eunice mondésir pierre weill-tessier 1 federated identity with ping federate project supervisor: m....

1

Eunice Mondésir Pierre Weill-Tessier

Federated Identity withFederated Identity withPing FederatePing Federate

Project Supervisor: M. Maknavicius-Laurent

ASR Coordinator: G. Bernard

ASR Final Project February 7th, 2007

--------------------------------------------

Eunice Mondésir

Pierre Weill-Tessier

--------------------------------------------

2


Agenda

1. Introduction

2. Federated Identity concepts

3. Presentation of Ping Federate server

4. Platform implementation

5. Demonstrations

6. Conclusion

Introduction

Federated Identity Concepts

5


Federated Identity concepts

1. Why Federated Identity?

2. What is Federated Identity?

3. Participants of Circle of Trust

4. Single Sign On and Single Log Out

5. SAML langage

6


1. Why federated identity?


7


1. Why federated identity?

Multiple authentication parameters Heterogeneous authentification and access

control methods No control on personal information’s exhibition Need for easier and faster acces to services


8


2. What is federated identity?

Set of agreements, standards and technologies Trust relationships between organizations

Integrity and privacy perserved Independance of organizations


9


3. Circle of Trust (CoT) participants

Service Provider (SP): Provides one or more services within a federation Access control policy

Identity Provider (IdP): Creates, maintains, manages identity information user must authenticate at an IdP recognized by a SP


10


3. Circle of Trust (CoT) participants

Circle of trust: Federation of IdP and SP Business relationships Operational agreements Secured communication

channels Seamless environment


CoT

IdP

SP

SP

SP

SP

SP

SP

11


4.SSO and SLO

Liberty alliance

Single Sign On (SSO): Sign on once at a site (single account) Seamless signed-on for other sites No extra authentication SP both within and across circles of trusts

Single Log Out (SLO): Synchronized session logout All sessions authenticated by an IdP closed


12


5. SAML (Security Assertion Markup Langage)

XML standard developped by OASIS

Exchanging authentication & authorization data between security domains (IdP and SP)

SSO solution beyond the intranet

Exchange of assertions between IdP and SP


Presentation of Ping Federate

14


Presentation of Ping Federate server

1. How does Ping Federate work ?

2. Communication tools of Ping Federate

15


1. How does Ping Federate work ?

Server that passes identities between CoTs

Distinction between two roles: IdP and SP Both roles can be combined

Ping Federate does not interfere with local usage of the application


16


2. Communication tools in PF server

different environments: how communicate? Ping Federate provides Integration Toolkits**

Application or IdM

X

programming

language

PF Token

agent adapter

SAML


Plateform Implementation

18


Platform Implementation

1. Needs

2. LDAP

3. Postfix

4. Tomcat

5. Ping Federate server

19


1. Needs

Applications often interacts with a database for authentication

Ping Federate server asks for parameters of a mail server to send notification mail

Ping Federate’s sample application runs on Tomcat Application Server


20


2. LDAP

Why this protocol ? LDAP adapter proposed by PF Authentication to IdPs via pop-up window

Our configuration: Server OpenLDAP Client LDAPBrowser to check our entries Simple tree: root + inetOrgPerson class instances


21


dn: o=INT,c=FR

dn: cn=Eunice, o=INT, c=FR

dn: cn=Pierre, o=INT, c=FR

2. LDAP

Example of LDAP Tree:

Attributes we used: cn, sn mail, userPassword title


22


3. Postfix

Why ? mail server working on Linux O.S “Lighter” configuration than Sendmail

No database associated : only one user ! [email protected] [email protected] is a “fake” address used for the

notification only.

IMAP server as a MDA


23


4. Tomcat

Why ? Required applications server to test the samples Multi-technologies support server (jsp, html)

Identification tools: Double authentication based on Role and Login Default configuration LDAP-using configuration JNDI


24


4. Tomcat

Key configuration files server.xml: defines the database connection web.xml: defines the security constraint


25


5. Ping Federate

Standalone web administration https://cubitus.int-evry.fr:9999/pingfederate/app Support of multi-account administration Modifiable role selection (IdP, SP or both)

Ease of management Server configuration Partner configuration


26


5. Ping Federate

Server settings Local settings

Base URL: where reaching the server ? Federation Info: choice of technologies Entity ID / realm: outside Ping Federate

alias IdP/SP events: systematic redirections


27


5. Ping Federate

Server settings Local settings IdP/SP adapters management Data Store management Metadata export


28


5. Ping Federate

Partner settings’ connections IdP connections = we are SP SP connections = we are IdP

SP affiliations = 2+ partners’ Federation

According to partners’ configuration

= Each CoT defines its policy independently


Demonstrations

30


Test Platform implementation

1. Before Ping Federate servers

2. Simplification

3. Ping Federate servers setting-up

4. IdP initiated SSO with ITAM

5. SP initiated SSO with ITAM

6. SP initiated SSO with LDAP adapter

31



INT CoT

IdM S1S2S3

INT Services

ITAM CoT

S1S2S3

ITAM Services

IdM

Connection to INT services within INT

32



INT CoT

IdM S1S2S3

INT Services

ITAM CoT

S1S2S3

ITAM Services

IdM

Connection to INT services from outside INT

33



INT CoT

IdM S1S2S3

INT Services

ITAM CoT

S1S2S3

ITAM Services

IdM

Connection to ITAM services within INT or from outside INT

not possible

34


INT CoT

ITAM CoT

2. Simplification

IdM S1S2S3

INT Services

S1S2S3

ITAM Services

IdM

S1

S1IdM

IdM

•All aplications hosted by tomcat server

•Authentcation files serving as database

35


3. PF servers setting up

•For INT CoT: only one PF server (IdP and SP server)

•For ITAM CoT: two PF servers, one IdP and one SP

INT CoT

IdMS1

ITAM CoT

S1

IdM

IdP &

SP

cubitus

SP

titania

IdP

oberon

36


ITAM CoT

S1

IdM

SP

titania

IdP

oberon

4. IdP initiated SSO with ITAM

INT CoT

IdMS1

SSO SAML 2.0

Sarah connected to S1 without having

passed by ITAM IdM

Sarah

IdP

cubitus

37


ITAM CoT

S1

IdM

5. SP initiated SSO with ITAM

INT CoT

IdMS1

IdP

cubitus

SP

titania

IdP

oberon

Bob

SAML 2.0

SAML 2.0

SSO

38


ITAM CoT

S1

IdM

6. SP initiated SSO with LDAP adapter

S1

IdP

cubitus

SP

titania

IdP

oberon

Sam SAML 2.0

INT IdP interaction with LDAP directory via a pop-up window

LDAP

IdM

LDAP adapter standard adapter

SSO

INT CoT

SAML 2.0

Conclusion

40


What remains to do ? Adapt INTest with Ping Federate (Token) Test Multi-partners federation Perform tests on security and privacy

Other solutions ? Microsoft CardSpace (.NET) WS-Federation Servers (Sun One Identity Server, IBM Tivoli,

Microsoft ADFS…)

Conclusion

41


Thanks for your attentionThanks for your attention

Questions ?Questions ?

eunice mondésir pierre weill-tessier 1 federated identity with ping federate project supervisor: m....

Documents

sp federated identity

server slide

introduction slide

conclusion slide

identity information

saml langage slide

federate work

federation of idp