Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011
|
|
- Luke Johnson
- 8 years ago
- Views:
Transcription
1 Identity Management with Spring Security Dave Syer, VMware, SpringOne 2011
2 Overview What is Identity Management? Is it anything to do with Security? Some existing and emerging standards Relevant features of Spring Security and other Spring projects Common use cases Demo of prototype IDM system
3 Agenda Core domain: Authentication, identity, trust, delegation, claim, authorization SSO Identity Management Standards: SAML OpenID OAuth, OAuth2 OpenID Connect SCIM JWT Spring Security and other projects Use cases (Google, Facebook, CloudFoundry) and demos IDM as a Service
4 Demo Code $ git clone git://gist.github.com/ git
5 Authentication You say you are Fred Bloggs? Can you prove it? Human-human interactions Official document (passport, driving licence, etc.) We actually call it ID Letter of introduction Word of mouth, friend of a friend Machine-human interactions Something you know, hopefully unguessable, maybe random, e.g. username/password Something you have, e.g. one Time Password (OTP) from RSA hard/soft token Multifactor authentication Machine-machine interactions
6 Typical System Architecture APP I'm Fred, show me my photos User DB User details store
7 Fred Accesses his Photos
8 Two Apps, No Shared Authentication APP1 I'm Fred, show me my photos User I'm Fred, can I buy a book? APP2 DB User details store DB
9 Two Apps, Shared User Details APP1 I'm Fred, show me my photos User I'm Fred, can I buy a book? APP2 DB User details store
10 Two Apps, Single Sign On APP1 I'm Fred, show me my photos User I'm Fred, can I buy a book? SSO APP2 DB User details store
11 Single Sign On: Example Flow All Apps are the same Explicit authentication required on first visit Avoidable subsequently if App can store token but then with multiple apps you have distributed state This is unavoidable
12 Two Apps, Single Sign On with Separate Authentication APP1 I'm Fred, show me my photos User AUTH I'm Fred, can I buy a book? SSO APP2 DB User details store
13 SSO With Spring Security Good support for CAS Many custom implementations for commercial products like SiteMinder Field is fragmented OpenID...
14 Trust You say you are Fred Bloggs? Can you prove it? Oh, I remember, Martha said you're alright. Come in... I trust Martha, USDOT, UKPA, etc, to verify Fred's identity Why? Because I know them, and they say they know Fred.
15 Consumer Trusts Provider Consumer, Relying Party APP I'm Fred, show me my photos User IDP Provider DB User details store
16 Simplified User-App-IDP Interaction
17 So What did we Gain with an Identity Provider? App no longer has to do authentication or keep record of secure information about users User only has to type secrets into a known trusted site (e.g. Google) Separation of concerns Abstraction always comes at a cost Increased complexity more to understand, more to maintain, more to go wrong Complexity and Security are uneasy bedfellows Hence there are standards that cover this interaction
18 Complexity: Schematic Actual Conversation
19 Complexity: HTTP Protocol Actual Conversation
20 Compare: Native Authentication
21 OpenID Relying Party APP I'm Fred, show me my photos User OpenID Provider DB User details store
22 OpenID Protocol for attribute exchange Sits on top of HTTP(S) Form plus JSONish on back channel (attribute fetch) Form data and redirects on front channel Does not specify authentication (up to the Provider) Does not require pre-registration of Relying Parties (Apps) Implemented in various languages, e.g. Java->OpenID4J (Google code) Support in Spring Security for Relying Party
23 Spring Security OpenID RP <http xmlns=" <openid-login login-page="/openid" user-service-ref="registeringuserservice" authentication-failure-url="/login_error.jsp"> <attribute-exchange identifier-match=".*"> <openid-attribute name=" " Type=" required="true" /> <openid-attribute name="fullname" type=" required="true" /> </attribute-exchange> </openid-login> </http>
24 SSO with OpenID Relying Party APP1 I'm Fred, show me my photos User I'm Fred, can I buy a book? APP2 OpenID DB User details store Provider
25 SSO with OpenID No user input required here if IDP is stateful
26 Delegation and Client Authorization So Fred told you to come and pick up his order? You say you're Martha? Show me some ID. And what about some documentation about the order? Resource Owner Client (e.g. a service provider) Scope of responsibility
27 Delegation and Client Authorization An App needs to access Fred's resources on his behalf Resources live in a protected Resource Server (API) Fred is the Resource Owner: he can read and write his resources if he logs into the API himself But App is the Client of the API service not Fred, and Fred doesn't want to grant App write access Resource Server can grant App access to a restricted Scope of activity Fred authorizes the App to read his Resources App gets an Access Token that enables it to act on behalf of Fred Where does it get the token from? An Authorization Server
28 Delegation Client APP I'm Fred, show me my photos Resource Owner Token API Resource Server Token Services AUTH Authorization Server
29 Example Token Services using Shared Storage Client APP I'm Fred, show me my photos Resource Owner Token API Resource Server DB AUTH Authorization Server Token Store
30 Delegation Standards SAML 1.0, 2.0 XML back channel Need key exchange cryptography Spring Security SAML, Service Provider = Resource Server only OAuth 1.0a plain text back channel Nonce and request token cryptography Spring Security OAuth (consumer and provider) OAuth 2 JSON (plus optional custom formats) no back channel in spec (but need token services in practice) clear text (need SSL), plus extensions Spring Security OAuth (consumer and provider)
31 OAuth2 Client /app GET /api/photos Authorization: Bearer FDSHGK78JH356G Resource Server /api authenticated: 200 OK... unauthenticated: 401 Unauthorized WWW-Authenticate: Bearer realm= /auth
32 OAuth2 Acquiring an Access Token Grant Types Password Authorization Code Refresh Token Implicit Client Credentials Others allowed as extensions, e.g. SAML assertion
33 OAuth2 Grant Type: Password Resource Server /api GET /auth/token?response_type=password&username=...&... Authorization: Basic asdsdfggghf= Authorization Server /auth Token Endpoint Client credentials 200 OK { access_token : JAHDGFJH78IOUY, token_type : bearer, expires_in : 3600 }
34 OAuth2: Grant Type Password
35 OAuth2 Grant Type: Authorization Code Client /app GET /auth/authorize?response_type=authorization_code&... Authorization: Basic asdsdfggghf= Authorization Server /auth Authorization Endpoint 302 Found Location: /app/photos?code=dfjhg
36 OAuth2 Grant Type: Authorization Code Resource Server /api GET /auth/token?grant_type=authorization_code&code=...&... Authorization: Basic asdsdfggghf= Authorization Server /auth Token Endpoint 200 OK { access_token : JAHDGFJH78IOUY, token_type : bearer, expires_in : 3600 }
37 OAuth2 Grant Type: Authorization Code????
38 OAuth2 Grant Type: Authorization Code, Explicit Authorization???? The spec doesn't say how this happens, just that it does, e.g:
39 OAuth2: More Detail and Options Grant type Password native apps, fixed authentication Authorization Code webapps with browser redirects Refresh Token optional for tokens issued with Auth Code Implicit script clients in webapps, native apps Client Credentials service peers Other, e.g. SAML Token type Bearer Other, e.g. MAC Scope Arbitrary string. Signifies something to Resource Server about which resources are available. C.f. audience in SAML. State
40 Spring Security OAuth: Resource Server /api <sec:http...>... <sec:custom-filter ref="oauth2servicefilter" before="exception_translation_filter" /> </sec:http> <oauth:provider id="oauth2servicefilter" token-services-ref="tokenservices"> <oauth:resource-server resource-id="api" /> </oauth:provider>
41 Spring Security OAuth: Authorization Server /auth <sec:http>... <sec:custom-filter ref="oauth2servicefilter" after="exception_translation_filter" /> </sec:http> <oauth:provider id="oauth2servicefilter" token-services-ref="tokenservices"> <oauth:authorization-server client-details-service-ref="clientdetails"> <oauth:authorization-code /> <oauth:implicit /> <oauth:refresh-token /> <oauth:client-credentials /> <oauth:password /> </oauth:authorization-server> </oauth:provider> <oauth:client-details-service id="clientdetails"> <oauth:client clientid="app" authorizedgranttypes="password,authorization_code,refresh_token" scope="read_photos" authorities="role_guest" /> </oauth:client-details-service>
42 Spring Security OAuth: Client /app <sec:http>... <sec:custom-filter ref="oauth2clientfilter" after="exception_translation_filter"/> </sec:http> <oauth:client id="oauth2clientfilter" token-services-ref="oauth2tokenservices" /> <bean class="apiresttemplate" class="org...oauth2.client.oauth2resttemplate"> <constructor-arg ref="api" /> </bean> <oauth:resource id="api" type="authorization_code" clientid="app" accesstokenuri="${accesstokenuri}" userauthorizationuri="${userauthorizationuri}" scope="read_photos" /> N.B. Spring Social has client support as well (similar approach, convergence will come later)
43 OpenID Connect Similar to OpenID in the role that it plays, but not in any other way related Uses OAuth2 as a protocol for attribute exchange Google, Salesforce, etc. behind spec OAuth2 endpoints: /authorize /token OpenID endpoints are OAuth2 protected resources: /userinfo /check_id Clients obtain access token with scope=openid OAuth /token endpoint includes id token in response as well as access token Responses in JSON or JWT (=encrypted JSON) Not implemented in Spring project (yet), SECOAUTH or SEC
44 OpenID Connect: Token Acquisition Resource Server /api GET /auth/token?grant_type=authorization_code&code=...&... Authorization: Basic asdsdfggghf= Authorization Server /auth Token Endpoint 200 OK { access_token : JAHDGFJH78IOUY, token_type : bearer, expires_in : 3600, scope : openid, id_token : LKJADSFKHJG8723E }
45 OpenID Connect: User Info Resource Server /api GET /auth/userinfo Authorization: Bearer JAHDGFJH78IOUY Authorization Server /auth User Info Endpoint 200 OK { user_id : dsyer, name : Dave Syer, dsyer@vmware.com,... }
46 SCIM Simple Cloud Identity Management Plain test / JSON standard for provisioning identity systems Standard endpoints /Users query user accounts /User CRUD operations on users /Groups CRUD operations on groups An OAuth2 authorization service might implement SCIM Not implemented (yet) in Spring
47 Spring Security: Project Organization Luke Taylor (VMW), Robert Winch Ryan Heaton, Dave Syer (VMW), Spring Security OAuth Spring Security Core just released Stable, mature Web LDAP OpenID... Spring Extensions: Security OAuth1a OAuth2 Oauth2 spec not yet final External lead M5 release in pipeline Keith Donald (VMW), Craig Walls (VMW) Spring Social just released Consumer for wellknown providers Vladimir Schaefer, Mike Wiesner (VMW) SAML Kerberos not yet released Partly external, low-activity
48 CloudFoundry IDM Client Admin Console I'm Fred, show me my apps Resource Owner Token CloudController Resource Server Access Decision Collab Spaces Token Services UAA Authorization Server: OAuth2, OpenID Connect, SCIM
49 CloudFoundry IDM Client VMC I'm Fred, show me my apps Resource Owner Token CloudController Resource Server Access Decision Collab Spaces Token Services UAA Authorization Server: OAuth2, OpenID Connect, SCIM
50 Links SECOAUTH: OpenId4J: OpenID Connect: OAuth2: SCIM: SES (SAML and Kerberos): Demos:
51 Overview What is Identity Management? Is it anything to do with Security? Some existing and emerging standards Relevant features of Spring Security and other Spring projects Common use cases Demo of prototype IDM system
A Standards-based Mobile Application IdM Architecture
A Standards-based Mobile Application IdM Architecture Abstract Mobile clients are an increasingly important channel for consumers accessing Web 2.0 and enterprise employees accessing on-premise and cloud-hosted
More informationOAuth 2.0 Developers Guide. Ping Identity, Inc. 1001 17th Street, Suite 100, Denver, CO 80202 303.468.2900
OAuth 2.0 Developers Guide Ping Identity, Inc. 1001 17th Street, Suite 100, Denver, CO 80202 303.468.2900 Table of Contents Contents TABLE OF CONTENTS... 2 ABOUT THIS DOCUMENT... 3 GETTING STARTED... 4
More informationAxway API Gateway. Version 7.4.1
O A U T H U S E R G U I D E Axway API Gateway Version 7.4.1 3 February 2016 Copyright 2016 Axway All rights reserved. This documentation describes the following Axway software: Axway API Gateway 7.4.1
More informationCopyright Pivotal Software Inc, 2013-2015 1 of 10
Table of Contents Table of Contents Getting Started with Pivotal Single Sign-On Adding Users to a Single Sign-On Service Plan Administering Pivotal Single Sign-On Choosing an Application Type 1 2 5 7 10
More informationOracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 (11.1.2.4.0)
Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 (11.1.2.4.0) July 2015 Oracle API Gateway OAuth User Guide, 11g Release 2 (11.1.2.4.0) Copyright 1999, 2015, Oracle and/or its
More informationDell One Identity Cloud Access Manager 8.0.1 - How to Develop OpenID Connect Apps
Dell One Identity Cloud Access Manager 8.0.1 - How to Develop OpenID Connect Apps May 2015 This guide includes: What is OAuth v2.0? What is OpenID Connect? Example: Providing OpenID Connect SSO to a Salesforce.com
More informationOAuth 2.0. Weina Ma Weina.Ma@uoit.ca
OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth protocol workflow Server-side web application flow Client-side web application flow What s the problem As the web grows, more
More informationMIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation
MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation Approved for Public Release Distribution Unlimited 13-1871 2013 The MITRE Corporation All Rights Reserved } OpenID Connect and OAuth2 protocol
More informationOpenID Connect 1.0 for Enterprise
OpenID Connect 1.0 for Enterprise By Paul Madsen Executive Overview In order to meet the challenges presented by the use of mobile apps and cloud services in the enterprise, a new generation of identity
More informationBuilding Secure Applications. James Tedrick
Building Secure Applications James Tedrick What We re Covering Today: Accessing ArcGIS Resources ArcGIS Web App Topics covered: Using Token endpoints Using OAuth/SAML User login App login Portal ArcGIS
More informationACR Connect Authentication Service Developers Guide
ACR Connect Authentication Service Developers Guide Revision History Date Revised by Version Description 29/01/2015 Sergei Rusinov 1.0 Authentication using NRDR account Background The document describes
More informationOpenLogin: PTA, SAML, and OAuth/OpenID
OpenLogin: PTA, SAML, and OAuth/OpenID Ernie Turner Chris Fellows RightNow Technologies, Inc. Why should you care about these features? Why should you care about these features? Because users hate creating
More informationOnegini Token server / Web API Platform
Onegini Token server / Web API Platform Companies and users interact securely by sharing data between different applications The Onegini Token server is a complete solution for managing your customer s
More informationThe increasing popularity of mobile devices is rapidly changing how and where we
Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to
More informationLecture Notes for Advanced Web Security 2015
Lecture Notes for Advanced Web Security 2015 Part 6 Web Based Single Sign-On and Access Control Martin Hell 1 Introduction Letting users use information from one website on another website can in many
More informationPRACTICAL IDENTITY AND ACCESS MANAGEMENT FOR CLOUD - A PRIMER ON THREE COMMON ADOPTION PATTERNS FOR CLOUD SECURITY
PRACTICAL IDENTITY AND ACCESS MANAGEMENT FOR CLOUD - A PRIMER ON THREE COMMON ADOPTION PATTERNS FOR CLOUD SECURITY Shane Weeden IBM Session ID: CLD-W01 Session Classification: Advanced Agenda Cloud security
More informationFlexible Identity Federation
Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
More informationSAML and OAUTH comparison
SAML and OAUTH comparison DevConf 2014, Brno JBoss by Red Hat Peter Škopek, pskopek@redhat.com, twitter: @pskopek Feb 7, 2014 Abstract SAML and OAuth are one of the most used protocols/standards for single
More informationSingle Sign On. SSO & ID Management for Web and Mobile Applications
Single Sign On and ID Management Single Sign On SSO & ID Management for Web and Mobile Applications Presenter: Manish Harsh Program Manager for Developer Marketing Platforms of NVIDIA (Visual Computing
More informationCopyright: WhosOnLocation Limited
How SSO Works in WhosOnLocation About Single Sign-on By default, your administrators and users are authenticated and logged in using WhosOnLocation s user authentication. You can however bypass this and
More informationIdentity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect
Identity Federation: Bridging the Identity Gap Michael Koyfman, Senior Global Security Solutions Architect The Need for Federation 5 key patterns that drive Federation evolution - Mary E. Ruddy, Gartner
More informationOpenID connect @ Deutsche telekom. Dr. Torsten Lodderstedt, Deutsche Telekom AG
OpenID connect @ Deutsche telekom Dr. Torsten Lodderstedt, Deutsche Telekom AG service ecosystem and Telekom Login Dr. Torsten Lodderstedt / OpenID Workshop @ IIW #18 2014-05-05 2 Open Standards: Our History
More informationOpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Boyd @ryguyrg Dave Primmer May 2010
OpenID Single Sign On and OAuth Data Access for Google Apps Ryan Boyd @ryguyrg Dave Primmer May 2010 Why? View live notes and questions about this session on Google Wave: http://bit.ly/magicwave Agenda
More informationGlobus Auth. Steve Tuecke. The University of Chicago
Globus Auth Enabling an extensible, integrated ecosystem of services and applications for the research and education community. Steve Tuecke The University of Chicago Cloud has transformed how platforms
More informationFlexible Identity Federation
Flexible Identity Federation Administration guide version 1.0.1 Publication history Date Description Revision 2015.09.24 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
More informationMobile Security. Policies, Standards, Frameworks, Guidelines
Mobile Security Policies, Standards, Frameworks, Guidelines Guidelines for Managing and Securing Mobile Devices in the Enterprise (SP 800-124 Rev. 1) http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf
More informationHow To Use Salesforce Identity Features
Identity Implementation Guide Version 35.0, Winter 16 @salesforcedocs Last updated: October 27, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of
More informationFrom the Intranet to Mobile. By Divya Mehra and Stian Thorgersen
ENTERPRISE SECURITY WITH KEYCLOAK From the Intranet to Mobile By Divya Mehra and Stian Thorgersen PROJECT TIMELINE AGENDA THE OLD WAY Securing monolithic web app relatively easy Username and password
More informationIBM WebSphere Application Server
IBM WebSphere Application Server OAuth 2.0 service provider and TAI 2012 IBM Corporation This presentation describes support for OAuth 2.0 included in IBM WebSphere Application Server V7.0.0.25. WASV70025_OAuth20.ppt
More informationTrustedX: eidas Platform
TrustedX: eidas Platform Identification, authentication and electronic signature platform for Web environments. Guarantees identity via adaptive authentication and the recognition of either corporate,
More informationComputer Systems Security 2013/2014. Single Sign-On. Bruno Maia ei09095@fe.up.pt. Pedro Borges ei09063@fe.up.pt
Computer Systems Security 2013/2014 Single Sign-On Bruno Maia ei09095@fe.up.pt Pedro Borges ei09063@fe.up.pt December 13, 2013 Contents 1 Introduction 2 2 Explanation of SSO systems 2 2.1 OpenID.................................
More informationFederation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough
Agenda Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough Enter OAuth 2.0 Defines authorization & authentication framework for RESTful APIs An open
More informationHow To Use Kiteworks On A Microsoft Webmail Account On A Pc Or Macbook Or Ipad (For A Webmail Password) On A Webcomposer (For An Ipad) On An Ipa Or Ipa (For
GETTING STARTED WITH KITEWORKS DEVELOPER GUIDE Version 1.0 Version 1.0 Copyright 2014 Accellion, Inc. All rights reserved. These products, documents, and materials are protected by copyright law and distributed
More informationThis chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:
CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access
More informationOAuth 2.0: Theory and Practice. Daniel Correia Pedro Félix
OAuth 2.0: Theory and Practice Daniel Correia Pedro Félix 1 whoami Daniel Correia Fast learner Junior Software Engineer Passionate about everything Web-related Currently working with the SAPO SDB team
More informationWeb 2.0 Lecture 9: OAuth and OpenID
Web 2.0 Lecture 9: OAuth and OpenID doc. Ing. Tomáš Vitvar, Ph.D. tomas@vitvar.com @TomasVitvar http://www.vitvar.com Leopold-Franzens Universität Innsbruck and Czech Technical University in Prague Faculty
More informationAgenda. How to configure
dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services
More informationLogin with Amazon. Developer Guide for Websites
Login with Amazon Developer Guide for Websites Copyright 2014 Amazon Services, LLC or its affiliates. All rights reserved. Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.
More informationThe Password Problem Will Only Get Worse
The Password Problem Will Only Get Worse New technology for proving who we are Isaac Potoczny-Jones Galois & SEQRD ijones@seqrd.com @SyntaxPolice Goals & Talk outline Update the group on authentication
More informationTraitware Authentication Service Integration Document
Traitware Authentication Service Integration Document February 2015 V1.1 Secure and simplify your digital life. Integrating Traitware Authentication This document covers the steps to integrate Traitware
More informationIdentity Implementation Guide
Identity Implementation Guide Version 37.0, Summer 16 @salesforcedocs Last updated: May 26, 2016 Copyright 2000 2016 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationThe Role of Identity Enabled Web Services in Cloud Computing
The Role of Identity Enabled Web Services in Cloud Computing April 20, 2009 Patrick Harding CTO Agenda Web Services and the Cloud Identity Enabled Web Services Some Use Cases and Case Studies Questions
More informationKeeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph
Keeping access control while moving to the cloud Presented by Zdenek Nejedly Computing & Communications Services University of Guelph 1 Keeping access control while moving to the cloud Presented by Zdenek
More information2015-11-30. Web Based Single Sign-On and Access Control
0--0 Web Based Single Sign-On and Access Control Different username and password for each website Typically, passwords will be reused will be weak will be written down Many websites to attack when looking
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,
More informationSecurity and ArcGIS Web Development. Heather Gonzago and Jeremy Bartley
Security and ArcGIS Web Development Heather Gonzago and Jeremy Bartley Agenda Types of apps Traditional token-based authentication OAuth2 authentication User login authentication Application authentication
More informationNew Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation
New Single Sign-on Options for IBM Lotus Notes & Domino 2012 IBM Corporation IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole
More informationMid-Project Report August 14 th, 2012. Nils Dussart 0961540
Mid-Project Report August 14 th, 2012 Nils Dussart 0961540 CONTENTS Project Proposal... 3 Project title... 3 Faculty Advisor... 3 Project Scope and Individual Student Learning Goals... 3 Proposed Product
More informationTrustedX - PKI Authentication. Whitepaper
TrustedX - PKI Authentication Whitepaper CONTENTS Introduction... 3 1... 4 Use Scenarios... 5 Operation... 5 Architecture and Integration... 6 SAML and OAuth 7 RESTful Web Services 8 Monitoring and Auditing...
More informationAAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle lukas.haemmerle@switch.ch
AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes Lukas Hämmerle lukas.haemmerle@switch.ch Berne, 13. August 2014 Introduction App by University of St. Gallen Universities
More informationFinal Project Report December 9, 2012. Cloud-based Authentication with Native Client Server Applications. Nils Dussart 0961540
Final Project Report December 9, 2012 Cloud-based Authentication with Native Client Server Applications. Nils Dussart 0961540 CONTENTS Project Proposal... 4 Project title... 4 Faculty Advisor... 4 Introduction...
More informationPingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0
Windows Live Cloud Identity Connector Version 1.0 User Guide 2011 Ping Identity Corporation. All rights reserved. Windows Live Cloud Identity Connector User Guide Version 1.0 April, 2011 Ping Identity
More informationSecuring RESTful Web Services Using Spring and OAuth 2.0
Securing RESTful Web Services Using Spring and OAuth 2.0 1.0 EXECUTIVE SUMMARY While the market is hugely 1 accepting REST based architectures due to their light weight nature, there is a strong need to
More informationOkta/Dropbox Active Directory Integration Guide
Okta/Dropbox Active Directory Integration Guide Okta Inc. 301 Brannan Street, 3rd Floor San Francisco CA, 94107 info@okta.com 1-888- 722-7871 1 Table of Contents 1 Okta Directory Integration Edition for
More informationContents. 2 Alfresco API Version 1.0
The Alfresco API Contents The Alfresco API... 3 How does an application do work on behalf of a user?... 4 Registering your application... 4 Authorization... 4 Refreshing an access token...7 Alfresco CMIS
More informationEXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES
pingidentity.com EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES Best practices for identity federation in AWS Table of Contents Executive Overview 3 Introduction: Identity and Access Management in Amazon
More informationOPENIAM ACCESS MANAGER. Web Access Management made Easy
OPENIAM ACCESS MANAGER Web Access Management made Easy TABLE OF CONTENTS Introduction... 3 OpenIAM Access Manager Overview... 4 Access Gateway... 4 Authentication... 5 Authorization... 5 Role Based Access
More informationSecuring WebFOCUS A Primer. Bob Hoffman Information Builders
Securing WebFOCUS A Primer Bob Hoffman Information Builders 1 Agenda Gain an understanding of the WebFOCUS Architecture Where can security be implemented? Review the internal WebFOCUS repository and resource
More informationTransport Layer Security Protocols
SSL/TLS 1 Transport Layer Security Protocols Secure Socket Layer (SSL) Originally designed to by Netscape to secure HTTP Version 2 is being replaced by version 3 Subsequently became Internet Standard known
More informationYour Mission: Use F-Response Cloud Connector to access Google Apps for Business Drive Cloud Storage
Your Mission: Use F-Response Cloud Connector to access Google Apps for Business Drive Cloud Storage Note: This guide assumes you have installed F-Response Consultant, Consultant + Covert, or Enterprise,
More informationEgnyte Single Sign-On (SSO) Installation for OneLogin
Egnyte Single Sign-On (SSO) Installation for OneLogin To set up Egnyte so employees can log in using SSO, follow the steps below to configure OneLogin and Egnyte to work with each other. 1. Set up OneLogin
More informationBrian Spector CEO, CertiVox. CloudAuthZ
Brian Spector CEO, CertiVox CloudAuthZ Removes username and password databases Two-Factor Authentication No single point of failure Simplified and improved UX Pricing that scales for the cloud What is
More informationSecurity As A Service Leveraged by Apache Projects. Oliver Wulff, Talend
Security As A Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security Landscape 2 Solution Building blocks Apache CXF Fediz Single Sign On (WS-Federation) Attribute Based Access
More informationIdentity. Provide. ...to Office 365 & Beyond
Provide Identity...to Office 365 & Beyond Sponsored by shops around the world are increasingly turning to Office 365 Microsoft s cloud-based offering for email, instant messaging, and collaboration. A
More informationSalesforce1 Mobile Security Guide
Salesforce1 Mobile Security Guide Version 1, 1 @salesforcedocs Last updated: December 8, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationEnterprise Access Control Patterns For REST and Web APIs
Enterprise Access Control Patterns For REST and Web APIs Francois Lascelles Layer 7 Technologies Session ID: STAR-402 Session Classification: intermediate Today s enterprise API drivers IAAS/PAAS distributed
More informationFairsail REST API: Guide for Developers
Fairsail REST API: Guide for Developers Version 1.02 FS-API-REST-PG-201509--R001.02 Fairsail 2015. All rights reserved. This document contains information proprietary to Fairsail and may not be reproduced,
More informationFederated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.
PingFederate We went with PingFederate because it s based on standards like SAML, which are important for a secure implementation. John Davidson Senior Product Manager, Opower PingFederate is the leading
More informationUSING FEDERATED AUTHENTICATION WITH M-FILES
M-FILES CORPORATION USING FEDERATED AUTHENTICATION WITH M-FILES VERSION 1.0 Abstract This article provides an overview of federated identity management and an introduction on using federated authentication
More informationThe Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs
The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs Executive Overview A key technical underpinning of the Cloud is the Application Programming Interface (API). APIs provide consistent
More informationEnabling SSO for native applications
Enabling SSO for native applications Paul Madsen Ping Identity Session ID: IAM F42B Session Classification: Intermediate Mobile Modes Source - 'How to Connect with Mobile Consumers' Yahoo! Overview Enterprise
More informationAuthenticate and authorize API with Apigility. by Enrico Zimuel (@ezimuel) Software Engineer Apigility and ZF2 Team
Authenticate and authorize API with Apigility by Enrico Zimuel (@ezimuel) Software Engineer Apigility and ZF2 Team About me Enrico Zimuel (@ezimuel) Software Engineer since 1996 PHP Engineer at Zend Technologies
More informationApplying Cryptography as a Service to Mobile Applications
Applying Cryptography as a Service to Mobile Applications SESSION ID: CSV-F02 Peter Robinson Senior Engineering Manager RSA, The Security Division of EMC Introduction This presentation proposes a Cryptography
More informationFederated Identity and Single Sign-On using CA API Gateway
WHITE PAPER DECEMBER 2014 Federated Identity and Single Sign-On using Federation for websites, Web services, APIs and the Cloud K. Scott Morrison VP Engineering and Chief Architect 2 WHITE PAPER: FEDERATED
More informationSingle-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps
Sofia Event Center 14-15 May 2014 Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps Radi Atanassov SharePoint MCM & MVP
More informationBYOD to the Cloud May 28, 2013
BYOD to the Cloud May 28, 2013 Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London 1 2 Generously sponsored by: Welcome Conference Moderator Matt Mosley Northern Virginia, USA Chapter ISSA Web Conference
More informationGetting Started with AD/LDAP SSO
Getting Started with AD/LDAP SSO Active Directory and LDAP single sign- on (SSO) with Syncplicity Business Edition accounts allows companies of any size to leverage their existing corporate directories
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is
More informationOAuth Guide Release 6.0
[1]Oracle Communications Services Gatekeeper OAuth Guide Release 6.0 E50767-02 November 2015 Oracle Communications Services Gatekeeper OAuth Guide, Release 6.0 E50767-02 Copyright 2012, 2015, Oracle and/or
More informationAdministering Jive Mobile Apps
Administering Jive Mobile Apps Contents 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios... 3 Native Apps and Push Notifications...4 Custom App Wrapping for ios... 5 Native
More informationVMware Identity Manager Administration
VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
More informationHOL9449 Access Management: Secure web, mobile and cloud access
HOL9449 Access Management: Secure web, mobile and cloud access Kanishk Mahajan Principal Product Manager, Oracle September, 2014 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Oracle
More informationAuthentication and Single Sign On
Contents 1. Introduction 2. Fronter Authentication 2.1 Passwords in Fronter 2.2 Secure Sockets Layer 2.3 Fronter remote authentication 3. External authentication through remote LDAP 3.1 Regular LDAP authentication
More informationAdd Microsoft Azure as the Federated Authenticator in WSO2 Identity Server
Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server This blog will explain how to use Microsoft Azure as a Federated Authenticator for WSO2 Identity Server 5.0.0. In this example
More informationForce.com REST API Developer's Guide
Force.com REST API Developer's Guide Version 35.0, Winter 16 @salesforcedocs Last updated: December 10, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark
More informationPingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1
PingFederate Salesforce Connector Version 4.1 Quick Connection Guide 2011 Ping Identity Corporation. All rights reserved. PingFederate Salesforce Quick Connection Guide Version 4.1 June, 2011 Ping Identity
More informationMobile Identity and Edge Security Forum Sentry Security Gateway. Jason Macy CTO, Forum Systems jmacy@forumsys.com
Mobile Identity and Edge Security Forum Sentry Security Gateway Jason Macy CTO, Forum Systems jmacy@forumsys.com Evolution Evolution of Enterprise Identities Cloud Computing Iaas Infrastructure as a Service
More informationEnabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver
Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver SAP Product Management, SAP NetWeaver Identity Management
More informationConfiguring Single Sign-on from the VMware Identity Manager Service to ServiceNow
Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow VMware Identity Manager AUGUST 2015 V1 Configuring Single Sign-On from VMware Identity Manager to ServiceNow Table of Contents
More informationCloud Elements! Marketing Hub Provisioning and Usage Guide!
Cloud Elements Marketing Hub Provisioning and Usage Guide API Version 2.0 Page 1 Introduction The Cloud Elements Marketing Hub is the first API that unifies marketing automation across the industry s leading
More informationAPI-Security Gateway Dirk Krafzig
API-Security Gateway Dirk Krafzig Intro Digital transformation accelerates application integration needs Dramatically increasing number of integration points Speed Security Industrial robustness Increasing
More informationAIRTEL INDIA OPEN API. Application Developer Guide for OAuth2 Authentication and Authorization. Document Version 1.1
AIRTEL INDIA OPEN API Application Developer Guide for OAuth2 Authentication and Authorization Document Version 1.1 This Application Developer Guide has been prepared for Airtel India. Copyright Intel Corporation
More informationUsing ArcGIS with OAuth 2.0. Aaron Parecki @aaronpk CTO, Esri R&D Center Portland
Using ArcGIS with OAuth 2.0 Aaron Parecki @aaronpk CTO, Esri R&D Center Portland Before OAuth Apps stored the user s password Apps got complete access to a user s account Users couldn t revoke access to
More informationWeb Security (SSL) Tecniche di Sicurezza dei Sistemi 1
Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1 How the Web Works - HTTP Hypertext transfer protocol (http). Clients request documents (or scripts) through URL. Server response with documents. Documents
More informationUsing OpenID/OAuth to access
Using OpenID/OAuth to access Federated d Data Services M. Benno Blumenthal IRI of Columbia University GO-ESSP 2011 10 May 2011 CMIP3 Pydap server: http://esgcet.llnl.gov/dap/ipcc4/?thredds g p p THREDDS
More informationEHR OAuth 2.0 Security
Hospital Health Information System EU HIS Contract No. IPA/2012/283-805 EHR OAuth 2.0 Security Final version July 2015 Visibility: Restricted Target Audience: EHR System Architects EHR Developers EPR Systems
More informationvcloud Air Platform Programmer's Guide
vcloud Air Platform Programmer's Guide vcloud Air OnDemand 5.7 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server
INTEGRATION GUIDE DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document
More informationOAuth2lib. http://tools.ietf.org/html/ietf-oauth-v2-10 implementation
OAuth2lib http://tools.ietf.org/html/ietf-oauth-v2-10 implementation 15 Julio 2010 OAuth2 - Assertion Profile Library! 3 Documentation! 4 OAuth2 Assertion Flow! 4 OAuth Client! 6 OAuth Client's Architecture:
More information