the three s’ - single sign-on, spnego & saml … · the three s’ - single sign-on, spnego...
TRANSCRIPT
THE THREE S’ - SINGLE SIGN-ON, SPNEGO & SAMLGabriella Davis [email protected] The Turtle Partnership
WHO AM I?
Gab Davis
Administrator, Problem Solver, Stubborn Fixer of Things
Working with IBM technologies and all the things surrounding and integrating with those
Based in London, about half the time
WHAT IS THIS PRESENTATION ABOUT?
We are here to talk about concepts
Once you understand the concepts, their requirements, limitations and benefits you can make decisions about what you need
Hopefully we will give you a good overview of a bunch of confusing acronyms
SINGLE SIGN ON !HELLO, HAVE YOU MET MY FRIEND?
I can vouch for him completely !
Is trust transferable?
Authenticating against a single password in a single place
Sametime
Network Login
Connections
LDAP Password
Synchronising passwords across different systems
Sametime LDAP
Connections LDAP
Traveler Authentication
Password Synchronisation
Tool
STEPS FOR SINGLE PASSWORD, SINGLE PLACE
For LDAP compliant applications ensure you use the same LDAP directory source
For Domino systems, configure Directory Assistance to point to an LDAP source
ensure you have an attribute in your LDAP directory that contains the user’s distinguished name so Domino is returned a valid user name
You can then empty out the HTTP Password field for all users
This will work for any Domino application, mail , traveler, Sametime etc
The user can be entirely remote and with no access to LDAP directly and this will still work
SPNEGO EXAMPLE FOR DOMINO
1 2 3
ACTIVE DIRECTORY GENERATES
SPNEGO TOKEN
USER TRIES TO ACCESS
DOMINO WEBSITE
STEPS
USER LOGS INTO
WINDOWS
SPNEGO EXAMPLE FOR DOMINO
1 2 3 4
ACTIVE DIRECTORY GENERATES
SPNEGO TOKEN
USER TRIES TO ACCESS
DOMINO WEBSITE
BROWSER SENDS
SPNEGO TOKEN TO DOMINO
ALONG WITH USER NAME
STEPS
USER LOGS INTO
WINDOWS
SPNEGO EXAMPLE FOR DOMINO
1 2 3 4 5
ACTIVE DIRECTORY GENERATES
SPNEGO TOKEN
USER TRIES TO ACCESS
DOMINO WEBSITE
BROWSER SENDS
SPNEGO TOKEN TO DOMINO
ALONG WITH USER NAME
DOMINO CONTACTS
ACTIVE DIRECTORY
TO VALIDATE TOKEN AND
RETRIEVE THE USER’S NAME
STEPS
USER LOGS INTO
WINDOWS
DOMINO CREATES A LTPATOKEN FOR THE
VALIDATED USER AND GRANTS ACCESS
Enable Multi Server Single Sign-On To
Extend Access To Other Servers
SETTING UP SPNEGO
Create a Domino Web SSO document
Set up a SPN for the Domino server in Active Directory
Domino must run under whatever account you set up for it
Run domspnego
Take the output and give it to your AD administrator to run setspn with
Run setspn -a http://<dominohostname> <accountnamerunningdomino>
Update person documents with AD name appended to FullName (and optional others like krbPrincipalName and LTPA User Name)
WHY NOT SPNEGO
It requires Active Directory
It requires users to login to Active Directory
It requires Microsoft Supported browsers
It requires a Windows client for the users
It requires Domino to be on a Windows platform
at least the first Domino server that’s accessed, the rest can then be reached via Multi Server SSO token generated by Domino
!
It doesn’t work at all if the user is remotely connecting and not logging into Active Directory
It has a very specific use case
A ssertionM arkupL anguage
SAML is a protocol and process for exchanging authorisation and authentication data for a user
between services and servers
S ecurity
NO PASSWORDS…..
TO COMPROMISE
TO EXPIRE TO INTERCEPT
Once a user has authenticated with the IdP they won’t be asked again
SAML EXAMPLE
26
1 2
USER ATTEMPTS TO LOG IN TO A
WEBSITE
USER IS REDIRECTED TO IDENTITY PROVIDER
STEPS
SAML EXAMPLE
27
1 2 3
USER ATTEMPTS TO LOG IN TO A
WEBSITE
USER IS REDIRECTED TO IDENTITY PROVIDER
IDENTITY PROVIDER REQUESTS
AUTHENTICATION OR (IF USER IS LOGGED
IN) RETURNS CREDENTIALS
STEPS
SAML EXAMPLE
28
1 2 3 4
USER ATTEMPTS TO LOG IN TO A
WEBSITE
USER IS REDIRECTED TO IDENTITY PROVIDER
IDENTITY PROVIDER REQUESTS
AUTHENTICATION OR (IF USER IS LOGGED
IN) RETURNS CREDENTIALS
USER IS REDIRECTED
BACK TO ORIGINAL SITE
WITH SAML ASSERTION ATTACHED
STEPS
SAML EXAMPLE
29
1 2 3 4 5
USER ATTEMPTS TO LOG IN TO A
WEBSITE
USER IS REDIRECTED TO IDENTITY PROVIDER
IDENTITY PROVIDER REQUESTS
AUTHENTICATION OR (IF USER IS LOGGED
IN) RETURNS CREDENTIALS
USER IS REDIRECTED
BACK TO ORIGINAL SITE
WITH SAML ASSERTION ATTACHED
ORIGINAL SITE USES ITS SAML
SERVICE PROVIDER TO CONFIRM SAML
ASSERTION AND GRANT ACCESS
STEPS
DEFINITIONS
IdP - Identity Provider (SSO)
ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
SAML 2.0 only
can be combined with SPNEGO
Enhances Integrated Windows Authentication (IWA)
TFIM (Tivoli Federated Identity Manager)
SAML 1.1 and 2.0
DEFINITIONS
SP - Service Provider
IBM Domino (web federated login)
IBM WebSphere
IBM Notes (requires ID Vault) (notes federated login)
MORE DEFINITIONS
IdP (Identity Providers) use HTTP or SOAP to communicate to SP (Service Providers) via XML based assertions
Assertions have three roles
Authentication
Authorisation
Retrieving Attributes
AN IDP CAN SERVICE MANY SERVICE PROVIDERS
A SP can be connected to several
IdPs
An IdP can use a variety of authentication
methods including multi factor
SETTING UP SAML
Choose your IdP if you don’t already have one
which fits best in your business
Build the IdP
Configure the SP
!
Sounds easy doesn’t it?
It’s really not easy by any means but it is worth the investment in time
WHY NOT SAML
Not everything supports it
Traveler doesn’t
Sametime doesn’t
ID Vault is a requirement so IDs that can’t be vaulted can’t be used
multiple passwords, smartcards etc
NOT EVERYTHING BELONGS TO YOU
OAuth is an authentication standard supported by most major cloud providers
THE USER & THE CONSUMER
Let’s say you want Facebook to post on your Connections Activity Stream.
!We need OAuth for that..
You are the User
Facebook is the Consumer
THE SERVICE PROVIDER & ITS SECRETSThe consumer (Facebook) wanders over to the Service Provider (IBM Connections) and
asks for permission to post on the Activity Stream
The Service Provider issues a Secret to go with every URL request from the user
which authorises access
OAUTH SIMPLIFIED EXAMPLE
40
1
USER ASKS FACEBOOK (THE CONSUMER) TO POST ON THEIR
ACTIVITY STREAM
STEPS
OAUTH SIMPLIFIED EXAMPLE
41
1 2
USER ASKS FACEBOOK (THE CONSUMER) TO POST ON THEIR
ACTIVITY STREAM
FACEBOOK GOES TO
CONNECTIONS (THE SERVICE
PROVIDER) AND ASKS FOR
PERMISSION TO POST
STEPS
OAUTH SIMPLIFIED EXAMPLE
42
1 2 3
USER ASKS FACEBOOK (THE CONSUMER) TO POST ON THEIR
ACTIVITY STREAM
FACEBOOK GOES TO
CONNECTIONS (THE SERVICE
PROVIDER) AND ASKS FOR
PERMISSION TO POST
THE SERVICE PROVIDER GIVES THE CONSUMER A SECRET KEY TO GIVE TO THE
USER AND A URL FOR THE USER TO CLICK
ON
STEPS
OAUTH SIMPLIFIED EXAMPLE
43
1 2 3 4
USER ASKS FACEBOOK (THE CONSUMER) TO POST ON THEIR
ACTIVITY STREAM
FACEBOOK GOES TO
CONNECTIONS (THE SERVICE
PROVIDER) AND ASKS FOR
PERMISSION TO POST
THE SERVICE PROVIDER GIVES THE CONSUMER A SECRET KEY TO GIVE TO THE
USER AND A URL FOR THE USER TO CLICK
ON
THE USER CLICKS ON THE URL AND AUTHENTICATES
WITH THE SERVICE PROVIDER
STEPS
OAUTH SIMPLIFIED EXAMPLE
44
1 2 3 4 5
USER ASKS FACEBOOK (THE CONSUMER) TO POST ON THEIR
ACTIVITY STREAM
FACEBOOK GOES TO
CONNECTIONS (THE SERVICE
PROVIDER) AND ASKS FOR
PERMISSION TO POST
THE SERVICE PROVIDER GIVES THE CONSUMER A SECRET KEY TO GIVE TO THE
USER AND A URL FOR THE USER TO CLICK
ON
THE USER CLICKS ON THE URL AND AUTHENTICATES
WITH THE SERVICE PROVIDER
THE SERVICE PROVIDER ,
SATISFIED THE SECRET KEY IS
GOOD, WILL NOW ALLOW THE CONSUMER
ACCESS TO ITS SERVICES
STEPS
THAT WAS REALLY SIMPLIFIED
There are other steps and other secrets to ensure traffic is not intercepted once authorisation is granted
There are checks to ensure the Service Provider is who it claims to be
You don’t want to accidentally authorise a phishing site
There are also lots of timeouts on the authorisation
!
Make sure you understand the security of both the Consumer and the Service Provider as well as what access you are granting the Consumer on your behalf
IN SUMMARY
Think about what your problem actually is, there are plenty of technologies to make the user experience seamless but they become ever more complex to build and maintain
What are your priorities. Single password? No password? No authentication with a particular service
Many solutions require specific operating systems, software and client versions
Make sure you meet all requirements before building a plan you can’t deliver on
Some things are very easy (Single password, SPNEGO)
Some things are very hard (SAML, OAuth)
There is no one solution, you need to choose the combination that delivers for you
HOW TO FIND METwitter, blogs, Instagram, Facebook and more
[email protected] GabriellaDavis (skype) http://turtleblog.info
gabturtle on twitter and elsewhere