Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.

Presentation transcript:

Slide 1: WebFOCUS Authentication
Mark Nesson, Vashti Ragoonath
Information Builders Summit 2008 User Conference, June 2008
Copyright 2007, Information Builders.

Slide 2: Agenda
- We are going to learn more about WebFOCUS Authentication:
  - General Overview – What is Authentication?
  - Where are the WebFOCUS authentication checkpoints?
    - Web Tier
    - Reporting Server
  - What are the Authentication options?
  - Configuring Authentication options at security checkpoints
  - What are some of the considerations in architecting a secured WebFOCUS environment?
  - A look at some common customer scenarios
  - Conclusion

Slide 3: General Overview – What is Authentication?
- Authentication
  - Process of confirming a user’s identity and whether he/she is allowed to access the service or application
  - Involves identity retrieval process
    - Via Prompt (Browser Prompt, HTML Forms, etc.)
    - Or via Secured Token (NTLM, Kerberos Token, Cookie, etc.)
  - Involves identity validation
    - User Id and Password Validation
    - Token Validation (NTLM Processing, SPNEGO, etc.)
    - Cookie Validation (SiteMinder Single Sign-On/SSO Cookie, Managed Reporting Cookie, etc.)

Slide 4: Authentication Checkpoints

Slide 5: Security Options
- Internal Authentication
  - Credentials are validated and stored internally in a proprietary repository.
- External Authentication
  - Active Directory
  - LDAP
  - RDBMS
  - Reporting Server
  - Custom (such as custom API, Web Services, etc.)
- Trusted Authentication
  - Credentials are not validated
  - User ID is provided securely by external service (Web Server, Operating System, etc.).
  - External service (e.g. SiteMinder) will pass to WebFOCUS either REMOTE_USER or an HTTP Header with the authenticated user id.

Slide 6: Security Options – Trusted Authentication
- “Authentication” process occurs at the Web Server level.
- Common Web Server Authentication Scheme
  - Anonymous Authentication (No authentication)
  - Basic Web Authentication
  - Integrated Windows Authentication (IWA/NTLM)
  - Kerberos
- 3rd Party Single Sign-On Applications
  - Example: SiteMinder, Oblix, RSA ClearTrust
  - Common Characteristics
    - Use of Encrypted Cookie to maintain Single Sign-On session management
    - Ability to pass authentication header (REMOTE_USER) or custom headers/cookie.
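Because trusted authentication does not validate credentials, the application's security depends on where the asserted user ID comes from. The sketch below is an added, generic WSGI-style illustration and not WebFOCUS code: the function name, the proxy allowlist and the sample requests are constructed, and the mode labels WEB and WEBHDR are borrowed from the console options named later in the deck.

```python
import ipaddress

# Constructed allowlist: the web server / SSO agent tier allowed to assert identity.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.0/28")]

def _from_trusted_peer(environ):
    """True only when the TCP peer is the SSO-protected front end."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)

def resolve_trusted_user(environ, mode, header="sm_user"):
    """Return the asserted user ID, or None when the assertion cannot be trusted.

    mode "WEB"    -> identity from REMOTE_USER, set by the web server itself
    mode "WEBHDR" -> identity from an HTTP header set by the SSO agent
    """
    if mode == "WEB":
        # REMOTE_USER is a server variable. A client-sent "Remote-User" header
        # arrives as HTTP_REMOTE_USER and is deliberately never consulted.
        user = environ.get("REMOTE_USER")
    elif mode == "WEBHDR":
        # Any client can send the header, so accept it only from the SSO tier.
        if not _from_trusted_peer(environ):
            return None
        user = environ.get("HTTP_" + header.upper().replace("-", "_"))
    else:
        raise ValueError("unknown trusted mode: %r" % mode)
    user = (user or "").strip()
    return user or None

# Constructed requests: one relayed by the SSO tier, one sent directly by a client.
VIA_SSO = {"REMOTE_ADDR": "10.0.5.3", "HTTP_SM_USER": "jsmith"}
DIRECT = {"REMOTE_ADDR": "203.0.113.9", "HTTP_SM_USER": "admin",
          "HTTP_REMOTE_USER": "admin"}
```

The same boundary has to hold on the network side: the SSO agent should strip any inbound copy of the identity header, and the application tier should not be reachable except through it.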

Slide 7: Security Options – External
- Why would we want “External” Security?
  - To provide better control
  - To centralize identity management in a common system
  - To provide better auditing/reporting capabilities
- Why would we want “Trusted” Security?
  - To avoid repeated credentials prompting
  - Single Sign-On

Slide 8: Apply security options at WebFOCUS checkpoints
- Security Checkpoints
  - Web Tier
    - Managed Reporting/Dashboard
    - WebFOCUS Client Administration Console
    - ReportCaster
    - Self-Service Applications
  - Reporting Server

Slide 9: Web Tier checkpoints
In the context of Internal, Trusted and External Authentication:
- Managed Reporting/Dashboard
  - Internal (User credentials verified against proprietary repository)
  - External (User authenticated by LDAP, AD, WFRS, etc.)
  - Trusted (User authenticated by Web Server)
- WebFOCUS Client Administration Console
  - None (Console is unprotected)
  - External (Reporting Server)
  - Trusted (User authenticated by Web Server)
- ReportCaster
  - Internal (User id and password stored in ReportCaster repository)
  - External (User authenticated by Managed Reporting)
  - Trusted (User authenticated by Web Server)
- Self-Service Applications
  - Trusted (User authenticated by Web Server)
  - External (Reporting Server)

Slide 10: Reporting Server Checkpoint
Authentication Options on the Reporting Server:
- PTH: Internal, file-based authentication for HTTP connections. TCP connections are not authenticated.
- OPSYS: TCP/HTTP connections are authenticated by the Operating system
- DBMS: TCP/HTTP connections are authenticated by the Database Server
- LDAP: TCP/HTTP connections are authenticated by LDAP Server or Active Directory.
New Trust Extension Setting, trust_ext=y
- Supported on all server platforms, including Windows
- Does not support impersonation
- Server secured with LDAP requires user be found
- Not supported with Server security DBMS

Slide 11: Configuring WebFOCUS security options
- Let’s go through the steps on how to configure these security checkpoints. Then we will move on to applying the security options to some common customer scenarios.
- Managed Reporting/Dashboard
  - Login to WebFOCUS Client Administration Console
  - From Configuration/MR Security Settings
    - General
    - From here you can set MR Authentication to Internal, External or Trusted

Slide 12: Configuring WebFOCUS security options
- WebFOCUS Client Administration Console
  - Login to WebFOCUS Client Administration Console
  - From Configuration/Startup Parameters
    - Modify IBIWFC_AUTHENTICATION
    - Options Include
      - No authentication
      - Trusted (Web/REMOTE_USER and WEBHDR/HTTP Header)
      - Reporting Server (EDA and EDA:edanode)

Slide 13: Configuring WebFOCUS security options
- ReportCaster
  - Open ReportCaster Configuration File
  - General Tab/Security
  - Authentication Plug-In set to:
    - “None” means “use Id/Pwd from BOTUPROF”
    - “Trusted MR Sign-on” means connect with owner Id only
  - Caster Remote Authenticated is optional SSO setting
    - No means sign-on with Id/Pwd
    - Yes means use Id in REMOTE_USER
    - HTTP Header allows you to specify header for SSO

Slide 14: Configuring WebFOCUS security options
- Reporting Server
  - Web Console/Workspace/Access Control
  - Security Mode drop-down list
    - OPSYS
    - OFF
    - PTH
    - DBMS
    - LDAP
- Now let’s see how we can put these options together to architect WebFOCUS secured environments.

Slide 15: Configuring WebFOCUS security options
- Reporting Server
  - When do we use the different Reporting Server options?
  - ON/LDAP/RDBMS
    - Preferred due to added security level by requiring an authentication prior to connection to the service
    - LDAP and RDBMS offer more flexibility in terms of the authentication providers
  - PTH/OFF/Explicit Connection ID
    - Useful when connection can be “trusted” into the Reporting Server tier due to an “authentication” occurring up-front at the web or application tier (such as MR SIGNON)
    - Console is still protected under PTH mode
    - Password is not available beyond the Web Tier
    - Customer does not want to maintain OS level accounts for every user

Slide 16: Reporting Server Impersonation
- Scenario 1
  - Enables fine-grained access control and auditing at the file system and relational database
  - Requires Reporting Server Security = OPSYS
  - Requires RC Authentication Plug-in = MR Trusted Sign-on
    - Tip: This is always a requirement whenever MR Authentication is External or Trusted
- Recommendation A – Kerberos SSO (7.6.1)
  - MR Authentication = Trusted / REMOTE_USER
  - WF Console Authentication = WEB
  - RC Caster Remote Authenticated = YES
  - Server Connection Security = KERBEROS

Slide 17: Reporting Server Impersonation
- Recommendation B – MR Sign-on Page
  - MR Authentication = External / WFRS
  - WF Console Authentication = EDA
  - Server Connection Security = Default
- Recommendation C – Basic Web Authentication (7.6.1)
  - Web Server Security = Basic Web Authentication
  - MR Authentication = Trusted / REMOTE_USER
  - WF Console Authentication = WEB
  - RC Caster Remote Authenticated = YES
  - Server Connection Security = HTTP Basic
- If SSO vendor solution preferred for Web-tier, then Reporting Server will require secondary Id/Pwd prompt
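The constraints stated on slides 9, 10 and 16 can be checked mechanically before a design is deployed. The following is an added example, not an Information Builders tool: the dictionary keys, severity labels and sample environments are constructed for illustration, and only the rules themselves come from the slides.

```python
def audit_webfocus_security(cfg):
    """Return (severity, message) findings for one environment's settings."""
    mr = str(cfg.get("mr_authentication", "")).lower()
    console = str(cfg.get("console_authentication", "none")).lower()
    server = str(cfg.get("server_security", "")).upper()
    rc_plugin = str(cfg.get("rc_authentication_plugin", "none")).lower()
    trust_ext = str(cfg.get("trust_ext", "n")).lower() == "y"
    impersonation = bool(cfg.get("impersonation", False))

    findings = []
    if console == "none":  # slide 9
        findings.append(("high", "Administration Console is unprotected"))
    if server == "PTH":  # slide 10
        findings.append(("info", "PTH: TCP connections are not authenticated"))
    if trust_ext and server == "DBMS":  # slide 10
        findings.append(("high", "trust_ext=y is not supported with server security DBMS"))
    if impersonation and trust_ext:  # slide 10
        findings.append(("high", "trust_ext=y does not support impersonation"))
    if impersonation and server != "OPSYS":  # slide 16
        findings.append(("high", "impersonation requires server security OPSYS"))
    if mr in ("external", "trusted") and rc_plugin != "mr trusted sign-on":  # slide 16 tip
        findings.append(("medium", "ReportCaster plug-in must be MR Trusted Sign-on"))
    return findings

# Constructed sample: Recommendation A (Kerberos SSO) from slide 16.
KERBEROS_SSO = {
    "mr_authentication": "Trusted",
    "console_authentication": "WEB",
    "server_security": "OPSYS",
    "rc_authentication_plugin": "MR Trusted Sign-on",
    "impersonation": True,
}

# Constructed sample that violates several of the stated constraints at once.
MISCONFIGURED = {
    "mr_authentication": "External",
    "console_authentication": "None",
    "server_security": "DBMS",
    "rc_authentication_plugin": "None",
    "trust_ext": "y",
    "impersonation": True,
}
```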

Slide 18: Authenticate to Sun One LDAP Server
- Recommendation A - MR / WFRS
  - MR Authentication = External / WFRS
  - WF Console Authentication = EDA
  - Server Security = LDAP
  - Server Connection Security = Default
  - ReportCaster Data Server Settings: Run Id=User
- Drawback
  - If LDAP passwords expire periodically, user passwords stored in ReportCaster repository will become stale, potentially resulting in failed schedule execution
- Workaround
  - Set trust_ext=y option on Server (7.6.1)
  - ReportCaster Data Server Settings: Run Id=User, Shared=Yes, Trusted=Passthrough

Slide 19: Authenticate to Sun One LDAP Server
- Alternative B - MR / LDAP
  - MR Authentication = LDAP
  - Server Security = LDAP, trust_ext=y (7.6.1)
  - WF Console Authentication = EDA
  - Server Connection Security = Trusted: IBIMR_user (7.6.1)
  - ReportCaster Data Server Settings: Run Id=User, Shared=Yes, Trusted=Passthrough

Slide 20: Netegrity SiteMinder SSO
- Consider SiteMinder Authenticates to Active Directory
  - MR Authentication = Trusted
    - Trusted to HTTP Header (e.g., sm_user) or
    - Trusted to REMOTE_USER
  - Server Connection Security = Trusted
    - Trusted to HTTP Header
  - IBIWFC_authentication
    - WEB or WEBHDR
  - Caster Remote Authenticated
    - Yes (uses REMOTE_USER)
      - ReportCaster Settings: Run Id=User, Trusted=Yes
    - HTTP Header
      - ReportCaster Settings: Run Id=User, Trusted=Passthrough, Shared=Yes

Slide 21: Netegrity SiteMinder SSO
- Alternative B - MR / LDAP
  - MR Authentication = LDAP
  - Server Security = LDAP, trust_ext=y (7.6.1)
  - WF Console Authentication = EDA
  - Server Connection Security = Trusted: IBIMR_user (7.6.1)
  - ReportCaster Data Server Settings: Run Id=User, Shared=Yes, Trusted=Passthrough

Slide 22: Conclusion
- We wish to extend our thanks to Jeff Rustandi and Jim Thorstad for their contributions to this presentation.