Using simplesamlphp as an identity provider
|
|
- Robert York
- 7 years ago
- Views:
Transcription
1 Andreas Åkre Solberg Table of Contents Thu Jun 19 08:20: simplesamlphp documentation... 1 Enabling the Identity Provider functionality... 1 Authentication modules... 1 Configuring the LDAP authentication module... 2 Configure the tlsclient authenticaiton module... 3 Configuring the multi-ldap authenticaiton module... 3 Setting up a SSL signing certificate... 4 Configuring metadata for an SAML 2.0 IdP... 4 Configuring SAML 2.0 IdP Hosted metadata... 4 Configuring SAML 2.0 SP Remote metadata... 6 Configuring metadata for a Shibboleth 1.3 IdP... 8 Test IdP... 9 Support... 9 A. Writing your own authentication module... 9 Authentication API... 9 simplesamlphp documentation This document is part of the simplesamlphp documentation suite. List of all simplesamlphp documentation [ This document assumes that you already have a installation of simplesamlphp. Before you continue, make sure all the required entries in the check list at the bottom is showing green light. Enabling the Identity Provider functionality Edit config.php, and enable either the SAML 2.0 IdP or the Shib 1.3 IdP, depending on your needs. By default, SAML 2.0 SP IdP functionality is enabled. Here is an example of SAML 2.0 IdP enabled: 'enable.saml20-sp' => false, 'enable.saml20-idp' => true, 'enable.shib13-sp' => false, 'enable.shib13-idp' => false, Authentication modules In the www/auth directory, each file represents an authentication module. The IdP hosted metadata configuration specifies which authentication module to use for that specific IdP. You can implement your own authentication module, see Appendix A, Writing your own authentication module. 1
2 These authentication modules are included: Using simplesamlphp auth/login.php auth/login-ldapmulti.php auth/login-feide.php auth/login-radius.php auth/login-auto.php This is the standard LDAP backend authentication module. It uses LDAP configuration from the config.php file. This authentication module lets you connect to multiple LDAPs depending on the home organization selected by the user. A multi-ldap module which looks up the users in LDAP, first searching for edupersonprincipalname. This authentication module will authenticate users against an RADIUS server instead of LDAP. This module will automatically login the user with some test details. You can use this to test the IdP functionality if you do not have This module is not completed yet. Work in progress. auth/login-cas-ldap.php Authentication via CAS, followed by attribute lookup in LDAP. auth/login-tlsclient.php Authentication via client certificates. (using the apache SSL module) Configuring the LDAP authentication module The LDAP module is found in auth/login.php. If you want to perform local authentication using this server, using the LDAP authentication plugin, the following parameters should be configured in config/ldap.php: auth.ldap.dnpattern: Which DN to bind to. %username% is replaced with the user name typed in. auth.ldap.hostname: Host name of the LDAP server auth.ldap.attributes: Search parameter to LDAP. List of attributes to be extracted. Set this option to null to retrieve all attributes available. auth.ldap.enable_tls: Will perform ldap_start_tls() after creation the connectino to the LDAP server. Searching for the user's DN It is possible to search for the DN of the user by matching the username provided by the user against one or more attributes. This feature is configured by the following options in config/ldap.php: auth.ldap.search.enable: Whether searching for the user's DN should be enabled. Set this to TRUE to enable searching. auth.ldap.search.base: The DN we should search for the user in. auth.ldap.search.attributes: The attributes we shoule match the username against. This can be a single attribute, in which case it should be a string, or multiple attributes, in which case it should be an array of strings. If this is multiple attributes, they will be joined into a search query with the following form: ( (<attr1>=<username>)(<attr2>=<username>)...) 2
3 auth.ldap.search.username: The user we should authenticate to the LDAP server as before searching. Leave this as NULL if it isn't necessary to authenticate to the server before searching. auth.ldap.search.password: The password for the user selected with the auth.ldap.search.username option. Example 1. Configuring LDAP for searching $config = array ( 'auth.ldap.hostname' => 'ldap.example.org', 'auth.ldap.attributes' => NULL, 'auth.ldap.enable_tls' => FALSE, /* Enable searching. */ 'auth.ldap.search.enable' => TRUE, /* The base DN for the search. */ 'auth.ldap.search.base' => 'cn=users,dc=example,dc=org', /* The user can authenticate using the uid or the address. */ 'auth.ldap.search.attributes' => array('uid', 'mail'), 'auth.ldap.search.username' => 'uid=authsearch,cn=server,dc=example,dc=org', 'auth.ldap.search.password' => 'secret', ); Configure the tlsclient authenticaiton module Configure apache like this: SSLEngine On SSLCertificateFile /etc/ssl/private/bridge.pem SSLCertificateKeyFile /etc/ssl/private/bridge.key SSLCertificateChainFile /etc/ssl/certs/sureserveredu.pem SSLOptions +StdEnvVars +ExportCertData KeepAliveTimeout 60 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCACertificateFile "/etc/ssl/private/tlsclienttest-ca.crt" SSLVerifyClient optional SSLVerifyDepth 1 And, then configure the identity provider to use the authentication module: auth/logintlsclient.php. Configuring the multi-ldap authenticaiton module The module is found in auth/login-ldapmulti.php. Note Documentation will be added later. For now, contact the author. 3
4 Setting up a SSL signing certificate For test purposes, you can skip this section, and use the certificate included in the simplesamlphp distribution. For a production system, you must generate a new certificate for your IdP. Warning The certificate that follows the simplesamlphp distribution must NEVER be used in production, as the private key is also included in the package and can be downloaded by anyone. Here is an examples of openssl commands to generate a new key and a selfsigned certificate to use for signing SAML messages: openssl genrsa -des3 -out server2.key 1024 openssl rsa -in server2.key -out server2.pem openssl req -new -key server2.key -out server2.csr openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt The certificate above will be valid for 60 days. Note simplesamlphp will only work with RSA and not DSA certificates. Configuring metadata for an SAML 2.0 IdP To setup a SAML 2.0 IdP you must configure two metadata files: saml20-idp-hosted.php and saml20-sp-remote.php. Configuring SAML 2.0 IdP Hosted metadata This is the configuration of the IdP itself. Here is some example config: // The SAML entity ID is the index of this config. 'idp.example.org' => array( // The hostname of the server (VHOST) that this SAML entity will use. 'host' => 'sp.example.org', // X.509 key and certificate. Relative to the cert directory. 'privatekey' => 'server.pem', 'certificate' => 'server.crt', // Authentication plugin to use. login.php is the default one that uses LDAP. 'auth' => 'auth/login.php', 'authority' => 'login', ), Parameter details: 4
5 Mandatory metadata fields index in the $metadata array The entity ID of the IdP. In this example: idp.example.org. simplesamlphp supports dynamic entityids that matches a URL where simplesamlphp automatically generates metadata for the hosted entity. To enable this functionality, set the index to be DYNAMIC:1. The index needs to be unique, so when you have multiple entries, increase the integer after the colon. When the index DYNAMIC:1 is used, the resulting generated entity becomes something like: host privatekey certificate auth Host name of the server running this IdP. One of your metadata entries can have the value DEFAULT. A default entry will be used when no other entry matches the current hostname. Name of private key file in PEM format, in the certs directory. Name of certificate file in PEM format, in the certs directory. Which authentication module to use. Default: auth/login.php, the LDAP authentication module. Optional metadata fields privatekey_pass requireconsent authority attributemap attributealter userid.attribute AttributeNameFormat Passphrase for the private key. Set to true if you want to require user's consent each time attributes are sent to an SP. Who is authorized to create sessions for this IdP. Can be login for LDAP login module, or saml2 for SAML 2.0 SP. Specifying this parameter is highly recommended. Mapping table for translating attribute names. For further information, see the Advances Features document. Table of custom functions that injects or modifies attributes. For further information, see the Advances Features document. The attribute name of an attribute which uniquely identifies the user. This attribute is used if simplesamlphp needs to generate a persistent unique identifier for the user. This option can be set in both the IdP-hosted and the SP-remote metadata. The value in the sp-remote metadata has the highest priority. The default value is edupersonprincipalname. What value will be set in the Format field of attribute statements. This parameter can be configured multiple places, and the actual value used is fetched from metadata by the following priority: 1. SP Remote Metadata 2. IdP Hosted Metadata 5
6 3. Default value: urn:oasis:names:tc:saml:2.0:attrnameformat:basic Some examples of values specified in the SAML 2.0 Core Specification: urn:oasis:names:tc:saml:2.0:attrnameformat:unspecified urn:oasis:names:tc:saml:2.0:attrnameformat:uri (Used as default in Shibboleth 2.0) urn:oasis:names:tc:saml:2.0:attrnameformat:basic (Used as default in Sun Access Manager) You can define your own value. SingleSignOnService Override the default URL for the SingleSignOnService for this IdP. This is an absolute URL. The default value is <simplesamlphproot>/saml2/idp/ssoservice.php Note that this only changes the values in the generated metadata and in the messages sent to others. You must also configure your webserver to deliver this URL to the correct PHP page. SingleLogoutService Override the default URL for the SingleLogoutService for this IdP. This is an absolute URL. The default value is <simplesamlphproot>/saml2/idp/singlelogoutservice.php Fields for signing authentication requests Note that this only changes the values in the generated metadata and in the messages sent to others. You must also configure your webserver to deliver this URL to the correct PHP page. By default, simplesamlphp will not sign the HTTP-REDIRECT LogoutRequest. To activate signing, set the request.signing parameter to true. The signing will use the same privatekey/certificate as used for signing the AuthnResponse. request.signing Boolean, default false. Example 2. Example of configured signed requests 'request.signing' => true, Configuring SAML 2.0 SP Remote metadata In the file saml20-sp-remote.php, you configure all SPs that you trust. Here is an example: /* * Example simplesamlphp SAML 2.0 SP */ 'saml2sp.example.org' => array( 'AssertionConsumerService' => ' 6
7 'SingleLogoutService' 'attributes' 'name' ), => ' => array(' ', 'edupersonprincipalname'), => 'Example service provider', Parameter details: Mandatory metadata fields index in the $metadata array AssertionConsumerService Entity ID of the given SP. Here: saml2sp.example.org. URL of this SAML 2.0 endpoint. Ask the SP if you are uncertain. You may find the endpoint URL in SAML 2.0 metadata received from the SP. Optional metadata fields SingleLogoutService NameIDFormat SPNameQualifier AttributeNameFormat URL of this SAML 2.0 endpoint. Ask the SP if you are uncertain. You may find the endpoint URL in SAML 2.0 metadata received from the SP. Set it to the default: transient. SP NameQualifier for this SP. If not set, the IdP will set the SPNameQualifier to be the SP entity ID. What value will be set in the Format field of attribute statements. This parameter can be configured multiple places, and the actual value used is fetched from metadata by the following priority: 1. SP Remote Metadata 2. IdP Hosted Metadata 3. Default value: urn:oasis:names:tc:saml:2.0:attrnameformat:basic Some examples of values specified in the SAML 2.0 Core Specification: urn:oasis:names:tc:saml:2.0:attrnameformat:unspecified urn:oasis:names:tc:saml:2.0:attrnameformat:uri (Used as default in Shibboleth 2.0) urn:oasis:names:tc:saml:2.0:attrnameformat:basic (Used as default in Sun Access Manager) You can define your own value. base64attributes Boolean, default false: Perform base64 encoding of attributes sent to this SP. This parameter must be set according to what the SP expects. 7
8 simplesaml.nameidattribute attributemap attributealter attributes simplesaml.attributes name description request.signing certificate ForceAuthn assertion.enctyption sharedkey userid.attribute If the NameIDFormat is set to , then the address is extracted from the attribute with this name. E.g. if simplesaml.nameidattribute is set to uid, and the authentcation module provides an attribute named uid, this attribute value is set as the NameID. Mapping table for translating attribute names. For further information, see the Advances Features document. Table of custom functions that injects or modifies attributes. For further information, see the Advances Features document. Array of attributes sent to the SP. If this field is not set, the SP receives all attributes available at the IdP. Boolean, default true: Send an attribute statement to the SP. A descriptive name of the SP. (Used in the consent module) A longer description of the SP. (Not used) Boolean, default false. Defines whether this IdP should require signed requests from this SP. Name of certificate file for verifying the signature when request.signing is set to true. Set this true to force authentication when receiving authentication requests from this SP. The default is false. Boolean, default false. Defines whether this IdP shoul encrypt assertions to this SP. Used for optional symmetric encryption of assertions. Currently the algorithm is hardcoded to AES128_CBC/RIJNDAEL_128 which uses up to 128 bit for the passphrase/key. If you want to use a sessionkey which is encrypted by this idp's private key do not specify a sharedkey. The attribute name of an attribute which uniquely identifies the user. This attribute is used if simplesamlphp needs to generate a persistent unique identifier for the user. This option can be set in both the IdP-hosted and the SP-remote metadata. The value in the sp-remote metadata has the highest priority. The default value is edupersonprincipalname. signresponse The default behaviour of simplesamlphp is to sign the Assertion element in the SAML 2.0 response sent to SPs. This option allows you to override this behaviour on a per SP basis. Set this to TRUE to sign the Response element. FALSE will make the SP sign the Assertion. If this option is unset, the value from saml2.signresponse in config.php will be used. That value is FALSE by default. Configuring metadata for a Shibboleth 1.3 IdP In the file shib13-idp-hosted.php, you configure metadata for the Shibboleth 1.3 IdP. In the file shib13-sp-remote.php, you configurethe list of trusted SPs using the Shibboleth 1.3 protocol. This 8
9 Test IdP Using simplesamlphp configuration is very similar to configuring SAML 2.0 metadata; please find information in the previous chapter. To test the IdP, it is best to configure two hosts with simplesamlphp, and use the SP demo example to test the IdP. Tip Support To make the initial test up and running with minimal hassle, use the login-auto if you do not want to setup a user storage, and use the included certificate so you do not need to create a new one. If you need help to make this work, or want to discuss simplesamlphp with other users of the software, you are fortunate: Around simplesamlphp there is a great Open source community, and you are welcome to join! The forums are open for you to ask questions, contribute answers other further questions, request improvements or contribute with code or plugins of your own. simplesamlphp homepage (at Feide RnD) [ List of all available simplesamlphp documentation [ Join the simplesamlphp user's mailing list [ Visit and contribute to the simplesamlphp wiki [ A. Writing your own authentication module You can write your own authentication module. Just copy one of the files in the www/auth directory and play with it, then configure an IdP to use that module with the auth parameter in the metadata. The file must support incoming URL parameters, massage the session object with login state information and return to the RelayState, and that is all you need to do! Tip Instead of changing the code of the builtin authentication module, copy it into a new file and edit that. That way, your module will not be replaced or in conflict when you upgrade simplesamlphp to a newer version. Authentication API The authentication plugin should be placed in the auth directory. The following parameters must be accepted in the incomming URL: RelayState: URL where the user is sent after authentication within the plugin. RequestID: ID of an incomming request. 9
10 The initsso.php takes in addition the following parameters: idpentityid: This is the entityid of the IdP to authenticate with. This parameter is optional, if not set the default for this host will be used. spentityid: This is which SP config to use. This parameter is optional, if not set the default for this host will be used. In hosted IdP metadata there is a config parameter auth that will tell simplesaml which authentication plugin that can be used. Tip The authentication API is pretty basic. The easiest way to understand how it works is to look at one of the existing plugins that is located in the auth directory of your installation. 10
Federated Wikis Andreas Åkre Solberg andreas@uninett.no
Federated Wikis Andreas Åkre Solberg andreas@uninett.no Wikis in the beginning...in the beginning wikis were wide open. Great! - But then the spammers arrived. Password protected wikis Create yet another
More informationINTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server
INTEGRATION GUIDE DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document
More informationSAML Authentication within Secret Server
SAML Authentication within Secret Server Secret Server allows the use of SAML Identity Provider (IdP) authentication instead of the normal authentication process for single sign-on (SSO). To do this, Secret
More informationMoodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services
Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services This document is provided as-is. Information and views expressed in this document, including URL and other
More informationOIOSAML 2.0 Toolkits Test results May 2009
OIOSAML 2.0 Toolkits Test results May 2009 5. September 2008 - Søren Peter Nielsen: - Lifted and modified from http://docs.google.com/a/nemsso.info/doc?docid=dfxj3xww_7d9xdf7gz&hl=en by Joakim Recht 12.
More informationAuthentication Methods
Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the
More informationIntegration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Drupal
SafeNet Authentication Service Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information
More informationConfiguring. Moodle. Chapter 82
Chapter 82 Configuring Moodle The following is an overview of the steps required to configure the Moodle Web application for single sign-on (SSO) via SAML. Moodle offers SP-initiated SAML SSO only. 1 Prepare
More informationGlobalSign Enterprise Solutions Google Apps Authentication User Guide
GlobalSign Enterprise Solutions Google Apps Authentication User Guide Using EPKI for Google Apps for Business Single Sign-on and Secure Document Sharing v.1.1 1 Table of Contents Table of Contents... 2
More informationCERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER
White Paper CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER Abstract This white paper explains the process of integrating CA SiteMinder with My Documentum
More informationLaboratory Exercises VI: SSL/TLS - Configuring Apache Server
University of Split, FESB, Croatia Laboratory Exercises VI: SSL/TLS - Configuring Apache Server Keywords: digital signatures, public-key certificates, managing certificates M. Čagalj, T. Perković {mcagalj,
More informationThis section describes how to use SSL Certificates with SOA Gateway running on Linux.
This section describes how to use with SOA Gateway running on Linux. Setup Introduction Step 1: Set up your own CA Step 2: SOA Gateway Server key and certificate Server Configuration Setup To enable the
More informationSAML single sign-on configuration overview
Chapter 46 Configurin uring Drupal Configure the Drupal Web-SAML application profile in Cloud Manager to set up single sign-on via SAML with a Drupal-based web application. Configuration also specifies
More informationAgenda. How to configure
dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services
More informationHow To Use Saml 2.0 Single Sign On With Qualysguard
QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,
More informationEnterprise SSL Support
01 Enterprise SSL Support This document describes the setup of SSL (Secure Sockets Layer) over HTTP for Enterprise clients, servers and integrations. 1. Overview Since the release of Enterprise version
More informationUsing custom certificates with Spectralink 8400 Series Handsets
Using custom certificates with Spectralink 8400 Series Handsets This technical bulletin explains how to create and use custom certificates with the Spectralink 8400 Series Handset. This technical bulletin
More informationConfiguring ADFS 3.0 to Communicate with WhosOnLocation SAML
Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML --------------------------------------------------------------------------------------------------------------------------- Contents Overview...
More informationThis chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:
CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access
More informationCrypto Lab Public-Key Cryptography and PKI
SEED Labs 1 Crypto Lab Public-Key Cryptography and PKI Copyright c 2006-2014 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from the US National Science
More informationSecuritySpy Setting Up SecuritySpy Over SSL
SecuritySpy Setting Up SecuritySpy Over SSL Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications on the internet. It uses two keys to encrypt data: a public key and
More informationADFS Integration Guidelines
ADFS Integration Guidelines Version 1.6 updated March 13 th 2014 Table of contents About This Guide 3 Requirements 3 Part 1 Configure Marcombox in the ADFS Environment 4 Part 2 Add Relying Party in ADFS
More informationViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH
ViMP 3.0 SSL Configuration in Apache 2.2 Author: ViMP GmbH Table of Contents Requirements...3 Create your own certificates with OpenSSL...4 Generate a self-signed certificate...4 Generate a certificate
More informationUser s guide. APACHE 2.0 + SSL Linux. Using non-qualified certificates with APACHE 2.0 + SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.
User s guide APACHE 2.0 + SSL Linux Using non-qualified certificates with APACHE 2.0 + SSL Linux version 1.3 Table of contents 1. PREFACE... 3 2. GENERATING CERTIFICATE... 3 2.1. GENERATING REQUEST FOR
More informationSingle Sign-On for the UQ Web
Single Sign-On for the UQ Web David Gwynne Infrastructure Architect, ITIG, EAIT Taxonomy Authentication - Verification that someone is who they claim to be - ie, only the relevant user
More informationLets get a federated identity. Intro to Federated Identity. Feide OpenIdP. Enter your email address. Do you have access to your email?
Lets get a feated identity Intro to Feated Identity EuroCAMP Training for APAN32 This work is licensed un a Creative Commons Attribution ShareAlike 3.0 Unported License. Do you have access to your email?
More informationGoogle Apps and Open Directory. Randy Saeks Twitter: @rsaeks http://www.techrecess.com
Google Apps and Open Directory Randy Saeks Twitter: @rsaeks http://www.techrecess.com Agenda Quick Google Apps Overview Structure Setup Preparing OD Configuration Q&A&S Resources http://techrecess.com/technical-papers/gapps/
More informationVMware Identity Manager Integration with Active Directory Federation Services 2.0
VMware Identity Manager Integration with Active Directory Federation Services 2.0 VMware Identity Manager J ULY 2015 V 2 Table of Contents Active Directory Federation Services... 2 Configuring AD FS Instance
More information365 Services. 1.1 Configuring Access Manager. 1.1.1 Prerequisite. 1.1.2 Adding the Office 365 Metadata. docsys (en) 2 August 2012
1 1Configuring Single Sign-On For Office 365 Services NetIQ Access Manager is compatible with Office 365 and provides single sign on access to Office 365 services. Single sign on access is supported for
More informationShibboleth Identity Provider (IdP) Sebastian Rieger sebastian.rieger@gwdg.de
Shibboleth Identity Provider (IdP) Sebastian Rieger sebastian.rieger@gwdg.de Gesellschaft für wissenschaftliche Datenverarbeitung mbh Göttingen, Germany CLARIN AAI Hands On Workshop, 25.02.2009, Oxford
More informationPuppet CA: Certificates explained. Thomas Gelf - PuppetCamp Düsseldorf 2014
Puppet CA: Certificates explained Thomas Gelf - PuppetCamp Düsseldorf 2014 Thomas Gelf, nice to meet you! joined NETWAYS in 2010 formerly more than ten years of... web (application) development routing/switching:
More informationLinux Deployment Guide. How to deploy Network Shutdown Module for Linux
Linux Deployment Guide How to deploy Network Shutdown Module for Linux 1 Contents 2 Introduction... 4 3 To Prepare your System for Install... 4 3.1 RedHat 5.9 i386 Command... 4 3.2 RedHat 5.9 x86_64 Command...
More informationSecuring Your Apache Web Server With a Thawte Digital Certificate
Contents Securing Your Apache Web Server With a Thawte Digital Certificate 1. Overview 2. Research 3. System requirements 4. Generate your private key 5. Generate your Certificate Signing Request 6. Using
More informationTo enable https for appliance
To enable https for appliance We have used openssl command to generate a key pair. The below image shows on how to generate key using the openssl command. SSH into appliance and login as root. Copy all
More informationSection 1, Configuring Access Manager, on page 1 Section 2, Configuring Office 365, on page 4 Section 3, Verifying Single Sign-On Access, on page 5
Configuring Single Sign-On For Office 365 Services NetIQ Access Manager is compatible with Microsoft Office 365 and provides single sign-on access to Office 365 services. Single sign-on access is supported
More informationPHP Integration Kit. Version 2.5.1. User Guide
PHP Integration Kit Version 2.5.1 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate PHP Integration Kit User Guide Version 2.5.1 December, 2012 Ping Identity Corporation 1001
More informationApache Security with SSL Using Ubuntu
Apache Security with SSL Using Ubuntu These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Some SSL background
More informationZendesk SSO with Cloud Secure using MobileIron MDM Server and Okta
Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta Configuration Guide Product Release Document Revisions Published Date 1.0 1.0 May 2016 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San
More informationSmart Card Authentication. Administrator's Guide
Smart Card Authentication Administrator's Guide October 2012 www.lexmark.com Contents 2 Contents Overview...4 Configuring the applications...5 Configuring printer settings for use with the applications...5
More informationOnly LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.
This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and
More informationImplementing HTTPS in CONTENTdm 6 September 5, 2012
Implementing HTTPS in CONTENTdm 6 This is an overview for CONTENTdm server administrators who want to configure their CONTENTdm Server and Website to make use of HTTPS. While the CONTENTdm Server has supported
More informationVMware Identity Manager Administration
VMware Identity Manager Administration VMware Identity Manager 2.6 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
More informationSetup Guide Access Manager 3.2 SP3
Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE
More informationInstalling Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server
Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server Technical Note Dated: 23 June 2015 Page 1 of 8 Overview This document describes how by installing an Apache HTTP
More informationCA Nimsoft Service Desk
CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationUse Enterprise SSO as the Credential Server for Protected Sites
Webthority HOW TO Use Enterprise SSO as the Credential Server for Protected Sites This document describes how to integrate Webthority with Enterprise SSO version 8.0.2 or 8.0.3. Webthority can be configured
More informationF-Secure Messaging Security Gateway. Deployment Guide
F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4
More informationApplication Note AN1502
Application Note AN1502 Generate SSL Certificates PowerPanel Business Edition User s Manual Rev. 1 2015/08/21 Rev. 13 2013/07/26 Content Generating SSL Certificates Overview... 3 Obtain a SSL Certificate
More informationUnifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway
Unifying Information Security Implementing TLS on the CLEARSWIFT SECURE Email Gateway Contents 1 Introduction... 3 2 Understanding TLS... 4 3 Clearswift s Application of TLS... 5 3.1 Opportunistic TLS...
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is
More informationFederated Identity Management. Willem Elbers (MPI-TLA) EUDAT training
Federated Identity Management Willem Elbers (MPI-TLA) EUDAT training Date: 26 June 2012 Outline FIM and introduction to components Federation and metadata National Identity federations and inter federations
More informationIntegration of Shibboleth and (Web) Applications
workshop Integration of Shibboleth and (Web) Applications MPG-AAI Workshop Clarin Centers Prague 2009 2009-11-06 (Web) Application Protection Models Classical Application behind Shibboleth Standard Session
More informationAutomated Testing of SAML 2.0 Service Providers. Andreas Åkre Solberg UNINETT andreas@uninett.no http://rnd.feide.no
Automated Testing of SAML 2.0 Service Providers Andreas Åkre Solberg UNINETT andreas@uninett.no http://rnd.feide.no Background 0% of SAML 2.0 implementations do SAML 100% correct. SAML includes alot of
More informationApache 2 mod_ssl by example
Apache 2 mod_ssl by example ApacheCon 2005 Mads Toftum mads@apache.org Agenda Getting started Certificates Access control Proxy solutions Performance Building mod_ssl The Apache 1.3 + mod_ssl way Download
More informationApache, SSL and Digital Signatures Using FreeBSD
Apache, SSL and Digital Signatures Using FreeBSD AfNOG 2007 Unix System Administration April 26, 2007 Hervey Allen Network Startup Resource Center Some SSL background Invented by Netscape for secure commerce.
More informationVERALAB LDAP Configuration Guide
VERALAB LDAP Configuration Guide VeraLab Suite is a client-server application and has two main components: a web-based application and a client software agent. Web-based application provides access to
More informationSecurity Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2
Security Workshop Apache + SSL exercises in Ubuntu Contents 1 Install apache2 and enable SSL 2 2 Generate a Local Certificate 2 3 Configure Apache to use the new certificate 4 4 Verify that http and https
More informationInstalling an SSL certificate on the InfoVaultz Cloud Appliance
Installing an SSL certificate on the InfoVaultz Cloud Appliance This document reviews the prerequisites and installation of an SSL certificate for the InfoVaultz Cloud Appliance. Please note that the installation
More informationFederating with Web Applications
Federating with Web Applications Janusz Ulawski HEAnet Ltd November 11, 2010 Agenda 1 Providing access to your WebApp 2 Federated Access Software with SAML 2.0 support 3 Federating your WebApp Shibboleth
More informationFERMILAB CENTRAL WEB HOSTING SINGLE SIGN ON (SSO) ON CWS LINUX WITH SAML AND MOD_AUTH_MELLON
FERMILAB CENTRAL WEB HOSTING SINGLE SIGN ON (SSO) ON CWS LINUX WITH SAML AND MOD_AUTH_MELLON Contents Information and Security Contacts:... 3 1. Introduction... 4 2. Installing Module... 4 3. Create Metadata
More informationesync - Receiving data over HTTPS
esync - Receiving data over HTTPS 1 Introduction Natively, the data transfer between ewon and esync is done over an HTTP link. However when esync is hosted on Internet, security must be taken in account
More informationSWITCH Resource Registry Guide
AAI Resource Registry Guide Authors: LH, TL AAI web page: http://www.switch.ch/ Contact: aai@switch.ch This guide is aimed at users of the SWITCH Resource Registry and is intended to serve as a complimentary
More informationFeide Technical Guide. Technical details for integrating a service into Feide
Feide Technical Guide Technical details for integrating a service into Feide May 2015 Document History Version Date Initials Comments 1.0 Nov 2009 TG First issue 1.2 Nov 2009 TG Added SLO description 1.3
More informationIntegrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER
Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication
More informationSetting Up CAS with Ofbiz 5
1 of 11 20/01/2009 9:56 AM Setting Up CAS with Ofbiz 5 This wiki explains how to setup and test CAS-Ofbiz5 integration and testing on a Centos 5.2 box called "elachi". In this configuration Ofbiz and the
More informationT his feature is add-on service available to Enterprise accounts.
SAML Single Sign-On T his feature is add-on service available to Enterprise accounts. Are you already using an Identity Provider (IdP) to manage logins and access to the various systems your users need
More informationRunning Multiple Shibboleth IdP Instances on a Single Host
CESNET Technical Report 6/2013 Running Multiple Shibboleth IdP Instances on a Single Host IVAN NOVAKOV Received 10.12.2013 Abstract The article describes a way how multiple Shibboleth IdP instances may
More information2014 IBM Corporation
2014 IBM Corporation This is the 27 th Q&A event prepared by the IBM License Metric Tool Central Team (ICT) Currently we focus on version 9.x of IBM License Metric Tool (ILMT) The content of today s session
More informationSmart Card Authentication Client. Administrator's Guide
Smart Card Authentication Client Administrator's Guide April 2013 www.lexmark.com Contents 2 Contents Overview...3 Configuring Smart Card Authentication Client...4 Configuring printer settings for use
More informationQualtrics Single Sign-On Specification
Qualtrics Single Sign-On Specification Version: 2010-06-25 Contents Introduction... 2 Implementation Considerations... 2 Qualtrics has never been used by the organization... 2 Qualtrics has been used by
More informationIntegrating EJBCA and OpenSSO
Integrating EJBCA and OpenSSO EJBCA is an Enterprise PKI Certificate Authority issuing certificates to users, servers and devices. In an organization certificate can be used for strong authentication.
More informatione-cert (Server) User Guide For Apache Web Server
e-cert (Server) User Guide For Apache Web Server Revision Date: Sep 2015 Table of Content A. Guidelines for e-cert (Server) Applicant... 2 B. Generating Certificate Signing Request (CSR)... 3 C. Submitting
More informationSingle Sign-On Implementation Guide
Single Sign-On Implementation Guide Salesforce, Winter 16 @salesforcedocs Last updated: November 4, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark
More informationSingle Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1
Overview, page 1 Using SSO with the Cisco WebEx and Cisco WebEx Meeting Applications, page 1 Requirements, page 2 Configuration of in Cisco WebEx Messenger Administration Tool, page 3 Sample Installation
More informationSAML Single-Sign-On (SSO)
C O L A B O R A T I V E I N N O V A T I O N M A N A G E M E N T Complete Feature Guide SAML Single-Sign-On (SSO) 1. Features This feature allows administrators to setup Single Sign-on (SSO) integration
More informationIntegrating Google Apps and Open Directory v10.5 Randy Saeks. rsaeks@gmail.com
IntegratingGoogleAppsand OpenDirectory v10.5 RandySaeks rsaeks@gmail.com TableofContents INTRODUCTION 3 REQUIREMENTS 4 LDAPUSERIMPORT 5 WEB BASEDSINGLE SIGNON 10 INSTALLINGSIMPLESAMLPHP 11 CONFIGURINGSIMPLESAMLPHPFOROPENDIRECTORY
More informationConfiguring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.
Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.3 Table of Contents Overview... 1 Configuring One-Way Secure Socket
More informationSingle Sign-On Implementation Guide
Single Sign-On Implementation Guide Salesforce, Summer 15 @salesforcedocs Last updated: July 1, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of
More information9.92 Using HTTPS for building secure web applications v 1.0
2006-12-19 LiTH 9.92 Using HTTPS for building secure web applications v 1.0 Jonas Krogell Abstract Today most websites on the Internet uses normal HTTP for displaying the data for the visitors/users. HTTP
More informationAuthentication and Single Sign On
Contents 1. Introduction 2. Fronter Authentication 2.1 Passwords in Fronter 2.2 Secure Sockets Layer 2.3 Fronter remote authentication 3. External authentication through remote LDAP 3.1 Regular LDAP authentication
More informationHOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services
1 HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided
More informationCHAPTER 7 SSL CONFIGURATION AND TESTING
CHAPTER 7 SSL CONFIGURATION AND TESTING 7.1 Configuration and Testing of SSL Nowadays, it s very big challenge to handle the enterprise applications as they are much complex and it is a very sensitive
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationHOWTO. Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3. Joshua Penton Geocent, LLC joshua.penton@geocent.com.
HOWTO Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3 Joshua Penton Geocent, LLC joshua.penton@geocent.com March 2013 Table of Contents Overview... 1 Prerequisites... 2 Install OpenSSL...
More informationConnecting Web and Kerberos Single Sign On
Connecting Web and Kerberos Single Sign On Rok Papež ARNES aaa-podpora@arnes.si Terena networking conference Malaga, Spain, 10.6.2009 Kerberos Authentication protocol (No) authorization Single Sign On
More informationCopyright: WhosOnLocation Limited
How SSO Works in WhosOnLocation About Single Sign-on By default, your administrators and users are authenticated and logged in using WhosOnLocation s user authentication. You can however bypass this and
More informationVMware Identity Manager Administration
VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
More informationUsing LDAP Authentication in a PowerCenter Domain
Using LDAP Authentication in a PowerCenter Domain 2008 Informatica Corporation Overview LDAP user accounts can access PowerCenter applications. To provide LDAP user accounts access to the PowerCenter applications,
More informationStep-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x
Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Sverview Trust between SharePoint 2010 and ADFS 2.0 Use article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies
More informationIntroduction to Directory Services
Introduction to Directory Services Overview This document explains how AirWatch integrates with your organization's existing directory service such as Active Directory, Lotus Domino and Novell e-directory
More informationCreating and Managing Certificates for My webmethods Server. Version 8.2 and Later
Creating and Managing Certificates for My webmethods Server Version 8.2 and Later November 2011 Contents Introduction...4 Scope... 4 Assumptions... 4 Terminology... 4 File Formats... 5 Truststore Formats...
More informationhttp://cnmonitor.sourceforge.net CN=Monitor Installation and Configuration v2.0
1 Installation and Configuration v2.0 2 Installation...3 Prerequisites...3 RPM Installation...3 Manual *nix Installation...4 Setup monitoring...5 Upgrade...6 Backup configuration files...6 Disable Monitoring
More informationTIB 2.0 Administration Functions Overview
TIB 2.0 Administration Functions Overview Table of Contents 1. INTRODUCTION 4 1.1. Purpose/Background 4 1.2. Definitions, Acronyms and Abbreviations 4 2. OVERVIEW 5 2.1. Overall Process Map 5 3. ADMINISTRATOR
More informationCMDBuild Authentication (file auth.conf)
CMDBuild Authentication (file auth.conf) 1 Indice Introduction...3 1. Authentication type selection...3 auth.methods...3 serviceusers...3 force.ws.password.digest...3 2. Header authentication configuration...3
More informationComputer Services Documentation
Computer Services Documentation Shibboleth Documentation {Shibboleth & Google Apps Integration} John Paul Szkudlapski June 2010 Note: These case studies, prepared by member organisations of the UK federation,
More informationEncrypted Connections
EMu Documentation Encrypted Connections Document Version 1 EMu Version 4.0.03 www.kesoftware.com 2010 KE Software. All rights reserved. Contents SECTION 1 Encrypted Connections 1 How it works 2 Requirements
More informationMicrosoft 10972 - Administering the Web Server (IIS) Role of Windows Server
1800 ULEARN (853 276) www.ddls.com.au Microsoft 10972 - Administering the Web Server (IIS) Role of Windows Server Length 5 days Price $4169.00 (inc GST) Version B Overview This course provides students
More informationTenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.
Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,
More informationClearswift Information Governance
Clearswift Information Governance Implementing the CLEARSWIFT SECURE Encryption Portal on the CLEARSWIFT SECURE Email Gateway Version 1.10 02/09/13 Contents 1 Introduction... 3 2 How it Works... 4 3 Configuration
More informationShibboLEAP Project. Final Report: School of Oriental and African Studies (SOAS) Colin Rennie
ShibboLEAP Project Final Report: School of Oriental and African Studies (SOAS) Colin Rennie May 2006 Shibboleth Implementation at SOAS Table of Contents Introduction What this document contains Who writes
More information