Federated Identity with Ping Federate. Eunice Mondésir, Pierre Weill-Tessier. Project Supervisor: M. Maknavicius-Laurent (ASR). Coordinator: G. Bernard (ASR).


Slide 1: Federated Identity with Ping Federate
Final Project, February 7th
Eunice Mondésir, Pierre Weill-Tessier
Project Supervisor: M. Maknavicius-Laurent (ASR)
Coordinator: G. Bernard (ASR)

Slide 2: Agenda
1. Introduction
2. Federated Identity concepts
3. Presentation of Ping Federate server
4. Platform implementation
5. Demonstrations
6. Conclusion

Slide 3: Introduction

Slide 4: Federated Identity Concepts

Slide 5: Federated Identity concepts
1. Why Federated Identity?
2. What is Federated Identity?
3. Participants of the Circle of Trust
4. Single Sign On and Single Log Out
5. The SAML language

Slide 6: 1. Why federated identity?

Slide 7: 1. Why federated identity?
- Multiple authentication parameters
- Heterogeneous authentication and access control methods
- No control over the disclosure of personal information
- Need for easier and faster access to services

Slide 8: 2. What is federated identity?
- A set of agreements, standards and technologies
- Trust relationships between organizations
- Integrity and privacy preserved
- Independence of the organizations

Slide 9: 3. Circle of Trust (CoT) participants
Service Provider (SP):
- Provides one or more services within a federation
- Access control policy
Identity Provider (IdP):
- Creates, maintains and manages identity information
- The user must authenticate at an IdP recognized by the SP

Slide 10: 3. Circle of Trust (CoT) participants
Circle of trust:
- Federation of IdPs and SPs
- Business relationships
- Operational agreements
- Secured communication channels
- Seamless environment
(Diagram: a CoT containing an IdP and an SP.)

Slide 11: 4. SSO and SLO (Liberty Alliance)
Single Sign On (SSO):
- Sign on once at a site (single account)
- Seamlessly signed on at the other sites
- No extra authentication
- SPs both within and across circles of trust
Single Log Out (SLO):
- Synchronized session logout
- All sessions authenticated by an IdP are closed

Slide 12: 5. SAML (Security Assertion Markup Language)
- XML standard developed by OASIS
- Exchanges authentication and authorization data between security domains (IdP and SP)
- SSO solution beyond the intranet
- Exchange of assertions between the IdP and the SP
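The assertion exchange on this slide is only safe for the SP if it checks what it receives. The following is an added example (not code from the deck or from Ping Federate) of the checks an SP performs on a SAML 2.0 assertion before trusting it: trusted Issuer, validity window with a clock-skew allowance, Audience matching the SP's own entity ID, Recipient matching the SP's consumer URL, and InResponseTo matching the SP's own request for SP-initiated SSO. The entity IDs, URLs, request ID and the assertion text are all constructed; XML Signature verification, which must succeed before any of these checks matter, is not shown because it needs an XML-DSig library.

```python
"""SP-side checks on a SAML 2.0 assertion (added example, not Ping Federate code).

The entity IDs, ACS URL, request ID and the assertion itself are constructed.
XML Signature verification is not shown: it needs an XML-DSig library and must
succeed before any of the checks below are worth trusting.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed assertion, as an IdP might issue it for bearer SSO to an SP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2013-02-07T10:00:00Z">
  <saml:Issuer>https://idp.example.int/entity</saml:Issuer>
  <saml:Subject>
    <saml:NameID>sarah</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"
          NotOnOrAfter="2013-02-07T10:05:00Z" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-02-07T09:59:00Z" NotOnOrAfter="2013-02-07T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/entity</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="title">
      <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(value):
    """Parse the UTC xs:dateTime form SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, sp_entity_id, acs_url,
                       request_id=None, now=None, skew=timedelta(seconds=60)):
    """Return (ok, reasons); every failing check is listed, not only the first."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML:
        return False, ["not a SAML 2.0 Assertion"]
    reasons = []
    # The Issuer must be the partner IdP configured for this connection.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        reasons.append("issuer %r is not the trusted IdP" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_time(nb):
            reasons.append("assertion not yet valid")
        if noa and now - skew >= parse_time(noa):
            reasons.append("assertion expired")
        # Audience ties the assertion to our entity ID so it cannot be replayed at another SP.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            reasons.append("audience %r does not name this SP" % audiences)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        reasons.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            reasons.append("Recipient is not our assertion consumer URL")
        if scd.get("NotOnOrAfter") and now - skew >= parse_time(scd.get("NotOnOrAfter")):
            reasons.append("subject confirmation expired")
        # SP-initiated SSO: the assertion must answer the AuthnRequest we actually sent.
        if request_id is not None and scd.get("InResponseTo") != request_id:
            reasons.append("InResponseTo does not match our AuthnRequest")
    return not reasons, reasons


def attributes(xml_text):
    """Collect attribute values (for instance a 'title' used as a role) as a dict."""
    root = ET.fromstring(xml_text)
    result = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        result[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return result


if __name__ == "__main__":
    ok, why = validate_assertion(SAMPLE_ASSERTION, "https://idp.example.int/entity",
                                 "https://sp.example.org/entity", "https://sp.example.org/acs",
                                 request_id="_req42", now=parse_time("2013-02-07T10:02:00Z"))
    print(ok, why, attributes(SAMPLE_ASSERTION))
```

The same identifiers appear later in the deck as Ping Federate settings: the trusted Issuer and the Audience are the partners' Entity IDs, and the Recipient is the Base URL plus the SP's consumer endpoint. Collecting every failing reason rather than stopping at the first makes a rejected login easy to diagnose from the SP log.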

Slide 13: Presentation of Ping Federate

Slide 14: Presentation of Ping Federate server
1. How does Ping Federate work?
2. Communication tools of Ping Federate

Slide 15: 1. How does Ping Federate work?
- Server that passes identities between CoTs
- Distinction between two roles: IdP and SP
  - Both roles can be combined
- Ping Federate does not interfere with local usage of the application

Slide 16: 2. Communication tools in the PF server
- Different environments: how do they communicate?
  - Ping Federate provides Integration Toolkits
(Diagram: an application or IdM written in programming language X, linked through an agent, a token and an adapter to the PF server, which speaks SAML with the partner.)

Slide 17: Platform Implementation

Slide 18: Platform Implementation
1. Needs
2. LDAP
3. Postfix
4. Tomcat
5. Ping Federate server

Slide 19: 1. Needs
- Applications often interact with a database for authentication
- The Ping Federate server asks for the parameters of a mail server in order to send notification mail
- Ping Federate's sample application runs on the Tomcat application server

Slide 20: 2. LDAP
Why this protocol?
- LDAP adapter proposed by PF
- Authentication to IdPs via a pop-up window
Our configuration:
- Server: OpenLDAP
- Client: LDAPBrowser, to check our entries
- Simple tree: root + inetOrgPerson class instances

Slide 21: 2. LDAP
Example of LDAP tree:
  dn: o=INT,c=FR
  dn: cn=Eunice, o=INT, c=FR
  dn: cn=Pierre, o=INT, c=FR
Attributes we used:
- cn, sn
- mail, userPassword
- title
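As an added example (not the project's own LDIF), the script below generates the LDIF for the tree on this slide with the attributes listed: two inetOrgPerson entries under o=INT,c=FR. Two points matter for the directory that an IdP authenticates against: userPassword should hold a salted hash in OpenLDAP's {SSHA} form rather than the clear text, and LDIF values containing non-ASCII characters (such as an accented surname) must be base64-encoded on a "::" line, which a hand-written file easily gets wrong. The sn, mail, title and password values are constructed.

```python
"""LDIF for the slide's tree, with hashed userPassword values (added example,
not the project's own LDIF). The two inetOrgPerson entries follow the DNs on
the slide; sn, mail, title and the passwords are constructed values.
"""
import base64
import hashlib
import os


def ssha(password, salt=None):
    """OpenLDAP {SSHA} form: base64(sha1(password || salt) || salt).
    A salted hash is what userPassword should hold, never the clear text."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recompute the hash with the stored salt; True if the password matches."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_line(attr, value):
    """One LDIF attribute line. RFC 2849: a value that is not a SAFE-STRING
    (non-ASCII, leading space/colon/'<', NUL, CR or LF) goes base64 after '::'."""
    data = value.encode("utf-8")
    unsafe = (not data or data[0] in b" :<"
              or any(b > 127 or b in b"\x00\r\n" for b in data))
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(data).decode("ascii"))
    return "%s: %s" % (attr, value)


def person_entry(cn, sn, mail, title, password, salt=None):
    """Build one inetOrgPerson entry under o=INT,c=FR with the slide's attributes."""
    lines = [ldif_line("dn", "cn=%s,o=INT,c=FR" % cn)]
    lines += [ldif_line("objectClass", c)
              for c in ("top", "person", "organizationalPerson", "inetOrgPerson")]
    lines += [ldif_line("cn", cn), ldif_line("sn", sn), ldif_line("mail", mail),
              ldif_line("title", title), ldif_line("userPassword", ssha(password, salt))]
    return "\n".join(lines)


def build_ldif(people, salt=None):
    """Root organization entry followed by one entry per (cn, sn, mail, title, password)."""
    root = "\n".join([ldif_line("dn", "o=INT,c=FR"), ldif_line("objectClass", "top"),
                      ldif_line("objectClass", "organization"), ldif_line("o", "INT")])
    return "\n\n".join([root] + [person_entry(*p, salt=salt) for p in people]) + "\n"


# Constructed sample data; the passwords are placeholders for the demo accounts.
PEOPLE = [
    ("Eunice", "Mondésir", "eunice@int.example", "student", "demo-password-1"),
    ("Pierre", "Weill-Tessier", "pierre@int.example", "student", "demo-password-2"),
]

if __name__ == "__main__":
    print(build_ldif(PEOPLE))
```

The output can be loaded with ldapadd against the OpenLDAP server from slide 20; the server then verifies a simple bind by recomputing the {SSHA} digest, which is what ssha_verify does here for illustration.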

Slide 22: 3. Postfix
Why?
- Mail server working on a Linux OS
- "Lighter" configuration than Sendmail
- No database associated: only one user!
  - The single address is a "fake" address used for the notification only
- IMAP server as the MDA

Slide 23: 4. Tomcat
Why?
- Required application server to test the samples
- Multi-technology server (JSP, HTML)
Identification tools:
- Double authentication based on role and login
- Default configuration
- LDAP-based configuration (JNDI)

Slide 24: 4. Tomcat
Key configuration files:
- server.xml: defines the database connection
- web.xml: defines the security constraint
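The role-and-login protection on the previous slide is what web.xml's security-constraint expresses. As an added example (not the project's files), the script below embeds a constructed web.xml of that shape and audits it for the mistakes that silently weaken such a setup: a resource collection without an auth-constraint (open to everyone), an empty auth-constraint (open to no one), a role used in a constraint but never declared, and a missing CONFIDENTIAL transport guarantee, which lets the form login and session cookie travel over plain HTTP. The url-patterns and role names are invented; the server.xml realm definition is not covered.

```python
"""Audit the security-constraint section of a Tomcat web.xml (added example,
not the project's own configuration). WEB_XML is a constructed fragment of the
kind the slides describe: role-based access, form login, users resolved by a
realm. The role names and paths are invented for the example.
"""
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>student</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>student</role-name></security-role>
</web-app>"""


def audit_web_xml(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(text)
    findings = []
    declared = {r.text for r in root.findall("j:security-role/j:role-name", NS)}
    for sc in root.findall("j:security-constraint", NS):
        patterns = ", ".join(p.text for p in sc.findall("j:web-resource-collection/j:url-pattern", NS))
        auth = sc.find("j:auth-constraint", NS)
        if auth is None:
            # No auth-constraint: the collection is reachable without authentication.
            findings.append("%s: no auth-constraint, accessible without login" % patterns)
        else:
            roles = [r.text for r in auth.findall("j:role-name", NS)]
            if not roles:
                # An empty auth-constraint denies the resource to everyone.
                findings.append("%s: empty auth-constraint, nobody can access" % patterns)
            for role in roles:
                if role != "*" and role not in declared:
                    findings.append("%s: role %r is not declared in security-role" % (patterns, role))
        guarantee = sc.findtext("j:user-data-constraint/j:transport-guarantee", namespaces=NS)
        if guarantee != "CONFIDENTIAL":
            # Without CONFIDENTIAL the container may serve the login form and session over plain HTTP.
            findings.append("%s: transport-guarantee is %s, not CONFIDENTIAL" % (patterns, guarantee or "absent"))
    if root.find("j:login-config", NS) is None:
        findings.append("no login-config: constrained resources cannot be authenticated")
    return findings


if __name__ == "__main__":
    for finding in audit_web_xml(WEB_XML):
        print(finding)
```

Run against the constructed file it flags the /admin/* constraint twice (undeclared role, no transport guarantee) and passes /protected/*; the fix is to declare the admin role and add the same user-data-constraint to the second block.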

Slide 25: 5. Ping Federate
Standalone web administration:
- Support for multi-account administration
- Modifiable role selection (IdP, SP or both)
Ease of management:
- Server configuration
- Partner configuration

Slide 26: 5. Ping Federate
Server settings, local settings:
- Base URL: where the server is reached
- Federation Info: choice of technologies
- Entity ID / realm: the server's alias outside Ping Federate
- IdP/SP events: systematic redirections

Slide 27: 5. Ping Federate
Server settings:
- Local settings
- IdP/SP adapter management
- Data store management
- Metadata export

Slide 28: 5. Ping Federate
Partner settings, connections:
- IdP connections = we are the SP
- SP connections = we are the IdP
- SP affiliations = a federation of 2+ partners
- According to the partners' configuration = each CoT defines its policy independently

Slide 29: Demonstrations

Slide 30: Test platform implementation
1. Before Ping Federate servers
2. Simplification
3. Ping Federate servers setting-up
4. IdP initiated SSO with ITAM
5. SP initiated SSO with ITAM
6. SP initiated SSO with LDAP adapter

Slide 31: 1. Before Ping Federate servers
(Diagram: INT CoT with its IdM and services S1, S2, S3; ITAM CoT with its IdM and services S1, S2, S3.)
Connection to INT services from within INT.

Slide 32: 1. Before Ping Federate servers
(Diagram: INT CoT with its IdM and services S1, S2, S3; ITAM CoT with its IdM and services S1, S2, S3.)
Connection to INT services from outside INT.

Slide 33: 1. Before Ping Federate servers
(Diagram: INT CoT with its IdM and services S1, S2, S3; ITAM CoT with its IdM and services S1, S2, S3.)
Connection to ITAM services, from within INT or from outside INT, is not possible.

Slide 34: 2. Simplification
(Diagram: each CoT reduced to one IdM and a single service S1.)
- All applications hosted by the Tomcat server
- Authentication files serving as the database

Slide 35: 3. PF servers setting up
- For the INT CoT: only one PF server (IdP and SP server)
- For the ITAM CoT: two PF servers, one IdP and one SP
(Diagram: INT CoT with IdM, S1 and cubitus as IdP & SP; ITAM CoT with IdM, S1, titania as SP and oberon as IdP.)

Slide 36: 4. IdP initiated SSO with ITAM
(Diagram: INT CoT with IdM, S1 and IdP cubitus; ITAM CoT with IdM, S1, SP titania and IdP oberon; SAML 2.0 SSO.)
Sarah is connected to S1 without having passed by the ITAM IdM.

Slide 37: 5. SP initiated SSO with ITAM
(Diagram: INT CoT with IdM, S1 and IdP cubitus; ITAM CoT with IdM, S1, SP titania and IdP oberon; Bob; SAML 2.0 SSO.)

Slide 38: 6. SP initiated SSO with LDAP adapter
(Diagram: INT CoT with an LDAP directory, IdM, S1 and IdP cubitus using the LDAP adapter; ITAM CoT with IdM, S1, SP titania using the standard adapter and IdP oberon; Sam; SAML 2.0 SSO.)
The INT IdP interacts with the LDAP directory via a pop-up window.

Slide 39: Conclusion

Slide 40: Conclusion
What remains to do?
- Adapt INTest with Ping Federate (Token)
- Test multi-partner federation
- Perform tests on security and privacy
Other solutions?
- Microsoft CardSpace (.NET)
- WS-Federation
- Servers (Sun One Identity Server, IBM Tivoli, Microsoft ADFS…)

Slide 41: Thanks for your attention. Questions?