SSO Eurécia. and external Applications. Purpose



Similar documents
OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

OpenSSL (lab notes) Definition: OpenSSL is an open-source library containing cryptographic tools.

Online signature API. Terms used in this document. The API in brief. Version 0.20,

Tusker IT Department Tusker IT Architecture

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

Dashlane Security Whitepaper

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

WEB SERVICES CERTIFICATE GUIDE

Qualtrics Single Sign-On Specification

Single Sign-On in PHP & HATS Applications using Hashed Cookies

ADFS Integration Guidelines

Lecture 9: Application of Cryptography

SSL Certificates in IPBrick

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview. SSL Cryptography Overview CHAPTER 1

Paynow 3rd Party Shopping Cart or Link Integration Guide

Lukasz Pater CMMS Administrator and Developer

Implementing SSL Security on a PowerExchange Network

Using Foundstone CookieDigger to Analyze Web Session Management

Chapter 8. Network Security

Absorb Single Sign-On (SSO) V3.0

Creation and Management of Certificates

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML

Copyright: WhosOnLocation Limited

mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG mkasper@monzoon.net

FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SFTP (Secure File Transfer Protocol)

Apache Shiro - Executive Summary

Using etoken for SSL Web Authentication. SSL V3.0 Overview

OOo Digital Signatures. Malte Timmermann Technical Architect Sun Microsystems GmbH

Securing Your Condor Pool With SSL. Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison

itds OAuth Integration Paterva itds OAuth Integration Building and re-using OAuth providers within Maltego 2014/09/22

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

PGP - Pretty Good Privacy

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

Web Security: Encryption & Authentication

Package PKI. July 28, 2015

How To Encrypt Data With Encryption

Electronic Mail Security. Security. is one of the most widely used and regarded network services currently message contents are not secure

Version 1.0. ASAM CS Single Sign-On

Crypto Lab Public-Key Cryptography and PKI

Cryptography and Network Security Chapter 15

McAfee Cloud Identity Manager

Encrypting*a*Windows*7*Hard*Disk* with%bitlocker%disk%encryption!

CS615 - Aspects of System Administration

Acano solution. Certificate Guidelines R1.7. for Single Combined Acano Server Deployments. December H

Hushmail Express Password Encryption in Hushmail. Brian Smith Hush Communications

SSO Plugin. HP Service Request Catalog. J System Solutions. Version 3.6

How To Use Saml 2.0 Single Sign On With Qualysguard

Secure Part II Due Date: Sept 27 Points: 25 Points

First Semester Examinations 2011/12 INTERNET PRINCIPLES

NISTIR 7676 Maintaining and Using Key History on Personal Identity Verification (PIV) Cards

VMware vrealize Operations for Horizon Security

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Package PKI. February 20, 2013

Symmetric and Public-key Crypto Due April , 11:59PM

AD Image Encryption. Format Version 1.2

Network Security Essentials Chapter 7

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER

Secure Network Communications FIPS Non Proprietary Security Policy

qwertyuiopasdfghjklzxcvbnmqwertyui opasdfghjklzxcvbnmqwertyuiopasdfgh jklzxcvbnmqwertyuiopasdfghjklzxcvb

VMware vrealize Operations for Horizon Security

Chapter 10. Cloud Security Mechanisms

HTTPS Configuration for SAP Connector

Encrypted Connections

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Installing your Digital Certificate & Using on MS Out Look 2007.

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms

Project #2: Secure System Due: Tues, November 29 th in class

Digital Signatures on iqmis User Access Request Form

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

Using certificates as authentication method for VPN connections between Netgear ProSafe Routers and the ProSafe VPN Client

Texas Medicaid & Healthcare Partnership (TMHP)

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

Implementing 2-Legged OAuth in Javascript (and CloudTest)

Python Cryptography & Security. José Manuel

CA Nimsoft Service Desk

Two-Factor Authentication

Authentication Applications

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Guidelines for Developing Cryptographic Service Providers (CSPs) for Acrobat on Windows

Using etoken for Securing s Using Outlook and Outlook Express

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

Introduction...3 Terms in this Document...3 Conditions for Secure Operation...3 Requirements...3 Key Generation Requirements...

Encryption Mechanism Software Requirement Specifications changed to Dokumentation Version 1.3.0

Configure SecureZIP for Windows for Entrust Entelligence Security Provider 7.x for Windows

A Standards-based Approach to IP Protection for HDLs

Savitribai Phule Pune University

SmarterMeasure Inbound Single Sign On (SSO) Version 1.3 Copyright 2010 SmarterServices, LLC / SmarterServices.com PO Box , Deatsville, AL 36022

A Brief Guide to Certificate Management

[SMO-SFO-ICO-PE-046-GU-

CSE/EE 461 Lecture 23

Djigzo S/MIME setup guide

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

SAML Implementation Guidelines

Transcription:

SSO Eurécia Purpose This document describes the way to manage SSO connection and external applications. The users logged to the external application by entering his credentials then access to Eurécia without authenticate themselves again. They will be able to access to their Eurécia application datas. Uses cases 1. The user authenticates to an external application 2. He clicks to a link to access to Eurécia. This link is formatted like https://plateforme.eurecia.com/eurecia/sso?source=src&token= Z2VvZmY7bGFuZ29zOzEwMTIzNBsxMDIzNDtnbGFuZ29zQG1vcnRnYWdl LmNvbTttb3J0Z2FnZTsyMBEyLTA1LTE0VBIwOjI1OjAyLjMxMFo7M0FDRE JFOTMzQzc0NTdDMTNDNjNCMjEzMjYxNjEzNERDNTgzRDA5RA== 3. The token is composed as: a. Email b. TimeStamp (GMT) c. Signature 4. Eurécia receives the token and decrypt it with his private key 5. The user access to Eurécia once the token is validated after decryption. 1/6

Before starting Set the trust between the 2 applications Setting the trust and the external application by exchanging X509 certificates. These keys will be used to decrypt the token. Eurécia will verify that the expeditor, the external application, is the good one by comparing the hash to the decrypted message. How to generate and exchange certificates : First of all, you need to generate an RSA key pair with a size of 1024 bytes and generate an X509 certificate from the public key. An easy way to do this is to use the openssl tool as following : openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout privatekey.key - out xopenss509cert.cert The Eurécia certificate is available through the Eurécia platform at the company configuration page. The same page allows you to upload your certificate and link it to the source name of your choice. 2/6

Token composition Encoded algorithm used Encryption algorithm used Email Encoding String Hash TimeStamp Signature BASE 64 (url Safe) RSA Sha1 (http://hash.online-convert.com/sha1-generator) String = User email UTF-8 Sha1 yyyy''-''mm''-''dd''t''hh'':''mm'':''ss''z'' SignedWithExternalAppPrivateKey(Hash(Email ;TimeStamp)) Example: Email TimeStamp Signature Jean.dupont@eurecia.com 2013-01-23T20:25:02.310Z Email ;TimeStamp ;Z2VvZmY7bGFuZ29zOzEzNxMFo7zNEZBNTgzRDA5RA== 3/6

Steps to follow by the external application before sending the request 1. Token=message;signature 2. Generate a TimeStamp with the GMT time zone 3. Build the message = Email;TimeStamp encoded in UTF-8. For example jean.dupont@eurecia.com; 2013-01-23T20:25:02.310Z 4. Build the signature to be sent. signature= Hash SHA-1 the message before encrypt it with the external application private key; let s say signature=cryptedwithexternalappprivatekey(hash(email ;TimeStamp)) 5. Encrypt the Token with the public key given by Eurécia 6. Encode the crypted token with Base64 url safe 7. Send the Token with the url like https://plateforme.eurecia.com /sso?source=yourorganisation&token= Z2VvZmY7bGFuZ29zOzEwMTIzNDsxMDIzNDtnbGFuZ29zQG1vcnRnyWdl LmNvbTttb3J0Z2FnZTsyNDEyLTA1LTE0VDIwOjI1OjByLjMxMFo7M0FDRE JFOTMzQzc0NTdDMTNDNjNCMjEzMjYxNjEzNEZBNTgzRDA5RA 4/6

Once Eurécia receives the request 1. Eurécia receives the Token then decrypt it with his private key. Get the result like message;signature 2. Eurécia explode the message with the ; separator into 3 elements, jean.dupont@eurecia.com; 2013-01-23T20:25:02.310Z; CryptedWithExternalAppPrivateKey(Hash(Email ;TimeStamp)) 3. Eurécia decrypt the CryptedWithExternalAppPrivateKey(Hash(Email ;TimeStamp)) with the External application public key. So the result is Hash(Email ;TimeStamp) 4. Eurécia compare the Hash(jean.dupont@eurecia.com; 2013-01- 23T20:25:02.310Z) to the Hash(Email ;TimeStamp) to confirm that the external application is the good one 5. Finally Eurécia compare the TimeStamp received with a newly generated TimeStamp and refuses to log in the user if the TimeStamp received is older than 1 hour. (This is configurable via the Eurécia platform) 5/6

JAVA Sample code SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss"); sdf.settimezone(timezone.gettimezone("gmt")); String message = "user@eurecia.com;"+sdf.format(new Date());; PrivateKey myprivatekey = getmyprivatekey; PublicKey eureciapublickey = geteureciapublickey(); //Compute and sign the hash Signature sig = Signature.getInstance("SHA1withRSA"); sig.initsign(myprivatekey); sig.update(message.getbytes("utf-8")); byte[] digest = sig.sign(); //Concat the message ByteArrayOutputStream outputstream = new ByteArrayOutputStream(); message += ";"; outputstream.write( message.getbytes("utf-8") ); outputstream.write( digest ); byte[] messagebytes = outputstream.tobytearray( ); //Encrypt message Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); cipher.init(cipher.encrypt_mode, eureciapublickey); byte[] ciphertext = cipher.dofinal(messagebytes); token = Base64.encodeBase64URLSafeString(cipherText); 6/6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information