eunice mondésir pierre weill-tessier 1 federated identity with ping federate project supervisor: m....
TRANSCRIPT
1
Eunice Mondésir Pierre Weill-Tessier
Federated Identity withFederated Identity withPing FederatePing Federate
Project Supervisor: M. Maknavicius-Laurent
ASR Coordinator: G. Bernard
ASR Final Project February 7th, 2007
--------------------------------------------
Eunice Mondésir
Pierre Weill-Tessier
--------------------------------------------
2
Eunice Mondésir Pierre Weill-Tessier
Agenda
1. Introduction
2. Federated Identity concepts
3. Presentation of Ping Federate server
4. Platform implementation
5. Demonstrations
6. Conclusion
Introduction
Federated Identity Concepts
5
Eunice Mondésir Pierre Weill-Tessier
Federated Identity concepts
1. Why Federated Identity?
2. What is Federated Identity?
3. Participants of Circle of Trust
4. Single Sign On and Single Log Out
5. SAML langage
6
Eunice Mondésir Pierre Weill-Tessier
1. Why federated identity?
Federated Identity Concepts
7
Eunice Mondésir Pierre Weill-Tessier
1. Why federated identity?
Multiple authentication parameters Heterogeneous authentification and access
control methods No control on personal information’s exhibition Need for easier and faster acces to services
Federated Identity Concepts
8
Eunice Mondésir Pierre Weill-Tessier
2. What is federated identity?
Set of agreements, standards and technologies Trust relationships between organizations
Integrity and privacy perserved Independance of organizations
Federated Identity Concepts
9
Eunice Mondésir Pierre Weill-Tessier
3. Circle of Trust (CoT) participants
Service Provider (SP): Provides one or more services within a federation Access control policy
Identity Provider (IdP): Creates, maintains, manages identity information user must authenticate at an IdP recognized by a SP
Federated Identity Concepts
10
Eunice Mondésir Pierre Weill-Tessier
3. Circle of Trust (CoT) participants
Circle of trust: Federation of IdP and SP Business relationships Operational agreements Secured communication
channels Seamless environment
Federated Identity Concepts
CoT
IdP
SP
SP
SP
SP
SP
SP
11
Eunice Mondésir Pierre Weill-Tessier
4.SSO and SLO
Liberty alliance
Single Sign On (SSO): Sign on once at a site (single account) Seamless signed-on for other sites No extra authentication SP both within and across circles of trusts
Single Log Out (SLO): Synchronized session logout All sessions authenticated by an IdP closed
Federated Identity Concepts
12
Eunice Mondésir Pierre Weill-Tessier
5. SAML (Security Assertion Markup Langage)
XML standard developped by OASIS
Exchanging authentication & authorization data between security domains (IdP and SP)
SSO solution beyond the intranet
Exchange of assertions between IdP and SP
Federated Identity Concepts
Presentation of Ping Federate
14
Eunice Mondésir Pierre Weill-Tessier
Presentation of Ping Federate server
1. How does Ping Federate work ?
2. Communication tools of Ping Federate
15
Eunice Mondésir Pierre Weill-Tessier
1. How does Ping Federate work ?
Server that passes identities between CoTs
Distinction between two roles: IdP and SP Both roles can be combined
Ping Federate does not interfere with local usage of the application
Presentation of Ping Federate server
16
Eunice Mondésir Pierre Weill-Tessier
2. Communication tools in PF server
different environments: how communicate? Ping Federate provides Integration Toolkits**
Application or IdM
X
programming
language
PF Token
agent adapter
SAML
Presentation of Ping Federate server
Plateform Implementation
18
Eunice Mondésir Pierre Weill-Tessier
Platform Implementation
1. Needs
2. LDAP
3. Postfix
4. Tomcat
5. Ping Federate server
19
Eunice Mondésir Pierre Weill-Tessier
1. Needs
Applications often interacts with a database for authentication
Ping Federate server asks for parameters of a mail server to send notification mail
Ping Federate’s sample application runs on Tomcat Application Server
Platform Implementation
20
Eunice Mondésir Pierre Weill-Tessier
2. LDAP
Why this protocol ? LDAP adapter proposed by PF Authentication to IdPs via pop-up window
Our configuration: Server OpenLDAP Client LDAPBrowser to check our entries Simple tree: root + inetOrgPerson class instances
Platform Implementation
21
Eunice Mondésir Pierre Weill-Tessier
dn: o=INT,c=FR
dn: cn=Eunice, o=INT, c=FR
dn: cn=Pierre, o=INT, c=FR
2. LDAP
Example of LDAP Tree:
Attributes we used: cn, sn mail, userPassword title
Platform Implementation
22
Eunice Mondésir Pierre Weill-Tessier
3. Postfix
Why ? mail server working on Linux O.S “Lighter” configuration than Sendmail
No database associated : only one user ! [email protected] [email protected] is a “fake” address used for the
notification only.
IMAP server as a MDA
Platform Implementation
23
Eunice Mondésir Pierre Weill-Tessier
4. Tomcat
Why ? Required applications server to test the samples Multi-technologies support server (jsp, html)
Identification tools: Double authentication based on Role and Login Default configuration LDAP-using configuration JNDI
Platform Implementation
24
Eunice Mondésir Pierre Weill-Tessier
4. Tomcat
Key configuration files server.xml: defines the database connection web.xml: defines the security constraint
Platform Implementation
25
Eunice Mondésir Pierre Weill-Tessier
5. Ping Federate
Standalone web administration https://cubitus.int-evry.fr:9999/pingfederate/app Support of multi-account administration Modifiable role selection (IdP, SP or both)
Ease of management Server configuration Partner configuration
Platform Implementation
26
Eunice Mondésir Pierre Weill-Tessier
5. Ping Federate
Server settings Local settings
Base URL: where reaching the server ? Federation Info: choice of technologies Entity ID / realm: outside Ping Federate
alias IdP/SP events: systematic redirections
Platform Implementation
27
Eunice Mondésir Pierre Weill-Tessier
5. Ping Federate
Server settings Local settings IdP/SP adapters management Data Store management Metadata export
Platform Implementation
28
Eunice Mondésir Pierre Weill-Tessier
5. Ping Federate
Partner settings’ connections IdP connections = we are SP SP connections = we are IdP
SP affiliations = 2+ partners’ Federation
According to partners’ configuration
= Each CoT defines its policy independently
Platform Implementation
Demonstrations
30
Eunice Mondésir Pierre Weill-Tessier
Test Platform implementation
1. Before Ping Federate servers
2. Simplification
3. Ping Federate servers setting-up
4. IdP initiated SSO with ITAM
5. SP initiated SSO with ITAM
6. SP initiated SSO with LDAP adapter
31
Eunice Mondésir Pierre Weill-Tessier
1. Before Ping Federate servers
INT CoT
IdM S1S2S3
INT Services
ITAM CoT
S1S2S3
ITAM Services
IdM
Connection to INT services within INT
32
Eunice Mondésir Pierre Weill-Tessier
1. Before Ping Federate servers
INT CoT
IdM S1S2S3
INT Services
ITAM CoT
S1S2S3
ITAM Services
IdM
Connection to INT services from outside INT
33
Eunice Mondésir Pierre Weill-Tessier
1. Before Ping Federate servers
INT CoT
IdM S1S2S3
INT Services
ITAM CoT
S1S2S3
ITAM Services
IdM
Connection to ITAM services within INT or from outside INT
not possible
34
Eunice Mondésir Pierre Weill-Tessier
INT CoT
ITAM CoT
2. Simplification
IdM S1S2S3
INT Services
S1S2S3
ITAM Services
IdM
S1
S1IdM
IdM
•All aplications hosted by tomcat server
•Authentcation files serving as database
35
Eunice Mondésir Pierre Weill-Tessier
3. PF servers setting up
•For INT CoT: only one PF server (IdP and SP server)
•For ITAM CoT: two PF servers, one IdP and one SP
INT CoT
IdMS1
ITAM CoT
S1
IdM
IdP &
SP
cubitus
SP
titania
IdP
oberon
36
Eunice Mondésir Pierre Weill-Tessier
ITAM CoT
S1
IdM
SP
titania
IdP
oberon
4. IdP initiated SSO with ITAM
INT CoT
IdMS1
SSO SAML 2.0
Sarah connected to S1 without having
passed by ITAM IdM
Sarah
IdP
cubitus
37
Eunice Mondésir Pierre Weill-Tessier
ITAM CoT
S1
IdM
5. SP initiated SSO with ITAM
INT CoT
IdMS1
IdP
cubitus
SP
titania
IdP
oberon
Bob
SAML 2.0
SAML 2.0
SSO
38
Eunice Mondésir Pierre Weill-Tessier
ITAM CoT
S1
IdM
6. SP initiated SSO with LDAP adapter
S1
IdP
cubitus
SP
titania
IdP
oberon
Sam SAML 2.0
INT IdP interaction with LDAP directory via a pop-up window
LDAP
IdM
LDAP adapter standard adapter
SSO
INT CoT
SAML 2.0
Conclusion
40
Eunice Mondésir Pierre Weill-Tessier
What remains to do ? Adapt INTest with Ping Federate (Token) Test Multi-partners federation Perform tests on security and privacy
Other solutions ? Microsoft CardSpace (.NET) WS-Federation Servers (Sun One Identity Server, IBM Tivoli,
Microsoft ADFS…)
Conclusion
41
Eunice Mondésir Pierre Weill-Tessier
Thanks for your attentionThanks for your attention
Questions ?Questions ?