Federated Identity and SSO Using Layer 7


8/12/2019 Federated Identity and SSO Using Layer 7

Layer 7 Technologies

White Paper

Federated Identity & Single Sign-On Using Layer 7 Federation for Websites, Web services, APIs and the Cloud


Federated Identity and Single Sign-On (SSO) Using Layer 7

Copyright 2012 by Layer 7 Technologies, Inc. (www.layer7.com)

Contents

Why do I Need to Federate Identity? ... 3
Is Federation the Same as Single Sign-On (SSO)? ... 3
What Standards Address Federated Identity & SSO? ... 4
How Does Layer 7 Help Me to Federate SOAP Web Services? ... 4
    SecureSpan STS ... 5
    SecureSpan Gateways for Service Protection ... 7
    XML VPN Client for Federating Client Applications ... 8
Can Layer 7 Help Me Federate APIs? ... 9
Can You Describe the Layer 7 Drop-in Federation Solution? ... 10
How Do I Use Layer 7 to Provide Single Sign-On to My Web Sites? ... 11
Why Should I Use Layer 7 for Attribute-Based Access Control? ... 12
How Can Layer 7 Federate Existing LDAP or IAM Systems with Cloud-Based SaaS Services Like Salesforce.com & Google Docs? ... 12
How Does OAuth Relate to Federation & SSO? ... 13
About Layer 7 Technologies ... 15
Contact Layer 7 Technologies ... 15
Legal Information ... 15


Why do I Need to Federate Identity?

You need a federated identity solution if you have any of the following problems:

Your organization has different divisions or branch offices that have their own directories, and remote users need access to central IT resources.

You have users with multiple passwords or other credentials that need to be mapped across applications.

Your organization is merging with another that already has its own identity management system, and you need to provide new users with access to existing applications.

You need to provide internal users with Single Sign-On (SSO) services across various different Web applications.

You are developing a mobile device strategy and need to manage access from a wide variety of remote applications.

You need to provide local users with access to Cloud services such as Salesforce.com and Google Docs.

All these problems relate to different parts of federated identity. Layer 7 Technologies provides solutions that federate identity and provide SSO services for Web applications, Web services, APIs, mobile applications and the Cloud.

Is Federation the Same as Single Sign-On (SSO)?

It is a common misconception that federation and SSO are simply different names for the same practice. While there is certainly overlap between the terms, SSO should be considered a subset of the larger category of identity federation.

Identity federation addresses the problem of how to integrate separate identity silos. Identity silos (or islands) are a very common occurrence in organizations. They occur when new applications introduce their own identity stores, such as directories or identity databases, instead of leveraging a centralized identity management system. They will also commonly occur during a merger or acquisition, where entrenched practices and technologies may make it difficult to merge existing identity stores into a single unified, authoritative source.

The problem of siloed identity also extends beyond the boundaries of the enterprise. As partnerships and supply chains become increasingly interconnected, the need arises to manage applications and users that are not under the direct control of any centralized authority but instead exist in autonomous security domains. Such inter-company connections are particularly difficult to manage because identity in both organizations may be changing continuously as people come and go, with no coordination between business partners.


Federated identity management is about the process and technology behind managing siloed identity. It describes the policies and procedures that govern access to applications and data from entities residing in another distinct security domain. This includes the overall management of trust relationships, access control strategies, identity mapping mechanics, policies and common protocols.

SSO is a subset of federation that deals specifically with reusing a single identity to authenticate across multiple domains. Federation is largely about architectural concepts, process and procedures. SSO, in contrast, is more concerned with technological approaches to solving the problem of individual users having to manage different identities for different applications.

What Standards Address Federated Identity & SSO?

There are a number of standards associated with federated identity management and SSO. One of the most important is the Security Assertion Markup Language, or SAML for short. SAML provides a cryptographically secure mechanism for communicating acts of authentication, entitlements and attributes between security domains. It defines both the protocol and the process to enact SSO across domains and to implement components of an overall federation strategy.

SAML includes profiles for both browser-based (passive) and service/API-based (active) communication scenarios. The passive profile, in particular, is the basis of most Cloud-based SSO solutions, such as those offered by leading SaaS vendors Salesforce.com and Google Docs. It is also the most common SSO solution deployed within the enterprise.

The active profiles are augmented by additional standards such as WS-Trust and WS-Federation. The WS-Trust standard defines a SOAP-based protocol for token interaction with a Security Token Service (STS), which can include validation and exchange of tokens, as well as trust brokerage between parties. For example, it describes how to exchange local credentials in return for issuance of a SAML token. WS-Federation builds on WS-Trust, defining typical federation scenarios and solutions for identity mapping, augmentation, token management etc. It covers both active and passive profiles.

How Does Layer 7 Help Me to Federate SOAP Web Services?

Layer 7 provides infrastructure that allows organizations to federate their Web services simply and easily, with no changes to code. Layer 7 provides federation solutions as deployment patterns of existing product lines, rather than single-purpose solutions. This has the advantage that the technology can also be applied to address general Web services security and management challenges.


Figure 1: Layer 7's SecureSpan line covers all aspects of federation and SSO, using general Gateway solutions. Each component can work independently, with other vendor components or with other Layer 7 components.

Layer 7's SecureSpan Gateway product line can be deployed to provide Security Token Services for a range of clients and to provide federated access control for individual services. Layer 7 also offers client-side federation support using its XML VPN Client product. Each of these deployment patterns is outlined below.

SecureSpan STS

The STS is the foundation infrastructure component of any federation or SSO strategy. It provides the ability to validate tokens or exchange tokens from one form to another (e.g. the exchange of username and password for a SAML token).

Any Layer 7 SecureSpan Gateway can be deployed as a WS-Trust compliant STS. The Gateway provides both a native WS-Trust endpoint for drop-in federation solutions (described below) and a WS-Trust policy template that can easily be customized to meet any local integration challenges that a customer may be faced with.

The SecureSpan Gateway STS can be used for local SSO in the enterprise and to support federation scenarios between different organizations. Layer 7's CloudSpan CloudConnect product (described in detail below) is an STS deployment for connecting to Cloud SaaS applications such as Salesforce.com or Google Docs.


Figure 2: Layer 7's SecureSpan line supports the most common enterprise federation and SSO scenarios.

This solution is able to leverage SecureSpan's existing identity provider framework. This offers direct connection into most directory and Identity and Access Management (IAM) products, including:

Generic LDAP
Generic database
Microsoft Active Directory
Tivoli Access Manager
Oracle Access Manager
OpenSSO
CA/Netegrity SiteMinder
RSA ClearTrust

These connectors allow organizations to preserve investments and leverage expertise in existing IAM infrastructure, extending it into the SSO space. The SecureSpan STS deployment acts as a minimally intrusive layer over an organization's identity stores and can leverage existing groups, roles and access control rule sets. This is a far more cost-effective and flexible solution than vendor-specific STS add-ons, which are typically very expensive and limited in the federation scenarios they support.

Layer 7's template-driven approach to providing STS means token exchange can be entirely customized to meet an organization's federation challenges. The WS-Trust templates constitute a script that validates identity, interacts with identity stores and generates return tokens. It works out of the box for common federation and SSO scenarios but can easily be augmented to meet the most demanding specialized requirements.

This template-based approach promotes customized identity mapping functions within the context of a WS-Trust transaction. For example, formulaic mappings, such as string transformations of names, can easily be integrated within the policy and used as input into generated SAML assertions. This is invaluable for federation challenges where naming conventions differ between security domains and need to be reconciled at runtime.

SecureSpan Gateways also have full access to directory attributes associated with identities. This allows custom tokens to be constructed with authoritative attribute declarations, an essential feature in Attribute-Based Access Control (ABAC) regimes.
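As an added example (not Layer 7 code and not taken from this paper), the STS flow described above in miniature: a local username/password is validated against a constructed identity store, the name is mapped with a formulaic string transformation, directory attributes are placed in a signed assertion, and the relying party checks issuer trust, signature, audience and validity window before an ABAC rule decides on the asserted attributes. The identity store, issuer name, shared signing key and ABAC rule are constructed assumptions, and an HMAC over canonical JSON stands in for the XML signature a real SAML assertion carries.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample identity store standing in for a directory/IAM product.
# Passwords are held as salted SHA-256 digests (a hypothetical scheme for the example).
def _pw_digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

IDENTITY_STORE = {
    "CORP\\jsmith": {"salt": "s1", "pw": _pw_digest("s1", "correct horse"),
                     "department": "finance", "role": "analyst"},
    "CORP\\adoe":   {"salt": "s2", "pw": _pw_digest("s2", "battery staple"),
                     "department": "sales", "role": "rep"},
}

# Formulaic identity mapping: the partner domain names users as e-mail addresses,
# so the local "CORP\jsmith" becomes "jsmith@example.org" at issue time.
def map_name(local_name: str) -> str:
    return local_name.split("\\", 1)[-1].lower() + "@example.org"

ISSUER = "urn:sts:example.org"                  # hypothetical issuer name
ISSUER_KEY = b"constructed-sts-signing-secret"  # stands in for the STS signing key
TRUSTED_ISSUERS = {ISSUER: ISSUER_KEY}          # the relying party's trust list

def _sign(body: bytes, key: bytes) -> str:
    # HMAC-SHA256 over the canonical body; a real STS would apply an XML signature.
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sts_issue(username: str, password: str, audience: str, lifetime: float = 300.0, now=None) -> str:
    """WS-Trust style exchange: local username/password in, signed attribute token out."""
    entry = IDENTITY_STORE.get(username)
    if entry is None or not hmac.compare_digest(entry["pw"], _pw_digest(entry["salt"], password)):
        raise PermissionError("authentication failed")
    now = time.time() if now is None else now
    assertion = {"issuer": ISSUER, "subject": map_name(username), "audience": audience,
                 "not_before": now, "not_on_or_after": now + lifetime,
                 "attributes": {"department": entry["department"], "role": entry["role"]}}
    body = json.dumps(assertion, sort_keys=True).encode()
    return base64.b64encode(body).decode() + "." + _sign(body, ISSUER_KEY)

def validate_token(token: str, expected_audience: str, now=None) -> dict:
    """Relying-party checks: trusted issuer, signature, audience and validity window."""
    body_b64, sig = token.rsplit(".", 1)
    body = base64.b64decode(body_b64)
    assertion = json.loads(body)
    key = TRUSTED_ISSUERS.get(assertion.get("issuer"))  # pick the key by claimed issuer...
    if key is None:
        raise PermissionError("untrusted issuer")
    if not hmac.compare_digest(sig, _sign(body, key)):  # ...then prove the claim by signature
        raise PermissionError("bad signature")
    if assertion.get("audience") != expected_audience:
        raise PermissionError("audience mismatch")
    now = time.time() if now is None else now
    if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
        raise PermissionError("token outside validity window")
    return assertion

# ABAC: authorize on the attributes the STS asserted, not on the subject name.
ABAC_RULES = {
    "/reports/quarterly": lambda a: a["department"] == "finance" and a["role"] in ("analyst", "manager"),
}

def abac_allow(assertion: dict, resource: str) -> bool:
    rule = ABAC_RULES.get(resource)
    return bool(rule and rule(assertion["attributes"]))
```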


SecureSpan's WS-Trust policy can leverage the full range of potential incoming security tokens, including:

HTTP basic authentication
HTTP digest
SSL client-side certificate authentication
X.509 signatures in SOAP messages
SAML token in HTTP headers
SAML Token Profile in WS-Security
Kerberos (Windows Integrated Authentication)
Kerberos binding to SOAP messages

WS-Trust is not limited to SAML token issuance. The SecureSpan STS can alternatively return most of the credential types listed above, providing absolute flexibility in complex federation scenarios.

SecureSpan Gateways for Service Protection

SecureSpan Gateways can also be deployed in front of Web services servers to provide access control for federated services. This removes the complexity of token processing, administration of trust relationships and audit from the application and centralizes this for all services. This logical shift to a more declarative style of security management means that dedicated security administrators can assume responsibility for all application access control, ensuring that the security policy is consistent with corporate requirements.

Figure 3: SecureSpan Gateways deployed to federate and protect services and APIs.


Layer 7's policy-based access control system can accommodate most security token types. Also, it integrates with existing infrastructure such as directories and IAM. The internal STS capabilities of the Gateway can be leveraged for identity mapping functions or strict token validation.

SecureSpan Gateways additionally provide a rich trust management interface that simplifies management of federated partners. This features integral CRL and OCSP support, to ensure that the integrity of the web of trust is maintained. All cryptographic functions are FIPS compliant, and hardware Gateway instances feature available integration with leading Hardware Security Modules (HSMs) from Thales and SafeNet.

Gateways can also incorporate XACML access control rules directly into policy or communicate with remote XACML Policy Decision Points (PDPs) using the XACML protocol. Integration with other external PDPs is possible using SAMLP and WS-Trust protocols.

The Gateways feature very rich and configurable SAML token processing, allowing support for virtually any federation or SSO scenario. SAML tokens can be extracted from transport headers (such as HTTP) or isolated in SOAP messages under the WS-Security SAML token profile standard. The Gateways support both SAML bearer tokens protected with SSL and more sophisticated WS-Security based bindings for SAML, including holder-of-key and sender-vouches style tokens cryptographically bound into messages. Token evaluation is completely flexible, allowing simple access control based on trust relationship or adoption of more sophisticated methods such as ABAC using SAML attribute assertions.

Finally, all other aspects of security supported by SecureSpan Gateways are available to ensure that services are fully protected in one place. This includes features such as message content validation, automated threat detection, audit, transformation, throttling, traffic shaping and content- or state-based routing.

XML VPN Client for Federating Client Applications

Layer 7's XML VPN Client is a small-footprint, client-side application that helps to rapidly onboard clients in Web services federation scenarios. This eliminates the burden of implementing federation and SSO functions in code, thus ensuring that federation is done right the first time.

The XML VPN Client interacts with a remote SecureSpan Gateway to load the most up-to-date policy in effect. It then automatically coordinates SAML security token acquisition with a local STS, buffering the token for all transactions across the token's lifetime and automatically inserting it into transactions destined for a remote service.


Figure 4: The SecureSpan XML VPN Client can federate client applications without requiring any changes to code.

The XML VPN Client integrates with a local STS using the standards-based WS-Trust protocol. It can integrate with either a SecureSpan-based STS or a third-party STS such as Microsoft's ADFS.

The XML VPN Client solution is particularly well suited to federating branch office applications and to rapidly federating applications during organizational mergers and acquisitions.
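The token buffering that the XML VPN Client section describes, as an added illustration that is not Layer 7's code: the client obtains a token from an injected STS call, reuses it for every request across the token's lifetime, renews it shortly before expiry, and inserts it as a SAML-in-HTTP-header credential. The acquire_token callable, the renewal margin and the request shape are assumptions made for this example.

```python
import time
from typing import Callable, Tuple


class FederatingClient:
    """Client-side token handling in the style of the XML VPN Client (constructed example)."""

    def __init__(self, acquire_token: Callable[[], Tuple[str, float]],
                 renew_margin: float = 30.0, clock: Callable[[], float] = time.time):
        # acquire_token is a hypothetical WS-Trust call to the local STS returning
        # (token, not_on_or_after). renew_margin renews a little early, so a token is
        # never presented right at expiry where clock skew would get it rejected.
        self._acquire_token = acquire_token
        self._renew_margin = renew_margin
        self._clock = clock
        self._token = None
        self._not_on_or_after = 0.0
        self.sts_calls = 0

    def current_token(self) -> str:
        """Return the buffered token, re-acquiring only when missing or about to expire."""
        if self._token is None or self._clock() >= self._not_on_or_after - self._renew_margin:
            self._token, self._not_on_or_after = self._acquire_token()
            self.sts_calls += 1
        return self._token

    def send(self, request: dict) -> dict:
        """Insert the token into a copy of an outgoing request as a SAML HTTP header credential."""
        out = dict(request)
        out["headers"] = dict(request.get("headers", {}))
        out["headers"]["Authorization"] = "SAML " + self.current_token()
        return out


def demo() -> Tuple[int, int]:
    """Drive the client with a fake clock. Returns the STS call count after three
    requests inside the token lifetime and after a fourth past the renewal point."""
    state = {"now": 1000.0, "issued": 0}

    def acquire():  # constructed STS stand-in: 300 s token lifetime
        state["issued"] += 1
        return f"constructed-token-{state['issued']}", state["now"] + 300.0

    client = FederatingClient(acquire, renew_margin=30.0, clock=lambda: state["now"])
    for _ in range(3):
        client.send({"method": "POST", "url": "https://partner.example.org/svc"})
        state["now"] += 60.0
    early = client.sts_calls
    state["now"] = 1000.0 + 280.0  # within 30 s of expiry: the client must renew here
    client.send({"method": "POST", "url": "https://partner.example.org/svc"})
    return early, client.sts_calls
```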

Can Layer 7 Help Me Federate APIs?

The emerging API paradigm is based on RESTful design, JSON data structures and OAuth security tokens. Layer 7 Gateways have always supported REST-style messaging. The policy language treats JSON as a first-class citizen beside XML. The OAuth toolkit provides rich OAuth integration capabilities [1]. SecureSpan's SAML capabilities are entirely applicable to SAML bearer tokens carried as transport payload. This allows sophisticated federation models, including access control paradigms such as ABAC, to be applied to APIs, not just SOAP endpoints.

[1] OAuth support in Layer 7 SecureSpan Gateways is described in a dedicated white paper.


This is depicted in the figure below:

Figure 6: Drop-in federation for Web services, using Layer 7.

This solution is particularly well suited to branch deployments, where a central authority needs to drive rapid federation of applications using local user stores.

How do I Use Layer 7 to Provide SSO to My Web Sites?

Layer 7 can provide Security Token Services that allow browser-based clients to perform SSO with internal or partner Web applications. This deployment pattern for SecureSpan Gateways is described above. It makes use of standards-based SAML profiles to allow a single credential to be used once in order to access any number of local Web sites.

The Web applications must be configured to locally perform access control based on standard SAML SSO profiles. Most modern Web application servers can easily be configured to consume SAML tokens and enforce trust relationships.


Figure 8: Administrators have full access to SaaS SSO templates, allowing simple customization to accommodate local security directives.

How Does OAuth Relate to Federation & SSO?

OAuth is primarily a means of authentication and limited, delegated federation, rather than a full-blown federation or SSO model. It was developed as a solution to the password anti-pattern, a bad practice that multi-site Web applications sometimes resorted to as a means of lightweight, user-driven federation.

OAuth allows a user who has separate accounts on two sites to effectively federate these for certain functions. For example, a user of Twitter might want to post tweets on his or her Facebook wall (thus federating the accounts). OAuth provides a means to do this without forcing the user to share credentials between sites.

There are interesting overlaps between what can be accomplished with SAML and what can be done with the emerging OAuth specifications (particularly the OAuth 2.0 spec). These are beyond the scope of this white paper. At present, OAuth is mainly finding application in user-delegated account federation on Web sites, with an emphasis on social networking sites (largely because of the developer culture at these organizations). In these cases, OAuth is used as the security token in API calls.

SAML appears more commonly in enterprise or Cloud-based SaaS applications. There are some interesting emerging approaches for exchanging SAML tokens acquired using a browser-based profile for OAuth tokens that can be used by APIs running within the context of a browser user agent. Layer 7 has policy templates available that implement some of these scenarios. However, this is presently very much a moving target with little standardization between implementations.

Layer 7 provides an OAuth Toolkit, consisting of several policy assertions that constitute the building blocks of OAuth applications. The Toolkit also includes policy templates that leverage these assertions to provide basic OAuth functions such as distributed authorization services, user access management and API access control.


Figure 9: Layer 7 Gateways deployed as an OAuth Authorization Server (AS) and protecting a Resource Server (RS).


About Layer 7 Technologies

Layer 7 Technologies helps enterprises secure and govern interactions between their organizations and the services they use in the Cloud, across the Internet and out to mobile devices. Through its award-winning line of SOA Gateways, Cloud Brokers and API Proxies, Layer 7 gives enterprises the ability to control identity, data security, SLA and visibility requirements for sharing application data and functionality across organizational boundaries. With more than 150 customers spanning six continents, Layer 7 supports the most demanding commercial and government organizations. Layer 7 solutions are FIPS compliant, STIG vulnerability tested and have met Common Criteria EAL4+ security assurance.

Contact Layer 7 Technologies

Layer 7 Technologies welcomes your questions, comments and general feedback.

Email: [email protected]
Web Site: www.layer7.com
Phone: (+1) 604 681 9377
1 800 681 9377 (toll free within North America)
Fax: 604 681 9387
Address: Layer 7 Technologies
Suite 405
1100 Melville Street
Vancouver, BC V6E 4A6
Canada

Legal Information

Copyright 2012 by Layer 7 Technologies, Inc. (www.layer7.com). Contents confidential. All rights reserved. SecureSpan and CloudSpan are registered trademarks of Layer 7 Technologies, Inc. All other mentioned trade names and/or trademarks are the property of their respective owners.