Single sign-on enabled OpenCms

Similar documents

Architecture of Enterprise Applications III Single Sign-On

TIBCO Spotfire Platform IT Brief

How To Configure The Jasig Casa Single Sign On On A Workstation On Ahtml.Org On A Server On A Microsoft Server On An Ubuntu (Windows) On A Linux Computer On A Raspberry V

Leverage Active Directory with Kerberos to Eliminate HTTP Password

Single Sign-on (SSO) technologies for the Domino Web Server

Two SSO Architectures with a Single Set of Credentials

Windows Authentication on Microsoft SQL Server

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos

Integrated Authentication

How To Get A Single Sign On (Sso)

Configuring Sponsor Authentication

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1

How-to: Single Sign-On

Using Kerberos for Web Authentication. Wesley Craig University of Michigan

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams.

Open-source Single Sign-On with CAS (Central Authentication Service)

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

Configuring Single Sign-on for WebVPN

Gabriel Magariño. Software Engineer. Overview Revisited

External Authentication with WebCT. What We ll Discuss

Oracle White Paper October Oracle Advanced Security with Oracle Database 11g Release 2

Step- by- Step guide to Configure Single sign- on for HTTP requests using SPNEGO web authentication

Kerberos and Single Sign On with HTTP

Deploying RSA ClearTrust with the FirePass controller

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Kerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, BC. From Italy (?).

Connecting Web and Kerberos Single Sign On

CA Performance Center

Using SAP Logon Tickets for Single Sign on to Microsoft based web applications

SAML Security Option White Paper

HOBCOM and HOBLink J-Term

OpenHRE Security Architecture. (DRAFT v0.5)

Kerberos: An Authentication Service for Computer Networks by Clifford Neuman and Theodore Ts o. Presented by: Smitha Sundareswaran Chi Tsong Su

BlueCoat s Guide to Authentication V1.0

Integration with Active Directory. Jeremy Allison Samba Team

NetIQ Access Manager 3.2 integration

IceWarp Server - SSO (Single Sign-On)

Architecture Guidelines Application Security

SAML-Based SSO Solution

Citrix Access on SonicWALL SSL VPN

NETASQ ACTIVE DIRECTORY INTEGRATION

SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS

Juniper Networks Secure Access Kerberos Constrained Delegation

Approaches and challenges for a SSO enabled extranet using Jasig CAS. Florian Holzschuher René Peinl

Implementing a Kerberos Single Sign-on Infrastructure

Single Sign-On for Kerberized Linux and UNIX Applications

TopEase Single Sign On Windows AD

Eliminating Authentication Pop- Ups in SAP Landscapes

From centralized to single sign on

Cross-Realm Trust Interoperability, MIT Kerberos and AD

Biometrics for Global Web Authentication: an Open Source Java/J2EE-Based Approach

Centralized Oracle Database Authentication and Authorization in a Directory

Unlocking the Secrets of Alfresco Authentication. Mehdi BELMEKKI,! Consultancy Team! Alfresco!

Integrating WebPCM Applications into Single Sign On (SSO) Tom Schaefer Better Software Solutions, Inc. UN 4023 V

Kerberos and Single Sign-On with HTTP

Executive Summary. What is Authentication, Authorization, and Accounting? Why should I perform Authentication, Authorization, and Accounting?

Digital Identity Management

Enterprise Knowledge Platform

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

WHITE PAPER. Active Directory and the Cloud

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

PingFederate. IWA Integration Kit. User Guide. Version 3.0

Enabling single sign-on for Cognos 8/10 with Active Directory

Security solutions Executive brief. Understand the varieties and business value of single sign-on.

Pierce County IT Department GIS Division Xuejin Ruan Dan King

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

Kerberos and Windows SSO Guide Jahia EE v6.1

New Security Features

Xerox DocuShare Security Features. Security White Paper

Proxied Authentication in SSO Setups with Common OSS. Open Identity Summit 2015 Prof. Dr. René Peinl Berlin,

QLIKVIEW MOBILE SECURITY

Extending Microsoft Windows Active Directory Authentication to Access HP Service Health Reporter

Security Provider Integration Kerberos Authentication

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

PingFederate. IWA Integration Kit. User Guide. Version 2.6

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Crawl Proxy Installation and Configuration Guide

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

Vyom SSO-Edge: Single Sign-On for BMC Remedy

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Evaluation of different Open Source Identity management Systems

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

Introduction to Computer Security

User Pass-Through Authentication in IBM Cognos 8 (SSO to data sources)

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide

SchoolBooking SSO Integration Guide

Oracle Identity Management: Integration with Windows. An Oracle White Paper December. 2004

SSO Plugin. Release notes. J System Solutions. Version 3.6

Get Success in Passing Your Certification Exam at first attempt!

Single Sign On. SSO & ID Management for Web and Mobile Applications

Perceptive Experience Single Sign-On Solutions

Transcription:

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms Pavel Slavíček, pavel.slavicek@qbizm.cz Brno, The Czech Republic, 2. 5. 2008

Content Single sign-on introduction (SSO)» Introduction to Single sign-on SSO protocols» Basic mechanisms» Simplified mechanisms of CAS, NTLM, Kerberos Implementation of SSO into OpenCms» General architecture» Architecture for concrete protocol Experiences» Our experiences in real projects

What is Single sign-on?

Single sing-on Method of access control User enters his credentials once and has access to multiple applications» Without the need to enter multiple passwords Heterogeneous systems» Intranet, emails, stock system,... Comfortable for users

Single sing-on Advantages» Reduces sending password over the network etc.» Reduces human error» Comfortable for users» Disadvantages» Single sign-on component failure» Single sign-on component must be component with high security»

Protocols for Single sing-on Central Authentication Service (CAS) NTLM (NT Lan Manager) Kerberos And others» CoSign (cookie based)» OpenSSO (Sun Java System Access Manager)»

Single sign-on concepts and protocols

Central Authentication Service (CAS) Yale University JA-SIG project Mostly used for web applications Features» Involves a client web browser» Cookies based mechanism» Password is send over network (https)

Central Authentication Service (CAS)

NTLM (NT Lan Manager) Microsoft authentication protocol,,old protocol» Microsoft adopted Kerberos» In several cases Kerberos can t be used Features» Challenge-reponse sequence» Messages between client and server» Password is not send over the network (Hash, DES)

NTLM (NT Lan Manager)

Kerberos Massachusetts Institute of Technology (MIT) Protocol was adopted by Microsoft» Windows 2000 and Windows Active Directory server 2003 Features» Client-server model, mutual-authentication» Symetric key kryptography» Over non-secure networks (eavesdropping, replay)» Password is not send over the network

Kerberos

Architecture for SSO implementation into OpenCms

General architecture Concrete architecture depends on chosen Single sing-on protocol We do not have user s password» We have to trust to Single sing-on component» Special authentication mechanism We have to implement own user driver User name transforming We have to modify authentication mechanisms in OpenCms Central user s account storage» User s account synchronization from LDAP server OCEE Modules from Alkacon OpenCms-LDAP module from sourceforge.net

General architecture LDAP (AD) Auth. prov. Filter Central user s account storage User Driver OpenCms Accounts synch. OCEE/ OpenCms- LDAP

CAS CAS server LDAP/ Ticket Cookie Filter User Driver Login/logout OpenCms Accounts synch.

NTLM AD Challengeresponse JCIFS Filter User Driver OpenCms Accounts synch.

Kerberos KDC Central user s account storage Secret Filter User Driver Accounts synch. ServiceTicket Decryption OpenCms

Experiences with Single sign-on

Experiences with Single sing-on in real projects Popular, user friendly Good feedback from customers Projects» CAS Intranet/extranet Over 30 000 of users» NTLM Intranet, company with affiliates About 5 000 of users» Kerberos Intranet

Summary Single sing-on is attractive for customers Usefully for intranets Architectures of modules were presented Implementation of our modules are based on presented architectures» Knowledge of Single sing-on mechanisms

Thank you for your attention, any questions?

References [1] Introduction to Single Sign-On, http://www.opengroup.org/security/sso/sso_intro.htm/ [2] Single sign-on, http://en.wikipedia.org/wiki/single_sign-on [3] Central Authentication Service, http://en.wikipedia.org/wiki/central_authentication_service [4] NTLM, http://en.wikipedia.org/wiki/ntlm [5] Kerberos, http://en.wikipedia.org/wiki/kerberos_(protocol) [6] The Java CIFS Client Library, http://jcifs.samba.org/ [7] JA-SIG Central Authentication Service, http://www.ja-sig.org/products/cas/ [8] TagLab, http://dev.taglab.com/ [9] Single Sign On Concepts & Protocols, http://www.sans.org/reading_room/whitepapers/authentication/1352.php