Perceptive Experience Single Sign-On Solutions

Similar documents
WebNow Single Sign-On Solutions

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

SAML-Based SSO Solution

Agenda. How to configure

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

HP Software as a Service. Federated SSO Guide

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

The increasing popularity of mobile devices is rapidly changing how and where we

CA Performance Center

CA Nimsoft Service Desk

Setup Guide Access Manager 3.2 SP3

SAML Security Option White Paper

TIBCO Spotfire Platform IT Brief

Flexible Identity Federation

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

HP Software as a Service

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

How To Use Saml 2.0 Single Sign On With Qualysguard

Q&A Session for Understanding Atrium SSO Date: Thursday, February 14, 2013, 8:00am Pacific

SAML SSO Configuration

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Single Sign On. SSO & ID Management for Web and Mobile Applications

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

Perceptive Content Security

Microsoft Office 365 Using SAML Integration Guide

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

How To Configure The Jasig Casa Single Sign On On A Workstation On Ahtml.Org On A Server On A Microsoft Server On An Ubuntu (Windows) On A Linux Computer On A Raspberry V

Deploying RSA ClearTrust with the FirePass controller

Access Gateway Guide Access Manager 4.0 SP1

Authentication Methods

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

OpenSSO: Simplify Your Single-Sign-On Needs. Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

SSL VPN Server Guide. Access Manager 3.2 SP2. June 2013

SAML 2.0 SSO Deployment with Okta

Building Secure Applications. James Tedrick

Centrify Mobile Authentication Services

Perceptive Intelligent Capture Solution Configration Manager

ABOUT TOOLS4EVER ABOUT DELOITTE RISK SERVICES

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Authentication and Single Sign On

Leveraging SAML for Federated Single Sign-on:

Siebel CRM On Demand Single Sign-On. An Oracle White Paper December 2006

U S E R D O C U M E N TA T I O N ( A L E P H I N O

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

How to Implement Enterprise SAML SSO

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Vidder PrecisionAccess

TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS

Introduction to SAML

Setup Guide Access Manager Appliance 3.2 SP3

How To Use Netiq Access Manager (Netiq) On A Pc Or Mac Or Macbook Or Macode (For Pc Or Ipad) On Your Computer Or Ipa (For Mac) On An Ip

PingFederate. SSO Integration Overview

NetIQ Access Manager 4.1

USING FEDERATED AUTHENTICATION WITH M-FILES

Siteminder Integration Guide

QLIKVIEW SECURITY OVERVIEW

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Integration Guide. SafeNet Authentication Service. Using SAS with Web Application Proxy. Technical Manual Template

Novell Access Manager

SAML-Based SSO Solution

Getting Started with Single Sign-On

Google Apps Deployment Guide

SSL VPN Server Guide Access Manager 3.1 SP5 January 2013

PARTNER INTEGRATION GUIDE. Edition 1.0

Interwise Connect. Working with Reverse Proxy Version 7.x

Architecture Guidelines Application Security

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

Use FortiWeb to Publish Applications

Configuring Single Sign-on for WebVPN

How To Use Salesforce Identity Features

User Management Tool 1.5

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Security Assertion Markup Language (SAML) Site Manager Setup

Egnyte Single Sign-On (SSO) Installation for OneLogin

Samsung KNOX EMM Authentication Services. SDK Quick Start Guide

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam

Connected Data. Connected Data requirements for SSO

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Copyright

Enterprise Knowledge Platform

AccountView. Single Sign-On Guide

ELM Manages Identities of 4 Million Government Program Users with. Identity Server

Getting Started with AD/LDAP SSO

CA SiteMinder. SAML Affiliate Agent Guide. 6.x QMR 6

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

How-to: Single Sign-On

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Identity Server Guide Access Manager 4.0

Use Enterprise SSO as the Credential Server for Protected Sites

Improving Security and Productivity through Federation and Single Sign-on

Administrator Guide. v 11

Interact for Microsoft Office

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

Transcription:

Perceptive Experience Single Sign-On Solutions Technical Guide Version: 2.x Written by: Product Knowledge, R&D Date: January 2016

2016 Lexmark International Technology, S.A. All rights reserved. Lexmark is a trademark of Lexmark International Technology, S.A., or its subsidiaries, registered in the U.S. and/or other countries. All other trademarks are the property of their respective owners. No part of this publication may be reproduced, stored, or transmitted in any form without the prior written permission of Lexmark.

Table of Contents Overview... 4 SSO for Perceptive Experience... 4 Web-based SSO solutions... 5 SSO integration options... 7 3

Overview Nearly all organizations today have multiple applications that need to operate together. One of the challenges present in all integration scenarios is user password management. Disparate systems for user accounts and passwords cause a number of side effects. For example, side effects can include lost time due to forgotten passwords, increased maintenance due to multiple passwords per user, and a lack of seamless transitions between the applications that need to interact. Single sign-on (SSO) technology is designed to simplify user management. There are many solution options available in the marketplace today. While they vary in scope, many provide both authentication and authorization. Authentication identifies who the logged in user is while Authorization restricts what the user can access and what actions they can take. These solutions also serve a variety of application types. Windows applications and browser applications are two main categories. Solutions that are focused on browser applications are often referred to as web-based SSO functionality. SSO for Perceptive Experience Perceptive Experience provides the ability to utilize SSO integration in addition to the authentication options already available in Perceptive Content Server. URL integration is frequently used to launch Perceptive Experience from a link embedded in another application so it can benefit from the use of SSO in these scenarios. Currently, only authentication can be delegated to the SSO provider. Authorization for Perceptive Experience is still managed from Perceptive Experience Management Console to determine user access privileges. Also, the user names must exist in both Perceptive Content Server and in the SSO provider. A user replication agent may be useful in synchronizing user lists. Perceptive Experience is designed to integrate with SSO providers that are installed and maintained by the customer. Because authentication is handled by an external entity, a stateful session is introduced outside of the Perceptive Content and Perceptive Experience system. The SSO provider manages the lifecycle of this session, determines if the user is logged in, and manages timeouts for the session. When SSO mode is enabled for Perceptive Experience, there are a few resulting behavioral changes. The first is that there is a programmatic hook at load time in Perceptive Experience and Integration Server to read the name of the authenticated user from the SSO provider. Secondly, normal login into Perceptive Experience is disabled since authentication has been delegated. This includes the login screen and URL parameters. While solutions vary, the basic user story follows this general pattern. 1. User requests a URL resource (http://example.com/perceptiveexperience). An SSO provider intercepts the non-authenticated request and either prompts or redirects the user for credentials. 2. An Identity Provider (IdP) authenticates the credentials against the user store. If the user authenticates successfully, the IdP directs the user to the originally requested resource. 3. Perceptive Experience loads and reads the pre-authenticated user name from the SSO provider. This is typically communicated through an HTTP header. 4

Web-based SSO solutions Shibboleth is a web-based, SSO solution. SiteMinder is another web-based SSO solution. There are many others that share a similar architecture. Web-based SSO solutions are configured to gate access to resources so that authentication is required to access the content. Perceptive Experience requires two gated resources when configuring SSO. The first is the sso directory of the /perceptive application ( /perceptive/sso). The other is the Integration Server application ( /integrationserver). To ensure proper operation of Perceptive Experience, only the sso directory should be gated, not the entire /perceptive application. In this example, Apache HTTPServer runs the Shibboleth service provider module that offers gated access to /perceptiveexperience/sso and /integrationserver. The actual content for /perceptiveexperience and /integrationserver is served to the user through a proxy from the Tomcat server using an AJP connector. When the user first requests http://example.com/perceptiveexperience, Shibboleth redirects the user to another site (http://testshib.org) that serves as the authority for the valid account names and passwords. There, users are prompted for their credentials. When a user authenticates successfully, the identity-authority site redirects the user back to http://example.com/perceptiveexperience with some information about the now logged-on user attached to the request. Typically, this information is communicated between these layers using an XML-based protocol called Security Assertion Markup Language (SAML). SAML relies on the same key-pair encryption technology employed by HTTPS to establish trust and to secure communications between the Identity Provider and Apache HTTPServer, even though they do not connect to each other directly. Their only contact with each other is through the information embedded along with the HTTP requests that are redirected. 5

When the new request has been passed to http://example.com/perceptiveexperience, the Shibboleth module again takes over and the following actions occur. Validates the authentication information embedded into the request. Approves access. Embeds the user name into the request as the REMOTE_USER header for informational use (configurable). Apache HTTP server uses the configured AJP connector to request the content from /perceptiveexperience from the Tomcat server. Perceptive Experience loads on the Tomcat server and reads the name of the pre-authenticated user from the REMOTE_USER header. Content is sent back to the end user s browser via reverse proxy through the AJP connector. To the end user, it appears the Perceptive Experience content comes from the Apache HTTP server component. 6

SSO integration options The configuration steps required for Perceptive Content Server and Perceptive Experience can be found in the Perceptive Content Server Installation and Setup Guide and the Perceptive Content Client Installation and Setup Guide. The following steps are used to determine whether an SSO provider should be integrated with Perceptive Experience. The SSO provider must detect any unauthorized request to Perceptive Experience s sso directory and Integration Server, and authenticate the user to the user store before granting access. The SSO provider must communicate information about the logged in user to Perceptive Experience and Integration Server through an HTTP header. All access to Perceptive Experience s sso directory and Integration Server must be protected by the SSO provider. Since the authentication step occurs before Perceptive Experience loads, it implies a level of trust between Perceptive Experience and the SSO provider. Because of this, you need to ensure that only SSO provider-approved requests are granted access to either Perceptive Experience or Integration Server to prevent spoofing. Each SSO implementation has its own means of security against spoofing. Direct access to the Apache Tomcat application should be limited to connections from the HTTP server component. The location of the sso folder that requires protection can be found at rootpath/sso or rootpath/packages/core/sso. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information