Single Sign-on and identity propagation in a heterogeneous environment. Marian Kuna, Technology Sales Consultant
Single Sign-On (Wikipedia): Single sign-on (SSO) is one component of access control across multiple related but independent software systems. With this component the user logs in once and gains access to all of the systems without having to log in to each of them. SSO is built on a centralized authentication server that the applications and systems use for authentication.
Benefits of Single Sign-On (cartoon caption): "I need to log in to Windows again." "Kids, go help Daddy press Ctrl-Alt-Del."
Benefits of Single Sign-On. User comfort: no need to remember a large number of different usernames/passwords; faster access to applications without re-authentication. Security: passwords on paper (eliminated), strong authentication. Costs: technical support/password resets, user efficiency. Laws, standards, regulations: centralized reporting.
Types of single sign-on: Password Synchronization; Perimeter Single Sign-on; Web Single Sign-on; X.509 authentication; Server-based SSO and Identity Propagation (standards, WebLogic Security Framework, SAML, Kerberos); Enterprise Single Sign-on.
Password Synchronization (diagram: password synchronization driven by Identity Management).
Perimeter Single Sign-on
Perimeter SSO (diagram, numbered flow 1-10): a Web Server (app proxy) / Gateway in the DMZ between two firewalls; an Access Server providing resource protection, user validation and token validation against a User & Policy Store; an Application Server hosting the protected resources.
Oracle Access Manager
Supported authentication mechanisms: form-based authentication; basic authentication; X.509 authentication; OAAM virtual pad based authentication; Kerberos based authentication (Windows native authentication).
X.509 Client Authentication: two-way SSL (diagram: Client Hello from Client to Server; the plaintext "The quick brown fox jumps over the lazy dog" is transformed with the private key into ciphertext and recovered with the public key).
X.509 Client Authentication with WebLogic Server and Database. Oracle Fusion Middleware Securing Oracle WebLogic Server, chapter 12 "Configuring SSL": http://download.oracle.com/docs/cd/e14571_01/web.1111/e13707/ssl.htm. Oracle Database Advanced Security Administrator's Guide, chapter 8 "Configuring Secure Sockets Layer Authentication": http://download.oracle.com/docs/cd/e11882_01/network.112/e10746/asossl.htm#i1013323 (requires the Oracle Advanced Security option).
Server based Single Sign-on: SAML, Kerberos, Identity Propagation
End to End Security (diagram): Client, Web Server (app proxy), Application Server, Message Queue, Mainframe Application and databases; point-to-point interactions versus end-to-end security.
Identity Propagation: the user authenticates at the perimeter with an id and password; the identity is then propagated in many forms throughout the compute path (diagram: HTTP Basic Auth at the Web tier, an SSO token to the Portal Application, then SOA Business Process, Service Bus, Business Service, Data Service, and a DB connection to the DB).
Common Security Standards (diagram of standards and their dependencies; an arrow from A to B means standard B is based on standard A). Web service standards: WS-Policy, WS-SecurityPolicy, WS-ReliableMessaging, SOAP & SwA, WS-Security (SAML Token Profile, UsernameToken Profile, Kerberos Token Profile, X.509 Token Profile), WS-Trust, WS-SecureConversation, WS-Federation. XML-based standards: XML, XML Encryption, XML Signature, SAML, XACML, CARML, AAPML, SPML. IP-based standards: IP, HTTP, TLS & SSL, HTTPS, LDAP, X.500. Algorithms & protocols: Kerberos; symmetric key algorithms AES-(128,192,256), DES, 3-DES; message digests MD5, SHA-(1,2,3); PKI: X.509, RSA key encryption, RSA and DSA signature algorithms, PKCS. Java standards: Java SE/EE platform security (JCA, JCE, JAAS, JSSE, JGSS, Java SASL). The legend also marks which standards are included in the WS-I Basic Security Profile and in the WS-I Reliable Secure Profile.
WebLogic Server Security Framework
WebLogic Server Authentication: validates user credentials against an identity store. Identity stores: LDAP directories (embedded, OID, OVD, iPlanet, OpenLDAP, Novell, Active Directory); RDBMS (SQL, read-only SQL, custom DBMS). Identity Assertion: maps asserted identities (tokens) to users; token types: username/password, certificate, CSIv2, SAML, SPNEGO.
Server based Single Sign-on: SAML
Web Services: SOAP messages (SOAP Header + SOAP Body) flow between the Portal Application, SOA Business Process, Service Bus, Business Service, Data Service and the DB connection to the DB (diagram).
SAML token in a SOAP message: the SOAP Header carries the assertion, <saml:Assertion> ... <saml:Subject> <saml:NameID ...>CN=Marian Kuna, OU=Sales, O=Oracle Slovensko</saml:NameID> </saml:Subject> ... <Signature> ... </saml:Assertion>, and the SOAP Body carries the payload.
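The consumer side of the SAML-token slide above, as an added example that is not part of the original deck or of any Oracle product: a downstream service pulls the propagated subject out of the WS-Security header and refuses an assertion that carries no Signature element. The sample SOAP message, the issuer and service names, and the placeholder signature value are all constructed for this example; checking for the element is structural only and does not replace XML-DSig validation against the identity provider's key.

```python
import xml.etree.ElementTree as ET

# Namespace URIs for SOAP 1.1, WS-Security, SAML 2.0 assertions and XML-DSig.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the SignatureValue is a placeholder, not a real XML-DSig.
SIG = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
# Constructed SOAP request whose WS-Security header carries the SAML assertion
# from the slide: the subject NameID is the X.500 name of the end user.
SIGNED_REQUEST = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
        {SIG}
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Marian Kuna, OU=Sales, O=Oracle Slovensko</saml:NameID>
        </saml:Subject>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getOrders xmlns="urn:example:orders"/></soap:Body>
</soap:Envelope>"""

# Same message with the Signature element stripped (constructed unsigned variant).
UNSIGNED_REQUEST = SIGNED_REQUEST.replace(SIG, "")


def extract_propagated_identity(soap_xml: str, require_signature: bool = True) -> dict:
    """Return the subject a downstream service may propagate from the SAML token.

    Presence of <ds:Signature> is only a structural check; a real consumer must
    also validate the XML-DSig against the identity provider's trusted key.
    """
    root = ET.fromstring(soap_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in the WS-Security header")
    signed = assertion.find("ds:Signature", NS) is not None
    if require_signature and not signed:
        raise ValueError("unsigned SAML assertion; identity must not be propagated")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("SAML assertion has no Subject NameID")
    return {"name_id": name_id.text.strip(), "format": name_id.get("Format"),
            "signed": signed}
```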
Oracle Identity Federation: an identity provider (IdP) is a service that hosts and/or provides identity information to other services; a service provider (SP) is responsible for offering the services to the end users.
Oracle Identity Federation: the industry's most complete implementation of federation standards. Standards: SAML 1.0 / 1.1 / 2.0, Liberty Alliance ID-FF 1.1 / 1.2, WS-Federation. Liberty Alliance certification for Liberty ID-FF and SAML 2.0.
Oracle OpenSSO Fedlet: a lightweight SP-only implementation of the SAML 2.0 SSO protocols. It can be used to SSO-enable internal apps and partner apps (Java Fedlet, .NET Fedlet) against Oracle Identity Federation, OpenSSO or a 3rd-party Identity Provider (diagram).
Server based Single Sign-on: Kerberos
Kerberos: Project Athena was initiated in 1983; 8 years of research passed before Kerberos was officially complete. It is widely used as the default authentication method in popular operating systems: Windows, Unix, Mac OS X.
Kerberos (protocol flow diagrams).
Kerberos: WebLogic Server and Kerberos. Oracle Fusion Middleware Securing Oracle WebLogic Server, chapter 6 "Configuring Single Sign-On with Microsoft Clients": http://download.oracle.com/docs/cd/e14571_01/web.1111/e13707/sso.htm. Steps: define a principal in Active Directory to represent the WebLogic Server; set up every client to use Windows Integrated Authentication, sending a Kerberos ticket when available; in the security realm of the WebLogic domain, configure a Negotiate Identity Assertion provider.
Kerberos: Oracle Database and Kerberos. Oracle Database Advanced Security Administrator's Guide, chapter 7 "Configuring Kerberos Authentication": http://download.oracle.com/docs/cd/e11882_01/network.112/e10746/asokerb.htm (requires the Oracle Advanced Security option).
Server based Single Sign-on: Identity Propagation
Identity Propagation (diagram): Application Users and Identity Management; the Application (marian.kuna/pwd, app/pwd) and the Database (marian.kuna/pwd).
Identity Propagation with Enterprise User Security (diagram): Identity Management in OID; the Application (marian.kuna/pwd) and the Database (marian.kuna/pwd).
Enterprise User Security, implementation approaches (diagram): OID synchronized with MSAD; the user connects to the Oracle database; directory users and groups are mapped to business roles, DB users and DB roles.
Enterprise User Security, implementation approaches (diagram): OVD in front of MSAD; the user connects to the Oracle database; directory users are mapped to business roles, DB users and DB roles.
Enterprise Single Sign-on
Oracle eSSO Logon Manager (diagram): Oracle eSSO Suite Management Console; authentication against LDAP, Domain or Database; username/password sign-on from the PC/Desktop to Windows, web sites, mainframes (OS390, AS400), Java, Extranet & Portal applications.
Oracle eSSO Authentication Manager (diagram): Oracle eSSO AM exposes an Auth API to Oracle eSSO SM and Oracle eSSO KM; user authentication via MS CAPI, smart cards, SAFLINK, Entrust PKI and LDAP, with a multi-auth interface and graded authentication policies.
Oracle eSSO Password Reset (diagram): reset from the Windows logon via the Oracle eSSO Password Reset Server; audit and reporting; domain admin; Oracle eSSO Suite Management Console.
Oracle eSSO Provisioning Gateway (diagram): provisioning sources are Oracle Identity Manager (OIM), applications & custom programs, data files and manual entry; the Oracle eSSO Provisioning GW Server uses SPML connectors; credentials (password, PKI, biometrics, token/smart card) are delivered to Oracle eSSO Logon Manager on the user's desktop for application sign-on to Windows, web sites, directory/domain/database, mainframes (OS390, AS400), Java and Extranet & Portal applications.
Oracle eSSO Kiosk Manager (diagram): Oracle eSSO KM handles Windows/LDAP logon, a session monitor, time-out, application shutdown (keystroke submit, closure request, process terminate) and sign-off; session initiate/suspend/terminate for web apps, extranet, portal, Java and mainframes (OS390, AS400); audit and reporting.