Web Single-Sign-On with Novell iChain and Novell Access Manager E. Axel Larsson ([email protected])...
-
date post
18-Dec-2015 -
Category
Documents
-
view
214 -
download
0
Transcript of Web Single-Sign-On with Novell iChain and Novell Access Manager E. Axel Larsson ([email protected])...
Web Single-Sign-On with Novell iChain and Novell Access Manager
E. Axel Larsson ([email protected])Enterprise Integration SpecialistDrew UniversityTTP Summer Conference 2007
Agenda
iChain and Access Manager fundamentals What are iChain and Access Manager How does web-SSO relate to IDM Networking Considerations Access Control, Form-Fill, and Identity Injection
Troubleshooting Tools and Tips Advanced Functionality
A few SSSO-enabled apps at Drew Ad-Astra Portal Adobe Connect
(Macromedia Breeze) Aptron CampusWeb Blackboard 6 Ektron Content
Management EZProxy
GWGuardian Web Quarantine
GroupWise WebAccess GroupWise Mobile NetStorage SIRSI Web2 Library
Web Catalog SupportWorks
Helpdesk Self-Service vBulletin Forums
Fundamentals
What is iChain? What is Access Manager? Networking Considerations Access Control Policies Basic Form-Fill Basic Identity Injection (OLAC)
What is iChain?
Reverse proxy based SSO soft-appliance Sits in front of web servers Authenticates clients and applies access control policies Authenticates clients to backend web servers on the behalf
of users. Two principle facilities for providing single-sign-on
Form-Fill OLAC - Object Level Access Control (now called Identity
Injection in AM3) Non-invasive integration
What does Access Manager add? Unified administration console
iManager-based Manage configuration for proxy appliances, identity
servers, policies, etc. from one place Identity Server Federation
SAML 1.1, SAML 2, and Liberty Alliance SSL VPN J2EE Agents Access Gateway appliance is the direct replacement
for the iChain appliance
How does Web-SSO relate toIdentity Management? Enterprise Identity Management system
Sits in between applications and authoritative data sources.
Provisions security principals in backend directory services, applications’ local data stores
Based upon entitlements which correspond with organizational roles or established workflows.
Web Single-Sign-On system Sits in between users and web applications. Provides credentials or assertions to apps on behalf of
the user For user convenience and/or to enforce a security
policy.
Networking Considerations
AuthN/AuthZ for your web apps are delegated to the Access Gateway proxy Web servers trust injected identity information provided by
the Access Gateway Clients should not have direct access to backend web
servers. Web servers should be placed in a private network behind
the Access Gateway Fault tolerance for the Access Gateway will require
use of an L4 switch (load balancer) Collaboration with your networking team is
essential for a successful Web-SSO deployment!
At Drew
Load Balancer(Zeus ZXTM)
Web Server Web Server Web Server
iChain 1 iChain 2
Public Resource (I.e. www.drew.edu)
Post-iChain load balancer resource
Private Post-iChain VLANs
Authentication and Access Policies Protected resources defined by URL path:
i.e. www.drew.edu/secret-stuff/* iChain – three levels
Public – Allows anonymous access Restricted – Requires any authenticated user Secure – Uses ACLs (static or dynamic membership) to
determine access Access Manager adds
Identity server roles – Based upon a number of criteria. LDAP attributes, Liberty profile fields, client IP address, time of day, etc.
ACL policies for SSO applications Blanket approach
Protected resource for the entire site: i.e. webmail.drew.edu/*
Require auth for all access Surgical approach
Trust the application’s session management Application may offer differentiated content for anonymous
and authenticated users Only protected the login “endpoint” (either a page with a
login form, or basic auth) Example:
Spam.drew.edu/* -- Public Spam.drew.edu/Quarantine/login.aspx -- Restricted
The basics of Form Fill
Non-invasive integration method Fills out login forms on behalf of user
Done client-side, form HTML is substituted with JavaScript generated by the appliance
Form matching criteria URL Text on page
Form filling User’s login credentials LDAP attributes
Can pass embedded JavaScript back to client
Identity Injection (Called OLAC in iChain) Injects identity information into HTTP requests
HTTP Authorization header (HTTP Basic Auth) Arbitrary HTTP Headers or query string (GET parameters)
Useful for Applications that support basic auth Applications designed for SSO integration (look for header
based SSO in the docs) Home-grown apps designed only for deployment behind
the access gateway Protects against client request forgeries.
Appliance scrubs client HTTP requests of all headers used in an injection policy.
When things go wrong… Troubleshooting tools
Firefox Web-developer’s toolbar Tamper data extension
Interception proxy Burp Proxy – portswigger.net/proxy
Test scripts On the web server – to print out request variables and
compare with expected Traffic analysis
On the Access Gateway appliance (tcpdump or pktscan) to capture traffic
On the client – Wireshark
Cool value add: Path-based multi-homing Allows you to stitch together multiple
applications under a single URL namespace Example setup at Drew:
http://www.drew.edu/* An ASP.NET based content management system
running under IIS 6 on Windows Server 2003 http://www.drew.edu/admblog/*
A Drupal based blog running under Apache on a SLES 9 server
http://www.drew.edu/qfsearch/* The Novell QuickFinder engine running on NetWare