
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockholm 2019

Talk by Luke Gripenberg:
Many organizations use dozens of web-based applications that all require local user accounts or AD-connections. Icinga Web 2 is just one more to think about. Using a good SSO solution will help you avoid the pitfalls of local accounts and LDAP.


  1. Your observability expert
  2. Why you should use true SSO (Luke Gripenberg)
  3. Who am I?
     ● Senior consultant
       ○ Developer
         ■ Web applications, monitoring
     ● Working in the monitoring space since 2008
     ● System administrator
     ● Built my first SSO application in 2007
     ● Avid password manager user
       ○ Reluctantly so
  4. What is SSO?
     ● Single Sign-On
     ● A seamless sign-in experience
       ○ No need to retype credentials
       ○ Just use the application
     ● Fewer passwords needed
     ● Today covers web-based applications
  5. What SSO types are there?
     ● Kerberos
       ○ Often requires browser configuration
     ● SAML
       ○ Security Assertion Markup Language
     ● OAuth
       ○ Version 1
       ○ Version 2
     ● Others
  6. Others
     ● CAS
     ● Apache Authtkt
     ● OpenID
     ● OpenID Connect
     ● IndieAuth
     ● WS-Fed
     ● Client certificates
     ● SCIM
     ● ZXID
     ● LTPA
     ● DACS
     ● IceWall SSO
     ● Company-specific SSO
       ○ Microsoft, Twitter, etc.
     ● Authpubtkt
     ● Shibboleth
  7. LDAP
     ● Lightweight Directory Access Protocol
     ● Sometimes conflated with SSO
     ● Most applications support it
     ● Requires firewall rules (every application needs a path to the directory)
     ● Passthru authentication
  8. LDAP
     ● Security risks
       ○ Passthru authentication
         ■ Every application must be trusted to handle the credentials correctly
         ■ TLS certificates do not protect against this: the application still receives the plaintext password
       ○ Login processes for different applications look different
     ● Passwords must be typed in every time a logon has expired
  9. Passthru authentication
     (Diagram: the user's username and password are typed into each application, Icingaweb2, Password Vault, Ticketing System, HR system, Messaging system, E-mail system, and every one of them forwards the credentials to Active Directory.)
  10. But SSL certificates?
     ● Often reused
       ○ Wildcard certificate: *.example.com
     ● Often untrusted
  11. Use SSO instead
     ● Applications do not handle credentials at all
     ● No firewall openings needed
       ○ The on-premise / off-premise difference no longer matters
     ● If sign-in is needed, it is the same dialog every time
     ● No plugins needed
     ● Delegate security concerns
       ○ Reduce attack surface
     ● Customers can sign in with their own accounts
     ● Compliance responsibility for authentication lies with the SSO provider
  12. Our contribution
     ● A guide to setting up Icingaweb2 SSO with Active Directory Federation Services
     ● Group mapping
       ○ No generic users needed
       ○ Open-source code
     ● Local sign-in without multiple ports
     ● Available today
  13. Based on
     ● mod_auth_mellon (UNINETT)
       ○ https://github.com/Uninett/mod_auth_mellon
     ● MySQL group backend
       ○ Built in
  14. Demo
  15. Monitoring
     - Endpoints
     - Sign-in process
     - Services on the AD FS server
     - SAML endpoints on the Service Provider end
     - Internal tests in AD FS
       - PowerShell: Test-AdfsServerHealth (ships in Microsoft's AD FS diagnostics PowerShell module, not with AD FS itself), run through NSClient++
  16. Monitoring - AD FS
     - Event Viewer: Applications and Services Logs -> AD FS -> Admin
  17. Check it out
     - github.com/opsdis/icinga-adfs
     - Pull requests welcome
  18. Q&A
  19. Sources
     - https://ehloes.wordpress.com/2016/07/07/monitoring-adfs/
     - https://www.uoguelph.ca/ccs/security/internet/single-sign-sso/benefits
     - https://www.csoonline.com/article/2115776/what-is-single-sign-on-how-sso-improves-security-and-the-user-experience.html
     - https://ldapcon.org/2017/wp-content/uploads/2017/08/16_Cl%C3%A9ment-Oudot_PRE_LDAPCon2017_SSO-1.pdf
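Slides 12 and 13 describe the setup (mod_auth_mellon in front of Icinga Web 2, AD FS as the identity provider, a local sign-in fallback on the same port) without showing it. The Apache configuration below is an added illustration written for this page; it is not the talk's own material nor the opsdis/icinga-adfs project's configuration. The hostnames monitoring.example.com and adfs.example.com, the file paths under /etc/apache2/mellon/, the session length and the "info"-mode fallback for the login URL are assumptions; the claim URIs are the standard AD FS UPN and Group claim types.

```apache
# Added example (editor's illustration, not the opsdis/icinga-adfs configuration).
# Assumed names: monitoring.example.com (Icinga Web 2 host), adfs.example.com (AD FS),
# key, certificate and metadata files under /etc/apache2/mellon/.
#
# SP key pair and metadata come from mellon_create_metadata.sh (ships with mod_auth_mellon):
#   mellon_create_metadata.sh https://monitoring.example.com/icingaweb2/mellon/metadata \
#                             https://monitoring.example.com/icingaweb2/mellon
# IdP metadata is AD FS's own:
#   https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml
# Register the SP metadata in AD FS as a relying party trust and issue the UPN and
# Group claims. AD FS names attributes by their full claim URI, hence the URIs below.

<Location /icingaweb2>
    AuthType Mellon
    MellonEnable auth
    Require valid-user

    MellonEndpointPath     /icingaweb2/mellon
    MellonSPPrivateKeyFile /etc/apache2/mellon/sp-key.pem
    MellonSPCertFile       /etc/apache2/mellon/sp-cert.pem
    MellonSPMetadataFile   /etc/apache2/mellon/sp-metadata.xml
    MellonIdPMetadataFile  /etc/apache2/mellon/idp-metadata.xml

    # REMOTE_USER is set from the UPN claim; Icinga Web 2's "external" backend trusts it.
    # The application never sees a password (slide 11).
    MellonUser "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

    # Expose the AD group claim (multi-valued, joined with ';') for group mapping.
    MellonMergeEnvVars On ";"
    MellonSetEnvNoPrefix REMOTE_GROUPS "http://schemas.xmlsoap.org/claims/Group"

    # Session cookie hardening and a bounded SP session (seconds; assumed value).
    MellonSecureCookie On
    MellonCookieSameSite Lax
    MellonSessionLength 28800
    MellonSamlResponseDump Off
</Location>

# Local sign-in fallback on the same port. Assumption: in "info" mode mod_auth_mellon
# sets the attributes when an SSO session exists but does not force a redirect to
# AD FS, so Icinga Web 2's login form can fall through to its database backend.
<Location /icingaweb2/authentication/login>
    MellonEnable info
    Require all granted
</Location>
```

On the Icinga Web 2 side this pairs with an `external` authentication backend listed before the local `db` backend in authentication.ini, and with the built-in database group backend from slide 13 holding the groups mapped from REMOTE_GROUPS. Keep MellonSamlResponseDump off outside debugging: the dumped responses contain the signed assertions and every claim AD FS issued.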
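Slides 15 and 16 list what to monitor (endpoints, the sign-in process, the SAML endpoints on the Service Provider side) but show no check. The Python check plugin below is an added example for this page, not code from the talk or from the opsdis/icinga-adfs repository. It parses the AD FS federation metadata and the mod_auth_mellon SP metadata, verifies the things that silently break the sign-in process (expired metadata, a non-https SingleSignOnService, a missing signing certificate, an AssertionConsumerService that no longer matches the Mellon endpoint) and reports in Nagios/Icinga exit-code convention. The two metadata documents are constructed samples, the hostnames are placeholders and the certificate body is a dummy string because only its presence is checked; fetching the live documents is left to the caller.

```python
"""Check plugin (Nagios/Icinga exit-code convention) for the SAML metadata that
ties an AD FS IdP to a mod_auth_mellon SP. Added example, not the project's code."""
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def parse_ts(value):
    """SAML timestamps are xsd:dateTime in UTC, e.g. 2031-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_metadata(idp_xml, sp_xml, expected_acs, now=None, warn_days=14):
    """Return (state, message). Inputs are the IdP FederationMetadata and the SP
    metadata as strings; fetching them (urllib, curl) is left to the caller."""
    now = now or datetime.now(timezone.utc)
    problems, warnings = [], []
    try:
        idp, sp = ET.fromstring(idp_xml), ET.fromstring(sp_xml)
    except ET.ParseError as exc:
        return UNKNOWN, f"UNKNOWN - metadata is not well-formed XML: {exc}"

    # 1. validUntil is optional in SAML metadata, but when present the document
    #    must be treated as stale after it; warn before it lapses.
    for name, root in (("IdP", idp), ("SP", sp)):
        if root.get("validUntil"):
            exp = parse_ts(root.get("validUntil"))
            if exp <= now:
                problems.append(f"{name} metadata expired at {exp:%Y-%m-%d}")
            elif exp - now < timedelta(days=warn_days):
                warnings.append(f"{name} metadata expires at {exp:%Y-%m-%d}")

    # 2. mellon sends the AuthnRequest by HTTP-Redirect or HTTP-POST; the endpoint
    #    must be https or the request and the user's IdP session travel in clear.
    sso = idp.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    usable = [s for s in sso if s.get("Binding") in (REDIRECT, POST)]
    if not usable:
        problems.append("IdP advertises no HTTP-Redirect/HTTP-POST SingleSignOnService")
    for s in usable:
        if urlparse(s.get("Location", "")).scheme != "https":
            problems.append(f"IdP SSO endpoint is not https: {s.get('Location')}")

    # 3. Without a published signing certificate the SP cannot verify assertions;
    #    a KeyDescriptor with no 'use' attribute counts for signing and encryption.
    keys = idp.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS)
    if not any(k.get("use") in (None, "signing")
               and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
               for k in keys):
        problems.append("IdP metadata carries no signing certificate")

    # 4. The SP's POST AssertionConsumerService must be the mellon postResponse
    #    endpoint AD FS was configured with, or logins land on the wrong path.
    acs = [a.get("Location") for a in
           sp.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
           if a.get("Binding") == POST]
    if expected_acs not in acs:
        problems.append(f"SP AssertionConsumerService {acs} lacks {expected_acs}")

    if problems:
        return CRITICAL, "CRITICAL - " + "; ".join(problems)
    if warnings:
        return WARNING, "WARNING - " + "; ".join(warnings)
    return OK, f"OK - IdP {idp.get('entityID')} and SP {sp.get('entityID')} metadata consistent"


# Constructed sample metadata (not captured from a real deployment). An http://
# entityID is normal for AD FS; only the SSO Location must be https. The
# certificate body is a placeholder because only its presence is checked.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.com/adfs/services/trust" validUntil="2031-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://monitoring.example.com/icingaweb2/mellon/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://monitoring.example.com/icingaweb2/mellon/postResponse"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

EXPECTED_ACS = "https://monitoring.example.com/icingaweb2/mellon/postResponse"

if __name__ == "__main__":
    state, message = check_saml_metadata(IDP_METADATA, SP_METADATA, EXPECTED_ACS)
    print(message)
    sys.exit(state)
```

Wired into Icinga as a service check against the two metadata URLs, this catches the relying-party or endpoint drift that otherwise only shows up as users stuck in a redirect loop; the event-log check from slide 16 and Test-AdfsServerHealth cover the AD FS server itself, this covers the contract between the two sides.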
