Get Cloud Ready: Secure Access to Google Apps and Other SaaS Applications

Matt Weisberg, Vice President & CIO, Weisberg Consulting, Inc. (matt@weisberg.net)
Paul McKeith, Technical Sales, Novell, Inc. (pmckeith@novell.com)
Mike Weaver, IDM Practice Lead, Concensus Consulting (mike.weaver@concensus.com)
Introduction
- Provisioning and Management of Accounts
- Single Sign-On using Security Assertion Markup Language (SAML)
Provisioning via Identity Manager
NetIQ/Identity Manager (IDM)
- Event-based identity provisioning and management
- Near real-time data synchronization between connected systems
- User password management
- Password self-service
- Multiple hosting platform support
- Out-of-the-box support for a wide array of connected systems
IDM Connector for Google Apps
[Diagram: enterprise identity data flows through the IDM connector into Google Apps]
IDM Connector for Google Apps
- IDM Integration Module for unidirectional synchronization into Google Apps
- Native Java code
- Utilizes several published Google APIs
- IDM 4.0.1 or later
Features
Synchronize (provision):
- Users
- Groups
- Shared Contacts
- Containers (OUs)
- Move between OUs
- Supports secondary email domains
- Support for Alias and Send-As settings
- Supports RBE and RBPM entitlements
- Account Tracking support
- Password sync (one-way)
- User profile information
IDM Driver vs. GADS (Google Apps Directory Sync)
Implementation Requirements
- Google Apps for Business or Google Apps for Education
- API access enabled
- Network access to Google from the Remote Loader or the IDM Engine (wherever the driver runs)
Implementation
- Install the driver modules: download the latest from the Novell Patch site
- Add the schema extensions (Novell_Google_Schema.sch)
- Be sure to update Designer packages to the latest versions of the policies and driver configuration
Futures
- Move a user mailbox between email domains within the same Google Apps domain
- Resource objects
- Postini driver
- New features dependent on Google API updates
Single Sign On via SAML
Google Apps Single Sign-On (SSO)
Google supports two methods of single sign-on:
- OpenID
  - Simple implementation
  - Auto-discovery of identities
  - Service Provider initiated SSO only
- Security Assertion Markup Language (SAML)
  - More complex
  - Better end-user experience
  - Faster
  - Flexible
  - Supported by Access Manager
What is SAML?
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
Source: Wikipedia (http://en.wikipedia.org/wiki/saml)
SAML - Service Provider Initiated SSO
[Diagram: User/Browser exchanging messages with Google Apps (Service Provider) and Access Manager (Identity Provider), steps 1 to 5 as listed below]
1. User accesses Google Apps.
2. Google generates a SAML request and redirects the user to the IdP.
3. User logs into the IdP and gets a SAML response (assertion).
4. User is redirected back to Google and sends the SAML response.
5. Google verifies the response and allows the user into the application.
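As an added example (not part of the slides), the following Python models the five steps above with a toy service provider standing in for Google Apps and a toy issuer standing in for Access Manager. The entity IDs, ACS URL, shared key and user e-mail address are constructed values. XML Signature verification, which a real SP performs with the IdP's certificate, is replaced by an HMAC over the fields the SP checks, so that the code runs with the standard library only. What it shows is the set of checks step 5 has to make before the assertion can be trusted: signature, trusted issuer, InResponseTo matching an outstanding request (and only once), Recipient, Audience, validity window and NameID format.

```python
import hashlib, hmac, secrets, time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC, ISO 8601

# Constructed values: a Google Apps domain fronted by an Access Manager IdP.
SP_ENTITY_ID = "google.com/a/samlexperts.com"
ACS_URL = "https://www.google.com/a/samlexperts.com/acs"
IDP_ENTITY_ID = "https://ids1.samlexperts.com:8443/nidp/saml2/metadata"
SHARED_KEY = b"constructed-demo-key"  # stand-in for the IdP's signing key


def _demo_signature(*fields):
    """HMAC stand-in for XML-DSig; covers every field the SP later checks."""
    return hmac.new(SHARED_KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()


class ServiceProvider:
    """Google Apps side: issues requests (step 2) and verifies responses (step 5)."""

    def __init__(self):
        self.outstanding = set()  # IDs of AuthnRequests still awaiting a response

    def make_authn_request(self):
        req_id = "_" + secrets.token_hex(16)
        self.outstanding.add(req_id)
        return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
                f'ID="{req_id}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

    def consume_response(self, response_xml, now=None):
        """Return the authenticated e-mail, or raise ValueError on the first failed check."""
        now = time.time() if now is None else now
        a = ET.fromstring(response_xml).find(f"{{{SAML}}}Assertion")
        name_id = a.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID") if a is not None else None
        conf = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/"
                      f"{{{SAML}}}SubjectConfirmationData") if a is not None else None
        cond = a.find(f"{{{SAML}}}Conditions") if a is not None else None
        if any(x is None for x in (a, name_id, conf, cond)):
            raise ValueError("malformed response")
        issuer = a.findtext(f"{{{SAML}}}Issuer", "")
        audience = cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience", "")
        not_after = cond.get("NotOnOrAfter", "")
        fields = (issuer, name_id.text or "", audience, conf.get("Recipient", ""),
                  conf.get("InResponseTo", ""), not_after)
        # Signature first: nothing else in the assertion is trustworthy until it checks out.
        if not hmac.compare_digest(a.get("DemoSignature", ""), _demo_signature(*fields)):
            raise ValueError("bad signature")
        if issuer != IDP_ENTITY_ID:
            raise ValueError("untrusted issuer")
        if conf.get("InResponseTo") not in self.outstanding:
            raise ValueError("unsolicited or replayed response")
        self.outstanding.discard(conf.get("InResponseTo"))  # each request is answered once
        if conf.get("Recipient") != ACS_URL:
            raise ValueError("assertion addressed to another ACS")
        if audience != SP_ENTITY_ID:
            raise ValueError("assertion meant for another SP")
        expiry = datetime.strptime(not_after, TS).replace(tzinfo=timezone.utc).timestamp()
        if now >= expiry:
            raise ValueError("assertion expired")
        if name_id.get("Format") != EMAIL_FMT:
            raise ValueError("unexpected NameID format")
        return name_id.text


def idp_issue_response(authn_request_xml, user_email, now=None):
    """Access Manager side (step 3): after the user logs in, issue the signed response.
    Recipient is the ACS from the SP metadata, never a URL taken from the request."""
    now = time.time() if now is None else now
    in_response_to = ET.fromstring(authn_request_xml).get("ID", "")
    not_after = datetime.fromtimestamp(now + 300, tz=timezone.utc).strftime(TS)
    sig = _demo_signature(IDP_ENTITY_ID, user_email, SP_ENTITY_ID, ACS_URL,
                          in_response_to, not_after)
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    InResponseTo="{in_response_to}" Destination="{ACS_URL}">
  <saml:Assertion DemoSignature="{sig}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FMT}">{escape(user_email)}</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{in_response_to}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def run_flow(user_email="alice@samlexperts.com"):
    """Steps 1 to 5 end to end; returns the e-mail address the SP accepted."""
    sp = ServiceProvider()
    request = sp.make_authn_request()                   # steps 1-2
    response = idp_issue_response(request, user_email)  # step 3
    return sp.consume_response(response)                # steps 4-5


if __name__ == "__main__":
    print("accepted:", run_flow())
```

The order of checks matters: the signature is verified before any field is acted on, and the request ID is consumed so that a captured response cannot be posted to the ACS a second time.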
Access Manager Quick Overview
- Reverse Proxy
  - Coarse-grained access control
  - Agent-less web SSO via Form Fill
- J2EE Web Agents
  - Fine-grained access control
- SSL VPN
- Loosely coupled identity stores
  - LDAP directories, e.g. Active Directory, Sun ONE, eDirectory
- Open-standard federation and web SSO support
  - Liberty Alliance, SAML, and Microsoft WS-Federation
Access Manager Identity Provider
- Base URL is the Identity Provider URL
- Must be accessible by clients
- Can use port 443 instead of 8443 (iptables redirect)
Access Manager User Store
- eDirectory, AD or Sun ONE supported out of the box
- Other LDAP directories supported via custom plugins
Access Manager Default Contract
Access Manager Trusted Providers
Access Manager SP Metadata

    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="google.com">
      <md:SPSSODescriptor WantAssertionsSigned="true"
                          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <!-- the emailAddress NameID format keeps its SAML 1.1 URI in SAML 2.0 -->
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://www.google.com/a/samlexperts.com/acs"
                                     index="1"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>

Not supplied by Google: you must create it yourself. The entityID can be made domain-specific to support multiple Google Apps instances with the same IdP.
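Because this metadata is hand-written rather than downloaded from Google, it is worth generating it from the Google Apps domain name and checking it before importing it into the IdP. The Python below is an added example, not Access Manager or Google code: it builds the metadata for one Google Apps domain (with the domain-specific entityID form google.com/a/<domain>, which is an assumption about how you choose to name the SP), checks the settings an IdP administrator should insist on (signed assertions, SAML 2.0 protocol, emailAddress NameID, an HTTPS HTTP-POST ACS that belongs to the expected domain), and flags the duplicate entityIDs that arise when several domains all use the plain "google.com" value.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ET.register_namespace("md", MD)


def build_sp_metadata(google_apps_domain, domain_specific_entity_id=True):
    """Return SP metadata (bytes) for one Google Apps instance.
    entityID 'google.com/a/<domain>' (assumed naming) lets one IdP federate several
    domains; the plain 'google.com' value only works for a single domain."""
    entity_id = (f"google.com/a/{google_apps_domain}" if domain_specific_entity_id
                 else "google.com")
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    spsso = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                          WantAssertionsSigned="true", protocolSupportEnumeration=PROTO)
    ET.SubElement(spsso, f"{{{MD}}}NameIDFormat").text = EMAIL_FMT
    ET.SubElement(spsso, f"{{{MD}}}AssertionConsumerService", Binding=HTTP_POST,
                  Location=f"https://www.google.com/a/{google_apps_domain}/acs", index="1")
    return ET.tostring(root, encoding="utf-8")


def check_sp_metadata(xml_bytes, expected_domain):
    """Return the problems an IdP admin should fix before importing; empty list = OK."""
    problems = []
    root = ET.fromstring(xml_bytes)
    # SAML element names are case-sensitive; lower-cased copies are a common paste error.
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor (check element case and namespace)"]
    spsso = root.find(f"{{{MD}}}SPSSODescriptor")
    if spsso is None:
        return ["missing md:SPSSODescriptor"]
    if spsso.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned should be true so the IdP signs assertions")
    if PROTO not in spsso.get("protocolSupportEnumeration", "").split():
        problems.append("protocolSupportEnumeration must include the SAML 2.0 protocol URI")
    if spsso.findtext(f"{{{MD}}}NameIDFormat") != EMAIL_FMT:
        problems.append("NameIDFormat should be emailAddress: Google matches users by e-mail")
    acs = [e for e in spsso.findall(f"{{{MD}}}AssertionConsumerService")
           if e.get("Binding") == HTTP_POST]
    if not acs:
        problems.append("no AssertionConsumerService with the HTTP-POST binding")
    for e in acs:
        loc = e.get("Location", "")
        if not loc.startswith("https://"):
            problems.append(f"ACS Location must use https: {loc}")
        if loc != f"https://www.google.com/a/{expected_domain}/acs":
            problems.append(f"ACS Location does not belong to {expected_domain}: {loc}")
    return problems


def duplicate_entity_ids(*metadata_blobs):
    """entityIDs shared by more than one SP: the IdP could not tell those SPs apart."""
    seen, dupes = set(), set()
    for blob in metadata_blobs:
        eid = ET.fromstring(blob).get("entityID")
        (dupes if eid in seen else seen).add(eid)
    return sorted(dupes)


if __name__ == "__main__":
    md = build_sp_metadata("samlexperts.com")
    print(md.decode())
    print("problems:", check_sp_metadata(md, "samlexperts.com"))
```

Run the checker on every SP metadata file before adding it as a trusted provider; the duplicate-entityID check is the one that matters once a second Google Apps domain is federated with the same IdP.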
Access Manager SAML Trust
Access Manager SAML Attributes
Access Manager Authentication Response
Google Apps Advanced Tools
Google Apps Set up SSO
Google Apps Example SSO URLs
- Sign-in page URL: https://ids1.samlexperts.com:8443/nidp/saml2/sso
- Sign-out page URL: https://ids1.samlexperts.com:8443/nidp/app/logout
- Change Password URL: https://pwm.samlexperts.com/pwm/private/changepassword
- Access Manager IdS Metadata URL: https://ids1.samlexperts.com:8443/nidp/saml2/metadata
Single Sign On Demo
Password Self Service
- Password Management Servlets (PWM), open source: http://code.google.com/p/pwm/
- IdM User Application
- Novell Self-Service Password Reset (SSPR): http://download.novell.com/download?buildid=plbqmvidc80~ and http://www.novell.com/documentation/sspr10/ (Note: based on open-source PWM)
Questions and Answers
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. Copyright ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other countries.