
Web Single-Sign-On with Novell iChain and Novell Access Manager

E. Axel Larsson ([email protected])

Enterprise Integration Specialist

Drew University

TTP Summer Conference 2007


Agenda

  • iChain and Access Manager fundamentals

    • What are iChain and Access Manager

    • How does web-SSO relate to IDM

    • Networking Considerations

    • Access Control, Form-Fill, and Identity Injection

  • Troubleshooting Tools and Tips

  • Advanced Functionality


A few SSO-enabled apps at Drew

  • Ad-Astra Portal

  • Adobe Connect (Macromedia Breeze)

  • Aptron CampusWeb

  • Blackboard 6

  • Ektron Content Management

  • EZProxy

  • GWGuardian Web Quarantine

  • GroupWise WebAccess

  • GroupWise Mobile

  • NetStorage

  • SIRSI Web2 Library Web Catalog

  • SupportWorks Helpdesk Self-Service

  • vBulletin Forums


Fundamentals

  • What is iChain? What is Access Manager?

  • Networking Considerations

  • Access Control Policies

  • Basic Form-Fill

  • Basic Identity Injection (OLAC)


What is iChain?

  • Reverse proxy based SSO soft-appliance

    • Sits in front of web servers

    • Authenticates clients and applies access control policies

    • Authenticates clients to backend web servers on behalf of users.

  • Two principal facilities for providing single-sign-on

    • Form-Fill

    • OLAC - Object Level Access Control (now called Identity Injection in AM3)

    • Non-invasive integration


What does Access Manager add?

  • Unified administration console

    • iManager-based

    • Manage configuration for proxy appliances, identity servers, policies, etc. from one place

  • Identity Server

  • Federation

    • SAML 1.1, SAML 2, and Liberty Alliance

  • SSL VPN

  • J2EE Agents

  • Access Gateway appliance is the direct replacement for the iChain appliance


How does Web-SSO relate to Identity Management?

  • Enterprise Identity Management system

    • Sits in between applications and authoritative data sources.

    • Provisions security principals in backend directory services and in applications’ local data stores

    • Based upon entitlements which correspond with organizational roles or established workflows.

  • Web Single-Sign-On system

    • Sits in between users and web applications.

    • Provides credentials or assertions to apps on behalf of the user

    • For user convenience and/or to enforce a security policy.


Networking Considerations

  • AuthN/AuthZ for your web apps are delegated to the Access Gateway proxy

    • Web servers trust injected identity information provided by the Access Gateway

    • Clients should not have direct access to backend web servers.

    • Web servers should be placed in a private network behind the Access Gateway

  • Fault tolerance for the Access Gateway will require use of an L4 switch (load balancer)

  • Collaboration with your networking team is essential for a successful Web-SSO deployment!
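The trust relationship in the three bullets above has a concrete consequence for the web server: it must only believe the injected identity when the request really came through the Access Gateway. The following is an added example, not code from the slides or from Novell: a minimal WSGI application that accepts the injected user only from the gateway's private VLAN and otherwise refuses the request. The header name (X-Remote-User), the gateway network (10.10.20.0/24) and the two sample requests are assumptions made for illustration.

```python
"""Backend-side guard for identity injection (added example).

A web server placed behind the Access Gateway should treat the injected
identity as authoritative only if the TCP peer is the gateway itself.
If the server were reachable directly, any client could set the header.
"""
from ipaddress import ip_address, ip_network

# Assumed: the gateway's injection policy puts the user's DN in this header.
IDENTITY_HEADER = "HTTP_X_REMOTE_USER"        # WSGI spelling of X-Remote-User
# Assumed: the private post-gateway VLAN the Access Gateway appliances sit on.
GATEWAY_NETWORKS = [ip_network("10.10.20.0/24")]


def from_gateway(remote_addr):
    """True if the TCP peer address belongs to one of the gateway networks."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in GATEWAY_NETWORKS)


def resolve_user(environ):
    """Return the injected identity, or None if it cannot be trusted.

    Anything not arriving from the gateway is treated as anonymous, whatever
    headers it carries; that is the whole point of the private VLAN.
    """
    if not from_gateway(environ.get("REMOTE_ADDR", "")):
        return None
    user = environ.get(IDENTITY_HEADER, "").strip()
    return user or None


def app(environ, start_response):
    """WSGI application: serves only requests that came via the gateway."""
    user = resolve_user(environ)
    if user is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"request did not come through the access gateway\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello %s\n" % user).encode()]


def handle(remote_addr, headers):
    """Run one constructed request through app(); return (status, body)."""
    environ = {"REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET",
               "PATH_INFO": "/"}
    environ.update(headers)
    result = {}

    def start_response(status, response_headers):
        result["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return result["status"], body


if __name__ == "__main__":
    # Constructed requests: one relayed by the gateway, one sent directly to
    # the web server by a client that forged the identity header.
    print(handle("10.10.20.5", {IDENTITY_HEADER: "cn=alarsson,ou=people,o=drew"}))
    print(handle("198.51.100.7", {IDENTITY_HEADER: "cn=admin,ou=people,o=drew"}))
```

The address check is only meaningful if the web servers really are unreachable from client networks, which is why the slide pairs "web servers trust injected identity" with "clients should not have direct access". If a load balancer sits between the gateway and the web server and rewrites the source address, REMOTE_ADDR will be the balancer, and the check must move to whatever the balancer preserves.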


At Drew

Network diagram from the slide, flattened:

  • Load Balancer (Zeus ZXTM) fronting the public resource (e.g. www.drew.edu)

  • iChain 1 and iChain 2 behind the load balancer

  • Post-iChain load balancer resource

  • Web Server, Web Server, Web Server on private post-iChain VLANs


Authentication and Access Policies

  • Protected resources defined by URL path:

    • e.g. www.drew.edu/secret-stuff/*

  • iChain – three levels

    • Public – Allows anonymous access

    • Restricted – Requires any authenticated user

    • Secure – Uses ACLs (static or dynamic membership) to determine access

  • Access Manager adds

    • Identity server roles – Based upon a number of criteria. LDAP attributes, Liberty profile fields, client IP address, time of day, etc.


ACL policies for SSO applications

  • Blanket approach

    • Protected resource for the entire site:

      • e.g. webmail.drew.edu/*

    • Require auth for all access

  • Surgical approach

    • Trust the application’s session management

      • Application may offer differentiated content for anonymous and authenticated users

    • Only protect the login “endpoint” (either a page with a login form, or basic auth)

    • Example:

      • spam.drew.edu/* -- Public

      • spam.drew.edu/Quarantine/login.aspx -- Restricted
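To make the two slides above concrete, here is an added example (not iChain's own policy engine) of a path-based protected-resource evaluator: it picks the longest matching resource for a request and applies the three iChain levels (Public, Restricted, Secure) to both the blanket webmail rule and the surgical quarantine rule. The resource table, the ACL group DN, the fail-closed default for undefined paths and the sample users are assumptions for illustration.

```python
"""Path-based protected resources with iChain's three levels (added example).

Resources are (host/path pattern, level, ACL groups). The most specific
pattern (longest) wins, which is what lets the surgical quarantine rule
override the site-wide Public rule for the login endpoint only.
"""
from fnmatch import fnmatchcase

PUBLIC, RESTRICTED, SECURE = "Public", "Restricted", "Secure"

# Assumed resource table modelled on the slides.
RESOURCES = [
    # blanket approach: everything on webmail requires an authenticated user
    ("webmail.drew.edu/*", RESTRICTED, None),
    # surgical approach: trust the quarantine app's own sessions, protect
    # only the login endpoint
    ("spam.drew.edu/*", PUBLIC, None),
    ("spam.drew.edu/Quarantine/login.aspx", RESTRICTED, None),
    ("www.drew.edu/*", PUBLIC, None),
    # Secure: ACL decides, here a (assumed) static group
    ("www.drew.edu/secret-stuff/*", SECURE, {"cn=staff,ou=groups,o=drew"}),
]


def find_resource(host, path):
    """Longest matching resource for host+path, or None.

    The query string is ignored and the comparison is case-folded, so
    /quarantine/LOGIN.aspx hits the same rule as /Quarantine/login.aspx.
    That matters when the backend (IIS here) resolves paths case-insensitively.
    """
    target = ("%s/%s" % (host, path.split("?", 1)[0].lstrip("/"))).lower()
    best = None
    for pattern, level, acl in RESOURCES:
        if fnmatchcase(target, pattern.lower()):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, level, acl)
    return best


def decide(host, path, user):
    """Return 'allow', 'login' (redirect to authenticate) or 'deny'.

    user is None for an anonymous client, otherwise a dict with the
    user's DN and the DNs of the groups the directory says it belongs to.
    """
    match = find_resource(host, path)
    if match is None:
        return "deny"      # example's choice: no resource defined, fail closed
    _, level, acl = match
    if level == PUBLIC:
        return "allow"
    if user is None:
        return "login"     # Restricted and Secure both need authentication
    if level == RESTRICTED:
        return "allow"     # any authenticated user
    return "allow" if acl & set(user["groups"]) else "deny"


if __name__ == "__main__":
    # Constructed users for the demonstration.
    student = {"dn": "cn=jdoe,ou=people,o=drew",
               "groups": ["cn=students,ou=groups,o=drew"]}
    staff = {"dn": "cn=alarsson,ou=people,o=drew",
             "groups": ["cn=staff,ou=groups,o=drew"]}
    for host, path, user in [
        ("www.drew.edu", "/index.html", None),
        ("webmail.drew.edu", "/", None),
        ("spam.drew.edu", "/Quarantine/inbox.aspx", None),
        ("spam.drew.edu", "/quarantine/LOGIN.aspx?ReturnUrl=%2f", None),
        ("www.drew.edu", "/secret-stuff/plan.doc", student),
        ("www.drew.edu", "/secret-stuff/plan.doc", staff),
    ]:
        print(host + path, "->", decide(host, path, user))
```

The surgical approach only works if the application's own session cookie, not the gateway, gates the rest of the site; the rule protects the act of logging in, nothing else. Whether the real gateway matches paths case-sensitively is a product setting to verify, since a case-insensitive backend behind a case-sensitive rule lets a differently-cased URL reach the login page without authenticating at the gateway.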


The basics of Form Fill

  • Non-invasive integration method

  • Fills out login forms on behalf of user

    • Done client-side, form HTML is substituted with JavaScript generated by the appliance

  • Form matching criteria

    • URL

    • Text on page

  • Form filling

    • User’s login credentials

    • LDAP attributes

  • Can pass embedded JavaScript back to client
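The slide describes form-fill only in outline; the following added example (not iChain's or Access Manager's own implementation) shows the mechanism end to end: the policy matches on URL and on text in the page, the login form is hidden and a generated script fills its fields from the user's session (credentials plus an LDAP attribute) and submits it. The policy, the GroupWise-style login page, the field names and the session are all constructed for illustration.

```python
"""Form-fill at the gateway (added example, not vendor code).

When a backend login page matches the policy, the gateway rewrites it so
the browser fills and submits the form itself with values the gateway
already holds for the authenticated user.
"""
import json
import re
from fnmatch import fnmatchcase

# Assumed form-fill policy for one application.
POLICY = {
    "url": "webmail.drew.edu/gw/webacc*",          # match by URL
    "page_text": "GroupWise WebAccess",            # match by text on page
    # form field name -> session source ("login", "password" or LDAP attr)
    "fields": {"User.id": "login", "User.password": "password",
               "User.lang": "preferredLanguage"},
}

FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
NAME_RE = re.compile(r"<input\b[^>]*\bname\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def matches(policy, url, html):
    """Both matching criteria from the slide: URL and text on the page."""
    return fnmatchcase(url, policy["url"]) and policy["page_text"] in html


def field_values(form_html, session, policy):
    """Values to fill, keyed by input name, taken from the user's session."""
    values = {}
    for name in NAME_RE.findall(form_html):
        source = policy["fields"].get(name)
        if source in ("login", "password"):
            values[name] = session[source]
        elif source is not None:
            values[name] = session["attrs"].get(source, "")
    return values


def fill_page(url, html, session, policy):
    """Return the page to send to the browser (unchanged if no match)."""
    if not matches(policy, url, html):
        return html
    for index, form in enumerate(FORM_RE.finditer(html)):
        values = field_values(form.group(0), session, policy)
        if values:
            break
    else:
        return html                      # no form with fields we know
    # json.dumps gives a JS object literal with every string escaped, so a
    # password containing quotes or newlines cannot break out of the script;
    # "</" is split so a value cannot close the <script> element early.
    literal = json.dumps(values).replace("</", "<\\/")
    script = (
        "<script>(function(){var f=document.forms[%d],v=%s;"
        "for(var k in v){if(f.elements[k])f.elements[k].value=v[k];}"
        "f.submit();})();</script>" % (index, literal)
    )
    hidden = '<div style="display:none">%s</div>' % form.group(0)
    page = html[:form.start()] + hidden + html[form.end():]
    pos = page.lower().rfind("</body>")
    if pos < 0:
        return page + script
    return page[:pos] + script + page[pos:]


# Constructed login page and session for the demonstration.
LOGIN_PAGE = """<html><body><h1>GroupWise WebAccess</h1>
<form method="post" action="/gw/webacc">
<input type="text" name="User.id"><input type="password" name="User.password">
<input type="hidden" name="User.lang"><input type="submit" value="Login">
</form></body></html>"""
SESSION = {"login": "alarsson", "password": 'pa"ss</script>',
           "attrs": {"preferredLanguage": "en"}}

if __name__ == "__main__":
    print(fill_page("webmail.drew.edu/gw/webacc", LOGIN_PAGE, SESSION, POLICY))
```

Because the filled values travel to the browser in the page body, a form-fill resource must be served over TLS and the rewritten page must not be cacheable; the gateway terminating SSL in front of the application is what makes this acceptable. The escaping step is not optional: a password containing a quote or `</script>` would otherwise turn the generated script into an injection point.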


Identity Injection (Called OLAC in iChain)

  • Injects identity information into HTTP requests

    • HTTP Authorization header (HTTP Basic Auth)

    • Arbitrary HTTP Headers or query string (GET parameters)

  • Useful for

    • Applications that support basic auth

    • Applications designed for SSO integration (look for header based SSO in the docs)

    • Home-grown apps designed only for deployment behind the access gateway

  • Protects against client request forgery (header spoofing)

    • The appliance scrubs client HTTP requests of every header used in an injection policy before adding its own values, so a client cannot pre-supply an identity of its choosing.
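What an injection policy does to a request on its way to the web server, as an added example (not iChain or Access Manager code): the gateway first strips every header the policy manages, in any letter case the client used, then sets an HTTP Basic Authorization header from the user's credentials and arbitrary headers from LDAP attributes, and can likewise add identity as GET parameters. The policy, the session record, the multi-value separator and the spoofed client request are assumptions for illustration.

```python
"""Identity injection (OLAC) at the gateway (added example, not vendor code).

Two steps per request: scrub client-supplied copies of every managed
header, then inject the gateway's own values from the authenticated session.
"""
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed injection policy for one protected resource:
# header name -> "basic" (build HTTP Basic from the login credentials)
#                or the LDAP attribute whose value to inject.
POLICY = {
    "Authorization": "basic",
    "X-Remote-User": "cn",
    "X-Remote-Groups": "groupMembership",
}
# Assumed query-string policy for an app that reads identity from GET params.
QUERY_POLICY = {"uid": "cn"}


def scrub(client_headers, policy):
    """Drop every header the policy manages, whatever case the client used."""
    managed = {name.lower() for name in policy}
    return {k: v for k, v in client_headers.items() if k.lower() not in managed}


def inject(client_headers, session, policy):
    """Return the header set the gateway forwards to the backend."""
    headers = scrub(client_headers, policy)
    for name, source in policy.items():
        if source == "basic":
            cred = ("%s:%s" % (session["login"], session["password"])).encode()
            headers[name] = "Basic " + base64.b64encode(cred).decode()
        else:
            value = session["attrs"].get(source, "")
            if isinstance(value, list):       # multi-valued LDAP attribute
                value = "|".join(value)       # separator is this example's choice
            # never let an attribute value smuggle a second header line
            headers[name] = value.replace("\r", "").replace("\n", "")
    return headers


def inject_query(path, session, policy):
    """Append identity as GET parameters, dropping client-supplied copies."""
    parts = urlsplit(path)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k not in policy]
    params += [(k, session["attrs"].get(src, "")) for k, src in policy.items()]
    return urlunsplit(parts._replace(query=urlencode(params)))


def decode_basic(value):
    """What a test script on the web server sees: (user, password)."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not HTTP Basic")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# Constructed session for the authenticated user.
SESSION = {
    "login": "alarsson", "password": "s3cret",
    "attrs": {"cn": "alarsson",
              "groupMembership": ["cn=staff,ou=groups,o=drew",
                                  "cn=faculty,ou=groups,o=drew"]},
}

if __name__ == "__main__":
    # Constructed request from a client that tries to forge the identity.
    client = {"Host": "webmail.drew.edu", "Cookie": "ASPSESSIONID=abc",
              "x-remote-user": "cn=admin", "authorization": "Basic spoof"}
    for k, v in inject(client, SESSION, POLICY).items():
        print("%s: %s" % (k, v))
    print(inject_query("/app/home?uid=admin&view=1", SESSION, QUERY_POLICY))
```

The scrub step is what the slide's last bullet refers to: without it, a client could send its own X-Remote-User and the backend, which trusts the gateway, would accept it. Header names are case-insensitive in HTTP, so the comparison must be too.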


When things go wrong…

  • Troubleshooting tools

    • Firefox

      • Web-developer’s toolbar

      • Tamper data extension

    • Interception proxy

      • Burp Proxy – portswigger.net/proxy

    • Test scripts

      • On the web server – to print out request variables and compare with expected

    • Traffic analysis

      • On the Access Gateway appliance (tcpdump or pktscan) to capture traffic

      • On the client – Wireshark


Cool value add: Path-based multi-homing

  • Allows you to stitch together multiple applications under a single URL namespace

  • Example setup at Drew:

    • http://www.drew.edu/*

      • An ASP.NET based content management system running under IIS 6 on Windows Server 2003

    • http://www.drew.edu/admblog/*

      • A Drupal based blog running under Apache on a SLES 9 server

    • http://www.drew.edu/qfsearch/*

      • The Novell QuickFinder engine running on NetWare


  • Questions?

  • E. Axel Larsson
    Enterprise Integration Specialist
    Drew University
    [email protected]

