TAM STE Series 2008 - WebSEAL SSO, Session 1

Presented by: Andrew Quap

WebSEAL SSO, Session 1

Itinerary for WebSEAL single sign-on (SSO)
  • Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)
  • Cross Domain Single Sign-on (CDSSO)
  • e-Community Single Sign-on (ECSSO)

SPNEGO
  • Generic Security Service Application Program Interface (GSS-API)
    • "an application programming interface for programs to access security services" (Wikipedia)
    • GSS-API version 2 is specified in RFC 2743; SPNEGO, the negotiation mechanism layered on top of it, in RFC 2478 (since superseded by RFC 4178)
    • Describes a standard set of APIs that are independent of the underlying security mechanism
  • Any security mechanism can be plugged in behind GSS-API
    • The Kerberos mechanism (RFC 1964) is the best known, and is the one SPNEGO negotiates in the WebSEAL case

SPNEGO
  • Microsoft started to use SPNEGO in IE 5.01 and IIS 5.0 as an HTTP authentication extension (Wikipedia)
    • Requires an Active Directory (AD) domain controller acting as the Kerberos KDC
    • Microsoft markets this as Integrated Windows Authentication; the Negotiate scheme can fall back to NTLM when Kerberos is not available, and WebSEAL accepts only the Kerberos branch
    • Used to provide desktop single sign-on into an IIS server
  • TAM WebSEAL SPNEGO allows users to SSO into WebSEAL with the same desktop (domain) logon

Kerberos basics
  • MIT Kerberos v5
  • RFC 1510 (since superseded by RFC 4120)
    • Kerberos tickets
    • Kerberos realm
    • KDC (Key Distribution Center)
      • Server that issues Kerberos tickets
      • Typically listens on port 88 (UDP and TCP)
  • For UNIX implementations, 'krb5.conf' holds the Kerberos client configuration: default realm, realm-to-KDC mappings and DNS-domain-to-realm mappings

Kerberos basics
  • keytab file
    • Holds the long-term key(s) of a service principal, so a service (i.e. a server) can authenticate to the Kerberos realm without an interactive password
  • 'kinit' command
    • Obtains a ticket-granting ticket, i.e. authenticates a principal to the Kerberos realm
      • Input: user name and password
      • Or a keytab file, which is also the way to test that a service's keytab is valid

SPNEGO
  • SPNEGO uses the GSS-API Kerberos mechanism
  • WebSEAL and the TAM Web plug-in (WebPI) use the "HTTP Negotiate" extension defined by Microsoft
  • The client web browser sends an HTTP request to WebSEAL
  • WebSEAL returns HTTP 401 (Unauthorized) with the header "WWW-Authenticate: Negotiate"
  • The client derives the Service Principal Name (SPN) for the host (HTTP/<fully qualified host name>), obtains a service ticket for it from the KDC, and calls InitializeSecurityContext() to generate a NegTokenInit token

SPNEGO
  • The client resends the request with the header "Authorization: Negotiate <base64 token>" (e.g. Authorization: Negotiate YIIGUQY<remainder of base64 encoded string>)
  • WebSEAL base64-decodes the NegTokenInit token
  • WebSEAL verifies the encryption type and authenticates the token with gss_accept_sec_context()
  • The next step depends on what gss_accept_sec_context() returns: on success WebSEAL looks up the authenticated Kerberos principal in its user registry and creates a session; on failure the request is not authenticated
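
The challenge/response just described, as an added example (not WebSEAL code and not from the presentation): a small Python parser that decodes the Authorization: Negotiate header the way a support engineer reads one out of a network trace, lists the mechanisms the browser offered, and reports whether WebSEAL can hand the token to gss_accept_sec_context (Kerberos first) or will reject it (NTLM). The DER framing follows RFC 2743 section 3.1 and RFC 4178; the sample headers are constructed inside the block rather than captured from a real browser, and webseal_verdict is a simplification of the behaviour the slides describe, not WebSEAL's actual decision logic.

```python
"""Decode an 'Authorization: Negotiate <base64>' header as sent to WebSEAL,
list the SPNEGO mechanisms the browser offered, and report whether WebSEAL can
consume the token (Kerberos) or will reject it (NTLMSSP).  Added example, not
WebSEAL code.  Token framing follows RFC 2743 s3.1 (InitialContextToken) and
RFC 4178 (NegTokenInit); the sample headers below are constructed here."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_MECHS = (KRB5_OID, MS_KRB5_OID)


# Minimal DER helpers; the encoding side is only used to build the samples.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_negtokeninit(mech_oids, mech_token):
    """Constructed sample: GSS InitialContextToken wrapping a NegTokenInit whose
    mechTypes list is mech_oids and whose mechToken is mech_token."""
    mech_list = tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    fields = tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, tlv(0x30, fields)))

def negotiate_mechs(header_value):
    """Mechanism OIDs offered in 'Negotiate <b64>', in preference order.
    A raw NTLMSSP blob (no GSS framing; base64 starts 'TlRMTVNTUAAB') is
    reported as ['NTLMSSP']."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):
        return ["NTLMSSP"]
    tag, body, _ = read_tlv(tok, 0)
    if tag != 0x60:                          # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    _, oid, pos = read_tlv(body, 0)          # thisMech
    if decode_oid(oid) != SPNEGO_OID:
        return [decode_oid(oid)]             # bare Kerberos AP-REQ, no negotiation
    _, negtoken, _ = read_tlv(body, pos)     # [0] NegTokenInit
    _, seq, _ = read_tlv(negtoken, 0)        # SEQUENCE { mechTypes, ... }
    _, mechtypes, _ = read_tlv(seq, 0)       # [0] MechTypeList
    _, lst, _ = read_tlv(mechtypes, 0)       # SEQUENCE OF MechType
    mechs, p = [], 0
    while p < len(lst):
        _, oid, p = read_tlv(lst, p)
        mechs.append(decode_oid(oid))
    return mechs

def webseal_verdict(header_value):
    """'kerberos' if the preferred mechanism is one WebSEAL can hand to
    gss_accept_sec_context, otherwise 'reject' (WebSEAL cannot handle NTLM)."""
    return "kerberos" if negotiate_mechs(header_value)[0] in KERBEROS_MECHS else "reject"

# Constructed sample headers (placeholder mechToken bytes, not real tickets).
KERBEROS_HEADER = "Negotiate " + base64.b64encode(build_negtokeninit(
    [MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x6e\x82\x04\x00")).decode()
NTLM_FIRST_HEADER = "Negotiate " + base64.b64encode(build_negtokeninit(
    [NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

A quick field check that follows from the framing: a GSS-API token always begins with the byte 0x60, so a genuine SPNEGO header starts "Negotiate Y" (typically "YII" for tokens long enough to need a two-byte length, as in the "YIIGUQY" example above), whereas a header starting "Negotiate TlRMTVNTUAAB" is a raw NTLMSSP Type 1 message and is the "NTLM response from IE" case listed under limitations.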

SPNEGO flow
  • All entities share a secret key with a trusted third party (the KDC)
    • Allows the third party to authenticate any known entity
    • The third party can encrypt data for any known entity, which is how it issues a ticket that only the target service can decrypt

WebSEAL SPNEGO configuration and setup
  • The AD server is typically configured as the TAM user registry
    • A separate LDAP server can be used, but its users must be kept synchronized with AD so that the authenticated Kerberos principal can be mapped to a TAM user
  • The WebSEAL administration guide, v6, documents SPNEGO setup in detail

WebSEAL SPNEGO configuration and setup
  • WebSEAL installed on Windows
    • The 'ktpass' command creates the Service Principal Name (SPN) in the AD server and maps it to an AD account
    • Set up the WebSEAL service to run as the account that owns the new SPN
    • The WebSEAL server must be joined to the AD domain as a client

WebSEAL SPNEGO configuration and setup
  • WebSEAL installed on UNIX
    • Requires a keytab file generated by the 'ktpass' command on the AD side and copied to the WebSEAL machine
    • Modify the WebSEAL configuration file to include the service principal name and the keytab file path
    • Set up the Kerberos client ('krb5.conf') on the WebSEAL machine

WebSEAL SPNEGO configuration and setup
  • Supports a load-balanced WebSEAL setup
    • The WebSEAL admin guide details the steps needed for the basic setup; case matters in principal and host names
    • Forward and reverse DNS lookups for the load-balanced host name must match on the WebSEAL machine, so that the SPN the browser requests is the principal WebSEAL holds
    • WebSEAL on Windows
      • All server instances must run under the same AD account (the one holding the SPN)
    • WebSEAL on UNIX
      • All servers must share the same keytab (the same principal and key)

WebSEAL SPNEGO problem determination
  • Invoke 'bst' trace or per-process trace
  • Determine whether the failure is a Kerberos error
    • Review the Kerberos client configuration in 'krb5.conf'
  • UNIX
    • Ensure the keytab file is valid
      • Use 'kinit' with the keytab as a test; if kinit cannot obtain a ticket with it, WebSEAL cannot either
  • Windows
    • Ensure the WebSEAL service runs as the user account created or mapped during the 'ktpass' command

WebSEAL SPNEGO typical issues
  • TAM 6.0 provides a SPNEGO problem determination guide
  • WebSEAL will not start
    • Invoke per-process tracing
      • Look for a Kerberos error
        • Example of error (shown as an image on the original slide)

WebSEAL SPNEGO typical issues
  • WebSEAL starts but user SSO fails
    • Invoke 'bst' tracing
    • Take a network trace from the end user's browser
      • Look for the AD server (KDC) response: did the client obtain a service ticket for WebSEAL's SPN, and what does the Authorization: Negotiate header it sends contain?
    • Check 'krb5.conf'
      • Make sure the AD domain (realm) is defined or is the default realm
      • If the WebSEAL machine's DNS domain differs from the AD domain, make sure both domains are mapped to the realm (the domain-to-realm mapping)
    • Ensure the WebSEAL host is entered as a trusted site (or is in the Local intranet zone) in the IE browser; IE only sends Negotiate credentials automatically to sites in a zone configured for automatic logon

WebSEAL SPNEGO typical issues
  • Multiple SPNs mapped to the WebSEAL AD account
    • This issue only occurs when WebSEAL is installed on UNIX
    • Generating a keytab requires the '-mapOp set' option of the ktpass command
    • '-mapOp set' replaces the account's SPN mapping, so any other SPNs that existed on the account are removed
    • Use one AD account per SPN when WebSEAL runs on UNIX

WebSEAL SPNEGO limitations
  • Does not by itself provide SSO from WebSEAL into an IIS back-end server (see Kerberos junctions below)
  • If SPNEGO fails, falling back to WebSEAL forms login requires an IE fix
    • WebSEAL's NTLM error page can be modified to send the user to 'pkmslogin'
    • Alternatively, use e-community SSO to log the user in
  • WebSEAL cannot handle NTLM responses from IE (a Negotiate header carrying NTLMSSP instead of a Kerberos token)
  • SPNEGO clients cannot log out: after the session is ended, the browser transparently re-authenticates on the next Negotiate challenge

Kerberos junctions
  • Not SSO into WebSEAL, but SSO from WebSEAL to IIS: WebSEAL authenticates to the junctioned IIS server with Kerberos on the user's behalf

SPNEGO questions

Cross Domain Single Sign-on (CDSSO)
  • "A mechanism to transfer a user's credentials between servers in different domains" (WebSEAL administration guide)
  • Uses an encrypted token to transfer the user identity
    • "token creation" builds and encrypts the token on the originating server
    • "token consumption" decrypts and validates the token on the destination server
  • CDSSO can also be used between the TAM Web plug-in and WebSEAL

Cross Domain Single Sign-on (CDSSO)
  • Supports the cross-domain mapping framework (CDMF)
    • Allows additional attributes to be encrypted in the token alongside the user's identity
    • Provides the ability to customize CDSSO (for example, mapping identities between domains) using the TAM C APIs

CDSSO configuration and setup
  • Configuring CDSSO token-create functionality
    • The following procedures apply to the initial (originating) WebSEAL server:
      • Enable WebSEAL to generate CDSSO tokens (cdsso-create)
      • Configure the built-in token creation module (sso-create)
      • Create the key file used to encrypt and decrypt the token, and copy it to all participating servers ([cdsso-peers] stanza)
      • Configure the token time stamp lifetime (authtoken-lifetime)
      • Configure the token label, i.e. the query argument that carries the token (cdsso-argument)
      • Create the CDSSO HTML link (/pkmscdsso?destination-URL)

CDSSO setup and configuration
  • Configuring CDSSO token-consume functionality
    • The following procedures apply to the destination WebSEAL server:
      • Enable WebSEAL to consume CDSSO tokens for authentication (cdsso-auth)
      • Configure the built-in token consumption module (sso-consume)
      • Assign the appropriate key file for each peer ([cdsso-peers] stanza)
      • Configure the token time stamp lifetime (authtoken-lifetime); it must agree with the originating server's setting
      • Configure the token label (cdsso-argument); it must match the originating server's setting

CDSSO flow
  • (Diagram on the original slide.) The user, already authenticated at the initial server, follows the /pkmscdsso link; the initial server creates the token and redirects the browser to the destination URL with the token carried in the cdsso-argument; the destination server consumes the token, authenticates the user and creates a local session

CDSSO requirements
  • "All WebSEAL servers participating in CDSSO must have machine times synchronized." (WebSEAL administration guide)
  • "For CDSSO to function successfully, each participating WebSEAL server must reveal its fully qualified host name to the other participating servers in the cross-domain environment." (WebSEAL administration guide)

CDSSO requirements
  • "Do not reuse key pairs (used to encrypt and decrypt token data) generated for a specific CDSSO environment in any other CDSSO environments." (WebSEAL administration guide)

CDSSO problem determination
  • Determine whether the error occurs during "token creation" or "token consumption"
  • Enable the CDSSO-specific trace component pdweb.wan.cdsso
  • Enable the 'pdweb.snoop' trace to see the HTTP requests and the token being passed
  • Analyze 'msg__webseald-<instance name>.log'
  • Is the customer using the default sso-create and sso-consume libraries, or a custom CDMF module?

CDSSO typical issues
  • Time issues: time zones not set up correctly, or clock skew beyond authtoken-lifetime
  • Mismatched keys (the peers do not share the same key file)
  • CDSSO peers incorrectly set up (the [cdsso-peers] entry does not match the peer's fully qualified host name)
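
The create/consume hand-off from the configuration slides and the three failure modes just listed, as an added example (not WebSEAL code and not from the presentation): a Python model in which server A creates a token, appends it to the destination URL under the cdsso-argument name, and server B consumes it, checking the issuing peer, the key and the token age against authtoken-lifetime. The JSON-plus-HMAC token, the dictionary standing in for the [cdsso-peers] stanza, the host names and the key bytes are illustrative assumptions; WebSEAL's real token is encrypted with the key file from its key generation tool, and its real format is not reproduced here.

```python
"""Model of the CDSSO token hand-off between an originating WebSEAL server
(token creation) and a destination server (token consumption), with the
failure modes the slides list: clock skew beyond authtoken-lifetime, a
mismatched key, and a peer that is not configured.  Added example; the
JSON-plus-HMAC token, the dict standing in for the [cdsso-peers] stanza and
the host names are illustrative assumptions, not WebSEAL's real encrypted
token format or its key file."""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

AUTHTOKEN_LIFETIME = 180   # seconds; plays the role of authtoken-lifetime
CDSSO_ARGUMENT = "PD-ID"   # query argument carrying the token (cdsso-argument)
MAC_LEN = hashlib.sha256().digest_size


class CdssoError(Exception):
    pass


def create_token(user, key, issuer_host, now, attrs=None):
    """Token creation (sso-create side): identity, optional CDMF attributes,
    issuing host and creation time, integrity-protected with the shared key.
    Constructed stand-in for WebSEAL's encrypted token."""
    payload = {"user": user, "issuer": issuer_host, "created": int(now),
               "attrs": attrs or {}}
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode("ascii")


def cdsso_redirect(destination_url, token, argument=CDSSO_ARGUMENT):
    """What /pkmscdsso?destination-URL does once the token exists: redirect
    the browser to the destination with the token appended as a query argument."""
    sep = "&" if urlparse(destination_url).query else "?"
    return destination_url + sep + urlencode({argument: token})


def consume_token(redirect_url, peers, my_time, lifetime=AUTHTOKEN_LIFETIME,
                  argument=CDSSO_ARGUMENT):
    """Token consumption (sso-consume side) on the destination server.
    `peers` plays the role of the [cdsso-peers] stanza: issuer host -> key.
    Raises CdssoError whose message starts with the name of the failing check."""
    query = parse_qs(urlparse(redirect_url).query)
    if argument not in query:
        raise CdssoError("argument: no %s token in the request" % argument)
    raw = base64.urlsafe_b64decode(query[argument][0])
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    payload = json.loads(body.decode("utf-8"))
    key = peers.get(payload["issuer"])
    if key is None:
        raise CdssoError("peer: %s is not in [cdsso-peers]" % payload["issuer"])
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        raise CdssoError("key: token does not verify, mismatched key file")
    age = my_time - payload["created"]       # future-dated tokens are rejected too
    if not 0 <= age <= lifetime:
        raise CdssoError("lifetime: token age %ds is outside authtoken-lifetime %ds"
                         % (age, lifetime))
    return payload["user"], payload["attrs"]


def demo():
    """Run the success case and each failure mode; returns outcomes by name."""
    key = b"constructed-shared-cdsso-key"        # stand-in for the key file
    peers_b = {"webseal-a.example.com": key}      # [cdsso-peers] on server B
    t0 = 1_700_000_000
    token = create_token("alice", key, "webseal-a.example.com", t0,
                         attrs={"dept": "ops"})
    url = cdsso_redirect("https://webseal-b.example.com/app/", token)
    outcomes = {"ok": consume_token(url, peers_b, t0 + 30)[0]}
    cases = {
        "skew": (url, peers_b, t0 + 600),                  # B's clock 10 min ahead
        "key": (url, {"webseal-a.example.com": b"other-key"}, t0 + 30),
        "peer": (url, {"webseal-c.example.com": key}, t0 + 30),
        "argument": ("https://webseal-b.example.com/app/", peers_b, t0 + 30),
    }
    for name, (u, peers, when) in cases.items():
        try:
            consume_token(u, peers, when)
            outcomes[name] = "accepted"
        except CdssoError as err:
            outcomes[name] = str(err).split(":", 1)[0]
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-9s %s" % (name, result))
```

The ordering of the checks mirrors the problem-determination advice: a consumption failure is attributed first to the peer lookup, then to the key, then to the time stamp, which is the same order in which a pdweb.wan.cdsso trace lets you rule causes out.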

CDSSO limitations
  • Strings in the token are UTF-8 encoded
  • Token compatibility across WebSEAL versions must be maintained, so participating servers need to run compatible versions

CDSSO questions

E-community Single Sign-on (ECSSO)
  • The concept is similar to CDSSO
  • A master authentication server (MAS) provides the single point of authentication for the community
    • WebSEAL and WebPI can both provide MAS functionality
  • Domain-specific cookies are used to identify the server that can provide "vouch for" services
  • The e-community implementation allows for "local" authentication in remote domains

ECSSO flow
  • (Diagram on the original slide.) A server in the community that cannot authenticate the user locally redirects the browser to the MAS; the MAS authenticates the user and vouches for the identity with a token that the requesting server consumes, and the domain-specific cookie records which server can vouch for the user from then on

ECSSO setup and configuration
  • Enabling and disabling e-community members
  • Including credential attributes in the vouch-for tokens
  • Specifying the sso-create and sso-consume libraries

ECSSO problem determination
  • Determine whether the error occurs during "token creation" or "token consumption"
  • Enable the 'pdweb.snoop' trace on all servers involved
  • Analyze 'msg__webseald-<instance name>.log'

ECSSO typical issues
  • Time issues: time zones not set up correctly, or clock skew
  • Mismatched keys
  • e-Community domains incorrectly set up

ECSSO limitations
  • One server, or group of servers, provides authentication for the whole group of participating servers
    • Each server can still perform local authentication

ECSSO questions