Get Cloud Ready: Secure Access to Google Apps and Other SaaS Applications

Matt Weisberg

Vice President & CIO, Weisberg Consulting, Inc.

Mike Weaver

IDM Practice Lead, Concensus Consulting

Paul McKeith

© 2011 NetIQ Corporation. All rights reserved.

• Provisioning and Management of Accounts

• Single Sign-On using Security Assertion Markup Language (SAML)

NetIQ Identity Manager (IDM)

• Event-Based Identity Provisioning and Management
• Near real-time data synchronization between connected systems
• User Password Management
• Password Self-Service
• Multiple hosting platform support
• Out of the box support for a wide array of connected

IDM Connector for Google Apps

[Diagram: enterprise identity data flowing through the IDM Connector into Google Apps]

IDM Connector for Google Apps

• IDM Integration Module for unidirectional synchronization into Google Apps

• Native Java code

– Utilizes several published Google APIs

Features

• Synchronize (provision):
– Users
– Groups
– Shared Contacts
– Containers (OUs)
• Move between OUs
• Supports Secondary Email domains
• Support for Alias and Send-As settings
• Supports RBE and RBPM entitlements
• Account Tracking Support

Implementation

• Requires
– Google Apps for Business
– Google Apps for Education
– API Access Enabled
– Network access to Google

Implementation

• Install the driver modules

– Download the latest from the Novell® Patch site

• Add the Schema extensions Novell_Google_Schema.sch

• Be sure to update Designer Packages!

Futures

• Move user mailbox between email domains within the same Google Apps domain
• Resource Objects
• Postini Driver

Google Apps Single Sign-On (SSO)

• Google Supports Two Methods of Single Sign-On:
• OpenID
– Simple implementation
– Auto discovery of identities
– Service Provider Initiated SSO only
• Security Assertion Markup Language (SAML)
– More Complex
– Better end-user experience
– Faster
– Flexible

What is SAML?

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).

SAML - Service Provider Initiated SSO

[Diagram: User/Browser, Google Apps (Service Provider) and Access Manager (Identity Provider), with the exchange numbered 1–5]

1. User accesses Google Apps
2. Google generates SAML request and redirects user to IdP.
3. User logs into IdP and gets SAML response (assertion)

Access Manager – Quick Overview

• Reverse Proxy
– Coarse-Grained Access Control
– Agent-less Web SSO via Form Fill

• J2EE Web Agents

– Fine Grained Access Control

• SSLVPN

• Loosely Coupled Identity Stores

– LDAP Directories e.g. Active Directory, Sun One, eDirectory™

• Open Standard Federation and Web SSO Support

Access Manager – Identity Provider

• Base URL is the Identity Provider URL
• Must be accessible by clients

Access Manager – User Store

• eDirectory™, AD or SunOne supported out of the box. Other

Access Manager – SP Metadata

• Not supplied by Google! You must create.

• entityID can be domain specific to support multiple Google Apps instances with the same IdP.
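As an added example (not code from the slides or from NetIQ), the checks a service provider should run on the SAML response it receives in step 3 of the flow shown earlier, built around the domain-specific SP entityID this slide recommends so that an assertion minted for one Google Apps instance is not accepted by another served by the same IdP. The entityID/ACS naming convention, the sample Response and its timestamps are all constructed assumptions, and XML signature verification is assumed to have been done already by the SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

def sp_expectations(google_domain):
    # Assumed convention (not from the slides): one entityID and one ACS URL per
    # Google Apps domain, so a single Access Manager IdP can serve several domains.
    return {"entity_id": f"google.com/a/{google_domain}",
            "acs_url": f"https://www.google.com/a/{google_domain}/acs"}
def check_response(xml_text, sp, outstanding_request_id, now):
    """Return the checks that failed (empty list = acceptable).
    Assumes the XML signature on the Response has already been verified."""
    ts = lambda v: datetime.fromisoformat(v.replace("Z", "+00:00"))  # "Z" -> UTC aware
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != outstanding_request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion in Response"]
    cond = assertion.find("saml:Conditions", NS)
    if not (ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    # The domain-specific entityID is what keeps an assertion issued for one
    # Google Apps instance from being accepted by another served by the same IdP.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp["entity_id"] not in audiences:
        problems.append("Audience does not name this SP's entityID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"]:
        problems.append("Recipient is not this SP's ACS URL")
    return problems
# Constructed, unsigned sample Response; every value below is made up for the example.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42">
 <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://www.google.com/a/example.com/acs"
    NotOnOrAfter="2011-06-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2011-06-01T11:59:00Z" NotOnOrAfter="2011-06-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>google.com/a/example.com</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
def demo():
    # Same Response checked against the right SP, a stale request id, a different
    # Google Apps domain served by the same IdP, and a clock past NotOnOrAfter.
    now = datetime(2011, 6, 1, 12, 0, tzinfo=timezone.utc)
    sp = sp_expectations("example.com")
    return {"valid": check_response(SAMPLE, sp, "_req42", now),
            "stale_request": check_response(SAMPLE, sp, "_req43", now),
            "other_domain": check_response(SAMPLE, sp_expectations("other.example"), "_req42", now),
            "expired": check_response(SAMPLE, sp, "_req42", now + timedelta(minutes=10))}
```

The real entityID and ACS values for a Google Apps domain are not on the slides; substitute the ones from the SP metadata you create.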

Google Apps – Example SSO URLs

Sign-in page URL:

https://ids1.samlexperts.com:8443/nidp/saml2/sso

Sign-out page URL:

https://ids1.samlexperts.com:8443/nidp/app/logout

Change Password URL:

https://pwm.samlexperts.com/pwm/private/ChangePassword

Access Manager IdS Metadata URL:

Password Self Service

• Password Management Servlets (PWM)

– Open Source

http://code.google.com/p/pwm/

• IdM User Application

• Novell® Self-Service Password Reset (SSPR)

http://download.novell.com/Download?buildid=PLBqMVIDc80~
http://www.novell.com/documentation/sspr10/

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

Copyright © 2011 NetIQ Corporation. All rights reserved.
