Enterprise Security & SSO
- 1. Actuate Security
Enterprise class, Standards based, Robust and Flexible
Ambareesh Kulkarni, Director
© Actuate Corporation 2008
- 2. Anatomy of an Actuate Application
[Diagram: three firewalls (FW1, FW2, FW3) separating the Web Server Farm, the Application Server farm running the Portal, the Actuate iServer active nodes and the Actuate Encycl.]
- 3. Features of Actuate Security
AuthN & AuthZ
• Authentication – verify that users are who they claim to be
• Authorization – users can only access what the security policy allows
• Role-based access control – grant access based on the user’s role in the organization
• Data privacy – data integrity & reliability
• User registration – external and internal
• Audit information – usage and exceptions
• Transport security – secure delivery of information
- 4. Features of Actuate Security
AuthN & AuthZ
• Non-repudiation of actions – important user actions carry proof of execution to prevent denial
• Session security – user sessions are uniquely identifiable and not subject to masquerading
• Session time-out – session inactivity leads to session termination
• Audit logs – all actions are logged for audit use
• Single sign-on – using multiple systems or services does not require additional credentials
- 5. Features of Actuate Security
AuthN & AuthZ
• Robust authentication & authorization capabilities
• Supports both internal and external authentication
• Can use a combination of UserID/password for authentication
• Optionally:
  • trust credentials passed to it
  • extract the UserID and/or password from encrypted artifacts (e.g. a token or logon ticket)
• Granular authorization
  • Fast and easy mapping of business rules to authorization policy
  • Coarse, medium and fine-grained authorization
• An open, interoperable Java-based architecture with data source flexibility
  • Plug-n-play integration with Web, application and directory services
  • Supports LDAP, RDBMS and any custom data sources
- 6. External User Registration and Authentication process flow
[Diagram: nine numbered steps (labels not recoverable) connecting End Users, the Portal Server, a Business Process Workflow with Automated Access Approval, a Data Store, a Data Repository, Actuate Authentication/Revalidation Services and Actuate.]
- 7. Authorization Controls
What can you protect?
• Server Controls
  • Resource – Universal Resource Indicator…
  • Applications – group of resources…
  • Dynamic Content – EJBs, JSPs, Servlets…
  • Method-level Protection – Access, Get, Post
  • Wild-Card Control – *, /*/, *.*
- 8. Authorization & Privilege Management Levels
• Coarse-grained – limits access at the URL level to protect machines and their contents
• Medium-grained – provides conditional access to Actuate folders and files based on access control lists and user roles
• Fine-grained – controls what data users see once they have access to the report (Page Level Security)
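The three levels above, together with the wild-card control of slide 7, as an added Python illustration. This is not Actuate code: the rule tables, role names, regions, report paths and the page tags are constructed for the example, and treating `*` as "any run of characters" in patterns such as `/*/` and `*.*` is an assumption about the semantics, not something the deck states.

```python
"""Three-level authorization check: coarse (URL rule), medium (folder ACL),
fine (page-level filtering). Added illustration; every table below is constructed."""
import re
from dataclasses import dataclass


@dataclass
class User:
    name: str
    roles: set
    regions: set  # attribute used for fine-grained (page-level) filtering


def glob_to_regex(pattern):
    """Wild-card control: '*' matches any run of characters, everything else is
    literal (assumed semantics for patterns such as /*/ and *.*)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


# Coarse-grained: (URL pattern, allowed methods, allowed roles).
# First matching pattern wins; no match means deny.
COARSE_RULES = [
    ("/admin/*", {"GET", "POST"}, {"admin"}),
    ("/reports/*.rptdocument", {"GET"}, {"analyst", "admin"}),
    ("/public/*", {"GET"}, {"guest", "analyst", "admin"}),
]

# Medium-grained: folder ACLs keyed on roles, inherited by files beneath the folder.
FOLDER_ACL = {
    "/reports/finance": {"finance", "admin"},
    "/reports/sales": {"sales", "admin"},
    "/public": {"guest", "analyst", "admin"},
}

# Fine-grained: each report page is tagged with the region whose data it shows.
REPORT_PAGES = {
    "/reports/finance/q1.rptdocument": [
        {"page": 1, "region": "EMEA"},
        {"page": 2, "region": "APAC"},
        {"page": 3, "region": "EMEA"},
    ],
}


def coarse_check(user, method, url):
    """URL-level decision: method and role must both be allowed by the matching rule."""
    for pattern, methods, roles in COARSE_RULES:
        if glob_to_regex(pattern).match(url):
            return method in methods and bool(user.roles & roles)
    return False


def medium_check(user, path):
    """Folder-level decision: walk up from the file to the nearest folder with an ACL."""
    folder = path
    while "/" in folder:
        folder = folder.rsplit("/", 1)[0]
        if folder in FOLDER_ACL:
            return bool(user.roles & FOLDER_ACL[folder])
    return False  # no ACL anywhere above the file: deny by default


def fine_filter(user, pages):
    """Page-level security: keep only pages whose region the user may see."""
    return [p for p in pages if p["region"] in user.regions]


def fetch_report(user, method, url):
    """Apply the three levels in order; returns (decision, visible pages)."""
    if not coarse_check(user, method, url):
        return "denied-coarse", []
    if not medium_check(user, url):
        return "denied-medium", []
    return "allowed", fine_filter(user, REPORT_PAGES.get(url, []))


if __name__ == "__main__":
    alice = User("alice", {"analyst", "finance"}, {"EMEA"})
    print(fetch_report(alice, "GET", "/reports/finance/q1.rptdocument"))
```

Each level can only narrow what the previous one allowed, which is the property the slide's layering relies on: a user who passes the URL rule still needs the folder ACL, and a user who can open the report still sees only the pages matching their attributes.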
- 9. Usage Logging
What have you accessed?
The Actuate usage log captures ALL user activity.
• Provides records required to meet security policy and compliance requirements
• Helps pinpoint problem areas against policies
• Captures “contextual” information for better diagnosing of issues
- 10. Actuate Security
Scalable and Flexible
[Diagram: End Users reach the Web/App Server through an Enforcement point (Agent or Proxy); a Dispatcher routes to the Authentication Engine, Authorization Engine, Entitlements Engine and Centralized Logging Engine, backed by a Key Server, the Actuate iServer and browser-based Administration.]
- 11. Security Extensions
iPortal Security Extension (iPSE)
• For single sign-on
Report Server Security Extension (RSSE)
• For any external data store, including LDAP & Microsoft Active Directory integration
- 12. Single Cluster supports diverse and disparate security systems
• Actuate integrates with all major security systems and service providers
  • RSA, Netegrity, Kerberos, SAP, Tivoli, BMC, SAML, etc.
• Leverages investments in enterprise security models
• Centralizes the administration of common user information
• Supports multiple authentication and authorization sources from a single iServer cluster
- 13. Java RSSE Architecture
[Diagram: the iServer Endpoint sends an HTTP request (SOAP) to the RSSE Endpoint, whose interface is published by Actuate; the customer’s Java implementation of that interface uses a DB Access API to reach a 3rd-party database (e.g. LDAP) and returns the HTTP response to the iServer RSSE Service.]
- 14. Transport Security
[Diagram: Web Tier → J2EE Server Farm (e.g. WebSphere) → Report Server Farm. The Web Browser session to the Web Tier is SSL encrypted; internal traffic between the J2EE server farm and the report server farm is SOAP/HTTP, optionally encrypted using Stunnel or IPSEC. Same three-firewall layout as slide 2: FW1, FW2, FW3 separating the Web Server Farm, the Application Server farm running the Portal, the Actuate iServer active nodes and the Actuate Encycl.]
- 15. Microsoft IIS Web Tier Integration
• Reverse HTTP proxy – using the AJP plug-in
• Supports IIS forwarding requests to iPortal
• AJP plug-in configured with Microsoft IIS
[Diagram: Microsoft IIS speaks AJP 13 to the AJP connector, which forwards over HTTP to Oracle Containers for J2EE or Actuate iServer Express in front of the iServer Cluster.]
- 16. How It Works: ASP.NET Forms Authentication & SSO with Actuate
[Diagram: Active Directory, Microsoft IIS/ASP.NET, the RSSE, the AJP connector and Oracle Containers for J2EE or Actuate iServer Express in front of the iServer Cluster, with the numbered steps below marked on the arrows.]
1. GET default.aspx HTTP/1.1
2. 302 Redirect, Location: login.aspx
3. POST default.aspx HTTP/1.1, <form data containing credentials>
4. App authentication
5. 200 OK, Set-Cookie: .ASPXAUTH Auth Ticket
6. GET default.aspx HTTP/1.1, Cookie: .ASPXAUTH Auth Ticket
7. Submit Actuate URL from ASP page
8. Report Server Security Extension provides external authentication & registration services
© Actuate Corporation 2008
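The eight-step exchange above, as an added Python simulation with both sides' messages; this is not Actuate's or Microsoft's code. The signing key (standing in for the ASP.NET machine key), the in-memory directory standing in for Active Directory, the `user|expiry|mac` ticket layout used for the `.ASPXAUTH` cookie, and the assumption that the RSSE validates the same signed ticket the ASP page forwards in the Actuate URL (the "trust credentials passed to it" option of slide 5) are all constructed for the example.

```python
"""Simulation of the ASP.NET forms-authentication -> Actuate SSO flow (steps 1-8).
Added illustration; keys, directory, ticket format and RSSE behaviour are assumed."""
import hashlib
import hmac
import time

# Constructed demo values: a shared signing key (plays the ASP.NET machineKey
# role) and an in-memory directory standing in for Active Directory.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
DIRECTORY = {"alice": "s3cret-demo"}


def make_ticket(username, ttl_seconds=1800, now=None):
    """Build a signed, expiring auth ticket (assumed layout: user|expiry|mac)."""
    expiry = int((now or time.time()) + ttl_seconds)
    payload = f"{username}|{expiry}"
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_ticket(ticket, now=None):
    """Return the username if the ticket is authentic and unexpired, else None."""
    parts = ticket.split("|")
    if len(parts) != 3:
        return None
    username, expiry, mac = parts
    expected = hmac.new(SIGNING_KEY, f"{username}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time MAC comparison
        return None
    if not expiry.isdigit() or int(expiry) < (now or time.time()):
        return None
    return username


def asp_net_app(request):
    """IIS/ASP.NET side: produces the responses of steps 2, 5 and 6/7."""
    ticket = request.get("cookies", {}).get(".ASPXAUTH", "")
    if request["method"] == "POST" and request["path"] == "/default.aspx":
        form = request.get("form", {})
        # Step 4: application authentication against the directory
        if DIRECTORY.get(form.get("user")) == form.get("password"):
            # Step 5: 200 OK with Set-Cookie: .ASPXAUTH
            return {"status": 200, "body": "authenticated",
                    "set_cookie": {".ASPXAUTH": make_ticket(form["user"])}}
        return {"status": 401, "body": "invalid credentials"}
    user = verify_ticket(ticket)
    if user is None:
        # Step 2: an unauthenticated request is redirected to the login page
        return {"status": 302, "location": "/login.aspx"}
    # Step 7: the authenticated ASP page hands the browser an Actuate URL that
    # carries the ticket as the trusted credential (assumption: RSSE shares the key)
    return {"status": 200, "body": f"welcome {user}",
            "actuate_url": f"/iportal/?userid={user}&ticket={ticket}"}


def rsse_authenticate(userid, ticket):
    """Step 8: the Report Server Security Extension validates the external credential."""
    return verify_ticket(ticket) == userid


def run_flow(username, password):
    """Drive the browser side through steps 1-8; returns (step, status, location) tuples."""
    trace = []
    r1 = asp_net_app({"method": "GET", "path": "/default.aspx"})          # step 1
    trace.append(("GET /default.aspx", r1["status"], r1.get("location")))  # step 2
    r3 = asp_net_app({"method": "POST", "path": "/default.aspx",          # step 3
                      "form": {"user": username, "password": password}})
    trace.append(("POST /default.aspx", r3["status"], None))
    if r3["status"] != 200:
        return trace
    cookies = r3["set_cookie"]
    r6 = asp_net_app({"method": "GET", "path": "/default.aspx",
                      "cookies": cookies})                                  # step 6
    trace.append(("GET /default.aspx (cookie)", r6["status"], None))
    query = dict(kv.split("=", 1)
                 for kv in r6["actuate_url"].split("?", 1)[1].split("&"))
    ok = rsse_authenticate(query["userid"], query["ticket"])               # step 8
    trace.append(("RSSE authenticate", 200 if ok else 401, None))
    return trace


if __name__ == "__main__":
    for step in run_flow("alice", "s3cret-demo"):
        print(step)
```

The point to take from the simulation is where trust is established: the browser only ever presents the ticket, so the report server's acceptance of the user rests entirely on the ticket's integrity and expiry checks in the RSSE, which is why the key shared between the ASP.NET tier and the extension, and the session time-out of slide 4, matter.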