SlideShare a Scribd company logo

SAML Single Sign-on for Higher Education

PortalGuard
PortalGuard

Putting an end to students’ and faculty’s complaints about the requirement to remember multiple passwords is an objective at many universities. With multiple web applications being accessed, IT staff also struggle to manage multiple user repositories. For example, when a password changes in one repository, it typically isn’t updated in the others. This can lead to security and support issues that make it even more difficult to implement a password security policy across multiple systems. To solve these issues you may look towards single sign-on (SSO) as a solution to elimi-nate multiple password prompts and streamline access for students and faculty. However, many SSO solutions are costly and difficult to implement to effectively handle all access scenarios. Integration is especially difficult when attempting to allow the single sign-on ex-perience to continue for external users, such as commuting or roaming students and facul-ty, who all want seamless access to hosted web applications. For example, if a student logged into their BlackBoard account to view an online class posting, and then decided to access their Outlook Web App (OWA) email account, without SSO the student would be prompted to login again to the OWA application. With SSO in place, the students would be able to enter the OWA cloud-based application without being prompted again. This type of integration is essential for providing students/faculty with seamless application access as well as maintaining unified security and compliance stand-ards to protect university data. Universities opting to use cloud infrastructures are struggling to achieve seamless access for their students/faculty. Integration is the key challenge -- they are left with forcing their students/faculty and administrators to login multiple times or figure out how to federate the identity in the cloud while maintaining regulatory compliance The solution is a product which can create a single or federated sign-in process to handle an organization’s multiple cloud applications and provide a centralized point of secure access. http://www.portalguard.com

Education
1 of 15
Download to read offline
PistolStar, Inc. dba PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 E-mail: sales@portalguard.com Website: www.portalguard.com © 2012, PistolStar, Inc. dba PortalGuard All Rights Reserved. SAML Single Sign-on for Higher Education: Seamless Integration with Web-based Applications whether cloud- based, private, on-premise, or behind a firewall v.3.2-003 Single Sign-on Layer
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 1 Tech Brief — SAML Single Sign-on for Higher Education SAML Single Sign-on for Higher Education: Seamless Integration with Web-based Applications whether cloud-based, private, on-premise, or behind a firewall Table of Contents Summary................................................................................................. 2 The Basics............................................................................................... 2 Identity Federation............................................................................................ 2 Security Assertion Markup Language (SAML) ................................................. 3 PortalGuard’s SAML-enabled Portal........................................................ 3 Usage Scenarios .............................................................................................. 4 Benefits ................................................................................................... 4 How it Works ........................................................................................... 4 SP-Initiated SSO............................................................................................... 4 IdP-Initiated SSO.............................................................................................. 7 Configuration ........................................................................................... 9 Deployment ........................................................................................... 11 IIS Installation........................................................................................ 11 System Requirements ........................................................................... 11 Alternative SSO Methods ...................................................................... 12 Platform Layers ..................................................................................... 14
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 2 Tech Brief — SAML Single Sign-on for Higher Education Summary Putting an end to students’ and faculty’s complaints about the requirement to remember multiple passwords is an objective at many universities. With multiple web applications being accessed, IT staff also struggle to manage multiple user repositories. For example, when a password changes in one repository, it typically isn’t updated in the others. This can lead to security and support issues that make it even more difficult to implement a password security policy across multiple systems. To solve these issues you may look towards single sign-on (SSO) as a solution to elimi- nate multiple password prompts and streamline access for students and faculty. However, many SSO solutions are costly and difficult to implement to effectively handle all access scenarios. Integration is especially difficult when attempting to allow the single sign-on ex- perience to continue for external users, such as commuting or roaming students and facul- ty, who all want seamless access to hosted web applications. For example, if a student logged into their BlackBoard account to view an online class posting, and then decided to access their Outlook Web App (OWA) email account, without SSO the student would be prompted to login again to the OWA application. With SSO in place, the students would be able to enter the OWA cloud-based application without being prompted again. This type of integration is essential for providing students/faculty with seamless application access as well as maintaining unified security and compliance stand- ards to protect university data. Universities opting to use cloud infrastructures are struggling to achieve seamless access for their students/faculty. Integration is the key challenge -- they are left with forcing their students/faculty and administrators to login multiple times or figure out how to federate the identity in the cloud while maintaining regulatory compliance The solution is a product which can create a single or federated sign-in process to handle an organization’s multiple cloud applications and provide a centralized point of secure ac- cess. The Basics Identity Federation Identity federation is the concept of linking a user’s identity across multiple systems or servers. When two servers are federated, the authentication against one can be lever- aged to prove the user’s identity to the other. Some application servers in the secondary role can allow this without requiring the user to register an account. Identity federation typically entails some level of Single Sign-On (SSO). Once authentica- tion has been performed against a primary server, the user’s session with that server can then be used as a launch point for SSO-based access to other federated services. This can be used to realize the common business requirement of reducing access barriers with- out compromising the security of the systems involved. There are multiple protocols that can be used to apply the successful authentication against one system to another, but Security Assertion Markup Language (SAML) has emerged as a clear front-runner. Using SAML SSO offers a seamless way to provide students and faculty with the ability to unlock their account, enroll answers to challenge questions, reset or recover their forgotten passwords and manage their mobile device for use in multi-factor authentication.
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 3 Tech Brief — SAML Single Sign-on for Higher Education Security Assertion Markup Language (SAML) Originally developed by OASIS Security Services Technical Committee, Security Assertion Markup Language (SAML) is leading the way in providing seamless web-based SSO as an open, widely implemented, industry standard protocol. SAML is an XML-based authen- tication protocol that passes assertions between hosted SAML-enabled applications. Once the user requests access to a hosted resource, an online identity provider creates a SAML token containing the user’s identity assertions. Once those assertions are validated by the hosted resource the user is granted access without any further password prompts. SAML is heavily leveraged today for numerous reasons:  It works for cloud-based services that are typically hosted offsite as well as “on premise” services.  It is typically wrapped in the HTTP/HTTPS protocols which ensures it can be used by any client device regardless of operating system (e.g. Windows, Mac, and Linux) or ar- chitecture (PC, iPad, smart phones).  The use of HTTP/HTTPS also allows for easier network administration since these ports are more frequently open in server or client firewalls.  Manual user authentication for multiple services can be redirected and always be per- formed against a single Identity Provider (IdP). This “choke point” allows for network and access policies to be controlled at a single point making them much easier to imple- ment and enforce.  Users can be authenticated against virtually any user repository using any required method(s) without impacting the downstream servers, which always receive a SAML assertion. PortalGuard’s SAML-enabled Portal: PortalGuard’s SAML Identity Provider (IdP) acts as a SAML-based portal that uses a sin- gle set of credentials for the portal login itself and then grants access to your web-based applications, such as the BlackBoard Learn platform. When using SAML the student/ faculty member will no longer be prompted for multiple passwords. As a result, administra- tive and IT costs associated with performing password resets in several places, synchro- nizing numerous sets of password quality rules that may or may not overlap and creating and disabling accounts will be greatly reduced. The main objective with using PortalGuard’s SAML-based portal is to give students/faculty members one place to login using stronger authentication, and thereby granting them ac- cess to web-based applications, the university portal and/or to disparate sites where they are authenticated without having to sign on again. PortalGuard provides seamless integration with web-based applications whether cloud- based, private, on-premise, or behind a firewall. This integration allows you to use PortalGuard not only as your single authentication point but to provide stronger authentication, including tokenless two-factor authentication and knowledge-based authentication, plus all the necessary self-service password manage- ment functionality needed to increase usability in order to reduce Help Desk calls. Although many web-based applications are already SAML-enabled, alternatives such as cookie-based single sign-on or other established authentication mechanisms such as Ker- beros can be provided by PortalGuard to enable SSO for non-SAML applications. Alternatives such as cookie -based single sign-on or other established authentication mechanisms such as Kerberos can be provided by PortalGuard to enable SSO for non-SAML applications.
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 4 Tech Brief — SAML Single Sign-on for Higher Education The PortalGuard authentication platform incorporates and supports numerous authentica- tion layers, providing IT staff with the flexibility to meet their requirements in a highly cost- effective manner. Usage Scenarios PortalGuard’s flexibility allows you to choose the appropriate authentication method for each user, group or application, by leveraging Contextual Authentication. Varying access scenarios in every university drive the need for this type of authentication. For instance, students on campus may only need to provide strong passwords whereas commuting or roaming students are presented with two-factor authentication. Consistent authentication interface When the student/faculty member is always forced to login to your SAML-enabled applica- tions using PortalGuard, a consistent authentication interface and process can be en- forced. This reduces the need for training and frustrations associated with managing mul- tiple accounts through multiple websites. Enforcing self-service enrollment Using SAML SSO offers a seamless way to provide students/faculty with the ability to un- lock their account, enroll answers to challenge questions, reset or recover their forgotten passwords and manage their mobile device for use in multi-factor authentication. Multi-factor authentication Because the student/faculty member communicates directly with the PortalGuard server, authentication decisions made by PortalGuard are strictly enforced. This ensures a high level of security and consistency. Benefits  Eliminate the need to develop and maintain your own portal  Reduce the number of passwords the student/faculty member is required to remember and manage  Implement configurable corporate password policies  Remove the need to manage external students/faculty credentials  Optionally increase security using any combination of transparent barriers  Add stronger authentication using tokenless two-factor authentication and/or knowledge- based authentication  Reduce password-related Help Desk calls related to resets and recoveries How it Works The following steps and screenshots show how the PortalGuard SAML IdP works using two different SSO methods, SP-Initiated and IdP-initiated. **Note: for the following steps the term “user” refers to students and/or faculty members. PortalGuard’s flexibility allows you to choose the appropriate authentication method for each user, group or application, by leveraging Contextual Authentication.
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 5 Tech Brief — SAML Single Sign-on for Higher Education SP-Initiated SSO Step 1: The user opens their browser and accesses the target server, e.g. https:// blackboard.abc.edu/webapps/portal/example.jsp. Step 2: The target server sees the user has not yet authenticated so it generates a SAML request and returns it and the originally requested URL (the “RelayState”) as hidden input fields in a HTML form response. Step 3: JavaScript in the response automatically submits the form to the PortalGuard Identity Provider (IdP). Note: The user can be forced to login using any of PortalGuard’s authentication methods. This demo describes two-factor authentication (2FA). Step 4: PortalGuard’s login screen is presented to the user. The user enters their username and clicks “Continue”. Note: This login screen can be fully customized to match your organization’s branding, creating a seamless experience for the user.
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 6 Tech Brief — SAML Single Sign-on for Higher Education Step 5: The user is then prompted for their normal password and clicks “Log On”. Step 6: PortalGuard validates the username and password in real-time then sends a ran- dom one-time password (OTP) to the user’s mobile phone in the form of an SMS. Note: PortalGuard can sent the OTP via SMS, email, Skype, printer or transparent token. Step 7: The user is then prompted to enter the OTP. Step 8: The user enters the OTP they received and clicks “Log On”. Step 9: PortalGuard validates the OTP and the user has now established a session with the PortalGuard web server. Step 10: The original SAML request is now serviced by the PortalGuard IdP application. It generates a SAML response and sends it and the “RelayState” back to the end user wrapped in a HTML form.
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 7 Tech Brief — SAML Single Sign-on for Higher Education Step 11: Javascript in the response automatically submits the form to the target server’s Assertion Consumer Service (ACS). Step 12: The target server parses and validates the SAML response. It uses the embed- ded identity claims to determine the user’s identity and allow the user access to the appli- cation, in this case Blackboard. IdP-Initiated SSO Step 1: The user opens their browser and accesses the PortalGuard IdP application, e.g. “portalguard.abc.edu/sso”. Step 2: PortalGuard’s login screen is presented to the user if they do not already have an active session.
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 8 Tech Brief — SAML Single Sign-on for Higher Education Step 3: The user enters their username and clicks “Continue”. Step 4: The user is then prompted for their normal password and clicks “Log On”. Step 5: PortalGuard validates the username and password in real-time then sends a ran- dom OTP to the user’s mobile phone in the form of an SMS. Step 6: The user is then prompted to enter the OTP. Step 7: The user enters the OTP they received and clicks “Log On”. Step 8: PortalGuard validates the OTP and the user has now established a session with the PortalGuard web server. Step 9: The user gains access to the SAML IdP jump page. Step 10: User clicks a displayed application. Note: The applications available to the user are configurable by the admin. Step 11: The click is serviced by the PortalGuard IdP application. It generates a SAML response and sends it back to the end user wrapped in a HTML form. Step 12: Javascript in the response automatically submits the form to the target server’s Assertion Consumer Service (ACS). Step 13: The target server parses and validates the SAML response. It uses the embed- ded identity claims to determine the user’s identity and allow the user access to the appli- cation, in this case Blackboard.
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 9 Tech Brief — SAML Single Sign-on for Higher Education Configuration NOTE: All the following settings are application specific, so you can have different permis- sions for individual users. Configurable through the PortalGuard Configuration Utility: Main  Relying parties  Attribute Stores  IdP Configuration
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 10 Tech Brief — SAML Single Sign-on for Higher Education
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 11 Tech Brief — SAML Single Sign-on for Higher Education Deployment Implementation of the PortalGuard platform is seamless and requires no changes to Active Directory/LDAP schema. A server-side software installation is required on at least one IIS server on the network. Additional client-side software is not required. All major Web brows- ers, including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safa- ri, are capable of performing SAML authentication to Web servers. IIS Installation A MSI is used to install PortalGuard on IIS 6 or 7.x. If installing PortalGuard on IIS 7.x/ Windows Server 2008, make sure to have installed the following feature roles prior to launching the MSI: 1. All the Web Server Management Tools role services 2. All the Application Development role services 3. All IIS 6 Management Compatibility role services The MSI is a wizard-based install which will quickly guide you through the installation. System Requirements PortalGuard can be installed directly on the following web servers:  IBM WebSphere/WebSphere Portal v5.1 or higher  Microsoft IIS 6.0 or higher  Microsoft Windows SharePoint Services 3.0 or higher  Microsoft Office SharePoint Server 2007 or later The PortalGuard IdP requires the following:  The target server must support SP-initiated SAML SSO using the SAML v2.0 POST binding method  The target server must be configured to not allow manual authentication. Other- wise, users could use that method and bypass the interactions with PortalGuard.  A trust must be configured between the PortalGuard Identity Provider and the target server/Service Provider by importing the PortalGuard public signing certifi- cate.  The end user must have network connectivity (HTTPS) to both the PortalGuard server and the target server.  The PortalGuard server does not need network connectivity to the target server since the user’s browser delivers all SAML messages. The PortalGuard Web server also has the following requirements on Windows operating systems:  .NET 2.0 framework or later must be installed  (64-bit OS only) Microsoft Visual C++ 2005 SP1 Redistributable Package (x64)
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 12 Tech Brief — SAML Single Sign-on for Higher Education PortalGuard is fully supported for installation on virtual machines. Furthermore, Portal- Guard can currently be installed on the following platforms:  Microsoft Windows Server 2000  Microsoft Windows Server 2003 (32 or 64-bit)  Microsoft Windows Server 2008 (32 or 64-bit)  Microsoft Windows Server 2008 R2 If you have a platform not listed here, please contact us at sales@portalguard.com to see if we have recently added support for your platform. Alternative SSO Methods This tech brief is intended to highlight SAML-based SSO; however the following single sign-on methods are also supported: Cookie-based SSO: Works by using Web based HTTP Cookies to transport user credentials from browser to server without input from the user. Existing credentials on the client machine are gathered and encrypted before being stored in the cookie and sent to the destination server. The server receives the cookie, extracts and decrypts the credentials and validates them against the internal server directory of users. Kerberos-based SSO: Kerberos enables a user to log into their Windows domain account and then receive SSO to their internal applications. Kerberos requires the user to have connectivity to a central Key Distribution Center (KDC). In Windows, each Active Directory domain controller acts as a KDC. Users authenticate themselves to services (e.g. web servers) by first authenti- cating to the KDC, then requesting encrypted service tickets from the KDC for the specific service they wish to use which happens automatically in all major browsers using SPNEGO (see below). Screen Scraping: Screen scraping deals with recognizing and remembering the dialog boxes that prompt users for their credentials. The idea of "scraping" the fields and layout of these dialogs and automatically entering the user's credentials are the basis behind this SSO type. Claims-based SSO: Claims (aka "assertions") are created by a claims issuer that is trusted by multiple parties. Claims are typically packaged into a digitally signed token that can be sent over the network using Security Assertion Markup Language (SAML). Smart Card-based SSO: With smart card SSO the user is required to enter their smart card into a reader, which then allows them to sign-on to the de- sired application. The smart card information is then used to allow SSO to other applications that the user attempts to access. Biometric-based SSO: Existing biometric authentication can be combined with SSO technologies to further secure and simplify the life of the daily work force. Biometric authentication can include the use of fingerprints, retinal scans, facial scans, hand geometry, and even DNA.
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 13 Tech Brief — SAML Single Sign-on for Higher Education Form-filling SSO: Form-filling allows for the secure storage of information that is normally filled into a form. For users that repetitively fill out forms, espe- cially for security access, this technology will remember/store all this infor- mation and secure it with a single password. To access the information the user only has to remember one password and the Form-filling technology can take care of filling in the forms. NTLM-based SSO: It is possible for a user to prove they know their password without actually providing the password itself. NTLM achieves this using a challenge and response protocol that first determines what type of NTLM and encryption mechanisms the client and server mutually support, then crypto- graphically hashes the user's password and sends it to the server requiring authentication. SPNEGO-based SSO: There are instances when the client application and remote server do not know what types of authentication the other one sup- ports. This is when SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) can be used to find out what authentication mechanisms are mu- tually available. Some of these mechanisms can include Kerberos and NTLM authentication. Reduced SSO: Reduced single sign-on is widely used for limiting the number of times a user will be required to enter in their credentials to access different applications. With critical applications, reduced SSO also offers a technique to make sure that a user is not signed on without a second factor of authentica- tion, having been provided by the user. Cross-domain SSO: Credentials may need to be transferred between differ- ent servers and domains, which is referred to as cross-domain single sign-on (CDSSO). By not relying on a master authentication server, CDSSO allows the user to easily be authenticated between separate secure domains, when requesting resources from each. Enrollment-based SSO: A user logging into a website may choose to have their credentials permanently remembered for that site. This is accomplished by creating an encrypted cookie on the user's machine for that web browser that contains the user's credentials. This cookie persists across different browser sessions and restarts of the machine, but will be set to expire after a set period. The next time the user accesses the website, the server recogniz- es the cookie, decrypts it to obtain the user's credentials and completely by- passes the login screen after validating them successfully. Session-based SSO: A user's initial logon to a HTTP server through a web browser results in a session token being generated on the server and returned to the user as an in-memory cookie. From then on, SSO is accomplished by presenting the session token to the server as proof of authentication. True SSO: True SSO is the ability to provide your credentials one time during your computer session and not be asked for credentials again. This is done by leveraging those credentials when navigating to other resources during your session that will also require you to verify your identity.
© 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 14 Tech Brief — SAML Single Sign-on for Higher Education Platform Layers Beyond single sign-on, PortalGuard is a flexible authentication platform with multiple lay- ers of available functionality to help you achieve your authentication goals:  Contextual Authentication  Self-service Password Reset  Two-factor Authentication  Password Management  Password Synchronization ###

Recommended

New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)
New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)
New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)We4IT Group
 
The Future of Mobile Application Security
The Future of Mobile Application SecurityThe Future of Mobile Application Security
The Future of Mobile Application SecuritySecureAuth
 
SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t...
SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t...SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t...
SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t...SecureAuth
 
What's New in IdP 9.0 Behavioral Biometrics and more…
What's New in IdP 9.0 Behavioral Biometrics and more…What's New in IdP 9.0 Behavioral Biometrics and more…
What's New in IdP 9.0 Behavioral Biometrics and more…SecureAuth
 
A Technical Guide To Deploying Single Sign On
A Technical Guide To Deploying Single Sign OnA Technical Guide To Deploying Single Sign On
A Technical Guide To Deploying Single Sign OnGabriella Davis
 
What to Expect in 2016: Top 5 Predictions for Security and Access Control
What to Expect in 2016: Top 5 Predictions for Security and Access ControlWhat to Expect in 2016: Top 5 Predictions for Security and Access Control
What to Expect in 2016: Top 5 Predictions for Security and Access ControlSecureAuth
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLGabriella Davis
 
RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
RMLL 2013 - The SAML Protocol: Single Sign On for skilled peopleRMLL 2013 - The SAML Protocol: Single Sign On for skilled people
RMLL 2013 - The SAML Protocol: Single Sign On for skilled peopleClément OUDOT
 

Recommended

New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)
New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)
New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)We4IT Group
 
The Future of Mobile Application Security
The Future of Mobile Application SecurityThe Future of Mobile Application Security
The Future of Mobile Application SecuritySecureAuth
 
SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t...
SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t...SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t...
SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t...SecureAuth
 
What's New in IdP 9.0 Behavioral Biometrics and more…
What's New in IdP 9.0 Behavioral Biometrics and more…What's New in IdP 9.0 Behavioral Biometrics and more…
What's New in IdP 9.0 Behavioral Biometrics and more…SecureAuth
 
A Technical Guide To Deploying Single Sign On
A Technical Guide To Deploying Single Sign OnA Technical Guide To Deploying Single Sign On
A Technical Guide To Deploying Single Sign OnGabriella Davis
 
What to Expect in 2016: Top 5 Predictions for Security and Access Control
What to Expect in 2016: Top 5 Predictions for Security and Access ControlWhat to Expect in 2016: Top 5 Predictions for Security and Access Control
What to Expect in 2016: Top 5 Predictions for Security and Access ControlSecureAuth
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLGabriella Davis
 
RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
RMLL 2013 - The SAML Protocol: Single Sign On for skilled peopleRMLL 2013 - The SAML Protocol: Single Sign On for skilled people
RMLL 2013 - The SAML Protocol: Single Sign On for skilled peopleClément OUDOT
 
LDAP, SAML and Hue
LDAP, SAML and HueLDAP, SAML and Hue
LDAP, SAML and Huegethue
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloudNagraj Rao
 
White Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity ManagementWhite Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity ManagementGigya
 
SAML Smackdown
SAML SmackdownSAML Smackdown
SAML SmackdownPat Patterson
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseDenis Gundarev
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol OverviewMike Schwartz
 
Introduction to SAML
Introduction to SAMLIntroduction to SAML
Introduction to SAMLClément OUDOT
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML Programming Talents
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOOliver Mueller
 
IBM WebSphere Enterprise Service Bus
IBM WebSphere Enterprise Service BusIBM WebSphere Enterprise Service Bus
IBM WebSphere Enterprise Service BusQuauhtli Zazueta
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101Mike Schwartz
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
Building an SSO platform in php (Zendcon 2010)
Building an SSO platform in php (Zendcon 2010)Building an SSO platform in php (Zendcon 2010)
Building an SSO platform in php (Zendcon 2010)Ivo Jansch
 
Let's Build a Better Password
Let's Build a Better PasswordLet's Build a Better Password
Let's Build a Better PasswordPortalGuard
 
Designing and Implementing a Secure, Fully Brandable Web Portal
Designing and Implementing a Secure, Fully Brandable Web PortalDesigning and Implementing a Secure, Fully Brandable Web Portal
Designing and Implementing a Secure, Fully Brandable Web PortalPortalGuard
 
Designing and Creating a Secure Web Portal
Designing and Creating a Secure Web PortalDesigning and Creating a Secure Web Portal
Designing and Creating a Secure Web PortalPortalGuard
 
PortalGuard Product Tour
PortalGuard Product TourPortalGuard Product Tour
PortalGuard Product TourPortalGuard
 
SSPM Retail
SSPM RetailSSPM Retail
SSPM RetailPortalGuard
 
SAML Executive Overview
SAML Executive OverviewSAML Executive Overview
SAML Executive OverviewPortalGuard
 
The Role of Password Management in Achieving Compliance
The Role of Password Management in Achieving ComplianceThe Role of Password Management in Achieving Compliance
The Role of Password Management in Achieving CompliancePortalGuard
 
PortalGuard Platform
PortalGuard PlatformPortalGuard Platform
PortalGuard PlatformPortalGuard
 
Already Have a Solution?
Already Have a Solution? Already Have a Solution?
Already Have a Solution? PortalGuard
 

More Related Content

Viewers also liked

LDAP, SAML and Hue
LDAP, SAML and HueLDAP, SAML and Hue
LDAP, SAML and Huegethue
 
White Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity ManagementWhite Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity ManagementGigya
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseDenis Gundarev
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol OverviewMike Schwartz
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOOliver Mueller
 
IBM WebSphere Enterprise Service Bus
IBM WebSphere Enterprise Service BusIBM WebSphere Enterprise Service Bus
IBM WebSphere Enterprise Service BusQuauhtli Zazueta
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
Building an SSO platform in php (Zendcon 2010)
Building an SSO platform in php (Zendcon 2010)Building an SSO platform in php (Zendcon 2010)
Building an SSO platform in php (Zendcon 2010)Ivo Jansch
 

Viewers also liked (13)

LDAP, SAML and Hue
LDAP, SAML and HueLDAP, SAML and Hue
LDAP, SAML and Hue
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
 
White Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity ManagementWhite Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity Management
 
SAML Smackdown
SAML SmackdownSAML Smackdown
SAML Smackdown
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your Enterprise
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
 
Introduction to SAML
Introduction to SAMLIntroduction to SAML
Introduction to SAML
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSO
 
IBM WebSphere Enterprise Service Bus
IBM WebSphere Enterprise Service BusIBM WebSphere Enterprise Service Bus
IBM WebSphere Enterprise Service Bus
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Building an SSO platform in php (Zendcon 2010)
Building an SSO platform in php (Zendcon 2010)Building an SSO platform in php (Zendcon 2010)
Building an SSO platform in php (Zendcon 2010)
 

More from PortalGuard

Let's Build a Better Password
Let's Build a Better PasswordLet's Build a Better Password
Let's Build a Better PasswordPortalGuard
 
Designing and Implementing a Secure, Fully Brandable Web Portal
Designing and Implementing a Secure, Fully Brandable Web PortalDesigning and Implementing a Secure, Fully Brandable Web Portal
Designing and Implementing a Secure, Fully Brandable Web PortalPortalGuard
 
Designing and Creating a Secure Web Portal
Designing and Creating a Secure Web PortalDesigning and Creating a Secure Web Portal
Designing and Creating a Secure Web PortalPortalGuard
 
PortalGuard Product Tour
PortalGuard Product TourPortalGuard Product Tour
PortalGuard Product TourPortalGuard
 
SAML Executive Overview
SAML Executive OverviewSAML Executive Overview
SAML Executive OverviewPortalGuard
 
The Role of Password Management in Achieving Compliance
The Role of Password Management in Achieving ComplianceThe Role of Password Management in Achieving Compliance
The Role of Password Management in Achieving CompliancePortalGuard
 
PortalGuard Platform
PortalGuard PlatformPortalGuard Platform
PortalGuard PlatformPortalGuard
 
Already Have a Solution?
Already Have a Solution? Already Have a Solution?
Already Have a Solution? PortalGuard
 
Centralized Self-service Password Reset: From the Web and Windows Desktop
Centralized Self-service Password Reset: From the Web and Windows DesktopCentralized Self-service Password Reset: From the Web and Windows Desktop
Centralized Self-service Password Reset: From the Web and Windows DesktopPortalGuard
 
Sever-based Password Synchronization: Managing Multiple Passwords
Sever-based Password Synchronization: Managing Multiple PasswordsSever-based Password Synchronization: Managing Multiple Passwords
Sever-based Password Synchronization: Managing Multiple PasswordsPortalGuard
 
Configurable Password Management: Balancing Usability and Compliance
Configurable Password Management: Balancing Usability and ComplianceConfigurable Password Management: Balancing Usability and Compliance
Configurable Password Management: Balancing Usability and CompliancePortalGuard
 
Contextual Authentication: A Multi-factor Approach
Contextual Authentication: A Multi-factor ApproachContextual Authentication: A Multi-factor Approach
Contextual Authentication: A Multi-factor ApproachPortalGuard
 
Two-factor Authentication: A Tokenless Approach
Two-factor Authentication: A Tokenless ApproachTwo-factor Authentication: A Tokenless Approach
Two-factor Authentication: A Tokenless ApproachPortalGuard
 
Password Security and CJIS Compliance
Password Security and CJIS CompliancePassword Security and CJIS Compliance
Password Security and CJIS CompliancePortalGuard
 
Avoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not AloneAvoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not AlonePortalGuard
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...PortalGuard
 

More from PortalGuard (17)

Let's Build a Better Password
Let's Build a Better PasswordLet's Build a Better Password
Let's Build a Better Password
 
Designing and Implementing a Secure, Fully Brandable Web Portal
Designing and Implementing a Secure, Fully Brandable Web PortalDesigning and Implementing a Secure, Fully Brandable Web Portal
Designing and Implementing a Secure, Fully Brandable Web Portal
 
Designing and Creating a Secure Web Portal
Designing and Creating a Secure Web PortalDesigning and Creating a Secure Web Portal
Designing and Creating a Secure Web Portal
 
PortalGuard Product Tour
PortalGuard Product TourPortalGuard Product Tour
PortalGuard Product Tour
 
SSPM Retail
SSPM RetailSSPM Retail
SSPM Retail
 
SAML Executive Overview
SAML Executive OverviewSAML Executive Overview
SAML Executive Overview
 
The Role of Password Management in Achieving Compliance
The Role of Password Management in Achieving ComplianceThe Role of Password Management in Achieving Compliance
The Role of Password Management in Achieving Compliance
 
PortalGuard Platform
PortalGuard PlatformPortalGuard Platform
PortalGuard Platform
 
Already Have a Solution?
Already Have a Solution? Already Have a Solution?
Already Have a Solution?
 
Centralized Self-service Password Reset: From the Web and Windows Desktop
Centralized Self-service Password Reset: From the Web and Windows DesktopCentralized Self-service Password Reset: From the Web and Windows Desktop
Centralized Self-service Password Reset: From the Web and Windows Desktop
 
Sever-based Password Synchronization: Managing Multiple Passwords
Sever-based Password Synchronization: Managing Multiple PasswordsSever-based Password Synchronization: Managing Multiple Passwords
Sever-based Password Synchronization: Managing Multiple Passwords
 
Configurable Password Management: Balancing Usability and Compliance
Configurable Password Management: Balancing Usability and ComplianceConfigurable Password Management: Balancing Usability and Compliance
Configurable Password Management: Balancing Usability and Compliance
 
Contextual Authentication: A Multi-factor Approach
Contextual Authentication: A Multi-factor ApproachContextual Authentication: A Multi-factor Approach
Contextual Authentication: A Multi-factor Approach
 
Two-factor Authentication: A Tokenless Approach
Two-factor Authentication: A Tokenless ApproachTwo-factor Authentication: A Tokenless Approach
Two-factor Authentication: A Tokenless Approach
 
Password Security and CJIS Compliance
Password Security and CJIS CompliancePassword Security and CJIS Compliance
Password Security and CJIS Compliance
 
Avoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not AloneAvoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not Alone
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...
 

Recently uploaded

Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...anjaliyadav012327
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...Pooja Nehwal
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 

Recently uploaded (20)

Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 

SAML Single Sign-on for Higher Education

  • 1. PistolStar, Inc. dba PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 E-mail: sales@portalguard.com Website: www.portalguard.com © 2012, PistolStar, Inc. dba PortalGuard All Rights Reserved. SAML Single Sign-on for Higher Education: Seamless Integration with Web-based Applications whether cloud- based, private, on-premise, or behind a firewall v.3.2-003 Single Sign-on Layer
  • 2. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 1 Tech Brief — SAML Single Sign-on for Higher Education SAML Single Sign-on for Higher Education: Seamless Integration with Web-based Applications whether cloud-based, private, on-premise, or behind a firewall Table of Contents Summary................................................................................................. 2 The Basics............................................................................................... 2 Identity Federation............................................................................................ 2 Security Assertion Markup Language (SAML) ................................................. 3 PortalGuard’s SAML-enabled Portal........................................................ 3 Usage Scenarios .............................................................................................. 4 Benefits ................................................................................................... 4 How it Works ........................................................................................... 4 SP-Initiated SSO............................................................................................... 4 IdP-Initiated SSO.............................................................................................. 7 Configuration ........................................................................................... 9 Deployment ........................................................................................... 11 IIS Installation........................................................................................ 11 System Requirements ........................................................................... 11 Alternative SSO Methods ...................................................................... 12 Platform Layers ..................................................................................... 14
  • 3. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 2 Tech Brief — SAML Single Sign-on for Higher Education Summary Putting an end to students’ and faculty’s complaints about the requirement to remember multiple passwords is an objective at many universities. With multiple web applications being accessed, IT staff also struggle to manage multiple user repositories. For example, when a password changes in one repository, it typically isn’t updated in the others. This can lead to security and support issues that make it even more difficult to implement a password security policy across multiple systems. To solve these issues you may look towards single sign-on (SSO) as a solution to elimi- nate multiple password prompts and streamline access for students and faculty. However, many SSO solutions are costly and difficult to implement to effectively handle all access scenarios. Integration is especially difficult when attempting to allow the single sign-on ex- perience to continue for external users, such as commuting or roaming students and facul- ty, who all want seamless access to hosted web applications. For example, if a student logged into their BlackBoard account to view an online class posting, and then decided to access their Outlook Web App (OWA) email account, without SSO the student would be prompted to login again to the OWA application. With SSO in place, the students would be able to enter the OWA cloud-based application without being prompted again. This type of integration is essential for providing students/faculty with seamless application access as well as maintaining unified security and compliance stand- ards to protect university data. Universities opting to use cloud infrastructures are struggling to achieve seamless access for their students/faculty. Integration is the key challenge -- they are left with forcing their students/faculty and administrators to login multiple times or figure out how to federate the identity in the cloud while maintaining regulatory compliance The solution is a product which can create a single or federated sign-in process to handle an organization’s multiple cloud applications and provide a centralized point of secure ac- cess. The Basics Identity Federation Identity federation is the concept of linking a user’s identity across multiple systems or servers. When two servers are federated, the authentication against one can be lever- aged to prove the user’s identity to the other. Some application servers in the secondary role can allow this without requiring the user to register an account. Identity federation typically entails some level of Single Sign-On (SSO). Once authentica- tion has been performed against a primary server, the user’s session with that server can then be used as a launch point for SSO-based access to other federated services. This can be used to realize the common business requirement of reducing access barriers with- out compromising the security of the systems involved. There are multiple protocols that can be used to apply the successful authentication against one system to another, but Security Assertion Markup Language (SAML) has emerged as a clear front-runner. Using SAML SSO offers a seamless way to provide students and faculty with the ability to unlock their account, enroll answers to challenge questions, reset or recover their forgotten passwords and manage their mobile device for use in multi-factor authentication.
  • 4. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 3 Tech Brief — SAML Single Sign-on for Higher Education Security Assertion Markup Language (SAML) Originally developed by OASIS Security Services Technical Committee, Security Assertion Markup Language (SAML) is leading the way in providing seamless web-based SSO as an open, widely implemented, industry standard protocol. SAML is an XML-based authen- tication protocol that passes assertions between hosted SAML-enabled applications. Once the user requests access to a hosted resource, an online identity provider creates a SAML token containing the user’s identity assertions. Once those assertions are validated by the hosted resource the user is granted access without any further password prompts. SAML is heavily leveraged today for numerous reasons:  It works for cloud-based services that are typically hosted offsite as well as “on premise” services.  It is typically wrapped in the HTTP/HTTPS protocols which ensures it can be used by any client device regardless of operating system (e.g. Windows, Mac, and Linux) or ar- chitecture (PC, iPad, smart phones).  The use of HTTP/HTTPS also allows for easier network administration since these ports are more frequently open in server or client firewalls.  Manual user authentication for multiple services can be redirected and always be per- formed against a single Identity Provider (IdP). This “choke point” allows for network and access policies to be controlled at a single point making them much easier to imple- ment and enforce.  Users can be authenticated against virtually any user repository using any required method(s) without impacting the downstream servers, which always receive a SAML assertion. PortalGuard’s SAML-enabled Portal: PortalGuard’s SAML Identity Provider (IdP) acts as a SAML-based portal that uses a sin- gle set of credentials for the portal login itself and then grants access to your web-based applications, such as the BlackBoard Learn platform. When using SAML the student/ faculty member will no longer be prompted for multiple passwords. As a result, administra- tive and IT costs associated with performing password resets in several places, synchro- nizing numerous sets of password quality rules that may or may not overlap and creating and disabling accounts will be greatly reduced. The main objective with using PortalGuard’s SAML-based portal is to give students/faculty members one place to login using stronger authentication, and thereby granting them ac- cess to web-based applications, the university portal and/or to disparate sites where they are authenticated without having to sign on again. PortalGuard provides seamless integration with web-based applications whether cloud- based, private, on-premise, or behind a firewall. This integration allows you to use PortalGuard not only as your single authentication point but to provide stronger authentication, including tokenless two-factor authentication and knowledge-based authentication, plus all the necessary self-service password manage- ment functionality needed to increase usability in order to reduce Help Desk calls. Although many web-based applications are already SAML-enabled, alternatives such as cookie-based single sign-on or other established authentication mechanisms such as Ker- beros can be provided by PortalGuard to enable SSO for non-SAML applications. Alternatives such as cookie -based single sign-on or other established authentication mechanisms such as Kerberos can be provided by PortalGuard to enable SSO for non-SAML applications.
  • 5. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 4 Tech Brief — SAML Single Sign-on for Higher Education The PortalGuard authentication platform incorporates and supports numerous authentica- tion layers, providing IT staff with the flexibility to meet their requirements in a highly cost- effective manner. Usage Scenarios PortalGuard’s flexibility allows you to choose the appropriate authentication method for each user, group or application, by leveraging Contextual Authentication. Varying access scenarios in every university drive the need for this type of authentication. For instance, students on campus may only need to provide strong passwords whereas commuting or roaming students are presented with two-factor authentication. Consistent authentication interface When the student/faculty member is always forced to login to your SAML-enabled applica- tions using PortalGuard, a consistent authentication interface and process can be en- forced. This reduces the need for training and frustrations associated with managing mul- tiple accounts through multiple websites. Enforcing self-service enrollment Using SAML SSO offers a seamless way to provide students/faculty with the ability to un- lock their account, enroll answers to challenge questions, reset or recover their forgotten passwords and manage their mobile device for use in multi-factor authentication. Multi-factor authentication Because the student/faculty member communicates directly with the PortalGuard server, authentication decisions made by PortalGuard are strictly enforced. This ensures a high level of security and consistency. Benefits  Eliminate the need to develop and maintain your own portal  Reduce the number of passwords the student/faculty member is required to remember and manage  Implement configurable corporate password policies  Remove the need to manage external students/faculty credentials  Optionally increase security using any combination of transparent barriers  Add stronger authentication using tokenless two-factor authentication and/or knowledge- based authentication  Reduce password-related Help Desk calls related to resets and recoveries How it Works The following steps and screenshots show how the PortalGuard SAML IdP works using two different SSO methods, SP-Initiated and IdP-initiated. **Note: for the following steps the term “user” refers to students and/or faculty members. PortalGuard’s flexibility allows you to choose the appropriate authentication method for each user, group or application, by leveraging Contextual Authentication.
  • 6. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 5 Tech Brief — SAML Single Sign-on for Higher Education SP-Initiated SSO Step 1: The user opens their browser and accesses the target server, e.g. https:// blackboard.abc.edu/webapps/portal/example.jsp. Step 2: The target server sees the user has not yet authenticated so it generates a SAML request and returns it and the originally requested URL (the “RelayState”) as hidden input fields in a HTML form response. Step 3: JavaScript in the response automatically submits the form to the PortalGuard Identity Provider (IdP). Note: The user can be forced to login using any of PortalGuard’s authentication methods. This demo describes two-factor authentication (2FA). Step 4: PortalGuard’s login screen is presented to the user. The user enters their username and clicks “Continue”. Note: This login screen can be fully customized to match your organization’s branding, creating a seamless experience for the user.
  • 7. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 6 Tech Brief — SAML Single Sign-on for Higher Education Step 5: The user is then prompted for their normal password and clicks “Log On”. Step 6: PortalGuard validates the username and password in real-time then sends a ran- dom one-time password (OTP) to the user’s mobile phone in the form of an SMS. Note: PortalGuard can sent the OTP via SMS, email, Skype, printer or transparent token. Step 7: The user is then prompted to enter the OTP. Step 8: The user enters the OTP they received and clicks “Log On”. Step 9: PortalGuard validates the OTP and the user has now established a session with the PortalGuard web server. Step 10: The original SAML request is now serviced by the PortalGuard IdP application. It generates a SAML response and sends it and the “RelayState” back to the end user wrapped in a HTML form.
  • 8. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 7 Tech Brief — SAML Single Sign-on for Higher Education Step 11: Javascript in the response automatically submits the form to the target server’s Assertion Consumer Service (ACS). Step 12: The target server parses and validates the SAML response. It uses the embed- ded identity claims to determine the user’s identity and allow the user access to the appli- cation, in this case Blackboard. IdP-Initiated SSO Step 1: The user opens their browser and accesses the PortalGuard IdP application, e.g. “portalguard.abc.edu/sso”. Step 2: PortalGuard’s login screen is presented to the user if they do not already have an active session.
  • 9. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 8 Tech Brief — SAML Single Sign-on for Higher Education Step 3: The user enters their username and clicks “Continue”. Step 4: The user is then prompted for their normal password and clicks “Log On”. Step 5: PortalGuard validates the username and password in real-time then sends a ran- dom OTP to the user’s mobile phone in the form of an SMS. Step 6: The user is then prompted to enter the OTP. Step 7: The user enters the OTP they received and clicks “Log On”. Step 8: PortalGuard validates the OTP and the user has now established a session with the PortalGuard web server. Step 9: The user gains access to the SAML IdP jump page. Step 10: User clicks a displayed application. Note: The applications available to the user are configurable by the admin. Step 11: The click is serviced by the PortalGuard IdP application. It generates a SAML response and sends it back to the end user wrapped in a HTML form. Step 12: Javascript in the response automatically submits the form to the target server’s Assertion Consumer Service (ACS). Step 13: The target server parses and validates the SAML response. It uses the embed- ded identity claims to determine the user’s identity and allow the user access to the appli- cation, in this case Blackboard.
  • 10. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 9 Tech Brief — SAML Single Sign-on for Higher Education Configuration NOTE: All the following settings are application specific, so you can have different permis- sions for individual users. Configurable through the PortalGuard Configuration Utility: Main  Relying parties  Attribute Stores  IdP Configuration
  • 11. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 10 Tech Brief — SAML Single Sign-on for Higher Education
  • 12. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 11 Tech Brief — SAML Single Sign-on for Higher Education Deployment Implementation of the PortalGuard platform is seamless and requires no changes to Active Directory/LDAP schema. A server-side software installation is required on at least one IIS server on the network. Additional client-side software is not required. All major Web brows- ers, including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safa- ri, are capable of performing SAML authentication to Web servers. IIS Installation A MSI is used to install PortalGuard on IIS 6 or 7.x. If installing PortalGuard on IIS 7.x/ Windows Server 2008, make sure to have installed the following feature roles prior to launching the MSI: 1. All the Web Server Management Tools role services 2. All the Application Development role services 3. All IIS 6 Management Compatibility role services The MSI is a wizard-based install which will quickly guide you through the installation. System Requirements PortalGuard can be installed directly on the following web servers:  IBM WebSphere/WebSphere Portal v5.1 or higher  Microsoft IIS 6.0 or higher  Microsoft Windows SharePoint Services 3.0 or higher  Microsoft Office SharePoint Server 2007 or later The PortalGuard IdP requires the following:  The target server must support SP-initiated SAML SSO using the SAML v2.0 POST binding method  The target server must be configured to not allow manual authentication. Other- wise, users could use that method and bypass the interactions with PortalGuard.  A trust must be configured between the PortalGuard Identity Provider and the target server/Service Provider by importing the PortalGuard public signing certifi- cate.  The end user must have network connectivity (HTTPS) to both the PortalGuard server and the target server.  The PortalGuard server does not need network connectivity to the target server since the user’s browser delivers all SAML messages. The PortalGuard Web server also has the following requirements on Windows operating systems:  .NET 2.0 framework or later must be installed  (64-bit OS only) Microsoft Visual C++ 2005 SP1 Redistributable Package (x64)
  • 13. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 12 Tech Brief — SAML Single Sign-on for Higher Education PortalGuard is fully supported for installation on virtual machines. Furthermore, Portal- Guard can currently be installed on the following platforms:  Microsoft Windows Server 2000  Microsoft Windows Server 2003 (32 or 64-bit)  Microsoft Windows Server 2008 (32 or 64-bit)  Microsoft Windows Server 2008 R2 If you have a platform not listed here, please contact us at sales@portalguard.com to see if we have recently added support for your platform. Alternative SSO Methods This tech brief is intended to highlight SAML-based SSO; however the following single sign-on methods are also supported: Cookie-based SSO: Works by using Web based HTTP Cookies to transport user credentials from browser to server without input from the user. Existing credentials on the client machine are gathered and encrypted before being stored in the cookie and sent to the destination server. The server receives the cookie, extracts and decrypts the credentials and validates them against the internal server directory of users. Kerberos-based SSO: Kerberos enables a user to log into their Windows domain account and then receive SSO to their internal applications. Kerberos requires the user to have connectivity to a central Key Distribution Center (KDC). In Windows, each Active Directory domain controller acts as a KDC. Users authenticate themselves to services (e.g. web servers) by first authenti- cating to the KDC, then requesting encrypted service tickets from the KDC for the specific service they wish to use which happens automatically in all major browsers using SPNEGO (see below). Screen Scraping: Screen scraping deals with recognizing and remembering the dialog boxes that prompt users for their credentials. The idea of "scraping" the fields and layout of these dialogs and automatically entering the user's credentials are the basis behind this SSO type. Claims-based SSO: Claims (aka "assertions") are created by a claims issuer that is trusted by multiple parties. Claims are typically packaged into a digitally signed token that can be sent over the network using Security Assertion Markup Language (SAML). Smart Card-based SSO: With smart card SSO the user is required to enter their smart card into a reader, which then allows them to sign-on to the de- sired application. The smart card information is then used to allow SSO to other applications that the user attempts to access. Biometric-based SSO: Existing biometric authentication can be combined with SSO technologies to further secure and simplify the life of the daily work force. Biometric authentication can include the use of fingerprints, retinal scans, facial scans, hand geometry, and even DNA.
  • 14. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 13 Tech Brief — SAML Single Sign-on for Higher Education Form-filling SSO: Form-filling allows for the secure storage of information that is normally filled into a form. For users that repetitively fill out forms, espe- cially for security access, this technology will remember/store all this infor- mation and secure it with a single password. To access the information the user only has to remember one password and the Form-filling technology can take care of filling in the forms. NTLM-based SSO: It is possible for a user to prove they know their password without actually providing the password itself. NTLM achieves this using a challenge and response protocol that first determines what type of NTLM and encryption mechanisms the client and server mutually support, then crypto- graphically hashes the user's password and sends it to the server requiring authentication. SPNEGO-based SSO: There are instances when the client application and remote server do not know what types of authentication the other one sup- ports. This is when SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) can be used to find out what authentication mechanisms are mu- tually available. Some of these mechanisms can include Kerberos and NTLM authentication. Reduced SSO: Reduced single sign-on is widely used for limiting the number of times a user will be required to enter in their credentials to access different applications. With critical applications, reduced SSO also offers a technique to make sure that a user is not signed on without a second factor of authentica- tion, having been provided by the user. Cross-domain SSO: Credentials may need to be transferred between differ- ent servers and domains, which is referred to as cross-domain single sign-on (CDSSO). By not relying on a master authentication server, CDSSO allows the user to easily be authenticated between separate secure domains, when requesting resources from each. Enrollment-based SSO: A user logging into a website may choose to have their credentials permanently remembered for that site. This is accomplished by creating an encrypted cookie on the user's machine for that web browser that contains the user's credentials. This cookie persists across different browser sessions and restarts of the machine, but will be set to expire after a set period. The next time the user accesses the website, the server recogniz- es the cookie, decrypts it to obtain the user's credentials and completely by- passes the login screen after validating them successfully. Session-based SSO: A user's initial logon to a HTTP server through a web browser results in a session token being generated on the server and returned to the user as an in-memory cookie. From then on, SSO is accomplished by presenting the session token to the server as proof of authentication. True SSO: True SSO is the ability to provide your credentials one time during your computer session and not be asked for credentials again. This is done by leveraging those credentials when navigating to other resources during your session that will also require you to verify your identity.
  • 15. © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 14 Tech Brief — SAML Single Sign-on for Higher Education Platform Layers Beyond single sign-on, PortalGuard is a flexible authentication platform with multiple lay- ers of available functionality to help you achieve your authentication goals:  Contextual Authentication  Self-service Password Reset  Two-factor Authentication  Password Management  Password Synchronization ###