Identity Federation Broker for Service Cloud

Size: px
Start display at page:

Download "Identity Federation Broker for Service Cloud"

Transcription

1 2010 International Conference on Sciences Identity Federation Broker for Cloud He Yuan Huang 1, Bin Wang 1, Xiao Xi Liu 1, Jing Min Xu 1 1 IBM Research China {huanghey, wangbcrl, liuxx, Abstract. As the wide adoption of in-cloud services (e.g., software-as-a-service), some major identity related issues are brought up. For enterprises, it usually introduces additional cost and risk to manage identities in services. For service providers, typical pairwise identity federation solutions are not scalable to support single sign-on, service composition, etc. among services for large environment like service cloud. This paper proposes an identity federation broker that introduces a trusted third party as a trust broker to simplify the management of identity federation in a user centric manner. With this solution, the cost and risk of federated identity management for both enterprises and service providers could be significantly reduced. A detailed scenario implementation is given to demonstrate the feasibility of the solution. Moreover, the vulnerability analysis shows how the solution can resist the typical security attacks. Keywords: identity federation, service cloud. 1. Introduction Nowadays more and more enterprises turn their steps to services delivered by public clouds such as SaaS (software-as-a-service) for business and IT transformation. However, the use of in-cloud services usually introduces additional accounts for users who need to access to the services. This not only creates additional risks, but also increases the account management cost especially for those having a large number of in-cloud service users. Cross service access poses additional challenges that one service needs to be able to access to user's data managed by other services on behalf of the user. Federating identities between services seems to be a natural approach to addressing the challenges. However, the traditional (identity provider level) pairwise trust model leads to quadratic complexity of federation relationships and results in a heavy implementation and operation cost for service providers. In order to fully address above issues, this paper proposes an identity federation broker that introduces a trusted third party as a trust broker for establishing identity federation between services in-cloud or across clouds in a user centric approach. It provides identity management and identity federation services to enterprises and is able to federate with enterprise's existing identity systems if there are ones. The rest of the paper is organized as follows: in section 2, the motivations of the paper is introduced to illustrate the trust model and desired system properties of the proposed solution; section 3 gives the details of solution design; section 4 uses a concrete scenario implementation to demonstrate the feasibility of the solution; the vulnerability analysis in section 5 shows how the solution can resist the typical security attacks; section 6 lists related work and compares them with the proposed solution; section 7 summarizes the paper and introduces future work. 2. Motivation The management of trust relationship among parties (services or on-premise apps) is the foundation of a federation solution. Below discusses two typical trust models respectively. (Note that, the trust models discussed in this paper are identity provider level trust models, i.e., trust models among identity authorities.) Pairwise trust model. Most existing federation solutions, such as IBM Tivoli Federated Identity Manager [5], PingFederate [8], etc., are based on pairwise trust model. In this model, relationship and business trust between all /10 $ IEEE DOI /ICSS

2 interoperating participants is exclusively governed by signed business agreements. The strong trust established via business agreements is not technically extendable which results in the forming of closed communities [2]. With this trust model, to enable cross service access among in-cloud services, external services and on-premise apps, multi-lateral trust relationships should be established. For each trust relationship, involved parties need to get business agreement and technical agreement, which really cost a lot. Brokered trust model. Another typical trust model is brokered trust model. In this model, an intermediary is introduced. The business agreement between the service provider and the intermediary places trust in the intermediary, allowing it to act as an agent for the service provider and to establish trust paths to other parties [2]. Thus, with a trustable intermediary, transitive federation could be established dynamically and to a broader range of services. In other words, the cost for establishing multi-lateral trust relationship using pairwise trust model could be dramatically reduced using brokered trust model. Moreover, the trustable intermediary could potentially act as an arbitrator and solve the disputes about cross service access. As we know, the cloud is actually a trusted party for all the in-cloud services and enterprises. Furthermore, if external services want to get connected with the cloud, they should also trust the cloud. Thus, the cloud is a good candidate of intermediary for brokered trust model in this context. Considering both benefits and feasibility, we decide to adopt brokered trust model in our federation solution for service cloud. 3. Solution Based on the selected trust model and desired properties in previous section, we come up with the identity federation broker solution, which is composed of a broker server and a set of extensible gateway (or existing identity federation solution) deployed with services or on-premise apps. In this section, an overview of the solution is given to help readers have a quick knowledge of the solution. After that, detailed design for federated single sign-on is illustrated to help readers get in-depth understanding of the solution Solution Overview Figure 1 gives an overview of the identity federation broker solution we proposed. Fig. 1. Web Web s s /REST /REST In-Cloud In-Cloud Single Sign-On (SSO) Legend Secure Backend Call Broker Server / On-Premise Gateway External External Enterprise X Corporate Directory Gateway Plug-in Existing Federation Solution Overview of Identity Federation Broker for Cloud Basically, the solution is composed of several key parts: broker server, service/on-premise gateway, and gateway plug-in. The broker server, as the core of the solution, is in charge of managing & broking the cross service access The existing federation solution, deployed with service/on-premise app, is a pre-existing identity federation solution. In this case, service/on-premise gateway is not required. The service/on-premise gateway, deployed with service/on-premise app, is in charge of collaborating with broker server to delegate the request from/to service/on-premise app. The gateway plug-in, as extension of gateway, is in charge of adapting the gateway with characteristics of identity provider of service/on-premise app. In the following, we give an in-depth introduction of transitive federated single sign-on based on our solution. 116

3 3.2. Design for Transitive Federated Single Sign-On between s This section gives detailed description on how to enable transitive federated single sign-on between services with proposed solution. Firstly, the responsibilities for involved roles are introduced. Then, system components related with the federated single sign-on are introduced. Finally, a sequence diagram by extending Security Assertion Markup Language (SAML) version 2.0 Web SSO profile [1] is given to illustrate the detailed interaction flow during federated single sign-on. System Components. In this section, we focus on the system components related with transitive federated single sign-on. Fig. 2. Broker Token Broking Store Broker Server Info Info Store Transitive Federated Single Sign-on Related Components in Broker Server As shown in figure 2, the related components of broker server are as follows: Broker Token, which is in charge of generating SAML token to target in terms of request from gateway of source. Info, which returns gateway info and required identity attributes of a. Broking Store, which stores the transitive federation relationships for cross service access. Info Store, which stores gateway info and required identity attributes of a. Fig. 3. Credential Capturer SSO Gateway Authentication Credential Capturer Provider Assertion Consumer Transitive Federated Single Sign-on Related Components in Gateway As shown in figure 3, the related components of service gateway are as follows: SSO, which is in charge of getting SAML token to target from broker server and redirecting user to gateway of target. Credential Capturer, which is in charge of interacting with source service to capture credential of current authenticated user. Assertion Consumer, which is in charge of validating the token embedded in request and redirecting user to target. Authentication Provider, which is in charge of interacting with target to autologin user into the target. Interaction Sequence of Transitive Federated Single Sign-on. Basically, the interaction sequence can be divided into five phases: Phase One - the user logins source and triggered the SSO to target. Phase Two - the gateway of source interacts with source to get current authenticated user s credential. Phase Three - the gateway of source interacts with broker server to request SAML token for accessing target and get the endpoint of assertion consumer service on target side. The interaction steps in this phase are similar as the steps in SAML2 Web SSO Profile [1]. Phase Four - the gateway of target interacts with target to help user auto-authenticate with the target. Phase Five - the gateway of target redirects user to target. As the user has been auto-authenticated with the target, the target returns the expected resource to user. 4. Sample Scenario Below we use a detailed scenario to demonstrate how the proposed solution could work in real world Business Context CP is a trusted cloud provider, which hosts some third party business services, such as sales service provided by SF. COLL is another service provider, which offers a collection of online collaboration services, such as activity service, file & share service, outside the cloud. Both SF and COLL have established business partnership with CP. A small company, MyCompany, has subscribed both sales service and collaboration services for its salesperson. 117

4 From MyCompany s perspective, it would like to enable the federated single sign-on between these subscribed services to improve salesperson s productivity and reduce the cost of helpdesk Scenario Implementation In this scenario, the client admin of MyCompany can take full control over the federated single sign-on between sales service and collaboration services. Firstly, the admin needs to assign accounts of sales service and collaboration services to members of MyCompany. Table 1 shows the accounts assigned for Tom Li. Table 1. Tom s Account ID in Different s Name Sales Collaboration Account ID tom_li Secondly, the admin simply create a cross service access between sales service and collaboration services as shown in Table 2: Table 2. Cross Access Configuration for Single Sign-on from Sales to Collaboration Fig. 5. Interaction Flow between Source Gateway and Source Figure 5 shows how gateway of sales service can get Tom s credential. Detailed steps are as follows: 1. Tom logins sales service as tom_li. 2. Tom clicks a link in sales app to navigate to activity app of collaboration service. 3. The WAS plug-in gets LTPA token of current authenticated user (Tom), and get his credential. 4. The WAS plug-in redirects Tom s credential to Gateway s credential capturer, which executes the following steps as depicted in sequence diagram of previous section. Source Target Cross Access Type Sales Collaboration Single Sign-On In the process aforementioned, the admin does not need to understand any security or federation related concepts. As federation is required for enabling single sign-on between these two services, the transitive federation between them is established transparently underlying. The basic interaction sequence of transitive federated single sign-on has been given before. To help readers get in-depth understanding on how to integrate gateway with services, detailed interaction flows between gateway and services are given as below. Fig. 6. Interaction Flow between Target Gateway and Target Figure 6 shows how gateway of collaboration service can help Tom access activity app without additional sign-on. The detailed steps are as follows. Note that, the previous steps are skipped here. 118

5 1. The authentication provider of gateway redirects Tom s credential in collaboration service to OpenID plug-in to autologin OpenID provider. 2. After autologin, the OpenID plug-in redirects Tom back to the gateway. 3. The gateway redirects user to activity app. The following steps just follow typical interaction flow between OpenID consumer app (activity app) and OpenID provider. As Tom has already autologined the OpenID provider, he can access activity app without additional sign-on. 5. Vulnerability Analysis Due to the nature of identity federation broker as a federation solution for service cloud, deliberating security consideration is critical to make the solution success. A detailed vulnerability analysis is conducted in this section for the transitive federated single sign-on between services based on our solution. In this analysis, typical security threats and possible countermeasures are illustrated. Note that, the interaction sequence from source gateway to target gateway is the same as typical SAML2 web SSO profile. For SAML2 Web SSO Profile, there is already an in-depth vulnerability analysis [10]. This section just focuses on the interactions between service gateway and broker server Attacks Denial-of- Attacks Threat: As handling token generation request in broker server or SSO request in service gateway is potentially a very expensive operation, broker and service gateway are susceptible to a denial of service (DOS) attack. Countermeasures: For token request to broker server, by restricting access to broker server to a set of known parties (trusted services), the risk of a DOS attack could be drastically reduced. More specifically, we could place the broker server inside a secured intranet and implement access rules at the router level. Man-in-the-Middle Attacks Threat: Man-in-the-middle attacks are particularly pernicious for the communication between service gateway and broker server. The MITM can relay requests, capture the returned SAML token, and relay back a false one. Countermeasures: A bilateral authentication system (e.g., HTTP over TLS/SSL with both server- and client-side certificates required) would allow both parties to determine that what they are seeing in a conversation actually came from the other party to the conversation. Replay Attacks Threat: Replay attacks amount to resubmission of the token request in order to get the SAML token to target service fraudulently. Countermeasures: In general, the best way to prevent replay attacks is to prevent the message capture in the first place. Some of the transport-level schemes (e.g., HTTP over TLS/SSL) used to provide in-transit confidentiality will accomplish this goal Collusions Collusion between two or more service providers Threat: two or more corrupted service providers can collude and mass-correlate the identities stored in their database. Countermeasures: As the transitive federation is established thru broker, and all the account linking work are done by users on broker and stored in broker, services could not cross-reference their databases. Collusion between broker provider and service provider Threat: broker provider and service provider can collude and mass-correlate the identities stored in their database. Countermeasures: The broker provider is actually the cloud provider. The assumption of identity federation broker solution is that broker server is the most trustable party of clients. Thus, we don t consider this kind of collusion in the solution. 119

6 6. Related Work There are a couple of well-known identity federation specifications and standards, such as Security Assertion Markup Language (SAML) [1], Liberty Identity Federation Framework (ID-FF) [3], WS-Federation [4], etc. While these protocols have defined well-organized interaction flows and assertion formats to support direct identity federation between two parties, there still lack of detailed interaction flows and assertion formats to support transitive (brokered) identity federation. One of the most popular identity federation products is IBM Tivoli Federated Identity Manager (TFIM) [5], which is based on open standards, such as SAML, WS-Federation, and etc. However, while TFIM adopts pairwise trust model, it does not provide support for brokered trust model. There are some other identity federation products, such as Oracle Identity Federation [6], Microsoft Geneva Server [7],, Microsoft.NET Access Control (ACS) of Azure [9], PingFederate [8], and etc. All these products do not support brokered trust model. 7. Future Work & Conclusion This paper proposes an identity federation solution, identity federation broker, to address the multi-lateral federations among in-cloud services, external services, and on-premise apps. The solution enables transitive federation based on brokered trust model. With transitive federation, service provider only needs to configure once to support potential federation with other services and on-premise apps. In the meanwhile, subscribers have full control over cross service access, which actually triggers configuration over transitive federation between services in a transparent way. Moreover, the solution is extensible to adapt to different kinds of identity federation protocols and identity management systems of services or on-premise apps. Potentially, the broker in the solution could act as an arbitrator to solve the disputes about cross service accesses. Currently, we have only implemented transitive federated single sign-on in the solution. In future, we will support more types of secure cross service access, such as secure web service call, etc. After that, we will conduct in-depth investigation on how to provide more desired properties, such as privacy, compliance, availability, etc. Moreover, we will apply the solution to real cases to gather feedbacks and requirements. References 1. Security Assertion Markup Language (SAML) V2.0 Technical Overview, stc-saml-tech-overview-2.0-cd-02.pdf 2. SAML Trust Model Guidelines, c-saml-trustmodels-2.0-draft-01.pdf 3. Liberty Alliance ID-FF 1.2 Specifications, 160/file/liberty-idff zip 4. Web s Federation Language (WS-Federation) Version 1.2 Specification, s-federation-1.2-spec-cs-01.doc 5. Federated Identity Management and Web s Security with IBM Tivoli Security Solutions, 6. Oracle Identity Federation White Paper, technology/products/id_mgmt/coreid_fed/pdf/identity_federati on_wp_10gr3.pdf 7. Microsoft Geneva, 8. PingFederate 6.0 White Paper, ils.cfm?customel_datapageid_1296= NET Access Control, 10. Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0, r-2.0-os.pdf 120

Getting Started with AD/LDAP SSO

Getting Started with AD/LDAP SSO Getting Started with AD/LDAP SSO Active Directory and LDAP single sign- on (SSO) with Syncplicity Business Edition accounts allows companies of any size to leverage their existing corporate directories

More information

Interoperate in Cloud with Federation

Interoperate in Cloud with Federation Interoperate in Cloud with Federation - Leveraging federation standards can accelerate Cloud computing adoption by resolving vendor lock-in issues and facilitate On Demand business requirements Neha Mehrotra

More information

USING FEDERATED AUTHENTICATION WITH M-FILES

USING FEDERATED AUTHENTICATION WITH M-FILES M-FILES CORPORATION USING FEDERATED AUTHENTICATION WITH M-FILES VERSION 1.0 Abstract This article provides an overview of federated identity management and an introduction on using federated authentication

More information

New Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation

New Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation New Single Sign-on Options for IBM Lotus Notes & Domino 2012 IBM Corporation IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole

More information

Federated Identity Management Solutions

Federated Identity Management Solutions Federated Identity Management Solutions Jyri Kallela Helsinki University of Technology jkallela@cc.hut.fi Abstract Federated identity management allows users to access multiple services based on a single

More information

SAML and OAUTH comparison

SAML and OAUTH comparison SAML and OAUTH comparison DevConf 2014, Brno JBoss by Red Hat Peter Škopek, pskopek@redhat.com, twitter: @pskopek Feb 7, 2014 Abstract SAML and OAuth are one of the most used protocols/standards for single

More information

Evaluation of different Open Source Identity management Systems

Evaluation of different Open Source Identity management Systems Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems

More information

Research and Implementation of Single Sign-On Mechanism for ASP Pattern *

Research and Implementation of Single Sign-On Mechanism for ASP Pattern * Research and Implementation of Single Sign-On Mechanism for ASP Pattern * Bo Li, Sheng Ge, Tian-yu Wo, and Dian-fu Ma Computer Institute, BeiHang University, PO Box 9-32 Beijing 100083 Abstract Software

More information

Identity. Provide. ...to Office 365 & Beyond

Identity. Provide. ...to Office 365 & Beyond Provide Identity...to Office 365 & Beyond Sponsored by shops around the world are increasingly turning to Office 365 Microsoft s cloud-based offering for email, instant messaging, and collaboration. A

More information

Get Success in Passing Your Certification Exam at first attempt!

Get Success in Passing Your Certification Exam at first attempt! Get Success in Passing Your Certification Exam at first attempt! Exam : C2150-575 Title : IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version : Demo 1.What is the default file name of the

More information

Flexible Identity Federation

Flexible Identity Federation Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services

More information

000-575. IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>

000-575. IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>> 000-575 IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: Demo Page 1.What is the default file name of the IBM Tivoli Directory Integrator log? A. tdi.log B. ibmdi.log C. ibmdisrv.log

More information

Introduction to SAML

Introduction to SAML Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments

More information

SAML SSO Configuration

SAML SSO Configuration SAML SSO Configuration Overview of Single Sign-, page 1 Benefits of Single Sign-, page 2 Overview of Setting Up SAML 2.0 Single Sign-, page 3 SAML 2.0 Single Sign- Differences Between Cloud-Based Meeting

More information

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS APPLICATION NOTE IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS SAML 2.0 combines encryption and digital signature verification across resources for a more

More information

PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN

PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN CONNECTING TO THE CLOUD DAVID CHAPPELL DECEMBER 2009 SPONSORED BY AMAZON AND MICROSOFT CORPORATION CONTENTS The Challenge:

More information

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae Masdar Institute Single Sign-On: Standards-based Identity Federation John Mikhael ICT Department jmikhael@masdar.ac.ae Agenda The case for Single Sign-On (SSO) Types of SSO Standards-based Identity Federation

More information

Web Access Management and Single Sign-On

Web Access Management and Single Sign-On Web Access Management and Single Sign-On Ronnie Dale Huggins In the old days of computing, a user would sit down at his or her workstation, login to the desktop, login to their email system, perhaps pull

More information

White Paper. McAfee Cloud Single Sign On Reviewer s Guide

White Paper. McAfee Cloud Single Sign On Reviewer s Guide White Paper McAfee Cloud Single Sign On Reviewer s Guide Table of Contents Introducing McAfee Cloud Single Sign On 3 Use Cases 3 Key Features 3 Provisioning and De-Provisioning 4 Single Sign On and Authentication

More information

managing SSO with shared credentials

managing SSO with shared credentials managing SSO with shared credentials Introduction to Single Sign On (SSO) All organizations, small and big alike, today have a bunch of applications that must be accessed by different employees throughout

More information

NIST s Guide to Secure Web Services

NIST s Guide to Secure Web Services NIST s Guide to Secure Web Services Presented by Gaspar Modelo-Howard and Ratsameetip Wita Secure and Dependable Web Services National Institute of Standards and Technology. Special Publication 800-95:

More information

The Top 5 Federated Single Sign-On Scenarios

The Top 5 Federated Single Sign-On Scenarios The Top 5 Federated Single Sign-On Scenarios Table of Contents Executive Summary... 1 The Solution: Standards-Based Federation... 2 Service Provider Initiated SSO...3 Identity Provider Initiated SSO...3

More information

Gateway Apps - Security Summary SECURITY SUMMARY

Gateway Apps - Security Summary SECURITY SUMMARY Gateway Apps - Security Summary SECURITY SUMMARY 27/02/2015 Document Status Title Harmony Security summary Author(s) Yabing Li Version V1.0 Status draft Change Record Date Author Version Change reference

More information

Extend and Enhance AD FS

Extend and Enhance AD FS Extend and Enhance AD FS December 2013 Sponsored By Contents Extend and Enhance AD FS By Sean Deuby Introduction...2 Web Service SSO Architecture...3 AD FS Overview...5 Ping Identity Solutions...7 Synergy

More information

A Standards-based Mobile Application IdM Architecture

A Standards-based Mobile Application IdM Architecture A Standards-based Mobile Application IdM Architecture Abstract Mobile clients are an increasingly important channel for consumers accessing Web 2.0 and enterprise employees accessing on-premise and cloud-hosted

More information

SharePoint 2013 Business Connectivity Services Hybrid Overview

SharePoint 2013 Business Connectivity Services Hybrid Overview SharePoint 2013 Business Connectivity Services Hybrid Overview Christopher J Fox Microsoft Corporation November 2012 Applies to: SharePoint 2013, SharePoint Online Summary: A hybrid SharePoint environment

More information

Using SAML for Single Sign-On in the SOA Software Platform

Using SAML for Single Sign-On in the SOA Software Platform Using SAML for Single Sign-On in the SOA Software Platform SOA Software Community Manager: Using SAML on the Platform 1 Policy Manager / Community Manager Using SAML for Single Sign-On in the SOA Software

More information

HP Software as a Service. Federated SSO Guide

HP Software as a Service. Federated SSO Guide HP Software as a Service Federated SSO Guide Document Release Date: July 2014 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying

More information

QualysGuard SAML 2.0 Single Sign-On. Technical Brief

QualysGuard SAML 2.0 Single Sign-On. Technical Brief QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,

More information

OpenSSO: Cross Domain Single Sign On

OpenSSO: Cross Domain Single Sign On OpenSSO: Cross Domain Single Sign On Version 0.1 History of versions Version Date Author(s) Changes 0.1 11/30/2006 Dennis Seah Contents Initial Draft. 1 Introduction 1 2 Single Domain Single Sign-On 2

More information

The Challenges of Web single sign-on

The Challenges of Web single sign-on Serge Vereecke Security Architect IBM Security Services serge_vereecke@be.ibm.com The Challenges of Web single sign-on GSE Event September 7, 2012 Agenda Single sign-on technology Why single sign-on Challenges

More information

Using Entrust certificates with VPN

Using Entrust certificates with VPN Entrust Managed Services PKI Using Entrust certificates with VPN Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered trademark

More information

Mid-Project Report August 14 th, 2012. Nils Dussart 0961540

Mid-Project Report August 14 th, 2012. Nils Dussart 0961540 Mid-Project Report August 14 th, 2012 Nils Dussart 0961540 CONTENTS Project Proposal... 3 Project title... 3 Faculty Advisor... 3 Project Scope and Individual Student Learning Goals... 3 Proposed Product

More information

A Data Synchronization based Single Sign-on Schema Supporting Heterogeneous Systems and Multi-Management Mode

A Data Synchronization based Single Sign-on Schema Supporting Heterogeneous Systems and Multi-Management Mode A Data Synchronization based Single Sign-on Schema Supporting Heterogeneous Systems and Multi-Management Mode Haojiang Gao 1 Beijing Northking Technology Co.,Ltd Zhongguancun Haidian Science Park Postdoctoral

More information

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES pingidentity.com EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES Best practices for identity federation in AWS Table of Contents Executive Overview 3 Introduction: Identity and Access Management in Amazon

More information

Agenda. How to configure

Agenda. How to configure dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services

More information

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM Training. @aidy_idm facebook/allidm

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM Training. @aidy_idm facebook/allidm Discovering IAM Solutions Leading the IAM Training @aidy_idm facebook/allidm SSO Introduction Disclaimer and Acknowledgments The contents here are created as a own personal endeavor and thus does not reflect

More information

Delegation for On-boarding Federation Across Storage Clouds

Delegation for On-boarding Federation Across Storage Clouds Delegation for On-boarding Federation Across Storage Clouds Elliot K. Kolodner 1, Alexandra Shulman-Peleg 1, Gil Vernik 1, Ciro Formisano 2, and Massimo Villari 3 1 IBM Haifa Research Lab, Israel 2 Engineering

More information

SAML 101. Executive Overview WHITE PAPER

SAML 101. Executive Overview WHITE PAPER SAML 101 Executive Overview Today s enterprise employees use an ever-increasing number of applications, both enterprise hosted and in the Cloud, to do their jobs. What s more, they are accessing those

More information

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning. PingFederate We went with PingFederate because it s based on standards like SAML, which are important for a secure implementation. John Davidson Senior Product Manager, Opower PingFederate is the leading

More information

Bringing Cloud Security Down to Earth. Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com

Bringing Cloud Security Down to Earth. Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com Bringing Cloud Security Down to Earth Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com Agenda About Nemertes Cloud Dynamics and Adoption Assessing Risk of Cloud Services

More information

An Oracle White Paper Dec 2013. Oracle Access Management Security Token Service

An Oracle White Paper Dec 2013. Oracle Access Management Security Token Service An Oracle White Paper Dec 2013 Oracle Access Management Security Token Service Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only,

More information

PingFederate. SSO Integration Overview

PingFederate. SSO Integration Overview PingFederate SSO Integration Overview 2006-2012 Ping Identity Corporation. All rights reserved. PingFederate SSO Integration Overview Version 6.6 January, 2012 Ping Identity Corporation 1001 17th Street,

More information

WHITEPAPER SAML ALONE IS NOT SECURE - HERE S HOW TO FIX IT

WHITEPAPER SAML ALONE IS NOT SECURE - HERE S HOW TO FIX IT WHITEPAPER SAML ALONE IS NOT SECURE - HERE S HOW TO FIX IT Executive Overview SAML (Security Assertion Markup Language) is a standard that facilitates the exchange of security information. Developed by

More information

Integrating Single Sign-on Across the Cloud By David Strom

Integrating Single Sign-on Across the Cloud By David Strom Integrating Single Sign-on Across the Cloud By David Strom TABLE OF CONTENTS Introduction 1 Access Control: Web and SSO Gateways 2 Web Gateway Key Features 2 SSO Key Features 3 Conclusion 5 Author Bio

More information

CA Single Sign-On Migration Guide

CA Single Sign-On Migration Guide CA Single Sign-On Migration Guide Web access management (WAM) systems have been a part of enterprises for decades. It is critical to control access and audit applications while reducing the friction for

More information

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites Single Sign On (SSO) Implementation Manual For Connect 5 & MyConnect Sites Version 6 Release 5.7 September 2013 1 What is Blackboard Connect Single Sign On?... 3 How it Works... 3 Drawbacks to Using Single

More information

Federated Identity Architectures

Federated Identity Architectures Federated Identity Architectures Uciel Fragoso-Rodriguez Instituto Tecnológico Autónomo de México, México {uciel@itam.mx} Maryline Laurent-Maknavicius CNRS Samovar UMR 5157, GET Institut National des Télécommunications,

More information

DEMO ONLY VERSION. Easy CramBible Lab C90-02A. SOA Cloud Technology Concepts. ** Single-user License **

DEMO ONLY VERSION. Easy CramBible Lab C90-02A. SOA Cloud Technology Concepts. ** Single-user License ** Easy CramBible Lab ** Single-user License ** C90-02A SOA Cloud Technology Concepts This copy can be only used by yourself for educational purposes Web: http://www.crambible.com/ E-mail: web@crambible.com

More information

Enhancing Web Application Security

Enhancing Web Application Security Enhancing Web Application Security Using Another Authentication Factor Karen Lu and Asad Ali Gemalto, Inc. Technology & Innovations Austin, TX, USA Overview Introduction Current Statet Smart Cards Two-Factor

More information

SaaS at Pfizer. Challenges, Solutions, Recommendations. Worldwide Business Technology

SaaS at Pfizer. Challenges, Solutions, Recommendations. Worldwide Business Technology SaaS at Pfizer Challenges, Solutions, Recommendations Agenda How are Cloud and SaaS different in practice? What does Pfizer s SaaS footprint look like? Identity is the Issue: Federation (SSO) and Provisioning/De-provisioning

More information

How to Implement Enterprise SAML SSO

How to Implement Enterprise SAML SSO How to Implement Enterprise SSO THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY How to Implement Enterprise SSO Introduction Security Assertion Markup Language, or, provides numerous The advantages and

More information

Security solutions Executive brief. Understand the varieties and business value of single sign-on.

Security solutions Executive brief. Understand the varieties and business value of single sign-on. Security solutions Executive brief Understand the varieties and business value of single sign-on. August 2005 2 Contents 2 Executive overview 2 SSO delivers multiple business benefits 3 IBM helps companies

More information

The Primer: Nuts and Bolts of Federated Identity Management

The Primer: Nuts and Bolts of Federated Identity Management The Primer: Nuts and Bolts of Federated Identity Management Executive Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities.

More information

Security as Architecture A fine grained multi-tiered containment strategy

Security as Architecture A fine grained multi-tiered containment strategy 1 Security as Architecture A fine grained multi-tiered containment strategy Andras R. Szakal IBM Distinguished Engineer Chief Software Architect, U.S. Federal SWG aszakal@us.ibm.com 2 Objectives Cybersecurity

More information

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1 PingFederate Salesforce Connector Version 4.1 Quick Connection Guide 2011 Ping Identity Corporation. All rights reserved. PingFederate Salesforce Quick Connection Guide Version 4.1 June, 2011 Ping Identity

More information

HOL9449 Access Management: Secure web, mobile and cloud access

HOL9449 Access Management: Secure web, mobile and cloud access HOL9449 Access Management: Secure web, mobile and cloud access Kanishk Mahajan Principal Product Manager, Oracle September, 2014 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Oracle

More information

Federated Identity in the Enterprise

Federated Identity in the Enterprise www.css-security.com 425.216.0720 WHITE PAPER The proliferation of user accounts can lead to a lowering of the enterprise security posture as users record their account information in order to remember

More information

Extending DigiD to the Private Sector (DigiD-2)

Extending DigiD to the Private Sector (DigiD-2) TECHNISCHE UNIVERSITEIT EINDHOVEN Department of Mathematics and Computer Science MASTER S THESIS Extending DigiD to the Private Sector (DigiD-2) By Giorgi Moniava Supervisors: Eric Verheul (RU, PwC) L.A.M.

More information

Addressing threats to real-world identity management systems

Addressing threats to real-world identity management systems Addressing threats to real-world identity management systems Wanpeng Li and Chris J Mitchell Information Security Group Royal Holloway, University of London Agenda Single sign-on and identity management

More information

AND SUN OPENSSO MICROSOFT GENEVA SERVER ENABLING UNPRECEDENTED COLLABORATION ACROSS HETEROGENEOUS IT ENVIRONMENTS. White Paper May 2009.

AND SUN OPENSSO MICROSOFT GENEVA SERVER ENABLING UNPRECEDENTED COLLABORATION ACROSS HETEROGENEOUS IT ENVIRONMENTS. White Paper May 2009. MICROSOFT GENEVA SERVER AND SUN OPENSSO ENABLING UNPRECEDENTED COLLABORATION ACROSS HETEROGENEOUS IT ENVIRONMENTS White Paper May 2009 Abstract Interoperability between applications in heterogeneous technology

More information

Final Project Report December 9, 2012. Cloud-based Authentication with Native Client Server Applications. Nils Dussart 0961540

Final Project Report December 9, 2012. Cloud-based Authentication with Native Client Server Applications. Nils Dussart 0961540 Final Project Report December 9, 2012 Cloud-based Authentication with Native Client Server Applications. Nils Dussart 0961540 CONTENTS Project Proposal... 4 Project title... 4 Faculty Advisor... 4 Introduction...

More information

Deploying RSA ClearTrust with the FirePass controller

Deploying RSA ClearTrust with the FirePass controller Deployment Guide Deploying RSA ClearTrust with the FirePass Controller Deploying RSA ClearTrust with the FirePass controller Welcome to the FirePass RSA ClearTrust Deployment Guide. This guide shows you

More information

IBM Tivoli Federated Identity Manager

IBM Tivoli Federated Identity Manager IBM Tivoli Federated Identity Manager Employ user-centric federated access management to enable secure online business collaboration Highlights Enhance business-to-business and business-to-consumer collaborations

More information

HP Software as a Service

HP Software as a Service HP Software as a Service Software Version: 6.1 Federated SSO Document Release Date: August 2013 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty

More information

OIOSAML Rich Client to Browser Scenario Version 1.0

OIOSAML Rich Client to Browser Scenario Version 1.0 > OIOSAML Rich Client to Browser Scenario Version 1.0 Danish Agency for Digitization December 2011 Contents > 1 Introduction 4 1.1 Purpose 1.2 Background 4 4 2 Goals and Assumptions 5 3 Scenario Details

More information

SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy

SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT How to Create a Frictionless, Secure Customer Identity Management Strategy PART 1: WHAT IS SAML? SAML in Context Security Assertion Markup Language

More information

Service Updates and Enhancements

Service Updates and Enhancements Service Updates and Enhancements May 8, 2013 McAfee understands that providing the tools for a trusted communication environment is our primary directive. Accomplishing this goal requires listening to

More information

Distributed Identity Management Model for Digital Ecosystems

Distributed Identity Management Model for Digital Ecosystems International Conference on Emerging Security Information, Systems and Technologies Distributed Identity Management Model for Digital Ecosystems Hristo Koshutanski Computer Science Department University

More information

Integration Overview. Web Services and Single Sign On

Integration Overview. Web Services and Single Sign On Integration Overview Web Services and Single Sign On Table of Contents Overview...3 Quick Start 1-2-3...4 Single Sign-On...6 Background... 6 Setup... 6 Programming SSO... 7 Web Services API...8 What is

More information

> Please fill your survey to be eligible for a prize draw. Only contact info is required for prize draw Survey portion is optional

> Please fill your survey to be eligible for a prize draw. Only contact info is required for prize draw Survey portion is optional Web Access Management May 2008 CA Canada Seminar > Please fill your survey to be eligible for a prize draw Only contact info is required for prize draw Survey portion is optional > How to Transform Tactical

More information

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps Sofia Event Center 14-15 May 2014 Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps Radi Atanassov SharePoint MCM & MVP

More information

Closing the Biggest Security Hole in Web Application Delivery

Closing the Biggest Security Hole in Web Application Delivery WHITE PAPER DECEMBER 2014 Closing the Biggest Security Hole in Web Application Delivery Addressing Session Hijacking with CA Single Sign-On Enhanced Session Assurance with DeviceDNA Martin Yam CA Security

More information

SECUREAUTH IDP AND OFFICE 365

SECUREAUTH IDP AND OFFICE 365 WHITEPAPER SECUREAUTH IDP AND OFFICE 365 STRONG AUTHENTICATION AND SINGLE SIGN-ON FOR THE CLOUD-BASED OFFICE SUITE EXECUTIVE OVERVIEW As more and more enterprises move to the cloud, it makes sense that

More information

On the Application of Trust and Reputation Management and User-centric Techniques for Identity Management Systems

On the Application of Trust and Reputation Management and User-centric Techniques for Identity Management Systems On the Application of Trust and Reputation Management and User-centric Techniques for Identity Management Systems Ginés Dólera Tormo Security Group NEC Laboratories Europe Email: gines.dolera@neclab.eu

More information

CA Nimsoft Service Desk

CA Nimsoft Service Desk CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Egnyte Single Sign-On (SSO) Installation for OneLogin

Egnyte Single Sign-On (SSO) Installation for OneLogin Egnyte Single Sign-On (SSO) Installation for OneLogin To set up Egnyte so employees can log in using SSO, follow the steps below to configure OneLogin and Egnyte to work with each other. 1. Set up OneLogin

More information

OPENIAM ACCESS MANAGER. Web Access Management made Easy

OPENIAM ACCESS MANAGER. Web Access Management made Easy OPENIAM ACCESS MANAGER Web Access Management made Easy TABLE OF CONTENTS Introduction... 3 OpenIAM Access Manager Overview... 4 Access Gateway... 4 Authentication... 5 Authorization... 5 Role Based Access

More information

A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS

A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS *Dr Umesh Sehgal, #Shalini Guleria *Associate Professor,ARNI School of Computer Science,Arni University,KathagarhUmeshsehgalind@gmail.com

More information

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server This blog will explain how to use Microsoft Azure as a Federated Authenticator for WSO2 Identity Server 5.0.0. In this example

More information

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs Executive Overview A key technical underpinning of the Cloud is the Application Programming Interface (API). APIs provide consistent

More information

Federated Identity and Trust Management

Federated Identity and Trust Management Redpaper Axel Buecker Paul Ashley Neil Readshaw Federated Identity and Trust Management Introduction The cost of managing the life cycle of user identities is very high. Most organizations have to manage

More information

Microsoft Office 365 Using SAML Integration Guide

Microsoft Office 365 Using SAML Integration Guide Microsoft Office 365 Using SAML Integration Guide Revision A Copyright 2013 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and accurate.

More information

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief Guide Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief October 2012 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 21 Contents

More information

Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)

Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity) Why Identity Management Identity Management Claudiu Duma Identity crisis Privacy concerns Identity theft Terrorist threat Department of Computer and Information Science cladu@ida.liu.se What We Cover Digital

More information

NCSU SSO. Case Study

NCSU SSO. Case Study NCSU SSO Case Study 2 2 NCSU Project Requirements and Goals NCSU Operating Environment Provide support for a number Apps and Programs Different vendors have their authentication databases End users must

More information

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011 NetWeaver Single Sign-On Product Management NetWeaver Identity Management & Security June 2011 Agenda NetWeaver Single Sign-On: Solution overview Key benefits of single sign-on Solution positioning Identity

More information

On A-Select and Federated Identity Management Systems

On A-Select and Federated Identity Management Systems On A-Select and Federated Identity Management Systems Joost Reede August 4, 2007 Master s Thesis Information Systems Chair Computer Science Department University of Twente ii This thesis is supervised

More information

The increasing popularity of mobile devices is rapidly changing how and where we

The increasing popularity of mobile devices is rapidly changing how and where we Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to

More information

White paper December 2008. Addressing single sign-on inside, outside, and between organizations

White paper December 2008. Addressing single sign-on inside, outside, and between organizations White paper December 2008 Addressing single sign-on inside, outside, and between organizations Page 2 Contents 2 Overview 4 IBM Tivoli Unified Single Sign-On: Comprehensively addressing SSO 5 IBM Tivoli

More information

Samsung KNOX EMM Authentication Services. SDK Quick Start Guide

Samsung KNOX EMM Authentication Services. SDK Quick Start Guide Samsung KNOX EMM Authentication Services SDK Quick Start Guide June 2014 Legal notice This document and the software described in this document are furnished under and are subject to the terms of a license

More information

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion. Web Services Security: OpenSSO and Access Management for SOA Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.com 1 Agenda Need for Identity-based Web services security Single Sign-On

More information

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1 Overview, page 1 Using SSO with the Cisco WebEx and Cisco WebEx Meeting Applications, page 1 Requirements, page 2 Configuration of in Cisco WebEx Messenger Administration Tool, page 3 Sample Installation

More information

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0 Windows Live Cloud Identity Connector Version 1.0 User Guide 2011 Ping Identity Corporation. All rights reserved. Windows Live Cloud Identity Connector User Guide Version 1.0 April, 2011 Ping Identity

More information

Network-based Access Control

Network-based Access Control Chapter 4 Network-based Access Control 4.1 Rationale and Motivation Over the past couple of years, a multitude of authentication and access control technologies have been designed and implemented. Although

More information

The Primer: Nuts and Bolts of Federated Identity Management

The Primer: Nuts and Bolts of Federated Identity Management The Primer: Nuts and Bolts of Federated Identity Management Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities. With so

More information

CLAIMS-BASED IDENTITY FOR WINDOWS

CLAIMS-BASED IDENTITY FOR WINDOWS CLAIMS-BASED IDENTITY FOR WINDOWS TECHNOLOGIES AND SCENARIOS DAVID CHAPPELL FEBRUARY 2011 SPONSORED BY MICROSOFT CORPORATION CONTENTS Understanding Claims-Based Identity... 3 The Problem: Working with

More information

IDDY. Case Study: Rearden Commerce Delivers SaaS Via Federation WINNER

IDDY. Case Study: Rearden Commerce Delivers SaaS Via Federation WINNER 2007 IDDY AWARD WINNER Case Study: Rearden Commerce Delivers SaaS Via Federation Thanks to federation, Rearden Commerce makes it easier than ever for corporate employees to book and manage travel arrangements.

More information

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102 Cloud Standards Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102 2011 IBM Corporation Agenda Overview on Cloud Standards Identity and Access Management Discussion 2 Overview on Cloud

More information