Here is a quick diagram of the ULV SSO/Sync Application. Number 3 is what we deal with in this document.

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Here is a quick diagram of the ULV SSO/Sync Application. Number 3 is what we deal with in this document."

Transcription

1 University of La Verne Single-SignOn Project How this Single-SignOn thing is built, the requirements, and all the gotchas. Kenny Katzgrau, August 25, 2008 Contents: Pre-requisites Overview of ULV Project How is this project set up? o What is SimpleSAMLphp? o What is Zend? o What does LTech s code do? o Major Function documentation o The LTech Hook/Patch o Where are actual page layouts are kept? The flow of application usage Configuring Debugging Server Prerequisites PHP gotchas Prerequisites: Before you keep reading, it s pretty important to have a good grip on what single sign-on is, and also what SAML is all about. Because this document is specifically about the ULV project, I won t get into it here. You can read more about SSO at: Here is a quick diagram of the ULV SSO/Sync Application. Number 3 is what we deal with in this document.

2 Overview of the University of La Verne Project: When Google sends our SSO application a SignOn request, it comes with a SAML request. In a regular SSO application, the app would ask the user to enter their login information, the app would authenticate them with the client s LDAP directory, and then the app would sign the SAML request and send them back to Google, and they would be logged in. For ULV, things happen differently. When the user enters their information, the app is required to: 1. Check to see if the user exists 2. Check to see if their password is expired ( hasn t been changed in 180 days). If it is expired, force them to change it (We supply that functionality too). 3. Check to see that the user hasn t made 3 consecutive failed logins (if they did, lock them out). If they are locked out, keep them out for 30 minutes. 4. Check to see if the User/Password Binds (Logs In) to the LDAP directory. If the user passes all these checks, we sign their SAML request, and they mosey along to Google. If in the event of something else occurring:

3 The username doesn t even exist: Load up the login page, and just display the Username/Password combination does not exist message. The password is expired: Checking if the password is expired requires looking up the username (which we now confirmed DOES exist), and checking the appropriate LDAP attribute to see if this user needs to change their password. If they need to, redirect them to Change Password Page. To change the password, make the user enter their old password and new password. Then make sure the new password passes the rules required by La Verne: It has a number in it It has an upper-case letter in it It has a lower-case letter in it It is not one of their last 10 passwords Checking the first 3 rules is easy, checking the last requires an LDAP lookup of that user, getting the appropriate attribute, and checking for matches. When we pass all the requirements, we change the password in both LDAP, and Google Apps. This is discussed in a bit. The user is locked out: If the user fails to log in, log that timestamp in the appropriate attribute in their LDAP record, and increment a fail count in their record as well. If the user has made 3 or more consecutive failed login attempts, display message telling them they have been locked out for 30 minutes. If 30 minutes has passed since their last failed login, allow an additional login attempt. If they succeed, reset the failed logins count and delete the attribute which holds the failed login time. Read this for the official requirements from ULV: %20Requirements.doc Overview of the University of La Verne Project: Before I get into the flow of the project, let s talk about the major code bases in it. What is SimpleSAMLphp? SimpleSAML php is a library whose whole purpose is to provide a SingleSignOn service. It natively supports talking to an LDAP directory, authenticating the user, and sending them back. Because of the extended requirements, there is a lot more needed from LDAP than simple authentication. Not only does the user need to be authenticated, but we have to do everything

4 mentioned in the previous sections. For this reason, we handle the authentication procedure instead. This is discussed later. SimpleSAMLphp s core usefulness is signing the SAML request, but it also acts as the web application. At this point, I want to make it clear that LTech s code exists to handle custom requirements from ULV. It s also important to note that SimpleSAMLphp s code is half-procedural, half Object-Oriented oriented framework. Modifying SimpleSAML s core code is not recommended, and doing is not required by any custom requirements. SimpleSAMLphp is recommended by Google, and is the standard for PHP Single Sign on apps. SimpleSAML provides a pure-script alternative to installing a number of dependencies, preventing a portability nightmare It is extremely unlikely that you will ever have to modify the core SimpleSAMLphp code, except for that mentioned in this document. Everything in the root of the application, except the ULV, LTech, and ChangePassword.php folders/files is SimpleSAMLphp s. This is its default layout. There are also several requirements you need to meet to make SimpleSAMLphp work correctly on any server. That is discussed in the Server Prerequisites section. What is Zend? Zend is the name of a company that created a very helpful library named Zend_GData. This library can be used to modify the settings of a user account in Google Apps. As long as you have the administrator account name and password, you can use this library to modify any account under his domain. In this SSO App, this library is only used to change a user s password. You cannot retrieve a password, only change it. What does LTech s code do? LTech s code is the API that performs all of the important stuff mentioned above. All the necessary tasks needed for the SSO application have been created. For instance, if you wanted to check whether a user exists, there is a function just to do that. It is unlikely that you will ever need to talk to LDAP directly (although I have tried to make it as easy as possible if you want to). Major Function Documentation: LTech s code is also completely Object-Oriented. There are 3 classes which perform all of the functionality needed at the time of this writing. They are (In order of abstraction): Class Name File Description ULV_LdapGdataManager /ULV/LdapGdataManager.php Contains two major functions: Login, and Change Password. Login: Does all necessary checking of rules on

5 passwords, and changes passwords in LDAP and Google Apps. One-Stop shopping for performing a full login. Returns a constant depending on what the status was (define in the class). ULV_UserDirectory /ULV/UserDirectory Contains all the major functions that ULV_LdapGdataManager uses. You use ULV_UserDirectory to do any interaction with LDAP. It has many functions, which are documented in a bit. LTech_Ldap /LTech/Ldap.php Is the actual object used by ULV_UserDirectory to talk to LDAP. This class is completely reusable in any PHP-Ldap application. It is highly recommended to use this Kenny Katzgrau innovation instead of the low level PHP Ldap API. There are also 2 utility classes used: Class Name File Description ULV_Utilities /ULV/Utilities.php Contains utility functions such as Encryption/Decryption, validating passwords, redirecting users to pages, converting LDAP Timestamps, loading templates, etc. Depends on LTech_Utilities. LTech_Utilities_String /LTech/Utilities/String.php Contains reusable functions for dealing with strings that aren t built in to PHP. For example, does this string have a number in it? Used by ULV_Utilities.

6 There is 1 Configuration File: Class Name File Description ULV_Config /ULV/Config Contains all the configuration constants used by the application. This file is one-stop shopping for configuration changes. Look it over and see all the awesome stuff you can change on the fly. As you may have been able to tell, both Zend and LTech s code follow a very useful naming convention. Class names are somewhat of a C# namespace. If a class is kept in /Path/To/Class.php, the actual class name is made Path_To_Class. This is important, because in a PHP app, it isn t always obvious where a class is coming from. Another readability design used is naming functions and variables with occasionally long, but highly descriptive names. Take the ULV_UserDirectories doesuserexist( function. Can you guess what it does? LTech s Code performs the following functions, in the following files (only major functions are mentioned). ULV_LdapGdataManager Function ChangePassword ( $userid, $newpassword, $oldpassword ) Login( $username, $password) ULV_UserDirectory Function construct addtouserpasswordhistory( $username, $password ) Description Checks the new password for validity, changes the Ldap password, and then changes the Google apps password. Returns a status constant: Password_Changed Password_UnChanged_Invalid_Login Password_UnChanged_NoUser Password_UnChanged_Reqs Password_UnChanged_History Password_UnChanged_Fail Authenticates the user against LDAP, returns a status constant: Login_User_Failed Login_Expired Login_Locked Login_Password_Failed Description Creates a new UserDirectory object, all ready to talk to LDAP. LDAP connection info is set in the config. Adds a passwords to the specified user s history of used passwords. (That attribute is in the config)

7 changeuserpassword( $username, $password ) getuserinfobyusername( getuserattribute( $username, $attribute, $indexvalue = -1 ) getfirstuserattributevalue( $username, $attribute ) getlastknownuserpassword( iscorrectuserpass( $username, $password ) ispasswordexpired( isuserlockedout ( loguserloginfail( makednfromusername ( resetfailedlogincount( saveattribute( $username, $attributename, $attributevalue ) saveattributes( $username, $attributesarray ) doesuserexist( getinstance() Changes a user s LDAP password, with no checking, validation, or anything. Gets a user s entire LDAP record. Gets a specific attribute from a user s LDAP record. Gets the first value of a potentially multivalued attribute in a user s LDAP record. Gets the last user password changed in our system. If the password was modified outside of our App, we don t know that. Attempts a bind against the LDAP directory with the specified username and password. Returns true or false depending on if the user/pass worked. Checks to see is the user s password is expired beyond the number of days set in the config. Checks to see if the user has failed a login more than the number of times set in the config. Increments the failed login count, sets the lockout time, and adds a timestamp to a failed login date list. Creates a user s DN from the dn template in the config. Guess. Saves an attribute in a user s directory. Saves a user s attribute, which is specified in a name/value pair array. Checks to see if that user has an entry in the LDAP directory. Gets a running instance of the UserDirectory object. Use this to maintain and use one connection in several different parts of a script. The LTech Hook/Patch So where does LTech s code get included in SimpleSAMLphp? In /auth/login-auto.php, around line 70. This is where we got rid of SimpleSAML s authentication process, and used our own. If everything goes well, and the user was authenticated in LDAP, we get their record in an $attributes array. We then create a pseudo record of the form that SimpleSAMLphp was expecting before we made our path, and start to insert the correct information into it, which comes out of our own $attributes array. This takes place around line 140. The attribute that SimpleSAMLphp uses as the GoogleApp ID is uid. This can be set in the config.

8 At this point, I should mention that a user logs into with a username such as msmith. This is the username we use when talking to LDAP. When we talk to Google Apps, we refer to the user as something like Mark.Smith. This name is stored in an attribute. At the time of this writing, the CN attribute of a user is multivalued. CN[0] == msmith, and CN[1] == Mark.Smith. This, although, is expected to change due to ULV s schema change. After we create our pseudo array, we load it into SimpleSAMLphp, and let it take care of the rest. Where are the actual page layouts/designs kept? All page designs and layouts are kept in /templates/default. This is not our choice directory structure, it is SimpleSAML php s. These files are shown when needed in files such as loginauto.php, around line 70. The flow of application usage: 1. User browses to 2. User is redirected to Laverne s server. (Which we ll call mail.laverne.edu/sso) They are sent by Google to mail.laverne.edu/sso/ssoservice.php. 3. SimpleSAMLPHP stores information about the SAML request in the session, and forwards the user to mail.laverne.edu/sso/auth/login-auto.php with some crazy parameters. At this points, our code was not executed yet, because no username/password had been submitted. 4. The user enters his username and password, and submits. 5. login-auto.php is loaded once again. It sees there is a password, and then the LTech patch is executed, calling the ULV_LdapGdataManager::Login( $username, $password) function. Depending on what that function returns, different things can happen. If the function returns: a. ULV_LdapGdataManager::Login_User_Failed: Show the page again with a error message. b. ULV_LdapGdataManager::Login_Expired: Direct the user to the change password page. c. ULV_LdapGdataManager::Login_Locked: Tell the user they re locked out. d. ULV_LdapGdataManager::Login_Password_Failed: Show the page again with an error message. (User_Failed means the user didn t exist, and this means that the user existed, but the password failed. Don t tell them this, though). If we got this far, then the function must have returned an attribute array for the user (hooray for duck typing!). Now we can proceed with the login procedure mentioned above. There she is, the whole application in 5 steps, and 7 pages. But there s more! Configuring: All configurations for this SSO application are performed through the ULV_Config class, located in /ULV/ULV_Config.php.

9 Debugging: Debugging in PHP is a lot like ASP debugging: Print out lines to the page to see what is happening at a given time. There are a few very helpful things to do when debugging this app: 1. If is seems that you aren t even connecting the ldap server, the LTech_Ldap class keeps an internal message queue that contains error messages, and stuff like that. If you want to see that status of the ldap object, you can use the PHP print_r function, to print out this array. Print_r prints out the nicely formatted contents of any PHP object. Example: print_r( $My_User_Directory->ldap->MessageQueue). By the way, the ldap object the ULV_UserDirectory uses is a public property. 2. There are a few test that I use to test functions of the ULV_UserDirectory Class. In /tests there is an ldaptest.php file. Open it up, and see the SSO API in action. You may have to change the require_once files at the top to the correct path. Server Prerequisites: Here are the required extensions and libraries needed by this app. Claudio knows about installing these, and making them work: Required - PHP Version >= Required - Hashing function Required - ZLib Required - OpenSSL Required - SimpleXML Required - XML DOM Required - RegEx support Required - LDAP Extension Required - Radius Extension Required - Mcrypt And https (however that is done) PHP Gotchas: Here are some things in PHP that aren t quite obvious. PHP uses duck-typing, meaning variables can be treated like string one minute, objects the next, and numbers the next. In fact: 0 == false == == null. If you require a file at the top of a script, keep in mind that PHP always uses the path relative to the originally executing script. If you want to include a file relative to the file you are editing, use: Require_once dirname( FILE ). /path/to/file ; FILE is a global php constant containing the name of the current file. If you have an instantiated object in a variable $myobject, the way to call a function on that object is $myobject->function. This is a lot like C++. If you want to call a static function, you have to use the class name and ::. Example: If I wanted to call ULV_Utility s static convertldaptimestamp( $value ) function, I would call: $timestamp = ULV_Utility::convertLDAPTimestamp( $timestamp );. Constants are also treated this way. You will see a lot of ULV_Config::[ConstantName] throughout the app.

10

PHP Integration Kit. Version 2.5.1. User Guide

PHP Integration Kit. Version 2.5.1. User Guide PHP Integration Kit Version 2.5.1 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate PHP Integration Kit User Guide Version 2.5.1 December, 2012 Ping Identity Corporation 1001

More information

SAML single sign-on configuration overview

SAML single sign-on configuration overview Chapter 46 Configurin uring Drupal Configure the Drupal Web-SAML application profile in Cloud Manager to set up single sign-on via SAML with a Drupal-based web application. Configuration also specifies

More information

Qualtrics Single Sign-On Specification

Qualtrics Single Sign-On Specification Qualtrics Single Sign-On Specification Version: 2010-06-25 Contents Introduction... 2 Implementation Considerations... 2 Qualtrics has never been used by the organization... 2 Qualtrics has been used by

More information

Configuring. Moodle. Chapter 82

Configuring. Moodle. Chapter 82 Chapter 82 Configuring Moodle The following is an overview of the steps required to configure the Moodle Web application for single sign-on (SSO) via SAML. Moodle offers SP-initiated SAML SSO only. 1 Prepare

More information

Documentation. CloudAnywhere. http://www.cloudiway.com. Page 1

Documentation. CloudAnywhere. http://www.cloudiway.com. Page 1 Documentation CloudAnywhere http://www.cloudiway.com Page 1 Table of Contents 1 INTRODUCTION 3 2 OVERVIEW 4 2.1 KEY FUNCTIONALITY 4 2.2 PREREQUISITES 5 3 FEATURES 6 3.1 A UNIVERSAL PROVISIONING SOLUTION.

More information

SAML application scripting guide

SAML application scripting guide Chapter 151 SAML application scripting guide You can use the generic SAML application template (described in Creating a custom SAML application profile) to add a SAML-enabled web application to the app

More information

User-password application scripting guide

User-password application scripting guide Chapter 2 User-password application scripting guide You can use the generic user-password application template (described in Creating a generic user-password application profile) to add a user-password

More information

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS) w w w. e g n y t e. c o m Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS) To set up ADFS so that your employees can access Egnyte using their ADFS credentials,

More information

Authentication and Single Sign On

Authentication and Single Sign On Contents 1. Introduction 2. Fronter Authentication 2.1 Passwords in Fronter 2.2 Secure Sockets Layer 2.3 Fronter remote authentication 3. External authentication through remote LDAP 3.1 Regular LDAP authentication

More information

Single Sign-On Implementation Guide

Single Sign-On Implementation Guide Single Sign-On Implementation Guide Salesforce, Winter 16 @salesforcedocs Last updated: November 4, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark

More information

Configuring Sponsor Authentication

Configuring Sponsor Authentication CHAPTER 4 Sponsors are the people who use Cisco NAC Guest Server to create guest accounts. Sponsor authentication authenticates sponsor users to the Sponsor interface of the Guest Server. There are five

More information

Single Sign-On Implementation Guide

Single Sign-On Implementation Guide Single Sign-On Implementation Guide Salesforce, Summer 15 @salesforcedocs Last updated: July 1, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of

More information

SAML single sign-on configuration overview

SAML single sign-on configuration overview Chapter 34 Configurin guring g Clarizen Configure the Clarizen Web-SAML application profile in Cloud Manager to set up single sign-on via SAML with Clarizen. Configuration also specifies how the application

More information

SchoolBooking SSO Integration Guide

SchoolBooking SSO Integration Guide SchoolBooking SSO Integration Guide Before you start This guide has been written to help you configure SchoolBooking to operate with SSO (Single Sign on) Please treat this document as a reference guide,

More information

GlobalSign Enterprise Solutions Google Apps Authentication User Guide

GlobalSign Enterprise Solutions Google Apps Authentication User Guide GlobalSign Enterprise Solutions Google Apps Authentication User Guide Using EPKI for Google Apps for Business Single Sign-on and Secure Document Sharing v.1.1 1 Table of Contents Table of Contents... 2

More information

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server INTEGRATION GUIDE DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document

More information

Siteminder Integration Guide

Siteminder Integration Guide Integrating Siteminder with SA SA - Siteminder Integration Guide Abstract The Junos Pulse Secure Access (SA) platform supports the Netegrity Siteminder authentication and authorization server along with

More information

Getting Started with Clearlogin A Guide for Administrators V1.01

Getting Started with Clearlogin A Guide for Administrators V1.01 Getting Started with Clearlogin A Guide for Administrators V1.01 Clearlogin makes secure access to the cloud easy for users, administrators, and developers. The following guide explains the functionality

More information

Centrify Mobile Authentication Services

Centrify Mobile Authentication Services Centrify Mobile Authentication Services SDK Quick Start Guide 7 November 2013 Centrify Corporation Legal notice This document and the software described in this document are furnished under and are subject

More information

SAP NetWeaver AS Java

SAP NetWeaver AS Java Chapter 75 Configuring SAP NetWeaver AS Java SAP NetWeaver Application Server ("AS") Java (Stack) is one of the two installation options of SAP NetWeaver AS. The other option is the ABAP Stack, which is

More information

OpenLogin: PTA, SAML, and OAuth/OpenID

OpenLogin: PTA, SAML, and OAuth/OpenID OpenLogin: PTA, SAML, and OAuth/OpenID Ernie Turner Chris Fellows RightNow Technologies, Inc. Why should you care about these features? Why should you care about these features? Because users hate creating

More information

SAP NetWeaver Fiori. For more information, see "Creating and enabling a trusted provider for Centrify" on page 108-10.

SAP NetWeaver Fiori. For more information, see Creating and enabling a trusted provider for Centrify on page 108-10. Chapter 108 Configuring SAP NetWeaver Fiori The following is an overview of the steps required to configure the SAP NetWeaver Fiori Web application for single sign-on (SSO) via SAML. SAP NetWeaver Fiori

More information

Remote Authentication and Single Sign-on Support in Tk20

Remote Authentication and Single Sign-on Support in Tk20 Remote Authentication and Single Sign-on Support in Tk20 1 Table of content Introduction:... 3 Architecture... 3 Single Sign-on... 5 Remote Authentication... 6 Request for Information... 8 Testing Procedure...

More information

Example for Using the PrestaShop Web Service : CRUD

Example for Using the PrestaShop Web Service : CRUD Example for Using the PrestaShop Web Service : CRUD This tutorial shows you how to use the PrestaShop web service with PHP library by creating a "CRUD". Prerequisites: - PrestaShop 1.4 installed on a server

More information

Active Directory Requirements and Setup

Active Directory Requirements and Setup Active Directory Requirements and Setup The information contained in this document has been written for use by Soutron staff, clients, and prospective clients. Soutron reserves the right to change the

More information

Integration Overview. Web Services and Single Sign On

Integration Overview. Web Services and Single Sign On Integration Overview Web Services and Single Sign On Table of Contents Overview...3 Quick Start 1-2-3...4 Single Sign-On...6 Background... 6 Setup... 6 Programming SSO... 7 Web Services API...8 What is

More information

EZcast technical documentation

EZcast technical documentation EZcast technical documentation Document written by > Michel JANSENS > Arnaud WIJNS from ULB PODCAST team http://podcast.ulb.ac.be http://ezcast.ulb.ac.be podcast@ulb.ac.be SOMMAIRE SOMMAIRE 2 1. INTRODUCTION

More information

Setting up single signon with Zendesk Remote Authentication

Setting up single signon with Zendesk Remote Authentication Setting up single signon with Zendesk Remote Authentication Zendesk Inc. 2 Zendesk Developer Library Introduction Notice Copyright and trademark notice Copyright 2009 2013 Zendesk, Inc. All rights reserved.

More information

Crawl Proxy Installation and Configuration Guide

Crawl Proxy Installation and Configuration Guide Crawl Proxy Installation and Configuration Guide Google Enterprise EMEA Google Search Appliance is able to natively crawl secure content coming from multiple sources using for instance the following main

More information

SP-initiated SSO for Smartsheet is automatically enabled when the SAML feature is activated.

SP-initiated SSO for Smartsheet is automatically enabled when the SAML feature is activated. Chapter 87 Configuring Smartsheet The following is an overview of the steps required to configure the Smartsheet Web application for single sign-on (SSO) via SAML. Smartsheet offers both IdP-initiated

More information

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server INTEGRATION GUIDE DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document

More information

Building Secure Applications. James Tedrick

Building Secure Applications. James Tedrick Building Secure Applications James Tedrick What We re Covering Today: Accessing ArcGIS Resources ArcGIS Web App Topics covered: Using Token endpoints Using OAuth/SAML User login App login Portal ArcGIS

More information

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0 Administration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2015-01-16 SWD-20150116150104141 Contents Introduction... 9 About this guide...10 What is BES12?...11 Key features of BES12...

More information

Configuring. SugarCRM. Chapter 121

Configuring. SugarCRM. Chapter 121 Chapter 121 Configuring SugarCRM The following is an overview of the steps required to configure the SugarCRM Web application for single sign-on (SSO) via SAML. SugarCRM offers both IdP-initiated SAML

More information

Configuring User Identification via Active Directory

Configuring User Identification via Active Directory Configuring User Identification via Active Directory Version 1.0 PAN-OS 5.0.1 Johan Loos johan@accessdenied.be User Identification Overview User Identification allows you to create security policies based

More information

NSi Mobile Installation Guide. Version 6.2

NSi Mobile Installation Guide. Version 6.2 NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...

More information

Single Sign-On Implementation Guide

Single Sign-On Implementation Guide Salesforce.com: Salesforce Winter '09 Single Sign-On Implementation Guide Copyright 2000-2008 salesforce.com, inc. All rights reserved. Salesforce.com and the no software logo are registered trademarks,

More information

Configuring. SuccessFactors. Chapter 67

Configuring. SuccessFactors. Chapter 67 Chapter 67 Configuring SuccessFactors The following is an overview of the steps required to configure the SuccessFactors Enterprise Edition Web application for single sign-on (SSO) via SAML. SuccessFactors

More information

OIOSAML 2.0 Toolkits Test results May 2009

OIOSAML 2.0 Toolkits Test results May 2009 OIOSAML 2.0 Toolkits Test results May 2009 5. September 2008 - Søren Peter Nielsen: - Lifted and modified from http://docs.google.com/a/nemsso.info/doc?docid=dfxj3xww_7d9xdf7gz&hl=en by Joakim Recht 12.

More information

Samsung KNOX EMM Authentication Services. SDK Quick Start Guide

Samsung KNOX EMM Authentication Services. SDK Quick Start Guide Samsung KNOX EMM Authentication Services SDK Quick Start Guide June 2014 Legal notice This document and the software described in this document are furnished under and are subject to the terms of a license

More information

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication

More information

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview)

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview) Chapter 94 Intacct This section contains the following topics: "An overview of configuring Intacct for single sign-on" on page 94-710 "Configuring Intacct for SSO" on page 94-711 "Configuring Intacct in

More information

Configuring SuccessFactors

Configuring SuccessFactors Chapter 117 Configuring SuccessFactors The following is an overview of the steps required to configure the SuccessFactors Enterprise Edition Web application for single sign-on (SSO) via SAML. SuccessFactors

More information

IIS SECURE ACCESS FILTER 1.3

IIS SECURE ACCESS FILTER 1.3 OTP SERVER INTEGRATION MODULE IIS SECURE ACCESS FILTER 1.3 Copyright, NordicEdge, 2006 www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 1 of 14 1 Introduction 1.1 Overview Nordic Edge One Time Password

More information

Connected Data. Connected Data requirements for SSO

Connected Data. Connected Data requirements for SSO Chapter 40 Configuring Connected Data The following is an overview of the steps required to configure the Connected Data Web application for single sign-on (SSO) via SAML. Connected Data offers both IdP-initiated

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

CA Nimsoft Service Desk

CA Nimsoft Service Desk CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

The increasing popularity of mobile devices is rapidly changing how and where we

The increasing popularity of mobile devices is rapidly changing how and where we Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to

More information

Absorb Single Sign-On (SSO) V3.0

Absorb Single Sign-On (SSO) V3.0 Absorb Single Sign-On (SSO) V3.0 Overview Absorb allows single sign-on (SSO) with third-party systems, regardless of the programming language. SSO is made secure by a series of calls (between Absorb and

More information

Administrator's Guide

Administrator's Guide Active Directory Module AD Module Administrator's Guide Rev. 090923 Active Directory Module Administrator's Guide Installation, configuration and usage of the AD module Table of Contents Chapter 1 Introduction...

More information

Use Enterprise SSO as the Credential Server for Protected Sites

Use Enterprise SSO as the Credential Server for Protected Sites Webthority HOW TO Use Enterprise SSO as the Credential Server for Protected Sites This document describes how to integrate Webthority with Enterprise SSO version 8.0.2 or 8.0.3. Webthority can be configured

More information

Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services

Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services This document is provided as-is. Information and views expressed in this document, including URL and other

More information

Google Apps and Open Directory. Randy Saeks Twitter: @rsaeks http://www.techrecess.com

Google Apps and Open Directory. Randy Saeks Twitter: @rsaeks http://www.techrecess.com Google Apps and Open Directory Randy Saeks Twitter: @rsaeks http://www.techrecess.com Agenda Quick Google Apps Overview Structure Setup Preparing OD Configuration Q&A&S Resources http://techrecess.com/technical-papers/gapps/

More information

This presentation explains how to integrate Microsoft Active Directory to enable LDAP authentication in the IBM InfoSphere Master Data Management

This presentation explains how to integrate Microsoft Active Directory to enable LDAP authentication in the IBM InfoSphere Master Data Management This presentation explains how to integrate Microsoft Active Directory to enable LDAP authentication in the IBM InfoSphere Master Data Management Collaboration Server. Before going into details, there

More information

OneLogin Integration User Guide

OneLogin Integration User Guide OneLogin Integration User Guide Table of Contents OneLogin Account Setup... 2 Create Account with OneLogin... 2 Setup Application with OneLogin... 2 Setup Required in OneLogin: SSO and AD Connector...

More information

SIMIAN systems. Sitellite LDAP Administrator Guide. Sitellite Enterprise Edition

SIMIAN systems. Sitellite LDAP Administrator Guide. Sitellite Enterprise Edition Sitellite LDAP Administrator Guide Sitellite Enterprise Edition Environment In order for the Sitellite LDAP driver to work, PHP must be compiled with its LDAP extension enabled. Instructions on installing

More information

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce. Chapter 41 Configuring Salesforce The following is an overview of how to configure the Salesforce.com application for singlesign on: 1 Prepare Salesforce for single sign-on: This involves the following:

More information

Configuring Salesforce

Configuring Salesforce Chapter 94 Configuring Salesforce The following is an overview of how to configure the Salesforce.com application for singlesign on: 1 Prepare Salesforce for single sign-on: This involves the following:

More information

mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG mkasper@monzoon.net

mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG mkasper@monzoon.net mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG mkasper@monzoon.net The login hell Solutions use client certificates and OCSP and get killed by end users?

More information

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML --------------------------------------------------------------------------------------------------------------------------- Contents Overview...

More information

Single Sign-On for the UQ Web

Single Sign-On for the UQ Web Single Sign-On for the UQ Web David Gwynne Infrastructure Architect, ITIG, EAIT Taxonomy Authentication - Verification that someone is who they claim to be - ie, only the relevant user

More information

Ciphermail Gateway Web LDAP Authentication Guide

Ciphermail Gateway Web LDAP Authentication Guide CIPHERMAIL EMAIL ENCRYPTION Ciphermail Gateway Web LDAP Authentication Guide June 19, 2014, Rev: 5454 Copyright 2008-2014, ciphermail.com. CONTENTS CONTENTS Contents 1 Introduction 3 2 Create an LDAP configuration

More information

www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012

www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012 www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

Application Security Testing. Generic Test Strategy

Application Security Testing. Generic Test Strategy Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication

More information

Centrify Mobile Authentication Services for Samsung KNOX

Centrify Mobile Authentication Services for Samsung KNOX Centrify Mobile Authentication Services for Samsung KNOX SDK Quick Start Guide 3 October 2013 Centrify Corporation Legal notice This document and the software described in this document are furnished under

More information

CSCI110 Exercise 4: Database - MySQL

CSCI110 Exercise 4: Database - MySQL CSCI110 Exercise 4: Database - MySQL The exercise This exercise is to be completed in the laboratory and your completed work is to be shown to the laboratory tutor. The work should be done in week-8 but

More information

PriveonLabs Research. Cisco Security Agent Protection Series:

PriveonLabs Research. Cisco Security Agent Protection Series: Cisco Security Agent Protection Series: Enabling LDAP for CSA Management Center SSO Authentication For CSA 5.2 Versions 5.2.0.245 and up Fred Parks Systems Consultant 3/25/2008 2008 Priveon, Inc. www.priveonlabs.com

More information

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies Guideline Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies Product(s): IBM Cognos 8 BI Area of Interest: Security Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies 2 Copyright

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

http://cnmonitor.sourceforge.net CN=Monitor Installation and Configuration v2.0

http://cnmonitor.sourceforge.net CN=Monitor Installation and Configuration v2.0 1 Installation and Configuration v2.0 2 Installation...3 Prerequisites...3 RPM Installation...3 Manual *nix Installation...4 Setup monitoring...5 Upgrade...6 Backup configuration files...6 Disable Monitoring

More information

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is

More information

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1 PingFederate Salesforce Connector Version 4.1 Quick Connection Guide 2011 Ping Identity Corporation. All rights reserved. PingFederate Salesforce Quick Connection Guide Version 4.1 June, 2011 Ping Identity

More information

SafeNet Authentication Manager

SafeNet Authentication Manager SafeNet Authentication Manager TECHNICAL BRIEF Using SafeNet Authentication Manager as Identity Provider for AirWatch Contents Description... 2 Single Sign-On Dataflow... 2 Identity Provider Configuration...

More information

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide IBM SPSS Collaboration and Deployment Services Version 6 Release 0 Single Sign-On Services Developer's Guide Note Before using this information and the product it supports, read the information in Notices

More information

SCOPTEL WITH ACTIVE DIRECTORY USER DOCUMENTATION

SCOPTEL WITH ACTIVE DIRECTORY USER DOCUMENTATION SCOPTEL WITH ACTIVE DIRECTORY USER DOCUMENTATION Table of content ScopTel with Active Directory... 3 Software Features... 3 Software Compatibility... 3 Requirements... 3 ScopTel Configuration... 4 Prerequisites...

More information

User-ID Best Practices

User-ID Best Practices User-ID Best Practices PAN-OS 5.0, 5.1, 6.0 Revision A 2011, Palo Alto Networks, Inc. www.paloaltonetworks.com Table of Contents PAN-OS User-ID Functions... 3 User / Group Enumeration... 3 Using LDAP Servers

More information

McAfee One Time Password

McAfee One Time Password McAfee One Time Password Integration Module Outlook Web App 2010 Module version: 1.3.1 Document revision: 1.3.1 Date: Feb 12, 2014 Table of Contents Integration Module Overview... 3 Prerequisites and System

More information

Module - Facebook PS Connect

Module - Facebook PS Connect Module - Facebook PS Connect Operation Date : October 10 th, 2013 Business Tech Installation & Customization Service If you need assistance, we can provide you a full installation and customization service

More information

Cloudwork Dashboard User Manual

Cloudwork Dashboard User Manual STUDENTNET Cloudwork Dashboard User Manual Make the Cloud Yours! Studentnet Technical Support 10/28/2015 User manual for the Cloudwork Dashboard introduced in January 2015 and updated in October 2015 with

More information

Interstage Application Server V7.0 Single Sign-on Operator's Guide

Interstage Application Server V7.0 Single Sign-on Operator's Guide Interstage Application Server V7.0 Single Sign-on Operator's Guide Single Sign-on Operator's Guide - Preface Trademarks Trademarks of other companies are used in this user guide only to identify particular

More information

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise

More information

Symplified I: Windows User Identity. Matthew McNew and Lex Hubbard

Symplified I: Windows User Identity. Matthew McNew and Lex Hubbard Symplified I: Windows User Identity Matthew McNew and Lex Hubbard Table of Contents Abstract 1 Introduction to the Project 2 Project Description 2 Requirements Specification 2 Functional Requirements 2

More information

Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online

Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online 062212 2012 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any

More information

Facebook Twitter YouTube Google Plus Website Email

Facebook Twitter YouTube Google Plus Website Email PHP MySQL COURSE WITH OOP COURSE COVERS: PHP MySQL OBJECT ORIENTED PROGRAMMING WITH PHP SYLLABUS PHP 1. Writing PHP scripts- Writing PHP scripts, learn about PHP code structure, how to write and execute

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Cloud Elements ecommerce Hub Provisioning Guide API Version 2.0 BETA

Cloud Elements ecommerce Hub Provisioning Guide API Version 2.0 BETA Cloud Elements ecommerce Hub Provisioning Guide API Version 2.0 BETA Page 1 Introduction The ecommerce Hub provides a uniform API to allow applications to use various endpoints such as Shopify. The following

More information

Protected Trust Directory Sync Guide

Protected Trust Directory Sync Guide Protected Trust Directory Sync Guide Protected Trust Directory Sync Guide 2 Overview Protected Trust Directory Sync enables your organization to synchronize the users and distribution lists in Active Directory

More information

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them. This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and

More information

Oracle Communications Unified Communications Suite

Oracle Communications Unified Communications Suite Oracle Communications Unified Communications Suite Schema Reference Release 8.0 July 2015 Oracle Communications Unified Communications Suite Schema Reference, Release 8.0 Copyright 2007, 2015, Oracle and/or

More information

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect Identity Federation: Bridging the Identity Gap Michael Koyfman, Senior Global Security Solutions Architect The Need for Federation 5 key patterns that drive Federation evolution - Mary E. Ruddy, Gartner

More information

Embedded Web Server Security

Embedded Web Server Security Embedded Web Server Security Administrator's Guide September 2014 www.lexmark.com Model(s): MS911de, MX910de, MX911, MX912, XM9145, XM9155, XM9165, CS310, CS410, CS510, CX310, CX410, CX510, M1140, M1145,

More information

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy Contact information SecurEnvoy www.securenvoy.com 0845 2600010 Merlin House

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

Configuring Steel-Belted RADIUS Proxy to Send Group Attributes

Configuring Steel-Belted RADIUS Proxy to Send Group Attributes Configuring Steel-Belted RADIUS Proxy to Send Group Attributes Copyright 2007 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in retrieval system, or transmitted,

More information

esoc SSA DC-I Part 1 - Single Sign-On and Access Management ICD

esoc SSA DC-I Part 1 - Single Sign-On and Access Management ICD esoc European Space Operations Centre Robert-Bosch-Strasse 5 64293 Darmstadt Germany Tel: (49)615190-0 Fax: (49)615190485 www.esa.int SSA DC-I Part 1 - Single Sign-On and Access Management ICD Prepared

More information

SecureAware on IIS8 on Windows Server 2008/- 12 R2-64bit

SecureAware on IIS8 on Windows Server 2008/- 12 R2-64bit SecureAware on IIS8 on Windows Server 2008/- 12 R2-64bit Note: SecureAware version 3.7 and above contains all files and setup configuration needed to use Microsoft IIS as a front end web server. Installing

More information

Administrator's Guide

Administrator's Guide Active Directory Module 1.2 for CMS 7.2-8.0 Administrator's Guide Rev. 141225 Active Directory Module 1.2 for CMS 7.2-8.0 Administrator's Guide How to install, configure, and use the AD module Table of

More information

Portal User Guide. Customers. Version 1.1. May 2013 http://www.sharedband.com 1 of 5

Portal User Guide. Customers. Version 1.1. May 2013 http://www.sharedband.com 1 of 5 Portal User Guide Customers Version 1.1 May 2013 http://www.sharedband.com 1 of 5 Table of Contents Introduction... 3 Using the Sharedband Portal... 4 Login... 4 Request password reset... 4 View accounts...

More information

Password Management Guide

Password Management Guide www.novell.com/documentation Management Guide Identity Manager 4.0.2 June 2012 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

The full setup includes the server itself, the server control panel, Firebird Database Server, and three sample applications with source code.

The full setup includes the server itself, the server control panel, Firebird Database Server, and three sample applications with source code. Content Introduction... 2 Data Access Server Control Panel... 2 Running the Sample Client Applications... 4 Sample Applications Code... 7 Server Side Objects... 8 Sample Usage of Server Side Objects...

More information