Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Size: px
Start display at page:

Download "Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion."

Transcription

1 Web Services Security: OpenSSO and Access Management for SOA Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.com 1

2 Agenda Need for Identity-based Web services security Single Sign-On (SSO) within an enterprise SSO across enterprises (Federated SSO) Use case scenario Identity Services OpenSSO 2

3 Need for Identity-Based Web Services Security

4 Transport Level Security End User Web Service Consumer Web Service Provider 4

5 Transport Level Security!= Identity Difficult choice between > No client authentication > Client authentication via certificates Scope of protection is limited to individual 'hops' Even with client authentication, no real non-repudiation due to difficulty of archiving and verifying message flow TLS/SSL is still essential for confidentiality and integrity at the transport level, but is not enough we need a solution at the message level 5

6 Basic Web Services Security Identity Provider End User Web Service Consumer Web Service Provider 6

7 Message Level Security Getting There Identity token carried in SOAP header > WS-Security, WS-I Basic Security Profile > Industry has converged on SAML Assertion as the token SAML allows for bearer tokens, holder-of-key tokens, audience restrictions etc Token can be archived with message But... restricting the audience to the immediate recipient leaves us with similarly limited scope of protection one hop 7

8 Requirements for Web Service Identity Identify the end user Locate the service Preserve identity > Across multiple 'hops' > Across domain boundaries > Across vendors' products Using existing technologies and idioms Maintaining privacy 8

9 Identity Web Services Identity Provider Discovery Service End User Web Service Consumer Web Service Provider 9

10 Scaling Out Identity Provider Discovery Service Web Service Provider Principal Web Service Consumer Web Service Provider/ Consumer Web Service Provider 10

11 Single Sign On (SSO) Mechanism Within an Enterprise

12 Enterprise Problems Every application wants me to log in! I have too many passwords my monitor is covered in Post-its! We're implementing Sarbanes-Oxley we need to control access to applications! We need to access outsourced functions! Our partners need to access our applications! 12

13 Web Access Management Simplest scenario is intra-enterprise Factor authentication and authorization out of web applications into web access management (WAM) solution Can use browser cookies within a DNS domain Proxy or Agent architecture implements role-based access control (RBAC) Benefits > Users get single sign-on > IT gets control 13

14 SSO Within an Enterprise Web Server Web Server SSO Server Application Server End User 14

15 How It Works SSO Server Browser Agent GET hrapp/index.html Application Redirect to SSO Server Authenticate SSO cookie GET hrapp/index.html (with SSO cookie) Is this user allowed to access hrapp/index.html? Yes! Allow request to proceed Application response 15

16 Sun Access Manager as SSO Solution Within an Enterprise

17 Web Access Management Products Sun Java System Access Manager > OpenSSO based CA (Netegrity) SiteMinder Access Manager IBM Tivoli Access Manager Oracle (Oblix) Access Manager Novell Access Maneger JA-SIG CAS JOSSO 17

18 How Access Manager Works Intercept access to a (web) resource Authenticate the user (lots of ways to do this) Issue a token (HTTP session cookie) Repeat: > > > > Intercept access to resource Use token to authorize access based on policies Provide identity attributes & data to resource Log everything that happens Until session expires or user logs out 18

19 How Access Manager Works Access Manager agents are installed to protect web resources (web sites or web-based applications) Agents interact with Access Manager policy server to handle authentication, single sign-on, and authorization requests Web User Web Agen or Applicationt Server Web or Agen Applicatio t n Server Access Manager Policy Server Directory 19

20 Login Process Initial Sign-On Process 1) Page request, but no SSOToken 2) Redirect to authentication page 3) Redirect back to original page/resource (with SSOToken) 4) Agent validates token 1 Web User 2 Web Server 3 Agen t 4 Agen t Web Server Access Manager Policy Server Directory 20

21 Web Single Sign-On (simple version) Accessing subsequent sites or applications: 1) Page request (with SSOToken) 2) Agent validates token Variations on this for sites in different DNS domains and federation (not explained or depicted here) Web User 1 Web Server Agen t 2 Agen t Web Server Access Manager Policy Server Directory 21

22 Access Manager Architecture Web Browser HTTP(S) C Applications Web / Application Server Web / J2EE Container Java Applications SDK Policy Agent Distributed Auth SDK XML/HTTP(S) HTTP(S) XML/HTTP(S) Web / J2EE Container Access Manager Services Java Applications SDK Java APIs Access Manager APIs Admin CLI (XML) Access Manager Framework SPI (Service Provider Interface) Plugin Modules Custom Plugin Modules Plugin Modules Provided by Sun Java System Access Manager Custom Plugin Modules Sun Java System Directory Server Java APIs 22

23 Enterprise Problems Every application wants me to log in! I have too many passwords my monitor is covered in Post-its! We're implementing Sarbanes-Oxley we need to control access to applications! We need to access outsourced functions! Our partners need to access our applications! 23

24 Single Sign On Across Enterprises (Federated SSO)

25 Single Sign-On Across Enterprises (Federated SSO) Cookies no longer work > Need a more sophisticated protocol Can't mandate single vendor solution > Need standards for interoperability 25

26 Single Sign-On Standards Liberty Phase 1 Liberty Federation Liberty ID-FF 1.1,1.2 = SAML1 SAML1.1 Shibboleth 1.0,1.1 SAML2 Shibboleth 1.2 WS-Federation WS-Federation

27 SAML 2.0 Concepts Profiles Combining protocols, bindings, and assertions to support a defined use case Bindings Mapping SAML protocols onto standard messaging or communication protocols Authentication Context Detailed data on types and strengths of authentication Protocols Request/response pairs for obtaining assertions and doing ID management Assertions Authentication, attribute and entitlement information Metadata IdP and SP configuration data 27

28 SSO Across Enterprises (Federated SSO) Service Provider Service Provider Identity Provider Service Provider End User 28

29 Federated SSO (via SAML) Identity Provider Browser Service Provider GET hrapp/index.html Redirect with SAML Request SAML Authentication Request Authenticate HTML form with SAML Response SAML Response Response Service Provider examines SAML Response and makes access control decision 29

30 The Federated SSO Concept Log in Web User Be recognized Excite.com (Authentication authority) Pets.com (Relying party) 30

31 Federated SSO Example (1 of 2) 2 User is redirected to Identity Provider. User logs in. Authentication Authority (IdP) 3 User is authenticated. Web User 1 Service Provider uses HTTP redirect or form post to Identity Provider. Relying Party (SP) 31

32 Federated SSO Example (2 of 2) 4 Redirect back to the Service Provider with a nonce embedded in the URL. Authentication Authority 6 Web User 5 Relying party receives nonce in the redirect process. Relying party invokes SAML-based web service to obtain an authentication assertion. Relying Party 32

33 SAML 2.0 Assertion (Abbreviated!) <Assertion Version="2.0" ID="..." IssueInstant=" T16:42:28Z"> <Issuer> <Signature>...</Signature> <saml:subject> <saml:nameid Format="urn:oasis:...:persistent"...> ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M </saml:nameid> <saml:subjectconfirmation Method="urn:oasis:...:bearer"> <saml:subjectconfirmationdata.../> </saml:subjectconfirmation> </saml:subject> <saml:conditions NotBefore=" T16:42:28Z" NotOnOrAfter=" T16:52:28Z"> <saml:audiencerestriction> <saml:audience> </saml:audience> </saml:audiencerestriction> </saml:conditions> <saml:authnstatement AuthnInstant=" T16:42:28Z"...> <saml:authncontext> <saml:authncontextclassref> urn:oasis:...:passwordprotectedtransport </saml:authncontextclassref> </saml:authncontext> </saml:authnstatement> </saml:assertion> 33

34 SAML 2.0 Adoption Sun, IBM, CA all the usual suspects, except Microsoft OpenSSO (Sun) > Java, PHP, Ruby OpenSAML (Internet2) > Java, C++ SimpleSAMLphp (Feide) LASSO (Entr'ouvert) > C/SWIG ZXID (Symlabs) > C/SWIG 34

35 Liberty Identity Web Services Framework (ID-WSF) Dynamic service discovery and addressing Common web services transport mechanisms to apply identity-aware message security Abstractions and optimizations to allow anything including client devices to host identity services Unified data access/management model for developers Flexibility to develop arbitrary new services User privacy through use of pseudonyms 35

36 ID-WSF 2.0 February 2005 October 2006 SAML 2.0 > Bootstrap from SAML 2.0 single sign-on > SAML 2.0 tokens People Service > End user group, role management > Cross-provider principal references Subscription, notification > Building on Data Services Template (DST) specification 36

37 Identity Services

38 Identity Services Authentication, Authorization, Audit, and Provisioning (AAAP) exposed as Services Focused on enabling developers, simplifying security Container plug-ins for runtime injection and validation of Identity Tokens > Glassfish, WebSphere, WebLogic; possibly Tomcat, JBOSS Reusable AAAP services as building blocks for Business Integration and Composite Applications Supported on developers IDEs of choice > NetBeans, Eclipse, Visual Studio 38

39 Why Identity Services? AAAP are core services in any identity-enabled application whether for security or personalization Injecting and consuming identity in applications must get easier > Runtime configuration for container as opposed to building into application Essential elements for building a Secure Service Oriented Architecture (SOA) 39

40 Why Identity Services? Developers: > > > > Aren t focused on identity, not a core competency Need Identity Services exposed as basic building blocks Want to focus on business logic, not the identity implementation Prefer writing secure applications over security code 40

41 OpenSSO

42 What is OpenSSO? Provides an extensible implementation of an identity services infrastructure that will facilitate single sign-on for web applications hosted on web servers and application servers. Provides open, standards-based authentication and policy-based authorization with a single, unified framework Based on Sun Java System Access Manager/Federation Manager codebase Delivered as a simple WAR file that can be deployed in minutes. 42

43 What's in OpenSSO? 3 main features > Authentication & Single Sign-On > Centralized Authorization Services (Access Control) > Federation Provides the following: > > > > > > User Session Management Authentication Service Policy-based Authorization Service SAML Service Federation Service Logging Service 43

44 Identity Services through OpenSSO 44

45 OpenSSO Architecture Integrated Console Authentication Management Authentication Admin Utilities Policy Management Federation Management Authorization CLI Single Sign-on Access Manager Server Web Policy Agents Authentication Service Policy Service Session Service SAML Service Identity Repository Service Realms Delegation Service Logging Services Liberty Service J2EE Policy Agents WS Security Agents Client SDK Data Store AM Information Tree Identity Repository 45

46 Loan Processing Use Case Scenario Loan Requestor Loan Request JSP Composite Application Loan Request Loan Processor Jane requesting for Loan WSDL WSDL WSDL WSDL Access Manager Server Integrated Console Web Policy Agents Authentication Service Policy Service Session Service SAML Service Identity Repository Service Realms Delegation Service Logging Services Liberty Service J2EE Policy Agents WS Security Agents Client SDK 46

47 Participate! OpenSSO web site - > Join now! Downloads > Try it out! Mailing Lists > dev, users, announce IRC Channel - #opensso > Real-time > On-line community 47

48 Web Services Security: OpenSSO and Access Management for SOA Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.com 48 48

49 Example Use Case Scenario

50 Example: Loan Processing Application Loan Requestor Loan Request JSP Composite Application Loan Request Loan Processor Jane requesting for Loan YES/NO Ship Notice Is Loan Approved Ship Notice 50

51 Example: Loan Processing Application 1.User Authentication at JSP 2.Secure Web Service Communication from JSP to CA > User Identity must be forwarded to CA 3.CA must authenticate web service request 4.CA may authorize the operation 5.CA may obtain the identity's profile 6.CA's outbound service call(s) to Loan Processor(s) > Secure the communication > Identity Federation 51

52 Requirements for Web Service Identity Identify the Principal Locate the Service Preserve Identity > Across multiple hops > Across domain boundaries > Across vendors' products Using existing technologies and idioms Maintaining privacy 52

53 Authentication Service User Credential Validation Loan Requestor > Username & Password > Liberty ID-WSF Authentication Service > X.509 > Kerberos > Generic Callbacks Security Token Generation & Validation > Liberty Discovery Service > WS-Trust (STS) > Kerberos Loan Request JSP Composite Application Jane requesting for Loan Authentication Service 53

54 Authorization Service Based on Authenticated Identity Access Control Policies XACML Fine-grain policies Loan Requestor JSP Composite Loan Request Loan Processor Application AuthZ Service AuthZ Service 54

55 Provisioning Service User Provisioning & Self-registration User Profile Management Workflow Loan Requestor SPML Loan Request JSP CompositeLoan Request Loan Processor Application Jane requesting for Loan Identity Store Identity Store 55

56 Federated Identities Account Linking Liberty ID-FF SAML v2 WS-Federation Loan Requestor JSP Composite Loan Request Loan Processor Application Identity Store Account Federation Identity Store 56

57 Configuration Mechanisms Using APIs (product specific APIs) WSIT, JSR 196 (Java Authentication Service Provider Interface for Containers) Plugin Policy Agent plugin for standard Application Servers JAX-WS Handlers Servlet filter 57

58 Container Plugins Loan Requestor Loan Request JSP Composite Application Loan Request Loan Processor Jane requesting for Loan User Authentication * Set Subject * Self Registration * Profile Management *... * Authenticate Request * Message Integrity * Authorize Request * Set Subject *... * Secure Web Service * Message Integrity * Confidentiality * Profile Attributes *... * 58

Open Source Identity Integration with OpenSSO

Open Source Identity Integration with OpenSSO Open Source Identity Integration with OpenSSO April 19, 2008 Pat Patterson Federation Architect pat.patterson@sun.com blogs.sun.com/superpat Agenda Web Access Management > The Problem > The Solution >

More information

Secure the Web: OpenSSO

Secure the Web: OpenSSO Secure the Web: OpenSSO Sang Shin, Technology Architect Sun Microsystems, Inc. javapassion.com Pat Patterson, Principal Engineer Sun Microsystems, Inc. blogs.sun.com/superpat 1 Agenda Need for identity-based

More information

OpenSSO: Simplify Your Single-Sign-On Needs. Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com

OpenSSO: Simplify Your Single-Sign-On Needs. Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com OpenSSO: Simplify Your Single-Sign-On Needs Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com 1 Agenda Enterprise security needs What is OpenSSO? OpenSSO features > > > > SSO and

More information

Software Requirement Specification Web Services Security

Software Requirement Specification Web Services Security Software Requirement Specification Web Services Security Federation Manager 7.5 Version 0.3 (Draft) Please send comments to: dev@opensso.dev.java.net This document is subject to the following license:

More information

Federated Identity Management Solutions

Federated Identity Management Solutions Federated Identity Management Solutions Jyri Kallela Helsinki University of Technology jkallela@cc.hut.fi Abstract Federated identity management allows users to access multiple services based on a single

More information

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE Identity Management in Liferay Overview and Best Practices Liferay Portal 6.0 EE Table of Contents Introduction... 1 IDENTITY MANAGEMENT HYGIENE... 1 Where Liferay Fits In... 2 How Liferay Authentication

More information

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines Ameritas Single Sign-On (SSO) and Enterprise SAML Standard Architectural Implementation, Patterns and Usage Guidelines 1 Background and Overview... 3 Scope... 3 Glossary of Terms... 4 Architecture Components...

More information

An Oracle White Paper Dec 2013. Oracle Access Management Security Token Service

An Oracle White Paper Dec 2013. Oracle Access Management Security Token Service An Oracle White Paper Dec 2013 Oracle Access Management Security Token Service Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only,

More information

Interoperable Provisioning in a Distributed World

Interoperable Provisioning in a Distributed World Interoperable Provisioning in a Distributed World Mark Diodati, Burton Group Ramesh Nagappan, Sun Microsystems Sampo Kellomaki, SymLabs 02/08/07 IAM 302 Contacts Mark Diodati (mdiodati@burtongroup.com)

More information

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact Robert C. Broeckelmann Jr., Enterprise Middleware Architect Ryan Triplett, Middleware Security Architect Requirements

More information

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae Masdar Institute Single Sign-On: Standards-based Identity Federation John Mikhael ICT Department jmikhael@masdar.ac.ae Agenda The case for Single Sign-On (SSO) Types of SSO Standards-based Identity Federation

More information

Biometric Single Sign-on using SAML

Biometric Single Sign-on using SAML Biometric Single Sign-on using SAML Architecture & Design Strategies Ramesh Nagappan CISSP Ramesh.Nagappan@sun.com 1 Setting Expectations What you can take away! Understand the importance of Single Sign-On

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

New Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation

New Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation New Single Sign-on Options for IBM Lotus Notes & Domino 2012 IBM Corporation IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole

More information

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere. OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere. OpenAM, the only all-in-one open source access management solution, provides the

More information

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM Training. @aidy_idm facebook/allidm

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM Training. @aidy_idm facebook/allidm Discovering IAM Solutions Leading the IAM Training @aidy_idm facebook/allidm SSO Introduction Disclaimer and Acknowledgments The contents here are created as a own personal endeavor and thus does not reflect

More information

Authentication Methods

Authentication Methods Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the

More information

Perceptive Experience Single Sign-On Solutions

Perceptive Experience Single Sign-On Solutions Perceptive Experience Single Sign-On Solutions Technical Guide Version: 2.x Written by: Product Knowledge, R&D Date: January 2016 2016 Lexmark International Technology, S.A. All rights reserved. Lexmark

More information

Internet Single Sign-On Systems

Internet Single Sign-On Systems Internet Single Sign-On Systems Radovan SEMANČÍK nlight, s.r.o. Súľovská 34, 812 05 Bratislava, Slovak Republic semancik@nlight.sk Abstract. This document describes the requirements and general principles

More information

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Implementation Guide SAP NetWeaver Identity Management Identity Provider Implementation Guide SAP NetWeaver Identity Management Identity Provider Target Audience Technology Consultants System Administrators PUBLIC Document version: 1.10 2011-07-18 Document History CAUTION Before

More information

Single Sign On. SSO & ID Management for Web and Mobile Applications

Single Sign On. SSO & ID Management for Web and Mobile Applications Single Sign On and ID Management Single Sign On SSO & ID Management for Web and Mobile Applications Presenter: Manish Harsh Program Manager for Developer Marketing Platforms of NVIDIA (Visual Computing

More information

PingFederate. SSO Integration Overview

PingFederate. SSO Integration Overview PingFederate SSO Integration Overview 2006-2012 Ping Identity Corporation. All rights reserved. PingFederate SSO Integration Overview Version 6.6 January, 2012 Ping Identity Corporation 1001 17th Street,

More information

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9 CA Adapter Installation and Configuration Guide for Windows r2.2.9 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Federated Identity in the Enterprise

Federated Identity in the Enterprise www.css-security.com 425.216.0720 WHITE PAPER The proliferation of user accounts can lead to a lowering of the enterprise security posture as users record their account information in order to remember

More information

Single Sign On In A CORBA-Based

Single Sign On In A CORBA-Based Single Sign On In A CORBA-Based Based Distributed System Igor Balabine IONA Security Architect Outline A standards-based framework approach to the Enterprise application security Security framework example:

More information

Securely Managing and Exposing Web Services & Applications

Securely Managing and Exposing Web Services & Applications Securely Managing and Exposing Web Services & Applications Philip M Walston VP Product Management Layer 7 Technologies Layer 7 SecureSpan Products Suite of security and networking products to address the

More information

OPENIAM ACCESS MANAGER. Web Access Management made Easy

OPENIAM ACCESS MANAGER. Web Access Management made Easy OPENIAM ACCESS MANAGER Web Access Management made Easy TABLE OF CONTENTS Introduction... 3 OpenIAM Access Manager Overview... 4 Access Gateway... 4 Authentication... 5 Authorization... 5 Role Based Access

More information

Extending DigiD to the Private Sector (DigiD-2)

Extending DigiD to the Private Sector (DigiD-2) TECHNISCHE UNIVERSITEIT EINDHOVEN Department of Mathematics and Computer Science MASTER S THESIS Extending DigiD to the Private Sector (DigiD-2) By Giorgi Moniava Supervisors: Eric Verheul (RU, PwC) L.A.M.

More information

Federated Identity Architectures

Federated Identity Architectures Federated Identity Architectures Uciel Fragoso-Rodriguez Instituto Tecnológico Autónomo de México, México {uciel@itam.mx} Maryline Laurent-Maknavicius CNRS Samovar UMR 5157, GET Institut National des Télécommunications,

More information

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain Title: A Client Middleware for Token-Based Unified Single Sign On to edugain Sascha Neinert Computing Centre University of Stuttgart, Allmandring 30a, 70550 Stuttgart, Germany e-mail: sascha.neinert@rus.uni-stuttgart.de

More information

Biometric Single Sign-on using SAML Architecture & Design Strategies

Biometric Single Sign-on using SAML Architecture & Design Strategies Biometric Single Sign-on using SAML Architecture & Design Strategies Ramesh Nagappan Java Technology Architect Sun Microsystems Ramesh.Nagappan@sun.com 1 Setting Expectations What you can take away! Understand

More information

NetworkingPS Federated Identity Solution Solutions Overview

NetworkingPS Federated Identity Solution Solutions Overview NetworkingPS Federated Identity Solution Solutions Overview OVERVIEW As the global marketplace continues to expand, new and innovating ways of conducting business are becoming a necessity in order for

More information

THE NEW DIGITAL EXPERIENCE

THE NEW DIGITAL EXPERIENCE steffo.weber@oracle.com SECURING THE NEW DIGITAL EXPERIENCE Dr Steffo Weber, Oracle BridgFilling the UX gap for mobile enterprise applications. May,-2014 Latest Entries Protecting IDPs from malformed SAML

More information

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access

More information

WebNow Single Sign-On Solutions

WebNow Single Sign-On Solutions WebNow Single Sign-On Solutions Technical Guide ImageNow Version: 6.7. x Written by: Product Documentation, R&D Date: June 2015 2012 Perceptive Software. All rights reserved CaptureNow, ImageNow, Interact,

More information

Single Sign-on (SSO) technologies for the Domino Web Server

Single Sign-on (SSO) technologies for the Domino Web Server Single Sign-on (SSO) technologies for the Domino Web Server Jane Marcus December 7, 2011 2011 IBM Corporation Welcome Participant Passcode: 4297643 2011 IBM Corporation 2 Agenda USA Toll Free (866) 803-2145

More information

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents Farrukh Najmi and Eve Maler farrukh.najmi@sun.com, eve.maler@sun.com Sun Microsystems, Inc. Goals for today's

More information

CA SiteMinder. Implementation Guide. r12.0 SP2

CA SiteMinder. Implementation Guide. r12.0 SP2 CA SiteMinder Implementation Guide r12.0 SP2 This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for your informational purposes only

More information

THE NEW DIGITAL EXPERIENCE

THE NEW DIGITAL EXPERIENCE steffo.weber@oracle.com maximilian.liesegang@esentri.com SECURING THE NEW DIGITAL EXPERIENCE Steffo Weber, Oracle & Max Liesegang, esentri BridgFilling the UX gap for mobile enterprise applications. May,-2014

More information

OpenSSO: Cross Domain Single Sign On

OpenSSO: Cross Domain Single Sign On OpenSSO: Cross Domain Single Sign On Version 0.1 History of versions Version Date Author(s) Changes 0.1 11/30/2006 Dennis Seah Contents Initial Draft. 1 Introduction 1 2 Single Domain Single Sign-On 2

More information

Identity Server Guide Access Manager 4.0

Identity Server Guide Access Manager 4.0 Identity Server Guide Access Manager 4.0 June 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF

More information

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver SAP Product Management, SAP NetWeaver Identity Management

More information

SAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog

SAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog SAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog IIWb, Mountain View, CA, 4 December 2006 1 When you distribute identity tasks and information in the

More information

Federated Identity and Single Sign-On using CA API Gateway

Federated Identity and Single Sign-On using CA API Gateway WHITE PAPER DECEMBER 2014 Federated Identity and Single Sign-On using Federation for websites, Web services, APIs and the Cloud K. Scott Morrison VP Engineering and Chief Architect 2 WHITE PAPER: FEDERATED

More information

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011 NetWeaver Single Sign-On Product Management NetWeaver Identity Management & Security June 2011 Agenda NetWeaver Single Sign-On: Solution overview Key benefits of single sign-on Solution positioning Identity

More information

Access Management Analysis of some available solutions

Access Management Analysis of some available solutions Access Management Analysis of some available solutions Enterprise Security & Risk Management May 2015 Authors: Yogesh Kumar Sharma, Kinshuk De, Dr. Sundeep Oberoi Access Management - Analysis of some available

More information

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS APPLICATION NOTE IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS SAML 2.0 combines encryption and digital signature verification across resources for a more

More information

Novell Access Manager

Novell Access Manager Novell Access Manager Product Overview Kiran Mova Agenda Introduction Architecture IDP AG SSL VPN Administration Console How it works? Web SSO Federation SSO Protect HTTP Resources Protect non-http Resources

More information

T-Check in Technologies for Interoperability: Web Services and Security Single Sign-On

T-Check in Technologies for Interoperability: Web Services and Security Single Sign-On T-Check in Technologies for Interoperability: Web Services and Security Single Sign-On Lutz Wrage Soumya Simanta Grace A. Lewis Saul Jaspan December 2007 TECHNICAL NOTE CMU/SEI-2008-TN-026 Integration

More information

Authentication Integration

Authentication Integration Authentication Integration VoiceThread provides multiple authentication frameworks allowing your organization to choose the optimal method to implement. This document details the various available authentication

More information

Crawl Proxy Installation and Configuration Guide

Crawl Proxy Installation and Configuration Guide Crawl Proxy Installation and Configuration Guide Google Enterprise EMEA Google Search Appliance is able to natively crawl secure content coming from multiple sources using for instance the following main

More information

New Generation of Liberty. for Enterprise. Fulup Ar Foll, Sun Microsystems Fulup@sun.com

New Generation of Liberty. for Enterprise. Fulup Ar Foll, Sun Microsystems Fulup@sun.com New Generation of Liberty TEG Federated Progress Architecture Update for Enterprise Fulup Ar Foll, Sun Microsystems fulup@sun.com 1 Identity Framework Problematic User Seamless (nothing is too simple)

More information

This Working Paper provides an introduction to the web services security standards.

This Working Paper provides an introduction to the web services security standards. International Civil Aviation Organization ATNICG WG/8-WP/12 AERONAUTICAL TELECOMMUNICATION NETWORK IMPLEMENTATION COORDINATION GROUP EIGHTH WORKING GROUP MEETING (ATNICG WG/8) Christchurch New Zealand

More information

Identity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH

Identity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH Identity opens the participation age Open Web Single Sign- On und föderierte SSO Dr. Rainer Eschrich Program Manager Identity Management Sun Microsystems GmbH Agenda The Identity is the Network Driving

More information

Introduction to Oracle WebLogic. Presented by: Fatna Belqasmi, PhD, Researcher at Ericsson

Introduction to Oracle WebLogic. Presented by: Fatna Belqasmi, PhD, Researcher at Ericsson Introduction to Oracle WebLogic Presented by: Fatna Belqasmi, PhD, Researcher at Ericsson Agenda Overview Download and installation A concrete scenario using the real product Hints for the project Overview

More information

JVA-122. Secure Java Web Development

JVA-122. Secure Java Web Development JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard

More information

FTP-Stream Integrating Active Directory Federation Services

FTP-Stream Integrating Active Directory Federation Services FTP-Stream Integrating Active Directory Federation Services 1 Overview Active Directory Federation Services (ADFS) is a standards-based service that allows the secure sharing of identity information between

More information

Stronger Authentication with Biometric SSO

Stronger Authentication with Biometric SSO Stronger Authentication with Biometric SSO using OpenSSO Enterprise and BiObex TM Ramesh Nagappan Sun Microsystems, Burlington, MA ramesh.nagappan@sun.com http://www.coresecuritypatterns.com/blogs Setting

More information

The Top 5 Federated Single Sign-On Scenarios

The Top 5 Federated Single Sign-On Scenarios The Top 5 Federated Single Sign-On Scenarios Table of Contents Executive Summary... 1 The Solution: Standards-Based Federation... 2 Service Provider Initiated SSO...3 Identity Provider Initiated SSO...3

More information

Liberty Alliance. What's After Federation. Fulup Ar Foll Master Architect Sun Microsystems

Liberty Alliance. What's After Federation. Fulup Ar Foll Master Architect Sun Microsystems Liberty Alliance What's After Federation Fulup Ar Foll Master Architect Sun Microsystems What's About Federation Federation of providers (CoT), a group of entities providing services who signed agreement,

More information

White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution

White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution Federation and Attribute Based Access Control Page 2 Realization of the IAM (R)evolution Executive Summary Many organizations

More information

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning. PingFederate We went with PingFederate because it s based on standards like SAML, which are important for a secure implementation. John Davidson Senior Product Manager, Opower PingFederate is the leading

More information

Using SAML for Single Sign-On in the SOA Software Platform

Using SAML for Single Sign-On in the SOA Software Platform Using SAML for Single Sign-On in the SOA Software Platform SOA Software Community Manager: Using SAML on the Platform 1 Policy Manager / Community Manager Using SAML for Single Sign-On in the SOA Software

More information

Oracle WebLogic Foundation of Oracle Fusion Middleware. Lawrence Manickam Toyork Systems Inc www.toyork.com http://ca.linkedin.

Oracle WebLogic Foundation of Oracle Fusion Middleware. Lawrence Manickam Toyork Systems Inc www.toyork.com http://ca.linkedin. Oracle WebLogic Foundation of Oracle Fusion Middleware Lawrence Manickam Toyork Systems Inc www.toyork.com http://ca.linkedin.com/in/lawrence143 History of WebLogic WebLogic Inc started in 1995 was a company

More information

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

Securing WebFOCUS A Primer. Bob Hoffman Information Builders Securing WebFOCUS A Primer Bob Hoffman Information Builders 1 Agenda Gain an understanding of the WebFOCUS Architecture Where can security be implemented? Review the internal WebFOCUS repository and resource

More information

The Challenges of Web single sign-on

The Challenges of Web single sign-on Serge Vereecke Security Architect IBM Security Services serge_vereecke@be.ibm.com The Challenges of Web single sign-on GSE Event September 7, 2012 Agenda Single sign-on technology Why single sign-on Challenges

More information

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2012, Oracle and/or its affiliates. All rights reserved. 1 OTM and SOA Mark Hagan Principal Software Engineer Oracle Product Development Content What is SOA? What is Web Services Security? Web Services Security in OTM Futures 3 PARADIGM 4 Content What is SOA?

More information

CA Single Sign-On Migration Guide

CA Single Sign-On Migration Guide CA Single Sign-On Migration Guide Web access management (WAM) systems have been a part of enterprises for decades. It is critical to control access and audit applications while reducing the friction for

More information

IBM WebSphere Application Server

IBM WebSphere Application Server IBM WebSphere Application Server SAML 2.0 web single-sign-on 2012 IBM Corporation This presentation describes support for SAML 2.0 web browser Single Sign On profile included in IBM WebSphere Application

More information

SCUR203 Why Do We Need Security Standards?

SCUR203 Why Do We Need Security Standards? SCUR203 Why Do We Need Security Standards? Cristina Buchholz Product Security, SAP Learning Objectives As a result of this workshop, you will be able to: Recognize the need for standardization Understand

More information

Distributed Identity Management Model for Digital Ecosystems

Distributed Identity Management Model for Digital Ecosystems International Conference on Emerging Security Information, Systems and Technologies Distributed Identity Management Model for Digital Ecosystems Hristo Koshutanski Computer Science Department University

More information

NetIQ Access Manager. Developer Kit 3.2. May 2012

NetIQ Access Manager. Developer Kit 3.2. May 2012 NetIQ Access Manager Developer Kit 3.2 May 2012 Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON DISCLOSURE

More information

Security Services. Benefits. The CA Advantage. Overview

Security Services. Benefits. The CA Advantage. Overview PRODUCT BRIEF: CA SITEMINDER FEDERATION SECURITY SERVICES CA SiteMinder Federation Security Services CA SITEMINDER FEDERATION SECURITY SERVICES EXTENDS THE WEB SINGLE SIGN-ON EXPERIENCE PROVIDED BY CA

More information

Securing Enterprise: Employability and HR

Securing Enterprise: Employability and HR 1 Securing Enterprise: Employability and HR Federation and XACML as Security and Access Control Layer Open Standards Forum 2 Employability and HR Vertical Multiple Players - Excellent case for federation

More information

Flexible Identity Federation

Flexible Identity Federation Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services

More information

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies Guideline Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies Product(s): IBM Cognos 8 BI Area of Interest: Security Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies 2 Copyright

More information

Introduction to SAML

Introduction to SAML Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

Identity Federation Management to make Operational and Business Efficiency through SSO

Identity Federation Management to make Operational and Business Efficiency through SSO 2012 International Conference on Industrial and Intelligent Information (ICIII 2012) IPCSIT vol.31 (2012) (2012) IACSIT Press, Singapore Identity Federation Management to make Operational and Business

More information

The Primer: Nuts and Bolts of Federated Identity Management

The Primer: Nuts and Bolts of Federated Identity Management The Primer: Nuts and Bolts of Federated Identity Management Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities. With so

More information

DirX Access V8.4. Web Access Management and Identity Federation. Technical Data Sheet

DirX Access V8.4. Web Access Management and Identity Federation. Technical Data Sheet Technical Data Sheet DirX Access V8.4 Web Access Management and Identity Federation DirX Access is a comprehensive, cloud-ready, scalable, and highly available access management solution providing policy-based

More information

SAML SSO Configuration

SAML SSO Configuration SAML SSO Configuration Overview of Single Sign-, page 1 Benefits of Single Sign-, page 2 Overview of Setting Up SAML 2.0 Single Sign-, page 3 SAML 2.0 Single Sign- Differences Between Cloud-Based Meeting

More information

The Role of Federation in Identity Management

The Role of Federation in Identity Management The Role of Federation in Identity Management August 19, 2008 Andrew Latham Solutions Architect Identity Management 1 The Role of Federation in Identity Management Agenda Federation Backgrounder Federation

More information

Enabling SAML for Dynamic Identity Federation Management

Enabling SAML for Dynamic Identity Federation Management Enabling SAML for Dynamic Identity Federation Management Patricia Arias, Florina Almenárez, Andrés Marín and Daniel Díaz-Sánchez University Carlos III of Madrid http://pervasive.gast.it.uc3m.es/ WMNC 2009

More information

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1 Overview, page 1 Using SSO with the Cisco WebEx and Cisco WebEx Meeting Applications, page 1 Requirements, page 2 Configuration of in Cisco WebEx Messenger Administration Tool, page 3 Sample Installation

More information

The Primer: Nuts and Bolts of Federated Identity Management

The Primer: Nuts and Bolts of Federated Identity Management The Primer: Nuts and Bolts of Federated Identity Management Executive Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities.

More information

OpenAM. 1 open source 1 community experience distilled. Single Sign-On (SSO) tool for securing your web. applications in a fast and easy way

OpenAM. 1 open source 1 community experience distilled. Single Sign-On (SSO) tool for securing your web. applications in a fast and easy way OpenAM Written and tested with OpenAM Snapshot 9 the Single Sign-On (SSO) tool for securing your web applications in a fast and easy way Indira Thangasamy [ PUBLISHING 1 open source 1 community experience

More information

About Me. #ccceu. @shapeblue. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

About Me. #ccceu. @shapeblue. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack About Me KVM, API, DB, Upgrades, SystemVM, Build system, various subsystems Contributor and Committer

More information

How To Configure The Jasig Casa Single Sign On On A Workstation On Ahtml.Org On A Server On A Microsoft Server On An Ubuntu 7.5.3 (Windows) On A Linux Computer On A Raspberry V

How To Configure The Jasig Casa Single Sign On On A Workstation On Ahtml.Org On A Server On A Microsoft Server On An Ubuntu 7.5.3 (Windows) On A Linux Computer On A Raspberry V Configuring CAS-based SSO with ActiveVOS on Apache Tomcat Technical Note Version: 1.3 Dated: August 2013 2013 Informatica Corporation ActiveVOS is a trademark of Informatica, Inc. All other company and

More information

Using Shibboleth for Single Sign- On

Using Shibboleth for Single Sign- On Using Shibboleth for Single Sign- On One Logon to Rule them all.. Kirk Yaros Director, Enterprise Services Mott Community College 1 Agenda Overview of Mott Overview of Shibboleth and Mott s Project Review

More information

IONA Security Platform

IONA Security Platform IONA Security Platform February 22, 2002 Igor Balabine, PhD IONA Security Architect Copyright IONA Technologies 2001 End 2 Anywhere Agenda IONA Security Platform (isp) architecture Integrating with Enterprise

More information

On A-Select and Federated Identity Management Systems

On A-Select and Federated Identity Management Systems On A-Select and Federated Identity Management Systems Joost Reede August 4, 2007 Master s Thesis Information Systems Chair Computer Science Department University of Twente ii This thesis is supervised

More information

Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)

Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity) Why Identity Management Identity Management Claudiu Duma Identity crisis Privacy concerns Identity theft Terrorist threat Department of Computer and Information Science cladu@ida.liu.se What We Cover Digital

More information

How To Use Saml 2.0 Single Sign On With Qualysguard

How To Use Saml 2.0 Single Sign On With Qualysguard QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,

More information

SAML Security Option White Paper

SAML Security Option White Paper Fujitsu mpollux SAML Security Option White Paper Fujitsu mpollux Version 2.1 February 2009 First Edition February 2009 The programs described in this document may only be used in accordance with the conditions

More information

How To Get A Single Sign On (Sso)

How To Get A Single Sign On (Sso) Single Sign-On Vijay Kumar, CISSP Agenda What is Single Sign-On (SSO) Advantages of SSO Types of SSO Examples Case Study Summary What is SSO Single sign-on is a user/session authentication process that

More information

SAML 2.0 SSO Deployment with Okta

SAML 2.0 SSO Deployment with Okta SAML 2.0 SSO Deployment with Okta Simplify Network Authentication by Using Thunder ADC as an Authentication Proxy DEPLOYMENT GUIDE Table of Contents Overview...3 The A10 Networks SAML 2.0 SSO Deployment

More information

SOA, case Google. Faculty of technology management 07.12.2009 Information Technology Service Oriented Communications CT30A8901.

SOA, case Google. Faculty of technology management 07.12.2009 Information Technology Service Oriented Communications CT30A8901. Faculty of technology management 07.12.2009 Information Technology Service Oriented Communications CT30A8901 SOA, case Google Written by: Sampo Syrjäläinen, 0337918 Jukka Hilvonen, 0337840 1 Contents 1.

More information

> Please fill your survey to be eligible for a prize draw. Only contact info is required for prize draw Survey portion is optional

> Please fill your survey to be eligible for a prize draw. Only contact info is required for prize draw Survey portion is optional Web Access Management May 2008 CA Canada Seminar > Please fill your survey to be eligible for a prize draw Only contact info is required for prize draw Survey portion is optional > How to Transform Tactical

More information

SAML Federated Identity at OASIS

SAML Federated Identity at OASIS International Telecommunication Union SAML Federated Identity at OASIS Hal Lockhart BEA Systems Geneva, 5 December 2006 SAML and the OASIS SSTC o SAML: Security Assertion Markup Language A framework for

More information