Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

Similar documents
University of Guelph. developing applications with D2L WebServices & SSO

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

Web Based Single Sign-On and Access Control

SAML and OAUTH comparison

Using SAML for Single Sign-On in the SOA Software Platform

Flexible Identity Federation

Lecture Notes for Advanced Web Security 2015

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Integrating Apex into Federated Environment using SAML 2.0. Jon Tupman Portalsoft Solutions Ltd

Copyright Pivotal Software Inc, of 10

ACR Connect Authentication Service Developers Guide

How to Extend Identity Security to Your APIs

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

The increasing popularity of mobile devices is rapidly changing how and where we

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

How to create a SP and a IDP which are visible across tenant space via Config files in IS

Axway API Gateway. Version 7.4.1

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

Easy as 1-2-3: The Steps to XE. Mark Hoye Services Portfolio Consultant

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

Mobile Security. Policies, Standards, Frameworks, Guidelines

Title page. Alcatel-Lucent 5620 SERVICE AWARE MANAGER 13.0 R7

Enterprise Access Control Patterns For REST and Web APIs

Mobile Identity and Edge Security Forum Sentry Security Gateway. Jason Macy CTO, Forum Systems

SAML-Based SSO Solution

Creating federated authorisation

Agenda. Federation using ADFS and Extensibility options. Office 365 Identity overview. Federation and Synchronization

HOL9449 Access Management: Secure web, mobile and cloud access

SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

How To Use Saml 2.0 Single Sign On With Qualysguard

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Fairsail REST API: Guide for Developers

An Oracle White Paper Dec Oracle Access Management OAuth Service

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

The Challenges of Web single sign-on

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

OpenID Deutsche telekom. Dr. Torsten Lodderstedt, Deutsche Telekom AG

Building Secure Applications. James Tedrick

Integration Overview. Web Services and Single Sign On

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Cloud Elements ecommerce Hub Provisioning Guide API Version 2.0 BETA

Flexible Identity Federation

Toward campus portal with shibboleth middleware

SAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun

A Standards-based Mobile Application IdM Architecture

Introduction to SAML

Saba Cloud. Overview of SSO for mobile applications

Enable Your Applications for CAC and PIV Smart Cards

Authentication and Authorization for Mobile Devices

Enabling SSO for native applications

Middleware integration in the Sympa mailing list software. Olivier Salaün - CRU

Authentication Integration

The saga of WebFTS and Federated Identity

Simple Cloud Identity Management (SCIM)

Разработка программного обеспечения промежуточного слоя. TERENA BASNET Workshop, November 2009 Joost van Dijk - SURFnet

WHITEPAPER. NAPPS: A Game-Changer for Mobile Single Sign-On (SSO)

This section includes troubleshooting topics about single sign-on (SSO) issues.

Virtualization and Cloud Computing

Providing Single Signon (SSO) with Enterprise Identity Services and Directory Integration

Egnyte Single Sign-On (SSO) Installation for OneLogin

It is I, SAML. Ana Mandić Development Five Minutes Ltd

Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

Software Design Document SAMLv2 IDP Proxying

Integrating Multi-Factor Authentication into Your Campus Identity Management System

Get a Whiff of WIF Windows Identity Foundation. Keith Brown

Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough

SAML SSO Configuration

Single Sign On. SSO & ID Management for Web and Mobile Applications

Federated Identity and Single Sign-On using CA API Gateway

TrustedX: eidas Platform

Integrating CRM On Demand with the E-Business Suite to Supercharge your Sales Team

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

Final Project Report December 9, Cloud-based Authentication with Native Client Server Applications. Nils Dussart

Using Shibboleth for Single Sign- On

SAML 101. Executive Overview WHITE PAPER

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

How To Use Kiteworks On A Microsoft Webmail Account On A Pc Or Macbook Or Ipad (For A Webmail Password) On A Webcomposer (For An Ipad) On An Ipa Or Ipa (For

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Cloud federation. Prelude to Hybrid Clouds. CHEP 2015 Okinawa, Japan. Marek Denis CERN Geneva, Switzerland

IETF 84 SCIM System for Cross-domain Identity Management. Kelly Grizzle

JVA-122. Secure Java Web Development

THE NEW DIGITAL EXPERIENCE

IBM WebSphere Application Server

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Apigee Gateway Specifications

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

OpenID Connect 1.0 for Enterprise

CAS s IDP system and resources in Education Cloud

Administering Jive Mobile Apps

Identity, Privacy, and Data Protection in the Cloud XACML. David Brossard Product Manager, Axiomatics

Transcription:

Keeping access control while moving to the cloud Presented by Zdenek Nejedly Computing & Communications Services University of Guelph 1

Keeping access control while moving to the cloud Presented by Zdenek Nejedly Computing & Communications Services University of Guelph 2

Objectives Intro: University of Guelph mail migration Review: Access Management in the Cloud Conclusion: Solutions and Lessons Learned Computing & Communications Services www.uoguelph.ca/ccs 3

University of Guelph mail migration Computing & Communications Services www.uoguelph.ca/ccs 4

Migration project highlights Migrating 36k undergraduate students Production Sep 1, 2014 Expanding from one to two mail systems Zimbra Collaboration Suite University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 5

Migration project challenges User: two mail systems - am I on Google or Zimbra? Or both? University: policy confirmation before authorizing access to the service - how can we serve it to the users? University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 6

Access Management technologies Computing & Communications Services www.uoguelph.ca/ccs 7

Do you provide Web Access Management on your campus? Do you provide authentication for cloud services? How? Shibboleth? CAS? ADFS? Other SAML 2 or non-saml? Custom SSO? 8

Why Web Access Management? Functions: authn, authz, SSO, attrs, audit Benefits: Security: secured credentials Password Reuse xkcd.com/792 User experience: single identity, SSO Service Providers: friction - retention Identity providers: lower management cost University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 9

Cloud authentication: the early years SSO mostly as a custom solution Secret token exchanged between the parties Individual solutions high cost University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 10

Cloud authentication: the protocols Gartner (2013) Gartner estimates a penetration well over 50% worldwide for SAML-based federations.. University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 11

What do I need to know? University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 12

HTTP & HTTPS HTTP - application protocol (RFC 2616) Stateless GET & POST methods in HTTP GET: resource retrieval, preserved in redirects POST: sends data to the server in the body, may be lost in redirects GET http://example.com/stocks.cgi?name=ibm HTTP/1.1 POST https://example.com/authenticate HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 31 username=jane&password=w0rld2u HTTP/1.1 302 Found Location: http://example.org/secure/docs/ Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 13

extensible Markup Language XML & JSON free open standards Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS JavaScript Object Notation <person> <firstname>john</firstname> <lastname>smith</lastname> <isanalyst>true</isanalyst> <phonenumbers> <phone type="home">123 123-1234</phone> <phone type= cell">123 123-9999</phone> </phonenumbers> </person> { "firstname": "John", "lastname": "Smith", "isanalyst": true, "phone": [ { "type": "home", "number": "123 123-1234" }, { "type": "fax", "number": "123 123-9999" } ] } University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 14

Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS SOAP & REST University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 15

Example of a SOAP fault message (http://www.w3.org/tr/soap12- part1/#faultcodes) <env:envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:m="http://www.example.org/timeouts" xmlns:xml="http://www.w3.org/xml/1998/namespace"> <env:body> <env:fault> <env:code> <env:value>env:sender</env:value> <env:subcode> <env:value>m:messagetimeout</env:value> </env:subcode> </env:code> <env:reason> <env:text xml:lang="en">sender Timeout</env:Text> </env:reason> <env:detail> <m:maxtime>p5m</m:maxtime> </env:detail> </env:fault> </env:body> </env:envelope> Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 16

REST (Roy Fielding 2000) Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 17

Tech Primer SAML & OAuth SOAP & REST XML & JSON SAML 2.0 & OAuth 2.0 GET & POST HTTP & HTTPS University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 18

GET https://mail.google.com/a/uoguelph.org GET https://idp.uoguelph.org/sso?samlrequest=... 1 2 4 Service Provider (Google) 5 User s Gmail content returned POST https://www.google.com/a/uoguelph.org/acs Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS Identity Provider SAML Authentication Flow for Google Apps (Web Browser SSO Profile) 1) Browser requests Gmail content 2) Browser redirected to IdP with AuthnRequest 3) IdP identifies the user 4) Browser posts Response to Google with NameID 5) Google returns Gmail content 3 University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 19 3

Client/ Claims Consumer (web app) Tech Primer SAML & OAuth Accessing app content 1 2 4 5 6 7 API calls SOAP & REST XML & JSON GET & POST HTTP & HTTPS Request authz code Authorization Server (API Provider) OAuth 2 Authorization flow (Server Side Web App profile) 1) Browser accesses Claim Consumer (CC) 2) Browser redirected to the Authorization Server (AS) 3) User authenticates, AS issues Authorization Code 4) Browser redirected to CC with 5) CC posts to AS 6) CC receives JSON response with Access Token 7) CC makes an API call to the API Provider with Access Token 3 University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 20

More on OAuth 2.0 and OpenID Connect Talk by Ryan Boyd http://www.youtube.com/watch?v=ylhyesubspi Getting started with OAuth 2.0 O Reilly (2012) University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 21

Solutions, lessons learned Computing & Communications Services www.uoguelph.ca/ccs 22

Challenge: where is my mail? Zimbra Staff, faculty, grads Multiple roles? Transient entitlements? Undergrads Gmail University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 23

Solution: Single access point Mail SSO Middleware determines the correct mail system and routes the user accordingly University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 24

Challenge: can we add a business process into the authn flow? Service Provider (Google) 1 5 User s Gmail content returned 2 4 UofG Identity Provider 3 3 University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 25

Solution: insert middleware Service Provider (Google) 1 5 User s Gmail content returned 2c 2b 2a 4 Mail SSO Middleware with the Policy engine UofG Identity Provider 3 3 University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 26

Mail SSO Middleware Session Request for Gmail Session Request for Zimbra Google Apps Session Request for either Gmail or Zimbra SAML2 AuthN Request AuthN Request Zimbra SAML2 AuthN Response UofG Shibboleth SAML2 AuthN Request Mail SSO Middleware OAM User Identity OAM AuthN Request OAM User ID and Attrs OAM AuthN Request UofG Oracle Access Manager University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 27

Availability expectations for WAM? Clustering? Standby infrastructure? 28

Next steps - opportunities Weak points? Efficiency? University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 29

Takeaway points With Access Management we can: create a single access point for both email systems build a policy confirmation even into proprietary services With increasing dependencies comes increasing requirement on high availability. University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs 30

Acknowledgements Universities already on Google Apps - Thank you for sharing your experience with us. University of Guelph Gryph Mail SSO team: Fazil, Hugh, Jill, Leo, Matt, Paul, Rob, Saveena, and Zdenek Computing & Communications Services www.uoguelph.ca/ccs 31

External identities Predicts 2014: Identity and Access Management (Gartner):..by 2020 60% identities interacting with the enterprise will come from external IdPs (up from 10% today) Are you using (or plan to) social identities on your campus? 32

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information