Developing Applications for SSO




Developing Applications for SSO
Justen Stepka, Authentisoft, LLC
www.authentisoft.com

Overview
- Introduction
- What is SSO
- Designing and Implementing for SSO environments
- Available Solutions

Introduction
Justen Stepka, Principal and Founder of Authentisoft, LLC.
- Hibernate: Hibernate documentation manager.
- O'Reilly author: contributing author of Java Database Programming Best Practices; various articles for the O'Reilly website.
- JDJ guest writer.
- Open Symphony Project.

The Problem
- Web applications have grown over the years to support various business processes.
- These applications have expanded to support a growing number of users, groups and roles.
- Most of these applications' administration functions are controlled by a small subset of internal users with permissions to access additional functionality; they become the gatekeepers for the security information and application deployment attributes.
- The administrative burden grows with the number of such systems deployed.

What is Single Sign-On
- Different views on what SSO is.
- Authentication versus Authorization.

SSO Definition
SSO has two definitions, depending on your ultimate deployment goals:
- A central repository where username and credential information are kept and then used by all subscribing applications for authentication.
- When a principal authenticates with one node of the system, they are assigned a token. Other applications can then use this token to validate that the user is who they claim to be, and with it the principal bypasses the authentication process.

Authentication versus Authorization
- Authentication is the process of verifying the user's identity. Typically this involves obtaining a username and password; other forms of credentials may be used, such as scan cards or biometric devices.
- Authorization is the process of verifying whether a user has access to a protected resource.

The End Goal
- Authentication is to be performed in a single, pluggable fashion.
- This permits your Java applications to remain independent of the underlying authentication technologies.
- New or updated technologies can then be plugged in without requiring modifications to the application itself.

SSO Benefits
- Termination of an account is cascaded across all applications.
- Simplified authentication approach.
- Removes the burden of continuously solving the same problem over again.
- Identity information does not have to be replicated between applications.
- Reduced number of authentication credentials for a principal.
- Removes the need to remember multiple credentials, which otherwise results in reused passwords.

When to use SSO
- A single principal store exists for storing principals: Active Directory, Open Directory, or custom database tables.
- 1+n applications.
- Every company is different; at the end of the day it is about ease of maintenance.

Acme Corporation Example
- Active Directory Windows environment for the desktop.
- Database storing customer information.
- Web inventory management application.
- Public website where customers order ACME widgets.
- Intranet applications where company information is posted for employees.
- Issue tracking software where customers log widget defects.
- Forum system software where customers receive support for their widgets.

Acme Corporation Deployment Diagram

Acme Corporation SSO Benefits
- Customers share authentication between the public website, issue tracking, and forum system.
- Employees are able to access all applications with their Active Directory account.

How Applications are picked for ACME Corp
- ACME Corporation selected Jive and JIRA for the support they offer for integrating third-party authentication systems.
- Forward-thinking applications these days provide authentication interfaces to support external users: they use an LDAP connector and provide an interface for implementing custom connectors.

Application and Open Source Call to Arms
- Interoperability between separate open-source applications will help spread open source.
- At a minimum, provide an LDAP connector option.
- For smaller corporations, or those running at datacenters, LDAP may be too costly or overkill.
- Provide an interface option; this is a more elegant and flexible solution.

Designing for SSO
When designing an application to support external authentication or authorization, there are a few natural breaks in functionality:
- Authentication: the process of verifying the credentials provided by the requesting principal.
- Authorization: determining whether a requesting principal has access to a specific resource through a group or role.
- Profile Management: the personal details and preferences associated with a principal.
- Resources Management: creating, modifying, and deleting the security rules and relationships.

Breaking Functionality Out
- Breaking functionality out enables wider deployment integration.
- Not all deployments may be able to support all aspects of functionality. A deployment might be able to read authentication and authorization rules but not write to the directory server; storing profile information would then need to be kept internal to the application.
- Using an interface system allows your customers to easily implement their own security architecture into your application.

Interface Examples
The examples here are as simple as possible; additional Exceptions often help with workflow-related issues. It is important to remember that as you add complexity to an already complex problem, the difficulty of implementing the solution seems to go up ten-fold. An existing interface system is OSUser, developed and maintained by the Open Symphony group at http://www.opensymphony.com/.

Authentication Interface

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public interface Authentication {
    // Verify the credentials and return a token the principal can present to other applications
    String authenticate(String username, char[] password) throws AuthenticationException;

    // Same, with access to the request/response (for example, to set a cookie carrying the token)
    String authenticate(String username, char[] password,
                        HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException;

    // Check that a previously issued token is still valid for this request
    boolean isValidToken(String token, HttpServletRequest request, HttpServletResponse response);
}
```

Authorization Interface

```java
import java.util.List;

public interface Authorization {
    boolean isGroupMember(String username, String group);
    List<String> listGroups();                 // all groups known to the directory
    List<String> listGroups(String username);  // groups the principal belongs to
}
```

Profile Interface

```java
public interface Profile {
    void addAttribute(String username, String key, String value);
    void removeAttribute(String username, String key);
    String getAttribute(String username, String key);
}
```

Management Interface

```java
public interface Management {
    void addPrincipal(String username, char[] password) throws InvalidPrincipalException;
    void removePrincipal(String username);
    void changePassword(String username, char[] password) throws InvalidCredentialException;
    void addToGroup(String username, String group);
    void removeFromGroup(String username, String group);
}
```

Using the Interfaces
The simplest approach is to load the implementations off a deployment descriptor using the DAO Factory Model. This allows you to load implementations at run time, giving you the ability to quickly connect applications to new or existing directory services.
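As an added example (not code from the talk or from OSUser), here is one way to apply the DAO Factory approach just described: the implementation class is named in a deployment descriptor (modelled as a Properties object; the key name authentication.impl and the in-memory connector are assumptions), loaded reflectively at run time, and exercised through the Authentication interface. The servlet-aware overloads are left out so the file runs stand-alone with `java SecurityFactory.java`.

```java
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
// Added example: a DAO-style factory that loads the Authentication implementation named
// in a deployment descriptor (a Properties object; the key "authentication.impl" is assumed).
public final class SecurityFactory {
    public static Authentication loadAuthentication(Properties descriptor) throws Exception {
        String impl = descriptor.getProperty("authentication.impl");
        if (impl == null) throw new IllegalStateException("authentication.impl is not set");
        // asSubclass() rejects a configured class that does not implement the interface
        return Class.forName(impl).asSubclass(Authentication.class).getDeclaredConstructor().newInstance();
    }
    public static void main(String[] args) throws Exception {
        Properties descriptor = new Properties();              // constructed descriptor
        descriptor.setProperty("authentication.impl", InMemoryAuthentication.class.getName());
        Authentication auth = loadAuthentication(descriptor);
        char[] password = "s3cret".toCharArray();
        String token = auth.authenticate("alice", password);
        Arrays.fill(password, '\0');                            // scrub the credential after use
        System.out.println(auth.isValidToken(token) + " " + auth.isValidToken("bogus")); // true false
    }
}
class AuthenticationException extends Exception { AuthenticationException(String m) { super(m); } }
// Same shape as the talk's Authentication interface, without the servlet-aware overloads
interface Authentication {
    String authenticate(String username, char[] password) throws AuthenticationException;
    boolean isValidToken(String token);
}
// Constructed in-memory connector standing in for a directory-backed one
final class InMemoryAuthentication implements Authentication {
    private final Map<String, char[]> users = Map.of("alice", "s3cret".toCharArray());
    private final Map<String, String> tokens = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    public String authenticate(String username, char[] password) throws AuthenticationException {
        char[] expected = users.get(username);
        if (expected == null || !constantTimeEquals(expected, password))
            throw new AuthenticationException("invalid credentials");
        byte[] raw = new byte[32]; random.nextBytes(raw);       // unguessable opaque token
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, username);
        return token;
    }
    public boolean isValidToken(String token) { return token != null && tokens.containsKey(token); }
    // Constant-time compare so response timing does not leak how much of the password matched
    private static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < Math.min(a.length, b.length); i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Swapping the descriptor value for an LDAP-backed class that implements the same interface changes the directory without touching application code, which is the point of the factory approach.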

Existing Approaches
Open Source
- JAAS: Java Authentication and Authorization Service.
- JOSSO: open source gateway connector to LDAP.
Commercial
- IDX
- SiteMinder
- Oblix
- Tivoli