Simplifying The S's: Single Sign-On, SPNEGO and SAML

© 2014 IBM Corporation BP104: Simplifying The S's: Single Sign-On, SPNEGO and SAML Gabriella Davis - The Turtle Partnership Chris Miller - Connectria

Upload: gabriella-davis

Post on 12-May-2015


DESCRIPTION

Presentation from IBM Connect 2014 with Gab Davis and Chris Miller

TRANSCRIPT

Page 1: Simplifying The S's: Single Sign-On, SPNEGO and SAML


Page 2

Single Sign On vs Password Synchronisation

Page 3

What is this presentation about?

▪ We are here to talk about concepts

▪ Once you understand the concepts, their requirements, limitations and benefits, you can make decisions about what you need

▪ Hopefully we will give you a good overview of a bunch of confusing acronyms

▪ If you want an awesome step-by-step presentation on configuring SAML for Notes client access, then Rob Axelrod and Andy Pedisich have a Show and Tell this week for you: SHOW100 AD + SAML + Kerberos + IBM Notes and Domino = SSO! Tue, 28/Jan 04:30 PM - 06:15 PM, Swan Osprey 1 & 2

Page 4

I do not think that means what you think it means…

Page 5

Password Synchronisation

You may have the same password but you’re not the same person

Page 6

Single Sign On

Hello, have you met my friend? I can vouch for him completely.

Is trust transferable?

Page 7

One Password, One Location

Page 8

Authenticating against a single password in a single place

(Diagram: Sametime, Network Login, Connections and Mail all authenticate against one LDAP Password)

Page 9

Synchronising passwords across different systems

(Diagram: a Password Synchronisation Tool pushes the password out to Sametime LDAP, Connections LDAP and Traveler Authentication)

Page 10

Steps For Single Password, Single Place

▪ For LDAP compliant applications, ensure you use the same LDAP directory source

▪ For Domino systems, configure Directory Assistance to point to an LDAP source

  ▪ Ensure you have an attribute in your LDAP directory that contains the user’s distinguished name, so Domino is returned a valid user name

▪ You can then empty out the HTTP Password field for all users

▪ This will work for any Domino application: mail, Traveler, Sametime etc.

▪ The user can be entirely remote, with no direct access to LDAP, and this will still work

Page 11

SPNEGO

Page 12

Simple Protected GSSAPI Negotiation Mechanism

GSSAPI: known as NTLM or Kerberos in Active Directory

Pages 13-17

SPNEGO Example For Domino

Steps:

1. User logs into Windows

2. Active Directory generates SPNEGO token

3. User tries to access Domino website

4. Browser sends SPNEGO token to Domino along with user name

5. Domino contacts Active Directory to validate token and retrieve the user’s name

Page 18

Domino Creates an LTPAToken For The Validated User And Grants Access

Enable Multi Server Single Sign-On To Extend Access To Other Servers
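The SPNEGO token in step 4 travels in the HTTP Authorization: Negotiate header as a base64 GSS-API token whose mechTypes list names, in preference order, the mechanisms the browser is willing to use: Kerberos, or the NTLM fallback that page 12 mentions. A Domino or reverse-proxy administrator who wants to know whether users are actually getting Kerberos (a browser that offers only NTLM never will, for instance when no SPN has been registered) can decode that header. The Python below is an added example written for this page, not code from the presentation or from IBM; it parses the DER structure of the token and classifies it. The sample headers are constructed with the block's own build_negotiate_header helper and carry a placeholder mechToken, not a real Kerberos or NTLM message.

```python
import base64

# DER content octets of the relevant OIDs (standard values from the RFCs,
# not taken from the slides).
OID_SPNEGO = bytes.fromhex("2b0601050502")                 # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")             # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")          # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")        # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "Kerberos V5", OID_MS_KRB5: "MS KRB5", OID_NTLMSSP: "NTLMSSP"}

INVALID = {"kind": "invalid", "mechs": [], "kerberos_offered": False}


def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos, expected_tag):
    """Read one TLV at pos, check its tag, return (value, next_pos)."""
    if buf[pos] != expected_tag:
        raise ValueError("unexpected tag 0x%02x" % buf[pos])
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos:pos + length], pos + length


def build_negotiate_header(mech_oids, mech_token=b"\x00"):
    """Construct a SPNEGO NegTokenInit offering the given mechTypes.

    Test helper only: the mechToken is a placeholder byte, not a real
    Kerberos AP-REQ or NTLM message.
    """
    mech_types = _der(0x30, b"".join(_der(0x06, oid) for oid in mech_oids))
    neg_token_init = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, mech_token)))
    inner = _der(0x06, OID_SPNEGO) + _der(0xA0, neg_token_init)
    return "Negotiate " + base64.b64encode(_der(0x60, inner)).decode()


def classify_negotiate_header(header_value):
    """Classify an 'Authorization: Negotiate ...' request header.

    Returns {'kind': 'spnego' | 'raw-ntlm' | 'invalid',
             'mechs': mechanism names in the client's preference order,
             'kerberos_offered': whether any Kerberos OID is in the list}.
    """
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token_b64:
        return dict(INVALID)
    try:
        token = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return dict(INVALID)
    # Some clients send a bare NTLMSSP message inside the Negotiate scheme:
    # no SPNEGO wrapper at all, so Kerberos is not even on the table.
    if token.startswith(b"NTLMSSP\x00"):
        return {"kind": "raw-ntlm", "mechs": ["NTLMSSP"], "kerberos_offered": False}
    try:
        inner, _ = _read_tlv(token, 0, 0x60)          # GSS-API InitialContextToken
        oid, pos = _read_tlv(inner, 0, 0x06)          # thisMech must be SPNEGO
        if oid != OID_SPNEGO:
            return dict(INVALID)
        init, _ = _read_tlv(inner, pos, 0xA0)         # [0] NegTokenInit
        seq, _ = _read_tlv(init, 0, 0x30)
        mech_types, _ = _read_tlv(seq, 0, 0xA0)       # [0] mechTypes
        oid_list, _ = _read_tlv(mech_types, 0, 0x30)
        mechs, pos = [], 0
        while pos < len(oid_list):
            oid, pos = _read_tlv(oid_list, pos, 0x06)
            mechs.append(MECH_NAMES.get(oid, "unknown OID " + oid.hex()))
    except (ValueError, IndexError):
        return dict(INVALID)
    kerberos = any(m in ("Kerberos V5", "MS KRB5") for m in mechs)
    return {"kind": "spnego", "mechs": mechs, "kerberos_offered": kerberos}


def sample_headers():
    """Constructed sample headers (not captured traffic) for testing."""
    return {
        "kerberos_first": build_negotiate_header([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP]),
        "ntlm_only": build_negotiate_header([OID_NTLMSSP]),
        "raw_ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
    }


if __name__ == "__main__":
    for name, header in sample_headers().items():
        print(name, classify_negotiate_header(header))
```

The first OID in mechTypes is the one the browser has already built a mechToken for, so a header whose list starts with NTLMSSP, or a raw NTLMSSP message, means the user is not getting Kerberos; logging that outcome per client is a cheap way to find machines or SPNs that need fixing before enabling multi-server SSO.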

Page 19

Setting Up SPNEGO

▪ Create a Domino Web SSO document

▪ Set up a SPN for the Domino server in Active Directory

  ▪ Domino must run under whatever account you set up for it

  ▪ Run domspnego

  ▪ Take the output and give it to your AD administrator to run setspn with

  ▪ Run setspn -a http://<dominohostname> <accountnamerunningdomino>

▪ Update person documents with the AD name appended to FullName (and optionally others like krbPrincipalName and LTPA User Name)

Page 20

Why Not SPNEGO

▪ It requires Active Directory

▪ It requires users to log in to Active Directory

▪ It requires Microsoft supported browsers

▪ It requires a Windows client for the users

▪ It requires Domino to be on a Windows platform

  ▪ At least the first Domino server that’s accessed; the rest can then be reached via the Multi Server SSO token generated by Domino

▪ It doesn’t work at all if the user is connecting remotely and not logging into Active Directory

▪ It has a very specific use case

Page 21

SAML

Page 22

Security Assertion Markup Language

SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers

Page 23

No Passwords… to compromise, to expire, to intercept

Once a user has authenticated with the IdP they won’t be asked again

Page 24

(Diagram: one IdP (Identity Provider) connected to three SPs (Service Providers))

Pages 25-29

SAML Example

Steps:

1. User attempts to log in to a website

2. User is redirected to Identity Provider

3. Identity Provider requests authentication or (if user is logged in) returns credentials

4. User is redirected back to original site with SAML assertion attached

5. Original site uses its SAML Service Provider to confirm SAML assertion and grant access
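Step 5 is where the SP decides whether to trust what the IdP sent back. The Python below is an added illustration of that decision, not code from the presentation or from IBM: it runs the structural checks an SP makes on a SAML 2.0 Response: that it answers an AuthnRequest this SP actually issued (InResponseTo), that the status is Success, that the single assertion names the configured IdP as Issuer and carries a signature, that the current time falls inside the NotBefore/NotOnOrAfter window, and that the AudienceRestriction names this SP. The response, the IdP and SP URLs and the subject name are constructed samples; the ds:Signature element is a structural placeholder, and real XML signature verification is assumed to be done by a SAML library (for example xmlsec), not reimplemented here.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical IdP and SP identifiers used by the constructed sample below.
IDP = "https://idp.example.com/adfs/services/trust"
SP = "https://sp.example.com"

# Constructed sample response (not a real capture). The Signature element is a
# placeholder so the presence check can run; it is not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2014-01-28T16:30:00Z"
    Destination="https://sp.example.com/saml/acs" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-28T16:30:00Z">
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>CN=Jane Doe/O=Example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2014-01-28T16:29:00Z" NotOnOrAfter="2014-01-28T16:35:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """SAML times are UTC ISO 8601; this accepts the whole-second form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(response_xml, expected_issuer, expected_audience,
                        expected_in_response_to, now_utc):
    """Return the reasons to reject the response; an empty list means accept.

    now_utc is an ISO 8601 UTC string, so the check is reproducible.
    Signature verification must be done cryptographically in production;
    here only the presence of ds:Signature is checked.
    """
    problems = []
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"]
    if root.get("InResponseTo") != expected_in_response_to:
        problems.append("InResponseTo does not match an AuthnRequest this SP issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append("expected exactly one Assertion, found %d" % len(assertions))
        return problems
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("Issuer is not the configured IdP")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("assertion has no Conditions")
    else:
        now = _parse_time(now_utc)
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            problems.append("assertion is not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            problems.append("assertion has expired")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("AudienceRestriction does not name this SP")
    return problems


def subject_name_id(response_xml):
    """The NameID the SP maps to a directory user once the checks have passed."""
    root = ET.fromstring(response_xml)
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, IDP, SP, "_req42", "2014-01-28T16:30:00Z"))
    print(subject_name_id(SAMPLE_RESPONSE))
```

The NameID is only read after every check has passed; it is the value the SP then matches against the directory (for Domino, the FullName or the configured SAML name attribute) to decide which user has just logged in.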

Page 30

Definitions

▪ IdP - Identity Provider (SSO)

  ▪ ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)

    ▪ SAML 2.0 only

    ▪ Can be combined with SPNEGO

    ▪ Enhances Integrated Windows Authentication (IWA)

  ▪ TFIM (Tivoli Federated Identity Manager)

    ▪ SAML 1.1 and 2.0

Page 31

Definitions

▪ SP - Service Provider

  ▪ IBM Domino (web federated login)

  ▪ IBM WebSphere

  ▪ IBM Notes (requires ID Vault) (notes federated login)

Page 32

More Definitions

▪ IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML based assertions

▪ Assertions have three roles

  ▪ Authentication

  ▪ Authorisation

  ▪ Retrieving Attributes

Page 33

An IdP can service many SPs

An SP can be connected to several IdPs

An IdP can use a variety of authentication methods, including multi-factor

Page 34

Setting Up SAML

▪ Choose your IdP if you don’t already have one

  ▪ whichever fits best in your business

▪ Build the IdP

▪ Configure the SP

▪ Sounds easy, doesn’t it?

▪ It’s really not easy by any means, but it is worth the investment in time

Page 35

Why Not SAML

▪ Not everything supports it

  ▪ Traveler doesn’t

  ▪ Sametime doesn’t

▪ ID Vault is a requirement, so IDs that can’t be vaulted can’t be used

  ▪ multiple passwords, smartcards etc.

Page 36

OAUTH

Page 37

Not Everything Belongs To You

OAuth is an authentication standard supported by most major cloud providers

Page 38

The User & The Consumer

Let’s say you want Facebook to post on your Connections Activity Stream. We need OAuth for that. You are the User; Facebook is the Consumer.

Page 39

The Service Provider & Its Secrets

The consumer (Facebook) wanders over to the Service Provider (IBM Connections) and asks for permission to post on the Activity Stream

The Service Provider issues a Secret to go with every URL request from the user which authorises access

Pages 40-44

OAuth Simplified Example

Steps:

1. User asks Facebook (the Consumer) to post on their Activity Stream

2. Facebook goes to Connections (the Service Provider) and asks for permission to post

3. The Service Provider gives the Consumer a secret key to give to the user and a URL for the user to click on

4. The user clicks on the URL and authenticates with the Service Provider

5. The Service Provider, satisfied the secret key is good, will now allow the Consumer access to its services

Page 45

That Was REALLY Simplified

▪ There are other steps and other secrets to ensure traffic is not intercepted once authorisation is granted

▪ There are checks to ensure the Service Provider is who it claims to be

  ▪ You don’t want to accidentally authorise a phishing site

▪ There are also lots of timeouts on the authorisation

▪ Make sure you understand the security of both the Consumer and the Service Provider as well as what access you are granting the Consumer on your behalf
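The "secret" that page 39 says goes with every request, and the "other secrets" and "timeouts" on this page, are concrete in OAuth 1.0a (RFC 5849), which the consumer-key-and-secret flow sketched above resembles: the consumer secret and token secret are never sent on the wire; instead every request carries an HMAC-SHA1 signature over a normalised form of the request, plus a timestamp and a nonce that the Service Provider checks to reject stale and replayed requests. The Python below is an added example written for this page, not code from the presentation, from IBM Connections or from Facebook: it shows the Consumer signing a request and the Service Provider verifying it. The URL connections.example.com, the consumer key facebook-app, the token and secret values, and the in-memory secret and nonce stores are constructed assumptions standing in for an SP's database.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote


def pct(value):
    """RFC 5849 percent-encoding: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay unencoded."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    """Normalise the request exactly the way Consumer and Service Provider both must."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret' (both percent-encoded)."""
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_secret, token_secret):
    """Consumer side: return a copy of params with oauth_signature added."""
    signed = dict(params)
    base = signature_base_string(method, url, params)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


class ServiceProviderVerifier:
    """Service Provider side: recompute the signature from the secrets it holds,
    enforce a timestamp window and reject replayed nonces.

    The dict and set attributes are constructed in-memory stand-ins for the
    SP's database (an assumption of this example, not a real product API).
    """

    def __init__(self, consumer_secrets, token_secrets, max_skew_seconds=300):
        self.consumer_secrets = consumer_secrets   # consumer_key -> consumer_secret
        self.token_secrets = token_secrets         # oauth_token -> token_secret
        self.max_skew = max_skew_seconds
        self.seen_nonces = set()                   # (consumer_key, timestamp, nonce)

    def verify(self, method, url, params, now=None):
        now = int(time.time()) if now is None else now
        consumer_key = params.get("oauth_consumer_key")
        token = params.get("oauth_token")
        if consumer_key not in self.consumer_secrets or token not in self.token_secrets:
            return False, "unknown consumer key or token"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(params.get("oauth_timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed window"
        nonce_key = (consumer_key, ts, params.get("oauth_nonce"))
        if nonce_key in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       self.consumer_secrets[consumer_key],
                                       self.token_secrets[token])
        # Constant-time comparison so a mismatch leaks nothing about the expected value.
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False, "signature mismatch"
        self.seen_nonces.add(nonce_key)   # record only after a successful check
        return True, "ok"


# Constructed sample request: a Consumer posting a message to an activity stream.
SAMPLE_URL = "https://connections.example.com/activities"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "facebook-app",
    "oauth_token": "tok1",
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1390926600",
    "oauth_version": "1.0",
    "msg": "hello world",
}

if __name__ == "__main__":
    signed = sign_request("GET", SAMPLE_URL, SAMPLE_PARAMS, "consumer-secret", "token-secret")
    sp = ServiceProviderVerifier({"facebook-app": "consumer-secret"}, {"tok1": "token-secret"})
    print(sp.verify("GET", SAMPLE_URL, signed, now=1390926600))   # accepted
    print(sp.verify("GET", SAMPLE_URL, signed, now=1390926600))   # same nonce again: rejected
```

Because the secret never leaves either party, an intercepted request can only be replayed verbatim, and the nonce set plus the timestamp window (the "timeouts" the slide mentions) close that door too; anything the attacker alters changes the base string and the signature no longer matches.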

Page 46

In Summary

▪ Think about what your problem actually is; there are plenty of technologies to make the user experience seamless, but they become ever more complex to build and maintain

▪ What are your priorities? Single password? No password? No authentication with a particular service?

▪ Many solutions require specific operating systems, software and client versions

▪ Make sure you meet all requirements before building a plan you can’t deliver on

▪ Some things are very easy (Single password, SPNEGO)

▪ Some things are very hard (SAML, OAuth)

▪ There is no one solution; you need to choose the combination that delivers for you

Page 47

HOW TO FIND US

Twitter, blogs, Instagram, Facebook and more

[email protected] GabriellaDavis (skype) http://turtleblog.info gabturtle on twitter and elsewhere

idonotes on EVERYTHING
