SAML and Other Types of Federation for Your Enterprise

SAML and Other Types of Federation for Your Enterprise, session from BriForum London 2014

  1. SAML and Other Types of Federation for Your Enterprise. Denis Gundarev, Senior Consultant, Entisys Solutions. May 20, 2014. (@fdwl #BriForum @entisys)
  2. Based on a true story
  3. About me
  4. Agenda
     • What is federated authentication
     • How to add federation support for your legacy applications
  5. Identity and Account Management Basics
     • Identity Management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within the enterprise
     • Integral components of identity and access management:
       • Identification
       • Authentication
       • Authorization
  6. Identification vs. Authentication vs. Authorization
  7. Entity vs Identity vs Credential vs Attribute
     • Entity: person, computer
     • Identity: Active Directory account, passport number, serial number
     • Credential: passport, credit card, Kerberos token
     • Attribute: address, qualification, criminal record
  8. Attribute Assertion
     • An attribute assertion is a claim made by someone (the asserter) that a particular person possesses a particular attribute.
       • A college can confirm that a person has graduated.
       • Active Directory can confirm that a password is correct.
     • A digitally signed attribute assertion = authorization credential.
     Source: David W. Chadwick, Federated Identity Management, http://kar.kent.ac.uk/30609/1/FederatedIdManChapter.pdf
  9. Credential Types
     • Credential authenticity
       • The credential has not been tampered with
       • Received exactly as issued by the issuing authority
       • Digitally signed to prove authenticity
     • Credential validity
       • Monopoly money is authentic if obtained from the Monopoly game pack: valid for buying things in the game, NOT valid in a grocery store
       • A credit card is an authentic credential: valid in Marks & Spencer, not valid in a fishing village in the middle of nowhere during the night
     Source: David W. Chadwick, Federated Identity Management, http://kar.kent.ac.uk/30609/1/FederatedIdManChapter.pdf
  10. What is Federation? A set of standards-based technology and IT processes to facilitate distributed identification, authentication and authorization across boundaries (security, departmental, organizational or platform).
  11. Federation Example (diagram: the Identity Provider (IdP) issues an attribute assertion about an entity to the Service Provider (SP), which controls the resources)
  12. Federation Example
     • Facebook performs authentication and generates a signed attribute assertion with the user name and a unique user ID
     • Digg maintains the user database and authorization
  13. Why Do I Need Federation?
     • Provide access to your applications to suppliers or partners
     • Quickly onboard an acquired organization
     • Provide access for temporary workers by using a "bring your own identity" model
     • Service Providers
  14. Can't I Just Create User Accounts?
     • More work for you
     • Less security for your network
     • No control over the user population
  15. Can't I Just Use Forest Trusts?
     • Network connection between partners
     • User principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces are replicated
     • DNS configuration is required
  16. Benefits of Federation
     • Better access experience
       • Single sign-on across networks and organizational boundaries
     • Increased security and simpler administration
       • Heightened identity assurance
       • No passwords involved
       • Account de-activation is handled by the account partner
       • The account partner can easily be disabled at the organizational level
       • Strong authentication such as user certificates or OTP tokens can be layered on top of federation claims
  17. Benefits of Federation (diagram of identity sources grouped into Corporate Directories, Partners, Private-Sector IdPs and Special Cases: Active Directory, LDAP, Kerberos, Anonymous users, One-time Access, ADFS, OpenSSO, PingIdentity, Office365, Google, Microsoft, Facebook, Twitter)
  18. SAML
     • SAML: Security Assertion Markup Language
     • XML-based security specification for exchanging authentication and authorization information
     • Developed by the OASIS standards organisation
     • Uses HTTP as a communication protocol
     • Designed to address the complexities of establishing business-to-business communication between differing systems
  19. SAML Assertion
     • A set of statements (claims) made by a SAML authority (Identity Provider, IdP)
     • Authentication statement: the subject was authenticated using a particular technique at a particular time
     • Attribute statement: particular attribute values are associated with the subject
     • Optional authorization decision statement: the subject is authorized to perform certain actions
  20. SAML Assertion (example slide)
  21. X.509 Certificates
     • Trust is managed through certificates
     • Certificates for
       • HTTPS communications
       • Security token signing and encryption
     • Require PKI for the A and B certificates; C and D can be self-signed
     (diagram: communication certificates A and B, each chaining to its own root, secure the HTTPS link between issuer and relying party; the issuer signs the security token (ST) with certificate C, whose public key the relying party holds; the relying party's encryption certificate D, whose public key the issuer holds, encrypts the ST)
  22. Federation Metadata
     • During the establishment of the issuer / relying party trust, both parties require configuration which includes
       • Endpoints for communication
       • Claims offered by the issuer
       • Claims accepted by the relying party
       • Public keys for signing and encryption
     • This information can be configured manually or automatically via the exchange of federation metadata
     • Federation metadata can be updated automatically
  23. SAML IdP Example
  24. Active Directory Federation Services
     • AD FS 1.0 was released with Windows Server 2003 R2 as part of the operating system
     • AD FS 1.1 was released with Windows Server 2008 and was carried into Windows Server 2008 R2
     • AD FS 2.0 was released after Windows Server 2008 R2. It was released to the web and is free to download.
     • AD FS 2.1 was released with Windows Server 2012 as part of the operating system
  25. ADFS 1.x
     • AD FS 1.x is limited
       • WS-Federation Passive Requestor Profile (browser)
       • SAML 1.0 tokens
     • SAML 2.x is not backward compatible with SAML 1.x, so forget about ADFS 1.x
  26. ADFS 2.x
     • A SAML implementation (both IdP and SP) from Microsoft
     • An AD-based single sign-on system
     • SAMLv2 authentication
     • Allows single sign-on support for web-based applications
     • ADFS for Windows 2008 R2 has SAML 2.0 support
  27. Can I Have it Out of the Box?
     • Not with StoreFront
     • Web Interface 5.4 supports ADFS out of the box!
       • ADFS version 1.1 only
       • Windows Server 2003 R2 only
       • 32-bit edition of 2003 R2 only
       • Not supported with NetScaler, Secure Gateway only
       • Does not work with XenDesktop
  28. Authentication in XenApp/XenDesktop
     • Support for several authentication methods
       • Smart cards, client certificates, RSA SecurID, etc.
     • Support for OS and non-OS credential stores
       • OS: Active Directory and eDirectory
       • Non-OS: LDAP, RADIUS, 3rd-party authentication methods
     • Leverage authentication methods supported by Windows:
       • Smartcard support
       • Client certificate support
       • Custom 3rd-party authentication mechanisms through GINA extensions
     • Leverage Windows authentication to flow the OS identity tokens between Access Infrastructure services
       • Example: flowing Kerberos tickets between the ICA client and the XenApp server
  29. (diagram slide, no text)
  30. SAML SP Example
  31. NetScaler & SAML Authentication
     • NetScaler can act as a Service Provider (SP)
     • Users can be authenticated on an LB or CS vserver
     • NetScaler Gateway 10.1 supports SAML 2.0
     • Configuring SAML Authentication on NetScaler Gateway: http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-authen-saml-con.html
     • NetScaler practical / SAML AAA against simplesamlphp IdP: http://blogs.citrix.com/2012/08/24/174193098/
     • How to Configure NetScaler SAML to Work with Microsoft AD FS 2.0 IdP: https://support.citrix.com/article/CTX133919
     • Does not provide metadata; use the metadata builder at http://samlmetajs.simplesamlphp.org/demo
  32. Authentication flow (diagram with browser, NetScaler (SP), IdP and Active Directory; the SP trusts the IdP)
     • The user browses to NetScaler Gateway and is not authenticated
     • The browser is redirected to the IdP, which authenticates the user and queries Active Directory for the user's attributes
     • The IdP returns a security token (ST) to the browser, which sends the token to NetScaler
     • NetScaler returns the page and a session cookie
  33. Metadata
     • NetScaler does not provide metadata
     • Use the metadata builder at http://samlmetajs.simplesamlphp.org/demo
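Slide 22 lists what the two sides exchange through metadata, and slides 31 and 33 note that NetScaler cannot export its own. As an added example (not Citrix or simplesamlphp code), the block below builds the SP EntityDescriptor that a metadata builder would produce from an entity ID, assertion consumer URL and signing certificate, and parses IdP metadata to extract the single sign-on endpoints and signing certificate. All entity IDs, URLs and certificate text are constructed placeholders.

```python
"""Build SP metadata and parse IdP metadata with the standard library.

Added example, not from the deck. The IdP metadata document, entity IDs,
URLs and certificate text below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata as an SP would receive it from the partner.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.partner.example/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        MIIBplaceholderIdpCert
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.partner.example/idp/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.partner.example/idp/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def build_sp_metadata(entity_id, acs_url, signing_cert_b64, want_signed=True):
    """Return an EntityDescriptor (as a string) describing the service provider."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    ed = ET.Element("{%s}EntityDescriptor" % MD, entityID=entity_id)
    sp = ET.SubElement(ed, "{%s}SPSSODescriptor" % MD,
                       protocolSupportEnumeration=SAMLP,
                       AuthnRequestsSigned="true",
                       WantAssertionsSigned=str(want_signed).lower())
    # Signing key the IdP uses to verify our AuthnRequests (slide 22: public keys).
    kd = ET.SubElement(sp, "{%s}KeyDescriptor" % MD, use="signing")
    ki = ET.SubElement(kd, "{%s}KeyInfo" % DS)
    x509 = ET.SubElement(ki, "{%s}X509Data" % DS)
    ET.SubElement(x509, "{%s}X509Certificate" % DS).text = signing_cert_b64
    # Endpoint the IdP posts the SAML response to (slide 22: endpoints).
    ET.SubElement(sp, "{%s}AssertionConsumerService" % MD, Binding=POST_BINDING,
                  Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")


def _signing_certs(descriptor):
    """Certificates usable for signature verification (no 'use' means both)."""
    certs = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
            certs.append("".join(cert.split()))
    return certs


def parse_idp_metadata(xml_text):
    """Extract what the SP must configure: entity ID, SSO endpoints, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    info = {"entity_id": root.get("entityID"), "sso": {}, "signing_certs": _signing_certs(idp)}
    for sso in idp.findall("md:SingleSignOnService", NS):
        info["sso"][sso.get("Binding")] = sso.get("Location")
    return info


def parse_sp_metadata(xml_text):
    """Extract what the IdP must configure from SP metadata (round-trip check)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    acs = sp.find("md:AssertionConsumerService", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_certs": _signing_certs(sp),
    }


if __name__ == "__main__":
    print(build_sp_metadata("https://go.example.com/", "https://go.example.com/cgi/samlauth", "MIIBplaceholderSpCert"))
    print(parse_idp_metadata(SAMPLE_IDP_METADATA))
```

The entity ID passed to build_sp_metadata should match the -samlIssuerName the SP sends, since that is the value the IdP will place in the assertion's Audience.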
  35. Federation Example (Shadow Accounts)
     • Facebook performs authentication and generates a signed attribute assertion with the user name and a unique user ID
     • Digg maintains the user database and authorization
  36. Shadow Accounts
     • Required to delegate access to non-claim-aware resources
     • Regular user account
     • Mapped to the attribute received from the IdP
     • Can be mapped to any attribute
  37. SAML for XenApp/XenDesktop Options
     • S4U (Service-for-User) Kerberos extensions
     • Kerberos delegation and S4U on NetScaler: too complicated
     • S4U on Web Interface? No future!
     • S4U on StoreFront? You mean StoreFront code customization?
  38. SAML for XenApp/XenDesktop Options (diagram slide)
  39. Explicit Auth in XD/XA (diagram: Client, Web Interface (WI), DDC, VDA, servers such as file server and Exchange, and DC; the password flows from the client components (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine) through WI, IMA / DDC and a WI ticket to the VDA, where Winlogon authenticates to the DC, gets a TGT and obtains service tickets)
  40. Solution
     • NetScaler SAML authentication
     • NetScaler FormFill SSO profile
     • Custom Account Manager Service
     • NetScaler HTTP callout
     • NetScaler rewrite policy
  41. Account Manager Service
     • Web application
     • Creates shadow user accounts with a random password in AD
     • Stores the password securely
     • Responds to an HTTP request with the user's password:
         GET /GetPassword/gundarev@partner.com
         Response: 0@J4y9jCv9CHzP2Q!rhMHY@7AOk7vfF2Rf1!T!i29QG^se^RQZbhjt4fOOmn$CN4
  42. SAML Authentication Profile
         add authentication samlAction PartnerIdp -samlIdPCertName Partner-idp -samlSigningCertName ns-server-certificate -samlRedirectUrl "https://osso.partner.com:443/opensso/SSOPOST/metaAlias/partnernet/idp" -samlUserField mail -samlRejectUnsignedAssertion OFF -samlIssuerName "https://go.example.com/"
         add authentication samlPolicy PartnerIdp ns_true PartnerIdp
  43. Form SSO Profile
         add vpn formSSOAction WebInterfaceFormSSOProfile -actionURL "/SSO/auth/login.aspx" -userField email -passwdField donotuse -ssoSuccessRule "Http.RES.SET_COOKIE.COOKIE(\"WIAuthId\").VALUE(\"WIAuthId\").LENGTH.GT(10) && Http.RES.STATUS.EQ(302)" -nameValuePair "password=&LoginType=Explicit" -nvtype STATIC -submitMethod POST
         add vpn trafficAction WebInterfaceFormSSOTrafficProfile http -appTimeout 120 -SSO ON -formSSOAction WebInterfaceFormSSOProfile
         add vpn trafficPolicy WebInterfaceFormSSOTrafficPolicy "(URL CONTAINS /sso/auth/login.aspx) && METHOD == GET && HEADER Cookie CONTAINS WIClientInfo" WebInterfaceFormSSOTrafficProfile
  44. Callout and Rewrite
         add policy httpCallout AccountManager
         set policy httpCallout AccountManager -vServer AccountManager -returnType TEXT -hostExpr "\"CN1-ACCMAN01.example.com\"" -urlStemExpr "\"/GetPassword/\" + http.REQ.BODY(500).AFTER_REGEX(re#email=#).BEFORE_REGEX(re#&#)" -resultExpr "http.RES.BODY(1000).XPATH(xp%/%)"
         add rewrite action ReplaceEmptyPasswordAction replace_all "HTTP.REQ.BODY(500)" "\"&password=\" + SYS.HTTP_CALLOUT(AccountManager).HTTP_URL_SAFE + \"&\"" -search "regex(re/&password=[ -~]*&/)" -bypassSafetyCheck YES
         add rewrite policy ReplaceEmptyPasswordPolicy "http.req.method.eq(POST) && HTTP.REQ.URL.PATH.TO_LOWER.EQ(\"/sso/auth/login.aspx\")" ReplaceEmptyPasswordAction
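Slides 41, 43 and 44 together describe one request path: the SAML-authenticated user's e-mail is submitted to the Web Interface login form with an empty password, the HTTP callout fetches the shadow account's password from the Account Manager, and the rewrite policy substitutes it into the POST body before it reaches Web Interface. The following added example (plain Python, not NetScaler policy code or the deck's Account Manager) models that path so the callout URL expression, the password-substitution regex and the lookup can be exercised offline. The account store, random passwords and form bodies are constructed. The substitution stops at the first '&' after the password so later form fields survive, where the slide's greedy regex would swallow them if more fields followed; and because the GetPassword response is the shadow account's password, the real endpoint should answer only the NetScaler callout and only over TLS.

```python
"""Model of the shadow-account login rewrite from the BriForum deck.

Added example, not NetScaler or Citrix code. The AccountManager class
stands in for the custom web application on slide 41; the two functions
below mirror the callout urlStemExpr and rewrite action on slide 44.
All accounts and passwords are constructed at runtime.
"""
import re
import secrets
import string
from urllib.parse import quote

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
LOGIN_PATH = "/sso/auth/login.aspx"


def new_shadow_password(length=32):
    """Random password for a shadow AD account, meeting the usual complexity classes."""
    while True:
        pwd = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pwd) and any(c.isupper() for c in pwd)
                and any(c.isdigit() for c in pwd) and any(c in "!@#$%^&*" for c in pwd)):
            return pwd


class AccountManager:
    """Stand-in for the Account Manager web application.

    Shadow accounts are keyed by the IdP attribute NetScaler extracts
    (-samlUserField mail on slide 42)."""

    def __init__(self):
        self._accounts = {}

    def ensure_shadow_account(self, idp_attribute):
        """Create the shadow account on first sight; return its password."""
        if idp_attribute not in self._accounts:
            self._accounts[idp_attribute] = new_shadow_password()
        return self._accounts[idp_attribute]

    def get_password(self, path):
        """GET /GetPassword/<idp attribute> -> password, or None if unknown."""
        m = re.fullmatch(r"/GetPassword/([^/]+)", path or "")
        if m is None:
            return None
        return self._accounts.get(m.group(1))


def callout_url_stem(body):
    """urlStemExpr: "/GetPassword/" + body.AFTER_REGEX(re#email=#).BEFORE_REGEX(re#&#)."""
    m = re.search(r"email=([^&]*)", body[:500])
    return None if m is None else "/GetPassword/" + m.group(1)


def url_safe(value):
    """HTTP_URL_SAFE: percent-encode everything outside the unreserved set."""
    return quote(value, safe="")


def should_rewrite(method, path):
    """ReplaceEmptyPasswordPolicy: POST to /sso/auth/login.aspx (case-insensitive)."""
    return method == "POST" and path.lower() == LOGIN_PATH


def rewrite_login_body(body, manager):
    """ReplaceEmptyPasswordAction: replace '&password=...&' with the callout result.

    The regex is non-greedy so only the password field is replaced; the slide's
    greedy [ -~]* would also consume any fields that follow the password."""
    pwd = manager.get_password(callout_url_stem(body))
    if pwd is None:
        return body  # unknown user: leave the empty password for WI to reject
    head, tail = body[:500], body[500:]
    head = re.sub(r"&password=[ -~]*?&", lambda m: "&password=" + url_safe(pwd) + "&", head, count=1)
    return head + tail


if __name__ == "__main__":
    mgr = AccountManager()
    mgr.ensure_shadow_account("gundarev@partner.com")
    print(rewrite_login_body("email=gundarev@partner.com&password=&LoginType=Explicit", mgr))
```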
  45. Communication flow (diagram participants: user browser, ADFS, Active Directory, Account Manager, NetScaler, StoreFront, XenDesktop Controller)
     1. The user authenticates at the SSO portal
     2. SSO sends the SAML response to the user's browser
     3. The user's browser POSTs the SAML response to NetScaler Gateway
     4. NetScaler requests the shadow user's credentials from the Account Manager
     5. The Account Manager sends the credentials back to NetScaler
     6. NetScaler submits the shadow user's credentials to StoreFront
     7. StoreFront requests a XenDesktop token from the DDC
     8. The DDC sends the XenDesktop token back to StoreFront
     9. StoreFront sends the ICA file
     10. Citrix Receiver connects to the Access Gateway
     11. NetScaler Gateway connects to the desktop VDA
     12. The shadow user is logged on
  46. SAML-enabled solutions
     • Cloud: www.pingidentity.com, www.ssoeasy.com, www.forumsys.com, www.okta.com, www.onelogin.com, www.cloudentr.com, Azure Active Directory, Google Apps
     • On prem: Microsoft ADFS, Oracle OpenSSO, ForgeRock OpenAM, PingFederate, RCDevs OpenID, Novell Access Manager, IBM Tivoli Access Manager, JBoss SSO
  47. Q&A: j.mp/gundarev, @fdwl, DenisG@entisys.com
