Enabling Applications to Use Your Identity Management System



Similar documents
Using Kerberos for Web Authentication. Wesley Craig University of Michigan

An Open Source Wide-Area Distributed File System. Jeffrey Eric Altman jaltman *at* secure-endpoints *dot* com

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

CloudCERT (Testbed framework to exercise critical infrastructure protection)

Development and deployment of integrated attribute based access control for collaboration

Single Sign-on (SSO) technologies for the Domino Web Server

Federated AAA middleware and the QUT SSO environment

Oracle Platform Security Services & Authorization Policy Manager. Vinay Shukla July 2010

Middleware integration in the Sympa mailing list software. Olivier Salaün - CRU

Identity Management. (Re)discovering authorization APIs and LDAP model binding. Clément OUDOT

Using SAP Logon Tickets for Single Sign on to Microsoft based web applications

From centralized to single sign on

TIBCO Spotfire Platform IT Brief

S P I E Information Environments Shibboleth and Its Integration into Security Architectures. EDUCAUSE & Internet 2 Security Professionals Conference

Shibboleth Identity Provider (IdP) Sebastian Rieger

Connecting Web and Kerberos Single Sign On

Integrating Multi-Factor Authentication into Your Campus Identity Management System

DAMe Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture

Authentication and access control in Sympa mailing list server

Globus Toolkit: Authentication and Credential Translation

AA enabling a closed source legacy application

Centralized Oracle Database Authentication and Authorization in a Directory

CERN, Information Technology Department

IDENTITY MANAGEMENT ROLLOUT: IN A HURRY. Jason Blackader, UNIX Systems Administrator

Entitlements Access Management for Software Developers

Authentication and access control in Sympa mailing list software

Guide to SASL, GSSAPI & Kerberos v.6.0

OPENIAM ACCESS MANAGER. Web Access Management made Easy

FreeIPA 3.3 Trust features

Crawl Proxy Installation and Configuration Guide

Session Code*: 0310 Demystifying Authentication and SSO Options in Business Intelligence. Greg Wcislo

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA

Spring Security 3. rpafktl Pen source. intruders with this easy to follow practical guide. Secure your web applications against malicious

External Identity and Authentication Providers For Apache HTTP Server

OpenHRE Security Architecture. (DRAFT v0.5)

Identity Management. Manager, Identity Management. Academic Technology Services. Michigan State University Board of Trustees

September 9 11, 2013 Anaheim, California 507 Demystifying Authentication and SSO Options in Business Intelligence

Oracle Identity Manager (OIM) as Enterprise Security Platform - A Real World Implementation Approach for Success

How To Get A Single Sign On (Sso)

Open-source Single Sign-On with CAS (Central Authentication Service)

ovirt Introduction James Rankin Product Manager Red Hat Virtualization Management the ovirt way

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at the University of Pennsylvania

Configuring User Identification via Active Directory

Red Hat Enterprise ipa

Apache Authentication, Authorization, and Access Control Concepts Version 2.2

Integration of Office 365 with existing faculty SSO

Advanced Configuration Steps

Approaches and challenges for a SSO enabled extranet using Jasig CAS. Florian Holzschuher René Peinl

Single Sign-On Architectures. Jan De Clercq Security Consultant HPCI Technology Leadership Group Hewlett-Packard

Authentication Methods

SAP Business Objects Security

SSO Plugin. Release notes. J System Solutions. Version 3.6

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

Approaches to Enterprise Identity Management: Best of Breed vs. Suites

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Windows Security and Directory Services for UNIX using Centrify DirectControl

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

User Identification (User-ID) Tips and Best Practices

IDENTITY MANAGEMENT AND WEB SECURITY. A Customer s Pragmatic Approach

Using the MyProxy Online Credential Repository

APIs The Next Hacker Target Or a Business and Security Opportunity?

mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG mkasper@monzoon.net

The Role of Federation in Identity Management

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

Commercially Proven Trusted Computing Solutions RSA 2010

Single Sign-On for the UQ Web

Step- by- Step guide to Configure Single sign- on for HTTP requests using SPNEGO web authentication

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

SchoolBooking SSO Integration Guide

Single Sign-On. Security and comfort can be friend. Arnd Langguth. September, 2006

CERN Single Sign On. Emmanuel Ormancey CERN IT/IS. CERN IT Department CH-1211 Genève 23 Switzerland

Federated Authentication and Credential Translation in the EUDAT Collaborative Data Infrastructure

IGI Portal architecture and interaction with a CA- online

Quality Management Consultancy

Implementing Microsoft Azure Infrastructure Solutions

Single Sign On In A CORBA-Based

Perceptive Experience Single Sign-On Solutions

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Single sign-on enabled OpenCms

Transcription:

Enabling Applications to Use Your Identity Management System Or Why Mark began losing his hair at age 23 Mark Earnes# The Pennsylvania State University

Where We Are Coming From Authentication: Kerberos V (DCE) - aka Access Accounts Friends of Penn State Kerberos realm Authorization: Mostly application specific (user lists), some DCE group usage No web initial sign on Thankfully, the vast majority of Penn State uses the centrally managed Access Accounts

Central Authorization Today DCE Groups Provisioning occurs via a variety of means: Triggered automatically - eg: new student registration Controlled Manually - eg: User Managed Groups Delegated authority to manage these groups

Central Authorization Tomorrow IBM Secureway LDAP LDAP Groups Attributes & Groups (where each makes sense) Retain User Managed Groups and delegated authority Direct LDAP calls? Shib-like Attribute Authority?

Case Study: Portal & Webmail Penn State Portal and Webmail Authentication and Authorization are handled at the web server via mod_auth_dce AuthN/AuthZ easily changed to a single sign on archecture that uses Apache modules Only sticking point is that DFS is required. SSO must be able to pass a credential that can be converted into a DCE context

Case Study: elion & Angel elion - Student and Faculty Portal UserID and password are obtained via a web form and passed off onto a DLL that authenticates via DCE - DCE creds needed for RPC call Angel - Course Management System Similar to elion, but does not require credentials Both require Friends of Penn State integration

Case Study: ISIS & IBIS ISIS & IBIS - Student and business logic Relies on front end to provide authentication Authorization is done via user lists stored in local database. (IdM stone age) Complete re-architecture required to integrate with modern identity management system

Migration Solutions: Cosign Web based initial sign on architecture using Kerberos V Drop in web module for Apache or IIS Capable of issuing Kerberos service tickets Current direction for Webmail, Portal, and elion

Making Cosign Work For Us Current requirements include access to DFS space (Portal, Webmail) and the ability to make an authenticated DCE RPC call (elion) Using Paul Henson s DCE/OpenSSL patches, we modified cosign to convert K5 creds to DCE We also modified the Cosign ISAPI module to request K5 tickets We plan to modify Cosign to use our Friends of Penn State realm as well

Portal & Webmail Solutions Cosign with DCE credential conversion code. Still dependent on DCE/DFS Future plans include LDAP based authorization and neutral distributed filesystem requirements

Potential Angel Solutions Cosign + LDAP LDAP portion needs to be written Shibboleth Already exists and works Is protecting attributes internally overkill? Either Solution requires significant work

Potential IBIS & ISIS Solution Server Broker component receives a K5 ticket from front end and calls a Policy Decision Module Possibly XACML based policy descriptions Validates ticket and retrieves LDAP attributes Makes authorization decision before control is passed into the legacy applications

IBIS & ISIS Difficulties Typical nightmare application case: very old code, limited programmers, and mission critical applications Natural & ADABAS use their own authn/ authz routines for access control and record locking Hard sell. Often no perceived need for this kind of architecture

Future LDAP Plans New Group Types Dynamic Groups - Auto-generated based on results of a query Nested Groups - Groups inside groups Hybrid Groups - A combination of static, dynamic, and nested Fine grained access control to group lists

Signet? Grouper? We are watching these applications closely Grouper appears to duplicate the functionality we have built that assembles group membership data from various sources We are watching more for ideas for our own system Signet is interesting to us because we currently do identity based group management, not role based

Additional Tricks SASL-CA Similar to the KCA (kx509) but uses SASL to negotiate authentication method Signs a short term client cert (digitalsignature key extension) Cert can contain identifying information, or a Shibboleth persistent opaque handle for use with Attribute Authority Originally developed as part of the Lionshare project

Questions/Comments My Email: mxe20@psu.edu Presentation URL: http://www.personal.psu.edu/mxe20 Thank you :)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information