Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications
Posted on 14-May-2015
Simplify Access to Microsoft SharePoint and SaaS Applications with Novell® Access Manager™
Lloyd Burch, Distinguished Engineer, Novell, lburch@novell.com
Eduardo Barragan, Senior Engineer, Novacoast, ebarragan@novacoast.com
© Novell, Inc. All rights reserved.2
Novell® Access Manager™ Federation Overview
• What does Novell Access Manager do?
– Access control to protected resources
– Authentication
> Name/Password, X.509, smart cards, Kerberos, others
– Federation
> Liberty, SAML 1.x, SAML 2.0, WS-Federation, CardSpace
> Identity Provider (builds tokens)
> Relying Party / Service Provider (uses tokens)
> Manages trust
– SSL VPN
> Secure external access
Novell® Access Manager™ Federation Overview
• What is federation?
– Established trust between two parties (IDP/SP)
> How will the IDP authenticate?
> What claims/attributes can be exchanged?
> What identifier will be used to identify the user account at the SP?
> Is automatic provisioning of an account needed?
– How does it work?
> Administrator defined: the IDP sends a transparent authentication
> User links accounts: the user requests authentication
> Open standards define the rules for how this is done
> There can be many trusted providers or consumers of identity
Simple Federated Identity
Diagram: a user, ZZYZX Car Rental (identity provider) and ABC Travel (service):
1 – Request service and get requirements
2 – Get attested identity token
3 – Present token and receive service
User-Driven Identity
Diagram: a login request to a web service is answered from "My Local Identity", which gathers claims from My Employer Identity, My Hobby Identity and My Family Identity:
– Novell claims this is LBurch
– My hobby group claims this is Lloyd
– My family claims this is “Son of Dad”
– Lloyd claims this is me
Open Standards Allow Interoperability
Diagram: several parties interconnected, with every link labelled "Open Standard".
Achieving Cost Savings
• Industry trends enabling identity federation
– Open standards support for identity
– Multiple vendor support
– OASIS and other standards bodies
– Open source reference code
– Interoperability testing and certification
– Lower cost
– Partners can be added and removed quickly
– Single store front from multiple vendors
– Cost saving by sharing resources
The Cost of Interoperability as Partners Increase
Chart: cost (y-axis, $0 to $25) against number of partners (x-axis, 1 to 4) for two series, "Open standards" and "Proprietary code".
Achieving the Vision
• Industry trends enabling Identity Federation
– The role of the firewall is changing
– Outside partners, customers and employees have access
– Applications must be protected from inside attacks
– Firewalls are becoming identity aware
– Increasing bandwidth for devices
– Most devices are connected (work, home, mobile)
SharePoint and Novell® Access Manager™
• What are the components?
• How do they work?
• What is the value to the customer?
SharePoint and Novell® Access Manager™
• WS-Federation is used as the binding protocol to share identities
• ADFS is the connecting point to Microsoft SharePoint
• Access Manager is the connection point to multiple identity stores
• Together they provide single sign-on and a shared identity
SharePoint and Novell® Access Manager™
Diagram: Novell Access Manager sits between the identity stores (eDirectory “Employees”, Active Directory “Business Units”, Sun ONE “Customers”) and Microsoft SharePoint with its own Active Directory “SharePoint”; Access Manager transforms LDAP and federated identity into ADFS claims.
• User authenticates to Access Manager (direct or federated)
• Access Manager can validate identities across multiple identity stores as well as federated authentication from partners using SAML, WS-Federation or Liberty Alliance
• User accesses SharePoint
• Access Manager transforms LDAP and federated identity into claims that are forwarded to Active Directory Federation Services (ADFS)
• SharePoint administrator (“Mr. Happy”) associates claims to SharePoint groups
• No need to manage individual identities for all users that need access to SharePoint
• Improved user experience
• Single sign-on to SharePoint and other web resources protected by Access Manager
Simplified Access to MS SharePoint
SharePoint and Novell® Access Manager™
Diagram (repeated on the following slides with Step A and Step B annotated): LDAP Server, Novell Access Manager Identity Server, Novell Access Manager Gateway, Legacy Webserver, ADFS (Windows), SharePoint (Windows) and an internal user.
SharePoint and Novell® Access Manager™
• Benefits to the customer
– Novell Access Manager can validate identities across multiple identity stores as well as federated authentication from partners using SAML, WS-Federation or Liberty Alliance
– Non-Active Directory users can use SharePoint
– SharePoint administrator does not need to manage individual identities for all users that need access to SharePoint
– Single sign-on to SharePoint and other web resources protected by Novell Access Manager
– Novell Access Manager policy can control SharePoint access via roles
Demonstration: SharePoint and Novell® Access Manager™
Force.com CRM and Novell® Access Manager™
• Just one example of SaaS vendors embracing industry standards like SAML 2.0
– Salesforce.com offers Federated and Delegated SSO
> Federated is simple, based on the SAML 2.0 HTTP-POST profile
» You define the NameID
» You create the metadata
» Easy with Access Manager
> Delegated requires a web service to be set up and uses SOAP to authenticate
» You host the web service
» SOAP call back
– Delegated SSO is not in scope of this presentation
SAML Terms (Security Assertion Markup Language)
• Identity Provider (IDP)
– Producer of assertions
– Novell® Access Manager™
– Usually verifies credentials against LDAP
• Service Provider (SP)
– Consumer of assertions
– Provides the application
– Salesforce CRM is a cloud SP
SAML Terms (Security Assertion Markup Language)
• Metadata: “SAML profiles require agreements between system entities regarding identifiers, binding support and endpoints, certificates and keys, and so forth. A metadata specification is useful for describing this information in a standardized way” – http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
• Assertion (carried in the Response)
– Roughly a synonym for claim
– A trusted statement that the user authenticated; at the SP it replaces the password with the trust established in the circle of trust (COT)
• Name Identifier (NameID)
– How to refer to the subject
– Many supported formats
SAML References
Novell – http://www.novell.com/documentation/novellaccessmanager/index.html
Wikipedia – http://en.wikipedia.org/wiki/SAML_2.0 (a good overview)
OASIS – http://saml.xml.org/saml-specifications and http://docs.oasis-open.org/security/saml/v2.0/ (saml.xml.org is the wiki of the OASIS group that maintains the SAML specifications; the link is to the specifications page)
Authentication Flow (diagram)
Typical Three Step Process - COT
1. Circle of Trust
• Metadata
– Need to create the SP metadata
– Access Manager provides its own (IDP) metadata
• X.509 certificates
– The SP does not provide a certificate (you can create a self-signed cert)
– The IDP should always use SSL, especially since this is the HTTP-POST profile
• End points which resolve via DNS
Typical Three Step Process - SP
2. Set up the SP side first
• Why?
– The login URL contains specific data to handle the NameID and attribute names, e.g. https://login.salesforce.com/?saml=MgoTx78aEPXRoZ2hRrHg2wwl5GLiR0qVpDJYXG4e5wzM83LxYv4TgrzVZsOpNK76ItidNdsqihgDsiG2horV_wCGmSN.N1pVNrfRKMIW0QwpMQyrV_QZw94y_TvXB08Jyhi9l32PLM_RH3LQ==
• Have your IDP certificate handy
– Export the signing certificate's public key and save it in .der format
Typical Three Step Process – SP
• Log in to salesforce.com
– ebarragan@novacoast.com – admin user
– Go to Setup > Administration Setup
– Select Security Controls > Single Sign-On Settings
• Issuer
– https://idpsrv.novacoast.com/nidp/saml2/metadata
• Name ID format
– unspecified, i.e. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (note that urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified is an attribute NameFormat, not a NameID format)
SP Details
Screenshots of the Salesforce Single Sign-On Settings page, with a pointer to its help reference.
Typical Three Step Process - IDP
3. Set up the IDP – Novell® Access Manager™
• Create attribute map
IDP Details
• SP metadata:
<EntityDescriptor entityID="https://saml.salesforce.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.salesforce.com/?saml=MgoTx78aEPXToZ2hRrHg2wwl5GLiR0qVpDJYXG4e5wzM83LxYv4TgrzVZsOpNK76ItidNdsqIhgDsi2horU_wCGmSM.N1pVNrfRKMIW0QwpMQyrV_QZw94y_TvXB08Oyhi9l32PLM_RH3LQ=="/>
  </SPSSODescriptor>
</EntityDescriptor>
IDP Details
Create Trusted Service Provider
IDP Details
Configure Response
IDP Details
Configure Target (Inter-site Transfer URL):
https://idpsrv.novacoast.com/nidp/saml2/idpsend?PID=https://saml.salesforce.com&TARGET=https://na7.salesforce.com/home/home.jsp
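The inter-site transfer URL above starts an IDP-initiated login: Access Manager authenticates the user, builds the Response configured on the previous slide and posts it to the Salesforce assertion consumer service, which then has to decide whether to trust it. As an added example (not Novell Access Manager or Salesforce code), the Python below builds the idpsend URL with a TARGET restricted to the SP's own hosts, and performs the checks an SP makes on a received Response after XML-DSig verification: Destination and Recipient equal to the ACS, Issuer equal to the IDP entityID, audience, validity window with clock skew, Success status, and InResponseTo handling for unsolicited versus SP-initiated flows. The entity IDs and URLs are those on the slides; the helper names, the sample user user@example.com and the unsigned sample Response are constructed for the example, and signature verification is assumed to have been done beforehand by an XML-DSig library.

```python
"""IDP-initiated SAML 2.0 flow to Salesforce: build the Access Manager inter-site
transfer URL, then run the SP-side checks on the posted Response. Added example,
not Novell Access Manager or Salesforce code; helper names and sample data are
constructed, entity IDs and URLs are taken from the slides."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse
import xml.etree.ElementTree as ET

IDP_ENTITY_ID = "https://idpsrv.novacoast.com/nidp/saml2/metadata"
SP_ENTITY_ID = "https://saml.salesforce.com"
ACS_URL = ("https://login.salesforce.com/?saml=MgoTx78aEPXToZ2hRrHg2wwl5GLiR0qVpDJYXG4e5wzM83LxYv4Tgrz"
           "VZsOpNK76ItidNdsqIhgDsi2horU_wCGmSM.N1pVNrfRKMIW0QwpMQyrV_QZw94y_TvXB08Oyhi9l32PLM_RH3LQ==")
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}


def intersite_transfer_url(idp_base, sp_entity_id, target, allowed_target_hosts):
    """Build .../nidp/saml2/idpsend?PID=...&TARGET=... . TARGET becomes the post-login
    destination (RelayState), so only https URLs on the SP's own hosts are accepted;
    an unrestricted TARGET turns the link into an open redirector."""
    t = urlparse(target)
    if t.scheme != "https" or t.hostname not in allowed_target_hosts:
        raise ValueError("TARGET %r is not an allowed https SP location" % target)
    return idp_base + "/nidp/saml2/idpsend?" + urlencode({"PID": sp_entity_id, "TARGET": target})


def _fmt(d):  # SAML dateTime values are UTC with a trailing Z
    return d.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_response(not_before, not_on_or_after, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID,
                    destination=ACS_URL, in_response_to=None, subject="user@example.com"):
    """Constructed, unsigned Response/Assertion pair for offline testing."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['p']}" xmlns:saml="{NS['a']}" ID="_r1" Version="2.0"
  IssueInstant="{_fmt(not_before)}" Destination="{destination}"{irt}>
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_fmt(not_before)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{subject}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{_fmt(not_on_or_after)}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{_fmt(not_before)}" NotOnOrAfter="{_fmt(not_on_or_after)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, now, request_id=None, skew=timedelta(minutes=2)):
    """SP-side checks that follow XML-DSig verification with the IDP certificate
    (out of scope here). request_id is the ID of our AuthnRequest for SP-initiated
    SSO, or None when accepting an unsolicited (IDP-initiated) Response.
    Returns (subject NameID, list of problems); an empty list means accept."""
    problems = []
    r = ET.fromstring(xml_text)
    if r.tag != "{%s}Response" % NS["p"]:
        return None, ["root element is not samlp:Response"]
    if r.get("Destination") != ACS_URL:
        problems.append("Destination is not our ACS")
    code = r.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    irt = r.get("InResponseTo")
    if request_id is not None and irt != request_id:
        problems.append("InResponseTo does not match our AuthnRequest")
    if request_id is None and irt is not None:
        problems.append("unsolicited response must not carry InResponseTo")
    a = r.find("a:Assertion", NS)
    if a is None:
        return None, problems + ["no Assertion (an EncryptedAssertion needs decryption first)"]
    if a.findtext("a:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Issuer is not the trusted IDP")
    cond = a.find("a:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        if _parse(cond.get("NotBefore")) - skew > now:
            problems.append("assertion not yet valid")
        if _parse(cond.get("NotOnOrAfter")) + skew <= now:
            problems.append("assertion expired")
        if SP_ENTITY_ID not in [x.text for x in cond.findall("a:AudienceRestriction/a:Audience", NS)]:
            problems.append("our entityID is not in the audience")
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not our ACS")
    elif _parse(scd.get("NotOnOrAfter")) + skew <= now:
        problems.append("SubjectConfirmation expired")
    nameid = a.find("a:Subject/a:NameID", NS)
    return (nameid.text if nameid is not None else None), problems
```

The sample Response is deliberately unsigned so that it runs offline; in a real SP the signature over the Response or Assertion is verified against the IDP certificate exported in step 1 before any of these checks run, and a Response that fails the checks is rejected even though its signature is valid. Note also that the NameID format must match what the SP was configured with in step 2 (unspecified on the Salesforce slide, transient in the SP metadata), or the user lookup at the SP fails.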
Demonstration: Salesforce.com CRM and Novell® Access Manager™
Google Apps and Novell® Access Manager™
• Very similar to force.com SSO setup
– Have a look at Neil Cashell's Cool solution on the subject for details
– http://www.novell.com/communities/node/8645/integrating-google-apps-and-novell-access-manager-using-saml2
Google Apps and Novell® Access Manager™
Same three step process
1 – Create COT
– In this case it is the same as the previous process: the public key of the IDP's signing and encryption certificate is all that's required
2 – Configure SP
– Everything you need for this page is in the IDP metadata
> Login URL
> Logout URL
> Password management URL
3 – Configure IDP (Novell Access Manager)
Google Apps and Novell® Access Manager™
Main points: use this metadata, but replace the “Location” attribute; it must contain your domain.
<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://www.google.com/a/domain/acs" />
  </SPSSODescriptor>
</EntityDescriptor>
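The Salesforce and Google Apps SP metadata shown on the slides are what the IDP administrator imports when creating the trusted service provider. As an added example that is not part of the original presentation or any vendor's code, the Python below parses such metadata with the standard library and flags the points a practitioner checks before importing it: WantAssertionsSigned="false" (the Response or Assertion must be signed at the IDP regardless), an SP that publishes no signing certificate, a non-https or non-HTTP-POST assertion consumer service, and, for the Google template, an ACS Location whose path still contains the literal placeholder instead of your tenant domain. The function names, the example tenant domain example.com and the embedded copies of the two metadata documents are constructed for the example.

```python
"""Parse SAML 2.0 SP metadata and flag the settings an IDP administrator checks
before creating a trusted service provider. Added example; not Novell Access
Manager, Salesforce or Google code. The two documents below are constructed
copies of the SP metadata shown on the slides."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SALESFORCE_METADATA = """<EntityDescriptor entityID="https://saml.salesforce.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"><SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.salesforce.com/?saml=MgoTx78aEPXToZ2hRrHg2wwl5GLiR0qVpDJYXG4e5wzM83LxYv4TgrzVZsOpNK76ItidNdsqIhgDsi2horU_wCGmSM.N1pVNrfRKMIW0QwpMQyrV_QZw94y_TvXB08Oyhi9l32PLM_RH3LQ=="/></SPSSODescriptor></EntityDescriptor>"""

# The Google template still carries the literal placeholder "domain" in the ACS path.
GOOGLE_METADATA = """<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress </NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://www.google.com/a/domain/acs" />
  </SPSSODescriptor>
</EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract the fields the IDP trust configuration needs from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("not a SAML 2.0 EntityDescriptor: %s" % root.tag)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor; this is not SP metadata")
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false") == "true",
        # whitespace around the URN is common in hand-edited metadata, hence strip()
        "nameid_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS) if n.text],
        # a KeyDescriptor without "use" serves both signing and encryption
        "has_signing_cert": any(k.get("use") in (None, "signing")
                                for k in sp.findall("md:KeyDescriptor", NS)),
        "acs": [{"index": a.get("index"), "binding": a.get("Binding"), "location": a.get("Location")}
                for a in sp.findall("md:AssertionConsumerService", NS)],
    }


def check_sp_metadata(info, expected_domain=None):
    """Return warnings about the SP's stated expectations. expected_domain is the
    tenant domain that must appear in the ACS path for Google Apps style templates."""
    warnings = []
    if not info["want_assertions_signed"]:
        warnings.append("WantAssertionsSigned=false: sign the Response or Assertion at the IDP anyway")
    if not info["authn_requests_signed"] and not info["has_signing_cert"]:
        warnings.append("SP publishes no signing certificate, so its AuthnRequests cannot be "
                        "authenticated; bind the trust to the entityID and ACS URL instead")
    if not info["acs"]:
        warnings.append("no AssertionConsumerService endpoint")
    for acs in info["acs"]:
        url = urlparse(acs["location"] or "")
        if url.scheme != "https":
            warnings.append("ACS %r is not https" % acs["location"])
        if acs["binding"] != HTTP_POST:
            warnings.append("ACS binding %r is not HTTP-POST" % acs["binding"])
        if expected_domain and expected_domain not in url.path:
            warnings.append("ACS %r does not contain tenant domain %r" % (acs["location"], expected_domain))
    if not info["nameid_formats"]:
        warnings.append("no NameIDFormat declared; agree one with the SP out of band")
    return warnings
```

Run check_sp_metadata(parse_sp_metadata(GOOGLE_METADATA), expected_domain="your.domain") against the metadata you are about to import; the tenant-domain warning disappears only once the Location has been edited as the slide instructs. The Salesforce document produces the WantAssertionsSigned and missing-certificate warnings, which is why the IDP response configuration on the earlier slides signs the assertion unconditionally.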
Google Apps and Novell® Access Manager™
Main points: the authentication Response is slightly different from the force.com one
Demonstration: Google Apps and Novell® Access Manager™
Unpublished Work of Novell, Inc. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.