Middleware Software Development. TERENA BASNET Workshop, 16-17 November 2009, Joost van Dijk - SURFnet




Contents
- SURFnet Middleware Services department: eduroam, SURFfederatie, DNS, DNSSEC, Certificate Service, honeyspider network, IDS, IPv6, RADIUS, edugain, Mobile PKI, OpenID, CERT, ...
- Today's topics:
  - SURFfederatie: Identity Federation for Web Single Sign-on
  - eduroam: network roaming
  - TCS: TERENA Certificate Service

Identity Federations for Web Single Sign-on and beyond. Joost van Dijk - SURFnet, 17/11/2009

What is Federation?

Identity Federation
- Idea:
  - Users log in at their Identity Provider (IDP),
  - using their own credentials,
  - to access resources at Service Providers (SPs)
- Identity Federation components:
  - (A) technical infrastructure
  - (B) contracts/policies
- (A) can be minimal
- (B) is needed for SPs to trust IDPs (and vice versa)
- The federation operator (e.g. an NREN) is a Trusted Third Party

Towards federation (diagram): three stages labelled Local, External and Federative, showing the SP, IDP, DB/LDAP and browser (B) components and the HTTP and SAML (HTTP) connections between them.

Demo: Google Apps

SAML authn request

  <AuthnRequest Destination="http://idp.org/sso/SSORedirect/etc"
                IssueInstant="2008-05-28T20:12:35.971Z" ID="..." ...
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>sp.example.com</saml:Issuer>
    ...
  </AuthnRequest>

SAML authn response

  <Response InResponseTo="..." IssueInstant="2008-06-03T09:46:55.934Z" ...>
    <saml:Issuer>idp.example.org</saml:Issuer>
    <Status><StatusCode Value="...:Success"/></Status>
    <saml:Assertion IssueInstant="2008-06-03T09:46:55.947Z" ...>
      <saml:Issuer>idp.example.org</saml:Issuer>
      <ds:Signature>...</ds:Signature>
      <saml:Subject>
        <saml:NameID ...>...</saml:NameID>
        <saml:SubjectConfirmation Method="...">
          <saml:SubjectConfirmationData ... Recipient="https://foodle.feide.no/simplesaml/saml2/sp/acs.php"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotOnOrAfter="2008-06-03T09:51:55.947Z" NotBefore="2008-06-03T09:41:55.947Z">
        ...
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2008-06-03T09:46:55.946Z" ...>
        ...
      </saml:AuthnStatement>
      <saml:AttributeStatement ...>
        <saml:Attribute ... Name="...:displayName">
          <saml:AttributeValue>joost van Dijk</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </Response>
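The request and response above only become safe to act on once the SP has checked the fields that bind the response to its own request, its own endpoint and the time window. The following is an added example, not code from the slides or from SURFnet: a constructed response modelled on the one above and the checks an SP applies to it (InResponseTo, Status, Issuer, Recipient, Conditions, Audience), with the expected IDP entityID and the SP's own ACS URL passed in as assumed values and signature verification taken as already done.

```python
# Added example (not the slides' code): the checks an SP makes on an SP-initiated SAML 2.0
# Response before trusting its Assertion; ds:Signature verification (IDP key from metadata) comes first.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
SAMLP, SAML = "{urn:oasis:names:tc:SAML:2.0:protocol}", "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample response, modelled on the one shown on the slide
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="req-1">
 <saml:Issuer>idp.example.org</saml:Issuer><samlp:Status>
 <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion><saml:Issuer>idp.example.org</saml:Issuer><saml:Subject><saml:NameID>joost</saml:NameID>
 <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
 Recipient="https://sp.example.com/acs" InResponseTo="req-1" NotOnOrAfter="2008-06-03T09:51:55.947Z"/>
 </saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2008-06-03T09:41:55.947Z"
 NotOnOrAfter="2008-06-03T09:51:55.947Z"><saml:AudienceRestriction><saml:Audience>sp.example.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
def parse_instant(s):
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def validate_response(xml_text, request_id, idp_entity_id, own_acs, own_entity_id,
                      now, skew=timedelta(seconds=60)):
    """Return the failed checks; an empty list means the response is acceptable."""
    problems, resp = [], ET.fromstring(xml_text)
    if resp.get("InResponseTo") != request_id:  # unsolicited or replayed response
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    code = resp.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = resp.find(f"{SAML}Assertion")
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    for iss in (resp.find(f"{SAML}Issuer"), assertion.find(f"{SAML}Issuer")):
        if iss is None or iss.text != idp_entity_id:  # the IDP we sent the request to, per metadata
            problems.append("Issuer is not the expected IDP")
    scd = assertion.find(f"{SAML}Subject/{SAML}SubjectConfirmation/{SAML}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != own_acs or scd.get("InResponseTo") != request_id:
        problems.append("SubjectConfirmationData is not bound to this SP's ACS and request")
    cond = assertion.find(f"{SAML}Conditions")
    if cond is None:
        return problems + ["Assertion has no Conditions"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_instant(nb):
        problems.append("Assertion not yet valid (NotBefore)")
    if not noa or now - skew >= parse_instant(noa):  # an old assertion being replayed
        problems.append("Assertion expired or has no NotOnOrAfter")
    if own_entity_id not in [a.text for a in cond.iter(f"{SAML}Audience")]:
        problems.append("Audience does not include this SP")
    return problems
```

The same response presented ten minutes later, or against a different request ID, is rejected by the time-window and InResponseTo checks respectively.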

Federation Architecture (diagram): three topologies, 1-1 (each IDP paired with one SP), n x n (every IDP connected to every SP) and n + n (every IDP and every SP connected once to a central hub labelled CFC).

IDP Discovery: Where are you from?

SP Metadata

  <EntityDescriptor ... entityID="http://sp.org/saml2/sp/metadata.php">
    <SPSSODescriptor ...>
      ...
      <AssertionConsumerService ... Location="http://sp.org/saml2/sp/AssertionConsumerService.php"/>
    </SPSSODescriptor>
  </EntityDescriptor>

IDP Metadata

  <EntityDescriptor ... entityID="http://idp.org/saml2/idp/metadata.php">
    <IDPSSODescriptor ...>
      <KeyDescriptor>
        <ds:KeyInfo ...>...</ds:KeyInfo>
      </KeyDescriptor>
      ...
      <SingleSignOnService ... Location="http://idp.org/saml2/idp/SSOService.php"/>
    </IDPSSODescriptor>
    ...
  </EntityDescriptor>

Federation Metadata

  <EntityDescriptor ... entityID='sfs.surfnet.nl' ID='...'>
    <ds:Signature>...</ds:Signature>
    <SPSSODescriptor ...>
      <KeyDescriptor use='signing'>
        <ds:KeyInfo>...</ds:KeyInfo>
      </KeyDescriptor>
      ...
      <AssertionConsumerService ... Location='https://SP.esample.org/saml20'/>
    </SPSSODescriptor>
    <IDPSSODescriptor ...>
      <KeyDescriptor use='signing'>
        <ds:KeyInfo>...</ds:KeyInfo>
      </KeyDescriptor>
      ...
      <SingleSignOnService Location='https://IDP.example.org/saml20'/>
    </IDPSSODescriptor>
  </EntityDescriptor>
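The three metadata documents above are what an SP or IDP turns into its trust table: which entityIDs exist, which signing keys they publish, and which endpoints may be used. The following is an added example, not code from the slides or from SURFnet: a constructed federation metadata fragment modelled on the one above (the gateway entity in both roles, with placeholder signature and key contents) and a parser that refuses unsigned metadata and extracts per-role key presence and endpoints. Verifying the ds:Signature itself is left to an XML-DSig library.

```python
# Added example (not the slides' code): reading signed federation metadata like the
# fragment above into the trust table an SP or IDP keeps; element layout is assumed.
# Verifying ds:Signature itself is left to an XML-DSig library.
import xml.etree.ElementTree as ET
MD, DS = "{urn:oasis:names:tc:SAML:2.0:metadata}", "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed sample modelled on the Federation Metadata slide (one gateway entity in both roles)
FED_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="sfs.surfnet.nl" ID="md-1">
 <ds:Signature>signature-placeholder</ds:Signature>
 <SPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo>key-placeholder</ds:KeyInfo></KeyDescriptor>
  <AssertionConsumerService Location="https://SP.example.org/saml20"/></SPSSODescriptor>
 <IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo>key-placeholder</ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Location="https://IDP.example.org/saml20"/></IDPSSODescriptor>
</EntityDescriptor>"""
ROLES = (("sp", "SPSSODescriptor", "AssertionConsumerService"),
         ("idp", "IDPSSODescriptor", "SingleSignOnService"))

def trust_table(xml_text):
    """Map entityID -> per-role signing-key presence and endpoint URLs.
    Unsigned metadata is refused: the operator's signature is the trust anchor."""
    root = ET.fromstring(xml_text)
    if root.find(f"{DS}Signature") is None:
        raise ValueError("federation metadata is not signed")
    table = {}
    for ent in root.iter(f"{MD}EntityDescriptor"):  # the root itself, or each entity of an EntitiesDescriptor
        entry = {}
        for role, descriptor, endpoint in ROLES:
            desc = ent.find(f"{MD}{descriptor}")
            if desc is None:
                continue  # entity does not act in this role
            # a KeyDescriptor without 'use' is valid for both signing and encryption
            keys = [k for k in desc.iter(f"{MD}KeyDescriptor") if k.get("use") in (None, "signing")]
            entry[role] = {"signing_key": any(k.find(f"{DS}KeyInfo") is not None for k in keys),
                           "endpoints": [e.get("Location") for e in desc.iter(f"{MD}{endpoint}")]}
        table[ent.get("entityID")] = entry
    return table
```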

Case study:

SURFfederatie: Identity Providers

SURFfederatie: Service Providers

Federation Gateway (diagram): the SURFfederation service sits as a gateway between IDPs and SPs, speaking A-Select Cross, SAML 2.0, Shibboleth and WS-Fed / ADFS towards either side.

Connections
- Federation Protocols
  - IDP: SAML 2.0 (5), ADFS (15), A-Select (10)
  - SP: SAML 2.0 (5), Shibboleth 1.3 (5), A-Select (3)
- Federation Products: Microsoft ADFS, Shibboleth (1/2), A-Select, Novell Access Manager, simplesamlphp, Oracle IdM, PingFederate

Authentication Redirect Flow (sequence diagram): participants are the browser, the web service / SP, SFS, the IDP and the authentication backend (LDAP/Radius/..). Messages in order: request, auth request, SSO 1 request, SSO 2 request, backend authentication (LDAP/Radius/..), SSO 2 response, SSO 1 response, auth response, access & attributes. (C) 2007-2009 SURFnet B.V.

Experiences
- Multi-protocol abilities speed up institutional deployment: fits in their home ICT environment (!= Java, = Microsoft)
- Identity-as-a-Service: service provider issues (metadata updates, attribute release policies) are handled for IDPs
- SAML 2.0 implementations are hard (specs/products/knowledge) -> slow SP take-up
- Scalability is ok: up to national level
- Trust model of a centralized federation is functionally equivalent to distributed federations: the federation operator is the TTP (signed responses vs. signed metadata)

Future Developments
- Web services (gateway as WS-Trust STS!)
- Cross-layer identity (unified SSO)
- Identity-as-a-Service extensions
- User-centric privacy extensions: user consent
- Microsoft Geneva
- SURFnet services: OpenID
- Confederations: Kennisnet, EduGAIN

Key Benefits
- For users: Single Login, Single Sign-on
- For IDPs: use credentials within own domain exclusively
- For SPs: out-sourcing of authentication and authorisation based on pre-established trust