External and Federated Identities on the Web

Similar documents
External Identity and Authentication Providers For Apache HTTP Server

Identity Management: The authentic & authoritative guide for the modern enterprise

FreeIPA - Open Source Identity Management in Linux

Integrating Linux systems with Active Directory

FreeIPA Cross Forest Trusts

LinuxCon North America

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA

How to build an Identity Management System on Linux. Simo Sorce Principal Software Engineer Red Hat, Inc.

System Security Services Daemon

CAC AND KERBEROS FROM VISION TO REALITY

AD Integration options for Linux Systems

Managing Identity & Access in On-premise and Cloud Environments. Ellen Newlands Identity Management Product Manager Red Hat, Inc

Building Open Source Identity Management with FreeIPA. Martin Kosek

VMware Identity Manager Administration

FreeIPA 3.3 Trust features

TIBCO Spotfire Platform IT Brief

Identity Management based on FreeIPA

Authentication Methods

OpenSSO: Cross Domain Single Sign On

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

Red Hat Identity Management

Single Sign-On for the UQ Web

RHEL Clients to AD Integrating RHEL clients to Active Directory

Centralized Oracle Database Authentication and Authorization in a Directory

Kerberos and Single Sign On with HTTP

SAML-Based SSO Solution

Red Hat Enterprise Identity (IPA) Centralized Management of Identities & Authentication

Connecting Web and Kerberos Single Sign On

Shibboleth Identity Provider (IdP) Sebastian Rieger

SUSE Manager 1.2.x ADS Authentication

Flexible Identity Federation

Perceptive Experience Single Sign-On Solutions

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Interoperability Update: Red Hat Enterprise Linux 7 beta and Microsoft Windows

Kerberos and Single Sign-On with HTTP

Using Kerberos for Web Authentication. Wesley Craig University of Michigan

Enabling SAML for Dynamic Identity Federation Management

Agenda. How to configure

Open Source Identity Management in the Enterprise

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

SSSD Active Directory Improvements

GL550 - Enterprise Linux Security Administration

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

Security Assertion Markup Language (SAML) Site Manager Setup

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Configuration Guide BES12. Version 12.2

Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation

Flexible Identity Federation

Single Sign On. SSO & ID Management for Web and Mobile Applications

Using Kerberos tickets for true Single Sign On

Configuration Guide BES12. Version 12.3

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Configuration Guide BES12. Version 12.1

Advancements in Linux Authentication and Authorisation using SSSD

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

ENTERPRISE LINUX SECURITY ADMINISTRATION

Single Sign On for ShareFile with NetScaler. Deployment Guide

SAML-Based SSO Solution

Configuring EPM System for SAML2-based Federation Services SSO

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

GL-550: Red Hat Linux Security Administration. Course Outline. Course Length: 5 days

Windows Security and Directory Services for UNIX using Centrify DirectControl

Enabling Active Directory Authentication with ESX Server 1

SSSD and OpenSSH Integration

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

Outline SSS Configuring and Troubleshooting Windows Server 2008 Active Directory

BMC Software Webinars 2013 Atrium Single Sign On (Atrium SSO)

CA Performance Center

Copyright: WhosOnLocation Limited

F5 BIG-IP: Configuring v11 Access Policy Manager APM

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

Google Apps and Open Directory. Randy Saeks

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

Single Sign-on (SSO) technologies for the Domino Web Server

Mobile Security. Policies, Standards, Frameworks, Guidelines

Leveraging SAML for Federated Single Sign-on:

User Service and Directory Agent: Configuration Best Practices and Troubleshooting

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos

SAM Context-Based Authentication Using Juniper SA Integration Guide

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Fedora Directory Server FUDCon III London, 2005

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

Installing, Configuring, and Managing a Microsoft Active Directory

PingFederate. SSO Integration Overview

How To Use Netscaler As An Afs Proxy

Shibboleth N-Tier Support. Chad La Joie

VMware Identity Manager Administration

User Guide. Version R91. English

Ensure that your environment meets the requirements. Provision the OpenAM server in Active Directory, then generate keytab files.

The Top 5 Federated Single Sign-On Scenarios

SAP NetWeaver AS Java

ENTERPRISE LINUX SECURITY ADMINISTRATION

304 - APM TECHNOLOGY SPECIALIST

Using Shibboleth for Single Sign- On

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Authentication in a Heterogeneous Environment

SSSD. Client side identity management. LinuxAlt 2012 Jakub Hrozek 3. listopadu 2012

Transcription:

External and Federated Identities on the Web Jan Pazdziora Sr. Principal Software Engineer Identity Management Special Projects, Red Hat 1 st October 2015

Scope and problem statement Applications get deployed in large organizations and across them. What are the recommendations for application developers concerning authentication and access control methods and protocols that they should support? Problem statement Jan Pazdziora 2 / 24

Application-level authentication Typical small application approach Own database schema for users, passwords, and access policies. Web application user's browser pass control Apache HTTP Server auth database (possibly on separate host) Web server host Users in Web applications Jan Pazdziora 3 / 24

Pros: Application-level authentication Integrated user management, without external dependencies. Closely linked to custom data, including access control. Cons: In large organizations, users already exist in central identity management systems. LDAP, IdM/FreeIPA, Active Directory (AD),... With policies for access control. Noone will sync the users manually. Users in Web applications Jan Pazdziora 4 / 24

Application-level LDAP auth Developers told user identities are in LDAP Typical solution: add LDAP support to the application (or framework). user's browser Web application pass control LDAP to auth identity management server Apache HTTP Server Web server host Users in Web applications Jan Pazdziora 5 / 24

Application-level LDAP auth Pros: Organization's primary identity source is used. Cons: Getting all aspects of LDAP operations right is not easy. Authentication to the LDAP server. Failover, DNS discovery. Multiple domains and forests (AD). Every new framework / project starts from scratch. Usually only login + password supported. Kerberos / GSSAPI, smartcard, or two-factor authentication usually done via different means. Users in Web applications Jan Pazdziora 6 / 24

Front-end (Apache) authentication Front-end accepted for some setups Application supports some basic authentication methods. For complex ones, authentication front end (Apache HTTP Server) is used. Web application user's browser pass REMOTE_USER Apache HTTP Server mod_authnz_ldap LDAP to auth identity management server Web server host Users in Web applications Jan Pazdziora 7 / 24

Front-end (Apache) authentication Pros: Single solution (Apache modules) possible for various deployments. Failover, caching. Support for Active Directory Global Catalog. Cons: No support for multiple forests (AD). No support for Group Policy Objects (GPO) or centralized host-based access control. While authorization can be done on Apache level, fine-grained access control in the application not easy. Fewer possibilities for nice user management from the application. Users in Web applications Jan Pazdziora 8 / 24

OS-level tools for Web services System Security Services Daemon (SSSD) Used for logon to system (ssh), can be used for Web services as well. Web application pass REMOTE_USER user's browser + REMOTE_USER_EMAIL, REMOTE_USER_GROUP_N, REMOTE_USER_GROUP_1,... Apache HTTP Server mod_authnz_pam mod_lookup_identity auth + get info SSSD identity, authn, authz sources Web server host OS-level tools for Web services Jan Pazdziora 9 / 24

Pros: OS-level tools for Web services Single solution (Apache modules) for various applications. Failover, caching, DNS discovery, cross-forest trust support (Windows users can log in to Web services on Linux). Host-based access control (with IdM/FreeIPA) and GPO support (with AD, via PAM) for central access management. Application can get additional information, not just REMOTE_USER. Better user experience. Fine-grained access control in apps based on group membership. Cons: Fewer possibilities for nice user management from the application. OS-level tools for Web services Jan Pazdziora 10 / 24

Setups within organizations Apache modules typical in large organizations Authentication Access Check Extra User Info Kerberos / GSSAPI Certificate 2FA mod_auth_kerb mod_auth_gssapi mod_ssl mod_nss mod_auth_form (provider PAM) mod_authnz_pam mod_lookup_identity (uses mod_authnz_pam internally) mod_lookup_identity Setups in large organizations Jan Pazdziora 11 / 24

Authentication Identity is established and verified. The identifier (login name) can be further tweaked. SSLVerifyClient require SSLUserName SSL_CLIENT_CERT LookupUserByCertificate On # authenticate with mod_ssl # r->user = whole certificate data # find the user in IPA via SSSD # and set r->user = user login With mod_auth_gssapi and GSS-Proxy, privilege separation possible. Apache process does not need access to keytab. [service/http] mechs = krb5 cred_store = keytab:/etc/gssproxy/http.keytab cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%u euid = 48 2FA (password + one-time code) possible if backend supports it. Setups in large organizations Jan Pazdziora 12 / 24

Authorization / access control Not every authenticated user should be let in. In Windows domain, everyone has Kerberos ticket granting ticket. Avoid require valid-user. Editing Apache.conf files is not very flexible. Delegation to centralized policy definition (IdM, AD) is preferred. # require group crm-admins # do not define policy locally require pam-account crm-production # delegate via PAM # /etc/pam.d/crm-production auth required pam_sss.so # pam_sss.so for SSSD account required pam_sss.so # or other PAM module Applications can run fine-grained access mechanisms based on user group memberships, obtained from external identity sources. Setups in large organizations Jan Pazdziora 13 / 24

Additional info For better user experience, applications need additional attributes. For application-level roles and permissions, applications need group information. Since we have just authenticated/authorized the user in Apache, why not get their attributes as well? LookupUserAttr mail REMOTE_USER_EMAIL " " LookupUserAttr givenname REMOTE_USER_FIRSTNAME LookupUserAttr sn REMOTE_USER_LASTNAME LookupUserGroupsIter REMOTE_USER_GROUP We map SSSD's attributes to environment variables. Application does not need to reach out for the information. And hit another round of "where to get it from? how to authenticate to that source?" issues. Setups in large organizations Jan Pazdziora 14 / 24

Recommendations What are the recommendations for application developers concerning authentication and access control methods and protocols that they should support, for deployments within large organizations? Accept authentication/authorization result from front-end server. REMOTE_USER or other mechanism used. Accept additional user attributes and group membership. REMOTE_USER_EMAIL REMOTE_USER_GROUP_N REMOTE_USER_GROUP_1 REMOTE_USER_GROUP_2 or REMOTE_USER_GROUPS as colon-separated list Setups in large organizations Jan Pazdziora 15 / 24

Users across organizations Application hosted by a provider Users are managed by different organization (the customer). Likely no Kerberos as no HTTP/ service keytab from customer's KDC. No way to reach into customer's internal network, to IdM/FreeIPA or AD. Is our recent recommendation faulty? Actually, it gets even more valid across organizations. With federation, all information about the user comes from the initial authentication exchange. Across organizations' boundaries Jan Pazdziora 16 / 24

SAML Security Assertion Markup Language Getting identity of authenticated user, their attributes, and authorization information from Identity Provider (provided by customer). The single sign-on on the Web. Client side (Service Provider, that hosted solution) implemented by Apache module: mod_auth_mellon. Previous agreement/setup with metadata and public key exchange needed. Good or bad thing depending on point of view. No communication between the Service Provider and Identity Provider needed. Browser handles the redirects of signed data. Across organizations' boundaries Jan Pazdziora 17 / 24

SAML workflow hosted application pass info about user user's browser Apache mod_auth_mellon Web server host in provider's network HTTP redirects Ipsilon or other IdP (possibly with SSSD) IdM, AD, LDAP Identity Provider host identity source Across organizations' boundaries Jan Pazdziora 18 / 24

Ipsilon Three-command SAML Identity Provider Install packages, configure, restart Apache. yum install -y ipsilon ipsilon-saml2 ipsilon-authform \ ipsilon-authgssapi ipsilon-infosssd ipsilon-tools-ipa ipsilon-server-install --ipa yes --saml2 yes \ --form yes --gssapi yes \ --gssapi-httpd-keytab /etc/http.keytab \ --info-sssd yes --info-sssd-domain example.test service httpd restart Written in Python, with protocols and providers as plugins. Integrates with FreeIPA/SSSD. SAML, OpenID, Mozilla Persona available. OpenID Connect actively developed. Available in Fedora, coming to RHEL/CentOS soon. Across organizations' boundaries Jan Pazdziora 19 / 24

Service Provider mod_auth_mellon configuration Against Ipsilon server: yum install -y ipsilon-client ipsilon-client-install --saml-idp-url https://idp.example.com/idp \ --saml-sp-name application --saml-auth /application/login Against generic SAML server: yum install -y ipsilon-client ipsilon-client-install \ --saml-idp-metadata https://idp.example.com/saml/metadata \ --saml-auth /application/login Generated SP metadata needs to be transferred to IdP manually. Across organizations' boundaries Jan Pazdziora 20 / 24

Service Provider mod_auth_mellon configuration Mapping SAML response attributes to environment variables: MellonSetEnvNoPrefix REMOTE_USER_EMAIL email MellonSetEnvNoPrefix REMOTE_USER_GROUP groups The same multivalued variables as mod_lookup_identity with MellonEnvVarsIndexStart 1 MellonEnvVarsSetCount On # MellonMergeEnvVars On ":" Version 0.11.0 needed for these directives. These are currently not setup by ipsilon-client-install automatically. Across organizations' boundaries Jan Pazdziora 21 / 24

Demo Which part of the setup should we show first? Web app on externally hosted SP server Web app on IPAenrolled server IdP on IPAenrolled server IdM / IPA server crossforest trust AD mod_auth_mellon mod_authnz_pam with SSSD Demo Jan Pazdziora 22 / 24

Conclusion What are the recommendations for application developers concerning authentication and access control methods and protocols that they should support, for deployments across organizations? The same as for setups within organizations. Teach applications to accept REMOTE_USER and REMOTE_USER_* The actual protocol/setup is deployment specific, using Apache HTTP Server modules. By merely changing Apache configuration, we can switch the application from intra-organizational to federated setup. Additional application-level changes are not needed for single IdP setups when no selection is required. Currently looking at mapping of claims in mod_auth_openidc to REMOTE_USER_* for OpenID Connect federation. Conclusion Jan Pazdziora 23 / 24

References www.adelton.com/apache/mod_authnz_pam/ www.adelton.com/apache/mod_lookup_identity/ github.com/uninett/mod_auth_mellon fedorahosted.org/ipsilon github.com/pingidentity/mod_auth_openidc www.freeipa.org/page/ Environment_Variables#Proposed_Additional_Variables Jan Pazdziora <jpazdziora@redhat.com> Conclusion Jan Pazdziora 24 / 24

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information