Microsoft ADFS based Single Sign On (SSO) Solution for Imam … · 2014-12-09 · Microsoft ADFS...

Microsoft ADFS based Single Sign On (SSO) Solution for Imam University

22-February-14


TABLE OF CONTENTS

Executive Overview
Top Features
Solution architecture
Requirements for Deploying the Active Directory based Federation services Single Sign on
The Architecture components
A brief Description on each and every component
General Architecture Notes
Solution Authorization Architecture
Benefits of using proposed solution
About Addvantum
Relevant Experience - Oracle Fusion Middleware
    Royal Saudi Air Force
    University of Dammam
    The General Organization for Social Insurance (GOSI)
    National manufacturing and Gas Company (GASCO)
    Samba Bank
Financial Proposal


EXECUTIVE OVERVIEW

The goal of the project is to deploy a Single Sign On solution for the current SharePoint 2013 farm environment at Imam University. The Microsoft ADFS based solution will integrate seamlessly with the existing SharePoint environment using Active Directory Federation Services.

After the deployment of the solution, the existing SharePoint 2013 farm will be available online, integrated with the current student and staff portals. The solution will give users single sign-on and will authenticate them to all existing SharePoint portals with only a single login and password. These credentials will then be available to the user automatically, without any repetition, providing ease of use and enhancing usability and efficiency.

The initial goals of this project include, but are not limited to, finding a solution that will be able to:

• Provide an efficient and seamless Single Sign On solution for the existing SharePoint portal for all users, local (LAN) as well as online.

• Increase the accessibility of information documents to those who need them while maintaining a secure environment.

• Align with Information and IT Governance to establish a maintainable ECM foundation.

To achieve these goals, we understand that the desired solution must be extensible. In other words, the required components must be available in the existing setup without the need to be purchased, and could be configured as needed and ‘snapped’ into the overall existing SharePoint 2013 platform. This will give Imam University the flexibility to implement Single Sign On without any changes to the current licensing model.

Microsoft Active Directory is an industry-leading solution that delivers a new level of integration and productivity across the entire spectrum of unstructured content.

Active Directory Federation Services (ADFS) is based on the emerging, industry-supported Web Services Architecture, which is defined in WS-* specifications. ADFS helps provide single sign-on (SSO) to authenticate users to multiple, related Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries.

The macro-level features of the Single Sign on Solution include:

Terminology used in proposed Solution

ADFS uses terminology from several different technologies, including certificate services, Internet Information Services (IIS), Active Directory, ADAM, and Web Services (WS-*). The following table describes these terms.

Term Description

account partner

A federation partner that is trusted by the Federation Service to provide security tokens. The account partner issues these tokens to its users (that is, users in the account partner realm) so that they can access Web-based applications in the resource partner.

Active Directory Federation Services (ADFS)

A Windows Server 2012 R2 component that provides Web SSO technologies to authenticate a user to multiple Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries. ADFS in Windows Server 2012 R2 supports the WS-F PRP.


claim

A statement that an issuer makes (for example, name, identity, key, group, privilege, or capability) about a client.

claim mapping

The act of mapping, removing or filtering, or passing claims between various claim sets.

claims-aware application

An ASP.NET application that performs authorization based on the claims that are present in an ADFS security token, such as SharePoint 2013.

client account partner discovery Web page

The Web page that is used to interact with the user to determine which account partner the user belongs to when ADFS cannot automatically determine which of the account partners should authenticate the user.

federation

A pair of realms or domains that have established a federation trust.

Federation Service

A security token service that is built into Windows Server 2012 R2. The Federation Service provides tokens in response to requests for security tokens.

Federation Service Proxy

A proxy to the Federation Service in the perimeter network (also known as a DMZ or a screened subnet). The Federation Service Proxy uses WS-F PRP protocols to collect user credential information from browser clients and Web applications and send the information to the Federation Service on their behalf.

passive client

A Hypertext Transfer Protocol (HTTP) browser, capable of broadly supported HTTP, which can make use of cookies. ADFS in Windows Server 2012 R2 supports only passive clients, and it adheres to the WS-F PRP specification.

resource partner

A federation partner that trusts the Federation Service to issue claims-based security tokens. The resource partner contains published Web-based applications that users in the account partner can access.

security token

A cryptographically signed data unit that expresses one or more claims.

security token service (STS)

A Web service that issues security tokens. An STS makes assertions based on evidence that it trusts, to whoever trusts it (or to specific recipients). To communicate trust, a service requires proof, such as a signature, to prove knowledge of a security token or set of security tokens. A service itself can generate tokens or it can rely on a separate STS to issue a security token with its own trust statement. This forms the basis of trust brokering. In ADFS, the Federation Service is an STS.


server farm

In ADFS, a collection of load-balanced federation servers, federation server proxies, or Web servers hosting the ADFS Web Agent.

single sign-on (SSO)

An optimization of the authentication sequence to remove the burden of repeated logon actions by an end user.

token-signing certificate

An X.509 certificate whose associated public/private key pair is used to provide integrity for security tokens.

Uniform Resource Identifier (URI)

A compact string of characters that identifies an abstract resource or physical resource. In ADFS, URIs are used to uniquely identify partners and account stores.

Web Services (WS-*)

The specifications for a Web Services Architecture that is based on industry standards such as Simple Object Access Protocol (SOAP); XML; Web Service Description Language (WSDL); and Universal Description, Discovery, and Integration (UDDI). WS-* provides a foundation for delivering complete, interoperable business solutions for the extended enterprise, including the ability to manage federated identity and security.

The Web services model is based on the idea that enterprise systems are written in different languages, with different programming models, which run on and are accessed from many different types of devices. Web services are a means of building distributed systems that can connect and interact with one another easily and efficiently across the Internet, regardless of what language they are written in or what platform they run on.

Web Services Security (WS-Security)

A series of specifications that describes how to attach signature and encryption headers to SOAP messages. In addition, WS-Security describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages. In ADFS, WS-Security is used when Kerberos signs security tokens.

WS-Federation

A specification that defines a model and set of messages for brokering trust and the federation of identity and authentication information across different trust realms.

The WS-Federation specification identifies two sources of identity and authentication requests across trust realms: active requestors, such as SOAP-enabled applications, and passive requestors, which are defined as HTTP browsers capable of supporting broadly supported HTTP, for example, HTTP 1.1.

WS-Federation Passive Requestor Profile (WS-F PRP)

An implementation of the WS-Federation specification that proposes a standard protocol for how passive clients (such as Web browsers) apply the federation framework. Within this protocol, Web service requestors are expected to understand the new security mechanisms and be capable of interacting with Web service providers.
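The passive sign-in exchange that WS-F PRP defines, seen from the relying party (SharePoint in this proposal), as an added example that is not part of the original proposal: it builds the `wa=wsignin1.0` redirect and applies the non-cryptographic checks to the posted `wresult`. The host `sts.example.edu`, the realm `urn:sharepoint:portal` and the sample token are constructed values; verifying the XML signature against the token-signing certificate is out of scope here and must be done with an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

# WS-Trust (Feb 2005) response wrapper and the SAML 1.1 assertion it carries.
NS = {"t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
REALM = "urn:sharepoint:portal"                        # constructed realm URI
ISSUER = "http://sts.example.edu/adfs/services/trust"  # constructed issuer URI


class TokenRejected(Exception):
    """The posted sign-in response failed a relying-party check."""


def build_signin_url(sts_endpoint, realm, context):
    """URL the relying party redirects an unauthenticated browser to."""
    query = urlencode({"wa": "wsignin1.0", "wtrealm": realm, "wctx": context})
    return f"{sts_endpoint}?{query}"


def _instant(value):
    """Parse a SAML UTC instant such as 2014-02-22T10:00:00Z."""
    try:
        base = value.rstrip("Z").split(".")[0]  # drop an optional fraction
        return datetime.fromisoformat(base).replace(tzinfo=timezone.utc)
    except (AttributeError, ValueError):
        raise TokenRejected("missing or malformed validity instant") from None


def validate_signin_response(form, realm, context, issuer, now):
    """Return {claim type: [values]} from a posted sign-in response.

    Only the non-cryptographic checks are shown. The XML signature must also
    be verified against the STS token-signing certificate before any claim
    is trusted; that step is not done here.
    """
    if form.get("wa") != "wsignin1.0":
        raise TokenRejected("not a sign-in response")
    if form.get("wctx") != context:
        raise TokenRejected("wctx does not match the request we sent")
    wresult = form.get("wresult", "")
    if "<!DOCTYPE" in wresult or "<!ENTITY" in wresult:
        raise TokenRejected("DTDs are not allowed in a token")
    try:
        root = ET.fromstring(wresult)
    except ET.ParseError:
        raise TokenRejected("wresult is not well-formed XML") from None
    assertion = root.find(".//t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise TokenRejected("no SAML assertion in wresult")
    if assertion.get("Issuer") != issuer:
        raise TokenRejected("assertion comes from an untrusted issuer")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise TokenRejected("assertion has no validity conditions")
    if not (_instant(conditions.get("NotBefore")) <= now
            < _instant(conditions.get("NotOnOrAfter"))):
        raise TokenRejected("assertion is outside its validity window")
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if realm not in audiences:
        raise TokenRejected("assertion was issued for a different realm")
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        claim_type = f"{attr.get('AttributeNamespace')}/{attr.get('AttributeName')}"
        claims[claim_type] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return claims


# Constructed sample, unsigned; a real AD FS token also carries a ds:Signature.
SAMPLE_WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
  MinorVersion="1" AssertionID="_constructed" IssueInstant="2014-02-22T10:00:00Z"
  Issuer="http://sts.example.edu/adfs/services/trust">
<saml:Conditions NotBefore="2014-02-22T10:00:00Z" NotOnOrAfter="2014-02-22T11:00:00Z">
<saml:AudienceRestrictionCondition><saml:Audience>urn:sharepoint:portal</saml:Audience></saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute AttributeName="emailaddress"
  AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>student@example.edu</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="role"
  AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
<saml:AttributeValue>Students</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""
SAMPLE_FORM = {"wa": "wsignin1.0", "wctx": "ctx-123", "wresult": SAMPLE_WRESULT}

if __name__ == "__main__":
    print(build_signin_url("https://sts.example.edu/adfs/ls/", REALM, "ctx-123"))
    at = datetime(2014, 2, 22, 10, 30, tzinfo=timezone.utc)
    print(validate_signin_response(SAMPLE_FORM, REALM, "ctx-123", ISSUER, at))
```
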

Top Features

• Authenticate only once and use multiple portals or partner sites or resources.

• Improved User Productivity

• Ease of Administration

These and many other features, combined with a reputation for industry-leading technology, will help drive rapid success, increased user adoption and a faster ROI for Imam University. Addvantum Innovative Technologies is proposing a Microsoft Active Directory based single sign-on solution and associated consulting services to meet Imam University's initial requirements.


Solution architecture

Figure 1: Recommended Architecture (courtesy of Microsoft)


Requirements for Deploying the Active Directory based Federation services Single Sign on

• Active Directory running in Windows Server 2008, Windows Server 2012, or Windows Server 2012 R2 with a functional level of mixed or native mode

• AD FS 2.x deployed on separate Windows Server 2008/R2 or Windows Server 2012

• AD FS 2.x Proxy deployed, as users are connecting from outside the company’s network

• Windows Azure Active Directory Module for Windows PowerShell to establish a trust

• Required updates installations

• A unique third-party certificate when installing and configuring federation servers and federation server proxies

The Architecture components

• Windows Server 2008/2008 R2 or Windows Server 2012

• PowerShell

• Web Server (IIS)

• .NET 3.5 SP1

• Windows Identity Foundation

• Publicly registered domain name

• SSL Trusted Public Certificates

• High-availability design

End users in the primary site can connect directly from the intranet to the SharePoint web front-end server, while remote-site users can connect over the internet (HTTP/HTTPS) through the user-friendly web-based interface.

A brief Description on each and every component:

Component | Function

SharePoint 2013 | - Document Management & Archiving - In-context Web site contribution, preview, updates, and approvals - Library services, including full-text search, check-in or check-out, and version control - Native content conversion to Web-viewable formats, including HTML, XML, and PDF - Full digital asset and records management features included

ADFS 2.0 Server DC1 (co-hosted with the domain controller) (Required server) | Microsoft Active Directory Federation Services component based on MS ADFS V2.0 Profile and user Synchronization

IIS | Microsoft Internet Information Server V7.0

SSL Certificate | This is to be used by the IP-STS and RP-STS, and will be the “glue” for establishing trust between these token services.

Identity server configuration | Making SharePoint based Identity aware server using federation services

SSO web verification | Configuration and single sign on web based verifications.

DNS Configurations | Configure DNS for external user’s access.

Group Policy | Configuration of Group policy for Active directory users.

Synchronization Manager | Monitor Synchronization after deploying synchronization.

Network Configurations | Placing the ADFS Server in DMZ and allowing access by enhancing Firewall/ Network access related configurations.

Load Balancing | Optimization of Load balancing devices for external and internal access management.

General Architecture Notes

By using the recommended architecture, Imam University has the advantage of starting deployment with fewer servers. If Imam University discovers, as the user population grows over time, that the initial servers are becoming saturated, they can simply add more nodes to the configuration (horizontal scalability).

Solution Authorization Architecture

This SharePoint 2013 solution, custom made for Imam University, has a three-tier architecture. After the successful deployment of the single sign-on solution for the SharePoint portal, both on-premises (local intranet) users and online users will experience the same single sign-on capability without the redundancy of a separate login for each portal. Installation and configuration of the client consist of logging in with an appropriate name and password and executing dynamically using browser-based authentication. Specific configuration information for the client is stored in the other tiers (the STS, a SharePoint-based store), not on the desktop or web browser.

Benefits of using proposed solution

• Web single sign on (SSO)

AD FS provides Web SSO to federated partners outside your organization, which enables their users to have an SSO experience when they access your organization’s Web-based applications.

• Web Services (WS)-* interoperability

AD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS follows the WS-Federation specification (for passive clients; that is, browsers), which makes it possible for environments that do not use the Windows identity model to federate with Windows environments.

• External user account management not required

The federated partner's Identity Provider (IP) sends claims that reflect its users' identity, groups, and attribute data. Therefore, your organization no longer needs to revoke, change, or reset the credentials for the partner's users, since the credentials are managed by the partner organization. Additionally, if a partnership needs to be terminated, it can be performed with a single trust policy change. Without AD FS, individual accounts for each partner user would need to be deactivated.


• Claim mapping

Claims are defined in terms that each partner understands and appropriately mapped in the AD FS trust policy for exchange between federation partners.

• Centralized federated partner management

All federated partner management is performed using the AD FS Microsoft Management Console (MMC) snap-in.

• Extensible architecture

AD FS provides an extensible architecture for claim augmentation, for example, adding or modifying claims using custom business logic during claims processing. Organizations can use this extensibility to modify AD FS to finely support their business policies.


SharePoint 2013 Tasks Schedule for SSO implementation

Deployment task | Task Description | Duration

1. System Analysis and Prepare for implementing SSO. | Analysis Phase | 5 days

2. Review the Imam university infrastructure requirements for deploying AD FS. | Review the requirements for Imam university infrastructure deploying AD FS | 2 days

3. Planning and installation of AD FS server | Plan your AD FS deployment | 5 days

4. Prepare your network infrastructure for federation servers. | Prepare your network infrastructure for federation servers | 5 days

5. Deploy your federation server farm. Depending on the version of AD FS that you want to use, complete the tasks in either of these checklists. | Checklist: Deploy your federation server farm on Windows Server 2012 R2 or Checklist: Deploy your federation server farm on legacy versions of Windows Server | 4 days

6. Prepare your network infrastructure for configuring extranet access. | Prepare your network infrastructure for configuring extranet access | 2 days

7. Configure extranet access. Depending on the version of AD FS that you want to use, complete the tasks outlined in either the following topic or checklist. | Configure extranet access for AD FS on Windows Server 2012 R2 or Checklist: Configure extranet access for AD FS on legacy versions of Windows Server | 2 days

8. Install Windows PowerShell for SSO with AD FS. | Install Windows PowerShell for single sign-on with AD FS | 1 day

9. Set up a trust between AD FS and Windows AD. | Set up a trust between AD FS and Windows AD | 5 days

10. Enabling auditing for AD FS. | Enabling auditing for AD FS might be beneficial in situations in which you place a high value on the security of your identity deployment and prefer to monitor it closely for suspicious or unintended activity. The process of enabling auditing for AD FS requires changes that you make using the Local Security Policy snap-in for your federation server as well as changes in the Service properties that you set using the AD FS Management console. For more information, see the “Configure Auditing for AD FS 2.0” section in | 2 days

11. Set up Active Directory synchronization. | Directory synchronization roadmap | 2 days

12. Verify and manage your SSO implementation with AD FS. | Verify and manage single sign-on with AD FS | 3 days

Note: The tasks and timelines listed do not include any time required for network and infrastructure related changes, such as firewall and load balancer changes, or for acquiring and deploying the SSL certificate required for single sign-on web portal authentication. The setup changes required at the domain level will also be managed and updated by Imam University. The whole process of solution deployment and configuration will be carried out on the current environment; further time will be required for moving the setup to the new production environment.

 

 


About Addvantum

Addvantum Innovative Technologies is a technology partner of choice for global organizations looking to strategically transform, grow, and lead in today’s challenging business environment. Headquartered in UAE, Addvantum is a global provider of IT Consulting, Business Process Outsourcing, Business Technology Services, Enterprise Application Services, Software Testing, Product Engineering, Engineering Design and Product Support. Addvantum mainly focuses on the EMEA and ASEAN regions and maintains offices in USA, UK, Riyadh, Al-Khobar, Bahrain, Lahore, Islamabad and Karachi.

Addvantum stands ready to assist your enterprise with the most up-to-date IT solutions and consulting services. Addvantum matches the most advanced global IT expertise to today’s challenging information technology projects. Addvantum is a global IT consulting and IT services company specializing in providing your organization with true integration of Enterprise applications and middleware solutions.

The world of business is increasingly shaped by globalization, creating pressures to constantly adapt and change. These pressures can be mitigated by the creation of efficient IT platforms that possess the flexibility to meet the ever-changing requirements within today’s business environment. Addvantum continues to expand the focus on providing the best in class unconventional workflows to a global community through new international onshore and offshore centers, business partnerships and acquisitions in areas of strategic interest.

Backed with unmatched technical expertise and insights through global delivery centers, we have maintained the highest levels of compliance and quality that go with the changing times and technologies. Our Global Partners’ knowledge investments are backed by years of R&D and have led to the creation of labs and ‘Centers of Excellence’ that have produced innovative solutions.

Addvantum has set up Centers of Excellence in partnership with Oracle Corporation in Riyadh, Dubai and Lahore. The centers of excellence focus on providing innovative solutions to the Education sector globally. Addvantum’s client list includes major global enterprises from various industry verticals. Addvantum has traditionally focused on education, telecom & media, banking, energy, manufacturing and retail/distribution sectors.

Our core expertise lies in Middleware and Higher Education Solutions. Our middleware practice includes Core Technologies (Virtualization, Security, Server Consolidation & High Availability Solution) and Fusion Middleware (SOA, IDAM, BPM, BI, Content management and WebCenter Portal). Higher education Solutions include PeopleSoft Campus Solutions, PeopleSoft HRMS & Financials. Addvantum also focuses on providing Oracle ERP Applications and is exponentially growing in MEA and ASEAN regions respectively.

Addvantum provides domain experts and strong technology implementation teams in PeopleSoft Campus Solutions, PeopleSoft HRMS & Financials, Oracle ERP Applications and Middleware solutions who deliver breakthrough performance for our customers. With over 1,000 employees worldwide, we have the ability to deliver complex solutions for large enterprises. A key factor in our success is the set of practice-specific methodologies developed by Addvantum, which have been optimized for delivering solutions on key platforms. Leveraging these, Addvantum is able to deliver fixed price implementations for our largest projects.


Company Details

Saudi Arabia Office

Dubai Office Address

Office # G 01-02, Building # 11
Dubai Internet City
Dubai, UAE
(T) +971 4448 3026
(F) +971 4449 6085

Global Offices Contact Details

Addvantum Innovative Technologies Pvt. Ltd.

Lahore Office:
4th Floor 4th Office, Arfa Software Technology Park
Ferozepur Road, Lahore
Pakistan
(T) +92 423 597 2005
(F) +92 423 5972006

Doha Office:
Level 14, Commercial Bank Plaza
West Bay, Doha, Qatar
P.O. Box 27111
(T) +974 4 452 8165
(F) +974 4 452 8165

U.S. Office:
Suite 4925
300 North Lasalle Street,
Chicago, IL 60654, USA
(T) +1 312 803 0363
(F) +1 312 803 0363

Email: [email protected]

Website

www.addvantum.com

Email

[email protected] [email protected] [email protected]

 


Relevant Experience - Oracle Fusion Middleware

Royal Saudi Air Force:

Background: The Royal Saudi Air Force is the aviation branch of the Saudi Arabian armed forces. The RSAF has developed from a largely defensive military force into one with an advanced offensive capability. The RSAF maintains the third largest fleet of F-15s after the USAF and the JASDF, with a user base of 5000+. The client was undergoing a transformation towards a more secure and centralized model to manage its various applications. RSAF was looking for a solution for de-provisioning users from 8 different bases by using an IDM solution and to provide thousands of its employees, staff members and a few external stakeholders with direct, online access to the information within the air force.

Solution: There were 11 different applications in use that needed to be integrated. Addvantum suggested an Oracle IDM Solution for the client that included: IDM Software Components, Oracle Internet Directory, Oracle Identity Manager, IDM Management Pack, Access Manager, Adaptive Access Manager, Oracle database, ESSO and Web Server (Oracle HTTP Server). Addvantum implemented IDM on all the 8 bases along with a Disaster Recovery site for HQ.

Outcomes: The solution helped realize the vision for a more secure and centralized approach to sharing information between different applications and client staff members. The Oracle Identity Manager (OIM) enabled the right employees to gain access to the right information at the right time for the right purpose, while ensuring and enhancing the security and confidentiality of RSAF.

 


Applications integrated at RSAF

S/No Resources

1 MS Exchange

2 SharePoint Portal

3 BMC Remedy Business Service Management

4 EMC Documentum

5 ASG Safari Business Intelligence System

6 AQD Quality and Safety Management System

7 Servisgistics SPM

8 Gold system

9 Morasalat

10 Oracle E-Business Suite

11 Active Directory (AD)

 

 


University of Dammam:

Background: Established in 1975, the University of Dammam (UoD) is one of the largest and oldest Universities in Saudi Arabia. The university consists of 24 Colleges, 123 departments, 1,414 faculty members and 24,950 students. In addition to a higher education solution, the university was looking for a solution to integrate all the existing applications such as learning management system, Blackboard LMS, Symphony library management system, and Active Directory.

Solution: Addvantum implemented Oracle WebCenter Suite, consisting of Content Management System and complete Portal, at University of Dammam. For all integrations we suggested Single Sign-on, using Oracle Identity Manager, which took care of all security concerns as well. In addition, a custom integrated mobile application was also developed for students and faculty of UoD.

Outcomes: The solution enabled all system users (16000 concurrent users for admission, with a total of 60000-70000 users) to access the applications in a secure and convenient manner with multiple ways to access information. The information is accurate as well as reliable, serving the needs of management, faculty, students and even their parents.


The General Organization for Social Insurance (GOSI):

Background: The General Organization for Social Insurance (GOSI) administers the Kingdom's national insurance scheme. GOSI pays allowances and makes compensation payments to individuals and families within the scheme. GOSI was looking to replace its SUN directory services solution and migrate to Oracle Internet Directory (OID). Having in excess of 500,000 users was causing them repeated issues, and their existing solution was not able to manage the user load and change requests. With Oracle's solution, we were able to swiftly migrate 500,000 users into Oracle Internet Directory and integrate with their critical applications.

Solution:

• Implementation of OID in clustered environment
• Migration of users to OID
• Migrate Objects from Sun One to OID
• Integrate with One Application “SIMS”
• Test the OID in the Pre-Production environment
• Read/Write on the Directory Server “LDAP”

Outcomes: User provisioning and de-provisioning times were reduced significantly, and considerable performance improvements were achieved.


National manufacturing and Gas Company (GASCO):

Background: National Manufacturing and Gas Company (GASCO) serves consumers through the provision of LPG at the highest efficiency levels, with a commitment to protect and develop the local environment. It transports, fills and markets LPG (butane and/or propane). GASCO had a host of IT applications in the following areas of technology: an ERP system based on Oracle E-Business Suite, a CRM system based on Oracle Siebel CRM, an SOA architecture that will be composed of Oracle Fusion Middleware, and a few third-party applications (Motabi, Avaya, and others). GASCO was looking for a middleware solution to integrate its various IT applications across the board for its 10,000+ users.

Solution: Addvantum suggested and implemented a host of Oracle middleware applications, including WebLogic Suite, SOA Suite, Oracle Applications Adapter, SOA Management Pack, WebLogic Management Pack and Oracle Enterprise Gateway. The SOA layer was composed of two main parts: the Enterprise Service Bus layer and a Service Consumers layer on one side, and a Service Providers layer on the other. Each service in the ESB layer was architected and implemented with its own tools and components to achieve the intended business and functional objectives. With the fulfillment of these requirements, applications (Service Consumers and Service Providers) become eligible to exchange data and information in a transparent manner.

Outcomes: Oracle SOA Suite's hot-pluggable architecture helped GASCO lower upfront costs by allowing maximum re-use of existing IT investments and assets, regardless of the environment (OS, application server, etc.) they run in or the technology they were built upon. Its easy-to-use, re-use focused, unified application development tooling and end-to-end lifecycle management support further reduced development and maintenance cost and complexity.

Samba Bank:

Background: Samba Financial Group was formed to take over the then existing branches of Citibank, N.A. in Jeddah and Riyadh. Samba was formed in accordance with a program adopted by the Kingdom in the mid-1970s, under which all foreign banks were required to sell majority equity interests to Saudi nationals. Samba Bank requires a middleware solution to integrate its various applications, especially in the post-T24 implementation scenario. It has over 2500 users. For this purpose, Samba Bank has invited various vendors to demonstrate their products.

Solution: Oracle Saudi Arabia brought its implementation partner, Addvantum, onboard, based on its experience in implementing Oracle applications and technologies for a large number of customers, especially in Oracle Fusion Middleware and Oracle Applications implementations. Addvantum suggested implementation of an Enterprise Service Bus (ESB). An ESB is a piece of software that connects multiple applications together by reusing application-to-application interfaces, covering a wide variety of disparate protocols and transport mechanisms. An ESB can also transform messages on the fly and route messages between multiple applications based on the contents of the message.

Outcomes: A good number of messages and integrations have been accommodated as per Samba's requirements. The implementation integrated multiple applications and heterogeneous messages relatively quickly, and with a reasonably low engagement of development resources. It successfully provided the client an integration middleware platform between the existing and future systems.

Applications integrated at Samba Bank

 

 

 

 

 

 


Financial Proposal  

Addvantum will charge around SAR 144,956/- for the two-month project. This is exclusive of all taxes.