SSO Report v3
TRANSCRIPT
-
7/31/2019 SSO Report v3
Single Sign-On with LDAP
Supervisor (GVHD): MSc. L c Thng
Presented by: Group 1
-
Group members
Hunh Thanh Tng 06520546
V Quc Vit 06520569
Trn Huy Cng 06520062
H Thanh Bnh 06520027
-
Report outline
The LDAP protocol
Single Sign-On
Appendix
-
The LDAP protocol
The X.500 model
Introduction to LDAP
LDAP data model
LDAP naming model
LDIF and schema
LDAP client tools
-
The X.500 model
-
The X.500 model (cont.)
Stores data as a directory: a hierarchical tree.
Optimised for looking information up; built for searches and queries over large volumes of data.
Uses DAP (Directory Access Protocol) as the protocol between client and server.
DAP runs only over the OSI protocol stack.
-
Introduction to LDAP
LDAP: Lightweight Directory Access Protocol.
A slimmed-down successor to DAP; where DAP needs the OSI stack, LDAP was designed to run directly over TCP/IP.
Used to retrieve and update information in an X.500-style directory.
Provides operations to open a connection (bind), retrieve (search), update (add, modify, delete) and close the connection (unbind) between client and server.
-
Introduction to LDAP (cont.)
-
LDAP data model
-
DIT
LDAP stores data in a hierarchical tree, the DIT (Directory Information Tree).
-
DIT (cont.)
The tree starts at the root.
The nodes of the tree are entries.
Every entry has at least one objectClass.
An objectClass can contain zero or more attributes.
Attributes hold the data.
-
Entry
An entry is a node in the DIT that holds information.
-
Entry (cont.)
An entry has exactly one STRUCTURAL objectClass (a structural class together with the structural classes it inherits from counts as one).
An entry may also have any number of AUXILIARY objectClasses.
ABSTRACT objectClasses (such as top) reach an entry only by inheritance through SUP; an entry cannot be made of abstract classes alone.
An entry can have child entries and a parent entry.
-
Entry (cont.)
Every entry has one or more attributes.
Every attribute has a type (with a syntax) and carries one or more values, depending on how the attribute type is defined; in the example entry in this section the attribute cn has two values.
-
objectClass
An objectClass is a package of attributes.
An objectClass states which of its member attributes are mandatory (MUST) and which are optional (MAY).
ObjectClasses can be defined hierarchically, inheriting the characteristics of the parent objectClass.
-
Attribute
Attributes hold the data.
An attribute must always be a member of at least one objectClass.
The same attribute can be optional (MAY) in one objectClass and mandatory (MUST) in another.
An attribute can have one or more values.
Besides its name, an attribute type can carry aliases or short forms (abbreviations), e.g. commonName and cn.
-
Example entry
# Boss, People, kakauit.com
dn: uid=Boss,ou=People,dc=kakauit,dc=com
uid: Boss
cn: chief
cn: sep
uidNumber: 200
gidNumber: 200
homeDirectory: /home/Boss
description: account cua sep
objectClass: account
objectClass: posixAccount
-
Naming model
-
Naming model
Defines how entries are identified and organised.
Entries are arranged in the DIT by their Distinguished Name (DN).
The DN of an entry is unique across the whole DIT.
A DN is built from Relative Distinguished Names (RDNs), one per level, read from the entry up to the root; each RDN is an attribute=value pair, not just the value:
DN: uid=Boss,dc=kakauit,dc=com
RDNs: uid=Boss (the entry's own RDN), dc=kakauit, dc=com
-
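Splitting a DN into its RDNs, as an added example (not from the slides): the parser below applies the RFC 4514 escaping rules, so a comma inside a value such as cn=Smith\, John is not mistaken for an RDN separator, and it walks the hierarchy (parent DN, ancestor test). The kakauit.com tree from the slides is used as constructed sample data.

```python
"""Split an LDAP DN into RDNs and walk the DIT hierarchy.

Added example, not from the slides: it applies the RFC 4514 escaping rules
(backslash-quoted specials and \\XX hex pairs) that a plain str.split(",")
gets wrong. Multi-valued RDNs (cn=a+sn=b) are not handled.
"""
import re

# Constructed sample DNs in the kakauit.com tree used on the slides.
BOSS_DN = "uid=Boss,ou=People,dc=kakauit,dc=com"
ESCAPED_DN = r"cn=Smith\, John,ou=People,dc=kakauit,dc=com"


def split_dn(dn):
    """Return the RDN strings, leftmost (the entry's own RDN) first.

    A comma separates RDNs only when it is not preceded by a backslash.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def unescape_value(value):
    """Decode RFC 4514 escapes in an attribute value.

    \\XX pairs are raw bytes (one UTF-8 character may span several pairs),
    so bytes are collected first and decoded once at the end.
    """
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(int(pair, 16))
                i += 3
            else:                                # backslash-quoted special: \, \+ \" ...
                out += value[i + 1].encode("utf-8")
                i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def parse_rdn(rdn):
    """Return (attribute type in lower case, decoded value) for a single-valued RDN."""
    attr_type, sep, raw = rdn.partition("=")
    if not sep:
        raise ValueError("RDN without '=': %r" % rdn)
    return attr_type.strip().lower(), unescape_value(raw.strip())


def parent_dn(dn):
    """The DN of the parent entry: drop the leftmost RDN."""
    return ",".join(split_dn(dn)[1:])


def is_ancestor(ancestor, dn):
    """True when `ancestor` is a proper ancestor of `dn` in the DIT.

    Comparison is on parsed (type, value) pairs, so differences in escaping
    or spacing around commas do not matter. Values are compared exactly here,
    although many LDAP attribute syntaxes are case-insensitive.
    """
    a = [parse_rdn(r) for r in split_dn(ancestor)]
    d = [parse_rdn(r) for r in split_dn(dn)]
    return len(a) < len(d) and d[len(d) - len(a):] == a
```

is_ancestor is the check an access-control rule needs when it grants rights on a subtree: a DN that merely contains the string "dc=kakauit,dc=com" inside an escaped value is not under that subtree, and only a parsed comparison tells the two apart.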
Naming model (cont.)
-
Naming model (cont.)
When an entry is created in the DIT, its content is held in attributes.
Attributes are grouped into objectClasses.
ObjectClasses are packaged in schemas.
A schema bundles related objectClasses and attribute types.
Basic schemas: core.schema, ldap.schema.
-
LDIF and schema
-
LDIF
LDIF: LDAP Data Interchange Format.
A text format for directory data that makes working with directory entries in bulk faster: files can be written, reviewed and loaded with the client tools.
Basic form of a directory entry in LDIF: a dn: line followed by one attribute: value line per value, with a blank line between entries.
-
LDIF (cont.)
Contents of a simple .ldif file:
-
LDIF (cont.)
An entry in an LDIF file is defined by:
dn: the distinguished name of the entry, unique across the DIT.
objectClass: the entry carries different objectClasses depending on what it is for, e.g. account, posixAccount.
attributes: which attributes the entry has depends on its objectClasses, e.g. posixAccount requires the entry to have a cn attribute (together with uid, uidNumber, gidNumber and homeDirectory).
-
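As an added example (not from the slides), a small LDIF reader with the MUST/MAY check described above: it loads the Boss entry from the slides plus a constructed second entry, and validates each against hand-copied definitions of top, account and posixAccount. The schema table and the sample LDIF are the example's own assumptions, not anything fetched from a server.

```python
"""Parse LDIF entries and check them against the MUST/MAY lists of their objectClasses.

Added example, not from the slides. SCHEMA below is a hand-copied subset of
the standard definitions of top, account (RFC 4524) and posixAccount
(RFC 2307); uid is the short name of userid. Attribute names are compared in
lower case because they are case-insensitive in LDAP.
"""
import base64

# Constructed LDIF: the Boss entry from the slides (with the description
# base64-encoded, as LDIF does for values it cannot write as plain text) plus
# a second entry that is missing MUST attributes of posixAccount.
SAMPLE_LDIF = """\
# Boss, People, kakauit.com
dn: uid=Boss,ou=People,dc=kakauit,dc=com
uid: Boss
cn: chief
cn: sep
uidNumber: 200
gidNumber: 200
homeDirectory: /home/Boss
description:: YWNjb3VudCBjdWEgc2Vw
objectClass: account
objectClass: posixAccount

dn: uid=guest,ou=People,dc=kakauit,dc=com
uid: guest
cn: guest
uidNumber: 201
objectClass: account
objectClass: posixAccount
"""

# objectClass -> (SUP, kind, MUST, MAY)
SCHEMA = {
    "top": (None, "ABSTRACT", {"objectclass"}, set()),
    "account": ("top", "STRUCTURAL", {"uid"},
                {"description", "seealso", "l", "o", "ou", "host"}),
    "posixaccount": ("top", "AUXILIARY",
                     {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}),
}
ALIASES = {"userid": "uid", "commonname": "cn"}   # alternative NAMEs map to one key


def parse_ldif(text):
    """Return a list of entries, each a dict: attribute name -> list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:       # continuation of a folded line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                        # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        current.setdefault(ALIASES.get(name, name), []).append(value)
    if current:
        entries.append(current)
    return entries


def expand_classes(names):
    """All objectClasses of an entry, including those inherited through SUP."""
    result, stack = [], [n.lower() for n in names]
    while stack:
        name = stack.pop()
        if name in result:
            continue
        if name not in SCHEMA:
            raise ValueError("objectClass %s is not in the loaded schema" % name)
        result.append(name)
        if SCHEMA[name][0]:
            stack.append(SCHEMA[name][0])
    return result


def validate(entry):
    """Return the list of schema violations; an empty list means the entry is valid."""
    problems = []
    classes = expand_classes(entry.get("objectclass", []))
    structural = [c for c in classes if SCHEMA[c][1] == "STRUCTURAL"]
    if len(structural) != 1:     # this toy schema has no structural SUP chains to collapse
        problems.append("entry needs exactly one STRUCTURAL objectClass, has %s" % structural)
    must = set().union(*(SCHEMA[c][2] for c in classes))
    may = set().union(*(SCHEMA[c][3] for c in classes))
    present = set(entry) - {"dn"}
    for attr in sorted(must - present):
        problems.append("missing MUST attribute %s" % attr)
    for attr in sorted(present - must - may):
        problems.append("attribute %s is not allowed by any objectClass" % attr)
    return problems
```

This is the same check slapd performs when ldapadd loads the file; running it locally first turns a server-side "object class violation" into a readable list of which attribute is missing from which entry.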
Schema
Every objectClass and attribute type must be defined in one of the schemas the LDAP server loads; the schemas are declared in slapd.conf, e.g.
include /etc/openldap/schema/core.schema
An attribute type declared in one schema can be used by an objectClass in another schema.
-
Schema (cont.)
-
objectClass
An objectClass is a set of attribute types.
ObjectClasses can be organised hierarchically, inheriting the characteristics of the parent objectClass (SUP, for SUPerior):
objectclass ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName )
There are three kinds of objectClass: ABSTRACT, STRUCTURAL, AUXILIARY.
Reference: http://www.zytrax.com/books/ldap/ape/core-schema.html
-
Example objectClass
objectclass: keyword that opens an objectClass definition
NAME: the objectClass name
2.5.6.2: the OID
SUP: the SUPerior (parent) objectClass
-
Example objectClass (cont.)
STRUCTURAL: the kind of objectClass
DESC: description of the objectClass
MUST: attributes that are required
MAY: attributes that are optional
-
Attribute
-
Attribute (cont.)
An attribute type must belong to at least one objectClass.
To use an attribute in an entry, an objectClass that includes that attribute must be present in the entry, e.g. objectClass: person.
-
Attribute (cont.)
An attribute type can be single-valued (SINGLE-VALUE) or multi-valued; multi-valued is the default.
attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' ) DESC 'RFC2256: ISO-3166 country 2-letter code' SUP name SINGLE-VALUE )
-
Attribute (cont.)
Attribute types can be defined hierarchically:
attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' ) SUP name SINGLE-VALUE )
An attribute type definition also carries its type (SYNTAX) and matching rule:
attributetype ( 2.5.4.2 NAME 'knowledgeInformation' DESC 'RFC2256: knowledge information' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
Reference: http://www.zytrax.com/books/ldap/ape/core-schema.html
-
Example attribute
attributetype: keyword that opens an attribute type definition
NAME: the attribute name
2.5.4.3: the OID. The 2.5.4 arc belongs to the X.500 standard; an organisation defining its own attribute types obtains a private enterprise number from IANA under 1.3.6.1.4.1 and allocates OIDs beneath it.
SUP: the SUPerior (parent) attribute type
-
LDAP client tools
Command-line tools for manipulating directory data, driven by many options, among them:
-c: continuous operation mode (report errors and carry on)
-f: read data from a file
-x: use simple authentication
-X authzid: SASL authorization identity (SASL is the default when -x is not given; -Y chooses the mechanism)
-
LDAP client tools (cont.)
ldapsearch, ldapadd, ldapdelete, ldapmodify, ldapmodrdn, ldappasswd
-
LDAP client tools (cont.)
ldapsearch [options] [searchfilter]
ldapsearch -cx -D cn=Manager,dc=kakauit,dc=com -w kakauit objectclass=*
Without -b the search base comes from ldap.conf. A password given with -w is visible in the process list and shell history; -W prompts for it instead. Simple authentication (-x) sends the password in clear unless the connection is ldaps:// or upgraded with -ZZ (StartTLS).
-
LDAP client tools (cont.)
Output of the ldapsearch command:
-
LDAP client tools (cont.)
ldapadd [options]
ldapadd -cx -D cn=Manager,dc=kakauit,dc=com -w kakauit -f exam.ldif
-
LDAP client tools (cont.)
Output of the ldapadd command:
-
Single Sign-On
The problem
The solution
Single Domain SSO
Multi Domain SSO
-
The problem
From the user's side:
Too many credentials (username and password) to remember.
Credentials for different applications get mixed up.
Credentials have to be entered again for each separate application.
-
The problem (cont.)
From the administrator's side:
Provisioning a new account is a complicated process.
Managing users' access information.
Limiting unauthorised access.
Deploying large (enterprise-scale) applications.
-
The solution: Single Sign-On
One set of credentials for many different web sites and applications.
Log in once at one application and use the others without logging in again for a set period of time.
Centralised management of users' credentials.
Unauthorised access is reduced.
-
The solution (cont.)
Single Sign-On, SSO for short, gives a user access to many web resources and applications, within the scope they are allowed, after a single login.
SSO is usually deployed in one of two models:
Single Domain: once authenticated to domain.com, the user is also authenticated to every existing sub-domain.domain.com.
Multi Domain: once authenticated to facebook.com, the user is also authenticated to example.com, an unrelated domain.
-
Single domain Single Sign-On
A cookie identifies the user; the same mechanism is reused in the Multi Domain SSO model.
After successful authentication the web server (or Web Gate) sends the browser an encrypted cookie.
That cookie is the key used to authenticate to other resources, or to resources at the same level.
Based on the Single Domain SSO model of the Oracle Access System.
-
Single Domain Single Sign-On (cont.)
The cookie's domain is usually set to .domain.com, so every host under it receives it. It has two parts:
Encrypted part (AES; MD5 is listed alongside it, but MD5 is a hash, not a cipher, so it can only serve as an integrity check):
Session ID: a string identifying the user's active session.
Distinguished Name: the user's identity.
IP address of the client the user is on.
Cookie creation time.
Time of the cookie's last update.
Unencrypted part:
Cookie expiry.
Domain for which the cookie is valid.
Other flags such as Secure (SSL only) and HttpOnly.
In the Oracle Access System SSO model this cookie is usually named ObSSOCookie.
-
Single Domain Single Sign-On (cont.)
-
Multi domain Single Sign-On
Multi Domain SSO lets a user reach many domains/hosts after one login. Examples: Google.com, Windows Live Passport, Gate passport.
A cookie cannot be set across domains, however, because of the security policy of almost every browser.
One domain is chosen as the Master Domain. Every Web Gate in the system redirects to the master domain.
The master domain runs the Single Domain SSO procedure; it is the proxy that hands a valid cookie to every domain that asks for authentication.
-
Concepts
Master Domain: the only domain in the whole forest that can authenticate users against the information read from the LDAP database.
Slave Domain: a domain that redirects authentication to the Master Domain.
Master Cookie: the cookie issued by the Master Domain.
Slave Cookie: the cookie issued by a Slave Domain.
-
Basic cookie
sid holds the session ID:
Cookie c = new Cookie("sid", session.getId());
This cookie holds the information that lets the user log in once across all the slave domains whose authentication the master domain performs on their behalf.
-
Application structure
Slave domain:
slavecookie.jsp: issues the slave cookie to the user, then redirects the user back to the page originally requested.
page1.jsp: the page the user requested; it embeds a piece of code that checks the user's cookie before the page content is shown.
-
Application structure (cont.)
Master domain:
check.jsp: checks the master cookie of a user whose request was redirected from a slave domain (in this model, from page1.jsp on the slave domain).
login.jsp: shows the login form.
auth.jsp: checks the credentials the user supplied; if they are valid it forwards to mastercookie.jsp, otherwise it forwards back to login.jsp so the user can enter them again.
mastercookie.jsp: issues the master cookie to the user, then redirects the user to slavecookie.jsp to have the slave cookie issued.
-
Overall model
-
Basic SSO processes
Checking the login cookie
LDAP authentication
Issuing cookies
-
Cookie check
-
Cookie check (cont.)
I. At the slave domain:
1. The server receives the request for page1.jsp from the user's browser.
2. The server reads the user's cookies:
Cookie[] cookies = request.getCookies();
Cookie sid_Cookie = getCookie(cookies, "sid");   // helper used on the slides: the cookie named "sid", or null if absent
String slavesid = (sid_Cookie == null) ? null : sid_Cookie.getValue();
3. If the user has a sid cookie for the slave domain, go to step 4; otherwise go to step 5.
4. The server checks that the sid value from the cookie exists in the MySQL database; if it does, go to step 6, otherwise go to step 5.
a) The database query, using MySQL Connector/J (3.0.17):
-
Cookie check (cont.)
// JSP scriptlet; needs <%@ page import="java.sql.*" %>. The connection
// credentials are inline as on the slide; a deployment should load them from
// configuration and not connect as the MySQL root user.
Class.forName("com.mysql.jdbc.Driver").newInstance();
Connection con = DriverManager.getConnection(
    "jdbc:mysql://192.168.208.128/sso?user=root&password=1234");
// Parameterised query: the sid from the cookie is bound as a value and never
// spliced into the SQL text, so no hand-written escape_string() is needed.
// The slides do not show where the slave obtains username; it is assumed to
// be available from the request.
PreparedStatement ps = con.prepareStatement(
    "SELECT sessionhash FROM sso.session WHERE sessionhash = ? AND username = ?");
ps.setString(1, slavesid);
ps.setString(2, username);
ResultSet rs = ps.executeQuery();
boolean valid = rs.next();   // a row comes back only if the sid is on record
5. The server redirects the user's request to check.jsp on the master domain, passing the returnURL parameter (the page the user asked for):
String returnURL = request.getRequestURL().toString();
response.sendRedirect("http://www.master.com/check.jsp?returnURL="
    + URLEncoder.encode(returnURL, "UTF-8"));
6. The server returns page1.jsp.
-
Cookie check (cont.)
II. At the master domain
The same checks as on the slave domain:
1. The server receives the request for check.jsp from the user's browser, together with the returnURL parameter.
2. The server reads the user's cookies.
3. If the user has a sid cookie for the master domain, go to step 4; otherwise go to step 5.
4. The server checks that the sid value from the cookie exists in the MySQL database; if it does, go to step 6, otherwise go to step 5.
-
Cookie check (cont.)
5. The server forwards the user's request to the login page login.jsp on the master domain, carrying the returnURL parameter.
-
Login
-
Login (cont.)
1. If the cookie check at the master domain fails, the browser is sent to login.jsp so the user can log in.
2. The user enters username and password in the login form:
Please Login
Login:
Password:
3. The username and password are passed to auth.jsp for LDAP processing.
-
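What auth.jsp has to do with the form input before any LDAP call, as an added example; the slides do not show auth.jsp's code. The search base ou=People,dc=kakauit,dc=com and the lookup by uid are assumptions; the functions only build the strings, and the LDAP search and bind themselves are left to whatever directory library is in use.

```python
"""Escape the username before it goes into an LDAP filter or a bind DN.

Added example, not the slides' auth.jsp (whose code is not on the page).
It assumes the master domain looks the user up by uid under
ou=People,dc=kakauit,dc=com (the tree from the slides) and then binds as
the returned DN with the supplied password; only the string construction
that has to happen before those LDAP calls is shown.
"""

PEOPLE_BASE = "ou=People,dc=kakauit,dc=com"   # assumption: where user entries live


def escape_filter_value(value):
    """RFC 4515: characters with meaning inside a filter become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def escape_dn_value(value):
    """RFC 4514: escape a value that will be placed in an RDN of a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def login_filter(username):
    """Filter auth.jsp should search with: exactly one uid, whatever the user typed."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(username)


def naive_login_filter(username):
    """The unescaped concatenation a scriptlet typically contains, for comparison only."""
    return "(&(objectClass=posixAccount)(uid=%s))" % username


def bind_dn(username):
    """DN to bind as when the directory is laid out as uid=<user>,<PEOPLE_BASE>."""
    return "uid=%s,%s" % (escape_dn_value(username), PEOPLE_BASE)


def credentials_acceptable(username, password):
    """Refuse input that a bind would silently turn into something else.

    A bind with a DN and an empty password is an unauthenticated (anonymous)
    bind under RFC 4513, and many servers report it as success, so it must be
    rejected before any bind is attempted.
    """
    return bool(username.strip()) and bool(password)
```

With the naive filter, a username of *)(uid=* turns the lookup into (&(objectClass=posixAccount)(uid=*)(uid=*)), which matches every account; the escaped filter searches for that literal string and finds nothing. The empty-password rule matters because the Java LDAP libraries, like the directory itself, treat an empty credential as an anonymous bind rather than a failed one.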
Issuing cookies
-
Issuing cookies (cont.)
I. At the master domain:
1. After successful authentication a new master cookie is created for the user:
String mastersid = session.getId();
Cookie sid_cookie = new Cookie("sid", mastersid);
response.addCookie(sid_cookie);
At the same time mastersid is stored in the MySQL database, so it can be checked when the user next requests a page that needs a login:
Class.forName("com.mysql.jdbc.Driver").newInstance();
con = DriverManager.getConnection(
    "jdbc:mysql://192.168.208.128/sso?user=root&password=1234");
// The slave-side check filters on username as well as sessionhash, so both
// columns are written here; values are bound, not concatenated into the SQL.
PreparedStatement ps = con.prepareStatement(
    "REPLACE INTO sso.session (sessionhash, username) VALUES (?, ?)");
ps.setString(1, mastersid);
ps.setString(2, username);
ps.executeUpdate();
Because the cookie value is the servlet session id, the session should be invalidated and recreated at login, so that an id issued before authentication is not promoted to an authenticated one.
-
Issuing cookies (cont.)
2. Once the master domain cookie has been created, the user is redirected to slavecookie.jsp to have the slave cookie issued:
String redirectURL = "http://www.slave.com/slavecookie.jsp?sid=" + mastersid
    + "&returnURL=" + URLEncoder.encode(returnURL, "UTF-8");
response.sendRedirect(redirectURL);
The session identifier travels in the query string here, where it can be recorded in browser history, proxy logs and Referer headers.
-
Issuing cookies (cont.)
II. At the slave domain:
1. After the master domain cookie has been created, the user's request arrives at slavecookie.jsp on the slave domain, which issues a new cookie named sid holding the SSO login information:
String mastersid = request.getParameter("sid");
Cookie sid_cookie = new Cookie("sid", mastersid);
response.addCookie(sid_cookie);
-
Issuing cookies (cont.)
2. Once the slave domain cookie has been created, the user is finally redirected back to the original page1.jsp; the check loop runs once more and the user sees the content of page1.jsp:
String redirectURL = request.getParameter("returnURL");
response.sendRedirect(redirectURL);
Since returnURL comes straight from the query string, it should be checked against the slave's own host before the redirect, or this page becomes an open redirector.
3. Further pages the user requests no longer need a login until the cookie expires.
-
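The whole cookie check, login and cookie issuance loop from the three procedures above, simulated in one process as an added example (not the slides' JSP). Its assumptions: the hostnames from the slides plus a second slave, an in-memory dict standing in for the sso.session table, and a fixed user table in place of the LDAP bind. The returnURL allowlist is an addition the slides do not have; the session id still crosses to the slave in the query string, exactly as on the slides.

```python
"""Walk the master/slave SSO round trip from the slides inside one process.

Added example, not the slides' JSP code. It assumes the hostnames from the
slides (www.master.com, www.slave.com) plus a second slave www.slave2.com,
an in-memory dict in place of the MySQL sso.session table, and a fixed
USERS table in place of the LDAP bind done by auth.jsp. One thing it adds
beyond the slides: returnURL is checked against the known slave hosts
before any redirect, which the slides' response.sendRedirect(returnURL)
does not do.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

MASTER = "www.master.com"
SLAVES = {"www.slave.com", "www.slave2.com"}   # the only hosts we will redirect back to
USERS = {"Boss": "kakauit"}                      # stand-in for the LDAP directory
SESSIONS = {}                                    # sessionhash -> username (the sso.session table)


def redirect(url, set_cookie=None):
    return {"status": 302, "location": url, "set_cookie": set_cookie}


def safe_return_url(url):
    """Accept a returnURL only if it points at a slave host we serve."""
    return url if url and urlsplit(url).hostname in SLAVES else None


def authenticate(username, password):
    """auth.jsp stand-in: a new session id on success, None otherwise.

    An empty password is refused explicitly: against a real directory an
    empty password makes the bind anonymous, and it would appear to succeed.
    """
    if not password or USERS.get(username) != password:
        return None
    sid = secrets.token_urlsafe(24)       # plays the role of session.getId()
    SESSIONS[sid] = username              # REPLACE INTO sso.session ...
    return sid


def to_slave(sid, return_url, set_cookie=None):
    """Send the browser to slavecookie.jsp on the slave, sid in the query string as on the slides."""
    target = safe_return_url(return_url)
    if target is None:
        return {"status": 400, "body": "rejected returnURL"}
    host = urlsplit(target).hostname
    query = urlencode({"sid": sid, "returnURL": target})
    return redirect("http://%s/slavecookie.jsp?%s" % (host, query), set_cookie)


def handle(host, path, query, cookies, form=None):
    """Server side of one request; `cookies` is the browser's jar for `host` only."""
    sid = cookies.get("sid")
    ret = query.get("returnURL", [None])[0]
    if host in SLAVES and path == "/page1.jsp":          # the check embedded in page1.jsp
        if sid in SESSIONS:
            return {"status": 200, "body": "page1 on %s for %s" % (host, SESSIONS[sid])}
        back = urlencode({"returnURL": "http://%s/page1.jsp" % host})
        return redirect("http://%s/check.jsp?%s" % (MASTER, back))
    if host in SLAVES and path == "/slavecookie.jsp":   # issue the slave cookie
        target = safe_return_url(ret)
        if target is None:
            return {"status": 400, "body": "rejected returnURL"}
        return redirect(target, set_cookie=query["sid"][0])
    if host == MASTER and path == "/check.jsp":         # master cookie check
        if sid in SESSIONS:
            return to_slave(sid, ret)
        return {"status": 200, "body": "login form", "login_for": ret}
    if host == MASTER and path == "/auth.jsp":          # auth.jsp + mastercookie.jsp
        new_sid = authenticate(form["username"], form["password"])
        if new_sid is None:
            return {"status": 200, "body": "login form", "login_for": ret}
        return to_slave(new_sid, ret, set_cookie=new_sid)
    return {"status": 404, "body": "no such page"}


def browse(url, jar, creds=None, form=None, hops=0):
    """Browser side: follow redirects, keep one cookie jar per host, submit `creds` to a login form."""
    if hops > 10:
        raise RuntimeError("redirect loop")
    parts = urlsplit(url)
    resp = handle(parts.hostname, parts.path, parse_qs(parts.query),
                  jar.setdefault(parts.hostname, {}), form)
    if resp.get("set_cookie"):
        jar[parts.hostname]["sid"] = resp["set_cookie"]   # a Set-Cookie only reaches the responding host
    if resp["status"] == 302:
        return browse(resp["location"], jar, creds, hops=hops + 1)
    if resp.get("body") == "login form" and creds:
        back = urlencode({"returnURL": resp["login_for"]})
        return browse("http://%s/auth.jsp?%s" % (MASTER, back), jar, None, form=creds, hops=hops + 1)
    return resp
```

Running browse against www.slave.com with credentials walks the full chain (page1.jsp, check.jsp, login, auth.jsp, slavecookie.jsp, page1.jsp) and leaves the same sid in the jars of both the master and the slave; a second slave then needs no login, only the redirect hop through the master. A production design would hand the slave a short-lived single-use token instead of the session id, exchange it server-to-server, and set Secure and HttpOnly on both cookies.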
References
Configuring SSO - Oracle Access Manager Access Administration Guide - http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b25990/v2sso.htm
Sharing Cookies Across Domains - Wayne Berry, 15Seconds.com - http://www.15seconds.com/issue/971108.htm
-
Q&A