Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR Final Project February 7 th, Eunice Mondésir Pierre Weill-Tessier
Eunice Mondésir Pierre Weill-Tessier 2 Agenda 1. Introduction 2. Federated Identity concepts 3. Presentation of Ping Federate server 4. Platform implementation 5. Demonstrations 6. Conclusion
Introduction
Federated Identity Concepts
Eunice Mondésir Pierre Weill-Tessier 5 Federated Identity concepts 1. Why Federated Identity? 2. What is Federated Identity? 3. Participants of Circle of Trust 4. Single Sign On and Single Log Out 5. SAML langage
Eunice Mondésir Pierre Weill-Tessier 6 1. Why federated identity? Federated Identity Concepts
Eunice Mondésir Pierre Weill-Tessier 7 1. Why federated identity? Multiple authentication parameters Heterogeneous authentification and access control methods No control on personal information’s exhibition Need for easier and faster acces to services Federated Identity Concepts
Eunice Mondésir Pierre Weill-Tessier 8 2. What is federated identity? Set of agreements, standards and technologies Trust relationships between organizations Integrity and privacy perserved Independance of organizations Federated Identity Concepts
Eunice Mondésir Pierre Weill-Tessier 9 3. Circle of Trust (CoT) participants Service Provider (SP): Provides one or more services within a federation Access control policy Identity Provider (IdP): Creates, maintains, manages identity information user must authenticate at an IdP recognized by a SP Federated Identity Concepts
Eunice Mondésir Pierre Weill-Tessier Circle of Trust (CoT) participants Circle of trust: Federation of IdP and SP Business relationships Operational agreements Secured communication channels Seamless environment Federated Identity Concepts CoT IdP SP
Eunice Mondésir Pierre Weill-Tessier 11 4.SSO and SLO Liberty alliance Single Sign On (SSO): Sign on once at a site (single account) Seamless signed-on for other sites No extra authentication SP both within and across circles of trusts Single Log Out (SLO): Synchronized session logout All sessions authenticated by an IdP closed Federated Identity Concepts
Eunice Mondésir Pierre Weill-Tessier SAML (Security Assertion Markup Langage) XML standard developped by OASIS Exchanging authentication & authorization data between security domains (IdP and SP) SSO solution beyond the intranet Exchange of assertions between IdP and SP Federated Identity Concepts
Presentation of Ping Federate
Eunice Mondésir Pierre Weill-Tessier 14 Presentation of Ping Federate server 1. How does Ping Federate work ? 2. Communication tools of Ping Federate
Eunice Mondésir Pierre Weill-Tessier How does Ping Federate work ? Server that passes identities between CoTs Distinction between two roles: IdP and SP Both roles can be combined Ping Federate does not interfere with local usage of the application Presentation of Ping Federate server
Eunice Mondésir Pierre Weill-Tessier Communication tools in PF server different environments: how communicate? Ping Federate provides Integration Toolkits** Application or IdM X programming language PF Token agent adapter SAML Presentation of Ping Federate server
Plateform Implementation
Eunice Mondésir Pierre Weill-Tessier 18 Platform Implementation 1. Needs 2. LDAP 3. Postfix 4. Tomcat 5. Ping Federate server
Eunice Mondésir Pierre Weill-Tessier Needs Applications often interacts with a database for authentication Ping Federate server asks for parameters of a mail server to send notification mail Ping Federate’s sample application runs on Tomcat Application Server Platform Implementation
Eunice Mondésir Pierre Weill-Tessier LDAP Why this protocol ? LDAP adapter proposed by PF Authentication to IdPs via pop-up window Our configuration: Server OpenLDAP Client LDAPBrowser to check our entries Simple tree: root + inetOrgPerson class instances Platform Implementation
Eunice Mondésir Pierre Weill-Tessier 21 dn: o=INT,c=FR dn: cn=Eunice, o=INT, c=FR dn: cn=Pierre, o=INT, c=FR 2. LDAP Example of LDAP Tree: Attributes we used: cn, sn mail, userPassword title Platform Implementation
Eunice Mondésir Pierre Weill-Tessier Postfix Why ? mail server working on Linux O.S “Lighter” configuration than Sendmail No database associated : only one user ! is a “fake” address used for the notification only. IMAP server as a MDA Platform Implementation
Eunice Mondésir Pierre Weill-Tessier Tomcat Why ? Required applications server to test the samples Multi-technologies support server (jsp, html) Identification tools: Double authentication based on Role and Login Default configuration LDAP-using configuration JNDI Platform Implementation
Eunice Mondésir Pierre Weill-Tessier Tomcat Key configuration files server.xml: defines the database connection web.xml: defines the security constraint Platform Implementation
Eunice Mondésir Pierre Weill-Tessier Ping Federate Standalone web administration Support of multi-account administration Modifiable role selection (IdP, SP or both) Ease of management Server configuration Partner configuration Platform Implementation
Eunice Mondésir Pierre Weill-Tessier Ping Federate Server settings Local settings Base URL: where reaching the server ? Federation Info: choice of technologies Entity ID / realm: outside Ping Federate alias IdP/SP events: systematic redirections Platform Implementation
Eunice Mondésir Pierre Weill-Tessier Ping Federate Server settings Local settings IdP/SP adapters management Data Store management Metadata export Platform Implementation
Eunice Mondésir Pierre Weill-Tessier Ping Federate Partner settings’ connections IdP connections = we are SP SP connections = we are IdP SP affiliations = 2+ partners’ Federation According to partners’ configuration = Each CoT defines its policy independently Platform Implementation
Demonstrations
Eunice Mondésir Pierre Weill-Tessier 30 Test Platform implementation 1. Before Ping Federate servers 2. Simplification 3. Ping Federate servers setting-up 4. IdP initiated SSO with ITAM 5. SP initiated SSO with ITAM 6. SP initiated SSO with LDAP adapter
Eunice Mondésir Pierre Weill-Tessier Before Ping Federate servers INT CoT IdM S1 S2 S3 INT Services ITAM CoT S1 S2 S3 ITAM Services IdM Connection to INT services within INT
Eunice Mondésir Pierre Weill-Tessier Before Ping Federate servers INT CoT IdM S1 S2 S3 INT Services ITAM CoT S1 S2 S3 ITAM Services IdM Connection to INT services from outside INT
Eunice Mondésir Pierre Weill-Tessier Before Ping Federate servers INT CoT IdM S1 S2 S3 INT Services ITAM CoT S1 S2 S3 ITAM Services IdM Connection to ITAM services within INT or from outside INT not possible
Eunice Mondésir Pierre Weill-Tessier 34 INT CoT ITAM CoT 2. Simplification IdM S1 S2 S3 INT Services S1 S2 S3 ITAM Services IdM S1 IdM All aplications hosted by tomcat server Authentcation files serving as database
Eunice Mondésir Pierre Weill-Tessier PF servers setting up For INT CoT: only one PF server (IdP and SP server) For ITAM CoT: two PF servers, one IdP and one SP INT CoT IdM S1 ITAM CoT S1 IdM IdP & SP cubitus SP titania IdP oberon
Eunice Mondésir Pierre Weill-Tessier 36 ITAM CoT S1 IdM SP titania IdP oberon 4. IdP initiated SSO with ITAM INT CoT IdM S1 SSOSAML 2.0 Sarah connected to S1 without having passed by ITAM IdM Sarah IdP cubitus
Eunice Mondésir Pierre Weill-Tessier 37 ITAM CoT S1 IdM 5. SP initiated SSO with ITAM INT CoT IdM S1 IdP cubitus SP titania IdP oberon Bob SAML 2.0 SSO
Eunice Mondésir Pierre Weill-Tessier 38 ITAM CoT S1 IdM 6. SP initiated SSO with LDAP adapter S1 IdP cubitus SP titania IdP oberon Sam SAML 2.0 INT IdP interaction with LDAP directory via a pop-up window LDAP IdM LDAP adapterstandard adapter SSO INT CoT SAML 2.0
Conclusion
Eunice Mondésir Pierre Weill-Tessier 40 What remains to do ? Adapt INTest with Ping Federate (Token) Test Multi-partners federation Perform tests on security and privacy Other solutions ? Microsoft CardSpace (.NET) WS-Federation Servers (Sun One Identity Server, IBM Tivoli, Microsoft ADFS…) Conclusion
Eunice Mondésir Pierre Weill-Tessier 41 Thanks for your attention Questions ?