Single Sign-on and Identity Propagation in a Heterogeneous Environment
"Single sign-on (SSO) is one of the components of access control for multiple related but independent software systems. With this component the user logs in once and gains access to all of the systems without having to log in to each of them."
Single Sign-On, Wikipedia
"SSO is built on a centralized authentication server that applications and systems use for the purpose of authentication."
Benefits of Single Sign-On
(Cartoon caption:) "Kids, go help Daddy press Ctrl-Alt-Del. I need to log in to Windows again."
• User comfort
  • No need to remember a large number of different usernames/passwords
  • Faster access to applications without repeated authentication
• Security
  • No more passwords written on paper
  • Strong authentication
• Costs
  • Technical support / password resets
  • User efficiency
• Laws, standards, regulations
Types of single sign-on
• Password Synchronization
• Perimeter Single Sign-on
  • Web Single Sign-on
  • X.509 authentication
• Server-based SSO, Identity Propagation
  • Standards, WebLogic Security Framework
  • SAML
  • Kerberos
Password Synchronization
Identity Management
Perimeter SSO
(Diagram: Perimeter SSO flow, steps 1-10: user, firewall, web server (app proxy) / gateway in the DMZ, second firewall, access server performing user validation and token validation against the User & Policy Store, and the application server whose resource protection guards the protected resources.)
Supported Authentication Mechanisms
• Form based authentication
• Basic authentication
• X.509 authentication
• OAAM virtual pad based authentication
• Kerberos based authentication (Windows native authentication)
X.509 Client Authentication
Two-way SSL
(Diagram: client and server exchange their "Hello" messages and certificates; public-key encryption is illustrated with the plaintext "The quick brown fox jumps over the lazy dog" turned into ciphertext with one key of the public/private pair and recovered with the other.)
X.509 Client Authentication
WebLogic Server and Database
Oracle® Fusion Middleware Securing Oracle WebLogic Server > 12 Configuring SSL
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/ssl.htm
Oracle® Database Advanced Security Administrator's Guide > 8 Configuring Secure Sockets Layer Authentication
http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asossl.htm#i1013323
Server-based Single Sign-on: Identity Propagation
• SAML
• Kerberos
End to End Security
(Diagram: the request path from the client through the web server (app proxy), application server, DB, message queue and mainframe application with its own DB.)
Identity Propagation
• User authenticates at the perimeter with an id and password
• Identity is propagated in many forms throughout the compute path
(Diagram: end user → web tier → portal application → service bus → business service / business process → data service → DB; along the way the identity is carried as HTTP Basic Auth, an SSO token, SOA security and finally the DB connection.)
Common Security Standards
(Diagram: a map of the standards listed below. Legend: shading marks standards included in the WS-I Basic Security Profile or in the WS-I Reliable Secure Profile; an arrow from "Std. A" to "Std. B" means "Std. B" is based on "Std. A".)
• Web service standards: SOAP & SwA, WS-ReliableMessaging, WS-Policy, WS-SecurityPolicy, WS-Security (SAML Token Profile, Kerberos Token Profile, X.509 Token Profile, UsernameToken Profile), WS-Trust, WS-Federation, WS-SecureConversation
• XML-based standards: XML, XACML, SAML, XML Signature, XML Encryption, SPML, CARML
• IP-based standards: IP, Kerberos, HTTP, TLS & SSL, HTTPS, LDAP, X.500
• Algorithms & protocols: symmetric key algorithms AES-(128,192,256), DES, 3-DES; message digests MD5, SHA-(1,2,3); PKI: X.509, RSA key encryption, RSA and DSA signature algorithms, PKCS
• Java standards: Java SE/EE Platform Security: JCA, JCE, JAAS, JSSE, JGSS, Java SASL
WebLogic Server Authentication
• Validates user credentials against the identity store
• Identity store
  • LDAP directories: Embedded, OID, OVD, iPlanet, OpenLDAP, Novell, Active Directory
  • RDBMS (SQL, read-only SQL, custom DBMS)
• Identity Assertion
  • Maps identities to users
  • Token types: Username/Password, Certificate, CSI v2, SAML, SPNEGO
Server-based Single Sign-on: Web Services
(Diagram: the same compute path, portal application → service bus → business service / business process → data service → SOA → DB connection → DB.)
Web Services
SOAP messages: each SOAP message consists of a SOAP Header and a SOAP Body; the SAML token travels in the SOAP Header:
<saml:Assertion>
  ...
  <saml:Subject>
    <saml:NameID ...>CN=Marian Kuna, OU=Sales, O=Oracle Slovensko</saml:NameID>
  </saml:Subject>
  ...
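As an added example (not code from the slides or from Oracle), the SOAP message above built in Python with the SAML assertion in the WS-Security header, together with the check a receiving service applies before acting as the propagated subject; the issuer URL and the XML-Signature verification hook are assumptions.

```python
# Added example: SAML token in a SOAP header (WS-Security SAML Token Profile).
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRUSTED_ISSUERS = {"https://idp.example.test"}  # hypothetical IdP


def build_soap_with_saml(name_id: str, body_xml: str) -> str:
    """Wrap body_xml in a SOAP envelope whose Security header carries a constructed
    (unsigned) SAML 2.0 assertion naming name_id as the subject."""
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{NS["wsse"]}">'
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0" ID="_constructed-1">'
        f'<saml:Issuer>https://idp.example.test</saml:Issuer>'
        f'<saml:Subject>'
        f'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">'
        f'{name_id}</saml:NameID></saml:Subject>'
        f'</saml:Assertion></wsse:Security></soap:Header>'
        f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>'
    )


def propagated_identity(envelope_xml: str, trusted_issuers=TRUSTED_ISSUERS) -> Optional[str]:
    """Return the NameID the downstream service may act as, or None.
    Only the Security header is consulted: an Assertion placed in the Body is data,
    not a credential. A real deployment also verifies the assertion's XML Signature
    (listed among the standards on the slides) before trusting the Issuer."""
    root = ET.fromstring(envelope_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return None
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in trusted_issuers:
        return None
    return assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)


if __name__ == "__main__":
    msg = build_soap_with_saml("CN=Marian Kuna, OU=Sales, O=Oracle Slovensko", "<getOrders/>")
    print(propagated_identity(msg))  # CN=Marian Kuna, OU=Sales, O=Oracle Slovensko
```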
Oracle Identity Federation
• Identity provider (IDP) is a service that hosts and/or provides identity information to other services
• Service provider (SP) is responsible for offering the services to the end users
Oracle Identity Federation
• “Industry’s most complete implementation of
federation standards”
• Standards:
• SAML 1.0 / 1.1 / 2.0
• Liberty Alliance ID-FF 1.1 / 1.2
• WS-Federation
• Liberty Alliance certification for Liberty ID-FF and SAML 2.0.
Oracle OpenSSO Fedlet
• Oracle OpenSSO Fedlet is a lightweight SP-only implementation of the SAML 2.0 SSO protocols
• Can be used to SSO-enable:
  • Internal apps
  • Partner apps
(Diagram: a .NET Fedlet and a Java Fedlet on the service-provider side, federating with an Identity Provider that can be Oracle Identity Federation, OpenSSO or a 3rd-party product.)
Server-based Single Sign-on: Kerberos
• Project Athena was initiated in 1983
• 8 years of research passed before Kerberos was officially complete
• Widely used as the default authentication method in popular operating systems
  • Windows
  • Unix
WebLogic Server and Kerberos
Oracle® Fusion Middleware Securing Oracle WebLogic Server > 6 Configuring Single Sign-On with Microsoft Clients
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/sso.htm
• Define a principal in Active Directory to represent the WebLogic Server.
• Any client must be set up to use Windows Integrated authentication, sending a Kerberos ticket when available.
• In the security realm of the WebLogic domain, configure a Kerberos
Oracle Database and Kerberos
Oracle® Database Advanced Security Administrator's Guide > 7 Configuring Kerberos Authentication
http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asokerb.htm
• Requires the Oracle Advanced Security option
Server-based Single Sign-on: Identity Propagation
(Diagram 1, without propagation: application users log in to the application as marian.kuna/pwd, but the application connects to the database with the shared account app/pwd; Identity Management sits beside the path.)
(Diagram 2, with identity propagation: the user logs in as marian.kuna/pwd and the application connects to the database as marian.kuna as well, with the identities held in OID by Identity Management.)
Enterprise User Security
(Diagram: a user known in OID, with users and groups from MSAD; on the Oracle database side, users and business roles are mapped to DB users and DB roles.)
Enterprise User Security
(Diagram: the same mapping, with OVD in place of OID in front of MSAD.)
Enterprise Single Sign-on (eSSO)
Oracle eSSO Logon Manager
(Diagram: on the PC/desktop, Oracle eSSO Logon Manager performs username/password sign-on to Windows, web sites, extranet & portal, mainframes (OS390, AS400) and Java applications; the user authenticates against LDAP, the domain or a database, administered from the Oracle eSSO Suite Management Console.)
Oracle eSSO Authentication Manager
(Diagram: Oracle eSSO AM exposes a multi-auth interface with graded auth policies over MS CAPI smart cards, SAFLINK, Entrust PKI and LDAP user auth through auth APIs, alongside Oracle eSSO SM, Oracle eSSO KM and Oracle eSSO Password Reset.)
Oracle eSSO Password Reset
(Diagram: Windows logon reset handled by the Oracle eSSO Password Reset Server against the domain, with admin, audit and reporting.)
Oracle eSSO Suite Management
Oracle eSSO Provisioning Gateway
(Diagram: the user's desktop with directory, domain and database; application sign-on to Windows, web sites, extranet & portal, mainframes (OS390, AS400) and Java; user auth by biometrics, token/smart card, PKI or password; Oracle eSSO Logon Manager with server connectors; SPML provisioning sources: applications & custom programs, manual entry, data file and credentials; Oracle eSSO Provisioning GW; sign-off.)
Oracle eSSO Kiosk Manager
(Diagram: Oracle eSSO KM manages the session (initiate, suspend, terminate) for Windows, web apps, extranet, portal, mainframes (OS390, AS400) and Java; session monitor triggers: time out, application shutdown, keystroke submit, closure request, process terminate; audit and reporting; LDAP logon and user auth.)