![Page 1: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/1.jpg)
Simplify Access to Microsoft SharePoint and SaaS Applications with Novell® Access Manager™
Lloyd Burch, Distinguished Engineer, Novell / [email protected]
Eduardo Barragan, Senior Engineer, Novacoast / [email protected]
![Page 2: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/2.jpg)
© Novell, Inc. All rights reserved.
Novell® Access Manager™ Federation Overview
• What does Novell Access Manager Do?
– Access Control to Protected Resources
– Authentication
> Name Password, X509, Smart Cards, Kerberos, Others
– Federation
> Liberty, SAML 1.x, SAML 2.0, WS-Fed, CardSpace
> Identity Provider (Builds Tokens)
> Relying Party / Service Provider (Uses Tokens)
> Manages Trust
– SSL-VPN
> Secure external access
![Page 3: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/3.jpg)
Novell® Access Manager™ Federation Overview
• What is Federation?
– Established trust between two parties (IDP/SP)
> How will IDP authenticate?
> What claims/attributes can be exchanged?
> What identifier will be used to identify user account at SP?
> Is automatic provisioning of an account needed?
– How does it work?
> Administrator defined – IDP sends transparent authentication
> User links accounts – Requests authentication
> Open standards define the rules for how this is done
> There can be many trusted providers or consumers of Identity
![Page 4: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/4.jpg)
Simple Federated Identity
(Diagram: ZZYZX Car Rental as Identity Provider, ABC Travel as Service)
1 – Request Service and Get Requirements
2 – Get Attested Identity Token
3 – Set Token and Receive Service
![Page 5: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/5.jpg)
User-Driven Identity
(Diagram: a Web Service receives a Login Request backed by My Local Identity, which draws on My Family Identity, My Hobby Identity and My Employer Identity)
- Novell claims this is LBurch
- My Hobby Group claims this is Lloyd
- My Family claims this is “Son of Dad”
- Lloyd claims this is Me
![Page 6: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/6.jpg)
Open Standards allow Interoperability
(Diagram: parties connected to each other through Open Standards)
![Page 7: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/7.jpg)
Achieving Cost Savings
• Industry trends enabling Identity Federation
– Open Standards support for identity
– Multiple vendor support
– Oasis and other standards bodies
– Open Source reference code
– Interoperability testing and certification
– Lower cost
– Partners can be added and removed quickly
– Single store front from multiple vendors
– Cost saving by sharing resources
![Page 8: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/8.jpg)
The Cost of Interoperability as Partners Increase
(Chart: cost from $0 to $25 against number of partners from 1 to 4; series: Open standards, Proprietary Code)
![Page 9: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/9.jpg)
Achieving the Vision
• Industry trends enabling Identity Federation
– The role of the firewall is changing
– Outside partners, customers and employees have access
– Applications must be protected from inside attacks
– Firewalls are becoming identity aware
– Increasing bandwidth for devices
– Most devices are connected (work, home, mobile)
![Page 10: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/10.jpg)
SharePoint and Novell® Access Manager™
• What are the components?
• How do they work?
• What is the value to the customer?
![Page 11: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/11.jpg)
SharePoint and Novell® Access Manager™
• WS-Federation is used as the binding protocol to share identities
• ADFS is the connecting point to Microsoft SharePoint
• Access Manager is the connection point to multiple identity stores
• Together single sign-on and shared identity works
![Page 12: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/12.jpg)
SharePoint and Novell® Access Manager™
(Diagram: eDirectory “Employees”, Active Directory “Business Units”, Sun One “Customers” and Active Directory “SharePoint” connect through Novell Access Manager to Microsoft SharePoint; Access Manager transforms LDAP and Federated Identity into ADFS Claims)
• User authenticates to Access Manager (Direct or Federated)
• Access Manager can validate Identities across multiple Identity Stores as well as federated authentication from partners using SAML, WS-Fed or Liberty Alliance
• User accesses SharePoint
• Access Manager transforms LDAP and Federated Identity into claims that are forwarded to Active Directory Federation Services (ADFS)
• SharePoint Administrator – Mr. Happy
• Associates claims to SharePoint Groups
• No need to manage individual identities for all users that need access to SharePoint
• Improved user experience
• Single Sign-On to SharePoint and other web resources protected by Access Manager
Simplified Access to MS SharePoint
![Page 13: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/13.jpg)
SharePoint and Novell® Access Manager™
(Diagram: LDAP Server; Novell Access Manager Identity Server; Legacy Webserver; Novell Access Manager Gateway; ADFS (Windows); SharePoint (Windows); Internal User)
![Page 14: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/14.jpg)
SharePoint and Novell® Access Manager™
(Diagram, annotated with Step A and Step B: LDAP Server; Novell Access Manager Identity Server; Legacy Webserver; Novell Access Manager Gateway; ADFS (Windows); SharePoint (Windows); Internal User)
![Page 15: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/15.jpg)
SharePoint and Novell® Access Manager™
![Page 16: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/16.jpg)
SharePoint and Novell® Access Manager™
• Benefits to the customer
– Novell Access Manager can validate identities across multiple identity stores as well as federated authentication from partners using SAML, WS-Federation or Liberty Alliance
– Non-Active Directory users can use SharePoint
– SharePoint administrator does not need to manage individual identities for all users that need access to SharePoint
– Single sign-on to SharePoint and other web resources protected by Novell Access Manager
– Novell Access Manager policy can control SharePoint access via roles
![Page 17: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/17.jpg)
Demonstration: SharePoint and Novell® Access Manager™
![Page 18: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/18.jpg)
Force.com CRM and Novell® Access Manager™
• Just an example of SaaS vendors embracing industry standards like SAML 2.0
– Salesforce.com offers Federated and Delegated SSO
> Federated is simple, based on SAML 2.0 HTTP-POST profile
» You define NameID
» You create Metadata
» Easy with Access Manager
> Delegated requires Web services to be set up and uses SOAP to authenticate
» You host Web Service
» SOAP call back
– Delegated is not in scope of this presentation
![Page 19: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/19.jpg)
SAML Terms (Security Assertion Markup Language)
• Identity Provider (IDP)
– Producer of assertions
– Novell® Access Manager™
– Usually verifies credentials against LDAP
• Service Provider (SP)
– Consumer of assertions
– Provides the application
– SalesforceCRM is a cloud SP
![Page 20: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/20.jpg)
SAML Terms (Security Assertion Markup Language)
• Metadata
“SAML profiles require agreements between system entities regarding identifiers, binding support and endpoints, certificates and keys, and so forth. A metadata specification is useful for describing this information in a standardized way” - http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
• Assertion (response)
– Synonym to Claim
– A trusted authentication – replaces password with COT
• Name Identifier – NameID
– How to refer to the subject
– Many supported formats
![Page 21: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/21.jpg)
SAML References
Novell - http://www.novell.com/documentation/novellaccessmanager/index.html
Wikipedia - http://en.wikipedia.org/wiki/SAML_2.0 – this is a good overview
OASIS - http://saml.xml.org/saml-specifications and http://docs.oasis-open.org/security/saml/v2.0/ – saml.xml.org is the wiki for the OASIS group which maintains the SAML specifications. The link is to the specifications page.
![Page 22: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/22.jpg)
Authentication Flow
![Page 23: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/23.jpg)
Typical Three Step Process - COT
1. Circle of Trust
• Metadata
– Need to create SP metadata
– Access Manager provides metadata
• X.509 Certificates
– SP does not provide certificate (you can create a self-signed cert)
– IDP should always use SSL, especially since this is HTTP-POST profile
• End points which resolve via DNS
![Page 24: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/24.jpg)
Typical Three Step Process - SP
2. Setup SP side first
• Why?
– The login URL contains specific data to handle NameID and Attribute names
– e.g. https://login.salesforce.com/?saml=MgoTx78aEPXRoZ2hRrHg2wwl5GLiR0qVpDJYXG4e5wzM83LxYv4TgrzVZsOpNK76ItidNdsqihgDsiG2horV_wCGmSN.N1pVNrfRKMIW0QwpMQyrV_QZw94y_TvXB08Jyhi9l32PLM_RH3LQ==
• Have your IDP certificate handy
– Export the signing certificate public key, save in .der format
![Page 25: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/25.jpg)
Typical Three Step Process – SP
• Login to salesforce.com
– [email protected] - Admin user
– Go to Setup > under Administration Setup
– Select Security Controls > Single Sign-On Settings
• Issuer
– https://idpsrv.novacoast.com/nidp/saml2/metadata
• Name ID format
– urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
![Page 26: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/26.jpg)
SP Details
Good Help Reference
![Page 27: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/27.jpg)
SP Details
![Page 28: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/28.jpg)
Typical Three Step Process - IDP
3. Setup IDP – Novell® Access Manager™
• Create Attribute Map
![Page 29: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/29.jpg)
IDP Details
• SP Metadata:
<EntityDescriptor entityID="https://saml.salesforce.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.salesforce.com/?saml=MgoTx78aEPXToZ2hRrHg2wwl5GLiR0qVpDJYXG4e5wzM83LxYv4TgrzVZsOpNK76ItidNdsqIhgDsi2horU_wCGmSM.N1pVNrfRKMIW0QwpMQyrV_QZw94y_TvXB08Oyhi9l32PLM_RH3LQ=="/>
</SPSSODescriptor>
</EntityDescriptor>
![Page 30: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/30.jpg)
IDP Details
Create Trusted Service Provider
![Page 31: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/31.jpg)
IDP Details
Configure Response
![Page 32: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/32.jpg)
IDP Details
Configure Target (Inter-site Transfer URL)
https://idpsrv.novacoast.com/nidp/saml2/idpsend?PID=https://saml.salesforce.com&TARGET=https://na7.salesforce.com/home/home.jsp
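Added example, not part of the slides: building the inter-site transfer URL above with properly encoded PID and TARGET parameters, and restricting TARGET to the trusted SP's own hosts so the IDP-initiated link cannot be pointed at an arbitrary site. The idpsend endpoint and PID/TARGET names are from the slide; the allow-list of hosts is an assumption constructed for this example.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# The idpsend endpoint from the slide. The SP allow-list is an assumption
# constructed for this example: entityID (PID) -> hosts a TARGET may point at.
IDP_SEND = "https://idpsrv.novacoast.com/nidp/saml2/idpsend"
TRUSTED_SPS = {
    "https://saml.salesforce.com": {"na7.salesforce.com", "login.salesforce.com"},
    "google.com": {"www.google.com", "mail.google.com"},
}


def target_is_allowed(pid, target):
    """Only HTTPS targets on the named SP's own hosts are accepted, so the
    IDP-initiated link cannot be used as a redirector to other sites."""
    t = urlparse(target)
    return t.scheme == "https" and t.hostname in TRUSTED_SPS.get(pid, set())


def build_idpsend_url(pid, target):
    """Build the inter-site transfer URL, percent-encoding PID and TARGET so
    the ':', '/', '?' and '&' inside them are not parsed as query separators."""
    if pid not in TRUSTED_SPS:
        raise ValueError(f"unknown service provider: {pid}")
    if not target_is_allowed(pid, target):
        raise ValueError(f"TARGET not allowed for {pid}: {target}")
    return IDP_SEND + "?" + urlencode({"PID": pid, "TARGET": target})


def parse_idpsend_url(url):
    """Recover (PID, TARGET) from an idpsend URL, as the IDP would see them."""
    query = parse_qs(urlparse(url).query)
    return query["PID"][0], query["TARGET"][0]
```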
![Page 33: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/33.jpg)
Demonstration: Salesforce.com CRM and Novell® Access Manager™
![Page 34: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/34.jpg)
Google Apps and Novell® Access Manager™
• Very similar to force.com SSO setup
– Have a look at Neil Cashell's Cool solution on the subject for details
– http://www.novell.com/communities/node/8645/integrating-google-apps-and-novell-access-manager-using-saml2
![Page 35: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/35.jpg)
Google Apps and Novell® Access Manager™
Same three step process
1 - Create COT
– In this case, it's the same as the previous process: the public key of the IDP's signing and encryption certificate is all that's required
2 - Configure SP
– Everything you need for this page is in the IDP metadata
> Login URL
> Logout URL
> Password management URL
3 - Configure IDP (Novell Access Manager)
![Page 36: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/36.jpg)
Google Apps and Novell® Access Manager™
Main Points
Use this metadata, but replace the “Location” attribute. It must contain your domain:
<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/domain/acs" />
</SPSSODescriptor>
</EntityDescriptor>
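As an added example (not Novell, Salesforce or Google code), the following Python parses SP metadata like the Salesforce and Google Apps descriptors shown above and runs the checks an IDP administrator would want before creating the trusted service provider: every AssertionConsumerService must be HTTPS, the Google “domain” placeholder must have been replaced, and an SP that does not request signed assertions is flagged so the IDP signs them anyway. The sample metadata is constructed from the slides, with the long Salesforce saml= token shortened to a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: the Salesforce descriptor from the slides, saml= token shortened.
SALESFORCE_SP_METADATA = """<EntityDescriptor entityID="https://saml.salesforce.com"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.salesforce.com/?saml=PLACEHOLDER_TOKEN"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: the Google Apps template from the slides ("domain" must be replaced).
GOOGLE_SP_METADATA_TEMPLATE = """<EntityDescriptor entityID="google.com"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress </NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/domain/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def google_metadata_for(domain):
    """Fill the Google template's Location placeholder with your Google Apps domain."""
    return GOOGLE_SP_METADATA_TEMPLATE.replace("/a/domain/acs", f"/a/{domain}/acs")


def parse_sp_metadata(xml_text):
    """Extract what the IDP needs for a trusted SP: entityID (PID), NameID formats, ACS URLs."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if root.tag != f"{{{MD_NS}}}EntityDescriptor" or sp is None:
        raise ValueError("not a SAML 2.0 SP EntityDescriptor")
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "nameid_formats": [(e.text or "").strip()
                           for e in sp.findall(f"{{{MD_NS}}}NameIDFormat")],
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")],
    }


def check_sp_metadata(xml_text):
    """Return (errors, warnings): errors block the import, warnings the IDP should override."""
    info = parse_sp_metadata(xml_text)
    errors, warnings = [], []
    if not info["acs"]:
        errors.append("no AssertionConsumerService endpoint")
    for _binding, location in info["acs"]:
        url = urlparse(location or "")
        if url.scheme != "https":  # HTTP-POST profile carries the assertion through the browser
            errors.append(f"ACS is not HTTPS: {location}")
        if "/a/domain/acs" in url.path:
            errors.append("Google Location still contains the 'domain' placeholder")
    if not info["nameid_formats"]:
        errors.append("no NameIDFormat declared")
    if not info["want_assertions_signed"]:
        warnings.append("SP does not require signed assertions; sign them at the IDP anyway")
    return errors, warnings
```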
![Page 37: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/37.jpg)
Google Apps and Novell® Access Manager™
Main Points
The Authentication Response is slightly different from force.com
![Page 38: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/38.jpg)
Demonstration: Google Apps and Novell® Access Manager™
![Page 39: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/39.jpg)
![Page 40: Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications](https://reader033.vdocuments.site/reader033/viewer/2022052823/5553a8e1b4c905d9448b4769/html5/thumbnails/40.jpg)
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.