Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications

Simplify Access to Microsoft SharePoint and SaaS Applications with Novell® Access Manager. Lloyd Burch, Distinguished Engineer, Novell/[email protected]; Eduardo Barragan, Senior Engineer, Novacoast/[email protected]

Uploaded by novell, posted 14-May-2015

DESCRIPTION

Identity federation has become the standard method for delivering access to services across organizational boundaries. More recently, federation has become the preferred method for managing user access within Microsoft SharePoint environments. In this session, you will get an overview of the federation capabilities in Novell Access Manager. Specifically, the presenters will provide an introduction to identity federation, cover basic setup and configuration, and show you how to enable federated access to Microsoft SharePoint and Google applications. No previous knowledge of federation standards is required for this session.

TRANSCRIPT

Page 1: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications

Simplify Access to Microsoft SharePoint and SaaS Applications with Novell® Access Manager™

Lloyd Burch, Distinguished Engineer, Novell/[email protected]

Eduardo Barragan, Senior Engineer, Novacoast/[email protected]

Page 2

© Novell, Inc. All rights reserved.

Novell® Access Manager™ Federation Overview

• What does Novell Access Manager do?
  – Access Control to Protected Resources
  – Authentication
    > Name/Password, X.509, Smart Cards, Kerberos, Others
  – Federation
    > Liberty, SAML 1.x, SAML 2.0, WS-Fed, CardSpace
    > Identity Provider (Builds Tokens)
    > Relying Party / Service Provider (Uses Tokens)
    > Manages Trust
  – SSL-VPN
    > Secure external access

Page 3

Novell® Access Manager™ Federation Overview

• What is Federation?
  – Established trust between two parties (IDP/SP)
    > How will the IDP authenticate?
    > What claims/attributes can be exchanged?
    > What identifier will be used to identify the user account at the SP?
    > Is automatic provisioning of an account needed?
  – How does it work?
    > Administrator defined – IDP sends transparent authentication
    > User links accounts – requests authentication
    > Open standards define the rules for how this is done
    > There can be many trusted providers or consumers of identity

Page 4

Simple Federated Identity

(Diagram: ZZYZX Car Rental is the Identity Provider, ABC Travel is the Service.)

1 – Request Service and Get Requirements
2 – Get Attested Identity Token
3 – Set Token and Receive Service

Page 5

User-Driven Identity

(Diagram: a Web Service receives a Login Request backed by My Local Identity, which draws on My Employer Identity, My Hobby Identity and My Family Identity.)

- Novell claims this is LBurch
- My Hobby Group claims this is Lloyd
- My Family claims this is “Son of Dad”
- Lloyd claims this is Me

Page 6

Open Standards allow Interoperability

(Diagram: several parties connected to one another through a common Open Standard.)

Page 7

Achieving Cost Savings

• Industry trends enabling Identity Federation
  – Open Standards support for identity
  – Multiple vendor support
  – OASIS and other standards bodies
  – Open Source reference code
  – Interoperability testing and certification
  – Lower cost
  – Partners can be added and removed quickly
  – Single store front from multiple vendors
  – Cost saving by sharing resources

Page 8

The Cost of Interoperability as Partners Increase

(Chart: cost in dollars, $0 to $25, against number of partners, 1 to 4, comparing Open standards with Proprietary Code.)

Page 9

Achieving the Vision

• Industry trends enabling Identity Federation

– The role of the firewall is changing

– Outside partners, customers and employees have access

– Applications must be protected from inside attacks

– Firewalls are becoming identity aware

– Increasing bandwidth for devices

– Most devices are connected (work, home, mobile)

Page 10

SharePoint and Novell® Access Manager™

• What are the components?

• How do they work?

• What is the value to the customer?

Page 11

SharePoint and Novell® Access Manager™

• WS-Federation is used as the binding protocol to share identities

• ADFS is the connecting point to Microsoft SharePoint

• Access Manager is the connection point to multiple identity stores

• Together, single sign-on and shared identity work

Page 12

SharePoint and Novell® Access Manager™

(Diagram: the identity stores eDirectory “Employees”, Active Directory “Business Units” and Sun One “Customers” feed Novell Access Manager, which transforms LDAP and Federated Identity into ADFS Claims for Microsoft SharePoint, backed by Active Directory “SharePoint”.)

• User authenticates to Access Manager (Direct or Federated)
• Access Manager can validate identities across multiple identity stores as well as federated authentication from partners using SAML, WS-Fed or Liberty Alliance
• User accesses SharePoint
• Access Manager transforms LDAP and Federated Identity into claims that are forwarded to Active Directory Federation Services (ADFS)
• SharePoint Administrator – Mr. Happy
  • Associates claims to SharePoint groups
  • No need to manage individual identities for all users that need SharePoint
• Improved user experience
  • Single sign-on to SharePoint and other web resources protected by Access Manager

Simplified Access to MS SharePoint

Page 13

SharePoint and Novell® Access Manager™

(Diagram components: LDAP Server, Novell Access Manager Identity Server, Legacy Webserver, Novell Access Manager Gateway, ADFS on Windows, SharePoint on Windows, Internal User.)

Page 14

SharePoint and Novell® Access Manager™

(Diagram components: LDAP Server, Novell Access Manager Identity Server, Legacy Webserver, Novell Access Manager Gateway, ADFS on Windows, SharePoint on Windows, Internal User; the flow is annotated as Step A and Step B.)

Page 15

SharePoint and Novell® Access Manager™

Page 16

SharePoint and Novell® Access Manager™

• Benefits to the customer

– Novell Access Manager can validate identities across multiple identity stores as well as federated authentication from partners using SAML, WS-Federation or Liberty Alliance

– Non-Active Directory users can use SharePoint

– SharePoint administrator does not need to manage individual identities for all users that need access to SharePoint

– Single sign-on to SharePoint and other web resources protected by Novell Access Manager

– Novell Access Manager policy can control SharePoint access via roles

Page 17

Demonstration: SharePoint and Novell® Access Manager™

Page 18

Force.com CRM and Novell® Access Manager™

• Just an example of SaaS vendors embracing industry standards like SAML 2.0
  – Salesforce.com offers Federated and Delegated SSO
    > Federated is simple, based on the SAML 2.0 HTTP-POST profile
      » You define the NameID
      » You create metadata
      » Easy with Access Manager
    > Delegated requires web services to be set up and uses SOAP to authenticate
      » You host the web service
      » SOAP callback
  – Delegated is not in scope of this presentation

Page 19

SAML Terms (Security Assertion Markup Language)

• Identity Provider (IDP)

– Producer of assertions

– Novell® Access Manager™

– Usually verifies credentials against LDAP

• Service Provider (SP)

– Consumer of assertions

– Provides the application

– SalesforceCRM is a cloud SP

Page 20

SAML Terms (Security Assertion Markup Language)

• Metadata
  “SAML profiles require agreements between system entities regarding identifiers, binding support and endpoints, certificates and keys, and so forth. A metadata specification is useful for describing this information in a standardized way” – http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
• Assertion (response)
  – Synonym for Claim
  – A trusted authentication – replaces password with COT
• Name Identifier – NameID
  – How to refer to the subject
  – Many supported formats

Page 21

SAML References

Novell – http://www.novell.com/documentation/novellaccessmanager/index.html

Wikipedia – http://en.wikipedia.org/wiki/SAML_2.0 – this is a good overview

OASIS – http://saml.xml.org/saml-specifications and http://docs.oasis-open.org/security/saml/v2.0/ – saml.xml.org is the wiki for the OASIS group which maintains the SAML specifications. The link is to the specifications page.

Page 22

Authentication Flow

Page 23

Typical Three Step Process – COT

1. Circle of Trust

• Metadata
  – Need to create SP metadata
  – Access Manager provides metadata
• X.509 Certificates
  – SP does not provide a certificate (you can create a self-signed cert)
  – IDP should always use SSL, especially since this is the HTTP-POST profile
• End points which resolve via DNS

Page 24

Typical Three Step Process – SP

2. Set up the SP side first

• Why?
  – The login URL contains specific data to handle NameID and attribute names
  – e.g. https://login.salesforce.com/?saml=MgoTx78aEPXRoZ2hRrHg2wwl5GLiR0qVpDJYXG4e5wzM83LxYv4TgrzVZsOpNK76ItidNdsqihgDsiG2horV_wCGmSN.N1pVNrfRKMIW0QwpMQyrV_QZw94y_TvXB08Jyhi9l32PLM_RH3LQ==
• Have your IDP certificate handy
  – Export the signing certificate public key, save in .der format

Page 25

Typical Three Step Process – SP

• Log in to salesforce.com
  – [email protected] – Admin user
  – Go to Setup > under Administration Setup
  – Select Security Controls > Single Sign-On Settings
• Issuer
  – https://idpsrv.novacoast.com/nidp/saml2/metadata
• Name ID format
  – urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

Page 26

SP Details

Good Help Reference

Page 27

SP Details

Page 28

Typical Three Step Process - IDP

3. Setup IDP – Novell® Access Manager™

• Create Attribute Map

Page 29

IDP Details

• SP Metadata:

<EntityDescriptor entityID="https://saml.salesforce.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.salesforce.com/?saml=MgoTx78aEPXToZ2hRrHg2wwl5GLiR0qVpDJYXG4e5wzM83LxYv4TgrzVZsOpNK76ItidNdsqIhgDsi2horU_wCGmSM.N1pVNrfRKMIW0QwpMQyrV_QZw94y_TvXB08Oyhi9l32PLM_RH3LQ=="/>
  </SPSSODescriptor>
</EntityDescriptor>

Page 30

IDP Details

Create Trusted Service Provider

Page 31

IDP Details

Configure Response

Page 32

IDP Details

Configure Target (Inter-site Transfer URL):
https://idpsrv.novacoast.com/nidp/saml2/idpsend?PID=https://saml.salesforce.com&TARGET=https://na7.salesforce.com/home/home.jsp
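The inter-site transfer URL above carries two parameters, PID (the trusted SP's entityID) and TARGET (where the user lands after the assertion is posted). The following is an added example, not Access Manager's own code, that builds such a link and validates one before it is handed to users; the idpsend endpoint and PID come from the slide, while the table of hosts a TARGET may point at is an assumption constructed for the example.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint and service provider identifier from the slide.
IDPSEND = "https://idpsrv.novacoast.com/nidp/saml2/idpsend"
SALESFORCE_PID = "https://saml.salesforce.com"

# Assumed trust table (constructed for this example): each trusted SP entityID
# (PID) and the hosts a TARGET for that SP is allowed to land on.
TRUSTED_TARGET_HOSTS = {
    SALESFORCE_PID: {"na7.salesforce.com", "login.salesforce.com"},
}


def build_intersite_url(pid, target=None):
    """Build the IDP-initiated link; urlencode takes care of the ':' and '/'
    characters in PID and TARGET, which the slide shows unencoded."""
    params = {"PID": pid}
    if target:
        params["TARGET"] = target
    return f"{IDPSEND}?{urlencode(params)}"


def validate_intersite_url(url, trusted=TRUSTED_TARGET_HOSTS):
    """Return (ok, reason). A link is accepted only when it points at the
    idpsend endpoint, names a trusted PID and, if a TARGET is present, that
    TARGET is an https URL on a host allowed for the PID. This stops the
    IDP-initiated link from being reused to send a logged-in user elsewhere."""
    u = urlparse(url)
    if u.scheme != "https" or f"https://{u.netloc}{u.path}" != IDPSEND:
        return False, "not the idpsend endpoint"
    query = parse_qs(u.query)
    pid = query.get("PID", [None])[0]
    target = query.get("TARGET", [None])[0]
    if pid not in trusted:
        return False, "PID is not a trusted service provider"
    if target is None:
        return True, "no TARGET: service provider default page"
    t = urlparse(target)
    if t.scheme != "https" or t.netloc not in trusted[pid]:
        return False, "TARGET is not an https URL on a host allowed for this PID"
    return True, "ok"
```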

Page 33

Demonstration: Salesforce.com CRM and Novell® Access Manager™

Page 34

Google Apps and Novell® Access Manager™

• Very similar to force.com SSO setup

– Have a look at Neil Cashell's Cool solution on the subject for details

– http://www.novell.com/communities/node/8645/integrating-google-apps-and-novell-access-manager-using-saml2

Page 35

Google Apps and Novell® Access Manager™

Same three step process

1 – Create COT
  – In this case, it's the same as the previous process; the public key of the IDP's signing and encryption certificate is all that's required
2 – Configure SP
  – Everything you need for this page is in the IDP metadata
    > Login URL
    > Logout URL
    > Password management URL
3 – Configure IDP (Novell Access Manager)

Page 36

Google Apps and Novell® Access Manager™

Main Points

Use this metadata, but replace the “Location” attribute. It must contain your domain.

<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/domain/acs" />
  </SPSSODescriptor>
</EntityDescriptor>
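Both the Salesforce metadata on page 29 and the Google Apps metadata above are imported into the IDP as a trusted service provider, and the slides note what to look for in each: the NameID format, the HTTP-POST AssertionConsumerService, and (for Google) the Location that must still be changed to your domain. The following is an added example, not Access Manager's code, that parses such SP metadata with the standard library and lists what an administrator should fix before importing it; the embedded metadata is a constructed copy of the Google slide, and the "domain" placeholder name is taken from that slide.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed copy of the Google Apps SP metadata from the slide; "domain" in the
# Location path is the placeholder the slide says must be replaced.
GOOGLE_SP_METADATA = """<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress </NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/domain/acs" />
</SPSSODescriptor>
</EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Pull out what the IDP needs from SP metadata: entityID, NameID format,
    the SP's signing expectations and every AssertionConsumerService endpoint."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    spsso = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if spsso is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    nid = spsso.find(f"{{{MD_NS}}}NameIDFormat")
    return {
        "entity_id": root.get("entityID"),
        "name_id_format": nid.text.strip() if nid is not None and nid.text else None,
        "authn_requests_signed": spsso.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": spsso.get("WantAssertionsSigned") == "true",
        "acs": [{"index": int(a.get("index", "0")), "binding": a.get("Binding"),
                 "location": a.get("Location")}
                for a in spsso.findall(f"{{{MD_NS}}}AssertionConsumerService")],
    }


def check_sp_metadata(info, placeholder="domain"):
    """List what an administrator should fix before importing the metadata as a
    trusted service provider: non-TLS or placeholder ACS URLs, a binding other
    than HTTP-POST, and an SP that does not ask for signed assertions."""
    findings = []
    if not info["acs"]:
        findings.append("no AssertionConsumerService endpoint")
    for acs in info["acs"]:
        url = urlparse(acs["location"] or "")
        if url.scheme != "https":
            findings.append(f"ACS {acs['location']} is not https")
        if placeholder in url.path.split("/"):
            findings.append(f"ACS {acs['location']} still has the '{placeholder}' placeholder")
        if acs["binding"] != HTTP_POST:
            findings.append(f"ACS binding {acs['binding']} is not HTTP-POST")
    if not info["want_assertions_signed"]:
        findings.append("SP does not declare WantAssertionsSigned; sign assertions regardless")
    return findings
```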

Page 37

Google Apps and Novell® Access Manager™

Main Points

The Authentication Response is slightly different from force.com

Page 38

Demonstration: Google Apps and Novell® Access Manager™

Page 39

Page 40

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.