A Data Synchronization based Single Sign-on Schema Supporting Heterogeneous Systems and Multi-Management Mode
Haojiang Gao (1, 2)
1 Beijing Northking Technology Co., Ltd, Zhongguancun Haidian Science Park Postdoctoral Workstation
2 Department of Automation, Tsinghua University, Beijing, P.R. China
ahustphd@yahoo.com.cn

Tianyuan Xiao
Department of Automation, Tsinghua University, Beijing, P.R. China
xty-dau@mail.tsinghua.edu.cn

Abstract

Single sign-on (SSO) solutions are classified into several modes and the flaws of each mode are pointed out in this paper. To overcome these drawbacks, an SSO schema supporting heterogeneous systems and multiple management modes (SHM-SSO) is proposed. Data modeling and a data synchronization strategy are used in the schema to ensure that subsystems keep running while the Authentication Center (AC) fails, and to reduce the intrusion into existing systems. The schema has the advantages of agility, flexibility and resistance to AC failure. It not only simplifies system management but also protects user privacy. The schema has been put into use in a national bank in China and has exhibited satisfactory properties.

Keywords: SSO; System Integration; Identity Management; Heterogeneous Systems; Data Synchronization

I. INTRODUCTION

With the development of IT technology, there are generally many information systems in an enterprise. Each system has its own user information management and authentication mechanism. Every user needs to remember and enter his credentials in every system, which is not only cumbersome but also dangerous if the credentials are lost or disclosed. At the same time, system administrators need to configure every system when an employee joins or leaves, which is inconvenient and a serious security weakness. So system integration and a portal are needed to support unified authentication. In addition, with the development of B2B (business to business), enterprise alliances need to remove the barriers between enterprises and serve customers through one portal. To satisfy these demands, more and more research focuses on single sign-on (SSO) [1-13].

SSO is an access-control solution that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again. But the existing SSO solutions are not optimal in terms of performance, security, stability and the scale of transformation required of existing systems. In addition, few studies are concerned with the integration of C/S (client/server) architecture systems. Section 2 of this paper classifies the SSO solutions and discusses their advantages and disadvantages. To overcome the disadvantages, section 3 designs a new SSO schema and states its properties. Section 4 analyzes the security of the SSO schema. Section 5 gives an application example in a national bank in China. Section 6 draws the conclusions.

II. CURRENT SITUATION OF SSO RESEARCH

A. SAML

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains [2-4], that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). An assertion is a statement that the consumer accepts without further proof. SAML assertions include authentication assertions, attribute assertions and authorization assertions. The single most important problem that SAML is trying to solve is the web browser single sign-on problem, and SAML has been used in many web single sign-on solutions. But SAML also has disadvantages. Reference [2] points out that SAML lacks standardized mechanisms for metadata exchange, which brings many problems in practice.

B. SSO solutions classification

In terms of identity management mode [5-7], SSO solutions can be classified into two types. One is the identity-centric management mode (ICMM), such as Microsoft's Passport, which manages all user information in the SSO Center.
The other is the liberty alliance mode (LAM), such as the SAML-based Liberty Alliance Project, in which every system keeps its own identity management and a mapping of user accounts between systems is established. The advantage of ICMM is convenient system management. Its flaw is that it cannot protect user privacy [8], because the enterprise that performs the identity-centric management may disclose other enterprises' user information. Moreover, Passport has a single point of failure: no system can work when the SSO Center collapses. The advantage of LAM is that it protects user privacy, while its disadvantage is that system management is complicated and error-prone.

In terms of authorization means, SSO solutions can also be classified into two types. One is the respective authorization mode: each system keeps its own authorization, and the SSO client or center has to enter the user's password on the user's behalf, as a "ghostwriter". The other is the trust transplant mode: if a user has been authenticated in one system, the other systems trust that authentication and let the user operate. The former has the advantage of small-scale transformation, but its disadvantage is the ghostwriting of passwords. The advantage of the latter is that no password ghostwriting is needed; its flaw is not only that little user information is transferred, but also that it requires large-scale transformation of the original systems.

Besides the above flaws in these SSO solutions [9], we find that few papers address C/S architecture systems while most focus on web applications [10], and that the single failure of the SSO center is seldom considered. To overcome these disadvantages, this paper combines the advantages of the above solutions and adopts the concept of SAML to design an SSO schema, named SSO supporting heterogeneous systems and multiple management modes (SHM-SSO). The application of SHM-SSO in a China national bank is also described.

III. SHM-SSO SCHEMA DESIGN

There are many software systems in big enterprises. For example, one China national bank has dozens of applications. Each system has its own identity management, which has caused much inconvenience, so it is increasingly necessary to adopt identity-centric management. However, in an enterprise alliance, an enterprise does not want to disclose its user information to other enterprises. To satisfy both demands, the SHM-SSO schema is designed to support the identity-centric management mode within one enterprise and the liberty alliance mode among alliance enterprises. For authorization, the SHM-SSO schema likewise combines the respective authorization mode within one enterprise with the trust transplant mode among alliance enterprises. As mentioned above, identity-centric management is used within one enterprise, but the question is how to implement respective authorization. The solution is data synchronization.

A. Data synchronization strategy

First, a system named the system integration center is set up, which includes the identity management center and the authorization center.
The identity management center manages all user information in the enterprise, including each user's roles in each system, and creates a data model to standardize and regularize the data. This ensures data consistency and simplifies system management: subsystem administrators no longer need to manage user information in the subsystems themselves. A data synchronization method is then used to transmit the user data from the identity management center to the subsystems. Through data synchronization, the data of every user who holds roles in a subsystem, including the encrypted user password, is transmitted to that subsystem. The subsystem then converts the received standardized data into its local data types and stores it in its own database. Note that the mapping of user accounts between systems is not stored in the system integration center, so as to simplify system management; instead, the system integration center provides a unified identifier, such as the user's ID number, and subsystems match users in their own databases by this identifier.

A universal plug-in has been developed to implement the data synchronization function. It can be nested into subsystems, and a subsystem only needs to implement a simple interface that converts the received standardized data into its local data types. The subsystem's existing code for reading and writing its database can be preserved, so the plug-in makes almost no intrusion into existing systems. Web services technology is used for data synchronization: the system integration center is the web services provider [11], and each subsystem is a web services client. As illustrated in Fig. 1, each subsystem pulls and stores the data relevant to it on a regular schedule and feeds the user data into the workflow systems it uses. Moreover, once the data changes, the identity management center notifies the relevant subsystem to synchronize the changed data immediately.
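The pull-and-push synchronization, the unified-identifier matching and the "simple interface" a subsystem implements can be sketched in code. The following is an added illustration, not the paper's plug-in or the bank's system: the standardized user record, the identity center's change counter, the subsystem's local table layout, the constructed sample users and the use of a SHA-256 digest in place of the paper's separately encrypted password are all assumptions made for this example.

```python
"""Added illustration of SHM-SSO data synchronization (Section III.A).
Not the paper's code: the record layout, change counter and SHA-256
password digest are assumptions made for this example."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


def hash_password(plain: str) -> str:
    # Stand-in for the paper's separately encrypted password: subsystems
    # receive a value they can verify against but cannot reverse.
    return hashlib.sha256(plain.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class StdUser:
    """Assumed standardized record produced by the identity management center."""
    uid: str                            # unified identifier, e.g. the user's ID number
    name: str
    roles: Dict[str, Tuple[str, ...]]   # subsystem name -> roles held in that subsystem
    pwd_hash: str
    version: int                        # increases on every change at the center


class IdentityCenter:
    """Assumed model of the identity management center (web services provider)."""

    def __init__(self) -> None:
        self.users: Dict[str, StdUser] = {}
        self.subscribers: List["Subsystem"] = []

    def register(self, subsystem: "Subsystem") -> None:
        self.subscribers.append(subsystem)

    def upsert(self, user: StdUser) -> None:
        # push: notify subscribed subsystems as soon as a record changes
        self.users[user.uid] = user
        for sub in self.subscribers:
            sub.receive(user)

    def changed_since(self, version: int) -> List[StdUser]:
        # pull: records newer than the caller's last synchronized version
        return sorted((u for u in self.users.values() if u.version > version),
                      key=lambda u: u.version)


class Subsystem:
    """Assumed subsystem with the synchronization plug-in nested in it.
    Only convert() is subsystem-specific; the rest is the reusable plug-in."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.local_table: Dict[str, dict] = {}   # legacy user table, keyed by uid
        self.last_version = 0

    def convert(self, user: StdUser) -> dict:
        # the "simple interface": map standardized fields to the local layout
        return {
            "login": user.name.lower().replace(" ", "."),
            "role_codes": [f"{self.name.upper()}_{r.upper()}"
                           for r in user.roles[self.name]],
            "pwd": user.pwd_hash,
        }

    def receive(self, user: StdUser) -> None:
        # match the user by the unified identifier; a record that no longer
        # grants a role here (e.g. the employee left) removes the local row
        if self.name in user.roles:
            self.local_table[user.uid] = self.convert(user)
        else:
            self.local_table.pop(user.uid, None)
        self.last_version = max(self.last_version, user.version)

    def pull(self, center: IdentityCenter) -> int:
        # scheduled pull; returns the number of records applied
        changed = center.changed_since(self.last_version)
        for u in changed:
            self.receive(u)
        return len(changed)

    def authenticate_locally(self, uid: str, password: str) -> bool:
        # uses only the synchronized copy, so it keeps working while the AC is down
        row = self.local_table.get(uid)
        return row is not None and row["pwd"] == hash_password(password)


def demo() -> dict:
    """Constructed scenario: one user synchronized to the subsystem she has a role in."""
    center = IdentityCenter()
    loans, cards = Subsystem("loans"), Subsystem("cards")
    center.register(loans)
    center.register(cards)
    center.upsert(StdUser("U-0001", "Alice Wang", {"loans": ("clerk",)},
                          hash_password("s3cret"), 1))   # constructed sample record
    return {
        "in_loans": "U-0001" in loans.local_table,
        "in_cards": "U-0001" in cards.local_table,
        "roles": loans.local_table["U-0001"]["role_codes"],
        "local_auth": loans.authenticate_locally("U-0001", "s3cret"),
    }
```

The push path delivers a change the moment the center commits it; the pull path lets a subsystem that was offline or registered late catch up by version number. Because every subsystem keeps its own converted copy, `authenticate_locally` never contacts the center, which is the property the paper relies on for continued operation during an AC failure.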
A pull-and-push data synchronization has thus been implemented. A chaotic encryption algorithm is used to protect the data synchronization communication [12]. Specifically, the data synchronization and SSO functions are designed and coded as one SSO component, which can be nested into subsystems, and subsystems only need to implement a simple interface.

Why is data synchronization used? The reasons are as follows.
(1) Subsystems need to record user operation logs, and the user table in the database is referenced by foreign keys.
(2) Subsystem statistics need the organization table and the user table.
(3) Subsystems do authentication in their own way; if no such data were available locally, a subsystem would need large-scale transformation.
Therefore identity-centric management with respective authorization is the first choice. For enterprise alliances, to protect user privacy, the choice changes to trust transplant, in which trust is transplanted between authorization centers.

B. Supporting heterogeneous systems and cross-domain SSO communication

Following the concept of SAML, the SSO communication procedure among one enterprise's systems is as follows (Fig. 2).
(1) The user submits his credentials and logs in to the authentication center (AC).
(2) AC creates an encrypted authentication token and stores it in the user's session and cookie.
(3) The user requests a service of the target system (subsystem).
(4) The target system detects that the user has not logged in. It generates a random number and stores it in the user's session.
(5) The target system redirects the user to AC and requests an authentication assertion.
(6) AC extracts and decodes the authentication token from the user's session or cookie, then checks its validity. If the token is verified, AC responds to the target system with an authentication assertion and an attribute assertion (possibly including the encrypted password) through an encrypted URL.
(7) The target system accepts and decodes the assertion, and checks the validity of the assertion and the random number in the user's session. If they are valid, it removes the random number from the user's session and loads the user's information and roles from its own database into the user's session.
(8) The target system then shows the pages that the user requested in step (3). After that, when the user requests the same target system, it responds directly, without asking the AC for an authentication assertion, until the session times out.

If the target system is based on a C/S architecture, a middle web server is needed, which includes the SSO component and provides a JSP page with an embedded Java applet. The SSO communication steps then change as follows. In step (3), the user requests the JSP page. In step (7), the SSO component obtains the authentication assertion and attribute assertion. In step (8), the Java applet is returned to the user; it connects to the middle server immediately and gets the username and password. The Java applet is signed by the middle server, so it can start the C/S client application and enter the user's account and password as a ghostwriter. Experimental verification shows that these communication steps are feasible.

Fig. 3 shows the SSO communication steps between alliance enterprises using trust transplant.
(1) The user logs in to enterprise 1's authentication center AC1.
(2) AC1 creates an encrypted authentication token and stores it in the user's session and cookie.
(3) The user requests a service of a target system (subsystem) that belongs to enterprise 2.
(4) The target system detects that the user has not logged in. It generates a random number and stores it in the user's session.
(5) The target system redirects the user to AC2 and requests an authentication assertion.
(6) AC2 does not find its own SSO token and redirects the user to AC1.
(7) AC1 extracts and decodes the authentication token from the user's session or cookie and checks its validity. If the token is valid, AC1 creates another random token and sends it to AC2.
(8) AC2 accepts the token and uses it to request a SAML assertion from AC1.
(9) AC1 checks the validity of the token and sends the encrypted SAML assertion to AC2.
(10) AC2 decodes the assertion and extracts the user information. If the user does not exist in AC2, it saves the user's information to its database and notifies the relevant subsystems to perform data synchronization.
(11) AC2 redirects the user to the target system with the authentication assertion.
(12) The target system accepts and decodes the assertion.
(13) The target system shows the response.

C. Features of the SHM-SSO schema

The SHM-SSO schema has the following advantages.
(1) It implements SSO between heterogeneous systems.
(2) It supports multiple management modes and has the advantages of both the identity-centric management mode and the liberty alliance mode: it satisfies the demand for data centralization within one enterprise and for privacy protection between enterprises.
(3) Flexibility: authentication trust can be transplanted between authentication centers.
(4) Easy integration of legacy systems: the authentication and authorization code of a legacy system can be preserved.
(5) Excellent resistance to a single point of failure: even when the authentication center collapses, the subsystems keep working, because every subsystem stores its own copy of the user data.
(6) The loosely coupled relationship between the authentication center and the subsystems makes the development of new subsystems convenient.

The SHM-SSO schema does rely on data synchronization. But since a standard data model has been set up and a universal data synchronization plug-in has been developed to be nested into each subsystem, data synchronization does not cause much inconvenience.

IV. SECURITY ANALYSIS OF THE SHM-SSO SCHEMA

The communication shown in Fig. 2 and Fig. 3 is secure for the following reasons. To begin with, the system integration center is separated from the subsystems, so SSL protection can be added to the whole domain of the system integration center. Besides, steps (2), (5), (6) in Fig. 2 and steps (2), (5), (6), (7), (8), (9), (11) in Fig. 3 use the chaotic encryption algorithm and a random number check [12]; these measures protect the messages against theft and tampering. Replay attacks are also prevented, for the following reasons.
(1) Each assertion has a set validity duration, which is often 30 minutes.
(2) The target system sets a random number in the user's session before the assertion request, and checks the random number in the user's session against the one in the assertion before accepting the assertion. In addition, it then removes the random number from the user's session. So a replayed assertion cannot work. For the same reason, the schema prevents man-in-the-middle attacks [13].

The data synchronization is also secure, because the communication is protected by chaotic encryption. Furthermore, the user password is encrypted separately and no decryption algorithm is given to the subsystems, so the password cannot be decrypted.

V. APPLICATION EXAMPLE

A financial system based on the SHM-SSO schema was put into use in a China national bank in September 2008; it serves users in about 20 provinces. The user logs in through the SSO Center, and the menus of the subsystems that he can access are then listed. In the process, the SSO Center kicks off the same user's logins in other places and other users' logins in the same browser. The SSO Center also has a single log-out function. Once the user clicks the log-out button, the SSO Center removes the user's session and cookie and notifies every subsystem that he accessed to log the user out. Moreover, even if the user forgets to click the log-out button, the SSO Center logs the user out when the following conditions are met: (1) the user has logged out of all subsystems that he accessed, or his session has timed out in all of them; (2) his session in the SSO Center has timed out. When the SSO Center has a breakdown, or a new subsystem is being developed, the subsystem administrator only needs to set the attribute SSO-function-enable to false, and the subsystem can then run independently. Furthermore, the user can still log in to the subsystem with his SSO Center credentials. The SHM-SSO schema implements centralized and unified management of identity, organization and user roles.
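The token-and-random-number exchange of Fig. 2 (steps (1), (2), (4), (6) and (7)) and the replay argument of Section IV can be made concrete with the following simulation. It is an added example, not code from the paper or from the bank's system: the authentication center's session token and the assertion are HMAC-SHA256-sealed JSON under keys assumed here (the paper uses a chaotic encryption algorithm [12] instead), the user store is constructed, the AC and the target system each keep their own session dictionary, and time is passed in explicitly so the 30-minute validity duration can be checked deterministically.

```python
"""Added simulation of the Fig. 2 token/assertion exchange and the
Section IV replay check. Not the paper's code: HMAC-sealed JSON stands in
for the chaotic encryption of [12]; keys and users are constructed."""
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

ASSERTION_TTL = 30 * 60   # the paper's typical assertion validity: 30 minutes


def hash_password(plain: str) -> str:
    return hashlib.sha256(plain.encode("utf-8")).hexdigest()


def seal(payload: dict, key: bytes) -> str:
    """Serialize and authenticate a message (assumed substitute for the chaotic cipher)."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode("utf-8")).decode("ascii")
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def unseal(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the authentication tag verifies."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class AuthenticationCenter:
    """Assumed AC: ac_key protects its own session token, shared_key the
    assertions it issues to target systems. users maps uid -> password hash."""

    def __init__(self, ac_key: bytes, shared_key: bytes, users: Dict[str, str]) -> None:
        self.ac_key, self.shared_key, self.users = ac_key, shared_key, users

    def login(self, ac_session: dict, uid: str, password: str, now: int) -> bool:
        # steps (1)-(2): verify credentials, store the sealed token in the AC session
        stored = self.users.get(uid)
        if stored is None or not hmac.compare_digest(stored, hash_password(password)):
            return False
        ac_session["sso_token"] = seal({"uid": uid, "issued": now}, self.ac_key)
        return True

    def assertion(self, ac_session: dict, nonce: str, now: int) -> Optional[str]:
        # step (6): validate the token, bind the assertion to the target's random number
        token = unseal(ac_session.get("sso_token", ""), self.ac_key)
        if token is None:
            return None
        return seal({"uid": token["uid"], "nonce": nonce,
                     "expires": now + ASSERTION_TTL}, self.shared_key)


class TargetSystem:
    """Assumed subsystem with the SSO component; holds its own user session."""

    def __init__(self, shared_key: bytes) -> None:
        self.shared_key = shared_key

    def begin(self, session: dict) -> str:
        # step (4): fresh random number kept in the session until an assertion arrives
        session["sso_nonce"] = os.urandom(16).hex()
        return session["sso_nonce"]

    def accept(self, session: dict, assertion: str, now: int) -> bool:
        # step (7): decode, check validity duration and random number, then consume it
        a = unseal(assertion, self.shared_key)
        if a is None or now > a["expires"]:
            return False
        nonce = session.get("sso_nonce")
        if nonce is None or not hmac.compare_digest(nonce, str(a["nonce"])):
            return False
        del session["sso_nonce"]          # a replayed assertion finds no nonce to match
        session["user"] = a["uid"]
        return True
```

The two checks in `accept` are the paper's two replay defenses: the `expires` field is the validity duration, and the one-shot nonce ties each assertion to exactly one pending request in the target system's session, so presenting the same assertion twice, or an assertion issued for a different request, is rejected even while it is still within its validity window.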
It has eliminated inconsistent data between systems, reduced administrative costs, simplified operation, improved productivity and security, and has good scalability and disaster recovery ability. These properties satisfy the customers.
VI. CONCLUSIONS

Application practice has shown that the proposed SHM-SSO schema has the advantages of agility, flexibility and resistance to AC failure. It implements centralized data management within each enterprise and privacy protection between enterprises. Furthermore, it can integrate both B/S architecture systems and C/S architecture systems. The data synchronization mechanism enables the SSO Center to make almost no intrusion into existing systems, and enables subsystems to keep working while the SSO Center fails, which shows good disaster recovery ability. Its excellent performance in the national bank in China also suggests potential future application of the schema in many big enterprises.

ACKNOWLEDGMENT

We thank Zhongguancun Haidian Science Park Postdoctoral Workstation for its support and grants.

REFERENCES

[1] A. Volchkov, "Revisiting single sign-on: a pragmatic approach in a new context," IT Professional, vol. 3, no. 1, pp.
[2] P. Harding, L. Johansson, and N. Klingenstein, "Dynamic security assertion markup language: Simplifying single sign-on," IEEE Security and Privacy, vol. 6, no. 2, pp.
[3] E. Vullings, J. Dalziel, and M. Buchhorn, "Secure federated authentication and authorisation to GRID portal applications using SAML and XACML," Journal of Research and Practice in Information Technology, vol. 39, no. 2, pp.
[4] H. Tschofenig, R. Falk, J. Peterson, J. Hodges, D. Sicker, and J. Polk, "Using SAML to protect the Session Initiation Protocol (SIP)," IEEE Network, vol. 20, no. 5, pp.
[5] G. Goth, "Identity management, access specs are rolling along," IEEE Internet Computing, vol. 9, no. 1, pp. 9-11.
[6] D. A. Buell and R. Sandhu, "Identity management," IEEE Internet Computing, vol. 7, no. 6, pp.
[7] V. Poursalidis and C. Nikolaou, "Towards a person-centric identity management infrastructure (IMI)," Computer Systems Science and Engineering, vol. 22, no. 5, pp.
[8] P. Birgit, "Privacy in enterprise identity federation - policies for Liberty 2 single sign on," Information Security Technical Report, vol. 9, no. 1, pp.
[9] T. David, "Biometrics and single sign-on," Biometric Technology Today, vol. 13, no. 8, pp. 8-9.
[10] S. Chu, D. N. Good, M. R. Mamajek, and D. J. Washington, "Web-based single sign-on solutions: an SSO product matrix," Computer Security Journal, vol. 16, no. 1, pp.
[11] D. Zheng, S. Tang, and S. Li, "Web Services single sign-on protocol and formal analysis on it," Journal of Circuits, Systems and Computers, vol. 14, no. 5, pp.
[12] H. Gao, Y. Zhang, S. Liang, and D. Li, "A new chaotic algorithm for image encryption," Chaos, Solitons and Fractals, vol. 29, no. 2, pp.
[13] P. Birgit and W. Michael, "Analysis of Liberty Single-Sign-on with Enabled Clients," IEEE Internet Computing, vol. 7, no. 6, pp.

Figure 1. Data Synchronization
Figure 2. SHM-SSO Schema Timing Chart
Figure 3. Enterprise Alliance SHM-SSO Schema Timing Chart
More informationOkta/Dropbox Active Directory Integration Guide
Okta/Dropbox Active Directory Integration Guide Okta Inc. 301 Brannan Street, 3rd Floor San Francisco CA, 94107 info@okta.com 1-888- 722-7871 1 Table of Contents 1 Okta Directory Integration Edition for
More informationFederated Identity Architectures
Federated Identity Architectures Uciel Fragoso-Rodriguez Instituto Tecnológico Autónomo de México, México {uciel@itam.mx} Maryline Laurent-Maknavicius CNRS Samovar UMR 5157, GET Institut National des Télécommunications,
More informationAgenda. How to configure
dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services
More informationConfiguring Single Sign-on from the VMware Identity Manager Service to ServiceNow
Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow VMware Identity Manager AUGUST 2015 V1 Configuring Single Sign-On from VMware Identity Manager to ServiceNow Table of Contents
More informationUsing SAML for Single Sign-On in the SOA Software Platform
Using SAML for Single Sign-On in the SOA Software Platform SOA Software Community Manager: Using SAML on the Platform 1 Policy Manager / Community Manager Using SAML for Single Sign-On in the SOA Software
More informationHow To Use Saml 2.0 Single Sign On With Qualysguard
QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,
More informationSingle Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites
Single Sign On (SSO) Implementation Manual For Connect 5 & MyConnect Sites Version 6 Release 5.7 September 2013 1 What is Blackboard Connect Single Sign On?... 3 How it Works... 3 Drawbacks to Using Single
More informationHow to Implement Enterprise SAML SSO
How to Implement Enterprise SSO THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY How to Implement Enterprise SSO Introduction Security Assertion Markup Language, or, provides numerous The advantages and
More informationSafewhere*Identify 3.4. Release Notes
Safewhere*Identify 3.4 Release Notes Safewhere*identify is a new kind of user identification and administration service providing for externalized and seamless authentication and authorization across organizations.
More informationSingle Sign-On Implementation Guide
Salesforce.com: Salesforce Winter '09 Single Sign-On Implementation Guide Copyright 2000-2008 salesforce.com, inc. All rights reserved. Salesforce.com and the no software logo are registered trademarks,
More informationMicrosoft Office 365 Using SAML Integration Guide
Microsoft Office 365 Using SAML Integration Guide Revision A Copyright 2013 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and accurate.
More informationCryptoNET: Security Management Protocols
CryptoNET: Security Management Protocols ABDUL GHAFOOR ABBASI, SEAD MUFTIC CoS, School of Information and Communication Technology Royal Institute of Technology Borgarfjordsgatan 15, SE-164 40, Kista,
More informationUser Guide. The AMF's File Transfer Service (FTS)
User Guide The AMF's File Transfer Service (FTS) TABLE OF CONTENTS 1 INTENDED USERS... 3 2 SCOPE OF GUIDE... 3 3 BACKGROUND... 3 4 REQUIRED CONFIGURATION... 3 5 CONTACT INFORMATION FOR SUPPORT... 4 6 SECURITY...
More informationFlexible Identity Federation
Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
More informationImplementation Guide SAP NetWeaver Identity Management Identity Provider
Implementation Guide SAP NetWeaver Identity Management Identity Provider Target Audience Technology Consultants System Administrators PUBLIC Document version: 1.10 2011-07-18 Document History CAUTION Before
More informationJVA-122. Secure Java Web Development
JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard
More informationELM Manages Identities of 4 Million Government Program Users with. Identity Server
ELM Manages Identities of 4 Million Government Program Users with Identity Server ELM Implements Single Sign-on With WSO2 Identity Server to Streamline Administration, Improve Productivity, and Reduce
More informationSTUDY ON IMPROVING WEB SECURITY USING SAML TOKEN
STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN 1 Venkadesh.M M.tech, Dr.A.Chandra Sekar M.E., Ph.d MISTE 2 1 ResearchScholar, Bharath University, Chennai 73, India. venkadeshkumaresan@yahoo.co.in 2 Professor-CSC
More informationIdentity Management im Liberty Alliance Project
Rheinisch-Westfälische Technische Hochschule Aachen Lehrstuhl für Informatik IV Prof. Dr. rer. nat. Otto Spaniol Identity Management im Liberty Alliance Project Seminar: Datenkommunikation und verteilte
More informationCloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper
Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper TABLE OF CONTENTS INTRODUCTION... 3 Where we came from... 3 The User s Dilemma with the Cloud... 4 The Administrator
More informationPassword Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos
Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website:
More informationDeploying RSA ClearTrust with the FirePass controller
Deployment Guide Deploying RSA ClearTrust with the FirePass Controller Deploying RSA ClearTrust with the FirePass controller Welcome to the FirePass RSA ClearTrust Deployment Guide. This guide shows you
More informationSalesforce1 Mobile Security Guide
Salesforce1 Mobile Security Guide Version 1, 1 @salesforcedocs Last updated: December 8, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationWhite paper December 2008. Addressing single sign-on inside, outside, and between organizations
White paper December 2008 Addressing single sign-on inside, outside, and between organizations Page 2 Contents 2 Overview 4 IBM Tivoli Unified Single Sign-On: Comprehensively addressing SSO 5 IBM Tivoli
More informationAmeritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines
Ameritas Single Sign-On (SSO) and Enterprise SAML Standard Architectural Implementation, Patterns and Usage Guidelines 1 Background and Overview... 3 Scope... 3 Glossary of Terms... 4 Architecture Components...
More informationMAXIMUM DATA SECURITY with ideals TM Virtual Data Room
MAXIMUM DATA SECURITY with ideals TM Virtual Data Room WWW.IDEALSCORP.COM ISO 27001 Certified Account Settings and Controls Administrators control users settings and can easily configure privileges for
More informationCybersecurity and Secure Authentication with SAP Single Sign-On
Solution in Detail SAP NetWeaver SAP Single Sign-On Cybersecurity and Secure Authentication with SAP Single Sign-On Table of Contents 3 Quick Facts 4 Remember One Password Only 6 Log In Once to Handle
More informationSamsung KNOX EMM Authentication Services. SDK Quick Start Guide
Samsung KNOX EMM Authentication Services SDK Quick Start Guide June 2014 Legal notice This document and the software described in this document are furnished under and are subject to the terms of a license
More informationCentrify Mobile Authentication Services
Centrify Mobile Authentication Services SDK Quick Start Guide 7 November 2013 Centrify Corporation Legal notice This document and the software described in this document are furnished under and are subject
More informationCloud Computing. Chapter 5 Identity as a Service (IDaaS)
Cloud Computing Chapter 5 Identity as a Service (IDaaS) Learning Objectives Describe challenges related to ID management. Describe and discuss single sign-on (SSO) capabilities. List the advantages of
More informationWebLogic Server 7.0 Single Sign-On: An Overview
WebLogic Server 7.0 Single Sign-On: An Overview Today, a growing number of applications are being made available over the Web. These applications are typically comprised of different components, each of
More informationA Federated Authorization and Authentication Infrastructure for Unified Single Sign On
A Federated Authorization and Authentication Infrastructure for Unified Single Sign On Sascha Neinert Computing Centre University of Stuttgart Allmandring 30a 70550 Stuttgart sascha.neinert@rus.uni-stuttgart.de
More informationINTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE
INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE Legal Marks No portion of this document may be reproduced or copied in any form, or by
More informationBiometric Single Sign-on using SAML
Biometric Single Sign-on using SAML Architecture & Design Strategies Ramesh Nagappan CISSP Ramesh.Nagappan@sun.com 1 Setting Expectations What you can take away! Understand the importance of Single Sign-On
More informationAPI-Security Gateway Dirk Krafzig
API-Security Gateway Dirk Krafzig Intro Digital transformation accelerates application integration needs Dramatically increasing number of integration points Speed Security Industrial robustness Increasing
More informationnexus Hybrid Access Gateway
Product Sheet nexus Hybrid Access Gateway nexus Hybrid Access Gateway nexus Hybrid Access Gateway uses the inherent simplicity of virtual appliances to create matchless security, even beyond the boundaries
More informationBiometric Single Sign-on using SAML Architecture & Design Strategies
Biometric Single Sign-on using SAML Architecture & Design Strategies Ramesh Nagappan Java Technology Architect Sun Microsystems Ramesh.Nagappan@sun.com 1 Setting Expectations What you can take away! Understand
More informationCloud-based Identity and Access Control for Diagnostic Imaging Systems
Cloud-based Identity and Access Control for Diagnostic Imaging Systems Weina Ma and Kamran Sartipi Department of Electrical, Computer and Software Engineering University of Ontario Institute of Technology
More informationThree attacks in SSL protocol and their solutions
Three attacks in SSL protocol and their solutions Hong lei Zhang Department of Computer Science The University of Auckland zhon003@ec.auckland.ac.nz Abstract Secure Socket Layer (SSL) and Transport Layer
More informationFederated Identity and Single-Sign On
CS 6393 Lecture 5 Federated Identity and Single-Sign On Prof. Ravi Sandhu Executive Director and Endowed Chair February 15, 2013 ravi.sandhu@utsa.edu www.profsandhu.com Ravi Sandhu 1 The Web Today User
More informationWeb Applications Access Control Single Sign On
Web Applications Access Control Single Sign On Anitha Chepuru, Assocaite Professor IT Dept, G.Narayanamma Institute of Technology and Science (for women), Shaikpet, Hyderabad - 500008, Andhra Pradesh,
More informationDigital Identity Management
Digital Identity Management Roohul Halim Syed Atif Shaharyar Email: {rooha433, syesh740}@student.liu.se Supervisor: Anna Vapen, {annva@ida.liu.se} Project Report for Information Security Course Linköpings
More informationEntrust Secure Web Portal Solution. Livio Merlo Security Consultant September 25th, 2003
Entrust Secure Web Portal Solution Livio Merlo Security Consultant September 25th, 2003 1 Entrust Secure Web Portal Solution Only the Entrust Secure Web Portal solution provides Security Services coupled
More informationUsing Foundstone CookieDigger to Analyze Web Session Management
Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.
More informationLecture Notes for Advanced Web Security 2015
Lecture Notes for Advanced Web Security 2015 Part 6 Web Based Single Sign-On and Access Control Martin Hell 1 Introduction Letting users use information from one website on another website can in many
More informationDashlane Security Whitepaper
Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.
More informationAn Identity Management Survey. on Cloud Computing
Int. Journal of Computing and Optimization, Vol. 1, 2014, no. 2, 63-71 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijco.2014.458 An Identity Management Survey on Cloud Computing Ardi BENUSI
More informationCentrify Mobile Authentication Services for Samsung KNOX
Centrify Mobile Authentication Services for Samsung KNOX SDK Quick Start Guide 3 October 2013 Centrify Corporation Legal notice This document and the software described in this document are furnished under
More informationSingle Sign-On Scheme using XML for Multimedia Device Control in Children s Game Network based on OSGi service Platform
Single Sign-On Scheme using XML for Multimedia Device Control in Children s Game Network based on OSGi service Platform Dongkyoo Shin and Dongil Shin Department of Computer Engineering, Sejong University
More informationAn Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance
An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security
More informationClientless SSL VPN Users
Manage Passwords, page 1 Username and Password Requirements, page 3 Communicate Security Tips, page 3 Configure Remote Systems to Use Clientless SSL VPN Features, page 3 Manage Passwords Optionally, you
More informationCA SiteMinder SSO Agents for ERP Systems
PRODUCT SHEET: CA SITEMINDER SSO AGENTS FOR ERP SYSTEMS CA SiteMinder SSO Agents for ERP Systems CA SiteMinder SSO Agents for ERP Systems help organizations minimize sign-on requirements and increase security
More information