Simplifying The S's: Single Sign-On, SPNEGO and SAML


Published on February 4, 2014

Author: gabturtle

Source: slideshare.net

Description

Presentation from IBM Connect 2014 with Gab Davis and Chris Miller

BP104: Simplifying The S's: Single Sign-On, SPNEGO and SAML. Gabriella Davis, The Turtle Partnership; Chris Miller, Connectria. © 2014 IBM Corporation

Single Sign On vs Password Synchronisation

What is this presentation about?
▪ We are here to talk about concepts
▪ Once you understand the concepts, their requirements, limitations and benefits you can make decisions about what you need
▪ Hopefully we will give you a good overview of a bunch of confusing acronyms
▪ If you want an awesome step by step presentation on configuring SAML for Notes client access then Rob Axelrod and Andy Pedisich have a Show and Tell this week for you:
  SHOW100 AD + SAML + Kerberos + IBM Notes and Domino = SSO!
  Tue, 28/Jan 04:30 PM - 06:15 PM, Swan Osprey 1 & 2

I do not think that means what you think it means…

Password Synchronisation: You may have the same password but you're not the same person

Single Sign On: Hello, have you met my friend? I can vouch for him completely. Is trust transferable?

One Password, One Location

Diagram: authenticating against a single password in a single place. Mail, Sametime, Connections and Network Login all check the one LDAP password.

Diagram: a Password Synchronisation Tool synchronising passwords across different systems (Sametime LDAP, Traveler Authentication, Connections LDAP).

Steps For Single Password, Single Place
▪ For LDAP compliant applications ensure you use the same LDAP directory source
▪ For Domino systems, configure Directory Assistance to point to an LDAP source
  ▪ ensure you have an attribute in your LDAP directory that contains the user's distinguished name so Domino is returned a valid user name
▪ You can then empty out the HTTP Password field for all users
▪ This will work for any Domino application: mail, Traveler, Sametime etc
▪ The user can be entirely remote and with no access to LDAP directly and this will still work

SPNEGO

SPNEGO: Simple Protected GSSAPI Negotiation Mechanism, known as NTLM or Kerberos in Active Directory

SPNEGO Example For Domino: Steps
1 User logs into Windows
2 Active Directory generates SPNEGO token
3 User tries to access Domino website
4 Browser sends SPNEGO token to Domino along with user name
5 Domino contacts Active Directory to validate token and retrieve the user's name

Domino creates an LTPAToken for the validated user and grants access. Enable Multi Server Single Sign-On to extend access to other servers.
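The server side of the exchange above (the browser presenting a token in step 4, the server validating it in step 5 and issuing the SSO cookie), as an added Python example; this is not code from the deck or from IBM Domino. It parses the SPNEGO NegTokenInit framing that a browser sends in the `Authorization: Negotiate` header, checks that the client actually offered Kerberos rather than falling back to NTLM, and only then hands the inner ticket to a validator. The validator (`sample_validator`), the sample ticket bytes, the user name and the cookie value are constructed stand-ins; Domino's real call to Active Directory and its real LTPA cookie are not shown.

```python
import base64

# Object identifiers found in a real SPNEGO NegTokenInit (RFC 4178).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"

# --- minimal DER helpers, enough for the SPNEGO framing -----------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _base128(v):
    out = [v & 0x7F]
    v >>= 7
    while v:
        out.append(0x80 | (v & 0x7F))
        v >>= 7
    return bytes(reversed(out))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    return _tlv(0x06, _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:]))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

# --- SPNEGO NegTokenInit: build (for the sample) and parse (server side) ------
def build_neg_token_init(mech_oids, mech_token):
    """Constructed sample of what a browser sends in 'Authorization: Negotiate'."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(der_oid(o) for o in mech_oids)))
    mech_tok = _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, der_oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, mech_types + mech_tok)))

def parse_neg_token_init(token):
    """Return (mechType OIDs in the client's preference order, mechToken bytes)."""
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    tag, neg, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, seq, _ = _read_tlv(neg, 0)
    mechs, mech_token, pos = [], b"", 0
    while pos < len(seq):
        tag, field, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                      # [0] mechTypes
            _, lst, _ = _read_tlv(field, 0)
            p = 0
            while p < len(lst):
                _, oid, p = _read_tlv(lst, p)
                mechs.append(decode_oid(oid))
        elif tag == 0xA2:                    # [2] mechToken (the Kerberos AP-REQ)
            _, mech_token, _ = _read_tlv(field, 0)
    return mechs, mech_token

# --- the server side of steps 4 and 5 -----------------------------------------
SAMPLE_AP_REQ = b"constructed-ap-req"        # stand-in for a real KRB_AP_REQ

def sample_validator(mech_token):
    """Stand-in for step 5 (the server asking Active Directory to validate the ticket)."""
    return "CN=Jane Doe/O=Example" if mech_token == SAMPLE_AP_REQ else None

def handle_request(headers, validate_kerberos):
    """Return (status, response headers, authenticated user or None)."""
    challenge = (401, {"WWW-Authenticate": "Negotiate"}, None)
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        return challenge                                  # ask the browser for a token
    try:
        token = base64.b64decode(auth[len("Negotiate "):])
        if token.startswith(b"NTLMSSP\x00"):              # raw NTLM, no SPNEGO wrapper at all
            return challenge
        mechs, mech_token = parse_neg_token_init(token)
    except (ValueError, IndexError):
        return (400, {}, None)
    if not mechs or mechs[0] not in (KRB5_OID, MS_KRB5_OID):
        return challenge   # client offered NTLM first: it had no Kerberos ticket for our SPN
    user = validate_kerberos(mech_token)
    if user is None:
        return challenge
    # Validated: hand out the multi-server SSO cookie (value is a placeholder here).
    return (200, {"Set-Cookie": "LtpaToken=<opaque-ltpa-token>; HttpOnly; Secure"}, user)

def negotiate_header(mech_oids, mech_token=SAMPLE_AP_REQ):
    """Constructed browser-side header for the sample exchange."""
    return "Negotiate " + base64.b64encode(build_neg_token_init(mech_oids, mech_token)).decode()

RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

The mechTypes check is the practical point: when a browser cannot get a ticket for the server's SPN (wrong SPN, user not logged into AD, non-domain machine) it still sends a Negotiate header, but with NTLM as its first mechanism, and a server that accepts that silently downgrades to the weaker protocol. Rejecting it, and logging the client's offered mechanism list, makes the misconfigured SPN visible instead of invisible.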

Setting Up SPNEGO
▪ Create a Domino Web SSO document
▪ Set up a SPN for the Domino server in Active Directory
  ▪ Domino must run under whatever account you set up for it
▪ Run domspnego
▪ Take the output and give it to your AD administrator to run setspn with
▪ Run setspn -a HTTP/<dominohostname> <accountnamerunningdomino>
▪ Update person documents with AD name appended to FullName (and optional others like krbPrincipalName and LTPA User Name)

Why Not SPNEGO
▪ It requires Active Directory
▪ It requires users to login to Active Directory
▪ It requires Microsoft supported browsers
▪ It requires a Windows client for the users
▪ It requires Domino to be on a Windows platform
  ▪ at least the first Domino server that's accessed; the rest can then be reached via the Multi Server SSO token generated by Domino
▪ It doesn't work at all if the user is remotely connecting and not logging into Active Directory
▪ It has a very specific use case

SAML

SAML: Security Assertion Markup Language. SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers.

No Passwords…
▪ To Compromise
▪ To Expire
▪ To Intercept
Once a user has authenticated with the IdP they won't be asked again

Diagram: several SPs (Service Providers) connected to one IdP (Identity Provider).

SAML Example: Steps
1 User attempts to log in to a website
2 User is redirected to Identity Provider
3 Identity Provider requests authentication or (if user is logged in) returns credentials
4 User is redirected back to original site with SAML assertion attached
5 Original site uses its SAML Service Provider to confirm SAML assertion and grant access
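What "confirm SAML assertion" in step 5 actually involves on the Service Provider side, as an added Python example that is not from the deck and is not IBM's federated-login code. It builds a constructed SAML 2.0 Response of the shape the IdP posts back in step 4, then runs the checks an SP has to make before trusting it: issuer, destination, status, signature, validity window (with clock skew), audience, bearer recipient, that the response answers a request this SP actually sent, and that the assertion has not been seen before. The entity IDs, URLs, timestamps and user are constructed; signature verification is passed in as a callable because the real check is XML-DSig against the IdP's certificate (a library such as xmlsec), which is assumed rather than implemented here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed identifiers for the sample SP and IdP (not real endpoints).
SP_ENTITY_ID = "https://sp.example.com"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com"
NOW = datetime(2014, 2, 4, 10, 0, 0)       # "current" UTC time for the sample

def build_response(in_response_to="_req1", audience=SP_ENTITY_ID, recipient=ACS_URL,
                   not_before="2014-02-04T09:59:00Z", not_on_or_after="2014-02-04T10:05:00Z",
                   assertion_id="_a1"):
    """Constructed SAML 2.0 Response, shaped like what the IdP posts to the ACS in step 4."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" InResponseTo="{in_response_to}" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData InResponseTo="{in_response_to}"
            Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def validate_response(xml_text, now, outstanding_requests, seen_assertions,
                      signature_ok, skew=timedelta(minutes=2)):
    """SP-side confirmation of a SAML Response.
    Returns (True, NameID) when every check passes, else (False, reason).
    outstanding_requests: ids of AuthnRequests this SP issued and has not yet consumed.
    seen_assertions: ids of assertions already accepted (replay cache).
    signature_ok: callable(assertion_element) -> bool, assumed to do XML-DSig
    verification against the IdP certificate; not implemented here."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "unexpected issuer"
    if root.get("Destination") != ACS_URL:
        return False, "wrong destination"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "IdP did not report success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    if not signature_ok(assertion):
        return False, "bad signature"
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "assertion issuer mismatch"
    conds = assertion.find("saml:Conditions", NS)
    if conds is None:
        return False, "no conditions"
    if now + skew < _ts(conds.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - skew >= _ts(conds.get("NotOnOrAfter")):
        return False, "assertion expired"
    audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "audience mismatch"          # issued for a different SP
    scd = assertion.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
                         "/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "no bearer confirmation"
    if scd.get("Recipient") != ACS_URL:
        return False, "recipient mismatch"
    if now - skew >= _ts(scd.get("NotOnOrAfter")):
        return False, "bearer confirmation expired"
    request_id = scd.get("InResponseTo")
    if request_id not in outstanding_requests:
        return False, "unsolicited or replayed response"
    assertion_id = assertion.get("ID")
    if assertion_id in seen_assertions:
        return False, "assertion replay"
    # Every check passed: consume the request id and remember the assertion id.
    outstanding_requests.discard(request_id)
    seen_assertions.add(assertion_id)
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

The example enforces the SP-initiated flow the steps describe, so a response with no matching outstanding request is rejected; an IdP-initiated deployment would relax that one check and lean harder on the replay cache and the validity window. When parsing XML from an IdP in production, use a hardened parser (for Python, defusedxml) rather than the stdlib parser used here for brevity.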

Definitions
▪ IdP - Identity Provider (SSO)
  ▪ ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
    ▪ SAML 2.0 only
    ▪ can be combined with SPNEGO
    ▪ Enhances Integrated Windows Authentication (IWA)
  ▪ TFIM (Tivoli Federated Identity Manager)
    ▪ SAML 1.1 and 2.0

Definitions
▪ SP - Service Provider
  ▪ IBM Domino (web federated login)
  ▪ IBM WebSphere
  ▪ IBM Notes (requires ID Vault) (notes federated login)

More Definitions
▪ IdPs (Identity Providers) use HTTP or SOAP to communicate to SPs (Service Providers) via XML based assertions
▪ Assertions have three roles
  ▪ Authentication
  ▪ Authorisation
  ▪ Retrieving Attributes

An IdP can service many SPs. A SP can be connected to several IdPs. An IdP can use a variety of authentication methods including multi factor.

Setting Up SAML
▪ Choose your IdP if you don't already have one
  ▪ which fits best in your business
▪ Build the IdP
▪ Configure the SP
▪ Sounds easy doesn't it?
▪ It's really not easy by any means but it is worth the investment in time

Why Not SAML
▪ Not everything supports it
  ▪ Traveler doesn't
  ▪ Sametime doesn't
▪ ID Vault is a requirement so IDs that can't be vaulted can't be used
  ▪ multiple passwords, smartcards etc

OAuth

Not Everything Belongs To You: OAuth is an authentication standard supported by most major cloud providers

The User & The Consumer
Let's say you want Facebook to post on your Connections Activity Stream. We need OAuth for that.
▪ You are the User
▪ Facebook is the Consumer

The Service Provider & Its Secrets
The consumer (Facebook) wanders over to the Service Provider (IBM Connections) and asks for permission to post on the Activity Stream. The Service Provider issues a Secret to go with every URL request from the user which authorises access.

OAuth Simplified Example: Steps
1 User asks Facebook (the Consumer) to post on their Activity Stream
2 Facebook goes to Connections (the Service Provider) and asks for permission to post
3 The Service Provider gives the Consumer a secret key to give to the user and a URL for the user to click on
4 The user clicks on the URL and authenticates with the Service Provider
5 The Service Provider, satisfied the secret key is good, will now allow the Consumer access to its services

That Was REALLY Simplified
▪ There are other steps and other secrets to ensure traffic is not intercepted once authorisation is granted
▪ There are checks to ensure the Service Provider is who it claims to be
  ▪ You don't want to accidentally authorise a phishing site
▪ There are also lots of timeouts on the authorisation
▪ Make sure you understand the security of both the Consumer and the Service Provider as well as what access you are granting the Consumer on your behalf

In Summary
▪ Think about what your problem actually is; there are plenty of technologies to make the user experience seamless but they become ever more complex to build and maintain
▪ What are your priorities? Single password? No password? No authentication with a particular service?
▪ Many solutions require specific operating systems, software and client versions
▪ Make sure you meet all requirements before building a plan you can't deliver on
▪ Some things are very easy (Single password, SPNEGO)
▪ Some things are very hard (SAML, OAuth)
▪ There is no one solution; you need to choose the combination that delivers for you

How To Find Us
gabriella@turtlepartnership.com, GabriellaDavis (skype), http://turtleblog.info, gabturtle on twitter and elsewhere
idonotes on EVERYTHING: Twitter, blogs, Instagram, Facebook and more
