Apache Integration Kit. Version For Windows. User Guide



Similar documents
Internet Information Services Integration Kit. Version 2.4. User Guide

PHP Integration Kit. Version User Guide

Java Integration Kit. Version User Guide

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Quick Connection Guide

PingFederate. IWA Integration Kit. User Guide. Version 3.0

PingFederate. IWA Integration Kit. User Guide. Version 2.6

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

PingFederate. OpenID Cloud Identity Connector. User Guide. Version 1.1

PingFederate. Identity Menu Builder. User Guide. Version 1.0

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

PingFederate. SSO Integration Overview

PingFederate. Integration Overview

DEPLOYING EMC DOCUMENTUM BUSINESS ACTIVITY MONITOR SERVER ON IBM WEBSPHERE APPLICATION SERVER CLUSTER

Configuring Single Sign-On for Documentum Applications with RSA Access Manager Product Suite. Abstract

TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Symantec Backup Exec 2010 R2. Quick Installation Guide

JOSSO 2.4. Internet Information Server (IIS) Tutorial

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

CA Nimsoft Service Desk

EVault Endpoint Protection 7.0 Single Sign-On Configuration

CA Performance Center

StreamServe Persuasion SP5 StreamStudio

Receiver Updater for Windows 4.0 and 3.x

HP Software as a Service. Federated SSO Guide

2 Downloading Access Manager 3.1 SP4 IR1

CA Nimsoft Service Desk

PROXY SETUP WITH IIS USING URL REWRITE, APPLICATION REQUEST ROUTING AND WEB FARM FRAMEWORK OR APACHE HTTP SERVER FOR EMC DOCUMENTUM EROOM

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

HP Software as a Service

EMC Documentum My Documentum for Microsoft SharePoint

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

HOTPin Integration Guide: Google Apps with Active Directory Federated Services

Using SAML for Single Sign-On in the SOA Software Platform

Flexible Identity Federation

SDK Code Examples Version 2.4.2

EMC Documentum Connector for Microsoft SharePoint

SAML Authentication with BlackShield Cloud

Cisco TelePresence Management Suite Extension for Microsoft Exchange Version 4.0.1

Strong Authentication for Microsoft SharePoint

Preparing Your Server for an MDsuite Installation

Integration Guide. SafeNet Authentication Service. SAS Using RADIUS Protocol with Apache HTTP Server

IBM WebSphere Application Server

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

idp Connect for OutSystems applications

CA CloudMinder. Getting Started with SSO 1.5

Cisco TelePresence Management Suite Extension for Microsoft Exchange Version 4.0

Configuring Microsoft Internet Information Service (IIS6 & IIS7)

Identikey Server Windows Installation Guide 3.1

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Microsoft Active Directory Oracle Enterprise Gateway Integration Guide

EMC Documentum Repository Services for Microsoft SharePoint

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

Single Sign-on (SSO) technologies for the Domino Web Server

Novell Access Manager

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Drupal

Strong Authentication for Microsoft TS Web / RD Web

Flexible Identity Federation

Perceptive Experience Single Sign-On Solutions

Cyberoam Configuration Guide for VPNC Interoperability Testing using DES Encryption Algorithm

Integration Guide. SafeNet Authentication Service. Oracle Secure Desktop Using SAS RADIUS OTP Authentication

PARTNER INTEGRATION GUIDE. Edition 1.0

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide

CA SiteMinder. Federation Security Services Release Notes. r12.0 SP3

IBM WebSphere Application Server

Dell One Identity Cloud Access Manager Installation Guide

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

Release Notes RSA Authentication Agent for Web for IIS 7.0, 7.5, and 8.0 Web Server

Web Portal Installation Guide 5.0

Customizing the SSOSessionTimeout.jsp page for Kofax Front Office Server 3.5.2

RSA Security Analytics Netflow Collection Configuration Guide

RSA Security Analytics Netflow Collection Configuration Guide

Strong Authentication for Juniper Networks SSL VPN

Cisco TelePresence Management Suite Extension for Microsoft Exchange Version 4.0.3

Deploying EMC Documentum WDK Applications with IBM WebSEAL as a Reverse Proxy

Leverage Your EMC Storage Investment with User Provisioning for Syncplicity:

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

Enterprise Vault Installing and Configuring

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

IBM WEBSPHERE LOAD BALANCING SUPPORT FOR EMC DOCUMENTUM WDK/WEBTOP IN A CLUSTERED ENVIRONMENT

CA NetQoS Performance Center

ACTi NVR Config Converter User s Manual. Version /06/07

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

Policy Guide Access Manager 3.1 SP5 January 2013

INTEGRATION GUIDE. DIGIPASS Authentication for VMware Horizon Workspace

Implementation Guide SAP NetWeaver Identity Management Identity Provider

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

1 of 24 7/26/2011 2:48 PM

OpenLDAP Oracle Enterprise Gateway Integration Guide

Advantage for Windows Copyright 2012 by The Advantage Software Company, Inc. All rights reserved. Client Portal blue Installation Guide v1.

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER

CA Single Sign-On Migration Guide

Transcription:

Apache Integration Kit Version 1.2.1 For Windows User Guide

2012 Ping Identity Corporation. All rights reserved. PingFederate Apache Integration Kit User Guide Version 1.2.1 December, 2012 Ping Identity Corporation 1001 17th Street, Suite 100 Denver, CO 80202 U.S.A. Phone: 877.898.2905 (+1 303.468.2882 outside North America) Fax: 303.468.2909 Web Site: www.pingidentity.com Trademarks Ping Identity, the Ping Identity logo, PingFederate, PingOne, PingConnect, and PingEnable are registered trademarks of Ping Identity Corporation ("Ping Identity"). All other trademarks or registered trademarks are the property of their respective owners. Disclaimer The information provided in this document is provided "as is" without warranty of any kind. Ping Identity disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Ping Identity or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Ping Identity or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Document Lifetime Ping Identity may occasionally update online documentation between releases of the related software. Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please refer to documentation.pingidentity.com for the most current information. From the Web site, you may also download and refresh this PDF if it has been updated, as indicated by a change in this date: December 13, 2012 PingFederate Apache Integration Kit for Windows 2 User Guide

Contents Introduction... 4 Intended Audience... 4 ZIP Manifest... 4 System Requirements... 5 Processing Overview... 5 Installation and Setup... 7 Installing and Configuring the Apache Agent... 8 Agent Runtime Information... 10 Session Validation... 10 Memory Usage... 10 About Session Information... 10 Logging... 11 SSL Support... 11 Error Handling... 12 Session Logout... 12 PingFederate Apache Integration Kit for Windows 3 User Guide

Introduction The PingFederate Apache Integration Kit for Windows adds a Service Provider (SP) Web-server integration option to PingFederate by providing an Agent for the Web server. The Apache Agent works in conjunction with the PingFederate OpenToken Adapter to allow an SP enterprise to accept SAML assertions and provide single sign-on (SSO) to Apache Web applications. The assertions may be sent using the SAML protocol (version 2.0 or 1.x) or the WS-Federation passive-requestor protocol (see Supported Standards in the Getting Started). Intended Audience This document is intended for system administrators with experience in the configuration and maintenance of Windows and Apache servers. Knowledge of networking and user-management configuration is assumed. Please consult the documentation provided with your server tools if you encounter any difficulties in areas not directly associated with PingFederate or the Apache Agent. ZIP Manifest The distribution ZIP file for the Apache Integration Kit for Windows contains the following: ReadMeFirst.pdf contains links to this online documentation. /legal contains this document: Legal.pdf copyright and license information /dist contains libraries needed for the Adapter and Apache Agent: opentoken-adapter-2.5.1.jar OpenToken Adapter JAR file opentoken-agent-2.5.1.jar OpenToken Agent JAR file zlib1.dll ZLib compression library libeay32.dll OpenSSL library /apache-agent the PingFederate Apache Agent /config mod_pf.conf Apache Agent module configuration file start_page_template.html Apache Agent start-page template error_page_template.html Apache Agent error-page template /lib/apache_2.0 for Windows Server 2003 and 2008 with 32-bit Apache libopentoken.so OpenToken library mod_pf.so Apache Agent module /lib/apache_2.2 for Windows Server 2003 and 2008 with 32-bit Apache libopentoken.so OpenToken library mod_pf.so Apache Agent module PingFederate Apache Integration Kit for Windows 4 User Guide

System Requirements This PingFederate Apache Agent is designed and supported for Apache 2.0 and Apache 2.2 (http://httpd.apache.org/) on Windows Server 2003 and 2008. The Agent modules are built against 32- bit Apache but will work with 64-bit versions of Windows provided that Apache is 32-bit. The following additional prerequisites must be satisfied in order to implement the Apache Agent: PingFederate 6.x (or higher) Note: If not already done, all PingFederate deployments should be updated with this version of the OpenToken Adapter that is supplied as part of this integration-kit distribution. OpenSSL library libeay32.dll and the ZLib library zlib1.dll (included in this distribution) must be in a folder on the system PATH. Processing Overview The Apache Agent acts as a filter in front of an application (or any external protected resource). The basic responsibility of the Agent is to filter requests to determine if a request is for a protected resource: If the request is for an unprotected resource, the Agent passes the request to the application. If the request is for a protected resource, the Agent checks to see if there is a PingFederate OpenToken session available and if the session parameters meet session policy for that session. If a session exists and the session meets session policy for that request, the Agent passes the request through to the application. If a session does not exist, or if the existing session does not meet the session policy for that request, the Agent redirects the user s browser through the PingFederate server to an Identity Provider (IdP) for authentication. After authentication, PingFederate redirects the user back to the protected resource with a valid session. PingFederate Apache Integration Kit for Windows 5 User Guide

The following figure illustrates an SP-initiated SSO scenario, showing the request flow and how the PingFederate OpenToken Adapter wraps attributes from an assertion into a secure token (OpenToken) and passes the token to Apache. Processing Steps 1. A user attempts to access a resource on the Apache server protected by the PingFederate Apache Agent. 2. The user is redirected to the PingFederate server for authentication. (If an OpenToken session already exists, the user is granted immediate access.) 3. The PingFederate server redirects the user s browser to an IdP for authentication using either the SAML or WS-Federation protocols. The IdP partner authenticates the user and returns a SAML assertion. 4. PingFederate validates the assertion and creates an OpenToken for the user including any configured attributes. PingFederate then redirects the browser, including the OpenToken, back to the Apache Agent. 5. The Agent verifies the OpenToken and grants access to the protected resource. The User ID and any attributes from the OpenToken are exposed to the resource as HTTP Request Headers or Apache Environment Variables. PingFederate Apache Integration Kit for Windows 6 User Guide

Installation and Setup Setting up the PingFederate Apache Integration Kit involves: Installing and configuring the OpenToken Adapter in PingFederate Installing and configuring the Apache Agent Installing the OpenToken Adapter and Configuring PingFederate Note: If you have already deployed version 2.5.1 (or higher) of the Open Token Adapter, skip steps 1 through 4 in the following procedure. 1. Stop the PingFederate server if it is running. 2. Remove any existing OpenToken Adapter files (opentoken*.jar) from the directory: <PF_install>/pingfederate/server/default/deploy The adapter JAR file is open-token-adapter-<version>.jar. Important: If you are running PingFederate 5.1.0, also remove the file opentokenadapter.jar from the directory: <PF_install>/pingfederate/server/default/lib 3. Unzip the integration-kit distribution file and copy opentoken-adapter-2.5.1.jar from the /dist directory to the PingFederate directory: <PF_install>/pingfederate/server/default/deploy 4. Start or restart PingFederate. Note: References to screens in the following steps conform to the appearance of the PingFederate 6.x administrative console. However, the configuration is the same for 5.x versions; only the screen names have changed. 5. Create an instance of the OpenToken Adapter for your SP configuration using settings on the Instance Configuration screen as indicated in the table below. (Fields not specified are optional. For more information, see the screen descriptions.) Option Password Confirm Password Description Enter any password you choose. Password confirmation PingFederate Apache Integration Kit for Windows 7 User Guide

6. On the Actions screen, click the Download link and then click Export to save the properties file to your file system. Note: If you have access to the Apache server, you can download the file directly to the server s conf directory, where the PingFederate Apache Agent looks for the properties by default. The path and filename are configurable (see Configuring the Apache Agent on page 9). 7. On the Extended Contract screen, enter any attributes you wish to pass to the application as HTTP request headers or environment variables. For more information, see the section About Session Information on page 10. 8. Configure or modify the connection(s) to your IdP partner(s) using the OpenToken Adapter you configured in the last steps. For more information, see Identity Provider SSO Configuration in the PingFederate Administrator s Manual. Installing and Configuring the Apache Agent To set up the Apache Agent, you must copy a configuration file and a library from the extracted integration-kit distribution to your Apache installation and then modify the configuration file. Note: The Agent setup is required for both for initial installations and for upgrades. We strongly recommend reinstalling the PingFederate Apache Agent in your Apache installation. Deploying the Agent The PingFederate Apache Agent is represented by the mod_pf.so Apache module (dynamic library) and an auxiliary OpenToken library. The behavior of the Agent is controlled by properties contained in the mod_pf.conf file. To deploy the Agent: 1. Unzip the integration-kit distribution file and copy the content of the /dist/apache-agent/lib directory that corresponds to your version of Apache /modules directory. PingFederate Apache Integration Kit for Windows 8 User Guide

Be sure to copy both shared-object files for the indicated platform. 2. Copy zlib1.dll and libeay32.dll files from /dist to a folder in your system PATH. The recommended deployment is to place these files in the Apache modules directory, along with the shared object files, and add that directory to the system PATH. 3. Download the Microsoft Visual C++ 2005 Redistributable Package (x86) (vcredist_x86.exe) (http://www.microsoft.com/download/en/details.aspx?id=5638) and run it. (Due to licensing issues, the Microsoft Visual C++ 2005 Redistributable Package (x86) is not included in the distribution ZIP file.) 4. For new installations, from the integration-kit /dist/apache-agent/config directory, copy the mod_pf.conf, start_page_template.html, and error_page_template.html into the /conf directory of your Apache installation. The mod_pf.conf file must be configured: see Configuring the Apache Agent on page 9. 5. Ensure that the properties file downloaded during the PingFederate adapter setup (default name: agent-config.txt) is available to the Agent by placing it into Apache s /conf folder (see step 6 on page 8). 6. Restart your Apache server. Agent Runtime Configuration Options To configure the Apache Agent to be used by the Apache server, add the following directives to httpd.conf and restart the server:... PingFederateConfigurationFile conf/mod_pf.conf LoadFile modules/libopentoken.so LoadModule pf_module modules/mod_pf.so... Configuring the Apache Agent You must modify the file mod_pf.conf for your environment. Refer to comments in the file (located in the conf directory of your Apache installation) and configure the required properties modify example placeholders, at minimum, as well as required and optional defaults as needed. Note: Changes to mod_pf.conf will not take effect until the server has been restarted. Testing the Apache Agent The Apache Agent includes a protected start page for testing to verify the installation and configuration. The start page initiates an SSO transaction with the IdP partner, and if successful, displays the HTTP headers that the Apache Agent exposes to an underlying application. These headers correspond to attributes from the SAML assertion. Access the Apache Agent protected start page at: http://<apache-server>/<protected-path>/?cmd=pingstartpage PingFederate Apache Integration Kit for Windows 9 User Guide

Caution: This feature is for testing and demonstration only. For security reasons, an administrator should disable the page in a production environment. To disable the page, comment out the PingFederateStartPageURL property in the file <apache_home>/conf/mod_pf.conf. Agent Runtime Information The following sections provide additional information about the behavior and functionality of the PingFederate Apache Agent. Session Validation PingFederate validates both an inactivity timeout and an overall session timeout: The inactivity timeout is the amount of time that a session can be inactive (i.e., during which no new browser requests are received) before a user is required to re-authenticate. The overall session timeout is the total amount of time that a session can be active, regardless of activity, before the user is required to re-authenticate. If either of the session limits has expired, the Apache Agent cancels the existing session and redirects the user to the configured PingFederateLoginPageUrl to start an SP-initiated SSO for authentication at an IdP. Memory Usage The Apache Agent uses the Apache Portable Runtime (APR) pools for allocation of most data: either the configuration-time pool for storing configuration variables, or request-time pools for processing sessions. Heap is used only for temporary data with a short usage time and sensitive size for instance, for dynamic reallocations on compressed-token decompression, parsing session information, or operations with the OpenToken library. About Session Information The PingFederate Apache Agent exposes session information and user attributes from the adapter to the protected application via HTTP request headers or Apache environment variables. This information can then be used by the application for authorization decisions, for example, or for generation of content specific to the user making the request. The session and attribute information exposed to the application includes the following: Attributes from the OpenToken Adapter contract These include, by default, the subject (SUBJECT) and attributes specified on the Extended Contract screen of the adapter setup. Only the attributes fulfilled at runtime will be exposed to the application; attributes with a NULL value will not be included in the OpenToken. NOT-ON-OR-AFTER The time until inactivity timeout is reached. RENEW-UNTIL The time until overall session timeout is reached. AUTH_NOT-BEFORE The time when the session was created. PingFederate Apache Integration Kit for Windows 10 User Guide

AUTHNCONTEXT Information from the SAML assertion that describes how the user was authenticated at the IdP. For security reasons, each HTTP request header or Apache environment variable is first pre-pended with a specific (configurable) prefix (see Configuring the Apache Agent on page 9). The Apache Agent will always remove and rewrite these prefixed request headers and/or environment variables for each request. If applications protected by the Apache Agent cannot be modified to accept headers with this prefix, the Apache Agent can be configured not to add a prefix to the HTTP headers and/or environment variables. In this case, on the Extended Contract screen in the OpenToken Adapter configuration, include an attribute named pf_attribute_list. Then map that attribute in your IdP Connection as a Text field containing a comma-separated list of all the attributes in the adapter contract (see the following example illustration). This attribute list is sent in the OpenToken and used by the Apache Agent to overwrite headers in the request. For more information, see Configuring Adapter Contract Fulfillment in the PingFederate Administrator s Manual. Logging The PingFederate Apache Agent uses a standard Apache API logging scheme that writes into the standard logs/error_log file. This file is created automatically at startup (if it is absent) with the verbosity level controlled by a standard option LogLevel in httpd.conf. Additionally, the PingFederate Apache Agent has six internally distinguished verbosity levels, ranging from 0 to 5. The first four correspond to Apache definitions in error/warn/notice/info. The last two levels are for logging HTTP requests/responses and curl-library debug output, if necessary. The default level is 0, which logs only errors. Note: The Apache Agent logs all of its output at the info level. To have access to this output, set the Apache LogLevel to info in httpd.conf. You must re-start the Apache server after changing the configuration file. SSL Support The Apache Agent supports TLS/SSL, using standard Apache SSL support for connections to the server from browsers. PingFederate Apache Integration Kit for Windows 11 User Guide

Error Handling In case of errors, the Apache Agent redirects the inbound request to a configured error-page URL (see Configuring the Apache Agent on page 9). Session Logout The PingFederate Apache Agent provides a configurable URL (PingFederateCancelURL) for usersession logout (see Configuring the Apache Agent on page 9). This URL specifies a resource that directs the Apache Agent to initiate an SLO first, if configured to do so, and then expire the PingFederate session, clean up any resources associated with the session, and pass control back to the application so that it can clean up its own session. PingFederate Apache Integration Kit for Windows 12 User Guide

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information