Proxied Authentication in SSO Setups with Common OSS
Open Identity Summit 2015, Prof. Dr. René Peinl, Berlin, 10.11.2015




Agenda
1 Use case / context
2 Challenge and ideal solution
3 Analysis of established SSO protocols
4 Analysis of use cases and involved systems
5 Conclusion and outlook

Project: Social Collaboration Hub (SCHub)
Goal: Establishing an integrated infrastructure for effective support of team collaboration, esp. for knowledge-intensive tasks and regionally distributed employees; direct support for knowledge and business processes. From a user's perspective, a unified intranet with continuous support for working tasks, without breaks in the workflow, should arise.
Solution: Integration of open source software from the areas portal, document management (DMS), groupware and business process management (BPM)
Duration: 10/2014-09/2016

SCHub system architecture
- Web entry point: nginx
- End-user applications: Liferay, Nuxeo, OX App Suite
- Middleware / supporting services: Camunda BPM, ElasticSearch, Shindig, CAS
- Backend: Dovecot, Postfix, MySQL Galera / XtraDB Cluster, CEPH, neo4j, OpenLDAP
- Infrastructure: Docker, OpenStack + KVM, Mesos + Marathon, Univention Corporate Server

SCHub communication flows (diagram; connections to/from CAS and LDAP omitted for clarity)

Challenge
Securely authenticate from one server system to communicate with another server system in the name of the user logged on to the first system.
Use cases
1. Access to the ECMS Nuxeo via CMIS* from Liferay and OX
2. Triggering workflows in Camunda from Liferay, Nuxeo and OX
3. Storing activities in Shindig from Liferay, Nuxeo, OX and Camunda
4. Accessing emails in Dovecot via IMAP** from OX
* Content Management Interoperability Services
** Internet Mail Access Protocol

Terms
No common terminology to describe the challenge:
- "double hop issue" (Microsoft): not a widely accepted term
- "delegated authentication" (SAML): also used for delegating authentication to an external system
- "impersonation": server 1 impersonates the user, but mainly used to describe attacks
- "proxy authentication": an HTTP proxy that authenticates, vs. an app that does API calls
=> "proxied authentication", in order to avoid wrong associations

Ideal solution (slide contains only a diagram)

SSO protocols
OAuth 2.0
- Authorization code grant flow seems well suited for the scenario
- Existing implementations assume that authorization server (SSO system) and resource server (server system 2) are identical
- Supplement on bearer token usage mentions our scenario
- Problem really solved in the successor OpenID Connect
SAML 2.0
- Delegated SAML authentication [1] describes the scenario
- Technologies used are specified in an addendum to the SAML 2.0 spec
- Not fully supported by CAS 4.1, new in Nuxeo 7.4, established in Liferay, but delegated authentication still questionable

SSO protocols
Kerberos
- Not tailored for the Web-based world but still suitable
- Supports the scenario with ticket granting tickets
- Two open source Kerberos v5 implementations for Linux: MIT Kerberos Server, Heimdal
- CAS, Nuxeo and Liferay support Kerberos; CAS only with AD

Proprietary solutions
CAS* Proxy Authentication
- Uses a mechanism similar to Kerberos
- Server 1 can request a proxy granting ticket (PGT)
- Afterwards it uses the PGT to request proxy tickets for server 2
- Server 2 must validate the whole chain included in the proxy ticket
CAS* ClearPass
- Password replay feature of CAS
- Server 1 can request the current user's password
- Authentication against server 2 with username/password
- Less secure, not nice, but effective and efficient
* Central Authentication Service, Jasig / Apereo
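The "server 2 must validate the whole chain" point above, as an added example that is not from the slides or from the CAS project: a resource server parses the CAS 2.0 /proxyValidate response and accepts the ticket only if every proxy callback URL in the reported chain is on its allow-list. The hostnames, the allow-list and the sample responses are constructed assumptions; the two-hop chain models use case 3 (Camunda storing an activity in the name of a user who logged in via Liferay).

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

class ProxyValidationError(Exception):
    """The /proxyValidate response must not be trusted."""

def validate_proxy_response(xml_text, allowed_proxy_chains):
    """Return (user, proxy_chain) from a CAS 2.0 /proxyValidate response.
    allowed_proxy_chains: set of tuples of callback URLs, most recent proxy first."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:  # e.g. code INVALID_TICKET
        raise ProxyValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ProxyValidationError("no authenticationSuccess element")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        raise ProxyValidationError("missing cas:user")
    # Every hop that handled the ticket is listed; the whole chain must be trusted.
    chain = tuple((p.text or "").strip()
                  for p in success.findall("cas:proxies/cas:proxy", CAS_NS))
    if chain not in allowed_proxy_chains:
        raise ProxyValidationError(f"proxy chain not allowed: {chain}")
    return user, chain

def accepted_user(xml_text, allowed_proxy_chains):
    """The user name if the response is acceptable, else None."""
    try:
        return validate_proxy_response(xml_text, allowed_proxy_chains)[0]
    except ProxyValidationError:
        return None

# Constructed sample responses with hypothetical hostnames (not real SCHub data).
OK_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxies>
      <cas:proxy>https://liferay.example.org/cas/proxy-callback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
ROGUE_RESPONSE = OK_RESPONSE.replace("liferay.example.org", "rogue.example.net")
FAIL_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>PT-1-abc not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
ALLOWED = {("https://liferay.example.org/cas/proxy-callback",),   # Liferay directly
           ("https://camunda.example.org/cas/proxy-callback",     # Camunda acting for a user
            "https://liferay.example.org/cas/proxy-callback")}    # who logged in via Liferay
```

Ordering matters: CAS lists the most recent proxy first, so the same two hosts in the opposite order are a different chain and are rejected.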

Use case CMIS
- All systems with a CMIS interface in the project use Apache Chemistry
- Chemistry supports OAuth 2.0 since version 0.13 (04/2015)
- Nuxeo is still using version 0.12 in their latest version 7.4 (09/2015)
- Liferay explicitly states that only user/password auth is supported, although Liferay is already using Chemistry version 0.13
Decision
- Evaluate usage of CAS ClearPass
- Encourage Liferay to support OAuth 2.0
- Encourage the Chemistry community to update support to OpenID Connect

Use case workflows
- Camunda only supports basic HTTP authentication
- Authentication is exchangeable
- Multiple candidates would make sense
- OAuth 2.0, or even better OpenID Connect, seems the right way to go
Decision
- Write our own wrapper around Camunda
- Evaluate usage of RESTEasy and Restlet for this wrapper
- Use OAuth 2.0 with bearer tokens for authentication until CAS supports OpenID Connect

Use case OpenSocial
- OpenSocial 2.x uses OAuth 2.0 as primary authentication mechanism
- Apache Shindig comes with an OAuth 2.0 service provider
- For the project, Apache Shindig was CASified
- Special challenge: systems have to authenticate if the user is not logged in (e.g. for long-running processes)
Decision
- Use 2-legged OAuth 2.0 for storing activities in Shindig

Use case IMAP
- Dovecot is used as IMAP server
- Dovecot only supports Kerberos
- In large-scale installations like Strato, communication between the OX server and Dovecot uses a master password to authenticate
Decision
- Since the SaaS scenario of the project is similar to the Strato hosting, we will also use the master password feature

Conclusion and outlook
- The described scenario has some pitfalls and is costly to implement
- Although solved in theory, it is still demanding in practice
- As often, new protocols like OAuth are less sophisticated than older protocols like Kerberos, which are seen as heavyweight
- OpenID Connect is a promising specification
- SSO with the Web frontend is easy, but hard for end-to-end solutions
- Use libraries that do authentication for you!

Please do SSO right from the beginning!
Hof University, Alfons-Goppel-Platz 1, 95028 Hof, Germany
Prof. Dr. René Peinl, Head of research group systems integration; teaching area: Web architecture
Phone +49 9281 409-3000, Fax +49 9281 409-4000
rene.peinl@hof-university.de, www.hof-university.de