BP104: Simplifying The S's:
Single Sign-On, SPNEGO
and SAML
Gabriella Davis - The Turtle Partnership
Chris Miller - Connectria

© 2014 IBM Corporation
Single Sign On vs
Password Synchronisation
What is this presentation about?
▪ We are here to talk about concepts
▪ Once you understand the concepts, their requirements, limitations and benefits you can make
decisions about what you need
▪ Hopefully we will give you a good overview of a bunch of confusing acronyms

▪ If you want an awesome step by step presentation on configuring SAML for Notes client
access then Rob Axelrod and Andy Pedisich have a Show and Tell this week for you 



SHOW100 AD + SAML + Kerberos + IBM Notes and Domino = SSO!

Tue, 28/Jan 04:30 PM - 06:15 PM Swan Osprey 1 & 2

I do not think that means what you think it means…

Password Synchronisation

You may have the same
password but you’re not the
same person

Single Sign On

Hello, have you met my friend?

I can vouch for him completely

Is trust transferable?
One Password,
One Location

Authenticating against a single password in a single place

[Diagram: Mail, Sametime and the network login all authenticating against one password held in one LDAP directory]

Synchronising passwords across different systems

[Diagram: a password synchronisation tool copying the same password into LDAP, Sametime, Connections and Traveler, each of which still authenticates on its own]
Steps For Single Password, Single Place
▪ For LDAP compliant applications ensure you use the same LDAP directory source

▪ For Domino systems, configure Directory Assistance to point to an LDAP source
▪ ensure you have an attribute in your LDAP directory that contains the user's Domino distinguished name, so that the LDAP lookup returns Domino a valid user name
▪ You can then empty out the HTTP Password field for all users, so the only password that works is the one held in LDAP
▪ This will work for any Domino application: mail, Traveler, Sametime etc
▪ The user can be entirely remote with no access to LDAP directly and this will still work, because the LDAP lookup is made by the Domino server, not by the client

SPNEGO

Simple Protected GSSAPI Negotiation Mechanism

SPNEGO does not authenticate anyone by itself: it negotiates which underlying mechanism the browser and the server will use. With Active Directory that is Kerberos, with NTLM as the fallback when the client cannot obtain a Kerberos ticket.
SPNEGO Example For Domino

STEPS
1. User logs into Windows
2. Active Directory authenticates the user and issues the Kerberos tickets from which the browser will later build its SPNEGO token
3. User tries to access the Domino website and receives a 401 challenge with WWW-Authenticate: Negotiate
4. Browser sends the SPNEGO token to Domino in the Authorization header, along with the user name
5. Domino validates the token through the Windows security API (which is why Domino must run as the account that owns the SPN), retrieves the user's Windows name and matches it to a Person document

Domino Creates a LTPAToken For The Validated User And Grants Access

Enable Multi Server Single Sign-On To Extend Access To Other Servers

Setting Up SPNEGO
▪ Create a Domino Web SSO document
▪ Set up a SPN for the Domino server in Active Directory
▪ Domino must run under whatever account you set up for it
▪ Run domspnego
▪ Take the output and give it to your AD administrator to run setspn with
▪ Run setspn -a HTTP/<dominohostname> <accountnamerunningdomino>
▪ the SPN is the service class HTTP, a forward slash and the fully qualified host name users type in the URL; it is not a URL, so there is no http://
▪ if the same SPN is registered on two accounts Kerberos fails and browsers silently fall back to NTLM, so check with setspn -q HTTP/<dominohostname> (and setspn -x for duplicates) before and after
▪ Update person documents with AD name appended to FullName (and optional others like
krbPrincipalName and LTPA User Name)

Why Not SPNEGO
▪ It requires Active Directory
▪ It requires users to login to Active Directory
▪ It requires a browser that supports Integrated Windows Authentication and is configured to trust the Domino host (the intranet zone for Internet Explorer and Chrome, network.negotiate-auth.trusted-uris for Firefox)
▪ It requires a Windows client for the users
▪ It requires Domino to be on a Windows platform
▪ at least the first Domino server that's accessed, the rest can then be reached via the Multi
Server SSO token generated by Domino

▪ It doesn't work at all if the user is remotely connecting and not logging into Active Directory
▪ It has a very specific use case
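As an added example (it is not part of the presentation and not Domino code), the check below covers the failure mode behind most SPNEGO tickets: the browser answers Domino's Negotiate challenge, but with NTLM rather than Kerberos because it could not get a ticket for the Domino SPN, the host is not trusted for Integrated Windows Authentication, or the user is not domain logged in. The code parses the token in the Authorization header and reports which mechanism SPNEGO selected. All sample tokens are constructed by hand; nothing was captured from a real server.

```python
"""
Added example (not part of the presentation): classify the token a browser
presents in its Authorization header after a "401 WWW-Authenticate: Negotiate"
challenge, and tell whether SPNEGO selected Kerberos or fell back to NTLM.
The sample tokens at the bottom are constructed by hand for this demonstration.
"""
import base64

# DER-encoded OBJECT IDENTIFIERs (tag 0x06, length, contents)
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_MSKRB5 = bytes.fromhex("06092a864882f712010202")      # 1.2.840.48018.1.2.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_MSKRB5: "kerberos", OID_KRB5: "kerberos", OID_NTLMSSP: "ntlm"}


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def classify_negotiate(header_value):
    """Return {'mechanism': kerberos|ntlm|continuation|unknown, 'spnego': bool, 'offered': [...]}."""
    scheme, _, b64 = header_value.partition(" ")
    result = {"scheme": scheme, "mechanism": "unknown", "spnego": False, "offered": []}
    if scheme.lower() == "ntlm":                        # plain NTLM scheme, no negotiation at all
        result["mechanism"] = "ntlm"
        return result
    if scheme.lower() != "negotiate":
        return result
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):                  # bare NTLMSSP message under Negotiate
        result["mechanism"] = "ntlm"
        return result
    if raw[:1] != b"\x60":                              # not a GSS-API InitialContextToken
        return result
    _, body, _ = read_tlv(raw)
    _, _, end = read_tlv(body)
    mech_oid = body[:end]                               # first element is the mechanism OID
    if mech_oid in MECH_NAMES:                          # bare Kerberos token, no SPNEGO wrapper
        result["mechanism"] = MECH_NAMES[mech_oid]
        return result
    if mech_oid != OID_SPNEGO:
        return result
    result["spnego"] = True
    tag, neg, _ = read_tlv(body, end)
    if tag != 0xA0:                                     # [1] negTokenResp: a later leg
        result["mechanism"] = "continuation"
        return result
    _, seq, _ = read_tlv(neg)               # NegTokenInit ::= SEQUENCE { mechTypes [0], ..., mechToken [2] }
    _, mech_types, _ = read_tlv(seq)        # [0] mechTypes
    _, oid_list, _ = read_tlv(mech_types)   # SEQUENCE OF OID
    pos = 0
    while pos < len(oid_list):
        _, _, nxt = read_tlv(oid_list, pos)
        result["offered"].append(MECH_NAMES.get(oid_list[pos:nxt], "other"))
        pos = nxt
    # The first mechType is the one the client actually used to build mechToken.
    result["mechanism"] = result["offered"][0] if result["offered"] else "unknown"
    return result


def der(tag, body):
    """Encode one DER TLV with a minimal length encoding."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def neg_token_init(mech_oids, mech_token):
    """Build a SPNEGO NegTokenInit wrapped in a GSS-API InitialContextToken."""
    inner = der(0xA0, der(0x30, b"".join(mech_oids))) + der(0xA2, der(0x04, mech_token))
    return der(0x60, OID_SPNEGO + der(0xA0, der(0x30, inner)))


def header(token):
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples.  A healthy domain client offers Kerberos first; a client with no
# ticket for HTTP/<dominohostname> leads with NTLMSSP and carries an NTLM Type 1 message.
KERBEROS_HEADER = header(neg_token_init(
    [OID_MSKRB5, OID_KRB5, OID_NTLMSSP], der(0x60, OID_KRB5 + b"\x01\x00" + b"AP-REQ...")))
NTLM_FALLBACK_HEADER = header(neg_token_init(
    [OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 24))
RAW_NTLM_HEADER = "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 24).decode()


def fell_back_to_ntlm(header_value):
    """True when the browser did not (or could not) use Kerberos for this request."""
    return classify_negotiate(header_value)["mechanism"] == "ntlm"


if __name__ == "__main__":
    for name, value in [("kerberos", KERBEROS_HEADER), ("ntlm fallback", NTLM_FALLBACK_HEADER),
                        ("raw ntlm", RAW_NTLM_HEADER)]:
        print(name, classify_negotiate(value))
```

Run it against the Authorization header of a real request (a browser developer-tools capture, or a Domino HTTP request log with headers enabled) and an "ntlm" result tells you the Kerberos path is broken for that client before you start debugging Person documents.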

SAML

Security Assertion Markup Language

SAML is an XML based standard for exchanging authentication and authorisation data about a user between an Identity Provider and the Service Providers that trust it
No Passwords…..

The Service Provider never sees the user's password, so at the Service Provider there is no password to compromise, to expire or to intercept

Once a user has authenticated with the IdP they won't be asked again for the life of their IdP session

[Diagram: one IdP (Identity Provider) serving three SPs (Service Providers)]
SAML Example

STEPS
1. User attempts to log in to a website (the Service Provider)
2. User is redirected to the Identity Provider
3. Identity Provider requests authentication or, if the user already has an IdP session, proceeds without prompting
4. User is redirected back to the original site with a SAML assertion attached
5. Original site uses its SAML Service Provider to confirm the SAML assertion (signature, issuer, audience, validity window, replay) and grant access
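As an added example (not code from the presentation, from ADFS or from Domino), here are the checks behind step 5 in Python. It assumes the SP's SAML library has already verified the XML signature on the assertion with the IdP's certificate: none of the fields below can be trusted until that is done. The issuer, the SP entity ID, the Domino assertion consumer URL and the assertion itself are constructed for the illustration and do not come from a real deployment.

```python
"""
Added example (not part of the presentation): the checks a Service Provider
makes on a SAML 2.0 assertion before granting access, AFTER the XML signature
has been verified.  The assertion, entity IDs and URLs are constructed.
"""
import xml.etree.ElementTree as ET   # production SPs should parse with defusedxml
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample assertion as an ADFS-style IdP might issue it to a Domino SP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_7d8f3e4a" Version="2.0" IssueInstant="2014-01-28T16:30:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jane.doe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2014-01-28T16:35:00Z"
          Recipient="https://domino.example.com/names.nsf?SAMLLogin" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-01-28T16:29:00Z" NotOnOrAfter="2014-01-28T16:35:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://domino.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2014-01-28T16:30:00Z"/>
</saml:Assertion>"""

SP_CONFIG = {                                        # assumed values for the example SP
    "trusted_issuer": "http://adfs.example.com/adfs/services/trust",
    "sp_entity_id": "https://domino.example.com",
    "acs_url": "https://domino.example.com/names.nsf?SAMLLogin",
}
DEMO_NOW = datetime(2014, 1, 28, 16, 31, tzinfo=timezone.utc)
ONE_HOUR_LATER = DEMO_NOW + timedelta(hours=1)


class AssertionRejected(Exception):
    pass


def parse_ts(value):
    """SAML timestamps are UTC; tolerate an optional fractional-seconds part."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, config, now, outstanding_requests, seen_ids,
                       skew=timedelta(minutes=2)):
    """Return the NameID if every check passes, else raise AssertionRejected.
    seen_ids is the SP's replay cache of accepted assertion IDs (updated on success)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML:
        raise AssertionRejected("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["trusted_issuer"]:                 # only the IdP we federated with
        raise AssertionRejected("untrusted issuer %r" % issuer)
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:        # replayed assertion
        raise AssertionRejected("assertion %r already consumed" % assertion_id)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("no Conditions element")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now + skew < parse_ts(nb)) or (noa and now - skew >= parse_ts(noa)):
        raise AssertionRejected("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_entity_id"] not in audiences:             # issued for some other SP
        raise AssertionRejected("audience %r does not include this SP" % audiences)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:   # delivered to the wrong endpoint
        raise AssertionRejected("bearer confirmation missing or Recipient mismatch")
    if scd.get("NotOnOrAfter") and now - skew >= parse_ts(scd.get("NotOnOrAfter")):
        raise AssertionRejected("bearer confirmation expired")
    in_response_to = scd.get("InResponseTo")
    if in_response_to is not None and in_response_to not in outstanding_requests:
        raise AssertionRejected("InResponseTo %r does not match a request we sent" % in_response_to)
    seen_ids.add(assertion_id)
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def outcome(xml_text, now, config=SP_CONFIG, outstanding=("_req42",), seen_ids=None):
    """Convenience wrapper: the NameID on success, 'rejected: <reason>' otherwise."""
    try:
        return validate_assertion(xml_text, config, now, set(outstanding),
                                  seen_ids if seen_ids is not None else set())
    except AssertionRejected as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    cache = set()
    print(outcome(SAMPLE_ASSERTION, DEMO_NOW, seen_ids=cache))   # jane.doe@example.com
    print(outcome(SAMPLE_ASSERTION, DEMO_NOW, seen_ids=cache))   # rejected: replay
    print(outcome(SAMPLE_ASSERTION, ONE_HOUR_LATER))             # rejected: expired
```

The order matters: signature first, then issuer, then the rest. An assertion that is genuinely signed by your IdP but was issued for a different SP, or was already consumed once, must still be refused, and the replay cache only needs to hold IDs until their NotOnOrAfter has passed.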
Definitions
▪ IdP - Identity Provider (SSO)
▪ ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
▪ SAML 2.0 only
▪ can be combined with SPNEGO
▪ Enhances Integrated Windows Authentication (IWA)
▪ TFIM (Tivoli Federated Identity Manager)
▪ SAML 1.1 and 2.0

Definitions
▪ SP - Service Provider
▪ IBM Domino (web federated login)
▪ IBM WebSphere
▪ IBM Notes (requires ID Vault) (notes federated login)

More Definitions
▪ IdPs (Identity Providers) use HTTP (redirect or POST bindings) or SOAP to deliver XML based assertions to SPs (Service Providers)

▪ An assertion can carry three kinds of statement
▪ Authentication (how and when the user authenticated)
▪ Authorisation decision
▪ Attributes (retrieving attributes such as name and email address)

▪ An IdP can service many SPs
▪ An IdP can use a variety of authentication methods including multi factor
▪ A SP can be connected to several IdPs
Setting Up SAML
▪ Choose your IdP if you don’t already have one
▪ which fits best in your business
▪ Build the IdP
▪ Configure the SP

▪ Sounds easy doesn’t it?
▪ It’s really not easy by any means but it is worth the investment in time

Why Not SAML
▪ Not everything supports it
▪ Traveler doesn’t
▪ Sametime doesn’t
▪ ID Vault is a requirement so IDs that can’t be vaulted can’t be used
▪ multiple passwords, smartcards etc

OAuth

Not Everything Belongs To You

OAuth is an authorisation standard, a way for a user to grant one service limited access to their data held by another without handing over their password, supported by most major cloud providers

The User & The Consumer

Let's say you want Facebook to post on your Connections Activity Stream.

We need OAuth for that..

You are the User

Facebook is the Consumer

The Service Provider & Its Secrets
The consumer (Facebook) wanders over to the Service Provider (IBM Connections) and asks for permission to post on the Activity Stream

The Service Provider issues the Consumer a token and a matching secret; every request the Consumer then makes on the user's behalf is signed with that secret, and that signature is what authorises access
OAuth Simplified Example

STEPS
1. User asks Facebook (the Consumer) to post on their Activity Stream
2. Facebook goes to Connections (the Service Provider) and asks for permission to post
3. The Service Provider gives the Consumer a secret key to give to the user and a URL for the user to click on
4. The user clicks on the URL and authenticates with the Service Provider
5. The Service Provider, satisfied the secret key is good, will now allow the Consumer access to its services
That Was REALLY Simplified
▪ There are other steps and other secrets (a request token exchanged for an access token, and a signature over every request) to ensure traffic is not intercepted or replayed once authorisation is granted
▪ There are checks on both sides: the Service Provider verifies the Consumer through its consumer key and secret, and the user must only ever enter their password at the genuine Service Provider
▪ You don't want to accidentally authorise a phishing site
▪ There are also lots of timeouts on the authorisation

▪ Make sure you understand the security of both the Consumer and the Service Provider as
well as what access you are granting the Consumer on your behalf
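An added example, not from the presentation and not IBM Connections code, of the per-request secret the slides allude to: OAuth 1.0a request signing and verification in Python, with HMAC-SHA1 over the RFC 5849 signature base string keyed by the consumer secret and the token secret. The consumer key, secrets, token, nonce, timestamp and the Connections URL are made-up values for the illustration.

```python
"""
Added example (not part of the presentation): how a Consumer signs each
request with the secrets the Service Provider issued, and how the Service
Provider verifies the signature and refuses replays (OAuth 1.0a, RFC 5849).
All keys, secrets and URLs are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="~")


def base_string_uri(url):
    """Scheme and host lower-cased, default ports dropped, query and fragment removed."""
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port and (p.scheme.lower(), p.port) not in (("http", 80), ("https", 443)):
        host = "%s:%d" % (host, p.port)
    return "%s://%s%s" % (p.scheme.lower(), host, p.path or "/")


def signature_base_string(method, url, params):
    """params: every query and oauth_* parameter except oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)       # sort by encoded key, then value
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret=""):
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, query, consumer_key, consumer_secret, token, token_secret,
                 nonce, timestamp):
    """Consumer side: the oauth_* parameters that go into the Authorization: OAuth header."""
    oauth = {
        "oauth_consumer_key": consumer_key, "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce, "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, list(query.items()) + list(oauth.items()))
    oauth["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    return oauth


class ServiceProvider:
    """Service Provider side: check the token's owner, freshness and the signature."""

    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.tokens = tokens         # access token -> (consumer_key, token_secret)
        self.window = window         # accepted clock drift in seconds
        self.seen = set()            # (consumer_key, timestamp, nonce) already used

    def verify(self, method, url, query, oauth, now):
        oauth = dict(oauth)
        supplied = str(oauth.pop("oauth_signature", ""))
        ckey, token = oauth.get("oauth_consumer_key"), oauth.get("oauth_token")
        if ckey not in self.consumers or token not in self.tokens:
            return False, "unknown consumer or token"
        owner, token_secret = self.tokens[token]
        if owner != ckey:                                   # token issued to another consumer
            return False, "token does not belong to this consumer"
        if not str(oauth.get("oauth_timestamp", "")).isdigit():
            return False, "bad timestamp"
        ts = int(oauth["oauth_timestamp"])
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        replay_key = (ckey, ts, oauth.get("oauth_nonce"))
        if replay_key in self.seen:
            return False, "nonce replayed"
        base = signature_base_string(method, url, list(query.items()) + list(oauth.items()))
        expected = hmac_sha1(base, self.consumers[ckey], token_secret)
        if not hmac.compare_digest(expected.encode(), supplied.encode()):   # constant time
            return False, "bad signature"
        self.seen.add(replay_key)
        return True, "ok"


# Constructed demo data: Facebook is the Consumer, Connections the Service Provider.
POST_URL = "https://connections.example.com/activitystream/post"   # assumed path
DEMO_TS = 1390926600                                                # 2014-01-28 16:30 UTC


def demo_provider():
    return ServiceProvider(consumers={"facebook-app": "consumer-secret-1"},
                           tokens={"tok-jane": ("facebook-app", "token-secret-1")})


def demo_request(nonce="7d8f3e4a", token_secret="token-secret-1"):
    return sign_request("POST", POST_URL, {"format": "json"}, "facebook-app",
                        "consumer-secret-1", "tok-jane", token_secret, nonce, DEMO_TS)


if __name__ == "__main__":
    sp = demo_provider()
    req = demo_request()
    print(sp.verify("POST", POST_URL, {"format": "json"}, req, now=DEMO_TS))               # (True, 'ok')
    print(sp.verify("POST", POST_URL, {"format": "json"}, req, now=DEMO_TS))               # replayed
    print(sp.verify("POST", POST_URL, {"format": "xml"}, demo_request("n2"), now=DEMO_TS))  # tampered
```

Because the signature covers the method, the URL and every parameter, an intercepted request cannot be altered or reused: changing a parameter, reusing the nonce, or signing with the wrong token secret all fail verification, which is the protection the slide's "other secrets" refers to.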

In Summary
▪ Think about what your problem actually is: there are plenty of technologies to make the user experience seamless but they become ever more complex to build and maintain
▪ What are your priorities? Single password? No password? No authentication with a particular service?
▪ Many solutions require specific operating systems, software and client versions
▪ Make sure you meet all requirements before building a plan you can't deliver on
▪ Some things are very easy (single password, SPNEGO)
▪ Some things are very hard (SAML, OAuth)

▪ There is no one solution, you need to choose the combination that delivers for you

HOW TO FIND US
gabriella@turtlepartnership.com
GabriellaDavis (skype)
http://turtleblog.info
gabturtle on twitter and elsewhere

idonotes on EVERYTHING
Twitter, blogs, Instagram, Facebook and more

An Introduction to Configuring Domino for Docker
Gabriella Davis
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
Gabriella Davis
 
× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...
× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...
× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...
Gabriella Davis
 
An introduction to configuring Domino for Docker
An introduction to configuring Domino for DockerAn introduction to configuring Domino for Docker
An introduction to configuring Domino for Docker
Gabriella Davis
 
How To Approach GDPR Preparation & Discovery
How To Approach GDPR Preparation & DiscoveryHow To Approach GDPR Preparation & Discovery
How To Approach GDPR Preparation & Discovery
Gabriella Davis
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
Gabriella Davis
 
Brand Yourself
Brand YourselfBrand Yourself
Brand Yourself
Gabriella Davis
 
Home Working
Home WorkingHome Working
Home Working
Gabriella Davis
 
A Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration SolutionsA Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration Solutions
Gabriella Davis
 
The Imposter Syndrome
The Imposter SyndromeThe Imposter Syndrome
The Imposter Syndrome
Gabriella Davis
 
What's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-PremisesWhat's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-Premises
Gabriella Davis
 
An Introduction To Docker
An Introduction To DockerAn Introduction To Docker
An Introduction To Docker
Gabriella Davis
 
An Introduction To Docker
An Introduction To  DockerAn Introduction To  Docker
An Introduction To Docker
Gabriella Davis
 
Setting Up a Hybrid Domino Environment to Ease your Way to the Cloud
Setting Up a Hybrid Domino Environment to Ease your Way to the CloudSetting Up a Hybrid Domino Environment to Ease your Way to the Cloud
Setting Up a Hybrid Domino Environment to Ease your Way to the Cloud
Gabriella Davis
 
Embracing iot in the enterprise
Embracing iot in the enterpriseEmbracing iot in the enterprise
Embracing iot in the enterprise
Gabriella Davis
 
Penumbra briefing
Penumbra briefingPenumbra briefing
Penumbra briefing
Gabriella Davis
 

More from Gabriella Davis (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
. Design Decisions: Developing for Mobile - The Template Experience Project
. Design Decisions: Developing for Mobile - The Template Experience Project. Design Decisions: Developing for Mobile - The Template Experience Project
. Design Decisions: Developing for Mobile - The Template Experience Project
 
Face Off Domino vs Exchange On Premises
Face Off Domino vs Exchange On PremisesFace Off Domino vs Exchange On Premises
Face Off Domino vs Exchange On Premises
 
Adminlicious - A Guide To TCO Features In Domino v10
Adminlicious - A Guide To TCO Features In Domino v10Adminlicious - A Guide To TCO Features In Domino v10
Adminlicious - A Guide To TCO Features In Domino v10
 
An Introduction to Configuring Domino for Docker
An Introduction to Configuring Domino for DockerAn Introduction to Configuring Domino for Docker
An Introduction to Configuring Domino for Docker
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
 
× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...
× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...
× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...
 
An introduction to configuring Domino for Docker
An introduction to configuring Domino for DockerAn introduction to configuring Domino for Docker
An introduction to configuring Domino for Docker
 
How To Approach GDPR Preparation & Discovery
How To Approach GDPR Preparation & DiscoveryHow To Approach GDPR Preparation & Discovery
How To Approach GDPR Preparation & Discovery
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
 
Brand Yourself
Brand YourselfBrand Yourself
Brand Yourself
 
Home Working
Home WorkingHome Working
Home Working
 
A Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration SolutionsA Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration Solutions
 
The Imposter Syndrome
The Imposter SyndromeThe Imposter Syndrome
The Imposter Syndrome
 
What's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-PremisesWhat's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-Premises
 
An Introduction To Docker
An Introduction To DockerAn Introduction To Docker
An Introduction To Docker
 
An Introduction To Docker
An Introduction To  DockerAn Introduction To  Docker
An Introduction To Docker
 
Setting Up a Hybrid Domino Environment to Ease your Way to the Cloud
Setting Up a Hybrid Domino Environment to Ease your Way to the CloudSetting Up a Hybrid Domino Environment to Ease your Way to the Cloud
Setting Up a Hybrid Domino Environment to Ease your Way to the Cloud
 
Embracing iot in the enterprise
Embracing iot in the enterpriseEmbracing iot in the enterprise
Embracing iot in the enterprise
 
Penumbra briefing
Penumbra briefingPenumbra briefing
Penumbra briefing
 

Recently uploaded

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 

Recently uploaded (20)

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 

Simplifying The S's: Single Sign-On, SPNEGO and SAML

  • 1. BP104: Simplifying The S's: Single Sign-On, SPNEGO and SAML Gabriella Davis - The Turtle Partnership Chris Miller - Connectria © 2014 IBM Corporation
  • 2. Single Sign On vs Password Synchronisation © 2014 IBM Corporation
  • 3. What is this presentation about? ▪ We are here to talk about concepts ▪ Once you understand the concepts, their requirements, limitations and benefits you can make decisions about what you need ▪ Hopefully we will give you a good overview of a bunch of confusing acronyms ▪ If you want an awesome step by step presentation on configuring SAML for Notes client access then Rob Axelrod and Andy Pedisich have a Show and Tell this week for you: SHOW100 AD + SAML + Kerberos + IBM Notes and Domino = SSO! Tue, 28/Jan 04:30 PM - 06:15 PM Swan Osprey 1 & 2
  • 4. I do not think that means what you think it means…
  • 5. Password Synchronisation: You may have the same password but you’re not the same person
  • 6. Single Sign On: Hello, have you met my friend? I can vouch for him completely. Is trust transferable?
  • 8. Authenticating against a single password in a single place (diagram: Mail, Sametime, Connections and Network Login all authenticating against one password held in LDAP)
  • 10. Steps For Single Password, Single Place ▪ For LDAP compliant applications ensure you use the same LDAP directory source ▪ For Domino systems, configure Directory Assistance to point to an LDAP source ▪ Ensure you have an attribute in your LDAP directory that contains the user’s distinguished name so Domino is returned a valid user name ▪ You can then empty out the HTTP Password field for all users ▪ This will work for any Domino application: mail, Traveler, Sametime etc ▪ The user can be entirely remote with no direct access to LDAP and this will still work
  • 12. Simple Protected GSSAPI Negotiation Mechanism, known as NTLM or Kerberos in Active Directory
  • 13–17. SPNEGO Example For Domino, steps: ▪ 1. User logs into Windows ▪ 2. Active Directory generates SPNEGO token ▪ 3. User tries to access Domino website ▪ 4. Browser sends SPNEGO token to Domino along with user name ▪ 5. Domino contacts Active Directory to validate token and retrieve the user’s name
  • 18. Domino creates a LTPAToken for the validated user and grants access. Enable Multi Server Single Sign-On to extend access to other servers
  • 19. Setting Up SPNEGO ▪ Create a Domino Web SSO document ▪ Set up a SPN for the Domino server in Active Directory ▪ Domino must run under whatever account you set up for it ▪ Run domspnego ▪ Take the output and give it to your AD administrator to run setspn with ▪ Run setspn -a HTTP/<dominohostname> <accountnamerunningdomino> ▪ Update person documents with the AD name appended to FullName (and optionally others like krbPrincipalName and LTPA User Name)
  • 20. Why Not SPNEGO ▪ It requires Active Directory ▪ It requires users to login to Active Directory ▪ It requires Microsoft supported browsers ▪ It requires a Windows client for the users ▪ It requires Domino to be on a Windows platform ▪ at least the first Domino server that’s accessed, the rest can then be reached via the Multi Server SSO token generated by Domino ▪ It doesn’t work at all if the user is remotely connecting and not logging into Active Directory ▪ It has a very specific use case
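The token exchange at steps 4 and 5 above, as an added example that is not code from the presentation: it parses the base64 Negotiate header a browser presents and reports whether the client offered Kerberos or fell back to NTLM (slide 12 notes both live under SPNEGO). The OIDs are the standard ones; the sample tokens and the placeholder mechToken are constructed, and validating the inner Kerberos ticket against AD is left to the server's GSS-API library.

```python
"""Inspect the Authorization: Negotiate header a browser sends at step 4 of the
SPNEGO flow and report which mechanism it offers. Added example, not code from
the presentation: it lets a Domino/AD admin spot clients falling back to NTLM."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}  # RFC 1964 + MS variant
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP"}

def _der_len(n):
    # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """Dotted OID string -> complete DER OBJECT IDENTIFIER element (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(body):
    # OBJECT IDENTIFIER contents octets -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf, pos):
    # Return (tag, contents, position just after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def build_negotiate_header(mech_oids, mech_token=b"<constructed placeholder>"):
    """Constructed RFC 4178 NegTokenInit shaped as a browser sends it:
    [APPLICATION 0] { SPNEGO OID, [0] SEQUENCE { [0] mechTypes, [2] mechToken } }."""
    mech_list = _tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    token = _tlv(0x60, encode_oid(SPNEGO_OID) + _tlv(0xA0, init))
    return "Negotiate " + base64.b64encode(token).decode()

def classify_negotiate(header_value):
    """Parse an Authorization header value into the mechanisms the client offers.
    ntlm_fallback is True when the token is not Kerberos-first (see slide 20)."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):  # raw NTLM with no SPNEGO wrapper at all
        return {"wrapper": "raw NTLM", "mechs": ["NTLMSSP"], "ntlm_fallback": True}
    tag, body, _ = _read_tlv(tok, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, neg, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit ([0])")
    _, init_seq, _ = _read_tlv(neg, 0)           # SEQUENCE NegTokenInit
    tag, mech_types, _ = _read_tlv(init_seq, 0)  # [0] mechTypes (mandatory)
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, mech_list, _ = _read_tlv(mech_types, 0)   # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, oid, pos = _read_tlv(mech_list, pos)
        mechs.append(decode_oid(oid))
    # The first OID is the mechanism whose token is carried in mechToken.
    return {"wrapper": "SPNEGO", "mechs": [MECH_NAMES.get(m, m) for m in mechs],
            "ntlm_fallback": mechs[0] not in KERBEROS_OIDS}

# Constructed samples: domain-joined browser (Kerberos first), NTLM-only client, raw NTLM client
SAMPLE_KERBEROS = build_negotiate_header(["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", NTLMSSP_OID])
SAMPLE_NTLM_ONLY = build_negotiate_header([NTLMSSP_OID])
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

Logging the `ntlm_fallback` result per client is a cheap way to find the remote or mis-registered clients slide 20 warns about before users report login prompts.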
  • 22. Security Assertion Markup Language: SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers
  • 23. No Passwords….. ▪ To Compromise ▪ To Expire ▪ To Intercept. Once a user has authenticated with the IdP they won’t be asked again
  • 24. (diagram: one IdP (Identity Provider) serving three SPs (Service Providers))
  • 26–29. SAML Example, steps: ▪ 1. User attempts to log in to a website ▪ 2. User is redirected to Identity Provider ▪ 3. Identity Provider requests authentication or (if user is logged in) returns credentials ▪ 4. User is redirected back to original site with SAML assertion attached ▪ 5. Original site uses its SAML Service Provider to confirm SAML assertion and grant access
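Step 5 above, as an added example that is not code from the presentation or from Domino: the checks a Service Provider makes on the returned assertion before granting access. The entity IDs, request ID, clock and response XML are constructed, and XML signature verification is assumed to have been done separately by an xmlsec library.

```python
"""SP-side checks on a SAML 2.0 Response (step 5: the site confirms the assertion
before granting access). Added example, not from the presentation; entity IDs,
request ID and XML are constructed. XML signature verification is assumed done
by an xmlsec library; these are the checks an SP must still make afterwards."""
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://domino.example.com/sp"   # constructed
IDP_ENTITY_ID = "https://idp.example.com/adfs"    # constructed

class SamlRejected(Exception):
    """Carries the reason for refusal: log it, do not echo it to the browser."""

def _ts(s):
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, expected_request_id, seen_ids, now,
                      skew=timedelta(minutes=2)):
    """Return the NameID of the authenticated user or raise SamlRejected.
    seen_ids is the SP's replay cache of assertion IDs it already accepted."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlRejected("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlRejected("IdP did not report Success")
    # Ties the response to the AuthnRequest this SP issued (blocks unsolicited responses).
    if root.get("InResponseTo") != expected_request_id:
        raise SamlRejected("InResponseTo does not match the pending AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlRejected("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlRejected("Assertion issued by an unexpected IdP")
    if a.get("ID") in seen_ids:
        raise SamlRejected("Assertion replayed")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlRejected("no Conditions element")
    if now < _ts(cond.get("NotBefore")) - skew:
        raise SamlRejected("Assertion not yet valid")
    if now >= _ts(cond.get("NotOnOrAfter")) + skew:
        raise SamlRejected("Assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlRejected("Assertion not addressed to this SP")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlRejected("no NameID")
    seen_ids.add(a.get("ID"))
    return name_id

def sample_response(not_before, not_on_or_after, audience=SP_ENTITY_ID,
                    in_response_to="_req1", assertion_id="_a1"):
    """Constructed IdP response carrying the elements the checks above look at
    (no ds:Signature, since signature handling is assumed to happen elsewhere)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" InResponseTo="{in_response_to}" Version="2.0">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>CN=Jane Doe/O=Example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def run_samples():
    """Validate one good response and four bad ones; returns name or rejection reason."""
    now = datetime(2014, 1, 28, 16, 30, tzinfo=timezone.utc)   # constructed clock
    seen, out = set(), {}
    good = sample_response("2014-01-28T16:29:00Z", "2014-01-28T16:35:00Z")
    out["valid"] = validate_response(good, "_req1", seen, now)
    cases = {"replay": good,
             "expired": sample_response("2014-01-28T15:00:00Z", "2014-01-28T15:05:00Z", assertion_id="_a2"),
             "wrong_audience": sample_response("2014-01-28T16:29:00Z", "2014-01-28T16:35:00Z",
                                               audience="https://other-sp.example.net", assertion_id="_a3"),
             "unsolicited": sample_response("2014-01-28T16:29:00Z", "2014-01-28T16:35:00Z",
                                            in_response_to="_not_ours", assertion_id="_a4")}
    for name, xml_text in cases.items():
        try:
            validate_response(xml_text, "_req1", seen, now)
            out[name] = "accepted"
        except SamlRejected as e:
            out[name] = str(e)
    return out
```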
  • 30. Definitions ▪ IdP - Identity Provider (SSO) ▪ ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012) ▪ SAML 2.0 only ▪ can be combined with SPNEGO ▪ Enhances Integrated Windows Authentication (IWA) ▪ TFIM (Tivoli Federated Identity Manager) ▪ SAML 1.1 and 2.0
  • 31. Definitions ▪ SP - Service Provider ▪ IBM Domino (web federated login) ▪ IBM WebSphere ▪ IBM Notes (requires ID Vault) (notes federated login)
  • 32. More Definitions ▪ IdP (Identity Providers) use HTTP or SOAP to communicate to SP (Service Providers) via XML based assertions ▪ Assertions have three roles ▪ Authentication ▪ Authorisation ▪ Retrieving Attributes
  • 33. An IdP can service many SPs. An IdP can use a variety of authentication methods including multi factor. A SP can be connected to several IdPs
  • 34. Setting Up SAML ▪ Choose your IdP if you don’t already have one ▪ which fits best in your business ▪ Build the IdP ▪ Configure the SP ▪ Sounds easy doesn’t it? ▪ It’s really not easy by any means but it is worth the investment in time
  • 35. Why Not SAML ▪ Not everything supports it ▪ Traveler doesn’t ▪ Sametime doesn’t ▪ ID Vault is a requirement so IDs that can’t be vaulted can’t be used ▪ multiple passwords, smartcards etc
  • 37. Not Everything Belongs To You: OAuth is an authentication standard supported by most major cloud providers
  • 38. The User & The Consumer: Let’s say you want Facebook to post on your Connections Activity Stream. We need OAuth for that.. You are the User, Facebook is the Consumer
  • 39. The Service Provider & Its Secrets: The consumer (Facebook) wanders over to the Service Provider (IBM Connections) and asks for permission to post on the Activity Stream. The Service Provider issues a Secret to go with every URL request from the user which authorises access
  • 40–44. OAuth Simplified Example, steps: ▪ 1. User asks Facebook (the Consumer) to post on their Activity Stream ▪ 2. Facebook goes to Connections (the Service Provider) and asks for permission to post ▪ 3. The Service Provider gives the Consumer a secret key to give to the user and a URL for the user to click on ▪ 4. The user clicks on the URL and authenticates with the Service Provider ▪ 5. The Service Provider, satisfied the secret key is good, will now allow the Consumer access to its services
  • 45. That Was REALLY Simplified ▪ There are other steps and other secrets to ensure traffic is not intercepted once authorisation is granted ▪ There are checks to ensure the Service Provider is who it claims to be ▪ You don’t want to accidentally authorise a phishing site ▪ There are also lots of timeouts on the authorisation ▪ Make sure you understand the security of both the Consumer and the Service Provider as well as what access you are granting the Consumer on your behalf
  • 46. In Summary ▪ Think about what your problem actually is: there are plenty of technologies to make the user experience seamless but they become ever more complex to build and maintain ▪ What are your priorities? Single password? No password? No authentication with a particular service? ▪ Many solutions require specific operating systems, software and client versions ▪ Make sure you meet all requirements before building a plan you can’t deliver on ▪ Some things are very easy (Single password, SPNEGO) ▪ Some things are very hard (SAML, OAuth) ▪ There is no one solution, you need to choose the combination that delivers for you
  • 47. How To Find Us: gabriella@turtlepartnership.com, GabriellaDavis (skype), http://turtleblog.info, gabturtle on twitter and elsewhere; idonotes on EVERYTHING: Twitter, blogs, Instagram, Facebook and more