Your SlideShare is downloading. ×
0
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Extending Oracle SSO
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Extending Oracle SSO

10,278

Published on

With a complete new Identity/Access Management Suite on the Oracle market, …

With a complete new Identity/Access Management Suite on the Oracle market,
one might forget the good old SSO server, bundled with each and every IAS server.
Although it has some out-of-the-box capabilities like WNA and X509 certificate support,
it can be quite hard to set up an authentication scheme just the way you (or your customers) like it.
Using a case study, this presentation discusses how you can extend Oracle’s Single
Sign On (SSO) server to your needs. It will discuss :
- Integration & authentication with smartcard passports (eID)

- Authentication with digital certificates

- Implementing fallback authentication schemes

- Integration with SSL terminators and reverse proxies

- DIY federated authentication

- writing your own SSO plugin

The solutions presented are part of AXI NV/BV's portfolio.

Published in: Technology
2 Comments
1 Like
Statistics
Notes
No Downloads
Views
Total Views
10,278
On Slideshare
0
From Embeds
0
Number of Embeds
12
Actions
Shares
0
Downloads
331
Comments
2
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Extending the Oracle Single Sign On (SSO) Server Kurt Van Meerbeeck AXI NV/BV [email_address] www.axi.be www.axi.nl session 389
  • 2. Extending Oracle SSO Server
    • Who am i
      • Kurt Van Meerbeeck
        • Engineer in electronics
        • Working with Java since 1996 (jdk 1.0.2)
        • Working with Oracle products since 1997 (Oracle 7.3.x, OAS 3.0)
      • Currently work for AXI NV/BV
        • Oracle Partner in the Benelux area ( www.axi.be/www.axi.nl )
        • Oracle rdbms/ias
      • Author of DUDE
        • Data Unloader tool (www.ora600.be)
      • Member of the Oaktable Network
        • www.oaktable.net
  • 3. Extending Oracle SSO Server
    • Agenda
      • Case study – the challenge
        • Customer requirements
      • SSO – a small recap
        • Components
        • Workflow
        • SSO Plugins
      • Solution
        • LAN access
        • Internet access using OCA certificate
        • Internet access using eID passport
        • DIY federated authentication
  • 4. Presenting the case
    • Insurance company
    • 800 broker offices
      • 3000 brokers
    • Backoffice application
        • Visual Basic
        • Citrix
        • Oracle RDBMS
        • All business logic in PLSQL
  • 5. Presenting the case Database tier Citrix Farm COM+ servers Fax Brokers Backoffice App
    • Proposal processing via
    • FAX
    Company A Company C
  • 6. Presenting the case Database tier COM+ servers Private Network Portima Brokers Company A Company n Company B Broker App Broker App Broker App Broker App Third party app (PORTIMA) Authentication using Office ID & suboffice ID
    • Proposal processing via
    • 3th party broker app
  • 7. Presenting the case
    • Web-enable it !!!
    • Technology – Internet Application Server
      • Oracle Portal
      • Oracle Webforms
      • Using existing PLSQL packages – business logic
  • 8. Presenting the case
    • 3 options to connect
    LAN Backoffice user INTERNET broker PORTIMA broker private network internet
  • 9. Presenting the case
    • 4 ways to authenticate
    LAN Backoffice user
    • INTERNET
    • Broker
    • eID (certificate) + pincode
    • OCA digital certificate+password
    PORTIMA broker private network (http) Internet (https) Username+password Office ID/Suboffice ID Portima Authentication server Map portima ID to oracle ID
  • 10. The challenge
    • Multiple complex authentication schemes
      • using Belgian eID
        • only eID pin code required
        • automatic logon to IAS
      • authentication using certificates signed by OCA
        • SSO password required to logon to IAS
      • federated authentication
        • private network
        • brokers already authenticated with our partners SSO server
        • map partner identity to IAS SSO identity
        • automatic logon to IAS
      • internal LAN users
        • SSO username/password required
    internet private LAN
  • 11. The challenge
    • Other requirements (challenges)
    • only develop in PLSQL
      • Technology : Oracle Webforms & Portal
        • only java / signed jar files
          • eID
          • printing
      • custom multiple logon screens
        • Holding has multiple companies
        • Company Look & feel
        • PLSQL using OWA, UTL_HTTP, & Mod_plsql
      • custom PLSQL APIs (for use in webforms)
        • Oracle Certificate Authority (OCA) (integration with openSSL)
        • Single Sign On Server (SSO)
        • Identity Management (IM) instead of OIDDAS ( dbms_ldap )
  • 12. Yeah well ... and I WANT A PORSCHE
  • 13. Extending Oracle SSO Server
    • Agenda
      • Case study – the challenge
        • Customer requirements
      • SSO – a small recap
        • Components
        • Workflow
        • SSO Plugins
      • Solution
        • LAN access
        • Internet access using OCA certificate
        • Internet access using eID passport
        • DIY federated authentication
  • 14. A small recap
    • Oracle AS Components
      • Middle tiers
        • OHS – apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
        • Webcache
        • J2EE
        • Forms, Reports, Disco
        • Portal
  • 15. A small recap
    • Oracle AS Components
      • Infrastructure
        • OHS – apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
        • OID – LDAP
        • J2EE
        • SSO server
        • OCA
        • Rdbms – portal, sso, oca and other configuration & meta data
  • 16. Understanding the SSO Architectuur
    • Lots of moving parts
      • http redirects
      • SSO & Partner cookies
      • Token obfuscation
    PLSQL API in case of Oracle Portal
  • 17. SSO workflow – not yet authenticated INFRA.axi.be MID.axi.be apache Mod_osso Mod_oc4j Mod_plsql J2ee apache Mod_osso Mod_oc4j Mod_plsql J2ee Oc4j_security oca OID LDAP IASDB http://my.company.com
    • Apache virtual host
    • Make it a SSO partner app
    • register it
      • ptlconfig – portal
      • ossoreg.jar – mod_osso
        • mod_osso.conf
        • <location /app>
        • require valid-user
        • AuthType basic
        • </location>
  • 18. SSO workflow – not yet authenticated INFRA.axi.be MID.axi.be apache Mod_osso Mod_oc4j Mod_plsql J2ee apache Mod_osso Mod_oc4j Mod_plsql J2ee Oc4j_security oca OID LDAP IASDB http://my.company.com NameVirtualHost *:80 <VirtualHost *:80> ServerName my.company.com Port 80 # Include the configuration files # needed for mod_osso OssoConfigFile /OH/my_comp_osso.conf </VirtualHost> infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y> Partner cookie available ? SSO cookie ? -> Generate Redirect to logon page http://infra.axi.be/sso/jsp/login.jsp $OH/sso/policy.properties
  • 19. SSO workflow – not yet authenticated INFRA.axi.be MID.axi.be apache Mod_osso Mod_oc4j Mod_plsql J2ee apache Mod_osso Mod_oc4j Mod_plsql J2ee Oc4j_security oca OID LDAP IASDB http://my.company.com
  • 20. SSO workflow – not yet authenticated INFRA.axi.be MID.axi.be apache Mod_osso Mod_oc4j Mod_plsql J2ee apache Mod_osso Mod_oc4j Mod_plsql J2ee Oc4j_security oca OID LDAP IASDB http://my.company.com
    • HTTP POST
    • Username
    • Password
    • Site-token
    Check credentials in LDAP/OID
    • If OK
    • Generate SSO cookie (SSO_ID)
    • Generate redirect to
    • http://my.company.com/osso_login_success?urlc=<sitetoken>
    Generate Partner cookie Generate redirect to the original URL (sitetoken)
  • 21. SSO workflow – already authenticated INFRA.axi.be MID.axi.be apache Mod_osso Mod_oc4j Mod_plsql J2ee apache Mod_osso Mod_oc4j Mod_plsql J2ee Oc4j_security oca OID LDAP IASDB http://my.company.com
    • Mod_osso intercepts URL
    • finds partner cookie on client
    • request continues ...
  • 22. SSO workflow – already authenticated INFRA.axi.be MID.axi.be apache Mod_osso Mod_oc4j Mod_plsql J2ee apache Mod_osso Mod_oc4j Mod_plsql J2ee Oc4j_security oca OID LDAP IASDB http://my.company.com
    • Mod_osso intercepts URL
    • NO partner cookie on client
    • (there is one – but the cookie
    • Domain is .company.com)
    http://my.other-company.com Redirect to infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y>
    • There’s already an SSO cookie (SSO_ID)
    • on the client – and my.other-company.com
    • is a partner app
    • Generate redirect to
    • http://my.other-company.com/osso_login_success?urlc=<sitetoken>
    Mod_osso deobfuscates the site-token Redirects to original URL
  • 23. SSO workflow - recap
    • Things to remember
      • Cookies
        • 1 SSO cookie – infrastructure – shared
        • 1 cookie / partner app (virtual host)
      • Site-token
        • Obfuscated in the beginning
        • De-obfuscated at the end
      • Lots of moving parts
        • Different technologies
  • 24. SSO plugins
    • Out-of-the box
      • Default : username/password
      • supports X509 digital certificates
        • supports fallback authentication (but we don’t want that)
        • SSOX509CertAuth plugin
      • supports WNA
        • supports fallback authentication (but we don’t want that)
        • SSOKerbeAuth plugin
      • multilevel authentication (but we don’t need that)
        • <location x> requires username/password
        • <location y> requires digital certificate
  • 25. SSO plugins
    • But we need more complex authentication
      • LAN: username/password
      • Private network : federated authentication
      • Internet : digital certificates/passwords & pincodes
    • SSO server allows custom plugins !
  • 26. SSO plugins
    • Plugins mostly used for integrating
      • Third party authentication devices
      • (example RSA ClearThrust)
    • [ Bootstrap ID’s
    • [ Exchange ID tokens through HTTP
    • headers
    • [ Lookup the ID token and map it on
    • a Oracle SSO ID
  • 27. SSO plugins – object model
      • Plugin can either
      • [ Extend SSOServerAuth class
      • - fallback authentication possible
      • [ Implement IPASAuthInterface interface
      • Plugin implements methods
      • [ authenticate(HttpServletRequest)
      • returns instance of IPASUserInfo
      • package oracle.security.sso.server.auth;
      • Read the user token from HTTP headers ;
      • No token found in HTTP headers ?
      • -> throw new IPASInsufficientCredException(“No EID header found)
      • -> fallback authentication : super.authenticate(httpservletrequest)
      • Decode the token to a SSO username ;
      • IPASUserInfo authUser = new IPASUserInfo(username);
      • Return authUser ; -> you’re authenticated !!!
      • Return new IPASUserInfo(“orcladmin”) ;
    IPASAuthInterface SSOServerAuth Custom Plugin SSOX509CertAuth SSOKerbeAuth implements extends
  • 28. SSO plugins – object model
      • Plugin implements methods
      • [ getUserCredentialPage
      • (HttpServletRequest,
      • String)
      • returns instance of URL
      • return super.getUserCredentialPage
      • (httpservletrequest, msg);
    IPASAuthInterface SSOServerAuth Custom Plugin SSOX509CertAuth SSOKerbeAuth implements extends
  • 29. SSO plugins – object model
      • [ Compiling & enabling your plugin
      • Compiling
        • [ CLASSPATH : ipastoolkit.jar, servlet.jar,
        • ossocls.jar
        • [ Put it in the right place !
        • INFRA:$OH/j2ee/OC4J_SECURITY/
        • applications/sso/web/WEB-INF/lib
      • Enabling
        • [ INFRA:$OH/sso/conf/policy.properties
        • MediumSecurity_AuthPlugin = oracle.security.sso.server.auth. eIDSSOAuth
        • [ Restart SSO server
        • opmnctl restartproc process-type=OC4J_SECURITY
    IPASAuthInterface SSOServerAuth Custom Plugin SSOX509CertAuth SSOKerbeAuth implements extends
  • 30. SSO plugins
    • SSO plugins
      • Authenticate users the way you want
      • Trust 3th party authentication
        • EID
        • PORTIMA authentication server
      • But it’s java
        • Deal with it
  • 31. Extending Oracle SSO Server
    • Agenda
      • Case study – the challenge
        • Customer requirements
      • SSO – a small recap
        • Components
        • Workflow
        • SSO Plugins
      • Solution
        • LAN access
        • Internet access using OCA certificate
        • Internet access using eID passport
        • DIY federated authentication
  • 32. SSO custom logon screen INFRA.axi.be MID.axi.be apache J2ee SSO PLUGIN OID LDAP IASDB http://my.company.com apache J2ee OID LDAP PLSQL using OWA_UTIL $OH/sso/policy.properties http://infra.axi.be/pls/login_page Plsql Login_page What site do you want to enter ? ORASSO.WWSSO_UTL.unbake_site2pstore_token -> my.company.com Generate a different logon screen
  • 33. SSO custom logon screen apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO PLUGIN OID LDAP IASDB J2ee OID LDAP Plsql Login_page
    • Submit credentials to plsql proxy
    • SSO cookie, http redirect, sitetoken are proxy’d
    • offloading functionality from SSO plugin to PLSQL
    • easier integration with reverse proxies
    • manipulate redirects/sitetokens (Vista)
  • 34. SSO custom login
    • LAN users – check !
    • Internet brokers ?
      • PKI
    LAN Backoffice user
    • INTERNET
    • Broker
    • eID (certificate) + pincode
    • OCA digital certificate+password
    PORTIMA broker private network (http) Internet (https) Username+password Office ID/Suboffice ID Portima Authentication server Map portima ID to oracle ID
  • 35. Public Key Infrastructure
    • A few slides on PKI ...
    • PKI is a collection of
    • services,
    • protocols
    • and
      • standards
      • supporting
      • public key cryptography
  • 36. Public Key Infrastructure
    • Certificate Authorities (CA)
      • Request/revoke/renw certificates
    • Registration Authorities (RA)
      • Verify identities
    • Online repositories
      • LDAP
    • Certificate Revocation List (CRL)
      • List with revoked certficates
    • Entities
      • Clients, servers, applications
    • Public key certificate (X509, PKCS#)
  • 37. Public Key Infrastructure Chain of trust PKI equivalent Root CA Ex. GlobalSign, Verisign United Nations company CA Ex. AXI CA Belgium, Netherlands ... Registration Authority (RA) City hall, police office, court house
    • Digital Certificate
    • Signing
    • Authentication
    Driver’s license Passport
  • 38. Public Key Infrastructure Chain of trust Valid ? (CRL) Example of authenticatie United Nations US Belgium Me and my passport The nice officer at JFK And his passport
  • 39. Public Key Infrastructure Chain of trust Valid ? (CRL) Example of authenticatie United Nations US Belgium Flanders region Walloon region If Belgium splits in the Flanders region and Walloon Region I will be screwed if the United Nations do not recognize them
  • 40. Public Key Infrastructure - eID
    • Belgium
    • The Netherlands
    • Germany
    • Austria
    • Italy
    • Portugal
    • Estonia
    • eID emerging in europe
    • Smartcard passport
    SPECIMEN
  • 41. Public Key Infrastructure - eID
    • name
    • first 2 Christian names
    • first letter of third Christian name
    • nationality
    • place and date of birth
    • sex
    • place of issue
    • start and end dates of validity
    • card number
    • owner’s photograph
    • owner’s signature
    • National Register Number
    From a visual point of view, the information shown will be the same as on the present identity card:
  • 42. Public Key Infrastructure - eID From an electronic point of view, the data on the chip is the same as the information printed on the card, plus:
    • address
    • identity and signature keys
    • identity and signature certificate
    • Certificate Service Provider
    • security information (chip number, etc.)
    • Some information is protected by a pin code
  • 43. Public Key Infrastructure - eID
  • 44. Public Key Infrastructure - eID
  • 45. SSO integration with PKI apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page Client certificate (OCA, eID) (private/public key in keystore) Root certificate Government CA Oracle CA Server Certificate Server Certificate Root Certificate Root Certificate SSL SSL
  • 46. SSO integration with PKI – SSL terminator apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA
  • 47.
    • What kind of SSL terminator to choose ???
      • Juniper SSL/VPN 4000 Series
        • Recommend by the network partner
        • Should be easy to configure in PKI environment
        • It requires no low level http proxy/reverse proxy rules
        • Expensive license (per session)
        • Encryption of cookies – url masquerading
      • Threw it out because
        • It did not work with the combo Vista/Oracle Forms/JPI 1.5.x
        • Too high level configuration – no low level http manipulation possible
        • SSO integration had to be done using HTTP POSTs of the certificate subject to our PLSQL SSO proxy
        • Every switch to another partner app resulted in having to logon again ( ... Euh ... That’s not SSO)
    SSO integration with PKI – SSL terminator
  • 48.
    • What kind of SSL terminator to choose ???
      • Blue Coat reverse proxy (RP)
        • SSO – lots of moving parts – made the network guys dizzy
        • 6 different consultants in 6 days
        • Gave up on it ...
        • Blue Coat can probably do it ... Just find the right people
      • Apache2 based RP
        • On ubuntu linux/HA with mod_proxy/mod_proxy_html
        • Very low level http manipulation possible
        • Mod_ssl does not support OCSP
        • Managed to set it up in 2 days (incl clustering)
    SSO integration with PKI – SSL terminator
  • 49. SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA OCA Digital certificate My.company.com Login.company.com ProxyPass /forms/ http://MID.axi.be:7782/forms/ ProxyPass /osso_login_success http://MID.axi.be:7782/osso_login_success ProxyPass /login/ http://INFRA.axi.be:7780/ ProxyPassReverse /forms/ http://MID.axi.be:7782/ ProxyPassReverse /sso/ http://INFRA.axi.be:7780/ ProxyHTMLURLMap http://INFRA.axi.be:7780 /login <Location /sso/> SSLVerifyClient require RequestHeader set SUBJECT &quot;%{SSL_CLIENT_S_DN}e&quot; </location>
  • 50. SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA My.company.com Login.company.com Only need to enter SSO password Map certificate subject to SSO username
  • 51. SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA OCA Digital certificate
  • 52. SSO custom login
    • LAN users – check !
    • Internet brokers ?
      • OCA – check
      • EID?
    LAN Backoffice user
    • INTERNET
    • Broker
    • eID (certificate) + pincode
    • OCA digital certificate+password
    PORTIMA broker private network (http) Internet (https) Username+password Office ID/Suboffice ID Portima Authentication server Map portima ID to oracle ID
  • 53. SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA eID Digital certificate My.company.com Login.company.com ProxyPass /forms/ http://MID.axi.be:7782/forms/ ProxyPass /osso_login_success http://MID.axi.be:7782/osso_login_success ProxyPass /login/ http://INFRA.axi.be:7780/ ProxyPassReverse /forms/ http://MID.axi.be:7782/ ProxyPassReverse /sso/ http://INFRA.axi.be:7780/ ProxyHTMLURLMap http://INFRA.axi.be:7780 /login <Location /sso/> SSLVerifyClient require RequestHeader set SUBJECT &quot;%{SSL_CLIENT_S_DN}e&quot; </location>
  • 54. SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA eID Digital certificate My.company.com Login.company.com <Location /sso/> SSLVerifyClient require RequestHeader set SUBJECT &quot;%{SSL_CLIENT_S_DN}e&quot; </location>
  • 55. SSO custom login
    • LAN users – check !
    • Internet brokers ?
      • OCA – check
      • EID - check
    LAN Backoffice user
    • INTERNET
    • Broker
    • eID (certificate) + pincode
    • OCA digital certificate+password
    PORTIMA broker private network (http) Internet (https) Username+password Office ID/Suboffice ID Portima Authentication server Map portima ID to oracle ID
  • 56. DIY federated authentication - workflow Plsql Login_page apache Apache 2.x RP Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO PLUGIN OID LDAP IASDB J2ee OID LDAP Portima Authentication server My.private-company.com Login.private-company.com Officeid/suboffice password
  • 57. DIY federated authentication - workflow Plsql Login_page apache Apache 2.x RP Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO PLUGIN OID LDAP IASDB J2ee OID LDAP Portima Authentication server My.private-company.com Login.private-company.com Officeid/suboffice password Replaced with SAML v2 Federated Authentication In 2008 (integrated with Oracle SSO)
  • 58. Architecture HTTP/S HTTP CA LB (linux vips ldirector) INFRA MID CRL HTTP HTTP SSL/RP (apache2) RP (apache2)
  • 59. Solved problem ... And more
      • Multiple authentication schemes
        • Depending on physical location
        • Automatic logon + identity bootstrapping
        • DIY Federated authentication
      • Access control
        • Ex. Internet broker is not allowed to logon via a LAN connection and/or vice versa
        • Must change password with first logon
      • Multi-language support in logon page
      • Integration with reverse proxies
        • Passing/generating extra http headers for logon logic
      • Detection of windows Vista
        • Manipulate http headers (eg Vista/IE bugs)
        • Manipulate sitetoken to redirect to other URL
        • Custom plugin download pages for forms/java plugin
      • Multiple logon screens for different apps
        • Based on unbaking the site token
  • 60. Questions [email_address]

×