sso report v3

Upload: do-hoang-phuc

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 SSO Report v3

    1/83: Single Sign-On with LDAP

    Supervisor (GVHD): MSc. L c Thng
    Presented by: Group 1

  • 2/83: Group members

    Hunh Thanh Tng 06520546
    V Quc Vit 06520569
    Trn Huy Cng 06520062
    H Thanh Bnh 06520027

  • 3/83: Report contents

    The LDAP protocol
    Single Sign-On
    Appendix

  • 4/83: The LDAP protocol

    The X.500 standard model
    Introduction to LDAP
    LDAP data model
    LDAP naming model
    LDIF and Schema
    LDAP client tools

  • 5/83: The X.500 model

  • 6/83: The X.500 model (cont.)

    Stores data as a Directory (a directory tree).
    Optimized for information lookup; built for searching and querying large volumes of data.
    Uses DAP (Directory Access Protocol) as the communication protocol between client and server. Operates only within the OSI model.

  • 7/83: Introduction to LDAP

    LDAP: Lightweight Directory Access Protocol. An improved version of the DAP protocol that runs over both the OSI model and TCP/IP.
    Used to access and update information in X.500 directories. Supports operations to open a connection, query, update, and close the connection between client and server.

  • 8/83: Introduction to LDAP (cont.)

  • 9/83: LDAP data model

  • 10/83: DIT

    LDAP stores data as a hierarchical tree, the DIT (Data Information Tree).

  • 11/83: DIT (cont.)

    The tree starts at the root.
    The nodes of the tree are entries.
    Each entry has at least one objectclass.
    An objectclass may contain zero or more attributes.
    Attributes hold the data.

  • 12/83: Entry

    An entry is a node in the DIT that holds information.

  • 13/83: Entry

    An entry contains exactly one STRUCTURAL objectclass.
    An entry may contain AUXILIARY objectclasses.
    An entry contains only one ABSTRACT objectclass.
    An entry can have child entries and a parent entry.

  • 14/83: Entry (cont.)

  • 15/83: Entry (cont.)

    Each entry has one or more attributes.
    Each attribute has a type (syntax) and may have one or more values, depending on what the attribute definition allows; in the example, the attribute cn has 2 values.

  • 16/83: Entry (cont.)

  • 17/83: Entry (cont.)

  • 18/83: Objectclass

    An objectclass is a package of attributes.
    An objectclass defines whether each member attribute is mandatory (MUST) or optional (MAY).
    Objectclasses can be defined hierarchically, inheriting the characteristics of the parent objectclass.

  • 19/83: Attribute

    Attributes hold data.
    An attribute must always be a member of at least one objectclass.
    It may be optional (MAY) in one objectclass and mandatory (MUST) in another.
    It may have one or more values.
    Besides its name, an attribute may also have aliases or abbreviations: commonName, cn.

  • 20/83: Example entry

    # Boss, People, kakauit.com
    dn: uid=Boss,ou=People,dc=kakauit,dc=com
    uid: Boss
    cn: chief
    cn: sep
    uidNumber: 200
    gidNumber: 200
    homeDirectory: /home/Boss
    description: account cua sep
    objectClass: account
    objectClass: posixAccount

  • 21/83: Naming model

  • 22/83: Naming model

    Defines how entries are identified and organized.
    Entries are arranged in the DIT according to their Distinguished Name (DN).
    The DN of an entry is a name that is unique across the whole DIT.
    A DN is built from relative distinguished names (RDNs).
    DN: uid=Boss,dc=kakauit,dc=com
    RDN: kakauit, com

  • 23/83: Naming model

  • 24/83: Naming model

    When an entry is created in the DIT, its content is held in attributes.
    Attributes are grouped into objectclasses.
    Objectclasses are packaged into Schemas.
    A Schema packages objectclasses and their related attributes together. Basic schemas: core.schema, ldap.schema.

  • 25/83: LDIF and Schema

  • 26/83: LDIF

    LDIF: LDAP Data Interchange Format. A data format that allows faster manipulation of directory data.
    Basic format of a directory entry: a dn: line followed by attribute: value lines.

  • 27/83: LDIF (cont.)

    Contents of a simple .ldif file

  • 28/83: LDIF

    An entry in an LDIF file is defined by:
    dn: the entry's distinguished name, unique across the whole DIT.
    objectclass: depending on the purpose of the entry, it carries different objectclasses. E.g. account, posixAccount.
    attribute: depending on the entry's objectclasses, it carries different attributes. E.g. posixAccount requires the entry to have the attribute cn.
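    As an added example (not from the original slides), the Python below parses the entry from the "Example entry" slide, keeps the two cn values as one multi-valued attribute, splits the DN into its RDNs, and checks the MUST attributes of the account and posixAccount objectclasses as the LDIF slide describes. The MUST sets and the uid/userid alias are assumed from RFC 4524 and RFC 2307 rather than taken from the slides.

```python
# Constructed sample: the entry from the "Example entry" slide, written as LDIF.
SAMPLE_LDIF = """\
# Boss, People, kakauit.com
dn: uid=Boss,ou=People,dc=kakauit,dc=com
uid: Boss
cn: chief
cn: sep
uidNumber: 200
gidNumber: 200
homeDirectory: /home/Boss
description: account cua sep
objectClass: account
objectClass: posixAccount
"""

# Assumed schema excerpt: the MUST attributes of the two objectclasses used above
# (account per RFC 4524, posixAccount per RFC 2307), keyed by lower-cased name.
MUST = {
    "account": {"uid"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
}
# Attribute aliases, as the slides note for commonName/cn.
ALIASES = {"userid": "uid", "commonname": "cn"}


def parse_ldif_entry(text):
    """Return (dn, {attribute: [values]}); attribute names are case-insensitive in LDAP."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line or line.startswith("#"):          # blank lines and LDIF comments
            continue
        name, _, value = line.partition(":")
        name = ALIASES.get(name.strip().lower(), name.strip().lower())
        value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)   # multi-valued: keep every value
    return dn, attrs


def rdns(dn):
    """Split a DN into its RDNs, most specific first (no escaped commas in this sample)."""
    return [part.strip() for part in dn.split(",")]


def missing_must(attrs):
    """Map each objectclass of the entry to the MUST attributes the entry lacks."""
    missing = {}
    for oc in attrs.get("objectclass", []):
        need = MUST.get(oc.lower(), set()) - set(attrs)
        if need:
            missing[oc] = sorted(need)
    return missing
```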

  • 29/83: Schema

    All objectclasses and attributes are defined in the Schemas used by the LDAP server; the schemas must be declared in the slapd.config file:
    include /etc/openldap/schema/core.schema
    An attribute declared in one schema can be used by an objectclass in another schema.

  • 30/83: Schema

  • 31/83: Objectclass

    An objectclass is a set of attributes.
    Objectclasses can be organized hierarchically, inheriting the properties of the parent objectclass (SUPerior):
    objectclass ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName )
    There are 3 kinds of objectclass: ABSTRACT, STRUCTURAL, AUXILIARY.
    http://www.zytrax.com/books/ldap/ape/core-schema.html

  • 32/83: Example objectclass

    objectclass: keyword that introduces an objectclass definition
    NAME: the objectclass name
    2.5.6.2: the OID
    SUP: the SUPerior objectclass

  • 33/83: Example objectclass (cont.)

    STRUCTURAL: the kind of objectclass
    DESC: description of the objectclass
    MUST: mandatory attributes
    MAY: optional attributes

  • 34/83: Attribute

  • 35/83: Attribute (cont.)

    An attribute must belong to at least one objectclass.
    To use an attribute, the objectclass that contains it must be defined in the entry: objectclass=person

  • 36/83: Attribute (cont.)

    An attribute can have one value (SINGLE-VALUE) or many (MULTI-VALUE); the default is multi-valued.
    attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' ) DESC 'RFC2256: ISO-3166 country 2-letter code' SUP name SINGLE-VALUE )

  • 37/83: Attribute (cont.)

    Attributes can be defined hierarchically:
    attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' ) SUP name SINGLE-VALUE )
    An attribute definition includes its type (SYNTAX):
    attributetype ( 2.5.4.2 NAME 'knowledgeInformation' DESC 'RFC2256: knowledge information' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
    http://www.zytrax.com/books/ldap/ape/core-schema.html

  • 38/83: Example attribute

    attributetype: keyword that introduces an attribute definition
    NAME: the attribute name
    2.5.4.3: the OID, created and managed by IANA
    SUP: the SUPerior attribute

  • 39/83: LDAP client tools

    Tools for manipulating directory data; they are used with many options:
    -c: continuous operation mode
    -f: read data from a file
    -x: use simple authentication
    -X: use SASL authentication...

  • 40/83: LDAP client tools (cont.)

    ldapsearch
    ldapadd
    ldapdelete
    ldapmodify
    ldapmodrdn
    ldappasswd

  • 41/83: LDAP client tools (cont.)

    ldapsearch
    ldapsearch [options] [searchfilter]
    ldapsearch -cx -D cn=Manager,dc=kakauit,dc=com -w kakauit objectclass=*

  • 42/83: LDAP client tools (cont.)

    Result of the ldapsearch command

  • 43/83: LDAP client tools (cont.)

    ldapadd
    ldapadd [options]
    ldapadd -cx -D cn=Manager,dc=kakauit,dc=com -w kakauit -f exam.ldif

  • 44/83: LDAP client tools (cont.)

    Result of the ldapadd command:

  • 45/83: Single Sign-On

    Problem statement
    Solution
    Single Domain SSO
    Multi Domain SSO

  • 46/83: Problem statement

    From the user's side:
    Too many credentials (username and password) to remember.
    Credentials get mixed up between applications.
    Credentials have to be entered repeatedly, once for each different application.

  • 47/83: Problem statement

    From the administrator's side:
    Provisioning a new account is complicated.
    Managing users' access information.
    Limiting unauthorized access.
    Deploying large (enterprise-level) applications.

  • 48/83: Solution: Single Sign-On

    One set of credentials for many different websites and applications.
    Log in once at one application, then use the other applications without logging in again for a certain period.
    Centralized management of users' credentials.
    Limits unauthorized access.

  • 49/83: Solution (cont.)

    Single Sign-On, SSO for short, gives a user access to many web resources and applications within the permitted scope with a single login.
    SSO is usually deployed in one of 2 models:
    Single Domain: once authenticated to domain.com, the user is also authenticated to every existing sub-domain.domain.com.
    Multi Domain: once authenticated to facebook.com, the user is also authenticated to example.com.

  • 50/83: Single Domain Single Sign-On

    A cookie is used to identify the user; the same mechanism is also used in the Multi Domain SSO model.
    The Web Server (or WebGate) sends an encrypted cookie to the browser after successful authentication.
    This cookie is the key used for authentication to other resources, or for authentications at the same level.
    Based on the Single Domain SSO model of Oracle Access System.

  • 51/83: Single Domain Single Sign-On (cont.)

    The cookie is usually set for .domain.com and consists of 2 parts:
    Encrypted part (using the AES and MD5 algorithms):
      Session ID: a string that identifies the user's active session.
      Distinguished Name: the user's identifier.
      IP address of the client the user is using.
      Cookie creation time.
      Last update time of the cookie.
    Unencrypted part:
      Cookie expiry time.
      Domain for which the cookie is valid.
      Other flags such as SSL and HttpOnly.
    In the Oracle Access System SSO model this cookie is usually named ObSSOCookie.

  • 52/83: Single Domain Single Sign-On (cont.)

  • 53/83: Multi Domain Single Sign-On

    Multi Domain SSO lets a user access many domains/hosts after a single login. E.g. Google.com, Windows Live Passport, Gate passport.
    However, a cookie cannot be set across domains because of the security policy of most browsers.
    One domain is chosen as the Master Domain. Every WebGate in the system redirects to the master domain. The master domain runs the Single Domain SSO process; it acts as the proxy that hands a valid cookie back to each domain that requested authentication.


  • 56/83: Concepts

    Master Domain: the only domain in the whole forest that can authenticate users against the information retrieved from the LDAP database.
    Slave Domain: the domains that redirect authentication to the Master Domain.
    Master Cookie: the cookie generated by the Master Domain.
    Slave Cookie: the cookie generated by a Slave Domain.

  • 57/83: Basic cookie

    SID stores the session ID:
    Cookie c = new Cookie("sid", session.getId());
    This is the cookie that lets the user log in once across all the slave domains whose authentication the master domain handles.


  • 59/83: Application structure

    Slave domain:
    slavecookie.jsp: generates the slave cookie for the user, then redirects the user to the page originally requested.
    page1.jsp: the page the user requested; it embeds a snippet that checks the user's cookie before showing the page content.

  • 60/83: Application structure (cont.)

    Master domain:
    check.jsp: checks the master cookie of a user request redirected from a slave domain (in this model, from page1.jsp of the slave domain).
    login.jsp: displays the login form.
    auth.jsp: verifies the credentials the user supplied; if valid, forwards to mastercookie.jsp, otherwise forwards back to login.jsp so the user can re-enter them.
    mastercookie.jsp: generates the master cookie for the user, then redirects the user to slavecookie.jsp to generate the slave cookie.

  • 61/83: Overall model


  • 63/83: Basic SSO processes

    Cookie check
    Login
    LDAP authentication
    Cookie generation

  • 64/83: Cookie check

  • 65/83: Cookie check (cont.)

    I/ At the slave domain:
    1. The server receives the request for page1.jsp from the user's browser.
    2. The server asks for the user's cookies.
    Cookie cookies[] = request.getCookies();
    Cookie sid_Cookie = getCookie(cookies, "sid");   // getCookie: helper that finds a cookie by name
    String slavesid = sid_Cookie.getValue();
    3. If the user has a sid cookie for the slave domain, go to step 4, otherwise go to step 5.
    4. The server checks that the sid value from the cookie exists in the MySQL database; if valid, go to step 6, otherwise go to step 5.
    a) Query the SQL database using MySQL Connector (3.0.17):

  • 66/83: Cookie check (cont.)

    Class.forName("com.mysql.jdbc.Driver").newInstance();
    Connection con = DriverManager.getConnection(
        "jdbc:mysql://192.168.208.128/sso?user=root&password=1234");
    Statement state = con.createStatement();
    ResultSet rs = state.executeQuery(
        "SELECT sessionhash FROM sso.session"
        + " WHERE sessionhash = '" + escape_string(slavesid) + "'"
        + " AND username = '" + escape_string(username) + "'");
    // escape_string: helper that escapes the value to avoid SQL injection
    5. The server redirects the user's request to check.jsp at the master domain, with the parameters domain and returnURL.
    String returnURL = request.getRequestURL().toString();
    response.sendRedirect("http://www.master.com/check.jsp?returnURL=" + returnURL);
    6. The server returns page1.jsp to the user.

  • 67/83: Cookie check (cont.)

    II/ At the master domain
    The same checks as at the slave domain are performed:
    1. The server receives the request for check.jsp from the user's browser together with the returnURL parameter.
    2. The server asks for the user's cookies.
    3. If the user has a sid cookie for the master domain, go to step 4, otherwise go to step 5.
    4. The server checks that the sid value from the cookie exists in the MySQL database; if valid, go to step 6, otherwise go to step 5.

  • 68/83: Cookie check (cont.)

    5. The server forwards the user's request to the login page login.jsp at the master domain together with the returnURL parameter.


  • 70/83: Login

  • 71/83: Login (cont.)

    1. After the master domain cookie check, if the cookie is not valid, the browser is sent to login.jsp so the user can log in.
    2. The user enters username and password in the login form.
    Please Login
    Login:
    Password:
    3. The username and password are passed to auth.jsp for LDAP processing.


  • 77/83: Cookie generation

  • 78/83: Cookie generation (cont.)

    I/ At the master domain:
    1. After successful authentication, a new master cookie is created for the user.
    String mastersid = session.getId();
    Cookie sid_cookie = new Cookie("sid", mastersid);
    response.addCookie(sid_cookie);
    At the same time the mastersid is stored in the MySQL database so it can be checked when the user requests a page that requires login.
    Class.forName("com.mysql.jdbc.Driver").newInstance();
    con = DriverManager.getConnection(
        "jdbc:mysql://192.168.208.128/sso?user=root&password=1234");
    state = con.createStatement();
    state.executeUpdate("REPLACE INTO sso.session (sessionhash) VALUES ('" + mastersid + "')");

  • 79/83: Cookie generation (cont.)

    2. Once the master domain cookie has been created, the user is redirected to slavecookie.jsp to obtain a new slave cookie.
    String redirectURL = "http://www.slave.com/slavecookie.jsp?sid=" + mastersid
        + "&returnURL=" + returnURL;
    response.sendRedirect(redirectURL);

  • 80/83: Cookie generation (cont.)

    II/ At the slave domain:
    1. After the master domain cookie has been created, the user's request arrives at slavecookie.jsp on the slave domain, which creates a new cookie named sid for the user to hold the SSO login information.
    String mastersid = request.getParameter("sid");
    Cookie sid_cookie = new Cookie("sid", mastersid);
    response.addCookie(sid_cookie);

  • 81/83: Cookie generation (cont.)

    2. Once the slave domain cookie has been created, the user is finally redirected back to the original page1.jsp; the check loop runs again and the user sees the content of page1.jsp.
    String redirectURL = request.getParameter("returnURL");
    response.sendRedirect(redirectURL);
    3. Further requests by the user for other pages no longer require logging in until the cookie expires.
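    As an added example, not code from the report, the Python below writes the cookie-check flow (slides 65 to 68) and the cookie-generation flow (slides 78 to 81) of both domains as functions over an in-memory SQLite table standing in for sso.session. Assumptions: ldap_bind is a callable standing in for the LDAP authentication of auth.jsp, the sid lookup binds the cookie value as a query parameter instead of building the SQL string by hand, and a request that reaches check.jsp with a valid master cookie is assumed to continue to slavecookie.jsp, since the slides leave that step out.

```python
import secrets
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit

MASTER = "http://www.master.com"
SLAVE = "http://www.slave.com"

# Constructed in-memory stand-in for the sso.session table the slides keep in MySQL.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE session (sessionhash TEXT PRIMARY KEY)")

def session_exists(sid):
    """Step 4 on either domain: is this sid a known session? The cookie value is
    bound as a parameter, which is what the slides' escape_string() tries to achieve."""
    row = db.execute("SELECT sessionhash FROM session WHERE sessionhash = ?", (sid,)).fetchone()
    return row is not None

def slave_page1(cookies):
    """Slave steps 1-6: serve page1.jsp for a known slave sid, else send to check.jsp."""
    sid = cookies.get("sid")
    if sid and session_exists(sid):
        return "page", "page1.jsp content"
    return "redirect", MASTER + "/check.jsp?" + urlencode({"returnURL": SLAVE + "/page1.jsp"})

def master_check(cookies, return_url):
    """Master steps 1-5. A known master sid continues to slavecookie.jsp (assumed: the
    slides omit master step 6); otherwise the request is forwarded to login.jsp."""
    sid = cookies.get("sid")
    if sid and session_exists(sid):
        return "redirect", SLAVE + "/slavecookie.jsp?" + urlencode({"sid": sid, "returnURL": return_url})
    return "forward", MASTER + "/login.jsp?" + urlencode({"returnURL": return_url})

def master_auth(username, password, return_url, cookies, ldap_bind):
    """auth.jsp + mastercookie.jsp. ldap_bind(user, pw) -> bool is an assumed callable
    standing in for the LDAP bind; on success a random sid is stored and set as cookie."""
    if not ldap_bind(username, password):
        return "forward", MASTER + "/login.jsp?" + urlencode({"returnURL": return_url})
    sid = secrets.token_hex(16)          # unguessable session id
    db.execute("REPLACE INTO session (sessionhash) VALUES (?)", (sid,))
    cookies["sid"] = sid                 # the master cookie
    return "redirect", SLAVE + "/slavecookie.jsp?" + urlencode({"sid": sid, "returnURL": return_url})

def slave_cookie(redirect_url, cookies):
    """slavecookie.jsp: copy the sid handed over by the master into the slave cookie and
    send the browser back to returnURL, which must be a page on this domain."""
    params = parse_qs(urlsplit(redirect_url).query)
    return_url = params["returnURL"][0]
    if not return_url.startswith(SLAVE + "/"):
        return "error", "returnURL must point at this domain"
    cookies["sid"] = params["sid"][0]    # the slave cookie
    return "redirect", return_url
```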

  • 82/83: References

    Configuring SSO, Oracle Access Manager Access Administration Guide: http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b25990/v2sso.htm
    Sharing Cookies Across Domains, Wayne Berry, 15Seconds.com: http://www.15seconds.com/issue/971108.htm

  • 83/83: Q&A