Single Sign-On Architectures. Jan De Clercq Security Consultant HPCI Technology Leadership Group Hewlett-Packard




Agenda Trusted Security Infrastructures SSO: What and Why? SSO Architectures Extending SSO page 2

Trusted Security Infrastructures (TSIs): Applications (App 1, App 2, App 3, App...); Trusted Security Infrastructures (Security Admin, Identity Mgmt, Sec Pol Mgmt, Authent Infra, Auditing, Access Control Infra); Core I.T. Infrastructure Services (Meta-Directory, Dir A, Dir B, Dir C, DBs, Msg Mgmt, Web Services) page 3

SSO Foundations: Trust Trust Identification SSO Authorization Access Control page 4


SSO: What and Why? Ease of Administration; Ease of Use; Enables Enforcement of Coherent Security Policy; Key to the Kingdom? page 6

SSO Terminology: Infrastructure Server - Physical providers of authentication/SSO; Authority - Logical providers of authentication/SSO/trust = Domain (Windows speak) = Cell (DCE speak) = Realm (Kerberos speak); Credentials; Digital Identity; Factors; Token page 7

SSO Terminology (diagram): Token, Sign-On, Server, Account and Credential Management, User, Trust, Token Validation, Exchange, Resource Domain, Domain Server page 8


SSO Solutions and Architectures: Simple SSO - Single Authority and Server; Single Authority and Multiple Servers. Complex SSO - With Single Set of Credentials: Token-based SSO; PKI-based SSO. With Multiple Sets of Credentials: Synchronization; Client-side Caching; Server-side Caching page 10

Simple SSO Solutions: SSO with a single Authority and a single Server. Diagram: Token, Sign-On, Server, Account and Credential Management, User, Trust, Token Validation, Exchange, Resource Domain, Domain Server. Examples: OS, EAMS, Centralized RAS page 11

Simple SSO Solutions: SSO with a single Authority and multiple Servers. Diagram: Replicated Server, Token, Replication, Sign-On, Master Server, Account and Credential Management, User, Trust, Token Validation, Exchange, Resource Domain, Domain Server. Examples: OS, EAMS, Centralized RAS page 12

Traditional Sign-On (No SSO). Diagram: Token, Sign-On, Authority, Account and Credential Management, User; Token, Sign-On(s), Authority, Account and Credential Management page 13

Complex SSO Solutions: Single Set: Token-based SSO. Diagram: Token, Sign-On, Temporary Token, Authority, Account and Credential Management, User, Trust, Transparent Sign-On(s) using Temporary Token, Authority, Account and Credential Management. Examples: Kerberos, EAMS, Passport page 14

Complex SSO Solutions: Single Set: PKI-based SSO. Diagram: User Private Key, User Cert, User, User Registration, Certificate Issuance, Authority, Trust, CA Cert, Account and Credential Management, CA Cert, Transparent Sign-On(s) using Public Key Credentials (Certificate and Private Key), Authority, CA Cert. Examples: Entrust, Baltimore, Windows 2000, Windows.NET page 15

Complex SSO Solutions: Multiple Set: Password Sync. Diagram: Token, Sign-On, Authority, Account and Credential Management, User, Sync Software, Trust, Synchronization, Sign-On(s), Sync Software, Authority, Account and Credential Management. Examples: PassGo, PSynch, MetaDirectories, Provisioning software page 16

Complex SSO Solutions: Multiple Set: Client-side Caching. Diagram: Token, User, Sign-On, Authority, Account and Credential Management, Secure Client-Side Cache, Transparent Sign-On(s) Using Cached Credentials, Trust, Authority, Account and Credential Management. Examples: Windows XP and Windows.NET, Identix Biologon, Entrust Entelligence page 17

Complex SSO Solutions: Multiple Set: Server-side Cache. Diagram: Sign-On, Token, User, Request for Credentials, Credentials for Authentication, Authority, Authority, Account and Credential Management, Trust, Transparent Sign-On(s) Using Credentials Returned from Authority, Credentials Authority, Account and Credential Management. Examples: Tivoli SecureWay SSO, CA eTrust SSO page 18

SSO Solutions: Pros and Cons (1) page 19

SSO Solutions: Pros and Cons (2) page 20

SSO Solutions: Pros and Cons (3) page 21


Extending SSO To cover Different Organizations Scope: Extranet and Internet Federation To cover Different Applications Scope: Intranet APIs page 23

Defining Federation: The use of agreements, standards, and technologies to make identity and entitlements portable across autonomous identity domains. page 24

Extending SSO: Federation page 25

Extending SSO: APIs page 26

Conclusion: Creating an SSO Infrastructure for a heterogeneous environment is not an easy job. The creation of SSO Infrastructures is a great opportunity to leverage directory and meta-directory investments. page 27

TSI: Conclusion Trusted Security Infrastructures Security Admin Sec Adm Provisioning Authent Infra NOS Access Control Infra Apps Resource Managers Access Method Office Enterprise (SMB) EAMS Web (HTTP) PKI AAA Radius / Tacacs+ Remote Access (PPP) Wireless page 28

Questions? Jan.DeClercq@hp.com page 29