Single Sign-On in a Single Day

1 Single Sign-On in a Single Day
Jack McAfee

2 Agenda
Different SSO Approaches
The IBM approach
Enterprise Identity Mapping (EIM)
Kerberos or Identity Tokens
Implementation Overview

3 A “Typical” Configuration
Who Benefits from SSO?
End Users → Higher Productivity
Administrators → Less Password Management
Programmers → More Secure Applications
Diagram: one end user, five systems, five different user IDs and passwords:
i1 (OS/400 V5R2): UID JACKM, PWD HOUSTON
i2 (OS/400 V5R3): UID JACK, PWD LONGHORN
x1 (Windows 2003 Server): UID jmcafee, PWD LoneStar
i3 (OS/400 V5R3): UID RJMCAF, PWD ALAMO
p1 (Linux): UID rjmcafee, PWD SpaceCenter

4 Synchronization SSO Approach
User ID/Password Synchronization
No end user productivity gains (not really SSO: the user still signs on to every system)
Implementation cost is high to synchronize UIDs/PWDs
Administration cost is high to maintain synchronization
UIDs and PWDs are limited by platform (the weakest platform's rules apply everywhere)
Synchronization is not always reliable
Diagram: the same UID JACKM and PWD TEXAS pushed to i1 (OS/400 V5R2), i2 (OS/400 V5R3), x1 (Windows 2003 Server), i3 (OS/400 V5R3) and p1 (Linux).

5 Centralization SSO Approach
User ID/Password Centralization
End user productivity gains
Implementation cost is high to capture and replay UIDs/PWDs
Administration cost is high to maintain centralization
Management cost is high to synchronize and secure the central list
Synchronization is not always reliable
Diagram: the five distinct credentials (JACKM/HOUSTON on i1, JACK/LONGHORN on i2, jmcafee/LoneStar on x1, RJMCAF/ALAMO on i3, rjmcafee/SpaceCenter on p1) are all copied into a Central Repository that replays them to each system. Every password now exists in at least two places, and the repository must be able to produce each one in the clear to replay it.

6 The IBM Approach
Single Sign-On Components
Kerberos for authentication
  Uses strongly encrypted tickets, not passwords
  Implemented on all major platforms
Enterprise Identity Mapping (EIM) for identity mapping (the deck calls this "authorization": EIM tells a target system which local user identity an authenticated person should run as; the platform's own user profile and object authorities still decide what that identity may do)
  Maps people to their user identities in various registries
  A registry might be a platform, an application, or middleware
Applications enabled for Kerberos and EIM
  IBM has enabled many popular services in V5R2 and i5/OS
  You can also enable your own applications

7 What is EIM?
IBM's Enterprise Identity Mapping (EIM) is an infrastructure for associating a unique person with one or more user identities in various registries across the enterprise.
Diagram: the person (EIM identifier) Jack McAfee is associated with the user identities rjmcafee (pSeries registry), RJM46D (zSeries registry) and JACKM (iSeries registry).
EIM is NOT Single Sign-On. EIM for identity mapping is used together with Kerberos for authentication (starting with V5R2) to provide SSO.

8 Where is the EIM Domain kept?
On a Domain Controller, in an LDAP directory.
IBM Directory Server offers broad platform support: Windows® 2000, AIX®, Solaris™ and HP-UX™, as well as Linux distributions for Intel™ and the IBM eServer iSeries, pSeries and zSeries platforms.
Diagram: an EIM application asks the Domain Controller "Q: Who is Jack McAfee?" and the EIM Domain (people, associations and registries held in the LDAP directory) answers "A: JACKM".
VERY SECURE! No user accounts and no passwords are maintained in the EIM Domain. It holds only the person-to-user-identity associations (names), so a copy of the domain yields no credentials.
The domain still needs protecting: anyone who can write a target association can map an identifier onto any user identity on a target system. Restrict write access to the EIM domain and audit association changes.

9 Source and Target Associations
Source association: for initial authentication, typically the desktop or laptop. User Identity + Registry → Person.
Target association: for subsequent authentication, typically servers. Person + Registry → User Identity.
Example associations for the person Jack McAfee:
Person | User Identity | Registry | Association Type
Jack McAfee | jmcafee | Gatekeeper | Source
Jack McAfee | JACKM | Production | Target
So the source user identity jmcafee resolves to the target user identity JACKM.

10 The EIM and Kerberos Approach
End user productivity gains
Easy to implement: no synchronization
Easy to manage: no centralization
Reduces password management cost!
Mapping: jmcafee on x1 (source) → Jack McAfee (EIM identifier) → JACKM on i1 (target)
Flow:
1. Sign on to x1 as jmcafee and get a Kerberos TGT.
2. The client asks the KDC on x1 for a service ticket (ST) for i1 and presents that ST to i1. (The KDC issues tickets to the client; it does not talk to i1 itself.)
3. i1 validates the Kerberos ST.
4. EIM → Jack McAfee is authorized on i1 as JACKM.
Diagram: end users sign on to x1 (Windows 2003 Server, KDC, UID jmcafee PWD LoneStar), the source. Targets: i1 (OS/400 V5R2, EIM Domain Controller, UID JACKM PWD HOUSTON), i2 (OS/400 V5R3, UID JACK PWD *NONE: no password at all, so the profile is reachable only through SSO), i3 (OS/400 V5R3, UID RJMCAF PWD ALAMO), p1 (Linux, UID rjmcafee PWD SpaceCenter).

11 The EIM and Kerberos Approach
Services or Applications enabled by IBM
OS/400 V5R2:
  iSeries Access
  iSeries Navigator
  Telnet (includes PC5250)
  ODBC/JDBC/DRDA
  LDAP
  QFileSvr.400
Post V5R2 GA:
  Apache Web Server (PTF Group SF99098)
  IBM WebSphere Host On-Demand (PTF level IP22748)

12 SSO Approach Comparison
Cost to... | IBM Approach | Synchronization | Centralization
Acquire | (+) Infrastructure integrated into OS/400 and i5/OS by IBM, and into Windows by Microsoft | (-) Infrastructure provided by ISVs | (-) Infrastructure provided by ISVs
Implement | (+) No agents to deploy; (+) EIM APIs are published and Kerberos is an open standard with open-source implementations | (-) Agents likely deployed; (-) Must synchronize UIDs/PWDs; (-) Potential changes to security schemes | (-) Agents deployed; (-) Must synchronize and secure a centralized list of UIDs/PWDs; (-) PWDs eventually made available in clear text
Maintain | (+) Infrastructure supported by IBM; (+) No centralized list of UIDs/PWDs to secure or synchronize | (-) Must maintain synchronization; (-) UIDs/PWDs limited by the "weakest" platform; (-) Synchronization not always reliable | (-) Scripts must be maintained to capture UIDs/PWDs

13 SSO Approach Comparison
Benefits... | IBM Approach | Synchronization | Centralization
End Users | (+) Fewer UIDs/PWDs; (+) Fewer sign-ons | (-) Same number of sign-ons |
Administrators | (+) Fewer PWD reset issues; (+) Fewer PWDs to manage!; (+) Improved security (Kerberos tickets, *NONE passwords) | (-) Synchronization issues | (-) Capture and synchronization issues; (-) UIDs/PWDs reside in two locations
Programmers | (+) Leverage the same EIM domain managed by administrators | (-) Limited benefit to programmers | (-) Some benefit to programmers, if they can access the centralized UID/PWD repository

14 IBM Approach Benefits
End Users
  Increased productivity
  No longer need to write down multiple passwords
  Only need to remember a single, strong password
Administrators
  Less time resetting passwords
  More secure enterprise (including *NONE passwords)
  No need to secure or synchronize another registry
  Platform authorization schemes are not changed
  Incremental roll-out
Programmers
  User identities and passwords no longer hard coded
  Utilize the same EIM domain maintained by administrators

15 SSO in a Single Day! (Really)
Objection: SSO requires extensive planning; everyone must be enabled at the same time.
Response: Not any more. End-user client applications (i.e. iSeries Navigator and PC5250) are configured to use Kerberos for authentication one client at a time, so roll-out is incremental.
Objection: Platform authorization schemes need to be changed.
Response: Not any more. Authorization continues to be determined by each platform's own user identity controls.
Objection: SSO configuration is a challenge.
Response: EIM: IBM Directory Server is integrated into OS/400, and the iSeries Navigator EIM Configuration wizard simplifies EIM configuration. Kerberos: you are probably already using Kerberos (a Windows domain controller is a KDC), and the iSeries Navigator Network Authentication Service wizard simplifies Kerberos configuration.
Objection: SSO weakens overall security, because passwords must be centrally stored and synchronized.
Response: EIM does not centrally replicate user identities or passwords; Kerberos tickets are used for authentication.
Objection: SSO creates a single point of access for people with malicious intentions.
Response: Today most end users already write down their passwords or rely on password synchronization, so that single point of access already exists. Two-factor authentication at the initial sign-on is the countermeasure.
Objection: Expensive (time and/or money).
Response: Deployment: not any more, IBM has integrated EIM and Kerberos into OS/400 starting with V5R2. Ongoing maintenance: TriAWorks Identity Manager for Single Sign-On (TIM SSO) makes it easy to populate EIM, create associations, and identify problems.

16 SSO in a Single Day Implementation
1. Configure Kerberos
2. Configure EIM
3. Populate EIM
4. Create Associations
5. Configure Applications

17 SSO in a Single Day Implementation
But what about web applications?

18 The EIM and Identity Tokens Approach
Single Sign-On Components
Client: any web browser or Java application; no change to the WAS authentication model
Middleware: WebSphere Application Server (WAS) V5 or Express V5; IBM Java Toolbox (JT400); Java Connector Architecture (JCA)
Application: enabled to create Identity Tokens. iSeries Access for Web, WebFacing, WebSphere Development Studio Client (WDSc) Web Tools, and YOURS!
Back-end Server: V5R2 or i5/OS V5R3 iSeries, reached through the Java Toolbox (JT400), which uses the iSeries Access host servers

19 The EIM and Identity Tokens Approach
Enabled Single Sign-On Host Servers
  Sign-on server
  Central server
  File server
  Database server
  DRDA and DDM server
  Data queue server
  Remote command server
  Distributed program call server
  Network print server

20 The EIM and Identity Tokens Approach
Single Sign-On Configuration
Apply the requisite PTF support
Deploy the WebSphere JT400 JCA connector and define:
  The EIM domain location
  Its authentication credentials (i.e. user ID and password)
  A WAS registry name
Enable your WAS or Java application for SSO by adding code to create Identity Tokens – jt400.jar in

21 The EIM and Identity Tokens Approach
Single Sign-On PTFs
The V5R2 Identity Token PTFs are:
  PTF/FIX #: SI, licensed program 5722SS1 (OS/400 - Extended Base Directory Support): new function, Enterprise Identity Mapping (EIM) Identity Token Connection Factory (this enables the WebSphere JCA component)
  PTF/FIX #: SI, licensed program 5722SS1 (Operating System/400): identity token support added for the operating system
  PTF/FIX #: SI, licensed program 5722SS1 (Operating System/400): support for identity tokens within the host servers
  PTF/FIX #: SI, licensed program 5722SS1 (Operating System/400)
The V5R3 Identity Token PTFs are:
  PTF/FIX #: SI, licensed program 5722SS1 (OS/400 - Extended Base Directory Support)

22 The EIM and Identity Tokens Approach
1. Sign on to the WebSphere application as jack.
2. The WAS application creates an Identity Token: the JCA connector returns an ID Token to the application, the application hands the ID Token to a JT400 object, and JT400 presents the ID Token to the back-end iSeries.
3. OS/400 accepts the Identity Token for authentication.
4. EIM → jack in WebSphere is JACKM on i1. i1 writes an X1 (identity token) entry to the QAUDJRN audit journal.
5. The Identity Token is passed on to i3.
6. EIM → jack in WebSphere is RJMCAF on i3.
TriAWorks Identity Manager for Single Sign-On (TIM SSO) imports people, makes associations, and maintains your SSO integrity.
Diagram: end users reach WebSphere on x1 (Windows 2003 Server, UID jack PWD LoneStar), the source. Targets: i1 (OS/400 V5R2, EIM Domain Controller, UID JACKM PWD HOUSTON), i2 (OS/400 V5R3, UID JACK PWD *NONE), i3 (OS/400 V5R3, UID RJMCAF PWD ALAMO), p1 (Linux, UID rjmcafee PWD SpaceCenter).

23 Identity Tokens Code Sample
// Use the identity token J2C connector to obtain and return an identity token.
// Class-level imports. The com.ibm.eim package names are assumed from the IBM
// identity token connector; check them against the connector jar you deployed.
import javax.naming.Context;
import javax.naming.InitialContext;
import com.ibm.eim.jca.ConnectionFactoryImpl;
import com.ibm.eim.jca.ConnectionImpl;
import com.ibm.eim.token.IdentityToken;

// "out" is the servlet's PrintWriter.
private IdentityToken getIDToken() {
    IdentityToken idToken = null;
    ConnectionFactoryImpl cf = null;
    Context ic = null;
    try {
        // Look up the connection factory. Its properties (EIM domain, credentials,
        // WAS registry name) were set when the managed connection factory was deployed.
        // Use the indirect JNDI (alias) name configured in the application's web.xml;
        // the alias must match the JNDI name used when the connector was deployed.
        // The lookup must be indirect: WAS will not pass a Subject to the JCA on a
        // direct lookup, and without the Subject no token can be minted.
        ic = new InitialContext();
        cf = (ConnectionFactoryImpl) ic.lookup(
            "java:comp/env/eis/IdentityToken_Shared_Reference");
    } catch (Exception e2) {
        out.println("The lookup for the connection factory failed. Either the connector "
            + "is not configured, or the servlet's resource reference (JNDI name) is not "
            + "set correctly in the web.xml file. The servlet expects the resource "
            + "reference in web.xml to be eis/IdentityToken_Shared_Reference");
        return null;
    }
    try {
        // Get a connection: WAS hands the authenticated Subject to the connector,
        // which mints an identity token for that user.
        ConnectionImpl con = (ConnectionImpl) cf.getConnection();
        idToken = con.getIdentityToken();
        con.close();
    } catch (Exception e) {
        out.println("Unable to obtain an identity token: " + e.getMessage());
    }
    return idToken;
}

24 Identity Tokens Code Sample
// Use the identity token to create a connection object to the OS/400 (host command server).
import com.ibm.as400.access.AS400;

// "remoteSystemName" is the target iSeries host name; "out" is the servlet's PrintWriter.
private AS400 getOS400Connection(IdentityToken idToken) {
    AS400 OS400CmdConnection = null;
    try {
        // Create an AS400 object and set the identity token into it. No user ID or
        // password is supplied: OS/400 validates the token and EIM maps it to a profile.
        OS400CmdConnection = new AS400(remoteSystemName);
        OS400CmdConnection.setIdentityToken(idToken.toBytes());
        // Connecting to the command host server is where the token is actually
        // checked; a missing target association fails here, not earlier.
        OS400CmdConnection.connectService(AS400.COMMAND);
    } catch (Exception e) {
        out.println(e.getMessage());
        e.printStackTrace(out);
    }
    // The caller should call disconnectAllServices() when finished with the object.
    return (OS400CmdConnection);
}

25 Summary
The IBM approach:
Enterprise Identity Mapping (EIM) for authorization (identity mapping)
Kerberos or Identity Tokens for authentication
  Kerberos for Windows-based applications
  Identity Tokens for WAS-based applications

26 For More Information
Links can be found on www.triaworks.com
Windows-based Single Signon and the EIM Framework on the IBM eServer iSeries Server (IBM Redbook)
Experts' Guide to OS/400 & i5/OS Security by Carol Woodbury and Patrick Botz

27 Client Configuration
End users will not be enabled for SSO until they configure their clients to use Kerberos for authentication. Two examples: PC5250 and iSeries Navigator.

28 PC5250

29 iSeries Navigator

