Universal SSPR: A new edge for Self Service Password Reset
Alban Meunier - SmartWave SA [email protected]
Universal
For end-users, dummies, system integrators, security experts, and you
For OpenLDAP, OpenDJ, AD, any LDAP server, RDBMS, cloud apps, IDM suite, web portals, Prod + Qua + Dev, and your environment
Why SSPR is a must have
Self-Service Password Reset
o People forget passwords
o Unlock user account
o Change required after a compromised password
o Helpdesk costs
o End user satisfaction
o …
And because passwords are still widely used
Self Service Password Reset landscape
A crowded world
Google: About 68,800,000 results
Commercial tools
Open source solutions
Identity Management suites
Access Management suites
Application specific
Bespoke implementations
Why reinvent the wheel?
v Too many small limitations such as
- Q & A not popular
- Multiple user stores (DEV, QUA, PRD, …)
v Outdated implementation design
- Difficult to coexist with BYOD & Domain desktop & VDI
- Reuse existing components (OTP, captcha, ...)
v New needs
- Hybrid infrastructure (cloud based & on premise user stores)
- Large set of technologies coexist
- Audit
- User Interface is a moving world
- Many combinations as unlimited requirements
- ….
Universal SSPR initiative
Why different
v inspired from work-field
- Do what you can with what you have
v full pluggable design
v swiss security culture
v end user experience in mind
v in open source we trust
- Someone else can do better than me
- Share with peers
- Appreciate any feedback
- Governance could be light and open
A quick tour on end user experience
A quick view
A quick view of fat client
The geek corner
Architecture overview
Components review
End user side
v Web based
- Simple UI without technical wording
v Fat client
- Windows Credential provider (based on MS specifications)
- Restricted mouse & keyboard actions allowed
- No local access rights
- No internet access and no cross sites
- Embedded browser (.NET + config)
- SSL required
Zoom in on Windows credential provider
Registry settings under HKEY_LOCAL_MACHINE\SOFTWARE\SmartWave\usspr:
• BrowserAppPath: C:\Program Files\usspr\usspr.exe
• SsprUrl: https://myVerySecuredServer.example.com/usspr
Embedded browser behaviour:
• Internet Explorer runtime version configurable
• Never display script errors
• No contextual menu at the browser level
• Any attempt to open a new browser window is blocked
• Keyboard usage restriction: just allow
  • Copy, Cut, Paste
  • Keyboard text selection using right and left arrows combined with Control and Shift modifiers
Components review
Front end
v Run on secured application server (OWASP)
v Local reverse proxy
v Minimal design and code
v Only 3 error and success messages
v HTML → REST
v “just” a REST consumer
v No settings about targets
Components review
Middleware 1
v Run on secured application server (OWASP)
v Local reverse proxy and API gateway
v Business logic
v Configuration file and no hard code
v REST calls ONLY
v Call 3rd party components
v Call intermediates to targets but no target config
v Audit trail
Middleware Config file
```json
…
"identitysources": [
  {
    "id": "WIN_DOMAIN",
    "primary_email": "NO",
    "primary_usrid": "YES",
    "pwd_policy": "01",
    "reset_disabled": "YES",
    "reset_expired": "YES",
    "reset_locked": "YES",
    "rest_url": "https://dc1.int.example.com:8443",
    "rest_path": "/rest2ldap_AD1/users/",
    "source_description": "AD Integration",
    "source_type": "Active Directory",
    "technical_account_id": "sspruser",
    "technical_account_pwd": "Pwd-123!",
    "userfilter_att": "samaccountName"
  },
  {
    "id": "OPENDJ",
    ….
"captchaserver": {
  "id": "google",
  "url": "https://www.google.com",
  "path": "/recaptcha/api/siteverify",
  "secret": "fmn6LdJogUTABC007rosqGpfI8cjECuXLzYcsP15EG"
},
"otpserver": {
  "id": "oam13",
  "url": "https://ssprlabcore01.cloudapp.net:8040",
  "path": "/oam13/json/users/"
},
"pwdpolicies": {
  "max_length": 14,
  "min_digits": 4,
  "min_length": 6,
  "min_lowercase": "",
  "min_specialchars": 1,
  "min_uppercase": 1,
  "supported_chars": ""
},
"logging": {
  "appender.stdout": "org.apache.log4j.Cons
```
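As an added example (not code from the deck or the project), the password-policy check a middleware would need in order to enforce the pwdpolicies block above, plus the way an identity source's rest_url and rest_path are combined into the Rest2LDAP user URL. It runs against a constructed excerpt of the config shown on the slide with the technical account credentials left out, and assumes that an empty string in a policy field means the rule is not enforced.

```python
from urllib.parse import quote

# Constructed excerpt mirroring the identitysources and pwdpolicies blocks of the
# middleware config shown above (technical account credentials omitted on purpose).
CONFIG = {
    "identitysources": [
        {"id": "WIN_DOMAIN", "pwd_policy": "01", "source_type": "Active Directory",
         "rest_url": "https://dc1.int.example.com:8443",
         "rest_path": "/rest2ldap_AD1/users/"},
    ],
    "pwdpolicies": {"max_length": 14, "min_digits": 4, "min_length": 6,
                    "min_lowercase": "", "min_specialchars": 1,
                    "min_uppercase": 1, "supported_chars": ""},
}

def _threshold(policy, key):
    """Assumption: an empty string in the config means the rule is not enforced."""
    value = policy.get(key, "")
    return int(value) if value != "" else 0

def check_password(candidate, policy):
    """Return the names of the policy rules the candidate breaks ([] = compliant)."""
    failures = []
    if len(candidate) < _threshold(policy, "min_length"):
        failures.append("min_length")
    max_len = _threshold(policy, "max_length")
    if max_len and len(candidate) > max_len:
        failures.append("max_length")
    counts = {
        "min_digits": sum(c.isdigit() for c in candidate),
        "min_lowercase": sum(c.islower() for c in candidate),
        "min_uppercase": sum(c.isupper() for c in candidate),
        "min_specialchars": sum(not c.isalnum() for c in candidate),
    }
    for key, seen in counts.items():
        if seen < _threshold(policy, key):
            failures.append(key)
    allowed = policy.get("supported_chars", "")
    if allowed and any(c not in allowed for c in candidate):
        failures.append("supported_chars")
    return failures

def user_endpoint(config, source_id, user_id):
    """URL of the Rest2LDAP intermediate for one identity source; the user id is
    percent-encoded so it cannot append path segments of its own."""
    sources = {s["id"]: s for s in config["identitysources"]}
    src = sources[source_id]  # KeyError for an unknown source id: nothing is called
    return src["rest_url"] + src["rest_path"] + quote(user_id, safe="")
```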
Components review
3rd party components
v Captcha
v SMS OTP
v OATH
v Mail server
v ….
Components review
Intermediate(s) to target(s)
v The only place for targets configuration
v REST over HTTPS → native protocol
v Located on the most suitable server
- middleware server
- dedicated server
- target server
Components review
Targets
v LDAP directory
v Active directory
v Data base
v Identity Management
v Access management
v Business API
v Multi environments
v ...
Implementation details
| Component | Implementation 1 | Implementation 2 |
|---|---|---|
| Client | Windows 7 32 bits, Windows 7 64 bits | Windows 8.1 64 bits |
| Front end | Tomcat, ForgeRock OpenIG, Sencha ExtJS | Jetty, Axway API Gateway, AngularJS |
| Middleware | Tomcat, ForgeRock OpenIG, Groovy scripts, log4j | Jetty, Axway API Gateway, Axway API policies |
| 3rd party | Google ReCaptcha, ForgeRock OpenAM (OTP) | Axway API Gateway |
| Intermediate to target | ForgeRock Rest2Ldap | ForgeRock Rest2Ldap |
| Targets | Active Directories, ForgeRock OpenDJ | Active Directories, ERP |
Current Project status
Some delay to start the community
v Pilot in progress
v New requirements
- Captcha bespoke
- localization
v Documentation in draft with missing parts
v Pending legal & strategic decisions on moving to open-source
Roadmap = Todo list
v Fat client
- Windows 8
v Front end
- Localized Sencha apps
- Other technologies when “nothing” on client side
v Middleware
- Improve Groovy scripts for ForgeRock OpenAM (unlock, ...)
- Configuration for other API gateway
- Logger improvement
v New features
- Change password (and not only reset password)
- Forgot username
Roadmap = Wish list
Fat client
v Windows 10, OSX, Linux
3rd party components
v Verification of a unique code / OTP (REST service)
v Mail 2 SMS gateway (TBD)
v Captcha (REST service)
v Audit/Reporting (TBD)
REST2native gateway
v REST2LDAP (from various origins)
v REST2SQL
v REST2SOAP
v REST2REST
Packaging
v Wizard (HowTo, install/config tools)
Contributors
The original contributors are
v City of Lausanne
v SmartWave
v Private Swiss insurance
v United Nations
All of You are Welcome
v Personal interest, university projects, corporate program
v Developers front-end, back-end, middleware
v Integrators, security officers, testers
v End users
License
Collaboration spirit: Each user is invited to contribute
v No money
v Intensive & extensive tests and feedback
v Doc review
v Code review (security check & fixes, comment, ...)
v Extensions
Get it
What is provided: a full working solution
v The core: API definitions between front and middleware, configuration file
v Windows Credential providers (source, exe as example)
v Example of web front based on Sencha ExtJS
v Groovy scripts for ForgeRock OpenIG
v Configuration file for ForgeRock Rest2LDAP
v Documentation (architecture, HowTo)
v Interfaces and config for 3rd party (no limit)
What cannot be provided
v JRE, JDK
v Apache Tomcat
v ForgeRock OpenAM, OpenIG, OpenDJ, Rest2LDAP
v Microsoft Active Directory
v ...
Get it
Google group (temporary hosting): http://shortlinks.smartwavesa.com/usspr
Waiting for legal decision (expected to come soon …)
New hosting (source, bin, forum, wiki, wish list, …) for smooth collaboration
Conclusion
v Security, security, security
v Innovative pluggable design
v Integration and evolution
v Extensive collaboration ready
v Professional services on request ($)
See you soon on
Mail: [email protected]
Group: http://shortlinks.smartwavesa.com/usspr