Federated Identity with Ping Federate

February 7th, 2007
ASR Final Project

Eunice Mondésir
Pierre Weill-Tessier

Project Supervisor: M. Maknavicius-Laurent
ASR Coordinator: G. Bernard
Agenda
1. Introduction
2. Federated Identity concepts
3. Presentation of Ping Federate server
4. Platform implementation
5. Demonstrations
6. Conclusion
Introduction

Federated Identity Concepts
Federated Identity concepts
1. Why Federated Identity?
2. What is Federated Identity?
3. Participants of a Circle of Trust
4. Single Sign On and Single Log Out
5. The SAML language
Federated Identity Concepts
1. Why federated identity?
• Multiple authentication parameters for the user to manage
• Heterogeneous authentication and access control methods
• No control over how personal information is exposed
• Need for easier and faster access to services
Federated Identity Concepts
2. What is federated identity?
• A set of agreements, standards and technologies
• Trust relationships between organizations
• Integrity and privacy preserved
• Independence of the organizations
Federated Identity Concepts
3. Circle of Trust (CoT) participants
• Service Provider (SP):
  - Provides one or more services within a federation
  - Enforces its own access control policy
• Identity Provider (IdP):
  - Creates, maintains and manages identity information
  - The user must authenticate at an IdP recognized by the SP
Federated Identity Concepts
3. Circle of Trust (CoT) participants
• Circle of trust:
  - Federation of IdPs and SPs
  - Business relationships
  - Operational agreements
  - Secured communication channels
  - Seamless environment
[Figure: a CoT drawn as one IdP surrounded by several SPs]
Federated Identity Concepts
4. SSO and SLO
• Liberty Alliance
• Single Sign On (SSO):
  - Sign on once at a site (single account)
  - Seamlessly signed on at the other sites
  - No extra authentication
  - SPs both within and across circles of trust
• Single Log Out (SLO):
  - Synchronized session logout
  - All sessions authenticated by an IdP are closed
Federated Identity Concepts
5. SAML (Security Assertion Markup Language)
• XML standard developed by OASIS
• Exchange of authentication and authorization data between security domains (IdP and SP)
• SSO solution beyond the intranet
• Exchange of assertions between IdP and SP
Presentation of Ping Federate

Presentation of Ping Federate server
1. How does Ping Federate work?
2. Communication tools of Ping Federate
Presentation of Ping Federate server
1. How does Ping Federate work?
• Server that passes identities between CoTs
• Distinction between two roles: IdP and SP
  - Both roles can be combined on the same server
• Ping Federate does not interfere with local usage of the application
Presentation of Ping Federate server
2. Communication tools in the PF server
• Different environments (application or IdM, PF server, partner): how do they communicate?
• Ping Federate provides Integration Toolkits
[Figure: the application or IdM, written in programming language X, talks to the PF server through an agent or adapter; the PF server carries the identity in its own PF token locally and in SAML towards the partner]

Platform Implementation
Platform Implementation
1. Needs
2. LDAP
3. Postfix
4. Tomcat
5. Ping Federate server
Platform Implementation
1. Needs
• Applications often interact with a database for authentication
• The Ping Federate server asks for the parameters of a mail server to send notification mail
• Ping Federate's sample application runs on the Tomcat application server
Platform Implementation
2. LDAP
• Why this protocol?
  - LDAP adapter proposed by PF
  - Authentication at the IdP via a pop-up window
• Our configuration:
  - Server: OpenLDAP
  - Client: LDAPBrowser, to check our entries
  - Simple tree: root + inetOrgPerson class instances
Platform Implementation
2. LDAP
• Example of LDAP tree:
  dn: o=INT,c=FR
  dn: cn=Eunice, o=INT, c=FR
  dn: cn=Pierre, o=INT, c=FR
• Attributes we used:
  - cn, sn
  - mail, userPassword
  - title
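As an added example (not part of the project's own files), here is how the tree above can be loaded into OpenLDAP as LDIF, and how slapd checks a userPassword on simple bind. The point a practitioner would want at this slide: userPassword must be stored as a salted hash ({SSHA} is OpenLDAP's usual scheme), never in clear, because the LDAP adapter verifies every user's password against this attribute and anyone able to read the directory would otherwise hold every credential. Mail addresses, passwords, salts and the rootdn in the comment are constructed.

```python
"""Load the directory tree above as LDIF, with userPassword stored as an
OpenLDAP {SSHA} hash, and check a password the way slapd does on simple bind.
Added example: sample users, mail addresses, passwords and salts are constructed."""
import base64
import hashlib
import hmac
import os

BASE_DN = "o=INT,c=FR"


def make_ssha(password, salt=None):
    """OpenLDAP {SSHA}: base64( SHA-1(password || salt) || salt ); slappasswd uses a 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored, password):
    """True if password matches a {SSHA} userPassword value; cleartext or malformed values are refused."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):])
    except ValueError:                          # binascii.Error is a ValueError
        return False
    digest, salt = raw[:20], raw[20:]           # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def ldif_attr(name, value):
    """LDIF: values that are not safe ASCII (or start with space, ':' or '<') go base64 after '::'."""
    if value.isascii() and not value.startswith((" ", ":", "<")):
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def person_ldif(cn, sn, mail, title, password, salt=None):
    """One inetOrgPerson entry under o=INT,c=FR carrying the attributes the IdP adapter reads."""
    lines = [
        "dn: cn=%s,%s" % (cn, BASE_DN),
        "objectClass: inetOrgPerson",
        ldif_attr("cn", cn),
        ldif_attr("sn", sn),
        ldif_attr("mail", mail),
        ldif_attr("title", title),
        ldif_attr("userPassword", make_ssha(password, salt)),
    ]
    return "\n".join(lines) + "\n"


def build_tree(users):
    """LDIF for the whole tree: the organization entry first, then one entry per user."""
    root = "dn: %s\nobjectClass: organization\no: INT\n" % BASE_DN
    return "\n".join([root] + [person_ldif(**u) for u in users])


# Constructed sample data; not the project's real accounts or passwords.
SAMPLE_USERS = [
    {"cn": "Eunice", "sn": "Mondésir", "mail": "eunice@example.org",
     "title": "student", "password": "correct horse battery"},
    {"cn": "Pierre", "sn": "Weill-Tessier", "mail": "pierre@example.org",
     "title": "student", "password": "staple"},
]

if __name__ == "__main__":
    # Assumed rootdn; load with: ldapadd -x -D "cn=admin,o=INT,c=FR" -W -f tree.ldif
    print(build_tree(SAMPLE_USERS))
```

A directory browsed with LDAPBrowser will show the userPassword values as `{SSHA}...` strings once loaded this way; if it shows the passwords themselves, the entries were added in clear and the adapter's bind still works, which is exactly why the problem is easy to miss.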
Platform Implementation
3. Postfix
• Why?
  - Mail server running on a Linux OS
  - "Lighter" configuration than Sendmail
• No database associated: only one user!
  - [email protected]
  - [email protected] is a "fake" address used for the notification only.
• IMAP server to retrieve the delivered mail
Platform Implementation
4. Tomcat
• Why?
  - Application server required to test the samples
  - Multi-technology server (JSP, HTML)
• Identification tools:
  - Authentication based on both role and login
  - Default configuration
  - LDAP-using configuration → JNDI
Platform Implementation
4. Tomcat
• Key configuration files:
  - server.xml: defines the connection to the user database (the realm)
  - web.xml: defines the security constraints
Platform Implementation
5. Ping Federate
• Standalone web administration console
  - https://cubitus.int-evry.fr:9999/pingfederate/app
  - Support of multi-account administration
  - Modifiable role selection (IdP, SP or both)
• Ease of management:
  - Server configuration
  - Partner configuration
Platform Implementation
5. Ping Federate
• Server settings
  - Local settings:
    - Base URL: where the server is reached
    - Federation Info: choice of technologies
    - Entity ID / realm: the alias by which this server is known outside Ping Federate
    - IdP/SP events: systematic redirections
Platform Implementation
5. Ping Federate
• Server settings
  - Local settings
  - IdP/SP adapters management
  - Data store management
  - Metadata export
Platform Implementation
5. Ping Federate
• Partner settings: connections
  - IdP connections = we are the SP
  - SP connections = we are the IdP
  - Set up according to the partners' configuration: each CoT defines its policy independently
  - SP affiliations = federation of two or more partners
Demonstrations

Test Platform implementation
1. Before Ping Federate servers
2. Simplification
3. Ping Federate servers setting-up
4. IdP initiated SSO with ITAM
5. SP initiated SSO with ITAM
6. SP initiated SSO with LDAP adapter
1. Before Ping Federate servers
• Connection to INT services from within INT
• Connection to INT services from outside INT
• Connection to ITAM services, from within INT or from outside INT: not possible
[Figure: two separate circles of trust, INT CoT (IdM + services S1, S2, S3) and ITAM CoT (IdM + services S1, S2, S3), with no link between them]
2. Simplification
• All applications hosted by the Tomcat server
• Authentication files serving as the database
[Figure: the same two CoTs, each reduced to its IdM and a single service S1]
3. PF servers setting up
• For INT CoT: only one PF server, cubitus, acting as both IdP and SP
• For ITAM CoT: two PF servers, one IdP and one SP (hosts oberon and titania)
[Figure: INT CoT: IdM, the PF server (IdP & SP) on cubitus, service S1. ITAM CoT: IdM, a PF IdP server, a PF SP server in front of S1]
4. IdP initiated SSO with ITAM
• Sarah signs on at the INT IdP (cubitus), which sends a SAML 2.0 assertion to the ITAM SP
• Sarah is connected to S1 without having gone through the ITAM IdM
[Figure: INT CoT (IdM, IdP on cubitus, SSO starts here) → SAML 2.0 → ITAM CoT (IdP, IdM, SP in front of S1; hosts oberon and titania)]
5. SP initiated SSO with ITAM
• Bob requests the ITAM service S1; SSO starts at the ITAM SP, which sends him to the INT IdP (cubitus) to authenticate
• The INT IdP returns a SAML 2.0 assertion to the ITAM SP, which opens Bob's session on S1
[Figure: INT CoT (IdP, IdM, cubitus) ⇄ SAML 2.0 ⇄ ITAM CoT (IdP, IdM, SP in front of S1, SSO starts at the SP; hosts oberon and titania)]
6. SP initiated SSO with LDAP adapter
• Same SP-initiated flow for Sam, but the INT IdP uses the LDAP adapter instead of the standard adapter
• The INT IdP interacts with the LDAP directory via a pop-up window
[Figure: INT CoT (IdP on cubitus with the LDAP adapter bound to the LDAP directory, IdM) ⇄ SAML 2.0 ⇄ ITAM CoT (IdP, IdM, SP in front of S1, SSO starts at the SP; hosts oberon and titania)]
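As an added example serving the SAML slide and demonstrations 4 to 6 (not Ping Federate's code), here are the checks the SP in front of S1 has to apply to a SAML 2.0 Response before opening Sarah's or Bob's session, in Python. It isolates the one thing that differs between the IdP-initiated and the SP-initiated demonstrations: an unsolicited response must carry no InResponseTo, while in the SP-initiated flow it must name the AuthnRequest the SP itself issued. Signature verification of the Assertion against the partner's metadata certificate is a separate, mandatory step that is not implemented here; the entity IDs (int-idp, itam-sp), the ACS URL on oberon, the user names and all timestamps are assumed.

```python
"""SP-side validation of a SAML 2.0 Response for both SSO flows shown above.
Added example, not Ping Federate code.  Verify the XML-DSig on the Assertion
first; these are the checks that come after it.  Entity IDs, ACS URL, user
names and timestamps are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
INT_IDP = "int-idp"    # assumed entity ID of the INT IdP on cubitus
ITAM_SP = "itam-sp"    # assumed entity ID of the ITAM SP in front of S1
ACS = "https://oberon.int-evry.fr:9031/sp/ACS.saml2"   # assumed SP endpoint


class SamlRejected(Exception):
    """Raised for any response the SP must not turn into a session."""


def parse_utc(s):
    """SAML dateTime values are UTC, e.g. 2007-02-07T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(issuer, audience, name_id, not_before, not_on_or_after,
                   in_response_to=None):
    """Constructed, unsigned Response as an IdP would POST it to the ACS."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return (
        '<samlp:Response xmlns:samlp="%(p)s" xmlns:saml="%(a)s" ID="_resp1" Version="2.0" '
        'IssueInstant="%(nb)s" Destination="%(acs)s"%(irt)s>'
        '<saml:Issuer>%(iss)s</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="%(ok)s"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="%(nb)s">'
        '<saml:Issuer>%(iss)s</saml:Issuer>'
        '<saml:Subject><saml:NameID>%(nid)s</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="%(nb)s" NotOnOrAfter="%(na)s">'
        '<saml:AudienceRestriction><saml:Audience>%(aud)s</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '<saml:AuthnStatement AuthnInstant="%(nb)s"><saml:AuthnContext>'
        '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
        '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
        '</saml:Assertion></samlp:Response>'
        % dict(p=NS["samlp"], a=NS["saml"], nb=not_before, na=not_on_or_after, acs=ACS,
               irt=irt, iss=issuer, ok=SUCCESS, nid=name_id, aud=audience))


def validate_response(xml_text, now, expected_in_response_to=None,
                      expected_issuer=INT_IDP, expected_audience=ITAM_SP,
                      skew=timedelta(seconds=60)):
    """Return the NameID to log in, or raise SamlRejected.

    expected_in_response_to is the ID of the AuthnRequest this SP sent
    (SP-initiated SSO), or None on the endpoint that accepts unsolicited,
    IdP-initiated responses.  A response answering a request we never sent
    is a replay or a cross-site login attempt and must be refused."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlRejected("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlRejected("IdP did not report Success")
    if root.get("Destination") not in (None, ACS):
        raise SamlRejected("response was meant for another endpoint")
    irt = root.get("InResponseTo")
    if irt != expected_in_response_to:
        raise SamlRejected("InResponseTo %r, expected %r" % (irt, expected_in_response_to))
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlRejected("expected exactly one Assertion, got %d" % len(assertions))
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise SamlRejected("assertion not issued by the partner IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlRejected("assertion carries no Conditions")
    if "NotBefore" in cond.attrib and now + skew < parse_utc(cond.get("NotBefore")):
        raise SamlRejected("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now - skew >= parse_utc(cond.get("NotOnOrAfter")):
        raise SamlRejected("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise SamlRejected("assertion addressed to %r, not to this SP" % audiences)
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlRejected("no NameID in Subject")
    return name_id


def demo():
    """Sarah's IdP-initiated login and Bob's SP-initiated login, both accepted."""
    now = parse_utc("2007-02-07T10:02:00Z")
    sarah = build_response(INT_IDP, ITAM_SP, "sarah",
                           "2007-02-07T10:00:00Z", "2007-02-07T10:05:00Z")
    bob = build_response(INT_IDP, ITAM_SP, "bob",
                         "2007-02-07T10:00:00Z", "2007-02-07T10:05:00Z",
                         in_response_to="_req42")
    return validate_response(sarah, now), validate_response(bob, now, "_req42")
```

The audience check is what keeps the two circles of trust apart: an assertion the INT IdP minted for another SP in the federation must not open a session on the ITAM S1 even though its signature is perfectly valid. The 60-second skew is the usual tolerance for clocks that are not synchronized between cubitus and the ITAM hosts; make it larger and replayed assertions live longer.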
Conclusion

Conclusion
• What remains to do?
  - Adapt INTest with Ping Federate (token)
  - Test multi-partner federation
  - Perform tests on security and privacy
• Other solutions?
  - Microsoft CardSpace (.NET)
  - WS-Federation
  - Servers (Sun One Identity Server, IBM Tivoli, Microsoft ADFS…)

Thanks for your attention
Questions?