download - ASBIS SK Online

Single Sign-On and identity propagation in a heterogeneous environment
Marian Kuna, Technology Sales Consultant


Single Sign-On
Wikipedia:
"Single sign-on (SSO) is one of the components of access control for multiple related but independent software systems. With this component, a user logs in once and gains access to all of the systems without having to log in to each of them."
"SSO is built on a centralized authentication server that applications and systems use for authentication."


Benefits of Single Sign-On
(cartoon: "I need to log in to Windows again." "Kids, go help Daddy press Ctrl-Alt-Del.")


Benefits of Single Sign-On
• User convenience
  • No need to remember a large number of different usernames/passwords
  • Faster access to applications, with no repeated authentication
• Security
  • No more passwords written on paper
  • Strong authentication
• Cost
  • Technical support / password resets
  • User productivity
• Laws, standards, regulations
  • Centralized reporting


Types of single sign-on
• Password Synchronization
• Perimeter Single Sign-on
  • Web Single Sign-on
  • X.509 authentication
• Server-based SSO, Identity Propagation
  • Standards, WebLogic Security Framework
  • SAML
  • Kerberos
• Enterprise Single Sign-on


PasswordSynchronization


Password Synchronization
(diagram: password synchronization driven by the Identity Management system)


Perimeter Single Sign-on


Perimeter SSO
(diagram, steps numbered 1 to 10 in the original: the User's request passes through the outer Firewall into the DMZ to the Web Server (application proxy) / Gateway, which performs Resource Protection and calls the Access Server for User Validation and Token Validation against the User & Policy Store; once validated, the request crosses the inner Firewall to the Application Server and its Protected Resources)


Oracle Access Manager


Supported Authentication Mechanisms
• Form-based authentication
• Basic authentication
• X.509 authentication
• OAAM virtual pad based authentication
• Kerberos-based authentication (Windows native authentication)


X.509 Client Authentication
(diagram: two-way SSL handshake between Client and Server, starting with ClientHello; below it the public-key illustration: "The quick brown fox jumps over the lazy dog" becomes "Py75c%bzjFr@g5=&nmdFg$5knvMd'rkvegMs" under the private key and is recovered with the public key)


X.509 Client Authentication
WebLogic Server and Database
Oracle® Fusion Middleware Securing Oracle WebLogic Server > 12 Configuring SSL
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/ssl.htm
Oracle® Database Advanced Security Administrator's Guide > 8 Configuring Secure Sockets Layer Authentication
http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asossl.htm#i1013323
• Requires the Oracle Advanced Security option (database side)
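The two slides above describe two-way SSL only at the level of "configure it"; what a practitioner gets wrong in practice is the server side that silently stays one-way, and the mapping from a verified certificate to an application user. The following is an added example, not the WebLogic or Oracle Database configuration the links point to: it forces a Python server context to require a client certificate and then performs the identity-assertion step on the verified certificate's subject. The peer-certificate dict is constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and the CA bundle path and the allowed organisation are assumptions.

```python
"""Two-way SSL (mutual TLS) on the server side plus identity assertion from the
client certificate.  Added example (not Oracle's configuration): the server
context is forced to require a client certificate, and the verified
certificate's subject is mapped to an application user.  SAMPLE_PEERCERT is
constructed in the shape returned by ssl.SSLSocket.getpeercert()."""
import ssl

# getpeercert() uses long attribute names; map them to the short RDN keys used in a DN.
_SHORT = {"commonName": "CN", "organizationalUnitName": "OU", "organizationName": "O",
          "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L"}


def server_context_requiring_client_cert(ca_bundle_path=None) -> ssl.SSLContext:
    """A server context defaults to one-way SSL (verify_mode CERT_NONE: only the
    server proves who it is).  Two-way SSL needs CERT_REQUIRED plus the CA(s) that
    are allowed to issue client certificates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED            # the client MUST present a valid cert
    if ca_bundle_path:                             # assumption: PEM bundle of trusted client CAs
        ctx.load_verify_locations(cafile=ca_bundle_path)
    # ctx.load_cert_chain(certfile="server.pem", keyfile="server.key")  # server identity, not loaded here
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED


def subject_attrs(peercert: dict) -> dict:
    """Flatten getpeercert()['subject'] (a tuple of RDNs, each a tuple of (attr, value)
    pairs) into a dict.  getpeercert() returns {} when the certificate was not validated
    (CERT_NONE), so an empty dict here means 'no usable identity'."""
    attrs = {}
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            attrs.setdefault(attr, value)          # keep the first value of multi-valued attrs
    return attrs


def subject_dn(peercert: dict) -> str:
    """Render the subject as 'CN=..., OU=..., O=...' in certificate order (for logging)."""
    parts = []
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            parts.append(f"{_SHORT.get(attr, attr)}={value}")
    return ", ".join(parts)


def assert_identity(peercert: dict, allowed_org: str) -> str:
    """Identity assertion: chain validity was already enforced by the handshake, so
    here we only accept certificates issued to the expected organisation and map the
    CN to the application user name."""
    if not peercert:
        raise PermissionError("no validated client certificate")
    attrs = subject_attrs(peercert)
    if attrs.get("organizationName") != allowed_org:
        raise PermissionError(f"certificate not issued to {allowed_org}: {subject_dn(peercert)}")
    cn = attrs.get("commonName")
    if not cn:
        raise PermissionError("certificate subject has no CN to map to a user")
    return cn


# Constructed sample in getpeercert() shape; the DN is the one used elsewhere in this deck.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "Marian Kuna"),),
                (("organizationalUnitName", "Sales"),),
                (("organizationName", "Oracle Slovensko"),)),
    "issuer": ((("commonName", "Example Client CA"),),),
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}

if __name__ == "__main__":
    ctx = server_context_requiring_client_cert()
    print("requires client cert:", requires_client_cert(ctx))
    print("asserted user:", assert_identity(SAMPLE_PEERCERT, "Oracle Slovensko"))
```

The check on `organizationName` matters because a CA bundle usually contains more than one issuer: a valid chain proves that some trusted CA vouched for the subject, not that the subject belongs to the population this application serves.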


Server-based Single Sign-on
• SAML
• Kerberos
• Identity Propagation


End to End Security
(diagram: Client → Web Server (application proxy) → Application Server → Message Queue → Mainframe Application, each tier with its own DB; point-to-point interactions between tiers are contrasted with end-to-end security spanning the whole path)


Identity Propagation
• The user authenticates at the perimeter with an id and password
• The identity is propagated in many forms throughout the compute path
(diagram: End User → HTTP Basic Auth → Web tier → SSO token → Portal Application → SOA Business Process → Service Bus → Business Service → Data Service → DB connection → DB)
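The perimeter SSO figure and the propagation slide above share one mechanism: the user validates once at the gateway, the gateway issues and later validates an SSO token, and the identity travels onward to the application tier in a different form. The following added example (not Oracle Access Manager's code) shows that loop end to end; the HMAC-signed token format, the cookie and header names, the user store and the gateway key are all constructed assumptions.

```python
"""Perimeter (web) single sign-on with identity propagation to the application tier.
Added example: user validation issues an HMAC-signed SSO token, token validation
checks it on every request, and the gateway forwards the asserted identity in a
header.  Token format, header names, users and key are constructed assumptions."""
import base64
import binascii
import hashlib
import hmac
import json
import time

GATEWAY_KEY = b"constructed-demo-key-use-a-random-rotated-key"   # assumption
SSO_COOKIE = "SSO_TOKEN"                                         # assumption
IDENTITY_HEADER = "X-Asserted-User"                              # assumption
GROUPS_HEADER = "X-Asserted-Groups"                              # assumption
_SALT = b"constructed-salt"          # demo only; use one random salt per user in practice


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user & policy store: username -> (password hash, groups)
USER_STORE = {"marian.kuna": (_pw_hash("s3cret"), ["sales"])}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authenticate(username, password, now=None, ttl=3600):
    """User validation at the perimeter.  Returns a signed SSO token, or None."""
    record = USER_STORE.get(username)
    candidate = _pw_hash(password)
    if record is None or not hmac.compare_digest(record[0], candidate):
        return None                    # same answer and timing for unknown user / bad password
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": username, "groups": record[1], "exp": now + ttl},
                         separators=(",", ":")).encode()
    sig = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def validate_token(token, now=None):
    """Token validation: verify the signature before trusting any claim, then the expiry."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def gateway_forward(request_headers, cookies, now=None):
    """Resource protection at the gateway: drop identity headers the client supplied
    itself (otherwise any caller could impersonate any user), validate the SSO cookie
    and inject the asserted identity for the application tier.
    Returns (status, headers_to_forward)."""
    forwarded = {k: v for k, v in request_headers.items()
                 if k.lower() not in (IDENTITY_HEADER.lower(), GROUPS_HEADER.lower())}
    claims = validate_token(cookies.get(SSO_COOKIE, ""), now)
    if claims is None:
        return 401, forwarded          # a real gateway redirects to the login form here
    forwarded[IDENTITY_HEADER] = claims["sub"]
    forwarded[GROUPS_HEADER] = ",".join(claims["groups"])
    return 200, forwarded


if __name__ == "__main__":
    token = authenticate("marian.kuna", "s3cret")
    print(gateway_forward({"Host": "portal", IDENTITY_HEADER: "admin"}, {SSO_COOKIE: token}))
```

The application tier may trust `X-Asserted-User` only when it can prove the request came from the gateway (mutual TLS between the tiers or a network path that admits nothing else); a back end reachable directly from the client turns the header into a free impersonation primitive, which is exactly why the gateway strips it from inbound requests.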


Common Security Standards
Web Service standards:
• WS-Policy, WS-SecurityPolicy, WS-ReliableMessaging
• SOAP & SwA
• WS-Security, with token profiles: SAML Token Profile, Username Token Profile, Kerberos Token Profile, X.509 Token Profile
• WS-Trust, WS-SecureConversation, WS-Federation
XML-based standards:
• XML, XML Encryption, XML Signature
• SAML, XACML, CARML, AAPML, SPML
IP-based standards:
• IP, HTTP, HTTPS, TLS & SSL, LDAP, X.500
Algorithms & protocols:
• Kerberos
• Symmetric key algorithms: AES-(128,192,256), DES, 3-DES
• Message digests: MD5, SHA-(1,2,3)
• PKI: X.509; RSA key encryption; RSA, DSA signature algorithms; PKCS
Java standards:
• Java SE/EE Platform Security: JCA, JCE, JAAS, JSSE, JGSS, Java SASL
Key: an arrow from "Std. A" to "Std. B" means "Std. B" is based on "Std. A"; the figure also marks the standards included in the WS-I Basic Security Profile and in the WS-I Reliable Secure Profile.


WebLogic ServerSecurity Framework


WebLogic Server Authentication
• Validates user credentials against the identity store
• Identity store
  • LDAP directories: Embedded, OID, OVD, iPlanet, OpenLDAP, Novell, Active Directory
  • RDBMS (SQL, read-only SQL, custom DBMS)
• Identity Assertion
  • Maps identities to users
  • Token types: Username/Password, Certificate, CSIv2, SAML, SPNEGO


Server-based Single Sign-on: SAML


Web Services
(diagram: SOAP messages, each with a SOAP Header and a SOAP Body, flow from the Portal Application through the SOA Business Process, Service Bus, Business Service and Data Service to the DB connection and DB)


SAML token
(diagram: a SOAP message whose SOAP Header carries a SAML token asserting the subject CN=Marian Kuna, OU=Sales, O=Oracle Slovensko, separate from the SOAP Body)
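The slide shows where the SAML token sits in the message, but not what the receiving service must do before it believes the subject. The following added example (not Oracle Web Services Manager code) builds a constructed SOAP message carrying a SAML 2.0 assertion in a WS-Security header, as the WS-Security SAML Token Profile prescribes, and walks through the checks on the receiving side: exactly one assertion, a trusted issuer, the validity window, and the audience. The issuer and audience URLs are assumptions. The assertion carries no `ds:Signature`, so the example documents where signature verification belongs rather than performing it; without that step an assertion is only a claim.

```python
"""SAML 2.0 assertion in a WS-Security SOAP header, and the receiver-side checks.
Added example; the XML is constructed and unsigned (signature verification is
marked where it must happen in a real deployment)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample message: SAML token in the header, business payload in the body.
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="_constructed-1" Version="2.0" IssueInstant="2015-07-10T09:00:00Z">
        <saml:Issuer>https://idp.example.test</saml:Issuer>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Marian Kuna, OU=Sales, O=Oracle Slovensko</saml:NameID>
        </saml:Subject>
        <saml:Conditions NotBefore="2015-07-10T09:00:00Z" NotOnOrAfter="2015-07-10T09:05:00Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://businessservice.example.test</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <getAccount xmlns="urn:example:business">ACC-42</getAccount>
  </soap:Body>
</soap:Envelope>"""


def parse_saml_time(text: str) -> datetime:
    """SAML uses UTC xsd:dateTime with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_assertion(soap_xml: str) -> ET.Element:
    """Locate the single saml:Assertion inside wsse:Security.  Refusing messages with
    more than one assertion closes the 'which one did you verify?' confusion."""
    root = ET.fromstring(soap_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header")
    assertions = security.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one assertion, got {len(assertions)}")
    return assertions[0]


def verify_assertion(assertion: ET.Element, audience: str, trusted_issuers, now: datetime) -> str:
    """Return the asserted NameID after the issuer, time-window and audience checks."""
    # Step 0 (NOT implemented here): verify ds:Signature over this assertion and that the
    # signing key belongs to the issuer.  Everything below is meaningless without it.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion without a validity window")
    not_before, not_on_or_after = parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):   # NotOnOrAfter is exclusive
        raise ValueError("assertion not valid at this time")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:
        raise ValueError("assertion not intended for this service")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("assertion has no NameID")
    return name_id


def asserted_identity(soap_xml: str, audience: str, trusted_issuers, now_iso: str):
    """Convenience wrapper for a service endpoint: the identity, or None if rejected."""
    try:
        return verify_assertion(extract_assertion(soap_xml), audience, trusted_issuers, parse_saml_time(now_iso))
    except ValueError:
        return None


if __name__ == "__main__":
    print(asserted_identity(SAMPLE_SOAP, "https://businessservice.example.test",
                            {"https://idp.example.test"}, "2015-07-10T09:02:00Z"))
```

The audience check is what stops an assertion issued for one service from being replayed against another; a five-minute window such as the one in the sample limits replay in time, which is why the receiver's clock must be synchronised with the issuer's.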


Oracle Identity Federation
• An Identity Provider (IdP) is a service that hosts and/or provides identity information to other services
• A Service Provider (SP) is responsible for offering the services to the end users


Oracle Identity Federation
• "Industry's most complete implementation of federation standards"
• Standards:
  • SAML 1.0 / 1.1 / 2.0
  • Liberty Alliance ID-FF 1.1 / 1.2
  • WS-Federation
• Liberty Alliance certification for Liberty ID-FF and SAML 2.0


Oracle OpenSSO Fedlet
• Oracle OpenSSO Fedlet is a lightweight SP-only implementation of the SAML 2.0 SSO protocols
• Can be used to SSO-enable:
  • Internal apps
  • Partner apps
(diagram: a Java Fedlet or .NET Fedlet embedded in the application federates with an Identity Provider, which may be Oracle Identity Federation, OpenSSO or a 3rd-party IdP)


Server-based Single Sign-on: Kerberos


Kerberos
• Project Athena was initiated in 1983
• 8 years of research passed before Kerberos was officially complete
• Widely used as the default authentication method in popular operating systems
  • Windows
  • Unix
  • Mac OS X




Kerberos
WebLogic Server and Kerberos
Oracle® Fusion Middleware Securing Oracle WebLogic Server > 6 Configuring Single Sign-On with Microsoft Clients
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/sso.htm
• Define a principal in Active Directory to represent the WebLogic Server.
• Any client must be set up to use Windows Integrated Authentication, sending a Kerberos ticket when available.
• In the security realm of the WebLogic domain, configure a Negotiate Identity Assertion provider.
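"Sending a Kerberos ticket when available" is the weak point of the procedure above: when the browser cannot obtain a ticket (no SPN registered for the server principal, a host name that does not match the SPN, a client outside the domain), Windows falls back to NTLM inside the very same `Authorization: Negotiate` header, and a Negotiate provider that accepts whatever arrives downgrades silently. The following added example (not Oracle's or Microsoft's code) decodes the GSS-API/SPNEGO framing of such a header far enough to tell Kerberos from NTLM, so the fallback can be logged or rejected. The sample headers are constructed; the Kerberos mechToken is a placeholder byte string, not a real AP-REQ.

```python
"""Classify an Authorization: Negotiate header as Kerberos or NTLM by decoding the
GSS-API InitialContextToken / SPNEGO NegTokenInit framing (RFC 2743, RFC 4178).
Added example; the sample headers below are constructed."""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (legacy Microsoft)
NTLM_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10


def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at buf[pos]; returns (tag, value, position after the TLV)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def spnego_neg_token_init(mech_oids, mech_token: bytes) -> bytes:
    """[APPLICATION 0] { SPNEGO OID, [0] NegTokenInit { [0] mechTypes, [2] mechToken } }."""
    mech_types = der(0x30, b"".join(der(0x06, oid) for oid in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, neg_init))


def classify_negotiate(header_value: str) -> str:
    """'kerberos', 'ntlm', 'not-negotiate' or 'unknown' for one Authorization header."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
        if token.startswith(b"NTLMSSP\x00"):       # raw NTLM message without SPNEGO wrapper
            return "ntlm"
        tag, body, _ = read_tlv(token)
        if tag != 0x60:
            return "unknown"
        tag, oid, pos = read_tlv(body)
        if tag != 0x06:
            return "unknown"
        if oid in (KRB5_OID, MS_KRB5_OID):          # bare Kerberos GSS token
            return "kerberos"
        if oid != SPNEGO_OID:
            return "unknown"
        tag, neg_init, _ = read_tlv(body, pos)
        if tag != 0xA0:                             # [1] NegTokenResp etc.: not an initial token
            return "unknown"
        _, seq, _ = read_tlv(neg_init)
        tag, mech_types, _ = read_tlv(seq)
        if tag != 0xA0:
            return "unknown"
        _, oids, _ = read_tlv(mech_types)
        preferred = read_tlv(oids)[1] if oids else b""   # the mechToken belongs to the first mechType
    except (ValueError, IndexError):
        return "unknown"
    if preferred in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    if preferred == NTLM_OID:
        return "ntlm"
    return "unknown"


def _header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples: healthy Kerberos, SPNEGO-wrapped NTLM fallback, raw NTLM.
KERBEROS_HEADER = _header(spnego_neg_token_init([KRB5_OID, NTLM_OID], b"<placeholder for a Kerberos AP-REQ>"))
NTLM_FALLBACK_HEADER = _header(spnego_neg_token_init([NTLM_OID], b"NTLMSSP\x00\x01\x00\x00\x00"))
RAW_NTLM_HEADER = _header(b"NTLMSSP\x00\x01\x00\x00\x00")

if __name__ == "__main__":
    for name, h in [("kerberos", KERBEROS_HEADER), ("fallback", NTLM_FALLBACK_HEADER), ("raw", RAW_NTLM_HEADER)]:
        print(name, "->", classify_negotiate(h))
```

Run against captured access logs or a reverse proxy's request headers, a steady stream of `ntlm` from domain-joined clients usually means the SPN for the WebLogic host name is missing or duplicated in Active Directory, which is the first thing to check when the procedure above "works" but users are still prompted for a password.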


Kerberos
Oracle Database and Kerberos
Oracle® Database Advanced Security Administrator's Guide > 7 Configuring Kerberos Authentication
http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asokerb.htm
• Requires the Oracle Advanced Security option


Server-based Single Sign-on: Identity Propagation


Identity Propagation: Application Users
(diagram: Identity Management provisions the user marian.kuna/pwd into the Application; the Application connects to the Database with its own shared account app/pwd, while the Database separately holds marian.kuna/pwd, so the end user's identity is lost between the two tiers)


Identity Propagation: Enterprise User Security
(diagram: Identity Management feeds OID; the user signs on to the Application as marian.kuna/pwd and the same enterprise identity marian.kuna reaches the Database, which resolves it through OID instead of a shared application account)


Enterprise User Security: Implementation Options
(diagram, option 1: users and groups live in MS AD; OID holds users and business roles; the user connects to the Oracle database, where enterprise users and roles are mapped to a DB user and DB roles)


Enterprise User Security: Implementation Options
(diagram, option 2: OVD presents MS AD users and business roles to the Oracle database without copying them into OID; the user connects and is mapped to a DB user and DB roles)


Enterprise Single Sign-on


Oracle eSSO Logon Manager
(diagram: Oracle eSSO Logon Manager on the user's PC/desktop performs the sign-on authentication against LDAP, the Windows domain or a database, then supplies username/password to Windows applications, web sites, Java applications, mainframes (OS/390, AS/400) and extranet/portal applications; policy is administered from the Oracle eSSO Suite Management Console)


Oracle eSSO Authentication Manager
(diagram: Oracle eSSO AM offers a multi-authenticator interface with graded authentication policies; authenticators include MS CAPI, smart cards, SAFLINK, Entrust PKI and LDAP; user authentication is exposed through the Auth API to Oracle eSSO SM and Oracle eSSO KM)


Oracle eSSO Password Reset
(diagram: the user starts a reset from the Windows logon screen; the Oracle eSSO Password Reset Server resets the password in the domain, with audit and reporting; the administrator manages it from the Oracle eSSO Suite Management Console)


Oracle eSSO Provisioning Gateway
(diagram: provisioning sources (Oracle Identity Manager (OIM), applications and custom programs, data files and manual entry) feed the Oracle eSSO Provisioning Gateway server through SPML connectors; it provisions credentials to the Oracle eSSO Logon Manager on the user's desktop, which after user authentication (password, PKI, biometrics, token/smart card) signs the user on to Windows, web sites, Java, directory/domain/database, mainframes (OS/390, AS/400) and extranet/portal applications)


Oracle eSSO Kiosk Manager
(diagram: Oracle eSSO KM monitors the Windows/LDAP logon session on a shared kiosk; on timeout, application shutdown, keystroke submit or closure request it initiates, suspends or terminates the session, signs the user off web apps, extranet, portal, Java and mainframe (OS/390, AS/400) applications and terminates processes, with audit and reporting)
