 NANOG 43/ Brooklyn, NY Overview BWCTL OWAMP NDT/NPAD BWCTL: What is it? A resource alloca=on and scheduling daemon for arbitra=on of iperf
More informationEnabling single sign-on for Cognos 8/10 with Active Directory
Enabling single sign-on for Cognos 8/10 with Active Directory Overview QueryVision Note: Overview This document pulls together information from a number of QueryVision and IBM/Cognos material that are
More informationIntroduction to the Mobile Access Gateway
Introduction to the Mobile Access Gateway This document provides an overview of the AirWatch Mobile Access Gateway (MAG) architecture and security and explains how to enable MAG functionality in the AirWatch
More informationPerforce Helix Threat Detection OVA Deployment Guide
Perforce Helix Threat Detection OVA Deployment Guide OVA Deployment Guide 1 Introduction For a Perforce Helix Threat Analytics solution there are two servers to be installed: an analytics server (Analytics,
More informationSTABLE & SECURE BANK lab writeup. Page 1 of 21
STABLE & SECURE BANK lab writeup 1 of 21 Penetrating an imaginary bank through real present-date security vulnerabilities PENTESTIT, a Russian Information Security company has launched its new, eighth
More informationIMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS
APPLICATION NOTE IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS SAML 2.0 combines encryption and digital signature verification across resources for a more
More informationqliqdirect Active Directory Guide
qliqdirect Active Directory Guide qliqdirect is a Windows Service with Active Directory Interface. qliqdirect resides in your network/server and communicates with qliqsoft cloud servers securely. qliqdirect
More informationWireless Networks: Network Protocols/Mobile IP
Wireless Networks: Network Protocols/Mobile IP Mo$va$on Data transfer Encapsula$on Security IPv6 Problems DHCP Adapted from J. Schiller, Mobile Communications 1 Mo$va$on for Mobile IP Rou$ng based on IP
More informationDualShield Authentication Platform
Quick Start Guide (Version 5.7) Copyright 2013 Deepnet Security Limited Copyright 2013, Deepnet Security. All Rights Reserved. Page 1 Trademarks Deepnet Unified Authentication, MobileID, QuickID, PocketID,
More informationClick Studios. Passwordstate. Installation Instructions
Passwordstate Installation Instructions This document and the information controlled therein is the property of Click Studios. It must not be reproduced in whole/part, or otherwise disclosed, without prior
More informationSetup Guide Access Manager 3.2 SP3
Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE
More informationDEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010
DEPLOYMENT GUIDE Version 2.1 Deploying F5 with Microsoft SharePoint 2010 Table of Contents Table of Contents Introducing the F5 Deployment Guide for Microsoft SharePoint 2010 Prerequisites and configuration
More informationEnabling Kerberos SSO in IBM Cognos Express on Windows Server 2008
Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008 Nature of Document: Guideline Product(s): IBM Cognos Express Area of Interest: Infrastructure 2 Copyright and Trademarks Licensed Materials
More informationSchoolBooking SSO Integration Guide
SchoolBooking SSO Integration Guide Before you start This guide has been written to help you configure SchoolBooking to operate with SSO (Single Sign on) Please treat this document as a reference guide,
More informationNovell Access Manager
Access Gateway Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP2 November 16, 2010 www.novell.com Novell Access Manager 3.1 SP2 Access Gateway Guide Legal Notices Novell, Inc., makes no representations
More informationDEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12
DEPLOYMENT GUIDE Version 1.2 Deploying F5 with Oracle E-Business Suite 12 Table of Contents Table of Contents Introducing the BIG-IP LTM Oracle E-Business Suite 12 configuration Prerequisites and configuration
More informationIntroductions. Christopher Cognetta Practice Manager Client Field Engineering Microsoft Dynamics CRM MVP chris.cognetta@tribridge.
Hosted by Introductions Christopher Cognetta Practice Manager Client Field Engineering Microsoft Dynamics CRM MVP chris.cognetta@tribridge.com CRMUG Chairperson Miami & Tampa Co Chair 250+ Dynamics CRM
More informationEmail/Endpoint Security and More Rondi Jamison
Email/Endpoint Security and More Rondi Jamison Sr. Marke)ng Manager - Enterprise Security Strategy Agenda 1 Why Symantec? 2 Partnership 3 APS2 Packages 4 What s next Copyright 2014 Symantec Corpora)on
More informationKerberos and Single Sign On with HTTP
Kerberos and Single Sign On with HTTP Joe Orton Senior Software Engineer, Red Hat Overview Introduction The Problem Current Solutions Future Solutions Conclusion Introduction WebDAV: common complaint of
More informationTIBCO Spotfire Platform IT Brief
Platform IT Brief This IT brief outlines features of the system: Communication security, load balancing and failover, authentication options, and recommended practices for licenses and access. It primarily
More informationDell One Identity Cloud Access Manager 8.0.1 - How to Configure Microsoft Office 365
Dell One Identity Cloud Access Manager 8.0.1 - How to Configure Microsoft Office 365 May 2015 This guide describes how to configure Microsoft Office 365 for use with Dell One Identity Cloud Access Manager
More informationENTERPRISE LINUX SECURITY ADMINISTRATION
ENTERPRISE LINUX SECURITY ADMINISTRATION This highly technical course focuses on properly securing machines running the Linux operating systems. A broad range of general security techniques such as packet
More informationv7.8.2 Release Notes for Websense Content Gateway
v7.8.2 Release Notes for Websense Content Gateway Topic 60086 Web Security Gateway and Gateway Anywhere 12-Mar-2014 These Release Notes are an introduction to Websense Content Gateway version 7.8.2. New
More informationIIS SECURE ACCESS FILTER 1.3
OTP SERVER INTEGRATION MODULE IIS SECURE ACCESS FILTER 1.3 Copyright, NordicEdge, 2006 www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 1 of 14 1 Introduction 1.1 Overview Nordic Edge One Time Password
More informationTesting New Applications In The DMZ Using VMware ESX. Ivan Dell Era Software Engineer IBM
Testing New Applications In The DMZ Using VMware ESX Ivan Dell Era Software Engineer IBM Agenda Problem definition Traditional solution The solution with VMware VI Remote control through the firewall Problem
More informationSAP NetWeaver Fiori. For more information, see "Creating and enabling a trusted provider for Centrify" on page 108-10.
Chapter 108 Configuring SAP NetWeaver Fiori The following is an overview of the steps required to configure the SAP NetWeaver Fiori Web application for single sign-on (SSO) via SAML. SAP NetWeaver Fiori
More informationDell One Identity Cloud Access Manager 8.0.1 - How to Configure for SSO to SAP NetWeaver using SAML 2.0
Dell One Identity Cloud Access Manager 8.0.1 - How to Configure for SSO to SAP NetWeaver using SAML 2.0 May 2015 About this guide Prerequisites and requirements NetWeaver configuration Legal notices About
More information