download - ASBIS SK Online
Single Sign-On and identity propagation in a heterogeneous environment
Marian Kuna, Technology Sales Consultant

Single Sign-On
Wikipedia: "Single sign-on (SSO) is one of the components of access control for multiple related but independent software systems. With it, the user logs in once and gains access to all of the systems without having to log in to each of them separately."
"SSO is built on a centralized authentication server that applications and systems use for authentication."

Benefits of Single Sign-On
(cartoon) "I need to log in to Windows again. Kids, go help Dad press Ctrl-Alt-Del."

Benefits of Single Sign-On
• User convenience
  • No need to remember a large number of different usernames and passwords
  • Faster access to applications without repeated authentication
• Security
  • Passwords on paper
  • Strong authentication
• Costs
  • Technical support / password resets
  • User productivity
• Laws, standards, regulations
  • Centralized reporting

Types of single sign-on
• Password Synchronization
• Perimeter Single Sign-on
  • Web Single Sign-on
  • X.509 authentication
• Server-based SSO, Identity Propagation
  • Standards, WebLogic Security Framework
  • SAML
  • Kerberos
• Enterprise Single Sign-on

Password Synchronization

Password Synchronization (diagram: Identity Management)

Perimeter Single Sign-on

Perimeter SSO (diagram; the numbered flow 1 to 10 is not recoverable from the extraction)
Components: Web Server (app proxy) / Gateway, Application Server, Protected Resources, DMZ between two firewalls, Access Server (Resource Protection, User Validation, Token Validation), User & Policy Store

Oracle Access Manager
Supported Authentication Mechanisms
• Form based authentication
• Basic authentication
• X.509 authentication
• OAAM virtual pad based authentication
• Kerberos based authentication (Windows native authentication)

X.509 Client Authentication: Two-way SSL (diagram)
Client sends ClientHello to Server. Illustration of the key pair: the plaintext "The quick brown fox jumps over the lazy dog" is transformed with the private key into "Py75c%bzjFr@g5=&nmdFg$5knvMd'rkvegMs" and recovered with the public key.

X.509 Client Authentication: WebLogic Server and Database
• Oracle® Fusion Middleware Securing Oracle WebLogic Server > 12 Configuring SSL
  http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/ssl.htm
• Oracle® Database Advanced Security Administrator's Guide > 8 Configuring Secure Sockets Layer Authentication
  http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asossl.htm#i1013323
  • Requires the Oracle Advanced Security option

Server-based Single Sign-on
• SAML
• Kerberos
Identity Propagation

End to End Security (diagram)
Client → Web Server (app proxy) → Application Server → Message Queue → Mainframe Application, each tier with its own DB; point-to-point interactions versus end-to-end security.

Identity Propagation
• User authenticates at the perimeter with an id and password
• Identity is propagated in many forms throughout the compute path
(diagram: End User → HTTP Basic Auth → Web tier → SSO token → Portal Application → SOA Business Process → Service Bus → Business Service → Data Service → DB connection → DB)

Common Security Standards (diagram; the arrows meaning "Std. B is based on Std. A" are not recoverable from the extraction)
• Web Service standards: WS-Policy, WS-SecurityPolicy, WS-ReliableMessaging, SOAP & SwA, WS-Security (SAML Token Profile, Username Token Profile, Kerberos Token Profile, X.509 Token Profile), WS-Trust, WS-SecureConversation, WS-Federation
• XML-based standards: XML, XML Encryption, XML Signature, SAML, XACML, CARML, AAPML, SPML
• IP-based standards: IP, HTTP, HTTPS, TLS & SSL, X.500, LDAP
• Algorithms & protocols: Kerberos; symmetric key algorithms: AES-(128,192,256), DES, 3-DES; message digests: MD5, SHA-(1,2,3); PKI: X.509; RSA key encryption; RSA, DSA signature algorithms; PKCS
• Java standards: Java SE/EE Platform Security: JCA, JCE, JAAS, JSSE, JGSS, Java SASL
• Legend also marks which standards are included in the WS-I Basic Security Profile and in the WS-I Reliable Secure Profile

WebLogic Server Security Framework

WebLogic Server Authentication
• Validates user credentials against the identity store
• Identity store
  • LDAP directories: Embedded, OID, OVD, iPlanet, OpenLDAP, Novell, Active Directory
  • RDBMS (SQL, read-only SQL, custom DBMS)
• Identity Assertion
  • Maps identities to users
  • Token types: Username/Password, Certificate, CSI v2, SAML, SPNEGO

Server-based Single Sign-on: SAML

Web Services: SOAP messages (diagram)
A SOAP message consists of a SOAP Header and a SOAP Body and travels along Portal Application → SOA Business Process → Service Bus → Business Service → Data Service → DB connection → DB.

SAML token (diagram)
SOAP message: the SOAP Header carries the SAML token whose subject is "CN=Marian Kuna, OU=Sales, O=Oracle Slovensko"; the SOAP Body carries the payload.

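As an added example (not Oracle's code and not part of the original deck), the following Python shows what a receiving service should do with a SAML assertion carried in a WS-Security SOAP header like the one on the slide: pull out the issuer and the subject NameID, and refuse the identity unless the issuer is trusted, the current time lies inside the assertion's NotBefore/NotOnOrAfter window, and the audience names this service. The SOAP message, the issuer URL, the audience URL and the timestamps are all constructed placeholders. The example assumes the assertion's XML Signature has already been verified against the issuer's key; that step is not shown here, and without it none of these checks can be relied on.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Namespaces used by the constructed message below (SOAP 1.1, WSS 1.0, SAML 2.0).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholder identifiers for this example; a real deployment has its own.
TRUSTED_IDP = "https://idp.example.test/oif"
MY_AUDIENCE = "https://businessservice.example.test"

# Constructed SOAP message: a SAML 2.0 assertion inside the WS-Security header,
# with the subject DN shown on the slide.
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="_a1b2c3" Version="2.0" IssueInstant="2011-05-10T10:00:00Z">
        <saml:Issuer>https://idp.example.test/oif</saml:Issuer>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Marian Kuna, OU=Sales, O=Oracle Slovensko</saml:NameID>
        </saml:Subject>
        <saml:Conditions NotBefore="2011-05-10T09:55:00Z" NotOnOrAfter="2011-05-10T10:05:00Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://businessservice.example.test</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <getOrders xmlns="http://example.test/orders"/>
  </soap:Body>
</soap:Envelope>
"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2011-05-10T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_assertion(soap_xml):
    """Return the saml:Assertion element from the WS-Security header, or raise ValueError."""
    root = ET.fromstring(soap_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in the WS-Security header")
    return assertion


def check_assertion(soap_xml, trusted_issuers, my_audience, now):
    """Return (True, subject) if the assertion may be trusted, else (False, reason).

    Assumption: the assertion's XML Signature was verified before this call;
    only the assertion's own claims (issuer, subject, validity, audience) are checked here.
    """
    try:
        assertion = extract_assertion(soap_xml)
    except (ET.ParseError, ValueError) as exc:
        return False, str(exc)

    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer: {issuer}"

    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return False, "assertion has no subject NameID"

    # An assertion without a bounded validity window is never accepted.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or not (conditions.get("NotBefore") and conditions.get("NotOnOrAfter")):
        return False, "assertion has no bounded validity window"
    not_before = parse_ts(conditions.get("NotBefore"))
    not_on_or_after = parse_ts(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window"

    # The assertion must name this service as an intended audience.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        return False, f"assertion not addressed to {my_audience}"

    return True, subject


if __name__ == "__main__":
    ok, detail = check_assertion(SAMPLE_SOAP, {TRUSTED_IDP}, MY_AUDIENCE, parse_ts("2011-05-10T10:00:00Z"))
    print(ok, detail)
```

The function returns a reason string rather than raising so that the service can log why an assertion was rejected; the receiving side should also bind the accepted subject to the SOAP Body it arrived with, which is what the signature over the assertion and message provides in WS-Security.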
Oracle Identity Federation
• Identity provider (IDP) is a service that hosts and/or provides identity information to other services
• Service Provider is responsible for offering the services to the end users

Oracle Identity Federation
• "Industry's most complete implementation of federation standards"
• Standards:
  • SAML 1.0 / 1.1 / 2.0
  • Liberty Alliance ID-FF 1.1 / 1.2
  • WS-Federation
• Liberty Alliance certification for Liberty ID-FF and SAML 2.0

Oracle OpenSSO Fedlet
• Oracle OpenSSO Fedlet is a lightweight SP-only implementation of SAML 2.0 SSO protocols
• Can be used to SSO-enable:
  • Internal apps
  • Partner apps
(diagram: .NET Fedlet and Java Fedlet federating with Oracle Identity Federation, OpenSSO, or a 3rd-party Identity Provider)

Server-based Single Sign-on: Kerberos

Kerberos
• Project Athena was initiated in 1983
• 8 years of research passed before Kerberos was officially complete
• Widely used as the default authentication method in popular operating systems
  • Windows
  • Unix
  • Mac OS X

Kerberos: WebLogic Server and Kerberos
• Oracle® Fusion Middleware Securing Oracle WebLogic Server > 6 Configuring Single Sign-On with Microsoft Clients
  http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/sso.htm
• Define a principal in Active Directory to represent the WebLogic Server.
• Any client must be set up to use Windows Integrated authentication, sending a Kerberos ticket when available.
• In the security realm of the WebLogic domain, configure a Negotiate Identity Assertion provider.

Kerberos: Oracle Database and Kerberos
• Oracle® Database Advanced Security Administrator's Guide > 7 Configuring Kerberos Authentication
  http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asokerb.htm
  • Requires the Oracle Advanced Security option

Server-based Single Sign-on: Identity Propagation

Identity Propagation: Application Users (diagram labels: Identity Management; Application: marian.kuna/pwd; app/pwd; Database: marian.kuna/pwd)

Identity Propagation: Enterprise User Security (diagram labels: Identity Management; OID; Application: marian.kuna/pwd; Database: marian.kuna/pwd)

Enterprise User Security: Implementation options (diagram)
OID, MS AD, User, Oracle database
• Users
• Business Role
• DB user
• DB Role
• Users
• Groups

Enterprise User Security: Implementation options (diagram)
OVD, MS AD, User, Oracle database
• Users
• Business Role
• DB user
• DB Role

Enterprise Single Sign-on

Oracle eSSO Logon Manager (diagram labels: Oracle eSSO Suite Management Console; LDAP, Domain, Database; Windows; Web sites; Mainframes (OS390, AS400); username/password; Oracle eSSO Logon Manager; Java; Extranet & Portal; Authentication; PC/Desktop Sign-On)

Oracle eSSO Authentication Manager (diagram labels: Oracle eSSO AM; MS CAPI; smart cards; SAFLINK; Entrust PKI; LDAP; Multi-Auth Interface & Graded Auth Policies; Auth API; Oracle eSSO SM; Oracle eSSO KM; User Auth)

Oracle eSSO Password Reset (diagram labels: Reset; Windows Logon; Oracle eSSO Password Reset Server; Audit, Reporting; Domain; Admin; Oracle eSSO Suite Management Console)

Oracle eSSO Provisioning Gateway (diagram labels: Provisioning Sources: Oracle Identity Manager (OIM), Applications & Custom Programs, Data file and Manual Entry; Password; Oracle eSSO Provisioning GW Connectors / Server; SPML; Windows; Web Sites; PKI; Directory, Domain, Database; Mainframes (OS390, AS400); Biometrics; Credentials; Java; Token / Smart card; User Auth; Oracle eSSO Logon Manager; User's Desktop; Extranet & Portal; Application Sign-On)

Oracle eSSO Kiosk Manager (diagram labels: Oracle eSSO KM; Windows / LDAP Logon; Session Monitor; Time out; Application Shutdown; Keystroke submit; Closure request; Sign-off; Web Apps, Extranet, Portal; User Auth; Process terminate; Session (Initiate, Suspend, Terminate); Java; Mainframes (OS390, AS400); Audit, Reporting)