SAML Security Option White Paper



Similar documents
HP Software as a Service. Federated SSO Guide

SAML-Based SSO Solution

HP Software as a Service

CA Performance Center

CA Nimsoft Service Desk

Perceptive Experience Single Sign-On Solutions

Security Assertion Markup Language (SAML) Site Manager Setup

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

SAML-Based SSO Solution

Improving Security and Productivity through Federation and Single Sign-on

PARTNER INTEGRATION GUIDE. Edition 1.0

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Introduction to SAML

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Getting Started with AD/LDAP SSO

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Using SAML for Single Sign-On in the SOA Software Platform

The increasing popularity of mobile devices is rapidly changing how and where we

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

Implementation Guide SAP NetWeaver Identity Management Identity Provider

CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam

Microsoft Office 365 Using SAML Integration Guide

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Safewhere*Identify 3.4. Release Notes

Copyright: WhosOnLocation Limited

Authentication Methods

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Authentication and Single Sign On

Evaluation of different Open Source Identity management Systems

An Oracle White Paper Dec Oracle Access Management Security Token Service

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

OpenHRE Security Architecture. (DRAFT v0.5)

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Agenda. How to configure

TrustedX - PKI Authentication. Whitepaper

Biometric Single Sign-on using SAML

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

An SAML Based SSO Architecture for Secure Data Exchange between User and OSS

Single Sign-On Implementation Guide

Configuring EPM System for SAML2-based Federation Services SSO

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

OpenLogin: PTA, SAML, and OAuth/OpenID

Copyright

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

Get Cloud Ready: Secure Access to Google Apps and Other SaaS Applications

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

idp Connect for OutSystems applications

USING FEDERATED AUTHENTICATION WITH M-FILES

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

ACTIVID APPLIANCE AND MICROSOFT AD FS

SAML Authentication Quick Start Guide

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

SAML Authentication with BlackShield Cloud

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

Single Sign-On Implementation Guide

Single Sign-On between SAP Portal and SuccessFactors

DIGIPASS as a Service. Google Apps Integration

Egnyte Single Sign-On (SSO) Installation for OneLogin

Research and Implementation of Single Sign-On Mechanism for ASP Pattern *

TIB 2.0 Administration Functions Overview

Get Success in Passing Your Certification Exam at first attempt!

Biometric Single Sign-on using SAML Architecture & Design Strategies

Flexible Identity Federation

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

JVA-122. Secure Java Web Development

Architecture Guidelines Application Security

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

Single Sign-On Implementation Guide

OpenLDAP Oracle Enterprise Gateway Integration Guide

Federated Identity Management Solutions

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

White paper December Addressing single sign-on inside, outside, and between organizations

IBM WebSphere Application Server

Securing Web Services With SAML

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

Single Log-Out. Andreas Åkre Solberg Malaga, June 2009

CA SiteMinder. Federation Security Services Release Notes. r12.0 SP3

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

OAuth Guide Release 6.0

DocuSign Information Guide. Single Sign On Functionality. Overview. Table of Contents

White Paper March 1, Integrating AR System with Single Sign-On (SSO) authentication systems

Single Sign On for ShareFile with NetScaler. Deployment Guide

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

CONFIGURATION GUIDE WITH MICROSOFT ACTIVE DIRECTORY FEDERATION SERVER

Logout Support on SP and Application

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

Google Apps Deployment Guide

Transcription:

Fujitsu mpollux SAML Security Option White Paper Fujitsu mpollux Version 2.1 February 2009

First Edition February 2009 The programs described in this document may only be used in accordance with the conditions under which Fujitsu Finland Oy supplies them. This document is provided to your organization on the understanding that its content is and remains the intellectual property of Fujitsu Finland Oy. The document is provided on the understanding that its use is confined to the people in your organization who are responsible for evaluating its content and that there is an obligation on your organization and such people within your organization to keep its content in confidence. This document may not, without the prior written authority of Fujitsu Finland Oy, be copied or shown in whole or in part to any third party. When no longer required for the agreed purpose, the document is to be returned to Fujitsu Finland Oy. Fujitsu Finland Oy endeavors to ensure that the information in this document is correct and fairly stated but does not accept liability for any error or omission. The development of Fujitsu Finland Oy products and services is continuous and published information may not be up to date. It is important to check the current position with Fujitsu Finland Oy. This document is not part of a contract or license save insofar as may be expressly agreed. Fujitsu and the Fujitsu logo are registered trademarks of Fujitsu Limited. PalmSecure and the PalmSecure logo are registered trademarks of Fujitsu Limited. The Possibilities are Infinite is a trademark of Fujitsu Limited. mpollux, mpollux security options are trademarks or registered trademarks of Fujitsu Finland Oy and Fujitsu Limited. Other product and company names mentioned herein may be trademarks or trade names of their respective owners. Fujitsu Finland Oy

Table of Contents 1 INTRODUCTION... 4 2 MPOLLUX SAML FUNCTIONALITY... 5 2.1 Web Browser SSO... 6 2.2 Single Logout... 6 2.3 Attribute Query... 6 2.4 Identity Provider... 6 2.5 Service Provider... 6 3 MPOLLUX SAML ARCHITECTURE... 7 3.1 mpollux Server... 8 3.2 mpollux Login Application... 8 4 EXAMPLES OF MPOLLUX SAML USE CASES... 9 4.1 Case 1: mpollux as SAML Identity Provider... 9 4.2 Case 2: mpollux as SAML Service Provider... 10 Page 3 (10) Copyright Fujitsu Finland Oy

1 INTRODUCTION In the context of e-business, the need for security functions is of ever growing importance. Several different schemes exist for the authentication of the involved parties and communicated messages, or for the insurance of transaction confidentiality and non-repudiation. The problem currently is that as a rule these schemes build on special secure devices and complex infrastructure such as PKI. While the security achieved by such means is high, the threshold for applying such an infrastructure for smaller scale business cases can be high as well. mpollux Security Server provides a range of security solutions from conventional user id password authentication, telephone call authentication to full-scale PKI based security. mpollux SAML provides web-based single sign-on functionality for the mpollux authentication service. mpollux SAML implements the roles identity provider (IdP) and service provider (SP). Page 4 (10) Copyright Fujitsu Finland Oy

2 MPOLLUX SAML FUNCTIONALITY The mpollux SAML implements SAML 2.0 specification s Web Browser SSO Profile and Single Logout Profile. These profiles are used to provide web-bases single sign-on functionality between security domains. The Security Assertion Markup Language (SAML) standard defines an XML-based framework for describing and exchanging security information between an identity provider and a service provider. This security information is expressed in the form of portable SAML assertions that applications working across security domain boundaries can trust. The SAML standard defines precise syntax and rules for requesting, creating, communicating, and using these SAML assertions. More information about SAML standard: http://www.oasis-open.org/specs/ http://www.projectliberty.org/liberty/specifications 1 There are both identity provider and service provider roles. An identity provider is responsible for management of identities, authenticating user and producing assertions. A service provider redirects user to authenticate when necessary and consumes assertions produced by identity provider. Web Application Service Provider Browser Identity Service Database Figure 1 mpollux SAML provider roles About the SAML profiles, the supported features are, Web Browser SSO, profile to provide web-bases cross-domain single sign-on functionality. Single Logout, profile to terminate own session with all session participants. Attribute Query, profile is for requesting attributes for specified subject. Page 5 (10) Copyright Fujitsu Finland Oy

2.1 WEB BROWSER SSO Web Browser SSO profile provides web-bases cross-domain single sign-on functionality. A service provider issues an authentication request to an identity provider. The identity provider authenticates the user (or has already authenticated), and then provides an authentication assertion to the service provider. This above is performed using profile of the SAML Authentication Request protocol. 2.2 SINGLE LOGOUT Single Logout profile is used to terminate user session with all session participants. After Web Browser SSO profile is used, user s sessions exist in the identity provider and service providers, which are used during that session. When user or session authority wants to terminate user s global session, Single Logout request is sent to all session participants. Asynchronous front-channel binding is required when user session exists in a user agent in the form of cookie. 2.3 ATTRIBUTE QUERY Attribute Query messages from Assertion Query/Request profile is used for requesting attributes for specified subject. This profile uses synchronous SAML SOAP binding and is performed using backchannel after user is authenticated. 2.4 IDENTITY PROVIDER Identity provider is SAML participant role that is defined to support Multi-Domain Single Sign-On. An identity provider is responsible for management of identities, authenticating user and producing assertions. 2.5 SERVICE PROVIDER Service provider is SAML participant role that is defined to support Multi-Domain Single Sign-On. A service provider redirects user to authenticate when necessary and consumes assertions produced by identity provider. Page 6 (10) Copyright Fujitsu Finland Oy

3 MPOLLUX SAML ARCHITECTURE For an overview of the overall architecture of the mpollux Security Server, see the mpollux Security Server White Paper. Figure 1 shows the architecture of the mpollux Security Server with SAML. External SAML Provider mpollux Login Application mpolluxapi Java Application Server mpollux Base DigiSign Security Option mpollux Security Server Database Figure 2 The Architecture of mpollux Security Server with SAML As figure 1 shows, the main components of mpollux Security Server with SAML are mpollux API and mpollux Base, which are the common components for all mpollux Security Options, and mpollux Login Application, which provides user interface, External SAML Provider, a service provider or an identity provider Service requests from applications using mpollux Security Server are transmitted from mpollux API in an XML message over a secure (if required) TCP/IP socket connection to mpollux Base. mpollux Base determines which Security Option instance has been called (there may be several instances of different or the same Security Options running in a mpollux installation) and forwards the service call to the right receiver. The called Security Option in this case DigiSign executes the service call and returns result via mpollux Base to the application. This is in brief the way mpollux Security Server operates. Page 7 (10) Copyright Fujitsu Finland Oy

Because of the architecture, mpollux Security Server functionality can be run either on the Application or Web server platform or on a separate server. 3.1 MPOLLUX SERVER mpollux Server uses mpollux Bases for the basic function like logging, DB connection etc please see mpollux Service Description. mpollux Server itself manages the SignXML, SignPKCS1, CheckXMLSignature and CheckPKCS1Signature based on Client request. 3.2 MPOLLUX LOGIN APPLICATION mpollux Server with utilizing mpollux Bases, provides the features as follows, Data connections, mpollux Base provides connections for fetching data from common SQL DB and LDAP directory. SignXML/SignPKCS1/CheckXMLSignature/CheckPKCS1Signature, mpollux Server proceed signing/checking utilizing mpollux Bases functions. Authentication methods: mpollux CallSign, mpollux PalmSign. mpollux DigiSign, mpollux MobiSign, mpollux Classic and mpollux SMS. Transaction Log, mpollux Server provides the simple transaction log of client/server communication. mpollux Login Application provides identity provider and service provider functionality with mpollux Server integration. Its functionality and user interface is configurable and it can be used in multi customer environments. The application runs on Java Application Server as web application. When mpollux Login is used as service provider, Login component acts as an access controller to the actual application server where user is about to enter. When mpollux Login is used as identity provider, Login component authenticates users using authentication methods that mpollux Server provides. Page 8 (10) Copyright Fujitsu Finland Oy

4 EXAMPLES OF MPOLLUX SAML USE CASES 4.1 CASE 1: MPOLLUX AS SAML IDENTITY PROVIDER When you need to offer authentication services for web applications, mpollux as SAML identity provider provides solution. Web Browser Service Provider mpollux Login Application as IdP mpollux Server Database Figure 3 mpollux as SAML Identity Provider The Service Provider provides the necessary mechanism to request Identity Provider for authenticate user. The mpollux Login Application as Identity Provider The mpollux Server The sample access sequence proceeds as follows 1. When user browses to page that requires authentication, the service provider forward user to Login application to authenticate. 2. mpollux Login Application authenticates user and calls mpollux Server. 3. Then mpollux Server verify the user s credentials and return the result to mpollux Login Application. 4. According to the result, mpollux Login Application sends the necessary information to the service provider. Page 9 (10) Copyright Fujitsu Finland Oy

4.2 CASE 2: MPOLLUX AS SAML SERVICE PROVIDER When you want to secure your web applications with access control, authenticate users using external SAML identity provider and offer Single Sign-On service to web applications, mpollux as Service Provider provides solution. Web Browser Web Application Identity Provider mpollux Login Application as SP mpollux Server Database Figure 4 mpollux as SAML Service Provider The sample access sequence proceeds as follows 1. User open a web application with a browser 2. The web application redirects to mpollux Login Application, when user does not yet login. 3. mpollux Login Application forwards user to Identity Provider to authenticate 4. Identity Provider authenticates user 5. According to the result, Identity Provider sends the necessary information to the service provider (mpollux Login Application). 6. According to the result, mpollux Login Application sends the necessary information to the web application Page 10 (10) Copyright Fujitsu Finland Oy

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information