Identity Federation Broker for Service Cloud
2010 International Conference on Service Sciences

Identity Federation Broker for Service Cloud

He Yuan Huang, Bin Wang, Xiao Xi Liu, Jing Min Xu
IBM Research China
{huanghey, wangbcrl, liuxx, xujingm}@cn.ibm.com

Abstract. With the wide adoption of in-cloud services (e.g., software-as-a-service), several major identity-related issues arise. For enterprises, managing identities in services usually introduces additional cost and risk. For service providers, typical pairwise identity federation solutions do not scale to support single sign-on, service composition, etc. among services in a large environment such as a service cloud. This paper proposes an identity federation broker that introduces a trusted third party as a trust broker to simplify the management of identity federation in a user-centric manner. With this solution, the cost and risk of federated identity management for both enterprises and service providers can be significantly reduced. A detailed scenario implementation is given to demonstrate the feasibility of the solution. Moreover, a vulnerability analysis shows how the solution resists typical security attacks.

Keywords: identity federation, service cloud.

1. Introduction

Nowadays more and more enterprises turn to services delivered by public clouds, such as SaaS (software-as-a-service), for business and IT transformation. However, the use of in-cloud services usually introduces additional accounts for the users who need to access those services. This not only creates additional risk but also increases account management cost, especially for enterprises with a large number of in-cloud service users. Cross-service access poses a further challenge: one service needs to be able to access a user's data managed by other services on behalf of the user. Federating identities between services seems to be a natural approach to addressing these challenges.

However, the traditional (identity-provider-level) pairwise trust model leads to quadratic growth in the number of federation relationships and results in heavy implementation and operation cost for service providers. To fully address the above issues, this paper proposes an identity federation broker that introduces a trusted third party as a trust broker for establishing identity federation between services in-cloud or across clouds in a user-centric approach. It provides identity management and identity federation services to enterprises and is able to federate with an enterprise's existing identity systems where they exist.

The rest of the paper is organized as follows: section 2 introduces the motivation of the paper to illustrate the trust model and desired system properties of the proposed solution; section 3 gives the details of the solution design; section 4 uses a concrete scenario implementation to demonstrate the feasibility of the solution; the vulnerability analysis in section 5 shows how the solution resists typical security attacks; section 6 lists related work and compares it with the proposed solution; section 7 summarizes the paper and introduces future work.

2. Motivation

The management of trust relationships among parties (services or on-premise apps) is the foundation of a federation solution. Two typical trust models are discussed below. (Note that the trust models discussed in this paper are identity-provider-level trust models, i.e., trust models among identity authorities.)

Pairwise trust model. Most existing federation solutions, such as IBM Tivoli Federated Identity Manager [5], PingFederate [8], etc., are based on the pairwise trust model. In this model, relationship and business trust between all interoperating participants is exclusively governed by signed business agreements. The strong trust established via business agreements is not technically extendable, which results in the forming of closed communities [2]. With this trust model, to enable cross-service access among in-cloud services, external services and on-premise apps, multilateral trust relationships must be established. For each trust relationship, the involved parties need to reach both a business agreement and a technical agreement, which is costly.

Brokered trust model. Another typical trust model is the brokered trust model. In this model, an intermediary is introduced. The business agreement between the service provider and the intermediary places trust in the intermediary, allowing it to act as an agent for the service provider and to establish trust paths to other parties [2]. Thus, with a trustworthy intermediary, transitive federation can be established dynamically and extended to a broader range of services. In other words, the cost of establishing multilateral trust relationships under the pairwise trust model can be dramatically reduced with the brokered trust model. Moreover, the trusted intermediary could potentially act as an arbitrator and resolve disputes about cross-service access.

As we know, the cloud is in fact a trusted party for all in-cloud services and enterprises. Furthermore, if external services want to connect with the cloud, they must also trust the cloud. Thus, the cloud is a good candidate intermediary for the brokered trust model in this context. Considering both benefits and feasibility, we adopt the brokered trust model in our federation solution for service cloud.

3. Solution

Based on the trust model selected and the properties desired in the previous section, we come up with the identity federation broker solution, which is composed of a broker server and a set of extensible gateways (or existing identity federation solutions) deployed with services or on-premise apps. In this section, an overview of the solution is given first to help readers gain a quick understanding of the solution. After that, the detailed design for federated single sign-on is illustrated to give an in-depth understanding of the solution.

3.1. Solution Overview

Figure 1 gives an overview of the identity federation broker solution we propose.

Fig. 1. Overview of Identity Federation Broker for Service Cloud. [Figure not reproduced. Elements: in-cloud and external Web Services and REST Services, Broker Server, Service / On-Premise Gateway, Gateway Plug-in, Existing Federation Solution, Enterprise X with its Corporate Directory. Legend: Single Sign-On (SSO), Secure Backend Call.]

Basically, the solution is composed of several key parts: broker server, service/on-premise gateway, and gateway plug-in. The broker server, as the core of the solution, is in charge of managing and brokering cross-service access. An existing federation solution, deployed with a service/on-premise app, is a pre-existing identity federation solution; in this case a service/on-premise gateway is not required. The service/on-premise gateway, deployed with a service/on-premise app, is in charge of collaborating with the broker server to delegate requests from/to the service/on-premise app. The gateway plug-in, as an extension of the gateway, is in charge of adapting the gateway to the characteristics of the identity provider of the service/on-premise app. In the following, we give an in-depth introduction of transitive federated single sign-on based on our solution.
3.2. Design for Transitive Federated Single Sign-On between Services

This section gives a detailed description of how to enable transitive federated single sign-on between services with the proposed solution. First, the responsibilities of the involved roles are introduced. Then, the system components related to federated single sign-on are introduced. Finally, a sequence diagram that extends the Security Assertion Markup Language (SAML) version 2.0 Web SSO profile [1] illustrates the detailed interaction flow during federated single sign-on.

System Components. In this section, we focus on the system components related to transitive federated single sign-on.

Fig. 2. Transitive Federated Single Sign-on Related Components in Broker Server. [Figure not reproduced. Components: Broker Token Service, Service Info Service, Broking Store, Service Info Store.]

As shown in figure 2, the related components of the broker server are as follows. The Broker Token Service is in charge of generating the SAML token for the target service according to the request from the gateway of the source service. The Service Info Service returns the gateway info and required identity attributes of a service. The Broking Store stores the transitive federation relationships for cross-service access. The Service Info Store stores the gateway info and required identity attributes of each service.

Fig. 3. Transitive Federated Single Sign-on Related Components in Service Gateway. [Figure not reproduced. Components: SSO Service, Credential Capturer, Assertion Consumer, Authentication Provider.]

As shown in figure 3, the related components of the service gateway are as follows. The SSO Service is in charge of obtaining the SAML token for the target service from the broker server and redirecting the user to the gateway of the target service. The Credential Capturer is in charge of interacting with the source service to capture the credential of the currently authenticated user. The Assertion Consumer is in charge of validating the token embedded in the request and redirecting the user to the target service. The Authentication Provider is in charge of interacting with the target service to auto-login the user into the target service.

Interaction Sequence of Transitive Federated Single Sign-on. The interaction sequence can be divided into five phases.
Phase One: the user logs in to the source service and triggers SSO to the target service.
Phase Two: the gateway of the source service interacts with the source service to get the currently authenticated user's credential.
Phase Three: the gateway of the source service interacts with the broker server to request a SAML token for accessing the target service and to get the endpoint of the assertion consumer service on the target side. The interaction steps in this phase are similar to the steps in the SAML2 Web SSO Profile [1].
Phase Four: the gateway of the target service interacts with the target service to help the user auto-authenticate with the target service.
Phase Five: the gateway of the target service redirects the user to the target service. As the user has been auto-authenticated with the target service, the target service returns the expected resource to the user.

4. Sample Scenario

Below we use a detailed scenario to demonstrate how the proposed solution works in the real world.

Business Context

CP is a trusted cloud provider, which hosts some third-party business services, such as the sales service provided by SF. COLL is another service provider, which offers a collection of online collaboration services, such as an activity service and a file & share service, outside the cloud. Both SF and COLL have established business partnerships with CP. A small company, MyCompany, has subscribed to both the sales service and the collaboration services for its salespeople.
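The five-phase sequence above, instantiated with the business context just introduced, as an added Python model that is not the paper's code: a broker holding the Broking Store and the Service Info Store issues a signed assertion for the target service (phase three), and the target gateway's Assertion Consumer validates audience, expiry, signature and one-time use before the user is auto-logged in (phase four). Assumptions: the service names, gateway URLs and the account linking of tom_li to tom@mycompany.com are constructed from the MyCompany scenario; an HMAC over a JSON body stands in for the XML signature of a real SAML token; all class and function names are the example's own.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


@dataclass
class ServiceInfo:
    """One Service Info Store entry (constructed shape for this example)."""
    acs_url: str           # assertion consumer service endpoint of the service's gateway
    required_attrs: tuple  # identity attributes the service requires in the assertion
    key: bytes             # secret shared between broker and this gateway; an HMAC over
                           # the assertion stands in for the signature of a real SAML token


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_assertion(assertion: dict, key: bytes) -> str:
    body = json.dumps(assertion, sort_keys=True).encode()
    return _b64(body) + "." + hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_assertion(token: str, key: bytes) -> dict:
    body_b64, _, mac = token.partition(".")
    body = _unb64(body_b64)
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).hexdigest()):
        raise ValueError("assertion signature invalid")
    return json.loads(body)


class BrokerServer:
    """Broker Token Service backed by the Broking Store and the Service Info Store."""

    def __init__(self):
        self.service_info = {}      # Service Info Store: service name -> ServiceInfo
        self.broking_store = set()  # Broking Store: permitted (source, target) pairs
        self.account_links = {}     # account linking done by the user on the broker

    def register_service(self, name, info):
        self.service_info[name] = info

    def configure_cross_service_access(self, source, target):
        self.broking_store.add((source, target))

    def link_accounts(self, source, source_id, target, target_id):
        self.account_links[(source, source_id, target)] = target_id

    def issue_token(self, source, source_id, attrs, target, now=None, ttl=120):
        """Phase three: return (signed assertion, ACS endpoint of the target gateway)."""
        if (source, target) not in self.broking_store:
            raise PermissionError(f"no cross service access from {source} to {target}")
        target_id = self.account_links.get((source, source_id, target))
        if target_id is None:
            raise LookupError(f"{source_id} on {source} has no linked account on {target}")
        info = self.service_info[target]
        missing = [a for a in info.required_attrs if a not in attrs]
        if missing:
            raise LookupError(f"{target} requires attributes {missing}")
        now = time.time() if now is None else now
        assertion = {
            "id": "_" + secrets.token_hex(16),  # unique ID lets the consumer detect replay
            "issuer": "broker",
            "subject": target_id,               # the user's identity on the target service
            "audience": target,
            "not_on_or_after": int(now) + ttl,
            "attributes": {a: attrs[a] for a in info.required_attrs},
        }
        return sign_assertion(assertion, info.key), info.acs_url


class ServiceGateway:
    """Assertion Consumer of a target service gateway."""

    def __init__(self, service, key):
        self.service = service
        self.key = key
        self.consumed_ids = set()  # assertion IDs already accepted (one-time use)

    def consume_assertion(self, token, now=None):
        """Phase four: validate the token; the subject is then auto-logged in to the target."""
        a = verify_assertion(token, self.key)
        now = time.time() if now is None else now
        if a["audience"] != self.service:
            raise ValueError("assertion not addressed to this service")
        if now >= a["not_on_or_after"]:
            raise ValueError("assertion expired")
        if a["id"] in self.consumed_ids:
            raise ValueError("assertion replayed")
        self.consumed_ids.add(a["id"])
        return a["subject"]


def build_scenario():
    """Constructed MyCompany setup: SF's sales service and COLL's collaboration service."""
    broker = BrokerServer()
    sales_key, coll_key = secrets.token_bytes(32), secrets.token_bytes(32)
    broker.register_service("sales", ServiceInfo(
        "https://sales.example/gateway/acs", ("display_name",), sales_key))
    broker.register_service("collaboration", ServiceInfo(
        "https://coll.example/gateway/acs", ("display_name",), coll_key))
    broker.configure_cross_service_access("sales", "collaboration")               # admin's cross service access
    broker.link_accounts("sales", "tom_li", "collaboration", "tom@mycompany.com")  # Tom's two account IDs
    return broker, ServiceGateway("collaboration", coll_key)


def run_sso_flow(broker, target_gateway, now=None):
    """Phases one to five for Tom; returns (subject logged in at the target, token)."""
    # Phases one and two: Tom is logged in to sales as tom_li and the source gateway's
    # Credential Capturer has obtained his credential and attributes (constructed here).
    source_user, attrs = "tom_li", {"display_name": "Tom Li"}
    # Phase three: the source gateway's SSO Service asks the broker for the token and ACS URL.
    token, acs_url = broker.issue_token("sales", source_user, attrs, "collaboration", now=now)
    # Phase four: the user is redirected to acs_url; the target gateway validates the token.
    subject = target_gateway.consume_assertion(token, now=now)
    # Phase five: the target gateway redirects the auto-authenticated user to the target.
    return subject, token


def rejected(action) -> bool:
    """True if the action is refused by one of the checks above."""
    try:
        action()
        return False
    except (ValueError, PermissionError, LookupError):
        return True


if __name__ == "__main__":
    broker, gw = build_scenario()
    print(run_sso_flow(broker, gw)[0])  # tom@mycompany.com
```

Note that the target gateway never sees Tom's sales credential: the broker maps tom_li to the linked collaboration account, so the only identity the target learns is the one the user linked on the broker, which is also what the collusion analysis in section 5 relies on.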
From MyCompany's perspective, it would like to enable federated single sign-on between these subscribed services to improve salespeople's productivity and reduce helpdesk cost.

Scenario Implementation

In this scenario, the client admin of MyCompany takes full control over the federated single sign-on between the sales service and the collaboration services. First, the admin needs to assign accounts on the sales service and the collaboration services to members of MyCompany. Table 1 shows the accounts assigned to Tom Li.

Table 1. Tom's Account ID in Different Services
Service Name            Account ID
Sales Service           tom_li
Collaboration Service   tom@mycompany.com

Second, the admin simply creates a cross-service access between the sales service and the collaboration services, as shown in Table 2:

Table 2. Cross Service Access Configuration for Single Sign-on from Sales Service to Collaboration Service
Source Service   Target Service          Cross Service Access Type
Sales Service    Collaboration Service   Single Sign-On

In the process described above, the admin does not need to understand any security- or federation-related concepts. As federation is required for enabling single sign-on between these two services, the transitive federation between them is established transparently underneath.

The basic interaction sequence of transitive federated single sign-on has been given above. To help readers get an in-depth understanding of how to integrate the gateway with services, the detailed interaction flows between gateway and services are given below.

Fig. 5. Interaction Flow between Source Service Gateway and Source Service. [Figure not reproduced.]

Figure 5 shows how the gateway of the sales service obtains Tom's credential. The detailed steps are as follows:
1. Tom logs in to the sales service as tom_li.
2. Tom clicks a link in the sales app to navigate to the activity app of the collaboration service.
3. The WAS plug-in gets the LTPA token of the currently authenticated user (Tom) and obtains his credential.
4. The WAS plug-in redirects Tom's credential to the gateway's Credential Capturer, which executes the following steps as depicted in the sequence diagram of the previous section.

Fig. 6. Interaction Flow between Target Service Gateway and Target Service. [Figure not reproduced.]

Figure 6 shows how the gateway of the collaboration service helps Tom access the activity app without an additional sign-on. The detailed steps are as follows (the preceding steps are skipped here).
1. The Authentication Provider of the gateway redirects Tom's credential in the collaboration service to the OpenID plug-in to auto-login to the OpenID provider.
2. After auto-login, the OpenID plug-in redirects Tom back to the gateway.
3. The gateway redirects the user to the activity app.

The following steps just follow the typical interaction flow between an OpenID consumer app (the activity app) and the OpenID provider. As Tom has already been auto-logged in to the OpenID provider, he can access the activity app without an additional sign-on.

5. Vulnerability Analysis

Because the identity federation broker is a federation solution for service cloud, careful security consideration is critical to making the solution succeed. A detailed vulnerability analysis is conducted in this section for transitive federated single sign-on between services based on our solution. In this analysis, typical security threats and possible countermeasures are illustrated. Note that the interaction sequence from the source gateway to the target gateway is the same as the typical SAML2 Web SSO Profile, for which an in-depth vulnerability analysis already exists [10]. This section focuses only on the interactions between the service gateway and the broker server.

Attacks

Denial-of-Service Attacks
Threat: As handling a token generation request in the broker server or an SSO request in the service gateway is potentially a very expensive operation, the broker and the service gateway are susceptible to a denial-of-service (DoS) attack.
Countermeasures: For token requests to the broker server, restricting access to the broker server to a set of known parties (trusted services) drastically reduces the risk of a DoS attack. More specifically, the broker server can be placed inside a secured intranet with access rules implemented at the router level.

Man-in-the-Middle Attacks
Threat: Man-in-the-middle attacks are particularly pernicious for the communication between the service gateway and the broker server. The MITM can relay requests, capture the returned SAML token, and relay back a false one.
Countermeasures: A bilateral authentication scheme (e.g., HTTP over TLS/SSL with both server- and client-side certificates required) allows both parties to determine that what they see in a conversation actually came from the other party to the conversation.

Replay Attacks
Threat: Replay attacks amount to resubmission of the token request in order to obtain the SAML token for the target service fraudulently.
Countermeasures: In general, the best way to prevent replay attacks is to prevent message capture in the first place. Some of the transport-level schemes (e.g., HTTP over TLS/SSL) used to provide in-transit confidentiality accomplish this goal.

Collusions

Collusion between two or more service providers
Threat: Two or more corrupted service providers can collude and mass-correlate the identities stored in their databases.
Countermeasures: As the transitive federation is established through the broker, and all account linking is done by users on the broker and stored in the broker, services cannot cross-reference their databases.

Collusion between broker provider and service provider
Threat: The broker provider and a service provider can collude and mass-correlate the identities stored in their databases.
Countermeasures: The broker provider is actually the cloud provider. The assumption of the identity federation broker solution is that the broker server is the most trusted party for clients. Thus, we do not consider this kind of collusion in the solution.
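The denial-of-service, man-in-the-middle and replay countermeasures for the gateway-to-broker leg, as an added Python example that is not the paper's code: a guard placed in front of the broker's token-request handler admits only known parties (identified by the client certificate of the mutual-TLS session), refuses stale and repeated request IDs, and throttles each party before any expensive token generation happens, together with the server-side TLS context that makes client certificates mandatory. The certificate subjects, request IDs, timestamps, window sizes and all names are constructed for the example; the TLS helper is shown but not invoked, because it needs real certificate files.

```python
import ssl
import time
from collections import deque


def mutual_tls_context(cafile, certfile, keyfile):
    """Broker-side TLS context requiring a client certificate (the bilateral
    authentication recommended above). Not invoked in this example: it needs the
    broker's certificate/key and the CA that issued the gateway certificates."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # a gateway without a trusted cert never gets a session
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


class TokenRequestGuard:
    """Checks applied before the Broker Token Service does any expensive work."""

    def __init__(self, known_parties, replay_window=300, max_requests=100, per_seconds=60):
        self.known_parties = set(known_parties)  # cert subjects of registered gateways
        self.replay_window = replay_window        # seconds a request stays acceptable
        self.max_requests = max_requests          # per party, per rolling window
        self.per_seconds = per_seconds
        self.seen = {}     # (party, request_id) -> time after which the record can be dropped
        self.history = {}  # party -> deque of accepted request times

    def check(self, client_cert_subject, request_id, issued_at, now):
        """Return (accepted, reason) for one token request."""
        # 1. Known parties only: the identity comes from the verified client certificate,
        #    so an unregistered host cannot even start the expensive path.
        if client_cert_subject not in self.known_parties:
            return False, "unknown party"
        # 2. Freshness: a request far outside the window is rejected outright, which also
        #    bounds how long replay records must be kept.
        if abs(now - issued_at) > self.replay_window:
            return False, "stale request"
        self._expire(now)
        # 3. Replay: the same request ID from the same party inside the window is refused.
        key = (client_cert_subject, request_id)
        if key in self.seen:
            return False, "replayed request"
        # 4. Throttle: bound the token-generation work one party can trigger.
        history = self.history.setdefault(client_cert_subject, deque())
        while history and history[0] <= now - self.per_seconds:
            history.popleft()
        if len(history) >= self.max_requests:
            return False, "rate limit exceeded"
        history.append(now)
        self.seen[key] = now + self.replay_window
        return True, "accepted"

    def _expire(self, now):
        for key in [k for k, until in self.seen.items() if until <= now]:
            del self.seen[key]


# Constructed sample: (client cert subject, request id, issued-at, arrival time)
SAMPLE_REQUESTS = [
    ("CN=sales-gateway", "_r1", 1000, 1000),  # first request from a registered gateway
    ("CN=sales-gateway", "_r1", 1000, 1005),  # the same request submitted again
    ("CN=rogue-host", "_r2", 1010, 1010),     # certificate not registered with the broker
    ("CN=sales-gateway", "_r3", 100, 1010),   # captured earlier; issued 910 s before arrival
]


def run_samples():
    guard = TokenRequestGuard(known_parties=["CN=sales-gateway", "CN=coll-gateway"])
    return [guard.check(*req)[1] for req in SAMPLE_REQUESTS]


def run_burst(count=101):
    """How many requests are accepted when one gateway sends `count` within ten seconds."""
    guard = TokenRequestGuard(known_parties=["CN=coll-gateway"])
    t0 = 2000
    return sum(guard.check("CN=coll-gateway", f"_b{i}", t0 + i / 10, t0 + i / 10)[0]
               for i in range(count))


if __name__ == "__main__":
    print(run_samples())  # ['accepted', 'replayed request', 'unknown party', 'stale request']
    print(run_burst())    # 100
```

The guard complements rather than replaces the transport protection: TLS with client certificates stops capture and impersonation on the wire, while the allowlist, freshness window and per-party limit keep a registered but misbehaving or compromised gateway from exhausting the broker, and the rejection reasons are what a detection pipeline would count per certificate subject.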
6. Related Work

There are several well-known identity federation specifications and standards, such as the Security Assertion Markup Language (SAML) [1], the Liberty Identity Federation Framework (ID-FF) [3], WS-Federation [4], etc. While these protocols define well-organized interaction flows and assertion formats to support direct identity federation between two parties, they still lack detailed interaction flows and assertion formats to support transitive (brokered) identity federation.

One of the most popular identity federation products is IBM Tivoli Federated Identity Manager (TFIM) [5], which is based on open standards such as SAML and WS-Federation. However, TFIM adopts the pairwise trust model and does not provide support for the brokered trust model. There are other identity federation products, such as Oracle Identity Federation [6], Microsoft Geneva Server [7], the Microsoft .NET Access Control Service (ACS) of Azure [9], PingFederate [8], etc. None of these products support the brokered trust model.

7. Future Work & Conclusion

This paper proposes an identity federation solution, the identity federation broker, to address multilateral federation among in-cloud services, external services, and on-premise apps. The solution enables transitive federation based on the brokered trust model. With transitive federation, a service provider only needs to configure once to support potential federation with other services and on-premise apps. Meanwhile, subscribers have full control over cross-service access, which in turn triggers configuration of the transitive federation between services in a transparent way. Moreover, the solution is extensible to adapt to different kinds of identity federation protocols and identity management systems of services or on-premise apps. Potentially, the broker in the solution could act as an arbitrator to resolve disputes about cross-service accesses.

Currently, we have only implemented transitive federated single sign-on in the solution. In future, we will support more types of secure cross-service access, such as secure web service calls. After that, we will conduct an in-depth investigation of how to provide further desired properties, such as privacy, compliance, availability, etc. Moreover, we will apply the solution to real cases to gather feedback and requirements.

References
1. Security Assertion Markup Language (SAML) V2.0 Technical Overview, stc-saml-tech-overview-2.0-cd-02.pdf
2. SAML Trust Model Guidelines, c-saml-trustmodels-2.0-draft-01.pdf
3. Liberty Alliance ID-FF 1.2 Specifications, 160/file/liberty-idff zip
4. Web Services Federation Language (WS-Federation) Version 1.2 Specification, s-federation-1.2-spec-cs-01.doc
5. Federated Identity Management and Web Services Security with IBM Tivoli Security Solutions
6. Oracle Identity Federation White Paper, technology/products/id_mgmt/coreid_fed/pdf/identity_federation_wp_10gr3.pdf
7. Microsoft Geneva
8. PingFederate 6.0 White Paper, ils.cfm?customel_datapageid_1296=
9. Microsoft .NET Access Control Service
10. Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0, r-2.0-os.pdf
www.css-security.com 425.216.0720 WHITE PAPER The proliferation of user accounts can lead to a lowering of the enterprise security posture as users record their account information in order to remember
More informationPingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1
PingFederate Salesforce Connector Version 4.1 Quick Connection Guide 2011 Ping Identity Corporation. All rights reserved. PingFederate Salesforce Quick Connection Guide Version 4.1 June, 2011 Ping Identity
More informationSecurity as Architecture A fine grained multi-tiered containment strategy
1 Security as Architecture A fine grained multi-tiered containment strategy Andras R. Szakal IBM Distinguished Engineer Chief Software Architect, U.S. Federal SWG aszakal@us.ibm.com 2 Objectives Cybersecurity
More informationThe Primer: Nuts and Bolts of Federated Identity Management
The Primer: Nuts and Bolts of Federated Identity Management Executive Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities.
More informationAddressing threats to real-world identity management systems
Addressing threats to real-world identity management systems Wanpeng Li and Chris J Mitchell Information Security Group Royal Holloway, University of London Agenda Single sign-on and identity management
More informationSecurity solutions Executive brief. Understand the varieties and business value of single sign-on.
Security solutions Executive brief Understand the varieties and business value of single sign-on. August 2005 2 Contents 2 Executive overview 2 SSO delivers multiple business benefits 3 IBM helps companies
More informationThe Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs
The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs Executive Overview A key technical underpinning of the Cloud is the Application Programming Interface (API). APIs provide consistent
More informationHOL9449 Access Management: Secure web, mobile and cloud access
HOL9449 Access Management: Secure web, mobile and cloud access Kanishk Mahajan Principal Product Manager, Oracle September, 2014 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Oracle
More informationFlexible Identity Federation
Flexible Identity Federation Administration guide version 1.0.1 Publication history Date Description Revision 2015.09.24 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
More informationExtending DigiD to the Private Sector (DigiD-2)
TECHNISCHE UNIVERSITEIT EINDHOVEN Department of Mathematics and Computer Science MASTER S THESIS Extending DigiD to the Private Sector (DigiD-2) By Giorgi Moniava Supervisors: Eric Verheul (RU, PwC) L.A.M.
More informationHP Software as a Service
HP Software as a Service Software Version: 6.1 Federated SSO Document Release Date: August 2013 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty
More informationIntegration Overview. Web Services and Single Sign On
Integration Overview Web Services and Single Sign On Table of Contents Overview...3 Quick Start 1-2-3...4 Single Sign-On...6 Background... 6 Setup... 6 Programming SSO... 7 Web Services API...8 What is
More informationDeploying RSA ClearTrust with the FirePass controller
Deployment Guide Deploying RSA ClearTrust with the FirePass Controller Deploying RSA ClearTrust with the FirePass controller Welcome to the FirePass RSA ClearTrust Deployment Guide. This guide shows you
More informationFinal Project Report December 9, 2012. Cloud-based Authentication with Native Client Server Applications. Nils Dussart 0961540
Final Project Report December 9, 2012 Cloud-based Authentication with Native Client Server Applications. Nils Dussart 0961540 CONTENTS Project Proposal... 4 Project title... 4 Faculty Advisor... 4 Introduction...
More informationIBM Tivoli Federated Identity Manager
IBM Tivoli Federated Identity Manager Employ user-centric federated access management to enable secure online business collaboration Highlights Enhance business-to-business and business-to-consumer collaborations
More informationService Updates and Enhancements
Service Updates and Enhancements May 8, 2013 McAfee understands that providing the tools for a trusted communication environment is our primary directive. Accomplishing this goal requires listening to
More informationSAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy
SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT How to Create a Frictionless, Secure Customer Identity Management Strategy PART 1: WHAT IS SAML? SAML in Context Security Assertion Markup Language
More informationDistributed Identity Management Model for Digital Ecosystems
International Conference on Emerging Security Information, Systems and Technologies Distributed Identity Management Model for Digital Ecosystems Hristo Koshutanski Computer Science Department University
More informationOIOSAML Rich Client to Browser Scenario Version 1.0
> OIOSAML Rich Client to Browser Scenario Version 1.0 Danish Agency for Digitization December 2011 Contents > 1 Introduction 4 1.1 Purpose 1.2 Background 4 4 2 Goals and Assumptions 5 3 Scenario Details
More informationSECUREAUTH IDP AND OFFICE 365
WHITEPAPER SECUREAUTH IDP AND OFFICE 365 STRONG AUTHENTICATION AND SINGLE SIGN-ON FOR THE CLOUD-BASED OFFICE SUITE EXECUTIVE OVERVIEW As more and more enterprises move to the cloud, it makes sense that
More information> Please fill your survey to be eligible for a prize draw. Only contact info is required for prize draw Survey portion is optional
Web Access Management May 2008 CA Canada Seminar > Please fill your survey to be eligible for a prize draw Only contact info is required for prize draw Survey portion is optional > How to Transform Tactical
More informationCA Nimsoft Service Desk
CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationClosing the Biggest Security Hole in Web Application Delivery
WHITE PAPER DECEMBER 2014 Closing the Biggest Security Hole in Web Application Delivery Addressing Session Hijacking with CA Single Sign-On Enhanced Session Assurance with DeviceDNA Martin Yam CA Security
More informationOPENIAM ACCESS MANAGER. Web Access Management made Easy
OPENIAM ACCESS MANAGER Web Access Management made Easy TABLE OF CONTENTS Introduction... 3 OpenIAM Access Manager Overview... 4 Access Gateway... 4 Authentication... 5 Authorization... 5 Role Based Access
More informationAdd Microsoft Azure as the Federated Authenticator in WSO2 Identity Server
Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server This blog will explain how to use Microsoft Azure as a Federated Authenticator for WSO2 Identity Server 5.0.0. In this example
More informationWhy Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)
Why Identity Management Identity Management Claudiu Duma Identity crisis Privacy concerns Identity theft Terrorist threat Department of Computer and Information Science cladu@ida.liu.se What We Cover Digital
More informationEgnyte Single Sign-On (SSO) Installation for OneLogin
Egnyte Single Sign-On (SSO) Installation for OneLogin To set up Egnyte so employees can log in using SSO, follow the steps below to configure OneLogin and Egnyte to work with each other. 1. Set up OneLogin
More informationMicrosoft Office 365 Using SAML Integration Guide
Microsoft Office 365 Using SAML Integration Guide Revision A Copyright 2013 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and accurate.
More informationNCSU SSO. Case Study
NCSU SSO Case Study 2 2 NCSU Project Requirements and Goals NCSU Operating Environment Provide support for a number Apps and Programs Different vendors have their authentication databases End users must
More informationA SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS
A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS *Dr Umesh Sehgal, #Shalini Guleria *Associate Professor,ARNI School of Computer Science,Arni University,KathagarhUmeshsehgalind@gmail.com
More informationSamsung KNOX EMM Authentication Services. SDK Quick Start Guide
Samsung KNOX EMM Authentication Services SDK Quick Start Guide June 2014 Legal notice This document and the software described in this document are furnished under and are subject to the terms of a license
More informationCisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief
Guide Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief October 2012 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 21 Contents
More informationOn A-Select and Federated Identity Management Systems
On A-Select and Federated Identity Management Systems Joost Reede August 4, 2007 Master s Thesis Information Systems Chair Computer Science Department University of Twente ii This thesis is supervised
More informationPingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0
Windows Live Cloud Identity Connector Version 1.0 User Guide 2011 Ping Identity Corporation. All rights reserved. Windows Live Cloud Identity Connector User Guide Version 1.0 April, 2011 Ping Identity
More informationThe increasing popularity of mobile devices is rapidly changing how and where we
Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to
More informationWhite paper December 2008. Addressing single sign-on inside, outside, and between organizations
White paper December 2008 Addressing single sign-on inside, outside, and between organizations Page 2 Contents 2 Overview 4 IBM Tivoli Unified Single Sign-On: Comprehensively addressing SSO 5 IBM Tivoli
More informationWeb Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.
Web Services Security: OpenSSO and Access Management for SOA Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.com 1 Agenda Need for Identity-based Web services security Single Sign-On
More informationSAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011
NetWeaver Single Sign-On Product Management NetWeaver Identity Management & Security June 2011 Agenda NetWeaver Single Sign-On: Solution overview Key benefits of single sign-on Solution positioning Identity
More informationAND SUN OPENSSO MICROSOFT GENEVA SERVER ENABLING UNPRECEDENTED COLLABORATION ACROSS HETEROGENEOUS IT ENVIRONMENTS. White Paper May 2009.
MICROSOFT GENEVA SERVER AND SUN OPENSSO ENABLING UNPRECEDENTED COLLABORATION ACROSS HETEROGENEOUS IT ENVIRONMENTS White Paper May 2009 Abstract Interoperability between applications in heterogeneous technology
More informationSingle Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1
Overview, page 1 Using SSO with the Cisco WebEx and Cisco WebEx Meeting Applications, page 1 Requirements, page 2 Configuration of in Cisco WebEx Messenger Administration Tool, page 3 Sample Installation
More informationFederation Proxy for Cross Domain Identity Federation
Proxy for Cross Domain Identity Makoto Hatakeyama NEC Corporation, Common Platform Software Res. Lab. 1753, Shimonumabe, Nakahara-Ku, Kawasaki, Kanagawa 211-8666, Japan +81-44-431-7663 m-hatake@ax.jp.nec.com
More informationNetwork-based Access Control
Chapter 4 Network-based Access Control 4.1 Rationale and Motivation Over the past couple of years, a multitude of authentication and access control technologies have been designed and implemented. Although
More informationIDDY. Case Study: Rearden Commerce Delivers SaaS Via Federation WINNER
2007 IDDY AWARD WINNER Case Study: Rearden Commerce Delivers SaaS Via Federation Thanks to federation, Rearden Commerce makes it easier than ever for corporate employees to book and manage travel arrangements.
More informationCloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102
Cloud Standards Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102 2011 IBM Corporation Agenda Overview on Cloud Standards Identity and Access Management Discussion 2 Overview on Cloud
More informationThe Primer: Nuts and Bolts of Federated Identity Management
The Primer: Nuts and Bolts of Federated Identity Management Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities. With so
More informationIdentity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control
Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control agility made possible Enterprises Are Leveraging Both On-premise and Off-premise
More informationDEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity
DEPLOYMENT GUIDE SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity Table of Contents SAML Overview...3 Integration Topology...3 Deployment Requirements...4 Configuration Steps...4 Step
More informationIdentity Federation Management to make Operational and Business Efficiency through SSO
2012 International Conference on Industrial and Intelligent Information (ICIII 2012) IPCSIT vol.31 (2012) (2012) IACSIT Press, Singapore Identity Federation Management to make Operational and Business
More information