Authentication and access control in Sympa mailing list server
|
|
- Raymond Underwood
- 8 years ago
- Views:
Transcription
1 Authentication and access control in Sympa mailing list server February 2004 Serge Aumont & Olivier Salaün Comité Réseau des Universités Campus de Beaulieu, Rennes France 1 Introduction Sympa is a rich open source mailing list software that is widely used (4 000 known sites) especially by academic institutions world wide but also private service providers. It has been designed to get integrated with universities information system, allowing dynamic mailing lists to be built ; it is also able to use existing authentication services. Sympa s design also highly focuses on customization possibilities and ease of administration. This article describes how Sympa deals with authentication and authorization, especially focusing on how it cooperates with single sign-on systems such as CAS and Shibboleth. 2 Some elements of Sympa architecture 2.1 A hierarchical organization Sympa is designed as an engine to manage a large number of mailing lists built on top of a common base, not just mailing lists side by side. This architecture allows a global management of virtual mailing list servers under control of different listmasters, each of them managing a set of mailing lists. Like Apache s virtual host concept, Sympa can manage multiple mailing list services (called Virtual robots) within a single installation. Virtual robots share the same code and a set of configuration files (including web templates and authorization scenarios), thereby requiring only specific parameters to be customized at the virtual robot level. The same inheritance principles apply to mailing lists themselves, thus making their configuration lighter. A single web interface allows a global management of user preferences (language, preferred MIME format, ) as well as the authentication service we describe in chapter 3. Sympa also provides transverse features such as list memberships for subscribers and the ability to manage mailing lists and users for the listmaster. Hosting of large mailing lists (can cope with subscribers) has lead us toward a fine-grained and strict definition of roles in Sympa, because responsibilities and administration tasks need to be shared. From the higher to the lower level Sympa defines the following roles : the super listmaster, the virtual robot listmaster, the mailing list owner, the mailing list moderator and the mailing list subscriber. The super listmaster is responsible for creating new virtual robots and defines default global parameters inherited by virtual robots, whereas the listmaster s main task is mailing list activation. List owners are in charge of subscribers management (subscriptions requests, bounces) as well as list setup (access control to each feature). One list owner is responsible for delegating administration tasks to a group of list owners, if the mailing list size requires such an organization. List moderators (who are often also defined as owners) are responsible for editorial contents of moderated mailing lists.
2 2.2 Dynamic mailing lists based on LDAP The standard way to build mailing lists is for members to subscribe to the list, though the list owner may sometimes add members (for working groups mailing lists). Sympa proposes another way to build more administrative mailing lists in relation with the institution s information system. This kind of institutional mailing list can range from small student working groups allowing horizontal communication to a newsletter for contacting all university employees. Informations regarding these populations are either stored in a relational database or in the institution s LDAP directory. Sympa has the ability to dynamically build mailing lists based on RDBMS (many supported databases) and LDAP directories. There s a growing usage of this feature in french and foreign universities to systematically provide a groupware communication tool to each student community. Sympa will fetch members addresses from an LDAP directory (or a relational database) depending on the list configuration. Required parameters include server information and an LDAP filter. Institutions that use groupofuniquenames in their LDAP schema require Sympa to proceed in two times : first fetch the selected DNs and then extract, for each DN, the associated address. Note that Sympa has no prerequisite about the LDAP schema except that the directory should contain addresses. Resulting entries are cached in Sympa s own database for performance reasons and updated (based on a TTL parameter) by a dedicated process. Such a dynamic mailing list can query multiple LDAP (or SQL) servers and even allow static members to subscribe. 2.3 Interfaces to the mailing list service Sympa mail interface is comparable to other well known mailing list softwares. Commands (subscribe, review, lists, ) are sent to an address unique for each virtual robot. Each mailing list has a main address for sending messages and associated administative addresses (-request, -owner, - unsubscribe, ). Like most mailing list servers, Sympa provides a web interface to the mailing list service. All mail features are available (archives, subscription, members review, ) and even more (document repository, list creation and setup, template customization, ). User authentication is password or certificate based, privileges for each operation are evaluated by an authorization engine we will describe in chapter 4. All web pages are defined by templates that have been internationalized (14 languages) and can be customized by listmasters.
3 A SOAP server for Sympa has recently been added to the package. This server provides an API to integrate simple mailing list services within another application ; for example include a list subscription form in a PHP page. In the past, external applications would directly access Sympa s database, thus bypassing Sympa s authentication and authorization procedures. The SOAP interface makes it easy to develop a Sympa Uportal [6] channel; this has been done by the french ESUP project [5], along with CAS authentication. 3 User authentication in Sympa Sympa needs to authenticate users (listmaster, owners, moderators, subscribers) on both its mail and web interfaces to then apply appropriate access controls (authorization process) to subsequent requested actions. At the beginning, like most web application, Sympa provided its own authentication service based on internal user passwords and challenges. Several other authentication backends have been added later. Authentication backends are now defined in an ordered configuration file that allows to restrict each backend to a subset of users. This restriction is expressed with a regular expression that is applied on the user address. It is crucial to provide various authentication methods in a mailing list server because unlike a webmail service, it is not restricted to local users. Users from other universities or from out side the community will certainly use your mailing list service and Sympa wil be able to authenticate them with one of its backends. 3.1 Mail versus web authentication For the mail interface, basic authentication is based on From: message header field whereas a higher authentication level relies on a mail challenge password. On the web interface, a password is required when authentication is needed. Sy mpa assumes that user mailbox is confidential and usually sends new user passwords via . Therefore web password-based authentication and mail challenges are considered equivalent. Of course the authentication level when based on an SMTP header is very low but the evaluation of user privileges depends on which authentication technique has been used. For most mailing lists, the subscription process will trust the SMTP From: header field whereas it is not strong enough while creating or removing a mailing list.
4 3.2 X509 user certificates Sympa s basic authentication method has been extended in order to support x509 user certificates for strong authentication both for mail access using S/MIME signature (PGP is on the way) and for web access. HTTPS is not only used to encrypt CGI data but with SSL V3 it authenticates end users owning an X509 personal certificate. This method provides stronger authentication and may be more user friendly, but its usage depends on user certificate deployment and can t be generalized now. 3.3 LDAP authentication Listmasters want the mailing list service st rongly integrated with their information system, beyond HTML customization. The first need is to make the authentication process conform to the institution policy. Most universities don't use a Single Sign-On solution yet but they use an LDAP directory as the reference for all password authentication. Sympa can validate user identifier and password against an LDAP directory. Then it performs one more LDAP request to fetch the user address given his DN. Here are the three steps algorithm of the LDAP authentication process : 1. Search the DN given the userid 2. Bind with the DN and password to validate the password 3. Fetch address in the DN entry 3.4 Sympa and CAS single sign-on french universities are currently deploying single sign-on services to solve the multiple authentication problem within web portals. This problematic has araised within the ESUP project [5], a consortium of Universities building an open source Virtual campus solution that could be generalized at a national level. We ve been working on the integration of CAS, the single sign-on software they have chosen, with Sympa s web interface. CAS [3] (Central Authentication Service) is a web single sign-on system that has been developped by Yale University. It is strongly inspired by Kerberos concepts, making use of tickets and allowing user authentication delegation. There are usually low impacts on a CASified application unless the application support s multiple CAS servers or if it uses CAS authentication only for a subset of users Getting user attributes CAS only handles user authentication, it does not spread user attributes. The result of a CAS authentication is a user identifier but the user address is not transmitted by the CAS server, whereas Sympa requires it. Sympa assumes that user attributes including the address is stored in an LDAP directory. Along with the CAS server definition, Sympa configuration file will include a description of a LDAP request to fetch the user address from its user-id. The LDAP server and filters are defined the same way it was for LDAP-based authentication CAS redirections Like most web single sign-on systems, CAS intensely uses HTTP redirections. These redirections bring the magic of single sign-on, transparently checking if the user was previously authenticated on the CAS server and skip the login step. Otherwise the CAS server prints a login form. When Sympa is configured to use more than one CAS server, any redirection to a CAS server is a dead end for user that couldn t login on that particular server. CAS provides a way to perform non-blocking login redirections; the CAS server is only providing the user login status but not requesting a login action. This feature allows Sympa to test if a user is already authenticated against different servers. If none of the CAS servers has an active login session with that user, he will be redirected back to Sympa login banner. The Sympa login banner proposes an /password form along with a menu list ing all supported CAS servers, thereby acting like a Shibboleth WAYF (Where Are You From). The redirection technique has a major drawback : if the CAS server is unreachable the user is never brought back to Sympa. This risk is acceptable for institutions using their own CAS server but the average risk becomes too
5 high for virtual organizations relying on several CAS servers (service br oken if one CAS server is broken). Sympa allows the listmaster to configure each CAS server in order to disable automatic redirection. Two optimizations are planed to reduce risks related to CAS redirections : Adjust redirection order using heuristics based on user IP address. Sympa would try to find out which CAS server is capable of authenticating the user. This mainly addresses performance issues and it would be a rather tedious task for the listmaster to maintain the set of IP addresses. Sympa could regularly ping each CAS server and disable unreachable servers until they come up CAS logout When using its native authentication, Sympa proposes a logout button in order to remove its session cookie and safely close the current login session. When users have logged in on a CAS server, the logout button should provide the same feature. This is done using a redirection to the appropriate CAS logout URL. Some administrators don t want any target application to provide a global logout function ; the portal itself being the only place where this feature is proposed. Sympa keeps track of which backend authenticated the user in session cookies, then adapting the logout behavior to the backend CAS authentication across Uportal Sympa can be queried from within an Uportal [6]channel via its SOAP interface, briefly described earlier. Authentication on the SOAP interface requires an address and a password or a CAS Proxy Ticket can be used. In the later case the Uportal channel acts as a CAS proxy and will request a Proxy Ticket for the Sympa service ; the Sympa authentication library is able to validate such CAS tickets. Since SOAP is based on HTTP, Sympa uses HTTP cookies to maintain authentication sessions with the user. 4 Managing access control with authorization scenarios Since Sympa proposes three interfaces (mail, web and SOAP) to most of its services, the access control rules applied to the same f unction via different interfaces have to be equivalent. This required a common authorization process and a way to express authorization rules for each functions. To achieve this goal Sympa uses its authorization scenarios, an access control language. An service request is mapped to an appropriate scenario and evaluated by Sympa s authorization engine. A service is requested within some conext : role of the requesting user, environment variables (REMOTE_ADDR, SSL_CLIENT_S_DN, ), authentication method, mail headers and body The scenario describes which action(s), depending on this context, must be performed to achieve the authorization process. The scenario file is made of rules evaluated sequentially and composed by three elements : a condition, an authentication method and an action. If the service request context matches a rule condition and satisfies its authentication method, then the corresponding action is returned by the authorization engine to the main program. The action might be a request for a stronger authentication process for the user, a new service request or eventually the execution of the request (do_it). Here is an example of a sophisticated authorization scenario for a moderated mailing list : title.us Moderated list for non subscribers or multipart messages title.fr Modération pour les non abonnés ou messages multipart is_editor([listname],[sender]) smtp,md5 -> do_it #rule 1 match([header->content-type],/multipart/) smtp -> editorkey #rule 2 is_subscriber([listname],[sender]) smtp,md5 -> do_it #rule 3 true() smtp -> request_auth #rule 4 true() md5 -> editorkey #rule 5 Note that when evaluated for non subscribers, the scenario above will be evaluated three times by Sympa : rule (4) is first matched and will request the message sender to confirm (request_auth) confirmation is then identified by the md5 authentication method in rule (5) and the message is forwarded to moderators (editorkey)
6 the message is validated by moderator, rule (1) is matched and message is distributed to list subscribers (do_it) Sympa is distributed with a set of 100 scenario files that can be overloaded according to Sympa hierarchical organization ; listmasters can of course write new scenarios. Thanks to the rich context that is passed to the authorization engine, the behaviour of Sympa services can be extended to listmaster needs very easily without any changes in the code. From the list owner s point of view, a scenario is just a list of possible values (scenario titles) for one list parameter. List owners are not allowed to create or edit existing scenarios. Extensions have been planned around authorization scenarios to provide parameters to scenarios. Sympa s web admin interface could also include a scenario editor, so list owners could build their own scenarios based on a few standard rules. 5 Sympa and Shibboleth Shibboleth [4] is a software developped by Internet2 that aims at interconnecting local authentication systems to distant web ressources, thus allowing sophisticated access control management. Shibboleth is made of three main components : The Origin package is installed in the user s home organization. This component is a front-end to the local authentication system and user attribute database. The Target package is installed in front of a web ressources that requires Shibboleth access control. This component will communicate with the Origin to perform user authentication and user attribute negotiation. The WAYF (Where Are You From) is the central component, shared by multiple organisations. It is in charge of guiding users to their Home organisation s Shibboleth component (Origin) to authenticate. Shibboleth integration with Sympa has been asked by Internet2 for their own use. These developments also allowed us to have a better understanding of Shibboleth architecture and see how it could be used by french universities. In Shibboleth architecture, Sympa s web interface is one service that can act as a protected ressource on the Target side. Sympa is supposed to redirect the user to the WAYF that will delegate user authentication to the appropriate Origin site ; Sympa then receives the user identity and attributes (Student, Teacher, ) from Shibboleth Origin site and will grant the user appropriate application privileges. Note that changes that were made to Sympa for Shibboleth authentication should adapt to any other single signon software, as long as it is able to protect a single URL (not the whole site) and assuming that user attributes are passed to Sympa as HTTP header fields. 5.1 Shibboleth authentication Unlike static web pages, Sympa s web interface can not be located behind an authentication point but needs to trigger authentication when required. This is due to the fact that a single Sympa server may authenticate users using different authentication methods (internal password, LDAP passwords, X509 client certificates, CAS) depending on user populations. Many Sympa features (including web archives) are also accessible to unauthenticated users. Sympa delegates Shibboleth authentication to the web server (Apache) via the ShibRM module (RM = Ressource Manager). This module acts like Apache s mod_auth module to restrict access to a web URL for a set of authenticated users. To allow a triggered authentication, only a dedicated URL of Sympa (/sso_login) is protected by ShibRM. If the user selects Shibboleth Inqueue authentication service from Sympa s login banner, he is redirected to the /sso_login URL that will guide the user to his home organisation login banner. Once the user is authenticated, he is brought back to Sympa that will set an authentication HTTP cookie.
7 5.2 User attributes Shibboleth does a sophisticated management of user attributes in both Origin and Target packages, allowing various data sources to be used ; exchanged attributes (including user ID and address) can be filtered on both side. The user s identity and attributes are carried from the ShibRM to Sympa via HTTP header fields. Sympa requires at least the user address to be set because this is the user identifier in the mailing list manager. Additional user attributes that are provided will be stored in Sympa s cache (until the user logs out) for later use. Provided the user s address, Sympa considers the user authenticated and sets its session cookie. During the login session, Shibboleth user attributes (obtained from the Origin site) are available in web/mail templates and in authorization scenarios. This way, the web interface can include additional user information ; user privileges can be tailored (extended or restricted) depending on user information provided by his home organization. 5.3 Changes in Sympa user interface If Shibboleth servers have been defined in auth.conf, a menu is added to the Sympa login banner with the list of defined Shibboleth (or CAS) servers the user can be redirected to. If the user selects a Shibboleth server, he is not directly redirected to the corresponding WAYF but to the sso_login page that is Shibboleth-protected and will thereby redirect the user to the WAYF. Note that the logout function is unchanged and only closes the Sympa login session. It does neither performs a logout at the user s home organization nor at the local level of the ShibRM. 6 Conclusion We now consider that Sympa is well adapted to interoperate with complex information systems. The authentication mechanism, which is an important concern for interoperability, has been made highly configurable. It can cope with major authentication technologies including LDAP, single sign-on and X509 certificates. Support of SAML authentication for the Sympa SOAP server is now considered. In between authentication and authorization layers, the attributes management process might require some extentions in Sympa. As information system concerns are moving toward dedicated attributes delivery services, we will improve user attributes management in Sympa to extend usage of these attribute sources. This will allow us to map user attributes with mailing list roles. Sympa authorization scenario engine would also benefit from these new user attributes. 7 Références [1] Sympa : [2] Sample SOAP client to Sympa service : [3] CAS : [4] Shibboleth : [5] Esup-Portail - Groupe 1B - SSO et gestion des autorisations [6] Uportal :
Authentication and access control in Sympa mailing list software
Authentication and access control in Sympa mailing list software May 2004 Serge Aumont & Olivier Salaün Comité Réseau des Universités http://www.cru.fr Campus de Beaulieu, Rennes France 1 Introduction
More informationMiddleware integration in the Sympa mailing list software. Olivier Salaün - CRU
Middleware integration in the Sympa mailing list software Olivier Salaün - CRU 1. Sympa, its middleware connectors 2. Sympa web authentication 3. CAS authentication 4. Shibboleth authentication 5. Sympa
More informationS/MIME and Sympa mailing lists manager Using signature and encryption with a mailing list manager
S/MIME and Sympa mailing lists manager Using signature and encryption with a mailing list manager Preface Serge Aumont and Olivier Salaün Comité Réseaux des Universités The development was initiated in
More informationSympa, un gestor de listas de distribución para las universidades
Sympa, un gestor de listas de distribución para las universidades PONENCIAS Sympa, a mailing list software for universities S. Aumont y O. Salaün Resumen Este artículo describe las funcionalidades de Sympa,
More informationAuthentication Methods
Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the
More informationAn Open Source, Middleware-enabled Mailing list server
An Open Source, Middleware-enabled Mailing list server Serge Aumont & Olivier Salaün September 2004 Internet2 Austin/Texas 1 CRU brief presentation, why Sympa Sympa overview The web document repository
More informationFrom centralized to single sign on
The LemonLDAP::NG project Abstract LemonLDAP::NG is a modular WebSSO (Web Single Sign On) software based on Apache::Session modules. It simplifies the build of a protected area with a few changes in the
More informationOpen-source Single Sign-On with CAS (Central Authentication Service)
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright 2004 ESUP-Portail consortium Open-source Single Sign-On with CAS Single Sign-On
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationWWPass External Authentication Solution for IBM Security Access Manager 8.0
WWPass External Authentication Solution for IBM Security Access Manager 8.0 Setup guide Enhance your IBM Security Access Manager for Web with the WWPass hardware authentication IBM Security Access Manager
More informationRemote Authentication and Single Sign-on Support in Tk20
Remote Authentication and Single Sign-on Support in Tk20 1 Table of content Introduction:... 3 Architecture... 3 Single Sign-on... 5 Remote Authentication... 6 Request for Information... 8 Testing Procedure...
More informationLIGO Mailing List Group Configuration
LASER INTERFEROMETER GRAVITATIONAL WAVE OBSERVA- TORY LIGO Laboratory / LIGO Scientific Collaboration LIGO-T1200490-v2 LIGO Wednesday, October 31, 2012 LIGO Mailing List Group Configuration Warren G. Anderson
More informationFAQ for List Owners/Moderators
FAQ for List Owners/Moderators This FAQ is intended as a quick reference for Sympa list owners and moderators. It is only a supplement to the full built-in Sympa documentation available via the Help tab
More informationAuthentication and Single Sign On
Contents 1. Introduction 2. Fronter Authentication 2.1 Passwords in Fronter 2.2 Secure Sockets Layer 2.3 Fronter remote authentication 3. External authentication through remote LDAP 3.1 Regular LDAP authentication
More informationAdministrator Guide. v 11
Administrator Guide JustSSO is a Single Sign On (SSO) solution specially developed to integrate Google Apps suite to your Directory Service. Product developed by Just Digital v 11 Index Overview... 3 Main
More informationNETASQ ACTIVE DIRECTORY INTEGRATION
NETASQ ACTIVE DIRECTORY INTEGRATION NETASQ ACTIVE DIRECTORY INTEGRATION RUNNING THE DIRECTORY CONFIGURATION WIZARD 2 VALIDATING LDAP CONNECTION 5 AUTHENTICATION SETTINGS 6 User authentication 6 Kerberos
More informationPerceptive Experience Single Sign-On Solutions
Perceptive Experience Single Sign-On Solutions Technical Guide Version: 2.x Written by: Product Knowledge, R&D Date: January 2016 2016 Lexmark International Technology, S.A. All rights reserved. Lexmark
More informationTIBCO Spotfire Web Player 6.0. Installation and Configuration Manual
TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED
More informationDeploying RSA ClearTrust with the FirePass controller
Deployment Guide Deploying RSA ClearTrust with the FirePass Controller Deploying RSA ClearTrust with the FirePass controller Welcome to the FirePass RSA ClearTrust Deployment Guide. This guide shows you
More informationIGI Portal architecture and interaction with a CA- online
IGI Portal architecture and interaction with a CA- online Abstract In the framework of the Italian Grid Infrastructure, we are designing a web portal for the grid and cloud services provisioning. In following
More informationSetup Guide Access Manager 3.2 SP3
Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE
More informationInterwise Connect. Working with Reverse Proxy Version 7.x
Working with Reverse Proxy Version 7.x Table of Contents BACKGROUND...3 Single Sign On (SSO)... 3 Interwise Connect... 3 INTERWISE CONNECT WORKING WITH REVERSE PROXY...4 Architecture... 4 Interwise Web
More informationStep-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x
Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Sverview Trust between SharePoint 2010 and ADFS 2.0 Use article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies
More informationIdentity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE
Identity Management in Liferay Overview and Best Practices Liferay Portal 6.0 EE Table of Contents Introduction... 1 IDENTITY MANAGEMENT HYGIENE... 1 Where Liferay Fits In... 2 How Liferay Authentication
More informationDEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12
DEPLOYMENT GUIDE Version 1.2 Deploying F5 with Oracle E-Business Suite 12 Table of Contents Table of Contents Introducing the BIG-IP LTM Oracle E-Business Suite 12 configuration Prerequisites and configuration
More informationUser-ID Best Practices
User-ID Best Practices PAN-OS 5.0, 5.1, 6.0 Revision A 2011, Palo Alto Networks, Inc. www.paloaltonetworks.com Table of Contents PAN-OS User-ID Functions... 3 User / Group Enumeration... 3 Using LDAP Servers
More informationPrepared by Enea S.Teresa (Italy) Version 1.0 2006-October 24
Mersea Information System: an Authentication and Authorization System to access distributed oceanographic data. Prepared by Enea S.Teresa (Italy) Version 1.0 2006-October 24 Revision History Date Version
More informationThis chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:
CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access
More informationSonian Getting Started Guide October 2008
Sonian Getting Started Guide October 2008 Sonian, Inc. For Authorized Use Only 1 Create your new archiving account 3 Configure your firewall for IMAP collections 4 (Skip this step if you will be using
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,
More informationShibboLEAP Project. Final Report: School of Oriental and African Studies (SOAS) Colin Rennie
ShibboLEAP Project Final Report: School of Oriental and African Studies (SOAS) Colin Rennie May 2006 Shibboleth Implementation at SOAS Table of Contents Introduction What this document contains Who writes
More informationDESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014
DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014 Contents Overview... 2 System requirements:... 2 Before installing... 3 Download and installation... 3 Configure DESLock+ Enterprise Server...
More informationOnly LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.
This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and
More informationTIBCO Spotfire Platform IT Brief
Platform IT Brief This IT brief outlines features of the system: Communication security, load balancing and failover, authentication options, and recommended practices for licenses and access. It primarily
More informationCA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam
CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam (CAT-140) Version 1.4 - PROPRIETARY AND CONFIDENTIAL INFORMATION - These educational materials (hereinafter referred to as
More informationCrawl Proxy Installation and Configuration Guide
Crawl Proxy Installation and Configuration Guide Google Enterprise EMEA Google Search Appliance is able to natively crawl secure content coming from multiple sources using for instance the following main
More informationSophos UTM Web Application Firewall for Microsoft Exchange connectivity
How to configure Sophos UTM Web Application Firewall for Microsoft Exchange connectivity This article explains how to configure your Sophos UTM 9.2 to allow access to the relevant Microsoft Exchange services
More informationMAPI Connector Overview
The CommuniGate Pro Server can be used as a "service provider" for Microsoft Windows applications supporting the MAPI (Microsoft Messaging API). To use this service, a special Connector library (CommuniGate
More informationVMware Identity Manager Administration
VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
More informationDIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access
DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations
More informationCyberAds Studio. Ready to Deploy Intranets Small to mid-sized companies February 2003
CyberAds Studio Ready to Deploy Intranets Small to mid-sized companies February 2003 www.cyberadsstudio.com 190 Jill Lane, Suite 1 Laurel, MD 20724 Tel: (301) 776 1446 Sales@cyberadsstudio.com 1 Product
More informationIntegrating WebSphere Portal V8.0 with Business Process Manager V8.0
2012 Integrating WebSphere Portal V8.0 with Business Process Manager V8.0 WebSphere Portal & BPM Services [Page 2 of 51] CONTENTS CONTENTS... 2 1. DOCUMENT INFORMATION... 4 1.1 1.2 2. INTRODUCTION... 5
More informationMicrosoft Lync Server 2010
Microsoft Lync Server 2010 Scale to a Load Balanced Enterprise Edition Pool with WebMux Walkthrough Published: March. 2012 For the most up to date version of the Scale to a Load Balanced Enterprise Edition
More informationFlexible Identity Federation
Flexible Identity Federation Administration guide version 1.0.1 Publication history Date Description Revision 2015.09.24 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
More informationNETASQ MIGRATING FROM V8 TO V9
UTM Firewall version 9 NETASQ MIGRATING FROM V8 TO V9 Document version: 1.1 Reference: naentno_migration-v8-to-v9 INTRODUCTION 3 Upgrading on a production site... 3 Compatibility... 3 Requirements... 4
More informationSiteminder Integration Guide
Integrating Siteminder with SA SA - Siteminder Integration Guide Abstract The Junos Pulse Secure Access (SA) platform supports the Netegrity Siteminder authentication and authorization server along with
More informationEvaluation of different Open Source Identity management Systems
Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems
More informationSAML Authentication Quick Start Guide
SAML Authentication Quick Start Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Copyright 2013 SafeNet, Inc. All rights reserved.
More informationUsing LDAP for User Authentication
Using LDAP for User Authentication Product version: 4.50 Document version: 1.1 Document creation date: 03-06-05 Purpose This technical note describes how to configure and set up EPiServer to use an LDAP
More informationUsing SAP Logon Tickets for Single Sign on to Microsoft based web applications
Collaboration Technology Support Center - Microsoft - Collaboration Brief March 2005 Using SAP Logon Tickets for Single Sign on to Microsoft based web applications André Fischer, Project Manager CTSC,
More informationReliable & Secure Email. Professional, Dependable, Complete Easy to Learn, Use and Grow
Reliable & Secure Email Professional, Dependable, Complete Easy to Learn, Use and Grow About this Presentation Summarizes primary purposes of email, plus the needs of email providers and users. Introduces
More informationEntrust IdentityGuard Comprehensive
Entrust IdentityGuard Comprehensive Entrust IdentityGuard Comprehensive is a five-day, hands-on overview of Entrust Course participants will gain experience planning, installing and configuring Entrust
More informationF-Secure Messaging Security Gateway. Deployment Guide
F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4
More informationUse Enterprise SSO as the Credential Server for Protected Sites
Webthority HOW TO Use Enterprise SSO as the Credential Server for Protected Sites This document describes how to integrate Webthority with Enterprise SSO version 8.0.2 or 8.0.3. Webthority can be configured
More informationBiometrics for Global Web Authentication: an Open Source Java/J2EE-Based Approach
Biometrics for Global Web Authentication: an Open Source Java/J2EE-Based Approach Ruchir Choudhry ruchirchoudhry@cint.co.in; Abstract. J2EE based Web applications have largely spread over our multiple
More informationIntegrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies
Guideline Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies Product(s): IBM Cognos 8 BI Area of Interest: Security Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies 2 Copyright
More informationVERALAB LDAP Configuration Guide
VERALAB LDAP Configuration Guide VeraLab Suite is a client-server application and has two main components: a web-based application and a client software agent. Web-based application provides access to
More informationOwner of the content within this article is www.msexchange.org Written by Marc Grote www.it-training-grote.de
Owner of the content within this article is www.msexchange.org Written by Marc Grote www.it-training-grote.de Exchange 2003 - User, groups, distribution list and contact management with Windows 2003 Active
More informationPingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1
PingFederate Salesforce Connector Version 4.1 Quick Connection Guide 2011 Ping Identity Corporation. All rights reserved. PingFederate Salesforce Quick Connection Guide Version 4.1 June, 2011 Ping Identity
More informationRSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide
RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks
More informationSingle Sign-on (SSO) technologies for the Domino Web Server
Single Sign-on (SSO) technologies for the Domino Web Server Jane Marcus December 7, 2011 2011 IBM Corporation Welcome Participant Passcode: 4297643 2011 IBM Corporation 2 Agenda USA Toll Free (866) 803-2145
More informationIBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide
IBM SPSS Collaboration and Deployment Services Version 6 Release 0 Single Sign-On Services Developer's Guide Note Before using this information and the product it supports, read the information in Notices
More informationAmeritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines
Ameritas Single Sign-On (SSO) and Enterprise SAML Standard Architectural Implementation, Patterns and Usage Guidelines 1 Background and Overview... 3 Scope... 3 Glossary of Terms... 4 Architecture Components...
More informationClick Studios. Passwordstate. Installation Instructions
Passwordstate Installation Instructions This document and the information controlled therein is the property of Click Studios. It must not be reproduced in whole/part, or otherwise disclosed, without prior
More informationDelegated Administration Quick Start
Delegated Administration Quick Start Topic 50200 Delegated Administration Quick Start Updated 22-Oct-2013 Applies to: Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere,
More informationCiphermail Gateway Administration Guide
CIPHERMAIL EMAIL ENCRYPTION Ciphermail Gateway Administration Guide September 23, 2014, Rev: 9112 Copyright 2008-2014, ciphermail.com. Acknowledgements: Thanks goes out to Andreas Hödle for feedback. CONTENTS
More informationCiphermail Gateway Administration Guide
CIPHERMAIL EMAIL ENCRYPTION Ciphermail Gateway Administration Guide October 10, 2015, Rev: 10214 Copyright 2008-2015, ciphermail.com. Acknowledgements: Thanks goes out to Andreas Hödle for feedback. CONTENTS
More informationCarisbrooke. End User Guide
Carisbrooke Contents Contents... 2 Introduction... 3 Negotiate Kerberos/NTLM... 4 Scope... 4 What s changed... 4 What hasn t changed... 5 Multi-Tenant Categories... 6 Scope... 6 What s changed... 6 What
More informationConfiguring Salesforce
Chapter 94 Configuring Salesforce The following is an overview of how to configure the Salesforce.com application for singlesign on: 1 Prepare Salesforce for single sign-on: This involves the following:
More informationNEFSIS DEDICATED SERVER
NEFSIS TRAINING SERIES Nefsis Dedicated Server version 5.2.0.XXX (DRAFT Document) Requirements and Implementation Guide (Rev5-113009) REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER Nefsis
More informationNETASQ SSO Agent Installation and deployment
NETASQ SSO Agent Installation and deployment Document version: 1.3 Reference: naentno_sso_agent Page 1 / 20 Copyright NETASQ 2013 General information 3 Principle 3 Requirements 3 Active Directory user
More informationIntroduction to the EIS Guide
Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment
More informationClick Studios. Passwordstate. Installation Instructions
Passwordstate Installation Instructions This document and the information controlled therein is the property of Click Studios. It must not be reproduced in whole/part, or otherwise disclosed, without prior
More informationVodafone Secure Device Manager Administration User Guide
Vodafone Secure Device Manager Administration User Guide Vodafone New Zealand Limited. Correct as of September 2014. Do business better Contents Introduction 3 Help 4 How to find help in the Vodafone Secure
More informationCIPHERMAIL EMAIL ENCRYPTION. CipherMail white paper
CIPHERMAIL EMAIL ENCRYPTION CipherMail white paper Copyright 2009-2014, ciphermail.com. Introduction Most email is sent as plain text. This means that anyone who can intercept email messages, either in
More informationPierce County IT Department GIS Division Xuejin Ruan Dan King
Pierce County IT Department GIS Division Xuejin Ruan Dan King Web Application Work Flow Main Topics Authentication Authorization Session Management * Concurrent Session Management * Session Timeout Single
More informationHow To Use Saml 2.0 Single Sign On With Qualysguard
QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,
More informationDomains Help Documentation This document was auto-created from web content and is subject to change at any time. Copyright (c) 2016 SmarterTools Inc.
Help Documentation This document was auto-created from web content and is subject to change at any time. Copyright (c) 2016 SmarterTools Inc. Domains All Domains System administrators can use this section
More informationTableau Server Security. Version 8.0
Version 8.0 Author: Marc Rueter Senior Director, Strategic Solutions, Tableau Software June 2013 p2 Today s enterprise class systems need to provide robust security in order to meet the varied and dynamic
More informationSetup Guide Access Manager Appliance 3.2 SP3
Setup Guide Access Manager Appliance 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS
More informationGetting Started with Clearlogin A Guide for Administrators V1.01
Getting Started with Clearlogin A Guide for Administrators V1.01 Clearlogin makes secure access to the cloud easy for users, administrators, and developers. The following guide explains the functionality
More informationCopyright http://support.oracle.com/
Primavera Portfolio Management 9.0 Security Guide July 2012 Copyright Oracle Primavera Primavera Portfolio Management 9.0 Security Guide Copyright 1997, 2012, Oracle and/or its affiliates. All rights reserved.
More informationFlexible Identity Federation
Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
More informationdotmailer for Dynamics Frequently Asked Questions v 6,0
for Dynamics Frequently Asked Questions v 6,0 Page 1 Contents Introduction... 2 Why should I use the Microsoft Dynamics CRM Connector for dotmailer?... 3 What software needs to be installed?... 3 Can I
More informationDEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP system v10 with Microsoft Exchange Outlook Web Access 2007
DEPLOYMENT GUIDE Version 1.2 Deploying the BIG-IP system v10 with Microsoft Exchange Outlook Web Access 2007 Table of Contents Table of Contents Deploying the BIG-IP system v10 with Microsoft Outlook Web
More informationINUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE
INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE SAML 2.0 CONFIGURATION GUIDE Roy Heaton David Pham-Van Version 1.1 Published March 23, 2015 This document describes how to configure OVD to use SAML 2.0 for user
More informationSAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams.
Exam : P_ADM_SEC_70 Title : SAP Certified Technology Professional - Security with SAP NetWeaver 7.0 Version : Demo 1 / 5 1.Which of the following statements regarding SSO and SAP Logon Tickets are true?
More informationDJIGZO EMAIL ENCRYPTION. Djigzo white paper
DJIGZO EMAIL ENCRYPTION Djigzo white paper Copyright 2009-2011, djigzo.com. Introduction Most email is sent as plain text. This means that anyone who can intercept email messages, either in transit or
More informationExternal Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy
External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy Contact information SecurEnvoy www.securenvoy.com 0845 2600010 1210
More information1. Introduction. Authors. Abstract. Quang Vu DANG (IFI) Olivier BERGER (GET/INT) Christian BAC (GET/INT) Benoît HAMET (phpgroupware)
Authenticating from mutiple authentication sources in a collaborative work platform: the Picolibre & Shibboleth case study Authors Quang Vu DANG (IFI) Olivier BERGER (GET/INT) Christian BAC (GET/INT) Benoît
More informationUsing weblock s Servlet Filters for Application-Level Security
Using weblock s Servlet Filters for Application-Level Security September 2006 www.2ab.com Introduction Access management is a simple concept. Every business has information that needs to be protected from
More information1. How to Register... 2. 2. Forgot Password... 4. 3. Login to MailTrack Webmail... 5. 4. Accessing MailTrack message Centre... 6
MailTrack How To Document 27 March 2014 Table of Contents 1. How to Register... 2 2. Forgot Password... 4 3. Login to MailTrack Webmail... 5 4. Accessing MailTrack message Centre... 6 5. Creating a MailTrack
More informationConfiguring User Identification via Active Directory
Configuring User Identification via Active Directory Version 1.0 PAN-OS 5.0.1 Johan Loos johan@accessdenied.be User Identification Overview User Identification allows you to create security policies based
More informationLotus Domino Security
An X-Force White Paper Lotus Domino Security December 2002 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Introduction Lotus Domino is an Application server that provides groupware
More informationActive Directory Integration
January 11, 2011 Author: Audience: SWAT Team Evaluator Product: Cymphonix Network Composer EX Series, XLi OS version 9 Active Directory Integration The following steps will guide you through the process
More informationOkta/Dropbox Active Directory Integration Guide
Okta/Dropbox Active Directory Integration Guide Okta Inc. 301 Brannan Street, 3rd Floor San Francisco CA, 94107 info@okta.com 1-888- 722-7871 1 Table of Contents 1 Okta Directory Integration Edition for
More informationComputer Systems Security 2013/2014. Single Sign-On. Bruno Maia ei09095@fe.up.pt. Pedro Borges ei09063@fe.up.pt
Computer Systems Security 2013/2014 Single Sign-On Bruno Maia ei09095@fe.up.pt Pedro Borges ei09063@fe.up.pt December 13, 2013 Contents 1 Introduction 2 2 Explanation of SSO systems 2 2.1 OpenID.................................
More informationDenodo Data Virtualization Security Architecture & Protocols
Denodo Data Virtualization Security Architecture & Protocols XLS Security Architecture & Protocols We include hereinafter a description of the security support in the Denodo Platform. The following diagram
More informationSingle Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites
Single Sign On (SSO) Implementation Manual For Connect 5 & MyConnect Sites Version 6 Release 5.7 September 2013 1 What is Blackboard Connect Single Sign On?... 3 How it Works... 3 Drawbacks to Using Single
More informationQualtrics Single Sign-On Specification
Qualtrics Single Sign-On Specification Version: 2010-06-25 Contents Introduction... 2 Implementation Considerations... 2 Qualtrics has never been used by the organization... 2 Qualtrics has been used by
More information