Eunice Mondésir Pierre Weill-Tessier
Federated Identity with Ping Federate
Project Supervisor: M. Maknavicius-Laurent
ASR Coordinator: G. Bernard
ASR Final Project February 7th, 2007
Agenda
1. Introduction
2. Federated Identity concepts
3. Presentation of Ping Federate server
4. Platform implementation
5. Demonstrations
6. Conclusion
Introduction
Federated Identity Concepts
Federated Identity concepts
1. Why Federated Identity?
2. What is Federated Identity?
3. Participants of Circle of Trust
4. Single Sign On and Single Log Out
5. SAML language
1. Why federated identity?
• Multiple authentication parameters
• Heterogeneous authentication and access control methods
• No control over how personal information is exposed
• Need for easier and faster access to services
2. What is federated identity?
• Set of agreements, standards and technologies
• Trust relationships between organizations
• Integrity and privacy preserved
• Independence of organizations
3. Circle of Trust (CoT) participants
• Service Provider (SP): provides one or more services within a federation and defines their access control policy
• Identity Provider (IdP): creates, maintains and manages identity information; the user must authenticate at an IdP recognized by the SP
Circle of trust: federation of IdPs and SPs
• Business relationships
• Operational agreements
• Secured communication channels
• Seamless environment
(Figure: a CoT made of one IdP and several SPs)
4. SSO and SLO
Liberty Alliance
Single Sign On (SSO):
• Sign on once at a site (single account)
• Seamlessly signed on for other sites, with no extra authentication
• SPs both within and across circles of trust
Single Log Out (SLO):
• Synchronized session logout
• All sessions authenticated by an IdP are closed
5. SAML (Security Assertion Markup Language)
• XML standard developed by OASIS
• Exchanges authentication and authorization data between security domains (IdP and SP)
• SSO solution beyond the intranet
• Exchange of assertions between IdP and SP
Presentation of Ping Federate
Presentation of Ping Federate server
1. How does Ping Federate work?
2. Communication tools of Ping Federate
1. How does Ping Federate work?
• Server that passes identities between CoTs
• Distinction between two roles, IdP and SP; both roles can be combined
• Ping Federate does not interfere with local usage of the application
2. Communication tools in PF server
Different environments: how do they communicate? Ping Federate provides Integration Toolkits.
(Figure: application or IdM in programming language X <-> PF token <-> agent/adapter <-> SAML)
Platform Implementation
Platform Implementation
1. Needs
2. LDAP
3. Postfix
4. Tomcat
5. Ping Federate server
1. Needs
• Applications often interact with a database for authentication
• The Ping Federate server asks for the parameters of a mail server to send notification mail
• Ping Federate's sample application runs on the Tomcat application server
2. LDAP
Why this protocol?
• LDAP adapter proposed by PF
• Authentication to IdPs via a pop-up window
Our configuration:
• Server: OpenLDAP
• Client: LDAPBrowser to check our entries
• Simple tree: root + inetOrgPerson class instances
2. LDAP
Example of LDAP tree:
dn: o=INT,c=FR
dn: cn=Eunice, o=INT, c=FR
dn: cn=Pierre, o=INT, c=FR
Attributes we used: cn, sn, mail, userPassword, title
3. Postfix
Why?
• Mail server running on a Linux OS
• "Lighter" configuration than Sendmail
• No database associated: only one user! [email protected]; [email protected] is a "fake" address used for the notification only.
• IMAP server as MDA
4. Tomcat
Why?
• Application server required to test the samples
• Multi-technology support (JSP, HTML)
Identification tools:
• Double authentication based on role and login
• Default configuration
• LDAP-using configuration: JNDI
4. Tomcat
Key configuration files:
• server.xml: defines the database connection
• web.xml: defines the security constraint
5. Ping Federate
• Standalone web administration: https://cubitus.int-evry.fr:9999/pingfederate/app
• Support of multi-account administration
• Modifiable role selection (IdP, SP or both)
• Ease of management: server configuration, partner configuration
5. Ping Federate
Server settings, local settings:
• Base URL: where to reach the server?
• Federation Info: choice of technologies
• Entity ID / realm: alias of the server as known outside Ping Federate
• IdP/SP events: systematic redirections
5. Ping Federate
Server settings, local settings:
• IdP/SP adapters management
• Data store management
• Metadata export
5. Ping Federate
Partner settings, connections:
• IdP connections = we are the SP
• SP connections = we are the IdP
• SP affiliations = federation of two or more partners
According to the partners' configuration: each CoT defines its policy independently.
Demonstrations
Test Platform implementation
1. Before Ping Federate servers
2. Simplification
3. Ping Federate servers setting-up
4. IdP initiated SSO with ITAM
5. SP initiated SSO with ITAM
6. SP initiated SSO with LDAP adapter
1. Before Ping Federate servers
(Figure: INT CoT with its IdM and services S1, S2, S3; ITAM CoT with its IdM and services S1, S2, S3)
Connection to INT services within INT
Connection to INT services from outside INT
Connection to ITAM services within INT or from outside INT: not possible
2. Simplification
(Figure: each CoT reduced to one IdM and one service S1)
• All applications hosted by the Tomcat server
• Authentication files serving as the database
3. PF servers setting up
• For the INT CoT: only one PF server (IdP and SP server)
• For the ITAM CoT: two PF servers, one IdP and one SP
(Figure: INT CoT with IdM, S1 and cubitus as IdP & SP; ITAM CoT with IdM, S1, titania as SP and oberon as IdP)
4. IdP initiated SSO with ITAM
(Figure: INT CoT with IdM, S1 and IdP cubitus; ITAM CoT with IdM, S1, SP titania and IdP oberon; Sarah; SAML 2.0 SSO from cubitus to titania)
Sarah connected to S1 without having passed by the ITAM IdM
5. SP initiated SSO with ITAM
(Figure: INT CoT with IdM, S1 and IdP cubitus; ITAM CoT with IdM, S1, SP titania and IdP oberon; Bob; SAML 2.0 exchanges leading to SSO)
6. SP initiated SSO with LDAP adapter
(Figure: INT CoT with IdP cubitus and the LDAP directory as IdM, using the LDAP adapter instead of the standard adapter; ITAM CoT with IdM, S1, SP titania and IdP oberon; Sam; SAML 2.0 exchanges leading to SSO)
The INT IdP interacts with the LDAP directory via a pop-up window.
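As an added example that is not part of the presentation, here is the acceptance logic an SP such as titania has to apply to the SAML 2.0 Response in the two flows demonstrated above: the IdP-initiated flow (Sarah) delivers an unsolicited Response with no InResponseTo, while the SP-initiated flows (Bob, Sam) must echo the ID of a pending AuthnRequest. Entity IDs, timestamps and the make_response builder are constructed values; XML signature verification is assumed to have run before these checks.

```python
# Added example, not from the slides: SP-side checks on a SAML 2.0 Response
# for IdP-initiated (unsolicited, no InResponseTo) and SP-initiated (must
# echo a pending AuthnRequest ID) SSO. Entity IDs and times are constructed;
# XML-signature verification is assumed to have been done before this.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TRUSTED_IDP = "https://cubitus.example/idp"   # constructed: the INT IdP
SP_ENTITY_ID = "https://titania.example/sp"   # constructed: the ITAM SP


def parse_ts(s):  # SAML dateTime (UTC, no fractions) -> aware datetime
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_response(name_id, in_response_to=None, audience=SP_ENTITY_ID):
    # Constructed, unsigned Response shaped like what the IdP would send.
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1"%s>'
            '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
            '<saml:Assertion ID="_a1"><saml:Issuer>%s</saml:Issuer>'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
            '<saml:Conditions NotBefore="2007-02-07T10:00:00Z" '
            'NotOnOrAfter="2007-02-07T10:05:00Z"><saml:AudienceRestriction>'
            '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
            '</saml:Conditions></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], irt, SUCCESS, TRUSTED_IDP, name_id,
               audience))


def validate_response(xml_text, pending, now, allow_unsolicited):
    # pending: AuthnRequest IDs this SP issued and has not yet consumed.
    # Returns the asserted NameID, or raises ValueError on any failed check.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    irt = root.get("InResponseTo")
    if irt is None and not allow_unsolicited:
        raise ValueError("unsolicited (IdP-initiated) response rejected")
    if irt is not None and irt not in pending:
        raise ValueError("InResponseTo matches no pending request")
    pending.discard(irt)                      # a request is answered once
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise ValueError("assertion missing or not from a trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this SP")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID in subject")
    return name_id
```

The same pending-request set also blocks a replayed Response: once a request ID has been consumed, a second Response carrying it is refused.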
Conclusion
What remains to do?
• Adapt INTest with Ping Federate (Token)
• Test multi-partner federation
• Perform tests on security and privacy
Other solutions?
• Microsoft CardSpace (.NET)
• WS-Federation servers (Sun One Identity Server, IBM Tivoli, Microsoft ADFS…)
Thanks for your attention
Questions?