web single sign on with novell ichain and novell access manager
Skip this Video
Download Presentation
Web Single-Sign-On with Novell iChain and Novell Access Manager

Loading in 2 Seconds...

play fullscreen
1 / 18

Web Single-Sign-On with Novell iChain and Novell Access Manager - PowerPoint PPT Presentation

  • Uploaded on

Web Single-Sign-On with Novell iChain and Novell Access Manager. E. Axel Larsson ([email protected]) Enterprise Integration Specialist Drew University TTP Summer Conference 2007. Agenda. iChain and Access Manager fundamentals What are iChain and Access Manager

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Web Single-Sign-On with Novell iChain and Novell Access Manager' - doli

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
web single sign on with novell ichain and novell access manager

Web Single-Sign-On with Novell iChain and Novell Access Manager

E. Axel Larsson ([email protected])

Enterprise Integration Specialist

Drew University

TTP Summer Conference 2007

  • iChain and Access Manager fundamentals
    • What are iChain and Access Manager
    • How does web-SSO relate to IDM
    • Networking Considerations
    • Access Control, Form-Fill, and Identity Injection
  • Troubleshooting Tools and Tips
  • Advanced Functionality
a few ssso enabled apps at drew
Ad-Astra Portal

Adobe Connect (Macromedia Breeze)

Aptron CampusWeb

Blackboard 6

Ektron Content Management


GWGuardian Web Quarantine

GroupWise WebAccess

GroupWise Mobile


SIRSI Web2 Library Web Catalog

SupportWorks Helpdesk Self-Service

vBulletin Forums

A few SSSO-enabled apps at Drew
  • What is iChain? What is Access Manager?
  • Networking Considerations
  • Access Control Policies
  • Basic Form-Fill
  • Basic Identity Injection (OLAC)
what is ichain
What is iChain?
  • Reverse proxy based SSO soft-appliance
    • Sits in front of web servers
    • Authenticates clients and applies access control policies
    • Authenticates clients to backend web servers on the behalf of users.
  • Two principle facilities for providing single-sign-on
    • Form-Fill
    • OLAC - Object Level Access Control (now called Identity Injection in AM3)
    • Non-invasive integration
what does access manager add
What does Access Manager add?
  • Unified administration console
    • iManager-based
    • Manage configuration for proxy appliances, identity servers, policies, etc. from one place
  • Identity Server
  • Federation
    • SAML 1.1, SAML 2, and Liberty Alliance
  • J2EE Agents
  • Access Gateway appliance is the direct replacement for the iChain appliance
how does web sso relate to identity management
How does Web-SSO relate toIdentity Management?
  • Enterprise Identity Management system
    • Sits in between applications and authoritative data sources.
    • Provisions security principals in backend directory services, applications’ local data stores
    • Based upon entitlements which correspond with organizational roles or established workflows.
  • Web Single-Sign-On system
    • Sits in between users and web applications.
    • Provides credentials or assertions to apps on behalf of the user
    • For user convenience and/orto enforce a security policy.
networking considerations
Networking Considerations
  • AuthN/AuthZ for your web apps are delegated to the Access Gateway proxy
    • Web servers trust injected identity information provided by the Access Gateway
    • Clients should not have direct access to backend web servers.
    • Web servers should be placed in a private network behind the Access Gateway
  • Fault tolerance for the Access Gateway will require use of an L4 switch (load balancer)
  • Collaboration with your networking team is essential for a successful Web-SSO deployment!
at drew
At Drew

Load Balancer

(Zeus ZXTM)

Public Resource (I.e. www.drew.edu)

iChain 1

iChain 2

Post-iChain load balancer resource

Web Server

Web Server

Web Server

Private Post-iChain VLANs

authentication and access policies
Authentication and Access Policies
  • Protected resources defined by URL path:
    • i.e. www.drew.edu/secret-stuff/*
  • iChain – three levels
    • Public – Allows anonymous access
    • Restricted – Requires any authenticated user
    • Secure – Uses ACLs (static or dynamic membership) to determine access
  • Access Manager adds
    • Identity server roles – Based upon a number of criteria. LDAP attributes, Liberty profile fields, client IP address, time of day, etc.
acl policies for sso applications
ACL policies for SSO applications
  • Blanket approach
    • Protected resource for the entire site:
      • i.e. webmail.drew.edu/*
    • Require auth for all access
  • Surgical approach
    • Trust the application’s session management
      • Application may offer differentiated content for anonymous and authenticated users
    • Only protected the login “endpoint” (either a page with a login form, or basic auth)
    • Example:
      • Spam.drew.edu/* -- Public
      • Spam.drew.edu/Quarantine/login.aspx -- Restricted
the basics of form fill
The basics of Form Fill
  • Non-invasive integration method
  • Fills out login forms on behalf of user
    • Done client-side, form HTML is substituted with JavaScript generated by the appliance
  • Form matching criteria
    • URL
    • Text on page
  • Form filling
    • User’s login credentials
    • LDAP attributes
  • Can pass embedded JavaScript back to client
identity injection called olac in ichain
Identity Injection (Called OLAC in iChain)
  • Injects identity information into HTTP requests
    • HTTP Authorization header (HTTP Basic Auth)
    • Arbitrary HTTP Headers or query string (GET parameters)
  • Useful for
    • Applications that support basic auth
    • Applications designed for SSO integration (look for header based SSO in the docs)
    • Home-grown apps designed only for deployment behind the access gateway
  • Protects against client request forgeries.
    • Appliance scrubs client HTTP requests of all headers used in an injection policy.
when things go wrong
When things go wrong…
  • Troubleshooting tools
    • Firefox
      • Web-developer’s toolbar
      • Tamper data extension
    • Interception proxy
      • Burp Proxy – portswigger.net/proxy
    • Test scripts
      • On the web server – to print out request variables and compare with expected
    • Traffic analysis
      • On the Access Gateway appliance (tcpdump or pktscan) to capture traffic
      • On the client – Wireshark
cool value add path based multi homing
Cool value add: Path-based multi-homing
  • Allows you to stitch together multiple applications under a single URL namespace
  • Example setup at Drew:
    • http://www.drew.edu/*
      • An ASP.NET based content management system running under IIS 6 on Windows Server 2003
    • http://www.drew.edu/admblog/*
      • A Drupal based blog running under Apache on a SLES 9 server
    • http://www.drew.edu/qfsearch/*
      • The Novell QuickFinder engine running on NetWare