How to Implement Enterprise SAML SSO



Similar documents
Introduction to SAML

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Flexible Identity Federation

Mobile Identity and Edge Security Forum Sentry Security Gateway. Jason Macy CTO, Forum Systems

The increasing popularity of mobile devices is rapidly changing how and where we

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

PARTNER INTEGRATION GUIDE. Edition 1.0

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

Perceptive Experience Single Sign-On Solutions

SAML 2.0 SSO Deployment with Okta

The Top 5 Federated Single Sign-On Scenarios

An Overview of Samsung KNOX Active Directory-based Single Sign-On

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

Leveraging SAML for Federated Single Sign-on:

How To Use Saml 2.0 Single Sign On With Qualysguard

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

SAML-Based SSO Solution

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

Siebel CRM On Demand Single Sign-On. An Oracle White Paper December 2006

Connected Data. Connected Data requirements for SSO

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

OpenSSO: Simplify Your Single-Sign-On Needs. Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com

Using SAML for Single Sign-On in the SOA Software Platform

RealMe. Technology Solution Overview. Version 1.0 Final September Authors: Mick Clarke & Steffen Sorensen

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Tenable for CyberArk

IBM WebSphere Application Server

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Increase the Security of Your Box Account With Single Sign-On

HP Software as a Service. Federated SSO Guide

PHP Integration Kit. Version User Guide

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

Microsoft Office 365 Using SAML Integration Guide

PingFederate. IWA Integration Kit. User Guide. Version 3.0

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

Swivel Secure and the Cloud

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

managing SSO with shared credentials

Evaluation of different Open Source Identity management Systems

SAML SSO Configuration

idp Connect for OutSystems applications

Fairsail. Implementer. Single Sign-On with Fairsail and Microsoft Active Directory Federation Services 2.0. Version 1.92 FS-SSO-XXX-IG R001.

Ensuring the Security of Your Company s Data & Identities. a best practices guide

Building Secure Applications. James Tedrick

Configuring. Moodle. Chapter 82

Deploying RSA ClearTrust with the FirePass controller

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

Improving Security and Productivity through Federation and Single Sign-on

SP-initiated SSO for Smartsheet is automatically enabled when the SAML feature is activated.

SAM Context-Based Authentication Using Juniper SA Integration Guide

SAML Security Option White Paper

WebLogic Server 7.0 Single Sign-On: An Overview

WebNow Single Sign-On Solutions

A Standards-based Mobile Application IdM Architecture

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Workday Mobile Security FAQ

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

WHITEPAPER SAML ALONE IS NOT SECURE - HERE S HOW TO FIX IT

PingFederate. IWA Integration Kit. User Guide. Version 2.6

nexus Hybrid Access Gateway

TIB 2.0 Administration Functions Overview

Google Apps Deployment Guide

API-Security Gateway Dirk Krafzig

Sharepoint server SSO

Novell Access Manager

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief

SAML 101. Executive Overview WHITE PAPER

CA Single Sign-On Migration Guide

CA Performance Center

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

PingFederate. SSO Integration Overview

APPLICATION ACCESS MANAGEMENT (AAM) Augment, Offload and Consolidate Access Control

SAML single sign-on configuration overview

Single Sign On. SSO & ID Management for Web and Mobile Applications

White Paper. McAfee Cloud Single Sign On Reviewer s Guide

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview)

SAML-Based SSO Solution

DocuSign Information Guide. Single Sign On Functionality. Overview. Table of Contents

White Paper. What is an Identity Provider, and Why Should My Organization Become One?

How to Extend your Identity Management Systems to use OAuth

Single Sign-On Implementation Guide

Novell Access Manager

An Oracle White Paper Dec Oracle Access Management Security Token Service

Authentication Integration

How To Use Salesforce Identity Features

JVA-122. Secure Java Web Development

Centrify Mobile Authentication Services for Samsung KNOX

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Gateway Apps - Security Summary SECURITY SUMMARY

Okta Identity Management for Portals Built on Salesforce.com. An Architecture Review. Okta Inc. 301 Brannan Street San Francisco, CA 94107

PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN

Web Applications Access Control Single Sign On

Cisco Software-as-a-Service (SaaS) Access Control

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

SAP NetWeaver AS Java

Transcription:

How to Implement Enterprise SSO THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY

How to Implement Enterprise SSO Introduction Security Assertion Markup Language, or, provides numerous The advantages and challenges benefits to enterprises, organizations and governments. One of its greatest associated with each assets is Single Sign-On (SSO), the ability to enable users to securely implementation strategy. access multiple applications with a single set of credentials, entered once. With, users and organizations can conduct business faster and more efficiently by seamlessly accessing multiple applications on the same domain or on multiple domains. Many organizations are already utilizing to create a better user experience for their customers and employees. However, there are countless enterprises and organizations who have yet to implement because it can be a difficult and expensive to implement. This white paper will show how SSO works, provide examples of two different methods of implementing and showcase the advantages and disadvantages that are associated with each method. What is is an XML-based framework used to authorize, authenticate and communicate attributes and privileges of a user. provides the ability to send information about an authenticated user and does not require a third-party system to ever have access to the user s credentials. To properly understand how SSO works, there are three participants that need to be established: the User, the Identity Provider (IdP) and the Service Provider (SP). The User is the client attempting to access an application. The Service Provider is the owner of the application (may also be referred to as the relying party). The Identity Provider is the holder of record of the user s authentication credentials such as username, password, x509, roles, etc. (may be referred to as the asserting party). As the name (Security Assertion Markup Language) suggests, it is a secure means to assert the identity of a user to another system. SSO SUMMARY: In this white paper, you will learn: What is and how it s used for Single Sign-On. Two methods of implementing SSO. Now that the participants have been established, let s take a closer look at each of their roles in SSO. There are two primary methods of SSO: Service Provider Initiated (SP-Initiated) and Identity Provider Initiated (IdP-Initiated). SP-Initiated SSO is the more common use case of the two scenarios and it occurs when a user attempts to access the Service Provider directly. Refer Figure on the next page to follow the necessary steps to complete SP-Initiated SSO.

Figure : SP-Initiated SSO IDENTITY SERVICE. The User attempts to access a service from the Service Provider via URL.. The Service Provider redirects the User s browser to the Identity Provider for authentication.. The User provides credentials to the Identity Provider. If the credentials are valid, the IdP creates a token and embeds the token along with an HTTP redirect command. The HTTP redirect command sends the User s browser or mobile device back to the Service Provider to present the token. This step has no impact on the client and no code is required since it uses standard HTTP redirect mechanisms.. The Service Provider inspects the inbound token from the redirect and validates the via the PKI signature check and the contents. If valid, the user is allowed access and a session cookie is established to enable the continued use of the SSO session for some duration of time without requiring reauthentication. IdP-Initiated is a less common SSO use case because it requires the User to already be authenticated with the Identity Provider. Typically, this is the case with mobile devices where a User can be authenticated by accessing their phone. See Figure on the next page to see how IdP-Initiated SSO works.

Figure : IdP-Initiated SSO IDENTITY SERVICE. The User clicks on a link to a partner Service Provider. Since the User has already been authenticated with the Identity Provider, the IdP issues a token to the User.. The User s browser is redirected to the Service Provider.. The Service Provider inspects the inbound token from the redirect and validates the via the PKI signature check and the contents. If valid, the user is allowed access and a session cookie is established to enable the continued use of the SSO session for some duration of time without requiring reauthentication. The examples above were designed to simplify the two SSO use cases and to do that, many of the technical details associated with each step were omitted. The next section will go into a little more detail on what is required to enable SSO. Implementing SSO Implementing SSO can be challenging for an organization. consumption and generation can be complex and the PKI digital signature (DSIG) and verification components of trust relationships require PKI frameworks, key generation, and several OASIS standards-based parsing capabilities. The implementation strategy of is dependent on multiple factors: architecture design, legacy system enablement, development team skillset, and cost of building individual embedded adapters. Now, let s assess two different methods of implementing SSO. The first option is to build or purchase prebuilt SSO adapters for each Service Provider that will be used for SSO (sometimes these are referred to as agents). The second option is to deploy an API gateway to seamlessly facilitate SSO with no coding or impact on back-end services. It s important to note that these scenarios assume that the IdP is.0 enabled.

SSO Adapters Standards-based adapters have the advantage of providing a vendor-agnostic approach to identity and SSO, which is an essential part of a modernization strategy. The implementation of may provide challenges at the end-mile applications simply due to framework and environment limitations, legacy components, and lack of in-house expertise. The purpose of the adapters is to embed these -aware components into the infrastructure so that you can achieve scenarios represented in Figure below. Figure : SSO without an API Gateway IDENTITY DIRECTORY 5 SSO ADAPTER APPLICATIONS SERVICE. The User attempts to access an application from the Service Provider.. However, the User has not been authenticated and is redirected to the Identity Provider for authentication.. The IdP challenges the User for credentials. The User then authenticates at the IdP with his/her credentials.. If the credentials are valid, the SSO Adapter creates a token and redirects the User s browser back to the Service Provider. 5. The SSO Adapter at the SP inspects the token. If valid, the user is allowed access and a session cookie is established to enable the continued use of the SSO session for some duration of time without requiring re-authentication. On paper, this may seem like an easy and straightforward approach. However, there are several challenges to consider: Building your own adapters may require time and resources of your development team that you can t afford to spare. Additionally, your development team may not have the bandwidth to manage the ongoing maintenance and troubleshooting required. Purchasing adapters would still require proper integration and configuration. Each new or updated SP would require a thorough security audit, because each SP introduces a new point of vulnerability.

Adapters do not shield the Service Providers from threats to the underlying platform, resulting in additional points of vulnerability, e.g. insecure SSL implementation. As new Service Providers are added, scalability becomes an issue. Each new SP must be coded and tested, requiring time and resources. The distributed adapters and potential inconsistencies in different environments could greatly complicate testing, debugging, monitoring, auditing, maintenance, and security policy changes. SSO with an API Gateway Alternatively, you can SSO enable your enterprise architecture with an API gateway. Instead of using adapters, the API gateway takes on the responsibility of facilitating SSO. Figure illustrates an architecture deployment with an API gateway performing SSO functions. Figure : SSO with an API Gateway IDENTITY DIRECTORY 5 API GATEWAY APPLICATIONS SERVICE. The User attempts to access an application from the Service Provider.. However, the User has not been authenticated and the API gateway at the Service Provider redirects the User s browser to the Identity Provider for authentication.. The IdP challenges the User for credentials. The IdP validates the customer s credentials.. If the credentials are valid, the IdP creates a token and redirects the User s browser back to the API gateway at the Service Provider. 5. The API Gateway at the SP inspects the token and its contents. If valid, the API gateway grants the User access and a session cookie is established to enable the continued use of the SSO session for some duration of time without requiring re-authentication.

Utilizing an API gateway to enable SSO alleviates many of the challenges mentioned in the previous scenario: No coding is required. Your development team doesn t need to make any modifications to your Service Provider(s). The management and maintenance of gateway policies requires less time and resources. Deploying new API gateways is easy and doesn t require development team resources. The API gateway provides hardened security with a single point of enforcement. Scalability is no longer a concern. Configuring new applications and Service Providers is easy with the API gateway s point-and-click interface. The API gateway centralizes testing, debugging, monitoring, auditing, maintenance, and security policy changes to one centralized location, eliminating the headache of having to deal with each individual adapter. When evaluating the best approach for your organization, you must consider your current infrastructure and future development roadmap. If you are a small organization with limited IT budget and no plans to expand beyond one or two service providers, building SSO adapters may be the best route. On the other hand, if you re a company that is constantly adding new applications and Service Providers, the API gateway will suit your organization best. About Forum Systems Forum Systems is the global leader in API and Cloud Security technology with industry-certified and patented products that secure enterprise infrastructure. Forum Systems has been an industry leader for over years and has built the core architecture of its technology on the foundation of FIPS 0- and NDPP. Our security-first mindset enables trusted, network edge deployments for protecting critical enterprise transactions. Forum Systems supports enterprise customers across commercial, government, and military sectors. Forum Systems technology provides leading-edge security with identity and SSO features that enable out-of-the box business solutions with code-free configuration. References: Security Assertion Markup Language ().0 Technical Overview https://www.oasis-open.org/committees/download.php/5/sstc-saml-tech-overview-.0-draft-0.pdf

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information