Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications
Identity federation has become the standard method for delivering access to services across organizational boundaries. More recently, federation has become the preferred method for managing user access within Microsoft SharePoint environments.
In this session, you will get an overview of the federation capabilities in Novell Access Manager. Specifically, the presenters will provide an introduction to identity federation, cover basic setup and configuration, and show you how to enable federated access to Microsoft SharePoint and Google applications. No previous knowledge of federation standards is required for this session.


Transcript

  • 1. Simplify Access to Microsoft SharePoint and SaaS Applications with Novell Access Manager. Lloyd Burch, Distinguished Engineer, Novell (lburch@novell.com); Eduardo Barragan, Senior Engineer, Novacoast (ebarragan@novacoast.com)
  • 2. Novell Access Manager Federation Overview
      What does Novell Access Manager do?
      – Access control to protected resources
      – Authentication: name/password, X.509, smart cards, Kerberos, others
      – Federation: Liberty, SAML 1.x, SAML 2.0, WS-Fed, CardSpace
        > Identity Provider (builds tokens)
        > Relying Party / Service Provider (uses tokens)
        > Manages trust
      – SSL-VPN: secure external access
      © Novell, Inc. All rights reserved.
  • 3. Novell Access Manager Federation Overview
      What is federation?
      – Established trust between two parties (IDP/SP)
        > How will the IDP authenticate?
        > What claims/attributes can be exchanged?
        > What identifier will be used to identify the user account at the SP?
        > Is automatic provisioning of an account needed?
      – How does it work?
        > Administrator defined: the IDP sends a transparent authentication
        > User links accounts: the user requests authentication
        > Open standards define the rules for how this is done
        > There can be many trusted providers or consumers of identity
  • 4. Simple Federated Identity
      [Diagram: ZZYZX Car Rental (Identity Provider) and ABC Travel Service. 1 – Request service and get requirements; 2 – Get attested identity token; 3 – Set token and receive service]
  • 5. User-Driven Identity
      [Diagram: My Employer Identity, My Hobby Identity, My Family Identity and My Local Identity feeding a login request to a web service. Novell claims this is LBurch; My Hobby Group claims this is Lloyd; My Family claims this is "Son of Dad"; Lloyd claims this is Me]
  • 6. Open Standards allow Interoperability
      [Diagram: parties connected through open standards]
  • 7. Achieving Cost Savings
      Industry trends enabling identity federation
      – Open standards support for identity
      – Multiple vendor support
      – OASIS and other standards bodies
      – Open source reference code
      – Interoperability testing and certification
      – Lower cost
      – Partners can be added and removed quickly
      – Single store front from multiple vendors
      – Cost saving by sharing resources
  • 8. The Cost of Interoperability as Partners Increase
      [Chart: cost in $ (0 to 25) against number of partners (1 to 4); series: open standards, proprietary code]
  • 9. Achieving the Vision
      Industry trends enabling identity federation
      – The role of the firewall is changing
      – Outside partners, customers and employees have access
      – Applications must be protected from inside attacks
      – Firewalls are becoming identity aware
      – Increasing bandwidth for devices
      – Most devices are connected (work, home, mobile)
  • 10. SharePoint and Novell Access Manager
      – What are the components?
      – How do they work?
      – What is the value to the customer?
  • 11. SharePoint and Novell Access Manager
      – WS-Federation is used as the binding protocol to share identities
      – ADFS is the connecting point to Microsoft SharePoint
      – Access Manager is the connection point to multiple identity stores
      – Together, single sign-on and shared identity work
  • 12. SharePoint and Novell Access Manager: Simplified Access to MS SharePoint
      [Diagram: eDirectory "Employees", Active Directory "Business Units" and Sun One "Customers" feed Novell Access Manager, which transforms LDAP and federated identity into ADFS claims; ADFS and Microsoft Active Directory "SharePoint" sit in front of SharePoint]
      – User authenticates to Access Manager (direct or federated)
      – Access Manager can validate identities across multiple identity stores as well as federated authentication from partners using SAML, WS-Fed or Liberty Alliance
      – User accesses SharePoint
      – Access Manager transforms LDAP and federated identity into claims that are forwarded to Active Directory Federation Services (ADFS)
      – SharePoint Administrator (Mr. Happy) associates claims to SharePoint groups; no need to manage individual identities for all users that need SharePoint
      – Improved user experience: single sign-on to SharePoint and other web resources protected by Access Manager
  • 13. SharePoint and Novell Access Manager
      [Diagram: LDAP, Novell Access Manager Identity Server, ADFS (Windows), SharePoint Server (Windows), legacy web server, Novell Access Manager Gateway, internal user]
  • 14. SharePoint and Novell Access Manager
      [Diagram: same components as slide 13, with steps A and B marked between the Identity Server, ADFS and SharePoint]
  • 15. SharePoint and Novell Access Manager
  • 16. SharePoint and Novell Access Manager
      Benefits to the customer
      – Novell Access Manager can validate identities across multiple identity stores as well as federated authentication from partners using SAML, WS-Federation or Liberty Alliance
      – Non-Active Directory users can use SharePoint
      – The SharePoint administrator does not need to manage individual identities for all users that need access to SharePoint
      – Single sign-on to SharePoint and other web resources protected by Novell Access Manager
      – Novell Access Manager policy can control SharePoint access via roles
  • 17. Demonstration: SharePoint and Novell Access Manager
  • 18. Force.com CRM and Novell Access Manager
      Just an example of SaaS vendors embracing industry standards like SAML 2.0
      – Salesforce.com offers Federated and Delegated SSO
        > Federated is simple, based on the SAML 2.0 HTTP-POST profile
          » You define the NameID
          » You create metadata
          » Easy with Access Manager
        > Delegated requires web services to be set up and uses SOAP to authenticate
          » You host the web service
          » SOAP call back
      – Delegated is not in scope of this presentation
  • 19. SAML Terms (Security Assertion Markup Language)
      – Identity Provider (IDP): producer of assertions; Novell Access Manager; usually verifies credentials against LDAP
      – Service Provider (SP): consumer of assertions; provides the application; Salesforce CRM is a cloud SP
  • 20. SAML Terms (Security Assertion Markup Language)
      – Metadata: "SAML profiles require agreements between system entities regarding identifiers, binding support and endpoints, certificates and keys, and so forth. A metadata specification is useful for describing this information in a standardized way" (http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf)
      – Assertion (response): synonym for claim; a trusted authentication; replaces the password with the COT
      – Name Identifier (NameID): how to refer to the subject; many supported formats
  • 21. SAML References
      – Novell: http://www.novell.com/documentation/novellaccessmanager/index.html
      – Wikipedia: http://en.wikipedia.org/wiki/SAML_2.0 (a good overview)
      – OASIS: http://saml.xml.org/saml-specifications and http://docs.oasis-open.org/security/saml/v2.0/ (saml.xml.org is the wiki for the OASIS group which maintains the SAML specifications; the second link is to the specifications page)
  • 22. Authentication Flow
  • 23. Typical Three Step Process – COT
      1. Circle of Trust
      – Metadata: you need to create SP metadata; Access Manager provides its own metadata
      – X.509 certificates: the SP does not provide a certificate (you can create a self-signed cert); the IDP should always use SSL, especially since this is the HTTP-POST profile
      – End points which resolve via DNS
  • 24. Typical Three Step Process – SP
      2. Set up the SP side first
      – Why? The login URL contains specific data to handle the NameID and attribute names, e.g. https://login.salesforce.com/?saml=MgoTx78aEPXRoZ2hRrHg2wwl5GLiR0qVpDJYXG4e5wzM83LxYv4TgrzVZsOpNK76ItidNdsqihgDsiG2horV_wCGmSN.N1pVNrfRKMIW0QwpMQyrV_QZw94y_TvXB08Jyhi9l32PLM_RH3LQ==
      – Have your IDP certificate handy: export the signing certificate public key and save it in .der format
  • 25. Typical Three Step Process – SP
      – Log in to salesforce.com (ebarragan@novacoast.com, admin user)
      – Go to Setup, under Administration Setup
      – Select Security Controls > Single Sign-On Settings
      – Issuer: https://idpsrv.novacoast.com/nidp/saml2/metadata
      – Name ID format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
  • 26. SP Details (good help reference)
  • 27. SP Details
  • 28. Typical Three Step Process – IDP
      3. Set up the IDP (Novell Access Manager)
      – Create the attribute map
  • 29. IDP Details
      SP metadata:
        <EntityDescriptor entityID="https://saml.salesforce.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
          <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
            <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.salesforce.com/?saml=MgoTx78aEPXToZ2hRrHg2wwl5GLiR0qVpDJYXG4e5wzM83LxYv4TgrzVZsOpNK76ItidNdsqIhgDsi2horU_wCGmSM.N1pVNrfRKMIW0QwpMQyrV_QZw94y_TvXB08Oyhi9l32PLM_RH3LQ=="/>
          </SPSSODescriptor>
        </EntityDescriptor>
  • 30. IDP Details: create the trusted service provider
  • 31. IDP Details: configure the response
  • 32. IDP Details: configure the target (inter-site transfer URL)
      https://idpsrv.novacoast.com/nidp/saml2/idpsend?PID=https://saml.salesforce.com&TARGET=https://na7.salesforce.com/home/home.jsp
  • 33. Demonstration: Salesforce.com CRM and Novell Access Manager
  • 34. Google Apps and Novell Access Manager
      – Very similar to the force.com SSO setup
      – Have a look at Neil Cashell's Cool Solution on the subject for details: http://www.novell.com/communities/node/8645/integrating-google-apps-and-novell-access-manager-using-saml2
  • 35. Google Apps and Novell Access Manager
      Same three step process
      1 – Create the COT: in this case it is the same as the previous process; the public key of the IDP's signing and encryption certificate is all that is required
      2 – Configure the SP: everything you need for this page is in the IDP metadata
        > Login URL
        > Logout URL
        > Password management URL
      3 – Configure the IDP (Novell Access Manager)
  • 36. Google Apps and Novell Access Manager: Main Points
      Use this metadata, but replace the "Location" attribute: it must contain your domain.
        <EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
          <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>
            <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/domain/acs" />
          </SPSSODescriptor>
        </EntityDescriptor>
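As an added example (not code from the slides or from Novell), the following Python pulls the entityID, NameID format and assertion consumer endpoint out of SP metadata of the kind shown for Salesforce (slide 29) and Google Apps (slide 36) and runs the circle-of-trust checks the slides describe: an HTTP-POST endpoint, SSL on that endpoint, and the "domain" placeholder replaced. The embedded metadata is a constructed copy of the Google sample with the placeholder left in.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the Google Apps SP metadata from the slides, with the
# "domain" placeholder deliberately left in so the check below flags it.
GOOGLE_MD = """<EntityDescriptor entityID="google.com"
  xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://www.google.com/a/domain/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Pull out what the IDP needs from SP metadata: who the SP is, how it
    wants the subject named, and where assertions must be posted."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    fmt = sp.find(f"{{{MD}}}NameIDFormat")
    return {
        "entity_id": root.get("entityID"),
        "nameid_format": fmt.text.strip() if fmt is not None else None,
        "want_signed": sp.get("WantAssertionsSigned", "false") == "true",
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall(f"{{{MD}}}AssertionConsumerService")],
    }


def check_sp_metadata(info, placeholder="domain"):
    """Circle-of-trust checklist from the slides; returns problems (empty = OK)."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID (needed for the assertion Audience)")
    post = [loc for b, loc in info["acs"] if b == HTTP_POST]
    if not post:
        problems.append("no HTTP-POST AssertionConsumerService")
    for loc in post:
        if not loc.startswith("https://"):   # HTTP-POST profile must use SSL
            problems.append(f"ACS endpoint not over SSL: {loc}")
        if f"/{placeholder}/" in loc:        # slide 36: Location must hold your domain
            problems.append(f"Location still contains '{placeholder}': {loc}")
    if not info["want_signed"]:
        # Neither SP demands signed assertions in its metadata; sign them anyway.
        problems.append("SP metadata does not require signed assertions")
    return problems
```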
  • 37. Google Apps and Novell Access Manager: Main Points
      The authentication response is slightly different than for force.com.
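To make the difference concrete, here is an added example (not Novell's or Google's code) that assembles the unsigned skeleton of the SAML 2.0 Response an IDP posts to an SP's ACS, showing where the values from the slides land: Issuer is the IDP metadata URL (a hypothetical one here), Audience is the SP's entityID, Recipient is the ACS Location, and the NameID Format is whatever the SP metadata declared, emailAddress for Google Apps versus the unspecified/transient format used for Salesforce. Signing, which Access Manager performs on the real assertion, is out of scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from uuid import uuid4

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def build_response(issuer, sp_entity_id, acs_url, nameid_format, subject,
                   now=None, lifetime=timedelta(minutes=5)):
    """Return (serialized Response bytes, Assertion element). Unsigned sketch:
    the real IDP signs the Assertion before POSTing it to acs_url."""
    now = now or datetime.now(timezone.utc)
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + uuid4().hex, Version="2.0",
                      IssueInstant=stamp(now), Destination=acs_url)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + uuid4().hex,
                      Version="2.0", IssueInstant=stamp(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    # Subject: the NameID format is the one the SP's metadata asked for.
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", Format=nameid_format).text = subject
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation",
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    # Recipient and NotOnOrAfter tie the bearer assertion to this ACS and a short window.
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", Recipient=acs_url,
                  NotOnOrAfter=stamp(now + lifetime))
    # Audience restriction: only the SP whose entityID this is may accept it.
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=stamp(now),
                         NotOnOrAfter=stamp(now + lifetime))
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = sp_entity_id
    authn = ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=stamp(now))
    ctx = ET.SubElement(authn, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    return ET.tostring(resp), a


if __name__ == "__main__":
    xml_bytes, _ = build_response("https://idp.example.invalid/nidp/saml2/metadata",
                                  "google.com", "https://www.google.com/a/example.com/acs",
                                  "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
                                  "user@example.com")
    print(xml_bytes.decode())
```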
  • 38. Demonstration: Google Apps and Novell Access Manager
  • 39. Unpublished Work of Novell, Inc. All Rights Reserved.
      This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
      General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.