Access Policy - Federation March 23, 2016
1 Access Policy - Federation March 23, 2016
Chas Lesley, SE Norcal

2 Agenda – Usergroup News & Updates
Intro: cover Federation/SSO concepts
Intro: cover SAML Federation (iDP-initiated and SP-initiated)
Demo: iDP/SP SAML
Cover general troubleshooting
Cover SaaS SAML
LAB: SaaS use case
Cover more advanced SAML use cases
LAB: KerbSSO to SAML
Questions & Answers

3 Federation …

4 What is Federated SSO?
Single Sign On [SSO]: an umbrella term for any time a user can log in to multiple applications while only authenticating once. It covers both federation and password vaulting, the latter more commonly known as "Enterprise SSO".
Federation: a trust established between two systems with the purpose of enabling the targeted system to accept or trust the asserted identity provided by the source system.
Federated SSO: a combination of Federation and SSO wherein a previously validated and verified identity is leveraged to provide seamless access to federated systems.
In 2013 Gartner said "Through 2016, Federated Single Sign-On Will Be the Predominant SSO Technology, Needed by 80% of Enterprises."

5 Federation Standards & Additional Standards
WS-Federation: part of the Web Services Security (WSS) set of proposed and accepted standards, which includes WS-Trust and WS-Security. Microsoft and IBM both contributed to the design of the standards and employ them in their federation software.
SAML: Security Assertion Markup Language. The OASIS standard is composed of a set of specifications for assertions, protocols, bindings, profiles, metadata, etc. (A community-developed edition is published by the Shibboleth Consortium.)
OpenID: an identity federation protocol specification. Several major web vendors, including Google and Yahoo!, have implemented OpenID authentication systems.
OAuth: technically not a federated authentication protocol but an authorization framework. It is typically employed where a user grants a third-party application limited access to his or her protected resources without handing over credentials.

6 SAML 2.0

7 SAML Definition & Versions
Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between entities.
Why SAML?
Cookies don't do it: a cookie (signed with the server's private key) can be used for re-authentication at a particular server, but is of no use at a different server.
Cross-domain authentication otherwise requires proprietary SSO software.
SAML is intended as a Web standard that bridges proprietary software.
Versions:
SAML 1.0 was adopted as an OASIS standard in Nov 2002
SAML 1.1 was ratified as an OASIS standard in Sep 2003
SAML 2.0 became an OASIS standard in Mar 2005
SAML is a product of the OASIS Security Services Technical Committee.

8 SAML Standards & Specification
SAML is built upon the following technology standards:
Extensible Markup Language (XML)
XML Schema
XML Signature
XML Encryption (SAML 2.0 only)
Hypertext Transfer Protocol (HTTP)
SOAP
A SAML specification defines:
Assertions (XML)
Protocols (XML + processing rules)
Bindings (HTTP, SOAP)
Profiles (= Protocols + Bindings)
Assertions and protocols together constitute SAML core (syntactically defined by XML Schema (XSD)).
Profiles define the semantics of use cases.
SAML must be used in the context of a trust relationship between asserting and relying parties.

9 SAML Components
Assertions: authentication, attribute and authorization information
Protocol: request and response elements for packaging assertions
Bindings: how SAML protocols map onto standard messaging or communication protocols
Profiles: how SAML protocols, bindings and assertions combine to support a defined use case

10 SAML iDP & SP Initiated

11 SAML Architecture
1 The User/Client (Principal) who will be accessing an application via a URL.
2 The Identity Provider [iDP] which asserts identity and provides an Assertion for an application.
3 The Assertion generated by the iDP and to be used by the User/Client to gain access to an application.
4 The Service Provider [SP] which accepts Assertions and provides access to an application.
This also PRESUMES that a proper trust relationship has been established between iDP & SP (certificates, typically exchanged via metadata).

12 Service Provider [SP] Initiated SAML
1 User/Client (Principal) accesses the Service Provider [SP] without any authentication.
2 SP creates an access request (AuthnRequest) for the User/Client and redirects it to the Identity Provider [iDP].
3 User/Client contacts the iDP and provides identity (authenticates).
4 iDP asserts identity and provides the User/Client a SAML Assertion.
5 Following receipt of the SAML Assertion, the User/Client contacts the SP and provides the Assertion for access.
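Step 2 of the SP-initiated flow above is where an SP builds the AuthnRequest and sends the browser to the iDP. The following is an added example (not from the presentation or from F5's APM code) showing what that redirect actually carries on the wire with the HTTP-Redirect binding: the request XML is raw-DEFLATEd, base64-encoded and URL-encoded into a SAMLRequest query parameter, and the iDP reverses the process. The entity IDs and URLs are hypothetical; the request ID is the value the SP must remember so it can match the iDP's InResponseTo later.

```python
"""SP-initiated SAML 2.0: build the AuthnRequest an SP redirects the browser
with (HTTP-Redirect binding: raw DEFLATE + base64 + URL-encode) and decode
it again the way the IdP does.  Entity IDs and URLs are hypothetical."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical SP and IdP endpoints (assumed for the example, not from the deck).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml/sso"


def build_authn_request(request_id=None, issue_instant=None):
    """Step 2: the SP creates the access request.  The ID is random and the
    SP must store it so the Response's InResponseTo can be checked later
    (the defence against replayed or unsolicited responses)."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
        'AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )
    return request_id, xml


def redirect_binding_encode(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    Returns the Location the SP sends in its 302 to the browser."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 -> raw deflate stream
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state          # opaque, returned unchanged by the IdP
    return IDP_SSO_URL + "?" + urlencode(params)


def redirect_binding_decode(url):
    """What the IdP does on receipt: reverse the encoding and parse the request.
    Returns the fields the IdP needs to answer (and that the SP later verifies)."""
    qs = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15).decode("utf-8")
    root = ET.fromstring(xml)   # local input here; parse real traffic with defusedxml
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "relay_state": qs.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    rid, req_xml = build_authn_request()
    location = redirect_binding_encode(req_xml, relay_state="/apps/crm")
    print(location)
    print(redirect_binding_decode(location))
```

A real iDP must not trust AssertionConsumerServiceURL from the request blindly: it should match it against the ACS endpoints registered for that SP in metadata, otherwise an attacker can ask for the assertion to be delivered to a URL of their choosing.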

13 Identity Provider [iDP] Initiated SAML
1 User/Client (Principal) accesses the "application" via a URL which directs them to the Identity Provider [iDP], at which time the User/Client provides identity.
2 iDP asserts identity and provides the User/Client a SAML Assertion based on the requested URL.
3 Following receipt of the SAML Assertion, the User/Client contacts the SP and provides the Assertion for access.
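Both flows end with the SP "accepting" the Assertion (slide 11, final step of slides 12 and 13), and the components listed on slides 8 and 9 (Response protocol message, Assertion, Conditions, Subject, Attribute statement) are what it has to inspect. The following is an added example, not from the presentation or from F5's product, of the checks an SP performs after the XML signature has been verified: Issuer against the trusted iDP, Destination/Recipient against its own ACS, Audience against its own entity ID, the validity window with a small clock-skew allowance (a frequent troubleshooting item), and InResponseTo against the stored request ID (absent for an iDP-initiated response). The sample Response is constructed, the entity IDs are hypothetical, and signature verification is intentionally left to an XML-DSig library because the standard library has none.

```python
"""SP-side checks on a received SAML 2.0 Response, after signature verification.
Constructed sample message; hypothetical entity IDs.  Signature verification
needs an XML-DSig library (e.g. xmlsec) and must pass BEFORE these checks."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical trust configuration on the SP (what the metadata exchange established).
TRUSTED_IDP = "https://idp.example.com/saml/idp"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
CLOCK_SKEW = timedelta(minutes=3)   # tolerance for iDP/SP clock drift

# Constructed sample Response as the iDP would POST it to the SP's ACS (not a capture).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2016-03-23T12:00:05Z"
    Destination="{SP_ACS_URL}" InResponseTo="_abc123">
  <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-03-23T12:00:05Z">
    <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2016-03-23T12:05:05Z"
            Recipient="{SP_ACS_URL}" InResponseTo="_abc123"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-03-23T12:00:00Z" NotOnOrAfter="2016-03-23T12:05:05Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2016-03-23T12:00:04Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="memberOf"><saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml, now, expected_in_response_to=None):
    """Return (name_id, attributes) if every check passes, else raise ValueError.
    expected_in_response_to is the AuthnRequest ID the SP stored (SP-initiated);
    None means an iDP-initiated (unsolicited) response, where InResponseTo must be absent."""
    root = ET.fromstring(xml)   # use defusedxml in production to block entity expansion
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("iDP did not report Success")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS")
    if root.get("InResponseTo") != expected_in_response_to:
        raise ValueError("InResponseTo mismatch (replayed or unsolicited response)")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one plaintext Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", None, NS) != TRUSTED_IDP:
        raise ValueError("Assertion issuer is not the trusted iDP")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion carries no Conditions")
    if (now + CLOCK_SKEW < parse_saml_time(cond.get("NotBefore"))
            or now - CLOCK_SKEW >= parse_saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion outside its validity window (check clock sync)")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Assertion not addressed to this SP (Audience mismatch)")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL \
            or scd.get("InResponseTo") != expected_in_response_to:
        raise ValueError("SubjectConfirmationData does not match this SP/request")
    if now - CLOCK_SKEW >= parse_saml_time(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")

    name_id = a.findtext("saml:Subject/saml:NameID", None, NS)
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, parse_saml_time("2016-03-23T12:01:00Z"), "_abc123"))
```

The order matters: an SP that reads NameID before checking Audience will happily log in a user with an assertion the iDP issued for a different SP in the same federation. The clock-skew tolerance is also where most "it works on the iDP but the SP rejects it" tickets land, so keep it small and fix NTP rather than widening it.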

14 F5 & SAML (Ingress & Egress)

15 F5 & SAML (Lateral)

16 Demo: SAML Lab: SP & iDP

17 SAML Lab Requirements
Must have Access Policy Manager (APM) licensed and provisioned, OR must have APM provisioned and using the "lite license" (10 users).
Hardware must support running APM. Generally a concern only on the smallest platforms and those with already heavy usage. (Ask us.)
Custom iRules to host web pages on the F5 (included in the SAML iDP/SP Guide).
Additional SAML resources, tips & tricks are available on DevCentral. Start there first!

18 SAML Lab Steps
Create a SAML IDP
Create a SAML SP
Create & bind a SAML SP Connector (for the IDP, via metadata)
Create & bind a SAML IDP Connector (for the SP, via metadata)
Create a SAML Resource
Create IDP/SP Access Policies
Attach to Virtual Servers & test (cross your fingers)

19 Demo: SaaS

20 SaaS

21 Demo: Federated SSO

22 Egress SAML (iDP Initiated)
Streamlined access without user interaction. SAML eliminates the need for authentication (password) synchronization between the enterprise and the SaaS provider.

23 The Power of Visual Policy Editor
Additional Layers of Control
