IBM WebSphere Application Server



Similar documents
IBM WebSphere Application Server

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Memory-to-memory session replication

IBM WebSphere Application Server Communications Enabled Applications

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

WebSphere Commerce V7 Feature Pack 2

Business Process Management IBM Business Process Manager V7.5

IBM Tivoli Provisioning Manager V 7.1

Single Sign-on (SSO) technologies for the Domino Web Server

SAML Single-Sign-On (SSO)

Using SAML for Single Sign-On in the SOA Software Platform

SAML and OAUTH Technologies WebSphere Application Server

IBM WebSphere Partner Gateway V6.2.1 Advanced and Enterprise Editions

SAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun

Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)

Web Single Sign-On Authentication using SAML

WebSphere Business Monitor

National Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0

Get Success in Passing Your Certification Exam at first attempt!

Single Sign-On Implementation Guide

IBM WebSphere Application Server

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

WebSphere DataPower Release DNS Enhancements

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

HP Software as a Service

IBM Tivoli Network Manager V3.9

Siebel CRM On Demand Single Sign-On. An Oracle White Paper December 2006

Single Sign on Using SAML

Business Process Management IBM Business Process Manager V7.5

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)

IAM Application Integration Guide

HP Software as a Service. Federated SSO Guide

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

Web Access Management and Single Sign-On

Internet Information Services Integration Kit. Version 2.4. User Guide

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>

Flexible Identity Federation

MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard

SINGLE SIGNON FUNCTIONALITY IN HATS USING MICROSOFT SHAREPOINT PORTAL

IBM Business Monitor. BPEL process monitoring

MLSListings Single Sign On Implementation Guide. Compatible with MLSListings Applications

Single Sign-On Implementation Guide

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

The EUMETSAT EO Portal User Management Concept

Single Sign-On Implementation Guide

SAML Authentication Quick Start Guide

IBM Tivoli Network Manager IP Edition V3.8

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

Web servers and WebSphere Portal

WebSphere Business Monitor

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

SAML Authentication with BlackShield Cloud

PingFederate. SSO Integration Overview

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

WebSphere Commerce V7 Feature Pack 3

PHP Integration Kit. Version User Guide

Feide Technical Guide. Technical details for integrating a service into Feide

McAfee Cloud Identity Manager

How To Use Saml 2.0 Single Sign On With Qualysguard

Web Based Single Sign-On and Access Control

Microsoft Office 365 Using SAML Integration Guide

SAM Context-Based Authentication Using Juniper SA Integration Guide

How to Implement Enterprise SAML SSO

PingFederate. Integration Overview

An Oracle White Paper Dec Oracle Access Management Security Token Service

PARTNER INTEGRATION GUIDE. Edition 1.0

SAML Security Option White Paper

Sametime Version 9. Integration Guide. Integrating Sametime 9 with Domino 9, inotes 9, Connections 4.5, and WebSphere Portal

OpenLDAP Oracle Enterprise Gateway Integration Guide

Single Sign-On Implementation Guide

Fairsail. Implementer. Single Sign-On with Fairsail and Microsoft Active Directory Federation Services 2.0. Version 1.92 FS-SSO-XXX-IG R001.

OpenSSO: Cross Domain Single Sign On

Microsoft Active Directory Oracle Enterprise Gateway Integration Guide

Leveraging SAML for Federated Single Sign-on:

C05 Discovery of Enterprise zsystems Assets for API Management

SAML-Based SSO Solution

IBM Tivoli Network Manager 3.8

Setting Up Federated Identity with IBM SmartCloud

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

FTP-Stream Integrating Active Directory Federation Services

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

OIOSAML Rich Client to Browser Scenario Version 1.0

TIB 2.0 Administration Functions Overview

WebSphere Business Monitor

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Novell Access Manager

Lecture Notes for Advanced Web Security 2015

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

Transcription:

IBM WebSphere Application Server SAML 2.0 web single-sign-on 2012 IBM Corporation This presentation describes support for SAML 2.0 web browser Single Sign On profile included in IBM WebSphere Application Server V7.0.0.23. SAML_Web_SSO.ppt Page 1 of 15

Overview 2 SAML 2.0 web single-sign-on 2012 IBM Corporation This feature provides a service provider for SAML 2.0 web browser SSO profile, which supports Identity Provider initiated post binding. SAML_Web_SSO.ppt Page 2 of 15

What is SAML? Security Assertion Markup Language (SAML) is an OASIS open standard for representing and exchanging user identity, authentication, and attribute information. A SAML assertion is an XML-formatted token that is used to transfer user identity and attribute information from the identity provider of a user to a trusted service provider as part of the completion of a single sign-on request. 3 SAML 2.0 web single-sign-on 2012 IBM Corporation A SAML assertion provides a vendor-neutral means of transferring information between federation business partners. SAML_Web_SSO.ppt Page 3 of 15

SAML versions and specs Versions: As a protocol, SAML has three versions: SAML 1.0, SAML 1.1, and SAML 2.0. SAML 2.0 and specs: 4 SAML 2.0 web single-sign-on 2012 IBM Corporation SAML 2.0 is an enhancement to the previous SAML 1 and 1.1 specifications, but is not compatible with those versions. SAML 2.0 defines several request-response protocols, which all correspond to the action being communicated in the message. These protocols are HTTP-redirect based and involve the user's browser. SAML 2.0 has defined several binding options, HTTP redirect, HTTP POST, HTTP artifact, and SOAP. These options specify the way in which messages can be transported. SAML 2.0 HTTP POST enables SAML protocol messages to be transmitted within an HTML form using base64- encoded content. SAML 2.0 HTTP POST enables the SAML provider and consumer to communicate using an HTTP user agent as an intermediary. HTTP POST is sometimes called Browser POST, particularly when used in single sign-on operations. SAML 2.0 web Browser SSO Profile is defined to support web single sign-on. A web user either accesses a resource at a service provider, or accesses an identity provider such that the service provider and required resource are understood or implicit. The web user authenticates to the identity provider, which then produces an authentication assertion, and the service provider consumes the assertion to establish a security context for the web user. SAML_Web_SSO.ppt Page 4 of 15

Parties in SAML web SSO 5 SAML 2.0 web single-sign-on 2012 IBM Corporation User authenticates to Identity provider (IdP), IdP sends SAML assertion to Service Provider (SP). SP validates SAML assertion and authorize web resource request. Identity Provider (IdP) is a producer of assertions that authenticates a principal. Service Provider (SP) is a consumer of assertions that relies on the identity provider to identify and provide a principal. The SP will receive a SAML assertion containing the principle and security attributes to be used for a given request. SAML_Web_SSO.ppt Page 5 of 15

Sample SAML Response from IdP <Response IssueInstant="2010-04-17T00:46:02Z" Version="2.0" ID="_c7055387-af61-4fce-8b98-e2927324b306" xmlns="urn:oasis:names: tc:saml:2.0:protocol" xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion"> <saml:issuer>idp.bank.com"</saml:issuer> <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ d s:s igna ture> <Status><StatusCode Value= "urn:oasis:names:tc:saml:2.0:status:su cc ess" /> < /Status > <Assertion ID="_a75adf55-01d7-40cc-929f-d bd8 372e bdfc" IssueInstant="2010-04-17T00:46:02Z" Vers i on="2.0" x mlns="urn:oasis:names:tc:saml:2.0:assertion"> <Issuer>idp.bank.com</Issuer> <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" >... Important assertions for security context: IdP issuer = idp.bank.com Principal name: idp.bank.com/ito@bank.com Attributes = idp.bank.com/employee <ds:signaturemethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />... <ds:digestmethod Algorithm="ht tp://www.w3.org/2001/04/xmlenc#sha256" />... </ds:signature> <Subject> <NameID>ito@bank.com</NameID> <SubjectConfirmation Method="urn:oasis: names:tc:saml:2.0:cm:bearer" /> </Subject> <saml:attribute AttributeName="Group"> <saml:attributevalue>employee</saml:attributevalue> </saml:attribute> <Conditions NotBefore="2010-04-17T00:46:02Z" NotOnOrAfter="2010-04-17T00:51:02Z"> <AudienceRestriction><Audience>sp.bank.com</Audience></AudienceRestriction> </Conditions> <AuthnStatement AuthnInstant="2010-04-17T00:46:00Z">...</AuthnStatement> </Assertion> </Response> 6 SAML 2.0 web single-sign-on 2012 IBM Corporation This is a sample SAML protocol message from IdP SAML_Web_SSO.ppt Page 6 of 15

Usage scenarios 7 SAML 2.0 web single-sign-on 2012 IBM Corporation This section shows an example use case of this new feature. SAML_Web_SSO.ppt Page 7 of 15

SAML 2.0 web SSO The WebSphere Application Server SAML service provider (SP) supports SAML 2.0 Identity Provider (IdP) initiated single sign-on (SSO). 8 SAML 2.0 web single-sign-on 2012 IBM Corporation WebSphere IdP initiated SSO service is implemented as a Trust Association Interceptor, and can be described as follows: 1. User accesses a front end web application that can reside on the IdP, SP, or elsewhere. 2. Front end web application redirects user to IdP and user authenticates to IdP. 3. IdP redirects user to Assertion Consumer Service (ACS) in SP by sending SAML response over HTTP POST inside a hidden form. 4. SP processes SAML response and creates WebSphere security context. 5. SP adds LTPA cookie to HTTP response and redirects request to web resource or business application. 6. WebSphere Application Server intercepts request, and maps LTPA cookie to security context and authorizes user access to the requested web resource. 7. WebSphere Application Server sends HTTP response back to user. SAML_Web_SSO.ppt Page 8 of 15

SAML web SSO and web service Propagate SAML 2.0 in web service call Front End Portal type Application 1 Identity provider Service provider Assertion Consumer service (saml20) SAMLResponse Contact IdP 2 3 Servlet servlet 4 sso Cookie 5 SAML 20 propagation 6 Web Service Browser 9 SAML 2.0 web single-sign-on 2012 IBM Corporation In a SAML web SSO scenario, you can propagate a SAML assertion from a service provider to a downstream web service. After SSO is completed and the user is authorized to access the web resource, you can make a web service call within the servlet with the SAML assertion as a caller token. SAML_Web_SSO.ppt Page 9 of 15

SAML web SSO and web service Propagate SAML 2.0 from servlet to EJB Front End Portal type Application 1 Identity provider Service provider EJB Assertion Consumer service SAMLResponse Contact IdP 2 3 Servlet servlet 4 sso Cookie 5 SAML 6 Browser 10 SAML 2.0 web single-sign-on 2012 IBM Corporation In a SAML web SSO scenario, you can propagate a SAML assertion from a service provider to a downstream EJB. After the SSO is completed and the user is authorized to access a web resource, you can make an EJB call within the servlet with the SAML assertion as a caller token. SAML_Web_SSO.ppt Page 10 of 15

Summary of features inside WebSphere 11 SAML 2.0 web single-sign-on 2012 IBM Corporation 1. The WebSphere SAML TAI, or trust association interceptor, can be configured not to require SAML users in WebSphere Security s user registry. That is, the WebSphere user registry does not contain any users as long as the user is authenticated by a SAML identity provider. The WebSphere runtime subject is build from the SAML assertion without calling into WebSphere user registry. 2. The WebSphere SAML TAI can be configured to verify a SAML user in the WebSphere user registry, and the WebSphere runtime subject is built based on the user s attributes in the user registry. 3. When using ID assertion to create a WebSphere runtime subject, WebSphere SAML TAI can extract SAML token attributes, and use those attributes to create the WebSphere security subject s realm, principal, unique ID, and group memberships. 4. The WebSphere SAML TAI supports using a plug-in for external identity mapping before creating the security subject. 5. While doing SAML user ID assertion, this TAI can optionally retrieve the SAML user's groups from the user registry. 6. The WebSphere SAML TAI provides several administrative commands to simplify enablement and configuration; those commands include Add, show, and delete tasks to configure and manage the SAML web SSO TAI; and import or export metadata to establish SSO partnership with an IdP. 7. The WebSphere SAML TAI supports single-sign-on with multiple identity providers. Within TAI, you can have one AssertionConsumerService instance working with multiple identity provider s SingleSignOnService, and you can also have multiple AssertionServiceprovider instances working with multiple SingleSignOnServices. 8. The WebSphere SAML TAI has an IdP selection filter that routes request back to the proper IdP if a request has not yet been authenticated. 9. The WebSphere SAML TAI supports both RSA-SHA1 and RSA-SHA256 signature methods. 10. WebSphere SAML TAI preserves the SAML token in the subject, so an application can retrieve a SAML token from the executed thread for additional authorization. 11. Any business application that implements HTTP POST method can act as SAML AssertionConsumerService. SAML_Web_SSO.ppt Page 11 of 15

Beyond basic Assertion consumer service (ACS) in WebSphere SAML service provider: Any business service that implements the POST method can act as an ACS. Multiple security domain support: It is expected that the ACS reside in the same security domain as the business application. Multiple single sign-on partners: The WebSphere SAML TAI supports multiple ACS and IdP single sign-on (SingleSignOnService) partners. Bookmark style SSO and TAI filter. Identity mapping and security context management: The WebSphere SAML TAI provides a rich and flexible identity mapping. Identity assertion Map NameID from the IdP against the user registry of the service provider Combination of ID assertion and local registry 12 SAML 2.0 web single-sign-on 2012 IBM Corporation 1.Any business service that implements the POST method can act as an ACS. Using a target business servlet as an ACS is preferred, because it reduces one round trip between the browser and the service provider server. 2. The WebSphere SAML TAI supports multiple ACS and IdP SingleSignOnService partners. One SSO partner is defined as one ACS URL, and multiple SingleSignOnServices. Each SSO partner can have its own validation rules, mapping rule from assertion to subject, or a rule to start the SSO with its own IdP. 3. If a user accesses the business application without authenticating to the IdP first, the WebSphere SAML TAI can be configured to initiate an SSO. Each SSO partner configuration contains an IdP login application and a routing filter. The TAI filter allows an IdP-initiated SSO to provide similar functionality as the combination of an SP-initiated SSO and an IdP discovery service. 4. The WebSphere SAML TAI provides a rich and flexible identity mapping, and can be classified as follows: Identity assertion maps the SAML assertion to the WebSphere platform subject without a local registry. Map NameID from the IdP against the user registry of the service provider, and build the subject from the registry. Three scenarios are supported: Directly map the SAML NameID to the local registry, a plug-in point for custom mapping, followed by using a new user to build the subject, and Map NameID to the user registry, and fall back to ID assertion. Combination of ID assertion and local registry: In addition to ID assertion, TAI searches parent groups of the asserted groups in the user registry of the service provider, and includes the parent groups into the subject. For example, authorization is granted to parent groups, but the identity provider does not know the parent group names. SAML_Web_SSO.ppt Page 12 of 15

References Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0: http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf 13 SAML 2.0 web single-sign-on 2012 IBM Corporation These links access additional information about SAML 2.0 web browser Single Sign On profiles. SAML_Web_SSO.ppt Page 13 of 15

Feedback Your feedback is valuable You can help improve the quality of IBM Education Assistant content to better meet your needs by providing feedback. Did you find this module useful? Did it help you solve a problem or answer a question? Do you have suggestions for improvements? Click to send email feedback: mailto:iea@us.ibm.com?subject=feedback_about_saml_web_sso.ppt This module is also available in PDF format at:../saml_web_sso.pdf 14 SAML 2.0 web single-sign-on 2012 IBM Corporation You can help improve the quality of IBM Education Assistant content by providing feedback. SAML_Web_SSO.ppt Page 14 of 15

Trademarks, disclaimer, and copyright information IBM, the IBM logo, ibm.com, and WebSphere are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of other IBM trademarks is available on the web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF ANY AGREEMENT OR LICENSE GOVERNING THE USE OF IBM PRODUCTS OR SOFTWARE. Copyright International Business Machines Corporation 2012. All rights reserved. 15 2012 IBM Corporation SAML_Web_SSO.ppt Page 15 of 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information