Single Sign-On and identity propagation
in a heterogeneous environment
Marian Kuna, Technology Sales Consultant
Single Sign-On
Wikipedia
"Single sign-on (SSO) is one of the components of access control for multiple related but independent software systems. With this component, a user logs in once and gains access to all of the systems without having to log in to each of them."
"SSO is built on a centralized authentication server that applications and systems use for authentication."
Benefits of Single Sign-On
(cartoon) "I need to log in to Windows again." / "Kids, go help daddy press Ctrl-Alt-Del."
Benefits of Single Sign-On
• User convenience
  • No need to remember many different usernames/passwords
  • Faster access to applications without repeated authentication
• Security
  • Passwords written down on paper
  • Strong authentication
• Costs
  • Technical support / password resets
  • User productivity
• Laws, standards, regulations
  • Centralized reporting
Types of single sign-on
• Password Synchronization
• Perimeter Single Sign-on
  • Web Single Sign-on
  • X.509 authentication
• Server-based SSO, Identity Propagation
  • Standards, WebLogic Security Framework
  • SAML
  • Kerberos
• Enterprise Single Sign-on
Password Synchronization
(diagram) Identity Management as the hub that synchronizes the password to the connected systems
Perimeter Single Sign-on
(diagram) Perimeter SSO: the user's request passes through the outer Firewall into the DMZ, where the Web Server (app proxy) / Gateway Server asks the Access Server (resource protection, user validation, token validation), backed by the User & Policy Store, before the request crosses the inner Firewall to the Application's protected resources; the numbered flow steps 1-10 are not recoverable from the slide
Oracle Access Manager
Supported Authentication Mechanisms
• Form based authentication
• Basic authentication
• X.509 authentication
• OAAM virtual pad based authentication
• Kerberos based authentication (Windows native authentication)
X.509 Client Authentication
Two-way SSL
(diagram) Client and Server exchange Hello messages; the sample text "The quick brown fox jumps over the lazy dog" is shown transformed with the private key into ciphertext and recovered with the public key, illustrating how the client proves possession of its certificate's private key
X.509 Client Authentication
WebLogic Server and Database
Oracle® Fusion Middleware Securing Oracle WebLogic Server > 12 Configuring SSL
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/ssl.htm
Oracle® Database Advanced Security Administrator's Guide > 8 Configuring Secure Sockets Layer Authentication
http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asossl.htm#i1013323
• Requires Oracle Advanced Security option
Server based Single Sign-on
• SAML
• Kerberos
Identity Propagation
End to End Security
(diagram) Point to Point Interactions vs. End-to-end security along the path Client → Web Server (app proxy) → Application Server → Message Queue → Mainframe Application → DB
• User authenticates at the perimeter with an id and password
• Identity is propagated in many forms throughout the compute path
Identity Propagation
(diagram) End User → HTTP Basic Auth → Web tier (SSO token) → Portal Application → SOA Business Process → Service Bus → Business Service → Data Service → DB connection → DB
Common Security Standards
(diagram; key: "Std. B" is based on "Std. A"; arrows marked "Included in" lead into the WS-I profiles)
• Web Service standards: WS-Policy, WS-SecurityPolicy, WS-ReliableMessaging, WS-Security (over SOAP & SwA), WS-SecureConversation, WS-Trust, WS-Federation; WS-Security token profiles: SAML Token Profile, UsernameToken Profile, Kerberos Token Profile, X.509 Token Profile; WS-I Basic Security Profile, WS-I Reliable Secure Profile
• XML-based standards: XML, XML Encryption, XML Signature, SAML, CARML, XACML, AAPML, SPML
• IP-based standards: IP, HTTP, HTTPS, TLS & SSL, X.500, LDAP
• Algorithms & protocols: Kerberos; Symmetric Key Algorithms: AES-(128,192,256), DES, 3-DES; Message Digests: MD5, SHA-(1,2,3); PKI: X.509, RSA key encryption, RSA and DSA signature algorithms, PKCS
• Java standards: Java SE/EE Platform Security: JCA, JCE, JAAS, JSSE, JGSS, Java SASL
WebLogic Server Security Framework
WebLogic Server Authentication
• Validates user credentials against the identity store
• Identity store
  • LDAP directories: Embedded, OID, OVD, iPlanet, OpenLDAP, Novell, Active Directory
  • RDBMS (SQL, read-only SQL, custom DBMS)
• Identity Assertion
  • Maps identities to users
  • Token types
    • Username/Password
    • Certificate
    • CSI v2
    • SAML
    • SPNEGO
Server based Single Sign-on
SAML
Web Services
(diagram) SOAP messages (SOAP Header + SOAP Body) carry the identity from Portal Application → SOA Business Process → Service Bus → Business Service → Data Service → DB connection → DB
SAML token
SOAP message
  SOAP Header
    <saml:Assertion>
      ...
      <saml:Subject>
        <saml:NameID ...>
          CN=Marian Kuna, OU=Sales, O=Oracle Slovensko
        </saml:NameID>
      </saml:Subject>
      ...
      <Signature>
  SOAP Body
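Added example, not from the presentation: the checks a service further down the chain should make on the SAML assertion in the WS-Security header before trusting the propagated identity. The SOAP message, issuer and audience URLs are constructed; the Signature element is a placeholder, so the code only confirms it is present where a real service would verify the XML signature against the issuer's certificate.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SOAP message modelled on the slide's fragment; the ds:Signature
# element is a stand-in, so this example only checks that it is present.
SOAP_MESSAGE = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header><wsse:Security xmlns:wsse="{NS['wsse']}">
    <saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_a1">
      <saml:Issuer>https://idp.example.com</saml:Issuer>
      <ds:Signature>...</ds:Signature>
      <saml:Subject><saml:NameID>CN=Marian Kuna, OU=Sales, O=Oracle Slovensko</saml:NameID></saml:Subject>
      <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
        <saml:AudienceRestriction><saml:Audience>https://bus.example.com/data</saml:Audience></saml:AudienceRestriction>
      </saml:Conditions>
    </saml:Assertion>
  </wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(soap_xml, my_audience, trusted_issuers, now):
    """Return (accepted, detail): detail is the NameID when accepted,
    otherwise the reason the assertion was rejected."""
    root = ET.fromstring(soap_xml)
    a = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if a is None:
        return False, "no SAML assertion in WS-Security header"
    if a.find("ds:Signature", NS) is None:          # real code: verify XML-DSig here
        return False, "assertion is not signed"
    if a.findtext("saml:Issuer", namespaces=NS) not in trusted_issuers:
        return False, "issuer not trusted"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        return False, "assertion not issued for this service"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```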
Oracle Identity Federation
• Identity Provider (IdP) is a service that hosts and/or provides identity information to other services
• Service Provider (SP) is responsible for offering the services to the end users
Oracle Identity Federation
• "Industry's most complete implementation of federation standards"
• Standards:
  • SAML 1.0 / 1.1 / 2.0
  • Liberty Alliance ID-FF 1.1 / 1.2
  • WS-Federation
• Liberty Alliance certification for Liberty ID-FF and SAML 2.0
Oracle OpenSSO Fedlet
• Oracle OpenSSO Fedlet is a lightweight SP-only implementation of the SAML 2.0 SSO protocols
• Can be used to SSO-enable:
  • Internal apps
  • Partner apps
(diagram) Identity Provider (Oracle Identity Federation, OpenSSO or 3rd party) ↔ .NET Fedlet / Java Fedlet
Server based Single Sign-on
Kerberos
• Project Athena was initiated in 1983
• 8 years of research passed before Kerberos was officially complete
• Widely used as the default authentication method in popular operating systems
  • Windows
  • Unix
  • Mac OS X
WebLogic Server and Kerberos
Oracle® Fusion Middleware Securing Oracle WebLogic Server > 6 Configuring Single Sign-On with Microsoft Clients
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/sso.htm
• Define a principal in Active Directory to represent the WebLogic Server.
• Any client must be set up to use Windows Integrated authentication, sending a Kerberos ticket when available.
• In the security realm of the WebLogic domain, configure a Negotiate Identity Assertion provider.
Oracle Database and Kerberos
Oracle® Database Advanced Security Administrator's Guide > 7 Configuring Kerberos Authentication
http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asokerb.htm
• Requires Oracle Advanced Security option
Server based Single Sign-on
Identity Propagation
Identity Propagation: Application Users
(diagram) Identity Management → Application (end user marian.kuna/pwd; application account app/pwd) → Database (marian.kuna/pwd)
Identity Propagation: Enterprise User Security
(diagram) Identity Management (OID) → Application (marian.kuna/pwd) → Database (marian.kuna/pwd)
Enterprise User Security: implementation options
(diagram) User → OID (users, business roles, DB users) → Oracle database (DB roles); MSAD (users, groups) feeds OID
Enterprise User Security: implementation options
(diagram) User → OVD → MSAD (users, business roles, DB users, DB roles) → Oracle database
Enterprise Single Sign-on
Oracle eSSO Logon Manager
(diagram) Oracle eSSO Suite Management Console; authentication (username/password) against LDAP, domain or database; Oracle eSSO Logon Manager performs PC/desktop sign-on to Windows, web sites, mainframes (OS390, AS400), Java, extranet & portal
Oracle eSSO Authentication Manager
(diagram) Oracle eSSO AM: user authentication via MS CAPI, smart cards, SAFLINK, Entrust PKI or LDAP through a multi-auth interface & graded auth policies; exposes an Auth API to Oracle eSSO SM and Oracle eSSO KM
Oracle eSSO Password Reset
(diagram) Oracle eSSO Password Reset Server: reset initiated from the Windows Logon screen; domain admin; audit, reporting; Oracle eSSO Suite Management Console
Oracle eSSO Provisioning Gateway
(diagram) Provisioning sources (Oracle Identity Manager (OIM), applications & custom programs, data file and manual entry) → connectors → Oracle eSSO Provisioning GW (SPML) → credentials (password, PKI, biometrics, token/smart card; user auth against directory, domain, database) → Oracle eSSO Logon Manager on the user's desktop → application sign-on to Windows server, web sites, mainframes (OS390, AS400), Java, extranet & portal
Oracle eSSO Kiosk Manager
(diagram) Oracle eSSO KM: LDAP logon; session monitor (session initiate, suspend, terminate) driven by application shutdown, time out, keystroke submit, closure request, process terminate; Windows sign-off and sign-off from web apps, extranet, portal, Java, mainframes (OS390, AS400); user auth; audit, reporting