(ATS4-PLAT09) Kerberos & SAML with Accelrys Enterprise Platform 9.0


Published on

In the past, users have authenticated with Pipeline Pilot by providing a username and password. Starting with 8.5 and continuing with 9.0 we now support additional authentication mechanisms such as Kerberos and SAML. Both Kerberos and SAML can provide a Single Sign On capability; SAML also provides the ability to run secure SOAP web services. This session will detail the current state of support for Kerberos and SAML in AEP 9.0 and discuss future enhancements.

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

(ATS4-PLAT09) Kerberos & SAML with Accelrys Enterprise Platform 9.0

  1. 1. (ATS4-PLAT09) Kerberos and SAMLwith Accelrys Enterprise Platform 9.0 Jon Hurley Senior Manager, Platform R&D Jon.Hurley@accelrys.com
  2. 2. The information on the roadmap and future software development efforts areintended to outline general product direction and should not be relied on in makinga purchasing decision.
  3. 3. Security in AEP 9.0• (ATS-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0 – Discussion of authorization enhancements in AEP 9.0• New Authentication Methods – Kerberos – SAML • Sender Vouches – Why?
  4. 4. I am NOT a security expert
  5. 5. What is Kerberos?• Kerberos is ticket based authentication baked into the Operating System – Many components (e.g. Web Browsers) are able to transmit Kerberos tickets • Provides Single Sign On – if you are already signed on to the browser, the Kerberos ticket can log you in to another system – The server requests an ‘authentication negotiation’ with the browser • If the browser (and OS account) is appropriately configured, a Kerberos ticket can be transmitted in response
  6. 6. Kerberos Sequence Diagram
  7. 7. Support for Kerberos/SPNEGO• In the AEP 8.5 release, Kerberos authentication was only supported on Windows Servers – The authentication method was termed WIA (Windows Integrated Authentication) – The mechanism used to perform the authentication is termed SPNEGO which allows authentication with Kerberos tickets • On Windows, NTLM can also be used with SPNEGO – Kerberos requires clients that support SPNEGO: • Web browsers: IE, Firefox, Chrome • SDKs: .NET Client SDK, JavaScript Client SDK, RunProtocol • Not supported: other SDKs (Java) or Pipeline Pilot client
  8. 8. Enhanced support for Kerberos/SPNEGO• Additional Kerberos support in AEP 9.0 – Delegation on Windows using Full Impersonation • If your AEP server is configured for Full Impersonation and if your Kerberos realm (e.g. Active Directory) is configured to allow Delegation, this is supported through Pipeline Pilot – Protocols can use their Kerberos token to connect to other Kerberized resources (e.g. UNC files, HTTP services, SQL Server databases) – Delegation with Restricted Impersonation is planned
  9. 9. Enhanced support for Kerberos/SPNEGO• Kerberos Authentication on Linux – Kerberos authentication is now supported on Linux – We do NOT support delegation in AEP 9.0 • Just Kerberos Authentication on Linux
  10. 10. Kerberos Configuration• On the authentication page, enable SPNEGO
  11. 11. Demo
  12. 12. Kerberos Client Configuration – Internet Explorer• Internet Explorer – Add the server as a trusted site (Tools > Internet Options > Security > Trusted Sites > Custom Level > User Authentication > Logon). – Select Automatic logon with current user name and password. – If your server is already part of the Local Intranet, select Automatic logon only in Intranet zone. – These settings may be provided by IT using a group policy
  13. 13. Kerberos Client Configuration – Firefox – Browse to "about:config" and add the server names to the following preferences: • network.negotiate-auth.trusted-uris • network.negotiate-auth.delegation-uris – If wish to support delegation on AEP server
  14. 14. SAML Support• SAML is Security Assertions Markup Language• Commonly associated to SOAP services• SAML Sender Vouches Sender Confirmation – Web Services securely calling AEP – AEP securely calling SAML protected Web Services• Externalization – SAML allows federation of multiple Identify Providers (IdP)
  15. 15. SAML Sender Vouches - Outbound Clients AEP Server Other Web Server http(s) http(s) Browse r Kerberos WebLog Container Service IE, FF, SAML AEP SAML ic Chrome Kerberos 9.0 Server Username Form Based Serv Token er Other SDK Custom Server Basic Cookie Clients Token CALPP, NALPP, JALPP 15
  16. 16. SAML Sender Vouches - Outbound• AEP Protocol securely calling a SAML protected web service – Need to create our SAML Certificate used to self-sign our outbound SAML Sender Vouches messages – We use the AEP server’s SSL Certificate – Use the Security > SAML Certificates admin portal page – Click the Import KeyPair button to store the SSL Certificate as the SAML Certficate • AEP 9.0 self-signs all outbound Sender Vouches messages (does not use an external IdP for message signing)
  17. 17. SAML Sender Vouches – Outbound: SOAP Connector• Call the service with the SOAP Connector – Set the Token Type parameter to ‘SAML 2.0 Sender Vouches’ • Coming by 9.0 – support for a policy engine (map to a ws-policy file)
  18. 18. SAML Sender Vouches - Outbound
  19. 19. SAML Sender Vouches - Inbound Clients Other Web Server AEP Server http(s) http(s) Browse r WebLo Container AEP SAML SAML IE, FF, Service Chrome Kerberos gic Kerberos 9.0 Username Server Form Serv Based Custom Other er Other Cookie Basic Server Clients 19
  20. 20. SAML Sender Vouches - Inbound• Web Services securely calling AEP – Need to import a certificate from the outside web service agent so that we trust it • Use the Security > SAML Certificates admin portal page • Click the Import button on the Available Certificates grid and paste in the server’s SAML Certificate – Optionally specify one or more SAML Issuer Ids to restrict this certificate to certain services – If none specified, any service using this certificate will be supported
  21. 21. SAML Sender Vouches - Inbound
  22. 22. SAML Sender Vouches – Example Protocol• Example protocol that demonstrates an outbound/inbound round trip – The Protocol uses the SOAP Connector to make an Outbound SAML Sender Vouches call to an Inbound SAML Sender Vouches endpoint – This Inbound endpoint is a SAML protected web service on the same AEP server that runs a protocol echoing the request
  23. 23. SAML Sender Vouches – Example Protocol
  24. 24. SAML Sender Vouches – SOAP Request Packet…
  25. 25. SAML Sender Vouches – SOAP Request Packet (Body)<soap-env:Body> <ns1:echo> <hello>jhurley</hello> </ns1:echo></soap-env:Body>
  26. 26. SAML Sender Vouches – SOAP Response Packet<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:examples:soap:echoservice" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Body> <echoResponse xmlns="urn:examples:soap:echoservice"> <return>jhurley</return> </echoResponse> </soapenv:Body></soapenv:Envelope>
  27. 27. SAML Sender Vouches – Example Protocol• Results from the protocol – Successful execution echoing the username (SAML assertion)TestResult PassedechoResponse/return jhurley
  28. 28. WSDL-First Protocols• This example calls the Echo Service protocol – This is an example of a WSDL-First protocol – As a user, create the WSDL file and then your protocol is designed to operate with a SOAP packet conforming to that WSDL – Invoke the protocol with a suitable SOAP URL: • $(ServerRoot)/wsse/wservice/{Full Path of Protocol} – The framework validates the request and passes in the contents of the soap- env:body element as a global property xmldocin: <ns1:echo> <hello>jhurley</hello> </ns1:echo>
  29. 29. WSDL First Protocols• Using an XML Reader and the setting ‘Properties Are: Leaf Elements’ results in this data record
  30. 30. Summary• AEP 9.0 supports Kerberos SSO and SAML Sender Vouches• Communicate with us – let us know what authentication providers are important now and in the future• Forthcoming documentation on configuring protocols as WSDL-first Web Services• (ATS-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0