Authentication Methods



Similar documents
Configuring User Identification via Active Directory

VERALAB LDAP Configuration Guide

Egnyte Single Sign-On (SSO) Installation for OneLogin

NSi Mobile Installation Guide. Version 6.2

F-Secure Messaging Security Gateway. Deployment Guide

SAML-Based SSO Solution

Getting Started with AD/LDAP SSO

Configuring Sponsor Authentication

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

ADFS Integration Guidelines

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Agenda. How to configure

Jive Connects for Microsoft SharePoint: Authentication Scenarios

Authentication Integration

How to Configure Active Directory based User Authentication

LDAP User Guide PowerSchool Premier 5.1 Student Information System

Deploying RSA ClearTrust with the FirePass controller

To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to work with each other.

CA Nimsoft Service Desk

Single Sign On for ShareFile with NetScaler. Deployment Guide

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Configuring EPM System for SAML2-based Federation Services SSO

NetBeat NAC Version 9.2 Build 4 Release Notes

Cloud Services. Sharepoint. Admin Quick Start Guide

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

Configuring and Using the TMM with LDAP / Active Directory

Dynamic DNS How-To Guide

SchoolBooking SSO Integration Guide

SCADA Security. Enabling Integrated Windows Authentication For CitectSCADA Web Client. Applies To: CitectSCADA 6.xx and 7.xx VijeoCitect 6.xx and 7.

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x

Active Directory Integration. Documentation. v1.02. making your facilities work for you!

IIS, FTP Server and Windows

Setting Up Scan to SMB on TaskALFA series MFP s.

Basic Configuration. Key Operator Tools older products. Program/Change LDAP Server (page 3 of keyop tools) Use LDAP Server must be ON to work

Click Studios. Passwordstate. Installation Instructions

Setup Corporate (Microsoft Exchange) . This tutorial will walk you through the steps of setting up your corporate account.

Flexible Identity Federation

TIBCO Spotfire Platform IT Brief

Computer Services Documentation

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

SchoolBooking LDAP Integration Guide

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Configuring. Moodle. Chapter 82

Office 365 deployment checklists

Please return this document to when complete.

Getting Started with Clearlogin A Guide for Administrators V1.01

Field Description Example. IP address of your DNS server. It is used to resolve fully qualified domain names

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

Authentication and Single Sign On

From centralized to single sign on

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

Skyward LDAP Launch Kit Table of Contents

NAS 206 Using NAS with Windows Active Directory

Using LDAP Authentication in a PowerCenter Domain

Contents. Before You Install Server Installation Configuring Print Audit Secure... 10

Administrator Guide. v 11

Client configuration and migration Guide Setting up Thunderbird 3.1

Active Directory Integration

Creating Custom Nameservers Contents

Click Studios. Passwordstate. Installation Instructions

How to Enable LDAP Directory Services Authentication to Microsoft Active Directory in the HP cclass Onboard Administrator

Livezilla How to Install on Shared Hosting By: Jon Manning

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

Copyright: WhosOnLocation Limited

Advanced Configuration Administration Guide

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

PriveonLabs Research. Cisco Security Agent Protection Series:

Folder Proxy + OWA + ECP/EAC Guide. Version 2.0 April 2016

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Quick Start Guide Sendio Hosted

Authentication and access control in Sympa mailing list server

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

Content Filtering Client Policy & Reporting Administrator s Guide

Flexible Identity Federation

VMware Identity Manager Administration

App Orchestration 2.0

This guide identifies two possible enterprise integration scenarios for NetScaler and Azure AD.

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

HP Software as a Service. Federated SSO Guide

Wireless Setup for Windows 8

Install SQL Server 2014 Express Edition

Authentication and access control in Sympa mailing list software

IGEL Linux and Microsoft Remote Desktop Connection Broker 2012 R2

Shibboleth User Verification Customer Implementation Guide Version 3.5

netld External Authentication Setup Guide

MadCap Software. Upgrading Guide. Pulse

Office 365 deploym. ployment checklists. Chapter 27

Using LDAP for User Authentication

NF3ADV VoIP Setup Guide (for TPG)

NETASQ ACTIVE DIRECTORY INTEGRATION

Setting up Sharp MX-Color Imagers for Inbound Fax Routing to or Network Folder

Transcription:

Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the standard process to create an administrator or user in OU Campus. The administrator can create matching users in OU Campus for every LDAP user. There are three supported LDAP security options and two types of supported distinguished names (DNs). When logging in, users will still log in through the normal OU Campus login interface. The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user identification and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. When logging in, users are redirected to the CAS authentication page from where they can enter their credentials. Standard Shibboleth Native Service Provider (SP) software integrates with OU Campus. User accounts are created and managed in OU Campus to establish workflow and permission levels; Shibboleth is used to authenticate only. When logging in, users are redirected to the Identity Provider (IdP) page to authenticate. OU Campus verifies that the user identification attribute defined returned by the IdP matches the username of an OU Campus user. LDAP When a user logs in to OU Campus, they visit a login page housed on the application server that holds their account. The server may be located in the OmniUpdate server farm (for OU SaaS hosting solutions) or in the server located at the institution (for Enterprise customers). The user enters their login credentials, which are then passed back to the OmniUpdate server using SSL encryption. OU Campus first looks up the username in its local database. If a matching user is not found, access is denied. If the user is found, the system attempts to authenticate the user. If LDAP information is specified for the account, the OU Campus server attempts to bind to the sever specified with the given DN, and the password submitted by the user at log in time. The OU Campus user is granted access only if the bind is successful. Creating LDAP Users in OU Campus To create an LDAP user in OU Campus, follow the same process for creating any user or administrator. 1. From the OU Campus interface, when logged in as a Level 10 administrator, navigate to Setup > Users. 2. Click the New button. 3. Complete the new user form, leaving the Password field in the User Information panel blank. 4. Fill in the LDAP Configuration fields, which are as follows: Authentication Type: LDAP security level or authorization type Hostname: LDAP server hostname or IP OU Campus Authentication Methods Page 1 of 5

DN: The user's unique distinguished name (DN) There are three supported security options for Authentication Type when using LDAP with OU Campus. Each supported option uses the simple method of binding. The options for Authentication Type are: Simple: When using the Simple method, the LDAP session is conducted in plain text, without encryption. Simple (SSL): When using SSL encryption, OmniUpdate needs to install a copy of the customer's X.509 public certificate on the OmniUpdate server. The SSL method is commonly used in many LDAP installs, including installs utilizing Microsoft's Active Directory. Simple (StartTLS): The StartTLS security method is also supported by OmniUpdate. There are generally two types of DNs that can be used with OU Campus. The first is the standard LDAP DN, comprising of relative distinguished names (RDN), which looks similar to this: CN=FirstName LastName,OU=Staff,DC=domain,DC=edu The second type of DN looks like an email address. Usually this format is seen in a Microsoft Active Directory environment. A DN for Active Directory might look similar to this: user@domain.edu. CAS The Central Authentication Service (CAS) protocol involves at least three parties: a client web browser, the web application requesting authentication, and the CAS server. It may also involve a back-end service, such as a database server, that does not have its own HTTP interface but communicates with a web application. When the client visits an application desiring to authenticate to it, the application redirects it to the CAS server. CAS validates the client's authenticity, usually by checking a username and password against a database (such as SQL or Active Directory). If the authentication succeeds, CAS returns the client to the application by passing along a security ticket. The application then validates the ticket by contacting CAS over a secure connection and providing its own service identifier and the ticket. CAS then gives the application trusted information about whether a particular user has successfully authenticated. Configuring OU Campus for CAS When a user logs in to OU Campus directly, they visit a login page housed on the application server that holds their account. The server may be located in the OmniUpdate server farm (for OU SaaS hosting solutions) or in the server located at the institution (for Enterprise customers). The user enters their login credentials, which are then passed back to the OmniUpdate server using SSL encryption. If an institution desires to use CAS authentication in place of the built-in authentication method, the institution must provide their CAS server's SSL certificate, as well as their CAS login and logout page URLs. The CAS server s SSL certificate must be installed on the OmniUpdate server before OU Campus will be able to authenticate via CAS. OU Campus Authentication Methods Page 2 of 5

When CAS is configured, users will then be redirected to the CAS login and logout pages when logging in and logging out, respectively, as opposed to the standard OU Campus login page. CAS then authenticates, compares the username with the usernames configured in OU Campus and, if everything validates, the user is granted access to OU Campus. If OU Campus is configured with a CAS URL, any password and LDAP information that has been configured for OU Campus users is ignored. OU Campus usernames must match usernames on the CAS server in order to be authenticated and logged in via CAS. All user levels, including level 10 admins, are authenticated through CAS. However, users in the SuperAdmin interface are separate entities; they do not use CAS server to authenticate and must either use the standard authentication method or LDAP. Creating CAS Users in OU Campus OmniUpdate s CAS authentication module is very easy to use. A level 10 administrator creates a matching user in OU Campus for every CAS user that will log in to the system. Since users are administrated at the Account level in OU Campus, CAS is also enabled at the Account level. When CAS is enabled, all users within an OU Campus account no matter what site within it they are attempting to access will be redirected to the CAS login page. To create a CAS user in OU Campus, follow the same process as for creating any other user, with the exception of leaving the password and LDAP fields blank. 1. First, as a level 10 administrator, ensure that CAS is configured correctly by navigating to Setup > Account. 2. In the Login Page panel, configure the CAS or Shibboleth URL and Logout URL fields. 3. Once CAS has been configured, navigate to Setup > Users to create new users who will authenticate over CAS. 4. Click the New button. 5. Complete the new user form, leaving the Password field in the User Information field blank. The OU Campus username must match the user's CAS ID. Shibboleth Shibboleth operates in a similar manner to CAS, in that users will be redirected to an external server to authenticate before accessing OU Campus. Since users are administrated at the Account level in OU Campus, Shibboleth is also enabled at the Account level. When Shibboleth is enabled, all users within an OU Campus account no matter what site within it they are attempting to access will be redirected to the IdP. Each account can have a separate IdP specified. Requirements for Shibboleth Authentication Integration The requirements for Shibboleth authentication integration are: Be a member of the InCommon Federation (http://incommon.org). OmniUpdate is a member and InCommon acts as a broker between the OmniUpdate service provider (SP) and the identity provider. Release user ID attribute to the OmniUpdate service provider. OU Campus Authentication Methods Page 3 of 5

OU Campus integrates with standard Shibboleth service provider software, which is not specific to OmniUpdate and uses the mod_shib extension for Apache (or its IIS equivalent). The service provider metadata will be included in that installation. Configure the Service Provider and OU Campus Once installed, the following steps must be taken to configure the Shibboleth service provider software: Included in the OU Campus WAR is a JSP for Shibboleth support, located under /secure. The file can be adjusted for specific configuration parameters. Assuming that the Shibboleth service provider is set up and working properly, the next steps must be taken to set up OU Campus: 1. Place the JSP into the /secure directory of the installation. 2. Open two different web browsers (e.g., Firefox and Chrome). To easily test Shibboleth integration, have one session to the system that stays open, and another that does not and therefore must authenticate. 3. Update the OU Campus account to use Shibboleth authentication. As a level 10 user (or from the SuperAdmin interface), navigate to Setup > Account (or click on the desired account in SuperAdmin). 4. In the Login Page panel, configure the CAS or Shibboleth URL field. Point to the file shib:/ secure/shibboleth.jsp (file name for the JSP file may vary). 5. Configure the Logout URL field as well. 6. Save the changes. This setting takes effect immediately and takes over authentication for that OU Campus account and all sites inside the account. It is not possible to have one user authenticate using Shibboleth and another authenticating using CAS, LDAP, or the standard authentication. Multiple accounts may all use the same JSP file, if linking to the same IdP, or each have their own JSP file for different IdPs. Testing Authentication To test Shibboleth authentication, attempt a log in to edit a page from that account in a separate browser. For example (substituting the appropriate values for the domain, skin, and account): http://oucampus.school.edu/skin/login.jsp?user=account This redirects to the Where are You From (WAYF) service, at which point one can choose the IdP, authenticate there, and be redirected back to OU Campus. If a link is made between the provided user name and an OU Campus user name, then access is granted. Creating Shibboleth Users in OU Campus To create a Shibboleth user in OU Campus, follow the same process as for creating any other user, with the exception of leaving the password and LDAP fields blank. 1. As a level 10 administrator in OU Campus, navigate to Setup > Users. 2. Click the New button. OU Campus Authentication Methods Page 4 of 5

3. Complete the new user form, leaving the Password field in the User Information panel blank. The OU Campus username must match the user's Shibboleth ID. OU Campus Authentication Methods Page 5 of 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information