Integrating WebPCM Applications into Single Sign On (SSO)
Tom Schaefer, Better Software Solutions, Inc.
UN 4023 V




Agenda
- What is SSO?
- How does it work?
- Tools for SSO on ClearPath
- Integrating Active Directory into ClearPath applications
- Tying it all together

What is Single Sign On?
- Ability for applications to use the Enterprise user and password.
- Federated login allows shared credentials automatically.
- Eliminates multiple credentials for each application.
- Common tools include SAML, Kerberos and OAuth/OAuth2.

Why Single Sign On?
- With Google and Facebook, users expect an easier sign-on process.
- Using Active Directory means a single password security policy is enforced.
- Two-factor authentication for your applications as a bonus.
- Locking out a user in one place handles it everywhere. That can also be a risk.

How does SSO work?
- Basic case utilizes LDAP as keeper of the passwords.
- Intermediary (Federated Login): SAML, SecureAuth. Handles off-network access automatically.
- OAuth: Twitter, Facebook, Google.
- Kerberos: Authenticate header for Kerberos.

Tools for SSO on ClearPath
- Atlas Web Server
- Kerberos
- LDAP
- ePortal can use SAML for SSO too (not covered here).

Atlas Web Server
- Unisys native web server (WebTS).
- Has an interface to Kerberos and NTLM.
- Atlas supports usercode/password protection of only the entire site: all or nothing! What about SSO for just a few pages?
- LDAP is a good alternative to a single user and password maintained by each application.

Kerberos
- Common user system based on tickets.
- A trusted 3rd party authenticates the user.
- Browsers allow integration with the 401 Authenticate header.
- Also allows MARC login of MCP users.

LDAP
- Lightweight Directory Access Protocol.
- Hierarchical database of users and attributes: email address, address, phone number, etc.
- Can be used to access Microsoft Active Directory information.
- Supported on MCP via LDAPSupport.

Browser Integration with Kerberos and Atlas
- More details

Using Atlas Header Functions
- GET_HEADER: used to get the authentication header.
  CALL GET_HEADER OF WEBAPPSUPPORT USING COMS-MESSAGE-IN, WS-HDR, WS-VALUE GIVING WS-RESULT.
- SET_STATUS_CODE: setting the status code to 401 causes the browser to send the ticket.
- Then, call library functions to authenticate the Kerberos ticket.
- FireBug or HTTPWatch are useful for checking headers.
- NA ATLASSUPPORT TRACE + DATA; files under *ATLAS/ADMIN/ATLASSUPORT/TRACE

401 Authenticate Header

401 Header Detail
- Client requests page:
  GET /index.html HTTP/1.1
  Host: www.myhost.com
- Server reply:
  HTTP/1.1 401 Authorization Required
  Date: Wed, 11 Sep 2013 15:25:00 GMT
  WWW-Authenticate: Negotiate
  Content-Type: text/html
- Non-Kerberos browsers will prompt with the 401 dialog.

401 Detail Continued
- Request with ticket:
  GET /index.html HTTP/1.1
  Host: www.myhost.com
  Authorization: Negotiate <really long ticket>
- If the ticket is accepted, the browser shows the page! But how does the user know this happened?
- Message: Welcome <user>, you have been logged into the system via Single Sign On

ClearPath LDAP Support
- LDAPSUPPORT library: native calls to your Enterprise Active Directory.
- Kerberos supplies the Active Directory name: ThomasMSchaefer
- Can search LDAP for email or other attributes.

Calling LDAPSupport
- LDAP_BIND: connects to LDAP with valid credentials.
- LDAP_SET_DIRENTRY: search organizational hive DC=ENT,DC=DS,DC=MYHOST,DC=COM
- LDAP_SEARCH: use LDAP_C_WHOLESUBTREE
- LDAP_SEARCH_RESPONSE: iterate through results.

How to Interact with your Directory Services Team
- They don't know anything about Atlas.
- SSO means different things to different users.
- SecureAuth can use an intermediary, but Kerberos can use AD.
- MCP Kerberos setup requires config files from the directory services team (KEYTAB files).

Hints to make Kerberos work
- The website needs to be in the Local Intranet zone: the browser will not send credentials if it is not in this zone.
- MCP Kerberos tracing is your friend.
- The Unisys Kerberos manual is quite helpful.
- Applications need to know if the user is internal, unless you want to give external users a 401 prompt.
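The 401 / Negotiate exchange shown on the two header-detail slides, combined with the "is the user internal?" decision from the hints above, as an added Python model of the server side of that handshake. This is example code written for this page; it is not from the presentation and it is not the Unisys Atlas or WEBAPPSUPPORT API. Assumptions are labelled in the code: the realm ENT.DS.MYHOST.COM, the constructed demo token, the `demo_verify` function that stands in for the MCP Kerberos library call which checks the ticket against the KEYTAB, and the `handle`/`classify_token` functions themselves. Beyond what the slides show, `classify_token` looks inside the Negotiate token and recognises when the browser has silently fallen back from Kerberos to NTLM, which is the symptom you see when the site is not in the Local Intranet zone.

```python
import base64
from typing import Callable, Optional

# Byte patterns that identify what the browser actually put behind
# "Authorization: Negotiate". SPNEGO and raw Kerberos tokens are GSS-API
# InitialContextTokens (DER APPLICATION 0, first byte 0x60) that carry a
# mechanism OID; an NTLM message starts with the literal "NTLMSSP\0".
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # OID 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Constructed demo ticket, NOT a real AP-REQ: only enough framing for the
# classifier and the stand-in verifier below to recognise it.
_DEMO_BODY = KRB5_OID + b"\x01\x00" + b"demo-ap-req-for-ThomasMSchaefer"
DEMO_TOKEN = base64.b64encode(b"\x60" + bytes([len(_DEMO_BODY)]) + _DEMO_BODY).decode()
DEMO_PRINCIPAL = "ThomasMSchaefer@ENT.DS.MYHOST.COM"      # assumed realm


def classify_token(token_b64: str) -> str:
    """Return 'spnego', 'kerberos', 'ntlm', 'malformed' or 'unknown'."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "malformed"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if raw[:1] == b"\x60":                  # GSS-API InitialContextToken
        head = raw[:16]                     # the OID sits right after the DER length
        if SPNEGO_OID in head:
            return "spnego"
        if KRB5_OID in head:
            return "kerberos"
    return "unknown"


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, lower-cased header dict)."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def build_response(status: int, reason: str, headers: dict, body: str) -> str:
    head = [f"HTTP/1.1 {status} {reason}"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(head) + "\r\n\r\n" + body


def demo_verify(raw_token: bytes) -> Optional[str]:
    """Stand-in for the MCP Kerberos library call that validates the ticket
    against the keytab. Accepts only the constructed demo token."""
    return DEMO_PRINCIPAL if raw_token == base64.b64decode(DEMO_TOKEN) else None


def handle(raw_request: str, client_is_internal: bool,
           verify_ticket: Callable[[bytes], Optional[str]]) -> dict:
    """One round of the Negotiate handshake; returns outcome, user and the reply text."""
    _, headers = parse_request(raw_request)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    html = {"Content-Type": "text/html"}
    if scheme.lower() != "negotiate" or not token.strip():
        if not client_is_internal:
            # External users never see the 401 dialog: serve the anonymous page instead.
            return {"outcome": "anonymous", "user": None, "response":
                    build_response(200, "OK", html, "<p>Please sign in.</p>")}
        # Internal user: 401 + WWW-Authenticate: Negotiate makes the browser send its ticket.
        return {"outcome": "challenge", "user": None, "response":
                build_response(401, "Authorization Required",
                               {"WWW-Authenticate": "Negotiate", **html}, "")}
    kind = classify_token(token.strip())
    if kind == "ntlm":
        # The browser fell back from Kerberos to NTLM: usually the site is not in the
        # Local Intranet zone or the SPN is missing. Refuse rather than loop on 401.
        return {"outcome": "ntlm_fallback", "user": None, "response":
                build_response(403, "Forbidden", html, "<p>Kerberos required.</p>")}
    if kind not in ("spnego", "kerberos"):
        return {"outcome": "bad_token", "user": None, "response":
                build_response(400, "Bad Request", html, "")}
    user = verify_ticket(base64.b64decode(token.strip()))
    if user is None:
        return {"outcome": "rejected", "user": None, "response":
                build_response(403, "Forbidden", html, "<p>Ticket not accepted.</p>")}
    body = f"<p>Welcome {user}, you have been logged into the system via Single Sign On</p>"
    return {"outcome": "logged_in", "user": user, "response": build_response(200, "OK", html, body)}
```

In Atlas terms, `parse_request` is what GET_HEADER gives you and the `challenge` branch is SET_STATUS_CODE 401; the `ntlm_fallback` outcome is worth logging separately, because a steady stream of those from internal clients points at the zone or SPN configuration rather than at the application.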

More hints
- Atlas Config for Kerberos: enable ANONYMOUSWEB as a local alias
  +KERBEROS *ANYNAME@<REALM> LOCALALIAS = ANONYMOUSWEB
- For other users, LOCALALIAS cannot have ACCESSCODEREQUIRED.
- Firewall access: UDP/123, Both/464, TCP/135, TCP/636, Both/389, TCP/3268, TCP/3269, Both/88

LDAP Hints
- LDAP_BIND can take 10 seconds depending upon network and AD server location.
- Bind once at start, then just SEARCH: a single Bind call for the whole program.
- Use separate libraries or an ALGOL connection library for multiple calls: one for the service account and one for the user.
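Two points from the LDAP slides (the LDAPSupport call sequence and the bind-once hint just above), as an added Python example that is not the presentation's code and not the Unisys LDAPSupport API. The account name that Kerberos hands over goes straight into an LDAP search filter, so it is escaped per RFC 4515 before use; the bind happens once for the whole program and every lookup after that is a search with whole-subtree scope under the base DN from the slides. The `Directory` class is a constructed in-memory stand-in for LDAP_BIND / LDAP_SEARCH so the example runs offline; `REALM`, `BASE_DN`, the sample entries, `UserLookup` and the function names are all assumptions made for this example, and the filter parser only understands the AND-of-equality shape the example itself emits.

```python
import re
from typing import Optional

REALM = "ENT.DS.MYHOST.COM"                  # assumed realm of the constructed forest
BASE_DN = "DC=ENT,DC=DS,DC=MYHOST,DC=COM"    # search base named on the slides

def principal_to_account(principal: str, realm: str = REALM) -> str:
    """'ThomasMSchaefer@ENT.DS.MYHOST.COM' -> 'ThomasMSchaefer'; refuse other realms."""
    name, sep, prealm = principal.rpartition("@")
    if not sep or not name or prealm.upper() != realm.upper():
        raise ValueError(f"principal {principal!r} is not in realm {realm}")
    return name

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: NUL ( ) * \\ and non-ASCII become \\XX byte escapes."""
    out = []
    for ch in value:
        if ch in "\\*()\x00" or ord(ch) > 0x7F:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def build_user_filter(account: str) -> str:
    """Filter for the account name Kerberos handed us, with the value escaped."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(account)}))"

def _unescape(value: str) -> str:
    # Reverse escape_filter_value at byte level so multi-byte UTF-8 escapes decode correctly.
    return re.sub(rb"\\([0-9a-fA-F]{2})", lambda m: bytes.fromhex(m.group(1).decode()),
                  value.encode("utf-8")).decode("utf-8")

def parse_simple_filter(expr: str):
    """Parse '(a=b)' or '(&(a=b)(c=d)...)' into [(attr, value)]; an unescaped '*'
    (a wildcard) is rejected, so only a properly escaped value can reach a match."""
    if len(expr) < 2 or expr[0] != "(" or expr[-1] != ")":
        raise ValueError(f"unsupported filter: {expr!r}")
    inner = expr[1:-1]
    if inner.startswith("&"):
        terms, depth, start = [], 0, 0
        for i, ch in enumerate(inner):       # escaped parens are \28 / \29, so raw ones delimit terms
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    terms.extend(parse_simple_filter(inner[start:i + 1]))
        return terms
    attr, sep, value = inner.partition("=")
    if not sep or "*" in value:
        raise ValueError(f"unsupported filter: {expr!r}")
    return [(attr, _unescape(value))]

class Directory:
    """Constructed in-memory stand-in for the AD forest; counts binds so the
    'bind once, then only search' rule can be checked."""
    def __init__(self, entries: dict):
        self.entries, self.binds, self.bound = entries, 0, False

    def bind(self, user: str, password: str) -> None:                 # LDAP_BIND
        self.binds += 1
        self.bound = True

    def search(self, base: str, filt: str, whole_subtree: bool = True):  # LDAP_SEARCH
        if not self.bound:
            raise RuntimeError("LDAP_SEARCH before LDAP_BIND")
        terms, base_l = parse_simple_filter(filt), base.lower()
        hits = []
        for dn, attrs in self.entries.items():
            in_scope = dn.lower().endswith(base_l) if whole_subtree else dn.lower() == base_l
            if in_scope and all(attrs.get(a, "").lower() == v.lower() for a, v in terms):
                hits.append((dn, attrs))
        return hits

class UserLookup:
    """Binds once with the service account, then answers every lookup with a search only."""
    def __init__(self, directory: Directory, base_dn: str, svc_user: str, svc_password: str):
        self.directory, self.base_dn = directory, base_dn
        self._creds, self._bound = (svc_user, svc_password), False

    def email_for_principal(self, principal: str) -> Optional[str]:
        if not self._bound:
            self.directory.bind(*self._creds)
            self._bound = True
        account = principal_to_account(principal)
        hits = self.directory.search(self.base_dn, build_user_filter(account))
        return hits[0][1].get("mail") if hits else None

# Constructed sample entries; the out-of-forest entry shows why the base DN matters.
DEMO_ENTRIES = {
    "CN=Thomas M Schaefer,OU=Users,DC=ENT,DC=DS,DC=MYHOST,DC=COM":
        {"objectClass": "user", "sAMAccountName": "ThomasMSchaefer", "mail": "thomas.schaefer@example.com"},
    "CN=Imposter,OU=Users,DC=OTHER,DC=COM":
        {"objectClass": "user", "sAMAccountName": "ThomasMSchaefer", "mail": "imposter@example.net"},
}
```

A lookup such as `UserLookup(Directory(DEMO_ENTRIES), BASE_DN, "svc_atlas", "...").email_for_principal("ThomasMSchaefer@ENT.DS.MYHOST.COM")` binds exactly once and returns the mail attribute; a name like `*)(objectClass=*` is escaped to `\2a\29\28objectClass=\2a` and simply matches nobody, which is the behaviour you want when the value comes from a header rather than from your own code.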

Questions?
toms@bettersoftwaresolutions.com
@BSSI_Consulting
www.bettersoftwaresolutions.com
727-437-2771

References
- Unisys Manuals: LDAPSupport, Kerberos Guide, WEBAPPSUPPORT Manual
- RFC for the Authenticate header: RFC 4559
- Adding SecureAuth to your web apps