SAML and Other Types of Federation for Your Enterprise

SAML and Other Types of Federation for Your Enterprise, session from BriForum London 2014

Transcript of SAML and Other Types of Federation for Your Enterprise

Page 1: SAML and Other Types of Federation for Your Enterprise

@fdwl #BriForum @entisys

SAML and Other Types of Federation for Your Enterprise

Denis Gundarev, Senior Consultant, Entisys Solutions

May 20, 2014

Page 2: SAML and Other Types of Federation for Your Enterprise

Based on a true story

Page 3: SAML and Other Types of Federation for Your Enterprise

About me

Page 4: SAML and Other Types of Federation for Your Enterprise

Agenda

What is federated authentication

How to add federation support for your legacy applications

Page 5: SAML and Other Types of Federation for Your Enterprise

Identity and Account Management Basics

Identity Management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within the enterprise

Integral components of identity and access management:

Identification

Authentication

Authorization

Page 6: SAML and Other Types of Federation for Your Enterprise

Identification vs. Authentication vs. Authorization

Page 7: SAML and Other Types of Federation for Your Enterprise

Entity vs Identity vs Credential vs Attribute

Entity

• Person

• Computer

Identity

• Active Directory Account

• Passport Number

• Serial Number

Credential

• Passport

• Credit Card

• Kerberos token

Attribute

• Address

• Qualification

• Criminal record

Page 8: SAML and Other Types of Federation for Your Enterprise

Attribute Assertion

An attribute assertion is a claim made by someone (the asserter) that a particular person possesses a particular attribute.

A college can confirm that a person has graduated.

Active Directory can confirm that a password is correct.

A digitally signed attribute assertion = an authorization credential.

Source: David W Chadwick Federated Identity Management http://kar.kent.ac.uk/30609/1/FederatedIdManChapter.pdf

Page 9: SAML and Other Types of Federation for Your Enterprise

Credential Types

Credential authenticity

Not tampered with

Received exactly as issued by the issuing authority

Digitally signed to prove authenticity

Credential validity

Monopoly money is authentic if obtained from the Monopoly game pack:

valid for buying stuff in the game

NOT valid in a grocery store

A credit card is an authentic credential:

Valid in Marks & Spencer

Not valid in a fishing village in the middle of nowhere during the night

Source: David W Chadwick Federated Identity Management http://kar.kent.ac.uk/30609/1/FederatedIdManChapter.pdf

Page 10: SAML and Other Types of Federation for Your Enterprise

What is Federation?

A set of standards-based technology & IT processes to facilitate distributed identification, authentication & authorization across boundaries (security, departmental, organizational or platform).

Page 11: SAML and Other Types of Federation for Your Enterprise

Federation Example

[Diagram: an Entity authenticates to the Identity Provider (IdP), which issues an Attribute Assertion; the Service Provider (SP) consumes the assertion and grants access to Resources.]

Page 12: SAML and Other Types of Federation for Your Enterprise

Federation Example

Facebook performs authentication and generates a signed attribute assertion with the user name and a unique user ID

Digg maintains its own user database and authorization

Page 13: SAML and Other Types of Federation for Your Enterprise

Why Do I Need Federation?

Provide access to your applications to suppliers or partners

Quickly onboard acquired organization

Provide access for temporary workers by using “bring your own identity” model

Service Providers

Page 14: SAML and Other Types of Federation for Your Enterprise

Can’t I Just Create User Accounts?

More work for you

Less security for your network

No control over the user population

Page 15: SAML and Other Types of Federation for Your Enterprise

Can’t I Just Use Forest Trusts?

A network connection between partners is required

User principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces are replicated

DNS configuration is required

Page 16: SAML and Other Types of Federation for Your Enterprise

Benefits of Federation

Better Access Experience

Single sign-on across networks & organizational boundaries

Increased Security & Simpler Administration

Heightened identity assurance

No passwords are sent to the resource partner: the account partner authenticates the user and issues a signed claim

Account de-activation is handled by the account partner

Account partner can easily be disabled at the organizational level

Strong authentication such as user certificates or OTP tokens can be layered on top of the federation claim

Page 17: SAML and Other Types of Federation for Your Enterprise

Benefits of Federation

Corporate Directories

• Active Directory

• LDAP

• Kerberos

Special Cases

• Anonymous users

• One-time Access

Partners

• ADFS

• OpenSSO

• PingIdentity

Private-Sector IdPs

• Office365

• Google

• Microsoft

• Facebook

• Twitter

Page 18: SAML and Other Types of Federation for Your Enterprise

SAML

SAML – Security Assertion Markup Language

XML-based security specification for exchanging authentication and authorization information

Developed by the OASIS standards organisation

Uses HTTP as the communication protocol (HTTP Redirect and HTTP POST bindings carry the messages through the user's browser between IdP and SP)

Designed to address the complexities of establishing business-to-business communication between differing systems.

Page 19: SAML and Other Types of Federation for Your Enterprise

SAML Assertion

A set of statements (claims) made by a SAML authority (Identity provider or IdP)

Authentication statement: subject was authenticated using a particular technique at a particular time

Attribute statement: particular attribute values are associated with the subject

Optional authorization decision statement: subject is authorized to perform certain actions

Page 20: SAML and Other Types of Federation for Your Enterprise

SAML Assertion

Page 21: SAML and Other Types of Federation for Your Enterprise

X.509 Certificates

Trust is managed through certificates

Certificates for:

HTTPS communications (A on the relying party, B on the issuer)

Security token signing (C, held by the issuer) and encryption (D, held by the relying party)

PKI-issued certificates are required for A & B; C & D can be self-signed

[Diagram: Relying party and Issuer. The issuer signs the security token (ST) with C and the relying party verifies it with the public key of C; the issuer encrypts the ST with the public key of D and the relying party decrypts it with D. Root for A and Root for B are the CAs behind the two HTTPS certificates.]

Page 22: SAML and Other Types of Federation for Your Enterprise

Federation Metadata

During the establishment of the issuer / relying party trust, both parties will require configuration which includes:

End-points for communication

Claims offered by the issuer

Claims accepted by the relying party

Public keys for signing and encryption

This information can be configured manually or automatically via the exchange of federation metadata

Federation metadata can be updated automatically, so a signing-certificate rollover at the partner does not break the trust; fetch it over HTTPS from the partner's published URL rather than pasting it in by hand

Page 23: SAML and Other Types of Federation for Your Enterprise

SAML IdP Example

Page 24: SAML and Other Types of Federation for Your Enterprise

Active Directory Federation Services

AD FS 1.0 - released with Windows Server 2003 R2 as part of the operating system

AD FS 1.1 - released with Windows Server 2008 and was carried into Windows Server 2008 R2

AD FS 2.0 was released after Windows Server 2008 R2. It was released to the web and is

free to download.

ADFS 2.1 was released to Windows Server 2012 as part of the operating system

Page 25: SAML and Other Types of Federation for Your Enterprise

ADFS 1.x

AD FS 1.x is limited:

WS-Federation Passive Requestor Profile (browser) only

SAML 1.1 tokens

SAML 2.0 is not backward compatible with SAML 1.x, so forget about AD FS 1.x

Page 26: SAML and Other Types of Federation for Your Enterprise

ADFS 2.x

A SAML implementation (both IdP and SP) from Microsoft

An AD-based single sign-on system

SAMLv2 Authentication

Allows for Single Sign on support for Web based applications.

AD FS 2.0, the separate download for Windows Server 2008 R2, is where SAML 2.0 support arrived.

Page 27: SAML and Other Types of Federation for Your Enterprise

Can I Have it Out of the Box?

Not with StoreFront

Web Interface 5.4 supports ADFS out of the box!

ADFS version 1.1 only

Windows Server 2003 R2 only

32-bit edition of 2003 R2 only

Not supported with NetScaler, Secure Gateway only

Does not work with XenDesktop

Page 28: SAML and Other Types of Federation for Your Enterprise

Authentication in XenApp/XenDesktop

Support for several authentication methods

Smart cards, client certificates, RSA SecurID, etc.

Support for OS and non-OS credential stores

OS: Active Directory and eDirectory

Non-OS: LDAP, RADIUS, 3rd party authentication methods.

Leverage Authentication methods supported by Windows:

Smartcard support

Client certificates support

Custom 3rd party authentication mechanisms through GINA extensions.

Leverage Windows authentication to flow the OS identity tokens between Access Infrastructure services

Example: flowing Kerberos tickets between ICA client and XA server.

Page 29: SAML and Other Types of Federation for Your Enterprise

Page 30: SAML and Other Types of Federation for Your Enterprise

SAML SP Example

Page 31: SAML and Other Types of Federation for Your Enterprise

NetScaler & SAML Authentication

NetScaler can act as a Service Provider (SP)

User can be authenticated on LB or CS vserver

NetScaler Gateway 10.1 supports SAML 2.0

Configuring SAML Authentication on NetScaler Gateway

http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-authen-saml-con.html

NetScaler practical / SAML AAA against simplesamlphp IdP

http://blogs.citrix.com/2012/08/24/174193098/

How to Configure NetScaler SAML to Work with Microsoft AD FS 2.0 IdP

https://support.citrix.com/article/CTX133919

Does not provide metadata

Use Metadata builder http://samlmetajs.simplesamlphp.org/demo

Page 32: SAML and Other Types of Federation for Your Enterprise

Authentication flow

[Diagram: User, IdP, NetScaler (SP), Active Directory; the SP trusts the IdP.]

1. User browses to NetScaler Gateway (NG)

2. Not authenticated: redirected to the IdP

3. IdP authenticates the user

4. IdP queries the directory for user attributes

5. IdP returns a security token (ST) to the browser

6. Browser sends the token (ST) to NetScaler (SP)

7. NetScaler returns the page and a session cookie

Page 33: SAML and Other Types of Federation for Your Enterprise

MetaData

NetScaler does not provide metadata

Use Metadata builder

http://samlmetajs.simplesamlphp.org/demo
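The metadata builder linked above is a web form. As an added example (not from the slides, not Citrix code), the block below does the same job in Python for an SP that publishes no metadata, and covers the Federation Metadata slide from the other direction by extracting from IdP metadata the items that slide lists (endpoints, signing keys, what the issuer expects). Entity IDs and URLs are placeholders, the certificate strings are labelled placeholders rather than real base64 X.509 data, and the ACS path /cgi/samlauth is an assumption for the NetScaler assertion consumer endpoint.

```python
"""Generate SP metadata for an SP that does not publish its own, and read
from IdP metadata what the SP side of the trust needs.

Added example, not from the slides and not Citrix code. All names, URLs and
certificate strings are placeholders.
"""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": NS_MD, "ds": NS_DS}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)

# Constructed IdP metadata (AD FS style); certificate values are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.partner.example/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="false">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER-IDP-SIGNING-CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-IDP-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.partner.example/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.partner.example/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def build_sp_metadata(entity_id, acs_url, signing_cert_b64):
    """SP metadata the IdP admin imports instead of typing endpoints and keys by hand."""
    ed = ET.Element("{%s}EntityDescriptor" % NS_MD, entityID=entity_id)
    sp = ET.SubElement(
        ed, "{%s}SPSSODescriptor" % NS_MD,
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
        AuthnRequestsSigned="true",   # the SP signs AuthnRequests with the cert below
        WantAssertionsSigned="true",  # the SP rejects unsigned assertions
    )
    kd = ET.SubElement(sp, "{%s}KeyDescriptor" % NS_MD, use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, "{%s}KeyInfo" % NS_DS), "{%s}X509Data" % NS_DS)
    ET.SubElement(x509, "{%s}X509Certificate" % NS_DS).text = signing_cert_b64
    ET.SubElement(sp, "{%s}NameIDFormat" % NS_MD).text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    ET.SubElement(sp, "{%s}AssertionConsumerService" % NS_MD,
                  Binding=BINDING_POST, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")


def parse_idp_metadata(xml_text):
    """What the SP needs from the IdP: entityID, SSO endpoint per binding, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means both roles
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))  # drop the line wrapping
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "signing_certs": certs,  # may hold two during a certificate rollover
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


if __name__ == "__main__":
    print(build_sp_metadata("https://go.example.com/",
                            "https://go.example.com/cgi/samlauth", "PLACEHOLDER-SP-SIGNING-CERT"))
    print(parse_idp_metadata(SAMPLE_IDP_METADATA))
```

Mapping to the NetScaler side: the SP entityID is the value given to -samlIssuerName, the SP signing certificate is the one named by -samlSigningCertName, the IdP signing certificate from the parsed metadata is what -samlIdPCertName must point at, and the IdP SSO endpoint is the -samlRedirectUrl. If the parsed metadata returns two signing certificates, the partner is in the middle of a rollover and both must be trusted until the old one disappears.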

Page 34: SAML and Other Types of Federation for Your Enterprise
Page 35: SAML and Other Types of Federation for Your Enterprise

Authentication in XenApp/XenDesktop (same slide as Page 28)

Page 36: SAML and Other Types of Federation for Your Enterprise

Federation Example (same slide as Page 12)

Facebook performs authentication and generates a signed attribute assertion with the user name and a unique user ID

Digg maintains its own user database and authorization

Page 37: SAML and Other Types of Federation for Your Enterprise

Shadow Accounts

Required to delegate access to non-claim-aware resources

A regular user account

Mapped to an attribute received from the IdP

Can be mapped to any attribute

Page 38: SAML and Other Types of Federation for Your Enterprise

SAML for XenApp/XenDesktop Options

S4U (Service-for-User) Kerberos Extensions

Kerberos delegation and S4U on NetScaler – too complicated

S4U on WebInterface? No future!

S4U on StoreFront? You mean StoreFront code customization?

Page 39: SAML and Other Types of Federation for Your Enterprise

SAML for XenApp/XenDesktop Options

Page 40: SAML and Other Types of Federation for Your Enterprise

Explicit Auth in XD/XA

[Diagram: explicit (password) authentication flow. Components: Client (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine), WI, IMA / DDC, VDA (Winlogon), DC, Servers (File Server, Exchange, …). The password (pwd) is passed from the client through WI to the DDC and on to the VDA; WI tickets travel between WI, the client and the VDA; the VDA authenticates to the DC with the password to get a TGT, then gets a service ticket (svc ticket) for the back-end servers.]

Page 41: SAML and Other Types of Federation for Your Enterprise

Solution

NetScaler SAML authentication

NetScaler FormFill SSO profile

Custom Account Manager Service

NetScaler HTTP Callout

NetScaler Rewrite Policy

Page 42: SAML and Other Types of Federation for Your Enterprise

Account Manager Service

Web Application

Create shadow user accounts with a random password in AD

Store the password securely

Respond to an HTTP request with the user's password

GET /GetPassword/[email protected]

Response:

0@J4y9jCv9CHzP2Q!rhMHY@7AOk7vfF2Rf1!T!i29QG^se^RQZbhjt4fOOmn$CN4

Caveat: this service is a password oracle for every shadow account. Expose it only over TLS, restrict callers to the NetScaler SNIP (at the firewall and inside the service) and log every lookup; anyone who can reach it can log on as any federated user.
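The slides describe the Account Manager only by its three responsibilities and one request/response pair. The block below is an added example (not the service from the talk) of the core logic such a service needs: a deterministic shadow account name that fits AD's 20-character sAMAccountName limit, a random password that satisfies AD complexity, an idempotent provisioning step, and the caller authorisation the talk does not show, since GetPassword hands out a logon password to whoever asks. The account naming scheme, the choice to set the shadow account's UPN to the federated email (so the WebInterface login by email works), the caller allowlist, the shared-key header and the in-memory store are all assumptions; the AD write is a stub that records what a real implementation would send.

```python
"""Core logic of a shadow-account manager for federated users.

Added example, not the service from the talk. Provisioning into AD is a
stub (ad_writes records what would be written) and passwords live in a
dict; a real service encrypts them at rest. Names and the caller allowlist
are assumptions.
"""
import hashlib
import hmac
import secrets
import string

SAM_MAX_LEN = 20  # AD limit for sAMAccountName
# AD complexity wants three of four classes; this generator always uses all four.
PASSWORD_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                    string.digits, "!@#$%^&*()-_=+")


def shadow_account_name(email):
    """Deterministic sAMAccountName for a federated identity (assumed scheme)."""
    digest = hashlib.sha256(email.strip().lower().encode()).hexdigest()
    return ("fed-" + digest)[:SAM_MAX_LEN]


def password_meets_complexity(pw):
    return len(pw) >= 14 and all(any(c in cls for c in pw) for cls in PASSWORD_CLASSES)


def random_password(length=48):
    """Random password drawn with the secrets module that passes the complexity check."""
    alphabet = "".join(PASSWORD_CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_meets_complexity(pw):
            return pw


class AccountManager:
    def __init__(self, allowed_callers, api_key):
        self._allowed = set(allowed_callers)   # e.g. the NetScaler SNIP(s)
        self._api_key = api_key                # shared secret sent in a request header
        self._passwords = {}                   # sAMAccountName -> password
        self.ad_writes = []                    # stand-in for the LDAP/ADSI calls
        self.audit = []                        # every lookup, allowed or denied

    def provision(self, email):
        """Create the shadow account once; later calls return the existing name."""
        sam = shadow_account_name(email)
        if sam not in self._passwords:
            self._passwords[sam] = random_password()
            # A real implementation creates the user and sets the password here.
            # userPrincipalName = email requires the email domain to be a
            # registered UPN suffix in the forest (assumption).
            self.ad_writes.append({"sAMAccountName": sam, "userPrincipalName": email,
                                   "mail": email, "description": "federated shadow account"})
        return sam

    def get_password(self, email, caller_ip, presented_key):
        """The GET /GetPassword/<email> handler, with caller authorisation."""
        if caller_ip not in self._allowed or not hmac.compare_digest(presented_key, self._api_key):
            self.audit.append(("DENY", caller_ip, email))
            raise PermissionError("caller not authorised")
        sam = shadow_account_name(email)
        if sam not in self._passwords:
            raise KeyError(email)
        self.audit.append(("ALLOW", caller_ip, email))
        return self._passwords[sam]


if __name__ == "__main__":
    mgr = AccountManager(allowed_callers={"10.0.0.5"}, api_key="netscaler-shared-key")
    print(mgr.provision("alice@partner.example"))
    print(mgr.get_password("alice@partner.example", "10.0.0.5", "netscaler-shared-key"))
```

Provisioning is keyed on the same attribute the SAML profile maps the user from (mail), so the account that the form-fill step logs on with is the one the callout asks about. The HTTP callout can only send a fixed host and URL, so the shared key would have to be set in the callout's header expression; the source-IP restriction is the check that does not depend on the NetScaler configuration.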

Page 43: SAML and Other Types of Federation for Your Enterprise

SAML Authentication Profile

add authentication samlAction PartnerIdp -samlIdPCertName Partner-idp -samlSigningCertName ns-server-certificate -samlRedirectUrl "https://osso.parner.com:443/opensso/SSOPOST/metaAlias/partnernet/idp" -samlUserField mail -samlRejectUnsignedAssertion OFF -samlIssuerName "https://go.example.com/"

add authentication samlPolicy PartnerIdp ns_true PartnerIdp

-samlIdPCertName is the IdP signing certificate used to verify assertions, -samlSigningCertName is the NetScaler certificate used to sign requests to the IdP, and -samlUserField mail takes the user name from the mail attribute. -samlRejectUnsignedAssertion OFF makes NetScaler accept an assertion that carries no signature, so anyone who can POST to the NetScaler assertion consumer URL could forge one for any mail value; keep the default (ON) unless the IdP cannot sign assertions at all.

Page 44: SAML and Other Types of Federation for Your Enterprise

Form SSO Profile

add vpn formSSOAction WebInterfaceFormSSOProfile -actionURL "/SSO/auth/login.aspx" -userField email -passwdField donotuse -ssoSuccessRule "Http.RES.SET_COOKIE.COOKIE(\"WIAuthId\").VALUE(\"WIAuthId\").LENGTH.GT(10) && Http.RES.STATUS.EQ(302)" -nameValuePair "password=&LoginType=Explicit" -nvtype STATIC -submitMethod POST

add vpn trafficAction WebInterfaceFormSSOTrafficProfile http -appTimeout 120 -SSO ON -formSSOAction WebInterfaceFormSSOProfile

add vpn trafficPolicy WebInterfaceFormSSOTrafficPolicy "(URL CONTAINS /sso/auth/login.aspx) && METHOD == GET && HEADER Cookie CONTAINS WIClientInfo" WebInterfaceFormSSOTrafficProfile

The form-fill profile submits the Web Interface login form with the SAML-derived email as the user name and an empty password field (the rewrite policy on the next slide fills it in). The traffic policy fires on the GET of /sso/auth/login.aspx when the WIClientInfo cookie is present, and success is detected by a 302 response that sets a WIAuthId cookie.

Page 45: SAML and Other Types of Federation for Your Enterprise

Callout and Rewrite

add policy httpCallout AccountManager

set policy httpCallout AccountManager -vServer AccountManager -returnType TEXT -hostExpr "\"CN1-ACCMAN01.example.com\"" -urlStemExpr "\"/GetPassword/\" + http.REQ.BODY(500).AFTER_REGEX(re#email=#).BEFORE_REGEX(re#&#)" -resultExpr "http.RES.BODY(1000).XPATH(xp%/%)"

add rewrite action ReplaceEmptyPasswordAction replace_all "HTTP.REQ.BODY(500)" "\"&password=\"+SYS.HTTP_CALLOUT(AccountManager).HTTP_URL_SAFE+\"&\"" -search "regex(re/&password=[ -~]*&/)" -bypassSafetyCheck YES

add rewrite policy ReplaceEmptyPasswordPolicy "http.req.method.eq(POST) && HTTP.REQ.URL.PATH.TO_LOWER.EQ(\"/sso/auth/login.aspx\")" ReplaceEmptyPasswordAction

The callout takes the email from the POST body (the text between email= and the next &) and asks the Account Manager for that shadow user's password; the rewrite policy then replaces the empty password field in the POST to /sso/auth/login.aspx with the URL-encoded callout result before the request reaches Web Interface. -bypassSafetyCheck YES turns off the expression safety check NetScaler applies to rewrites that use callouts. Whatever the AccountManager vserver returns is submitted as the password, so that vserver must be reachable only from the NetScaler and served over SSL.

Page 46: SAML and Other Types of Federation for Your Enterprise

Communication flow

[Diagram: User, Browser, ADFS (SSO portal) with Active Directory, Account Manager with Active Directory, NetScaler Gateway, StoreFront, XenDesktop Controller (DDC), VDA]

1. User authenticates at the SSO portal

2. SSO sends a SAML Response to the user's browser

3. User's browser POSTs the SAML Response to NetScaler Gateway

4. NetScaler requests shadow user credentials from Account Manager

5. Account Manager sends credentials back to NetScaler

6. NetScaler submits shadow user credentials to StoreFront

7. StoreFront requests a XenDesktop token from the DDC

8. DDC sends the XenDesktop token back to StoreFront

9. StoreFront sends the ICA file

10. Citrix Receiver connects to the Access Gateway

11. NetScaler Gateway connects to the desktop

12. Shadow user logged on

Page 47: SAML and Other Types of Federation for Your Enterprise

SAML-enabled solutions

Cloud

www.pingidentity.com

www.ssoeasy.com

www.forumsys.com

www.okta.com

www.onelogin.com

www.cloudentr.com

Azure Active Directory

Google Apps

On prem

Microsoft ADFS

Oracle OpenSSO

ForgeRock OpenAM

PingFederate

RCDevs OpenID

Novell Access Manager

IBM Tivoli Access Manager

JBoss SSO

Page 48: SAML and Other Types of Federation for Your Enterprise

Q&A

j.mp/gundarev

@fdwl

[email protected]