Federated Identity with Ping Federate PowerPoint PPT Presentation

Presentation Transcript

ASR Final Project February 7th, 2007

Federated Identity with Ping Federate

--------------------------------------------

Eunice Mondésir

Pierre Weill-Tessier

--------------------------------------------

Project Supervisor: M. Maknavicius-Laurent

ASR Coordinator: G. Bernard



Agenda

  • Introduction

  • Federated Identity concepts

  • Presentation of Ping Federate server

  • Platform implementation

  • Demonstrations

  • Conclusion



Introduction



Federated Identity Concepts


Federated Identity Concepts

  • Why Federated Identity?

  • What is Federated Identity?

  • Participants of Circle of Trust

  • Single Sign On and Single Log Out

  • SAML language



Federated Identity Concepts

1. Why federated identity?

  • Multiple authentication parameters

  • Heterogeneous authentication and access control methods

  • No control over how personal information is exposed

  • Need for easier and faster access to services



Federated Identity Concepts

2. What is federated identity?

  • Set of agreements, standards and technologies

  • Trust relationships between organizations

  • Integrity and privacy preserved

  • Independence of organizations



Federated Identity Concepts

3. Circle of Trust (CoT) participants

  • Service Provider (SP):

    • Provides one or more services within a federation

    • Access control policy

  • Identity Provider (IdP):

    • Creates, maintains, manages identity information

    • The user must authenticate at an IdP recognized by the SP


Federated Identity Concepts

3. Circle of Trust (CoT) participants

  • Circle of trust:

    • Federation of IdP and SP

    • Business relationships

    • Operational agreements

    • Secured communication channels

    • Seamless environment

[Diagram: a circle of trust (CoT) with one IdP and six SPs]


Federated Identity Concepts

4. SSO and SLO

  • Liberty Alliance

  • Single Sign On (SSO):

    • Sign on once at a site (single account)

    • Seamless sign-on at other sites

    • No extra authentication

    • SPs both within and across circles of trust

  • Single Log Out (SLO):

    • Synchronized session logout

    • All sessions authenticated by an IdP closed


Federated Identity Concepts

5. SAML (Security Assertion Markup Language)

  • XML standard developed by OASIS

  • Exchanging authentication & authorization data between security domains (IdP and SP)

  • SSO solution beyond the intranet

  • Exchange of assertions between IdP and SP


Presentation of Ping Federate

Presentation of Ping Federate server

  • How does Ping Federate work?

  • Communication tools of Ping Federate


Presentation of Ping Federate server

1. How does Ping Federate work?

  • Server that passes identities between CoTs

  • Distinction between two roles: IdP and SP

    • Both roles can be combined

  • Ping Federate does not interfere with local usage of the application


Presentation of Ping Federate server

2. Communication tools in PF server

  • Different environments: how do they communicate?

    • Ping Federate provides Integration Toolkits

[Diagram labels: Application or IdM, X programming language, agent, adapter, PF Token, SAML]


Platform Implementation

  • Needs

  • LDAP

  • Postfix

  • Tomcat

  • Ping Federate server



Platform Implementation

1. Needs

  • Applications often interact with a database for authentication

  • The Ping Federate server requires the parameters of a mail server to send notification mail

  • Ping Federate’s sample application runs on Tomcat Application Server



Platform Implementation

2. LDAP

  • Why this protocol?

    • LDAP adapter provided by PF

    • Authentication to IdPs via a pop-up window

  • Our configuration:

    • Server: OpenLDAP

    • Client: LDAPBrowser, to check our entries

    • Simple tree: root + inetOrgPerson class instances



Platform Implementation

2. LDAP

  • Example of LDAP Tree:

dn: o=INT,c=FR

dn: cn=Eunice, o=INT, c=FR

dn: cn=Pierre, o=INT, c=FR

  • Attributes we used:

    • cn, sn

    • mail, userPassword

    • title



Platform Implementation

3. Postfix

  • Why?

    • Mail server running on Linux

    • “Lighter” configuration than Sendmail

  • No associated database: only one user!

    • [email protected]

    • [email protected] is a “fake” address used for the notification only.

  • IMAP server as MDA



Platform Implementation

4. Tomcat

  • Why?

    • Application server required to test the samples

    • Supports several technologies (JSP, HTML)

  • Identification tools:

    • Double authentication based on role and login

    • Default configuration

    • LDAP-based configuration via JNDI



Platform Implementation

4. Tomcat

  • Key configuration files

    • server.xml: defines the database connection

    • web.xml: defines the security constraint



Platform Implementation

5. Ping Federate

  • Standalone web administration

    • https://cubitus.int-evry.fr:9999/pingfederate/app

    • Supports multiple administrator accounts

    • Role selection can be changed (IdP, SP or both)

  • Ease of management

    • Server configuration

    • Partner configuration



Platform Implementation

5. Ping Federate

  • Server settings

    • Local settings

      • Base URL: where the server is reached

      • Federation Info: choice of technologies

      • Entity ID / realm: alias by which the server is known outside Ping Federate

      • IdP/SP events: systematic redirections



Platform Implementation

5. Ping Federate

  • Server settings

    • Local settings

    • IdP/SP adapters management

    • Data Store management

    • Metadata export



Platform Implementation

5. Ping Federate

  • Partner settings: connections

    • IdP connections = we are the SP

    • SP connections = we are the IdP

    • SP affiliations = federation of two or more partners

  Depends on the partners’ configuration, i.e. each CoT defines its policy independently


Demonstrations

Test Platform implementation

  • Before Ping Federate servers

  • Simplification

  • Setting up the Ping Federate servers

  • IdP initiated SSO with ITAM

  • SP initiated SSO with ITAM

  • SP initiated SSO with LDAP adapter


1. Before Ping Federate servers

Connection to INT services within INT

[Diagram: two circles of trust, ITAM CoT and INT CoT, each with its own IdM and services S1, S2, S3]


1. Before Ping Federate servers

Connection to INT services from outside INT

[Diagram: two circles of trust, ITAM CoT and INT CoT, each with its own IdM and services S1, S2, S3]


1. Before Ping Federate servers

Connection to ITAM services, whether from within INT or from outside INT, is not possible

[Diagram: two circles of trust, ITAM CoT and INT CoT, each with its own IdM and services S1, S2, S3]


2. Simplification

  • All applications hosted by the Tomcat server

  • Authentication files serving as database

[Diagram: ITAM CoT and INT CoT, each simplified to one IdM and one service S1]


3. PF servers setting up

  • For INT CoT: only one PF server (IdP and SP server)

  • For ITAM CoT: two PF servers, one IdP and one SP

[Diagram: INT CoT with IdM, S1 and the PF server cubitus (IdP & SP); ITAM CoT with IdM, S1 and the PF servers oberon and titania (one IdP, one SP)]


4. IdP initiated SSO with ITAM

Sarah connects to S1 without going through the ITAM IdM

[Diagram: INT CoT (IdM, S1, cubitus as IdP), ITAM CoT (IdM, S1, oberon IdP, titania SP), user Sarah; SSO over SAML 2.0]


5. SP initiated SSO with ITAM

[Diagram: INT CoT (IdM, S1, cubitus as IdP), ITAM CoT (IdM, S1, oberon IdP, titania SP), user Bob; SAML 2.0 exchanges in both directions, SSO]


6. SP initiated SSO with LDAP adapter

INT IdP interaction with the LDAP directory via a pop-up window

[Diagram: INT CoT (IdM, S1, cubitus as IdP with the LDAP adapter and LDAP directory), ITAM CoT (IdM, S1, oberon IdP, titania SP), user Sam; SAML 2.0 exchanges, SSO; labels “LDAP adapter” and “standard adapter”]
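The demonstrations above bring SSO to a service provider in two ways: IdP-initiated (demonstration 4, where the SAML Response arrives unsolicited) and SP-initiated (demonstrations 5 and 6, where the Response answers an AuthnRequest the SP sent). The Python below is an added example, not code from the presentation or from Ping Federate, of the checks an SP must make on a SAML 2.0 Response before acting on its assertion: the issuer is one of the IdP partners configured for our circle of trust (the “IdP connections” of the Partner settings slide), InResponseTo matches an outstanding request in the SP-initiated case, the assertion is addressed to us, it is inside its validity window, and its ID is consumed only once. The entity IDs, user names and Response XML are constructed placeholders; verification of the XML signature is assumed to have happened before these checks and is not implemented here.

```python
"""SP-side validation of a SAML 2.0 Response (added example, not Ping Federate code).
Assumes the XML signature over the Response/Assertion was verified first (e.g. xmlsec);
these are the protocol checks that follow. Entity IDs and sample XML are placeholders."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=3)  # tolerance for IdP/SP clock drift


@dataclass
class ServiceProvider:
    """Our entity ID, the IdP partners we trust (the CoT), and per-flow bookkeeping."""
    entity_id: str
    trusted_idps: set
    pending_requests: set = field(default_factory=set)  # AuthnRequest IDs we issued
    seen_assertions: set = field(default_factory=set)   # assertion IDs already consumed


def parse_time(value):
    """SAML timestamps are ISO 8601 UTC, e.g. 2007-02-07T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(sp, xml_text, now, allow_unsolicited=False):
    """Return (True, NameID) if the assertion may be used for SSO, else (False, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success"
    # Trust: only IdP partners configured in our circle of trust may assert identities.
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer not in sp.trusted_idps:
        return False, f"untrusted issuer {issuer!r}"
    # Flow binding: SP-initiated SSO must answer a request we actually sent; an
    # unsolicited response (IdP-initiated SSO) is accepted only if policy allows it.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_unsolicited:
            return False, "unsolicited response not allowed"
    elif in_response_to not in sp.pending_requests:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None or assertion.findtext(f"{{{SAML}}}Issuer") != issuer:
        return False, "missing assertion or assertion issuer differs from response issuer"
    assertion_id = assertion.get("ID")
    if assertion_id in sp.seen_assertions:  # replay: each assertion is consumed once
        return False, "assertion replayed"
    # Validity window and audience, with a small skew allowance.
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return False, "no Conditions"
    if now + CLOCK_SKEW < parse_time(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - CLOCK_SKEW >= parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    if sp.entity_id not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        return False, "assertion not addressed to this SP"
    # All checks passed: consume the request and assertion IDs, hand back the subject.
    sp.pending_requests.discard(in_response_to)
    sp.seen_assertions.add(assertion_id)
    return True, assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def sample_response(issuer, audience, name_id, assertion_id, not_before, not_on_or_after,
                    in_response_to=None):
    """Constructed, unsigned sample Response for offline testing (not real IdP output)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
    Version="2.0" IssueInstant="{not_before}"{irt}>
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


IDP = "https://idp.example.test/saml"  # placeholder entity IDs, not the project's own
SP_ID = "https://sp.example.test/saml"
WINDOW = ("2007-02-07T10:00:00Z", "2007-02-07T10:10:00Z")
NOW = datetime(2007, 2, 7, 10, 5, tzinfo=timezone.utc)


def demo():
    """Run the demonstrated flows against one SP and return the outcomes in order."""
    sp = ServiceProvider(entity_id=SP_ID, trusted_idps={IDP})
    results = []
    # IdP-initiated SSO (demonstration 4): no InResponseTo, accepted because policy allows it.
    unsolicited = sample_response(IDP, SP_ID, "sarah", "_a1", *WINDOW)
    results.append(validate_response(sp, unsolicited, NOW, allow_unsolicited=True))
    # The same response presented a second time is rejected as a replay.
    results.append(validate_response(sp, unsolicited, NOW, allow_unsolicited=True))
    # SP-initiated SSO (demonstration 5): we issued AuthnRequest _req1 and the response cites it.
    sp.pending_requests.add("_req1")
    solicited = sample_response(IDP, SP_ID, "bob", "_a2", *WINDOW, in_response_to="_req1")
    results.append(validate_response(sp, solicited, NOW))
    # An assertion from an IdP that is not a partner in our circle of trust is refused.
    rogue = sample_response("https://other-idp.example.test/saml", SP_ID, "sam", "_a3", *WINDOW)
    results.append(validate_response(sp, rogue, NOW, allow_unsolicited=True))
    return results
```

`validate_response` returns `(True, NameID)` when the assertion may be used and `(False, reason)` otherwise; `demo()` runs the IdP-initiated case, a replay of it, the SP-initiated case and a Response from an IdP outside the CoT. Whether unsolicited Responses are accepted at all is a policy decision per partner connection, which is why it is an explicit parameter rather than a default.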


Conclusion

  • What remains to be done?

    • Adapt INTest with Ping Federate (Token)

    • Test multi-partner federation

    • Perform tests on security and privacy

  • Other solutions?

    • Microsoft CardSpace (.NET)

    • WS-Federation

    • Servers (Sun One Identity Server, IBM Tivoli, Microsoft ADFS…)


Thanks for your attention

Questions?