Transcript of: 2a Role-based Security and Secure Authentication with SSO
Copyright © 1995-2015 Questionmark Corporation and/or Questionmark Computing Limited, known collectively as Questionmark. All rights reserved. Questionmark is a registered trademark of Questionmark Computing Limited. All other trademarks are acknowledged.

2016 Dutch Users Conference, Amsterdam | 15th November
Role-based Security and Secure Authentication with SSO
Bart Hendrickx, Questionmark; Mauro Chieppa, UP learning

Slide 2: Contents
1. Role-based Security
2. Single Sign-On (SAML)
3. Q&A

Slide 3: Role-based Security

Slide 4: User Management: Role-based security
- Not Everyone Should Be Able to Do Everything…
"Hi. I'm Ella. I am filling in for Wendy who is on maternity leave."
"Cool. Wendy is our reporting rock star. She also assists with managing our item bank. I will set you up with an account."

Slide 5: When Ella Logs On, She Sees…
She doesn't see the People or Administration menus.

Slide 6: Managing Roles
Go to People > Roles to do the following with roles:
- Add
- Edit
- Delete

Slide 7: Role Delegation
Define which roles a role can assign (and remove).

Slide 8: Authors: Two Sets of Permissions
Which features of Authoring can you use?
For which topics and assessment folders can you use those features?
Example:
- Portal: You can create items.
- Authoring: You can create items in topic A but not in topic B.

Slide 9: Assign Access to a Topic

Slide 10: Assign Access to an Assessment Folder

Slide 11: Single Sign-On

Slide 12: Too many passwords to remember!
[Diagram: the user's applications, including ERP]
"My employer gives me access to all these wonderful tools, but they all come with their own passwords."

Slide 13: The challenge of user management…
[Diagram: ERP, CRM and other applications, each marked with a cross]
Person X is no longer with the organization.

Slide 14: SSO: What is it?
- The ability for one application, the identity provider, to tell another application, the service provider, who you are.
[Diagram: Identity Provider (e.g. Microsoft Active Directory) sends authentication data to the Service Provider (e.g. Questionmark OnDemand)]

Slide 15: Why SSO?
Pros:
1. Reduces password fatigue
2. Simplifies user and password management
3. Saves time for users in the long term
Cons:
1. Gives you the keys to the castle
2. Doesn't work if the IdP is down
3. Takes time to set up

Slide 16: SAML
Security Assertion Markup Language
For exchanging authentication and authorization data between parties:
- Identity provider (IdP)
- Service provider (SP)

Slide 17: Web SSO
[Diagram: Customer Inc. intranet alongside ERP, CRM and QM, hosted on different domains]

Slide 18: Advantages of SAML
- Helps with web SSO: login across domains
- Supported by many identity providers: leverage authentication capabilities, such as multi-factor authentication

Slide 19: SAML Lessons Learned at UP learning
- Make metadata available
- Include the person or team who manages your identity provider (expertise)

Slide 20: Interested in SAML?
Talk to your Account Manager, who will help set up a discovery call.

Slide 21: Q&A

THANK YOU!

Slide 24: Bonus

Slide 25: SAML Interaction Diagram

Slide 26: Contents of a SAML Request (Example)
<samlp:AuthnRequest […] ID="_d17c957f15359e4e8e7665ce75b06c9b9620e6b9fa" […]
- This is the request
- This request has an ID (there will be a new ID for each request, cf. multiple users logging on)

Slide 27: Contents of a SAML Response (Example)
<samlp:Response ID="_113da1b8-b2a9-4c59-b5e1-97cca4fa107d" [...] InResponseTo="_d17c957f15359e4e8e7665ce75b06c9b9620e6b9fa" [...]
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
  <AttributeValue>ddf6d451-2735-4349-aa6e-86cf5c657967</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
  <AttributeValue>jane.doe</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
  <AttributeValue>[email protected]</AttributeValue>
</Attribute>
- This is the response
- It is a response to the request with the ID xyz (cf. the request)
- This user has attributes with these values

Slide 28: Possible with SAML (today)
- Create users automatically in the Portal when they log on via SAML
- Enable existing participants to log on via SAML by updating them through CSV import
- Give users a role based on a SAML attribute that has a defined value
- Define which users can still log on locally
  - Per user
  - Per role
- Map SAML attributes to
  - Portal profile fields
  - Groups (new)
- Questionmark Tech Support configures on your behalf
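An added example, not code from the slides or from Questionmark, of the service-provider-side checks that slides 27 and 28 describe: a response is accepted only if its InResponseTo names an AuthnRequest ID the SP itself issued and has not yet consumed, and a SAML attribute with a defined value maps to a role. The sample response is constructed from the slide 27 values; the department claim, the role rule and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response; the ID, InResponseTo and the first two claims
# mirror slide 27, the "department" claim is hypothetical.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_113da1b8-b2a9-4c59-b5e1-97cca4fa107d"
    InResponseTo="_d17c957f15359e4e8e7665ce75b06c9b9620e6b9fa">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <saml:AttributeValue>ddf6d451-2735-4349-aa6e-86cf5c657967</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <saml:AttributeValue>jane.doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://example.invalid/claims/department">
        <saml:AttributeValue>Reporting</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical rule of the kind slide 28 describes: an attribute with a defined
# value grants a role.  (attribute name, value) -> role
ROLE_RULES = {("http://example.invalid/claims/department", "Reporting"): "Reporting user"}


def parse_response(xml_text):
    """Return (response ID, InResponseTo, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return root.get("ID"), root.get("InResponseTo"), attrs


def accept_response(xml_text, outstanding_requests, role_rules):
    """Return (accepted, role, attrs). outstanding_requests holds the AuthnRequest
    IDs this SP issued and has not yet seen answered; the matching ID is consumed,
    so a second copy of the same response is rejected. A production SP verifies
    the XML signature before trusting anything below."""
    _resp_id, in_response_to, attrs = parse_response(xml_text)
    if in_response_to not in outstanding_requests:
        return False, None, {}
    outstanding_requests.discard(in_response_to)
    role = next((r for (name, value), r in role_rules.items()
                 if value in attrs.get(name, [])), None)
    return True, role, attrs
```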

Slide 29: Not Possible with SAML (today)
- Automatically enable existing participants to log on via SAML
  - An intervention through CSV import is needed
  - Administrators will need to be re-created on login
- Update values for (i.e. initial sync is possible but cannot be updated if values change)
  - Username
  - Unique user ID
  - Email address ("primary")

Slide 30: More Information
- What are some frequently asked questions about SAML integration?
  https://www.questionmark.com/content/saml-integration-faq-ondemand
- What is SAML and how does it work?
  https://www.questionmark.com/content/what-is-saml
- What is currently possible when integrating OnDemand with SAML?
  https://www.questionmark.com/content/what-is-possible-with-saml
- Can I map SAML attributes to OnDemand profile fields?
  https://www.questionmark.com/content/mapping-saml-attributes
- Who initiates logins when using SAML?
  https://www.questionmark.com/content/who-initiates-login-when-using-saml-questionmark
- What information does Questionmark need when configuring SAML for an OnDemand area?
  https://www.questionmark.com/content/information-required-for-saml-configuration
- Using Single Sign-On with Questionmark
  https://www.questionmark.com/content/best-practice-using-single-sign-questionmark-perception