How Single-Sign-On Improves The Usability Of Protected Services For Geospatial Data
2014 Fifth International Conference on Computing for Geospatial Research and Application (COM.Geo)

Andreas Matheus
University of the Bundeswehr, Neubiberg, Germany

Abstract

The Internet is full of services and data providers that offer access to massive data holdings, in particular with geospatial content. But when it comes to building meaningful applications in domains such as disaster management, what matters? Usually trusted data and services are required. So the main questions are about open standards and technologies that allow the secure and trustworthy use of protected geospatial data and services. One prominent solution was practiced during the Group on Earth Observations (GEO) Architecture Implementation Pilot (AIP) no. 6, where international organizations from the US and Europe participated in the creation of a federation of protected data and services. During the GEO-X plenary in Geneva, Switzerland in January 2014, a live demonstration confirmed the feasibility of the approach taken. It was in particular the Single-Sign-On and the managed circle of trust that enabled the creation of meaningful client applications, one of which combined NASA Ames and ESA protected data. This paper reports on the resulting Access Management Federation that was implemented during AIP-6, the required standards and technologies, and the technical approach taken. The paper concludes with findings and best practices important for operational use.

Keywords: Security, Authentication, Access Management Federation, Single-Sign-On, SAML, GeoXACML, XACML, OASIS

I. MOTIVATION

The Internet is full of geospatial data and services. But when it comes to creating meaningful applications, the use of free and open data and services is most often not sufficient. It is the trust in the data and services that becomes important.
Many providers of geospatial mapping and vector data offer view services for free, but access to the vector data itself, as an essential data asset, may be restricted. Even though most geospatial data and services are interoperable because they are based on open standards, e.g. from the Open Geospatial Consortium (OGC), the interoperability of access to and use of the data is broken as soon as a provider introduces its own security mechanism. By broken we mean that data from protected services of different providers cannot be combined in an application such as OpenLayers, because compliance with each provider's specific security mechanism is not supported. Or the use of the protected services becomes so user-unfriendly that using them in an application is not feasible. This happens when each protected service requests user credentials independently of the others; in the extreme, a user must enter a different username and password for each service.

So, is there no standards based solution available to improve the situation? One prominent and promising solution that is in operation around the globe for universities and academic institutions is called Access Management Federation (see [2]). This operational model provides all the features that are required to make use of protected data and services: (i) Single-Sign-On, (ii) Circle of Trust and (iii) Access Management. During AIP-6, an Access Management Federation was created that demonstrates that it is feasible to adopt the same model from academia for geospatial data and services. It turned out that specific settings are required that differ from the typical setup of academic federations, but the overall organizational model remains the same. This paper aims to explain this organizational model and the technical differences involved in creating an Access Management Federation for geospatial data services.
The paper concludes by illustrating the power of a federation of protected geospatial data and services with mapping applications that run in a Web Browser (OpenLayers), as a desktop client (QGIS) and as native mobile applications (Android).

II. ACCESS MANAGEMENT FEDERATION AS AN ORGANIZATIONAL MODEL

The term Access Management Federation (AMF) was coined in academia: the UK Access Management Federation provides a single solution to access online resources and services for education and research (see [2]). According to the German academic federation (see [3]), the following table lists the major academic Access Management Federations around the world.

TABLE I. SELECTED LIST OF ACADEMIC AMF OF THE WORLD

Europe                                                        America          Asia & Australia
Belnet Federation (Belgium)                                   CAF (Canada)     CARSI (China)
DFN-AAI (Germany)                                             InCommon (USA)   GakuNin (Japan)
Haka-Federation (Finland)                                                      AAF (Australia)
Federation Education-Recherche (France)
SURFnet (The Netherlands)
Entree, Kennisnet Federatie (The Netherlands)
FEIDE (Norway)
SWAMID (Sweden)
SWITCH-AAI (Switzerland)
UK AMF for Education and Research (UK and Northern Ireland)

It is important to note that they all adhere to the same organizational model as outlined in [4]. Looking at an Access Management Federation more closely, three different roles of responsibility can be identified: Coordination Center (CC), Service Provider (SP) and Identity Provider (IdP), as illustrated in figure 1.

Fig. 1. Federation Principle (source: [1])

The Coordination Center of a federation is in the first place responsible for managing the Circle of Trust (CoT). This involves approving joining requests of entities that wish to participate as an IdP or SP; for either kind of application, procedures are in place to ensure that the circle of trust is not breached. The coordination center also maintains, digitally signs and publishes the federation metadata, which is the whitelist of trusted entities, in the role of IdP or SP, that determines the CoT.

The IdP is responsible for trustworthy user management for the users of its organization. In particular, the organization participating as an IdP is responsible for ensuring that the attributes of a user sent to SPs are correct; in that sense, the user's identity is verifiable through the IdP. In addition to user management, the IdP provides SAML compliant endpoints to serve authentication requests from SPs for session initiation, as well as the other SAML protocol endpoints. Finally, an IdP must provide a login method that lets its own users present their credentials in a secure fashion.

The SP is the entity role that actually provides data sets and services. The SP has no user management of its own; it relies on the IdP to report in a trustworthy manner that a user was successfully authenticated. Once an assertion about the user is received from the user's IdP, a session with the user's client is created. For each request to a protected SP endpoint, access control determines whether the user, characterized by the attributes sent by the IdP, may execute the endpoint and receive the result.

III. THE AIP-6 ACCESS MANAGEMENT FEDERATION

The Group on Earth Observations (GEO) has defined a System of Systems (GEOSS) that supports decision-support tools for a variety of users.
In the annual initiatives called Architecture Implementation Pilot (AIP), different aspects of GEOSS are exercised for the purpose of extending and enhancing the infrastructure. During AIP-6 (March 2013 to January 2014), the work in the context of data sharing focused on establishing Single-Sign-On for protected services at different participating organizations. For the federation established during AIP-6, two main user requirements were considered: (i) Single-Sign-On and (ii) Social Media login. The first, Single-Sign-On, is key because it ensures the usability of the protected geospatial services in the first place. At this point we need to understand that there are many potential IdPs at which a user may log in. Depending on the realized solution for IdP discovery, two different notions of Single-Sign-On exist.

A. IdP Discovery and SSO

The challenge of IdP discovery is addressed in the SAML standard by the Identity Provider Discovery Profile (see [8]). Realizing this profile requires the so-called common domain cookie: a common domain must be defined for the federation, and a service deployed in that domain acts as the common domain cookie reading and writing service. The cookie holds the list of IdPs the user has selected, which makes it possible to remember the selection and optionally skip the IdP selection step.

In the first notion of SSO, "single" refers to the number of times a user must provide credentials (log in). In most academic AMFs, each session creation with an SP requires the user to select the IdP. This may be considered SSO with stop-over: no direct (automatic) session creation is performed, even though the user does not have to log in again, assuming the user's session with the IdP is still active.

Fig. 2. Stop-over SSO

As illustrated in figure 2, the list of available IdPs is provided in a distributed fashion, e.g. by each SP individually. Without the common domain option, the IdP selection cannot be stored: a request of the user's client to a new SP carries no knowledge of existing sessions or of which IdP was used to authenticate, so the user must select the IdP again. Once that has happened, session establishment completes automatically, provided the user has an active session with the IdP.
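The bookkeeping behind the common domain cookie, plus the two checks a Discovery Service needs before it redirects anywhere, as an added example in Python (not code from the paper or the AIP-6 federation; the _saml_idp cookie format follows the SAML Identity Provider Discovery Profile, while the entity IDs, URLs and the metadata extract are constructed for the example):

```python
"""IdP discovery bookkeeping for a Discovery Service.

Added example, not code from the paper or the AIP-6 federation. It implements
the common domain cookie of the SAML Identity Provider Discovery Profile
(_saml_idp: base64-encoded entityIDs separated by single spaces, most recently
used last) and the two checks a DS should make before it redirects: the
remembered IdP must still be listed in the federation metadata, and the SP's
"return" URL must be an endpoint the SP registered. Entity IDs, URLs and the
metadata table below are constructed for the example.
"""
import base64
from urllib.parse import quote, urlsplit

COOKIE_NAME = "_saml_idp"


def decode_idp_cookie(value):
    """Cookie value -> list of IdP entityIDs, oldest first, most recent last."""
    return [base64.b64decode(tok).decode("utf-8") for tok in value.split(" ") if tok]


def encode_idp_cookie(entity_ids):
    return " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids)


def remember_selection(cookie_value, entity_id):
    """Move (or add) entity_id to the end of the list: it is now the most recent."""
    ids = [e for e in decode_idp_cookie(cookie_value) if e != entity_id]
    ids.append(entity_id)
    return encode_idp_cookie(ids)


def preferred_idp(cookie_value, trusted_idps):
    """Most recently used IdP that is still in the Circle of Trust.

    The cookie is client-controlled, so its content must never become a
    redirect target on its own; only an entityID present in the signed
    federation metadata qualifies. None means: show the selection page.
    """
    for eid in reversed(decode_idp_cookie(cookie_value)):
        if eid in trusted_idps:
            return eid
    return None


def validate_return_url(sp_entity_id, return_url, sp_discovery_endpoints):
    """The 'return' parameter of a discovery request must match a DiscoveryResponse
    endpoint the SP registered in metadata (scheme, host and path), otherwise the
    DS would be an open redirector. A query string added by the SP is tolerated."""
    r = urlsplit(return_url)
    for loc in sp_discovery_endpoints.get(sp_entity_id, []):
        l = urlsplit(loc)
        if (r.scheme, r.netloc, r.path) == (l.scheme, l.netloc, l.path):
            return True
    return False


def discovery_redirect(cookie_value, sp_entity_id, return_url, metadata,
                       return_id_param="entityID"):
    """Where the DS sends the browser for direct SSO, or None if the user must pick.

    metadata holds the trusted IdP entityIDs under "idps" and the registered
    DiscoveryResponse locations per SP under "sp_discovery".
    """
    if not validate_return_url(sp_entity_id, return_url, metadata["sp_discovery"]):
        raise ValueError("return URL is not registered for SP " + sp_entity_id)
    idp = preferred_idp(cookie_value, metadata["idps"])
    if idp is None:
        return None
    sep = "&" if "?" in return_url else "?"
    return "%s%s%s=%s" % (return_url, sep, return_id_param, quote(idp, safe=""))


# Constructed federation metadata extract (hypothetical example.* entities).
METADATA = {
    "idps": {"https://idp.example.org/idp/shibboleth",
             "https://gateway.example.com/idp/google"},
    "sp_discovery": {
        "https://sp.example.net/shibboleth": ["https://sp.example.net/Shibboleth.sso/Login"],
    },
}

if __name__ == "__main__":
    cookie = remember_selection("", "https://idp.example.org/idp/shibboleth")
    print(discovery_redirect(cookie, "https://sp.example.net/shibboleth",
                             "https://sp.example.net/Shibboleth.sso/Login?target=/protected/service/wms",
                             METADATA))
```

The DS sets the cookie in the common domain and reads it back on every discovery request; preferred_idp is what turns the stored selection into direct SSO, and its lookup against the metadata is what keeps a tampered cookie from steering the browser to an IdP outside the Circle of Trust.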
As we will see later, this stop-over is not sufficient for OpenLayers based web mapping applications that run inside a Web Browser. Instead, direct SSO is required, which can only be achieved when the user does not have to select the IdP when a new SP session is created. How can this be achieved? For the AIP-6 federation, the common domain cookie writing service was combined with the functionality of a central Discovery Service (DS): the DS is responsible for presenting the list of available IdPs to the user and for creating and maintaining the _saml_idp HTTP cookie. This cookie enables direct SSO, as the selected IdP is stored in it and the selection can be skipped when the user establishes a new session with the second, third, etc. SP.

Fig. 3. Direct SSO

As illustrated in figure 3, the DS is the central entity that provides the list of IdPs to the user (arrow 1). Once the user has selected the IdP (arrow 2), the DS creates the _saml_idp HTTP cookie and a session cookie for the application. When a user application such as the OpenLayers client is used, the JavaScript library can establish new sessions to SP 2 and SP 3 automatically, because the redirect from the DS to the IdP no longer stops for a selection.

However, there is one implication for the Web Browser configuration: the DS session and _saml_idp cookies are third-party cookies. Assuming the SP is hosted in the domain SP.net, the IdP in IdP.org and the DS in DS.com, then the common domain is DS.com and the cookies live in that domain. For any browser communication with the SP where a redirect to the IdP takes place via the DS, the DS cookies are third-party cookies from the browser's point of view. At the time of the pilot only the default configuration of MSIE rejected third-party cookies, while all other major browsers accepted them by default. This has since changed: Safari and Firefox block or partition third-party cookies by default, and Chrome treats a cookie without a SameSite attribute as SameSite=Lax and includes it in cross-site subresource requests (the image and XMLHttpRequest loads an OpenLayers client makes) only if it was set with SameSite=None and Secure. If third-party cookies are rejected, applications such as OpenLayers that rely on direct SSO will not work.

B. Social Media Authentication

The second user-facing requirement, support for Social Media users, was implemented in AIP-6 via a so-called trust gateway from the SAML based federation to Google OpenID. This trust gateway acts as a trusted IdP towards the federation and as an OpenID consumer (relying party) towards Google. Any user with a valid Gmail account is able to log in via the trust gateway.

Fig. 4. IdP Discovery including Trust Gateway IdP to Google OpenID

As illustrated in figure 4, one of the IdPs in the AIP-6 federation acts as a mediator to the Gmail OpenID login. It is important to understand that the user credentials are never seen by the gateway: upon receiving an authentication request from an SP of the federation, it performs a clean redirect to the Google account services. To maintain an active login session with the trust gateway, the user must select the "stay logged in" option at the Gmail login.

IV. CLIENT APPLICATIONS

In addition to the user-facing requirements, technical requirements can be derived from the context of application development: (i) Web Browser based applications, (ii) desktop client applications and (iii) mobile applications.

A. OpenLayers based mapping application

Support for a Web Browser based client application built on OpenLayers results in constraints on the allowed SSO profile / binding combinations. SAML defines exactly one profile for establishing SSO via a Web Browser: the Web Browser SSO Profile. For new SP session creation, this profile leverages a sequence of HTTP redirects. To execute the profile, one of three bindings may be used, but only one is suitable given the functional limitations of sessions initiated from JavaScript: the HTTP Artifact Binding.
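What the browser actually carries under the artifact binding, and what the SP does with it, as an added example in Python (not code from the paper or the AIP-6 software; the artifact layout is the type 0x0004 format of the SAML 2.0 Bindings specification, while entity IDs, URLs and the metadata extract are constructed for the example):

```python
"""SAML 2.0 HTTP-Artifact binding: what the browser carries.

Added example, not code from the paper or the AIP-6 software. Builds and parses
a type 0x0004 artifact as laid out in the SAML 2.0 Bindings specification
(TypeCode, EndpointIndex, 20-byte SourceID = SHA-1 of the issuer's entityID,
20-byte random MessageHandle) and shows the SP-side bookkeeping: map the
SourceID back to an IdP listed in the federation metadata and pick that IdP's
ArtifactResolutionService by index. The back-channel SOAP call itself is not
performed. Entity IDs and the metadata table are constructed.
"""
import base64
import hashlib
import os
import struct
from urllib.parse import urlencode

TYPE_CODE = 0x0004
ARTIFACT_LEN = 2 + 2 + 20 + 20


def source_id(entity_id):
    """SourceID as defined by the binding: SHA-1 over the issuer's entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(issuer_entity_id, endpoint_index, handle=None):
    """IdP side: create the opaque handle the browser will carry in the redirect."""
    handle = handle if handle is not None else os.urandom(20)
    if len(handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    raw = struct.pack(">HH", TYPE_CODE, endpoint_index) + source_id(issuer_entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact):
    """SP side: split a SAMLart value into (endpoint_index, source_id, handle)."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("unexpected artifact length %d" % len(raw))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_CODE:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return endpoint_index, raw[4:24], raw[24:]


def resolve_issuer(artifact, metadata):
    """Return (entityID, ArtifactResolutionService URL) for the artifact's issuer,
    or None if the SourceID matches no IdP in the signed federation metadata.
    Refusing unknown SourceIDs is what keeps the Circle of Trust closed here."""
    index, sid, _handle = parse_artifact(artifact)
    for entity_id, ars in metadata.items():
        if source_id(entity_id) == sid and index in ars:
            return entity_id, ars[index]
    return None


def redirect_location(acs_url, artifact, relay_state=None):
    """Location header the IdP sends the browser to. It carries no assertion,
    only the artifact, so nothing sensitive lands in proxy logs or Referer headers."""
    params = {"SAMLart": artifact}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return acs_url + "?" + urlencode(params)


# Constructed metadata extract: entityID -> {endpoint index: ArtifactResolutionService}.
IDP_METADATA = {
    "https://idp.example.org/idp/shibboleth": {
        1: "https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution",
    },
}

if __name__ == "__main__":
    art = build_artifact("https://idp.example.org/idp/shibboleth", 1)
    print(redirect_location("https://sp.example.net/Shibboleth.sso/SAML2/Artifact", art))
    print(resolve_issuer(art, IDP_METADATA))
```

The SP answers the redirect by sending an ArtifactResolve message to the returned ArtifactResolutionService URL over the TLS-protected and signed back-channel; the IdP must answer each artifact at most once and only within a short validity window, which is what makes an artifact that leaks through browser history or a Referer header worthless to an attacker.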
The artifact binding is the only suitable one because the SAML assertion is passed from the IdP to the SP over the secure back-channel rather than through the browser. With the HTTP POST binding the IdP returns an HTML form that the browser must render and auto-submit to the SP, which does not happen for a request issued by JavaScript (an XMLHttpRequest or a tile image load), since the browser only follows redirects for such requests. With the artifact binding the browser carries only a short opaque artifact in a redirect and the SP resolves it over the back-channel, so the whole exchange completes with plain redirects. The implication for the SP configuration is that session initiation shall use the Artifact Binding only.

B. QGIS based mapping

Support for desktop applications such as QGIS requires a non-Web-Browser Single-Sign-On profile. The SAML profile named Enhanced Client or Proxy (ECP) Profile is the only suitable one, as a desktop client does not offer the functionality of a Web Browser, in particular the ability to process (X)HTML pages with JavaScript. It is important to note that, as the name of the profile suggests, SSO is not guaranteed by the profile itself: it is the client's responsibility to enable Single-Sign-On by properly implementing the profile's functionality. According to the SAML specification, the only binding option is the Reverse SOAP (PAOS) Binding. When implementing this profile and binding in a desktop application, note that it is the client that indicates to the SP, via HTTP headers, that it is capable of the ECP protocol. The implication for the SP is that ECP must be supported if the provided services shall be consumed via a desktop application; the implication for the IdP is that ECP must be enabled if its own users shall be able to use protected services from a desktop application.

C. Android mobile app mapping

Support for mobile applications does not introduce additional technical requirements. A developer of a mobile application can choose which profile to use: the Web Browser SSO Profile or the Enhanced Client or Proxy (ECP) Profile. The former eases session management but may introduce difficulties, because the Web Browser installed on the mobile device must be used as an external application, and the HTTP cookies the browser holds for other applications may interfere with the session cookies to be maintained for the federation login. It is therefore recommended that a native mobile mapping application implements ECP.

Fig. 5. OpenLayers based Web Browser mapping application
Fig. 6. QGIS based desktop client mapping application
Fig. 7. Android mapping application

V. ACCESS MANAGEMENT, SCALABILITY AND TRUST

In order to operate an Access Management Federation in a production environment, it is essential to take a closer look at scalability, trust and the ability to manage access rights. As outlined in section II, the coordination center is responsible for approving requests for participation. This typically includes checking the key lengths used to sign and encrypt SAML messages as well as ensuring that the procedures established by an IdP are sufficient for user authentication.
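The ECP exchange of sections IV.B and IV.C, seen from the client's side, as an added example in Python (not code from the paper, from QGIS or from the AIP-6 software). The header values and the endpoint comparison follow the SAML 2.0 ECP profile and the PAOS binding; the two SOAP envelopes and all example.* hosts are constructed. Transport is omitted: the strings returned would be sent over HTTP to the SP and to the IdP's ECP endpoint respectively.

```python
"""ECP client flow for a desktop GIS client.

Added example, not the paper's or the AIP-6 software's code. Shows the three
things an Enhanced Client must do per the SAML 2.0 ECP profile: announce itself
to the SP with the PAOS headers, take the AuthnRequest out of the SP's PAOS
envelope and forward it to the IdP, and, before posting the IdP's answer back,
verify that the AssertionConsumerServiceURL named by the IdP equals the
responseConsumerURL the SP asked for (otherwise send the SP a SOAP fault and
stop). The two envelopes below are constructed with example.* hosts.
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"soap": SOAP, "paos": PAOS, "ecp": ECP, "samlp": SAMLP, "saml": SAML}
SOAP_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def ecp_request_headers():
    """Headers that make the SP answer with a PAOS envelope instead of a redirect."""
    return {"Accept": "text/html; application/vnd.paos+xml",
            "PAOS": 'ver="%s";"%s"' % (PAOS, ECP)}


def parse_sp_envelope(xml_text):
    """Return (responseConsumerURL, IdP entityIDs the SP accepts, RelayState, envelope for the IdP)."""
    env = ET.fromstring(xml_text)
    header = env.find("soap:Header", NS)
    paos_req = header.find("paos:Request", NS)
    if paos_req is None or paos_req.get("service") != ECP:
        raise ValueError("not an ECP PAOS request")
    rc_url = paos_req.get("responseConsumerURL")
    idps = [e.get("ProviderID")
            for e in header.iterfind("ecp:Request/samlp:IDPList/samlp:IDPEntry", NS)]
    rs = header.find("ecp:RelayState", NS)
    relay_state = rs.text if rs is not None else None
    # The SP's header blocks are addressed to the client, not to the IdP:
    # strip them and forward the body (the AuthnRequest) unchanged.
    env.remove(header)
    return rc_url, idps, relay_state, ET.tostring(env, encoding="unicode")


def acs_url_from_idp(xml_text):
    """AssertionConsumerServiceURL the IdP placed in its ecp:Response header block."""
    resp = ET.fromstring(xml_text).find("soap:Header/ecp:Response", NS)
    if resp is None:
        raise ValueError("IdP envelope lacks ecp:Response header")
    return resp.get("AssertionConsumerServiceURL")


def build_sp_envelope(idp_xml, response_consumer_url, relay_state=None):
    """Envelope to POST to responseConsumerURL (Content-Type application/vnd.paos+xml)
    after the mandatory endpoint check; on mismatch the caller must send a SOAP fault."""
    acs = acs_url_from_idp(idp_xml)
    if acs != response_consumer_url:
        raise ValueError("ACS mismatch: IdP says %s, SP asked for %s" % (acs, response_consumer_url))
    env = ET.fromstring(idp_xml)
    header = env.find("soap:Header", NS)
    header.remove(header.find("ecp:Response", NS))
    resp = ET.SubElement(header, "{%s}Response" % PAOS)
    resp.set("{%s}actor" % SOAP, SOAP_NEXT)
    resp.set("{%s}mustUnderstand" % SOAP, "1")
    if relay_state is not None:   # hand the SP back the RelayState it gave us
        rs = ET.SubElement(header, "{%s}RelayState" % ECP)
        rs.set("{%s}actor" % SOAP, SOAP_NEXT)
        rs.set("{%s}mustUnderstand" % SOAP, "1")
        rs.text = relay_state
    return ET.tostring(env, encoding="unicode")


# Constructed PAOS envelope as an SP would return it to an ECP-capable client.
SP_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:paos="urn:liberty:paos:2003-08"
 xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<S:Header>
<paos:Request S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
 service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" responseConsumerURL="https://sp.example.net/Shibboleth.sso/SAML2/ECP"/>
<ecp:Request S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1" ProviderName="Protected WMS">
<saml:Issuer>https://sp.example.net/shibboleth</saml:Issuer>
<samlp:IDPList><samlp:IDPEntry ProviderID="https://idp.example.org/idp/shibboleth"/></samlp:IDPList>
</ecp:Request>
<ecp:RelayState S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1">/protected/service/wms</ecp:RelayState>
</S:Header>
<S:Body>
<samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2014-01-15T10:00:00Z">
<saml:Issuer>https://sp.example.net/shibboleth</saml:Issuer>
</samlp:AuthnRequest>
</S:Body>
</S:Envelope>"""

# Constructed answer from the IdP's ECP endpoint (assertion content left out).
IDP_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<S:Header>
<ecp:Response S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
 AssertionConsumerServiceURL="https://sp.example.net/Shibboleth.sso/SAML2/ECP"/>
</S:Header>
<S:Body>
<samlp:Response ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2014-01-15T10:00:01Z"
 Destination="https://sp.example.net/Shibboleth.sso/SAML2/ECP">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>
</S:Body>
</S:Envelope>"""
```

The comparison in build_sp_envelope is the one check the profile makes mandatory for the client: an IdP response naming a different AssertionConsumerServiceURL than the SP's responseConsumerURL means the assertion is being steered to another endpoint, and the client must answer the SP with a SOAP fault instead of the response. The client should also only authenticate to an IdP whose entityID appears in the SP's IDPList, or at least in the federation metadata.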
It is also the duty of the coordination center to continuously verify that service level agreements with Service Providers and Identity Providers are met. In case of a shortcoming, the coordination center has the duty and the power to exclude the entity from the federation.

Regarding scalability, it is important to understand that the federation metadata does not contain the actual data service endpoints offered by a Service Provider or the login URL of an Identity Provider. Instead, a participant provides the list of SAML specific endpoints that are characteristic for its type of participation, SP or IdP. So for example, an SP's protected WMS (e.g. /protected/service/wms) would not go into the federation metadata. Looking at production AMFs in academia, the numbers of Service / Identity Providers range from some 25 / 30 for Belnet, Belgium, to 1555 / 337 for InCommon, USA. The only implication derives from IdP discovery: a simple pull-down list as used in AIP-6 is not feasible for, say, 10 or more IdPs. But the Discovery Service from SWITCH used in the AIP-6 work can store the selection in a persistent cookie, so the IdP selection needs to be made only once.

Finally, the enforcement of access rights is the sole duty of each Service Provider. Which technology / standard a service provider leverages is its own decision. However, it seems reasonable that the technology supports Attribute Based Access Control (ABAC). Why? Because the service provider receives from the IdP an assertion about the user's attributes. For the AIP-6 federation, three non-personal attributes are used: 1) geoss-user, 2) affiliation and 3) unscoped-affiliation (the latter two are the Shibboleth SP's default names for eduPersonScopedAffiliation and eduPersonAffiliation). A Service Provider in AIP-6 can therefore base access decisions for services and data on these user attributes. In addition, environment information such as IP addresses can be taken into consideration, and for mobile applications the location of the device may also enter the authorization decision.

VI. STANDARDS AND TECHNOLOGY DISCUSSION

Taking into consideration the introduced organizational model and the key requirement Single-Sign-On, the use of standards is actually limited to the topic of authentication. As all known Access Management Federations are based on the OASIS standard SAML (Security Assertion Markup Language) (see [6]), it is this standard that forms the backbone of interoperability for the AIP-6 federation. At this point it is important to note that it was by no means required to implement SAML or to integrate it into existing software. The use of SAML can be reduced to deploying Web Services that provide the required network endpoints to achieve interoperability for the IdP and SP. For example, the IdP can be deployed on a Tomcat that is made accessible via a production-strength Apache Web Server. To enable user login, the IdP can be connected to existing user management systems such as LDAP, Kerberos, etc. For AIP-6, the simplistic combination of an Apache username/password file and LDAP was used.
For the SP, the Apache or IIS Web Server configuration can be changed to load the module that makes the Web Service SAML authentication compliant. Once the Apache module is loaded, the Apache Web Server can be configured such that certain paths require SAML based authentication. For an SP, another loosely coupled technique can also be used: an additional Apache instance with SAML authentication support that functions as a reverse proxy in front of internal services.

Most, if not all, production IdPs and SPs in academic Access Management Federations use the SAML compliant open source software named Shibboleth (see [9]). For AIP-6, the same mainstream IT software was used to realize the federation. The specific requirements of session establishment and IdP discovery outlined earlier could be realized via simple configuration options. For the sake of interoperability verification, one IdP was deployed using OpenAM (formerly Sun's OpenSSO).

When it comes to the enforcement of access rights, the use of yet another OASIS standard becomes prominent: XACML (eXtensible Access Control Markup Language) (see [13]). The main reason is that XACML supports ABAC, which is the natural choice when coupling access rights with user attributes. For the declaration and enforcement of access rights with geospatial conditions, the OGC standard GeoXACML (Geospatial XACML) (see [14]) is the natural choice, as it defines a geospatial extension to XACML: GeoXACML defines the data type Geometry and geo-specific functions as defined in the ISO standard Simple Features (see [15]). The use of GeoXACML supports the enforcement of access rights that are based on the location of the user / mobile device as well as on the geometric characteristics (e.g. location) of protected resources.

VII. CONCLUSION

The major conclusion is that the AIP-6 federation for geospatial data and services can be realized using the exact same organizational model, technology and standards as the production Access Management Federations in academia. Apart from the specific configuration of session creation, the support for ECP and the central DS, nothing is different, and as outlined earlier the AIP-6 specific settings could be put in place by merely configuring the mainstream IT software Shibboleth. With the AIP-6 federation, it was possible to make protected OGC Web Services available to different kinds of clients: a Web Browser based mapping application built on OpenLayers, a desktop GIS application (QGIS) and a simple Android mapping application. One application uses protected OGC Web Coverage Service (WCS) and Web Coverage Processing Service (WCPS) endpoints for NASA Ames Research Center and ESA data sets; another uses protected OGC Web Map Service (WMS) and Web Map Tile Service (WMTS) endpoints from the German Bundesamt für Kartographie und Geodäsie (BKG) and the British Catapult. The successful result of AIP-6 demonstrates that data sharing via the Internet among different participating organizations with Single-Sign-On support is a powerful organizational model for the trustworthy use of protected geospatial data and services in meaningful applications.
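The attribute based access decision of section V, with the kind of geospatial condition that section VI attributes to GeoXACML, as an added example in Python (not the paper's or AIP-6's code and not a GeoXACML engine: the point-in-polygon test stands in for a GeoXACML within function, and the attribute values, the trusted network range and the service-area polygon are constructed for the example):

```python
"""Attribute based access decision for a protected OGC endpoint.

Added example, not the AIP-6 implementation and not a GeoXACML engine: it
shows the shape of the rules a Service Provider would express in XACML /
GeoXACML. Subject attributes come from the IdP's assertion, environment
attributes (client IP, device location) from the request, and a geospatial
condition is evaluated against a polygon. The attribute values, the trusted
network and the service-area polygon are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class AccessRequest:
    subject: Dict[str, List[str]]                   # attribute name -> values released by the IdP
    resource: str                                   # protected path, e.g. /protected/service/wfs
    action: str                                     # OGC operation name
    client_ip: str
    location: Optional[Tuple[float, float]] = None  # (lon, lat) reported by a mobile client


@dataclass
class Rule:
    name: str
    effect: str                                     # "Permit" or "Deny"
    target: Callable[[AccessRequest], bool]


def point_in_polygon(point, ring):
    """Ray-casting test; ring is a list of (lon, lat) vertices, closing edge implied.
    Stand-in for GeoXACML's geometry-is-within function."""
    x, y = point
    inside = False
    for i in range(len(ring)):
        x1, y1 = ring[i]
        x2, y2 = ring[(i + 1) % len(ring)]
        if (y1 > y) != (y2 > y):
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


# Constructed: a service area around Munich and an on-site network range.
SERVICE_AREA = [(11.0, 47.8), (12.0, 47.8), (12.0, 48.5), (11.0, 48.5)]
TRUSTED_NET = ipaddress.ip_network("192.0.2.0/24")


def has(req, attr, value=None):
    """Attribute present (value None) or present with the given value."""
    values = req.subject.get(attr, [])
    return bool(values) if value is None else value in values


def on_trusted_network(req):
    return ipaddress.ip_address(req.client_ip) in TRUSTED_NET


def inside_service_area(req):
    return req.location is not None and point_in_polygon(req.location, SERVICE_AREA)


# Policy: view operations for every registered GEOSS user; vector data only for
# staff who are on-site, either by network or by reported device location.
POLICY = [
    Rule("deny-unregistered", "Deny", lambda r: not has(r, "geoss-user")),
    Rule("view-for-geoss-users", "Permit",
         lambda r: r.action in ("GetCapabilities", "GetMap", "GetTile")),
    Rule("vector-for-staff-onsite", "Permit",
         lambda r: r.action == "GetFeature" and has(r, "unscoped-affiliation", "staff")
         and (on_trusted_network(r) or inside_service_area(r))),
]


def decide(policy, req):
    """First-applicable combining; no matching rule means Deny (fail closed)."""
    for rule in policy:
        if rule.target(req):
            return rule.effect, rule.name
    return "Deny", "default"


if __name__ == "__main__":
    staff = {"geoss-user": ["true"], "affiliation": ["staff@example.org"],
             "unscoped-affiliation": ["staff", "member"]}
    print(decide(POLICY, AccessRequest(staff, "/protected/service/wfs", "GetFeature",
                                       "203.0.113.5", (11.5, 48.1))))
```

Rules are evaluated first-applicable with Deny as the fallback, so an SP that exposes a new operation without a rule fails closed. In a real deployment the same rules would be written as XACML or GeoXACML policies, and the subject attributes would come from the validated SAML assertion rather than be built by hand.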
REFERENCES

[1] SWITCH.
[2] Jisc.
[3] DFN-AAI - Authentication and authorization infrastructure.
[4] Chris Higgins, "Shibboleth Access Management Federations as an Organisational Model for SDI", INSPIRE conference 2011.
[5] OASIS, Advancing open standards for the information society.
[6] SAML: Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, 15 March 2005.
[7] SAML-Bindings: Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, 15 March 2005.
[8] SAML-Profiles: Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, 15 March 2005.
[9] Internet2: Shibboleth homepage, verified on 6 January 2010.
[10] Open Geospatial Consortium Inc., OpenGIS Geography Markup Language (GML) Encoding Standard, Version
[11] XML Digital Signature: XML-Signature Syntax and Processing, W3C Recommendation, 12 February 2002.
[12] XML Encryption: XML Encryption Syntax and Processing, W3C Recommendation, 10 December 2002.
[13] XACML: eXtensible Access Control Markup Language (XACML) Version 2.0, OASIS Standard, 1 February 2005.
[14] GeoXACML: Geospatial eXtensible Access Control Markup Language (GeoXACML) v1.0, Open Geospatial Consortium, Inc., 2008-02-20.
[15] ISO 19125-1, Geographic information - Simple feature access - Part 1: Common architecture.
SAML Authentication Quick Start Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Copyright 2013 SafeNet, Inc. All rights reserved.
More informationOpenSSO: Simplify Your Single-Sign-On Needs. Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com
OpenSSO: Simplify Your Single-Sign-On Needs Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com 1 Agenda Enterprise security needs What is OpenSSO? OpenSSO features > > > > SSO and
More informationOpenID and identity management in consumer services on the Internet
OpenID and identity management in consumer services on the Internet Kari Helenius Helsinki University of Technology kheleniu@cc.hut.fi Abstract With new services emerging on the Internet daily, users need
More informationIVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0
International Virtual Observatory Alliance IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0 IVOA Proposed Recommendation 20151029 Working group http://www.ivoa.net/twiki/bin/view/ivoa/ivoagridandwebservices
More informationSAML Security Option White Paper
Fujitsu mpollux SAML Security Option White Paper Fujitsu mpollux Version 2.1 February 2009 First Edition February 2009 The programs described in this document may only be used in accordance with the conditions
More informationHP Software as a Service. Federated SSO Guide
HP Software as a Service Federated SSO Guide Document Release Date: July 2014 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying
More informationAuthentication Integration
Authentication Integration VoiceThread provides multiple authentication frameworks allowing your organization to choose the optimal method to implement. This document details the various available authentication
More informationSingle Sign-On Implementation Guide
Salesforce.com: Salesforce Winter '09 Single Sign-On Implementation Guide Copyright 2000-2008 salesforce.com, inc. All rights reserved. Salesforce.com and the no software logo are registered trademarks,
More informationPingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1
PingFederate Salesforce Connector Version 4.1 Quick Connection Guide 2011 Ping Identity Corporation. All rights reserved. PingFederate Salesforce Quick Connection Guide Version 4.1 June, 2011 Ping Identity
More informationIntroduction to SAML
Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments
More informationServer based signature service. Overview
1(11) Server based signature service Overview Based on federated identity Swedish e-identification infrastructure 2(11) Table of contents 1 INTRODUCTION... 3 2 FUNCTIONAL... 4 3 SIGN SUPPORT SERVICE...
More informationSingle Sign On. SSO & ID Management for Web and Mobile Applications
Single Sign On and ID Management Single Sign On SSO & ID Management for Web and Mobile Applications Presenter: Manish Harsh Program Manager for Developer Marketing Platforms of NVIDIA (Visual Computing
More informationSymplified I: Windows User Identity. Matthew McNew and Lex Hubbard
Symplified I: Windows User Identity Matthew McNew and Lex Hubbard Table of Contents Abstract 1 Introduction to the Project 2 Project Description 2 Requirements Specification 2 Functional Requirements 2
More information000-575. IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>
000-575 IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: Demo Page 1.What is the default file name of the IBM Tivoli Directory Integrator log? A. tdi.log B. ibmdi.log C. ibmdisrv.log
More informationLecture Notes for Advanced Web Security 2015
Lecture Notes for Advanced Web Security 2015 Part 6 Web Based Single Sign-On and Access Control Martin Hell 1 Introduction Letting users use information from one website on another website can in many
More informationESA EO Identify Management
ESA EO Identify Management The ESA EO IM Infrastructure & Services A. Baldi ESA: Andrea.Baldi@esa.int M. Leonardi ESA: m.leonardi@rheagroup.com 1 Issues @ ESA with legacy user management Users had multiple
More informationWebNow Single Sign-On Solutions
WebNow Single Sign-On Solutions Technical Guide ImageNow Version: 6.7. x Written by: Product Documentation, R&D Date: June 2015 2012 Perceptive Software. All rights reserved CaptureNow, ImageNow, Interact,
More informationCopyright Pivotal Software Inc, 2013-2015 1 of 10
Table of Contents Table of Contents Getting Started with Pivotal Single Sign-On Adding Users to a Single Sign-On Service Plan Administering Pivotal Single Sign-On Choosing an Application Type 1 2 5 7 10
More informationAuthentication and Single Sign On
Contents 1. Introduction 2. Fronter Authentication 2.1 Passwords in Fronter 2.2 Secure Sockets Layer 2.3 Fronter remote authentication 3. External authentication through remote LDAP 3.1 Regular LDAP authentication
More informationUsing Shibboleth for Single Sign- On
Using Shibboleth for Single Sign- On One Logon to Rule them all.. Kirk Yaros Director, Enterprise Services Mott Community College 1 Agenda Overview of Mott Overview of Shibboleth and Mott s Project Review
More informationSD Departmental Meeting November 28 th, 2006. Ale de Vries Product Manager ScienceDirect Elsevier
ש בולת SD Departmental Meeting November 28 th, 2006 Ale de Vries Product Manager ScienceDirect Elsevier Shi... whát? : Shibboleth ש בולת [...] "stream, torrent". It derives from a story in the Hebrew Bible,
More informationSetup Guide Access Manager 3.2 SP3
Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE
More informationAAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle lukas.haemmerle@switch.ch
AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes Lukas Hämmerle lukas.haemmerle@switch.ch Berne, 13. August 2014 Introduction App by University of St. Gallen Universities
More information2015-11-30. Web Based Single Sign-On and Access Control
0--0 Web Based Single Sign-On and Access Control Different username and password for each website Typically, passwords will be reused will be weak will be written down Many websites to attack when looking
More informationCopyright: WhosOnLocation Limited
How SSO Works in WhosOnLocation About Single Sign-on By default, your administrators and users are authenticated and logged in using WhosOnLocation s user authentication. You can however bypass this and
More informationShibboleth Identity Provider (IdP) Sebastian Rieger sebastian.rieger@gwdg.de
Shibboleth Identity Provider (IdP) Sebastian Rieger sebastian.rieger@gwdg.de Gesellschaft für wissenschaftliche Datenverarbeitung mbh Göttingen, Germany CLARIN AAI Hands On Workshop, 25.02.2009, Oxford
More informationEnhancing Web Application Security
Enhancing Web Application Security Using Another Authentication Factor Karen Lu and Asad Ali Gemalto, Inc. Technology & Innovations Austin, TX, USA Overview Introduction Current Statet Smart Cards Two-Factor
More informationOnly LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.
This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and
More informationTest Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0
1 2 3 4 5 6 7 8 9 10 11 Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0 Version 3.2.2 Editor: Kyle Meadors, Drummond Group Inc. Abstract: This document describes the test steps to
More informationIdentity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE
Identity Management in Liferay Overview and Best Practices Liferay Portal 6.0 EE Table of Contents Introduction... 1 IDENTITY MANAGEMENT HYGIENE... 1 Where Liferay Fits In... 2 How Liferay Authentication
More informationIntroducing Shibboleth
workshop Introducing Shibboleth MPG-AAI Workshop Clarin Centers Prague 2009 2009-11-06 MPG-AAI MPG-AAI a MPG-wide Authentication & Authorization Infrastructure for access control to web-based resources
More informationAn SAML Based SSO Architecture for Secure Data Exchange between User and OSS
An SAML Based SSO Architecture for Secure Data Exchange between User and OSS Myungsoo Kang 1, Choong Seon Hong 1,Hee Jung Koo 1, Gil Haeng Lee 2 1 Department of Computer Engineering, Kyung Hee University
More informationCloud-based Identity and Access Control for Diagnostic Imaging Systems
Cloud-based Identity and Access Control for Diagnostic Imaging Systems Weina Ma and Kamran Sartipi Department of Electrical, Computer and Software Engineering University of Ontario Institute of Technology
More informationGet Success in Passing Your Certification Exam at first attempt!
Get Success in Passing Your Certification Exam at first attempt! Exam : C2150-575 Title : IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version : Demo 1.What is the default file name of the
More informationIntegrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER
Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication
More informationFederated Access to an HTTP Web Service Using Apache (WSTIERIA Project Technical Note 1)
(WSTIERIA Project Technical Note 1) 1 Background 12/04/2010, Version 0 One of the outputs of the SEE-GEO project was façade code to sit in front of an HTTP web service, intercept client requests, and check
More informationPingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0
Windows Live Cloud Identity Connector Version 1.0 User Guide 2011 Ping Identity Corporation. All rights reserved. Windows Live Cloud Identity Connector User Guide Version 1.0 April, 2011 Ping Identity
More informationExtending DigiD to the Private Sector (DigiD-2)
TECHNISCHE UNIVERSITEIT EINDHOVEN Department of Mathematics and Computer Science MASTER S THESIS Extending DigiD to the Private Sector (DigiD-2) By Giorgi Moniava Supervisors: Eric Verheul (RU, PwC) L.A.M.
More informationStep-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x
Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Sverview Trust between SharePoint 2010 and ADFS 2.0 Use article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies
More informationFederated Wikis Andreas Åkre Solberg andreas@uninett.no
Federated Wikis Andreas Åkre Solberg andreas@uninett.no Wikis in the beginning...in the beginning wikis were wide open. Great! - But then the spammers arrived. Password protected wikis Create yet another
More informationTenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.
Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,
More informationOpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.
OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere. OpenAM, the only all-in-one open source access management solution, provides the
More informationUsing SAP Logon Tickets for Single Sign on to Microsoft based web applications
Collaboration Technology Support Center - Microsoft - Collaboration Brief March 2005 Using SAP Logon Tickets for Single Sign on to Microsoft based web applications André Fischer, Project Manager CTSC,
More informationCrawl Proxy Installation and Configuration Guide
Crawl Proxy Installation and Configuration Guide Google Enterprise EMEA Google Search Appliance is able to natively crawl secure content coming from multiple sources using for instance the following main
More informationBiometric Single Sign-on using SAML
Biometric Single Sign-on using SAML Architecture & Design Strategies Ramesh Nagappan CISSP Ramesh.Nagappan@sun.com 1 Setting Expectations What you can take away! Understand the importance of Single Sign-On
More informationIdentity and Access Management for Federated Resource Sharing: Shibboleth Stories
Identity and Access Management for Federated Resource Sharing: Shibboleth Stories http://arch.doit.wisc.edu/keith/apan/ apanshib-060122-01.ppt Keith Hazelton (hazelton@doit.wisc.edu) Sr. IT Architect,
More informationCopyright 2012, Oracle and/or its affiliates. All rights reserved.
1 OTM and SOA Mark Hagan Principal Software Engineer Oracle Product Development Content What is SOA? What is Web Services Security? Web Services Security in OTM Futures 3 PARADIGM 4 Content What is SOA?
More informationHP Software as a Service
HP Software as a Service Software Version: 6.1 Federated SSO Document Release Date: August 2013 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty
More informationAmeritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines
Ameritas Single Sign-On (SSO) and Enterprise SAML Standard Architectural Implementation, Patterns and Usage Guidelines 1 Background and Overview... 3 Scope... 3 Glossary of Terms... 4 Architecture Components...
More informationSecure the Web: OpenSSO
Secure the Web: OpenSSO Sang Shin, Technology Architect Sun Microsystems, Inc. javapassion.com Pat Patterson, Principal Engineer Sun Microsystems, Inc. blogs.sun.com/superpat 1 Agenda Need for identity-based
More informationShibboleth N-Tier Support. Chad La Joie chad.lajoie@switch.ch
Shibboleth N-Tier Support Chad La Joie chad.lajoie@switch.ch Agenda Use Case Terminology Shibboleth Solution Future Effort Resources 2 Use Case Current use case comes from University of Chicago University
More informationHow To Use Netiq Access Manager 4.0.1.1 (Netiq) On A Pc Or Mac Or Macbook Or Macode (For Pc Or Ipad) On Your Computer Or Ipa (For Mac) On An Ip
Setup Guide Access Manager 4.0 SP1 May 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE
More informationSAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun
SAML Security Analysis Huang Zheng Xiong Jiaxi Ren Sijun outline The intorduction of SAML SAML use case The manner of SAML working Security risks on SAML Security policy on SAML Summary my course report
More informationIBM WebSphere Application Server
IBM WebSphere Application Server SAML 2.0 web single-sign-on 2012 IBM Corporation This presentation describes support for SAML 2.0 web browser Single Sign On profile included in IBM WebSphere Application
More informationConfiguring EPM System 11.1.2.1 for SAML2-based Federation Services SSO
Configuring EPM System 11.1.2.1 for SAML2-based Federation Services SSO Scope... 2 Prerequisites Tasks... 2 Procedure... 2 Step 1: Configure EPM s WebLogic domain for SP Federation Services... 2 Step 2:
More informationCyber Authentication Technology Solutions Interface Architecture and Specification Version 2.0: Deployment Profile
Cyber Authentication Technology Solutions Interface Architecture and Specification Version 2.0: Status: Baseline for RFP #3 Final r7.2 Date modified: 25 March, 2011 13:53 File name: CA - V2.0 Final r7.2_en.doc
More informationFrom centralized to single sign on
The LemonLDAP::NG project Abstract LemonLDAP::NG is a modular WebSSO (Web Single Sign On) software based on Apache::Session modules. It simplifies the build of a protected area with a few changes in the
More informationGetting Started with Single Sign-On
Getting Started with Single Sign-On I. Introduction Your institution is considering or has already purchased Collaboratory from Treetop Commons, LLC. One benefit provided to member institutions is Single
More informationThis Working Paper provides an introduction to the web services security standards.
International Civil Aviation Organization ATNICG WG/8-WP/12 AERONAUTICAL TELECOMMUNICATION NETWORK IMPLEMENTATION COORDINATION GROUP EIGHTH WORKING GROUP MEETING (ATNICG WG/8) Christchurch New Zealand
More informationLets get a federated identity. Intro to Federated Identity. Feide OpenIdP. Enter your email address. Do you have access to your email?
Lets get a feated identity Intro to Feated Identity EuroCAMP Training for APAN32 This work is licensed un a Creative Commons Attribution ShareAlike 3.0 Unported License. Do you have access to your email?
More informationSingle Sign-on (SSO) technologies for the Domino Web Server
Single Sign-on (SSO) technologies for the Domino Web Server Jane Marcus December 7, 2011 2011 IBM Corporation Welcome Participant Passcode: 4297643 2011 IBM Corporation 2 Agenda USA Toll Free (866) 803-2145
More informationPARTNER INTEGRATION GUIDE. Edition 1.0
PARTNER INTEGRATION GUIDE Edition 1.0 Last Revised December 11, 2014 Overview This document provides standards and guidance for USAA partners when considering integration with USAA. It is an overview of
More informationThe EUMETSAT EO Portal User Management Concept
The EUMETSAT EO Portal User Management Concept Second Workshop on the use of GIS/OGC standards in meteorology Météo-France International Conference Center 42 avenue Gaspard Coriolis, Toulouse, France 23.-25.
More informationSCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS
SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS 1,2 XIANG LIYUN, 1 FANG ZHIYI, 1 SUN HONGYU 1 College of Computer Science and Technology, Jilin University, Changchun, China 2 Department of Computer
More informationSingle Sign-On: Reviewing the Field
Outline Michael Grundmann Erhard Pointl Johannes Kepler University Linz January 16, 2009 Outline 1 Why Single Sign-On? 2 3 Criteria Categorization 4 Overview shibboleth 5 Outline Why Single Sign-On? Why
More informationAn Oracle White Paper August 2010. Oracle OpenSSO Fedlet
An Oracle White Paper August 2010 Oracle OpenSSO Fedlet Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated
More information