Web Single-Sign-On with Novell iChain and Novell Access Manager - PowerPoint PPT Presentation
Web Single-Sign-On with Novell iChain and Novell Access Manager. E. Axel Larsson (elarsson@drew.edu) Enterprise Integration Specialist Drew University TTP Summer Conference 2007. Agenda. iChain and Access Manager fundamentals What are iChain and Access Manager
Presentation Transcript
Web Single-Sign-On with Novell iChain and Novell Access Manager

E. Axel Larsson (elarsson@drew.edu)

Enterprise Integration Specialist

Drew University

TTP Summer Conference 2007

Agenda

  • iChain and Access Manager fundamentals

    • What are iChain and Access Manager

    • How does web-SSO relate to IDM

    • Networking Considerations

    • Access Control, Form-Fill, and Identity Injection

  • Troubleshooting Tools and Tips

  • Advanced Functionality

A few SSO-enabled apps at Drew

  • Ad-Astra Portal Manager

  • Adobe Connect (Macromedia Breeze)

  • Aptron CampusWeb

  • Blackboard 6

  • Ektron Content Management

  • GWGuardian Web Quarantine

  • GroupWise WebAccess

  • GroupWise Mobile

  • SIRSI Web2 Library Web Catalog

  • SupportWorks Helpdesk Self-Service

  • vBulletin Forums

Fundamentals

  • What is iChain? What is Access Manager?

  • Networking Considerations

  • Access Control Policies

  • Basic Form-Fill

  • Basic Identity Injection (OLAC)

What is iChain?

  • Reverse-proxy-based SSO soft appliance

    • Sits in front of web servers

    • Authenticates clients and applies access control policies

    • Authenticates clients to backend web servers on behalf of users.

  • Two principal facilities for providing single sign-on

    • Form-Fill

    • OLAC - Object Level Access Control (now called Identity Injection in AM3)

    • Non-invasive integration

What does Access Manager add?

  • Unified administration console

    • iManager-based

    • Manage configuration for proxy appliances, identity servers, policies, etc. from one place

  • Identity Server

  • Federation

    • SAML 1.1, SAML 2, and Liberty Alliance

  • J2EE Agents

  • Access Gateway appliance is the direct replacement for the iChain appliance

How does Web-SSO relate to Identity Management?

  • Enterprise Identity Management system

    • Sits in between applications and authoritative data sources.

    • Provisions security principals in backend directory services, applications’ local data stores

    • Based upon entitlements which correspond with organizational roles or established workflows.

  • Web Single-Sign-On system

    • Sits in between users and web applications.

    • Provides credentials or assertions to apps on behalf of the user

    • For user convenience and/or to enforce a security policy.

Networking Considerations

  • AuthN/AuthZ for your web apps is delegated to the Access Gateway proxy

    • Web servers trust injected identity information provided by the Access Gateway

    • Clients should not have direct access to backend web servers.

    • Web servers should be placed in a private network behind the Access Gateway

  • Fault tolerance for the Access Gateway will require use of an L4 switch (load balancer)

  • Collaboration with your networking team is essential for a successful Web-SSO deployment!

At Drew

[Diagram: Load Balancer (Zeus ZXTM) → Public Resource (e.g. www.drew.edu) → iChain 1 / iChain 2 → Post-iChain load balancer resource → Web Server × 3 on Private Post-iChain VLANs]

Authentication and Access Policies

  • Protected resources defined by URL path:

    • e.g. www.drew.edu/secret-stuff/*

  • iChain – three levels

    • Public – Allows anonymous access

    • Restricted – Requires any authenticated user

    • Secure – Uses ACLs (static or dynamic membership) to determine access

  • Access Manager adds

    • Identity server roles – Based upon a number of criteria. LDAP attributes, Liberty profile fields, client IP address, time of day, etc.

ACL policies for SSO applications

  • Blanket approach

    • Protected resource for the entire site:

      • e.g. webmail.drew.edu/*

    • Require auth for all access

  • Surgical approach

    • Trust the application’s session management

      • Application may offer differentiated content for anonymous and authenticated users

    • Only protect the login “endpoint” (either a page with a login form, or basic auth)

    • Example:

      • Spam.drew.edu/* -- Public

      • Spam.drew.edu/Quarantine/login.aspx -- Restricted
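The two slides above describe how a URL maps to a Public, Restricted or Secure protected resource and how the "surgical" approach layers a Restricted login endpoint over a Public site. The following is an added example (not the product's own policy format or code) that evaluates such a table with longest-match precedence; the secret-stuff ACL group and the fail-closed default are assumptions.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed protected-resource table in the spirit of the slides (not the
# real iChain/Access Manager policy format).  Entries are
# (host/path pattern, level, ACL group required for "secure").
POLICY = [
    ("www.drew.edu/*", "public", None),
    ("www.drew.edu/secret-stuff/*", "secure", "cn=staff,o=drew"),  # assumed group
    ("webmail.drew.edu/*", "restricted", None),                   # blanket approach
    ("spam.drew.edu/*", "public", None),                          # surgical approach:
    ("spam.drew.edu/Quarantine/login.aspx", "restricted", None),  # only the login endpoint
]

def match_resource(url):
    """Return the most specific POLICY entry covering url, or None.

    Host names compare case-insensitively, paths case-sensitively, and the
    query string is ignored.  '*' in a pattern covers the whole subtree."""
    parts = urlsplit(url)
    target = parts.netloc.lower() + (parts.path or "/")
    matches = [e for e in POLICY if fnmatchcase(target, e[0])]
    # Longest literal prefix wins, so the login endpoint beats "spam.drew.edu/*".
    return max(matches, key=lambda e: len(e[0].rstrip("*"))) if matches else None

def decide(url, user):
    """Gateway decision for one request.

    user is None for an anonymous client, otherwise a dict whose 'groups'
    set holds the DNs the directory says the user belongs to (static or
    dynamic membership is resolved by the directory, not here)."""
    entry = match_resource(url)
    if entry is None:
        return "deny"                    # nothing defined: fail closed (assumption)
    _, level, acl = entry
    if level == "public":
        return "allow"
    if user is None:
        return "redirect-to-login"       # Restricted and Secure both need authentication
    if level == "restricted":
        return "allow"
    return "allow" if acl in user["groups"] else "deny"
```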

The basics of Form Fill

  • Non-invasive integration method

  • Fills out login forms on behalf of the user

    • Done client-side: the form HTML is replaced with JavaScript generated by the appliance

  • Form matching criteria

    • URL

    • Text on page

  • Form filling

    • User’s login credentials

    • LDAP attributes

  • Can pass embedded JavaScript back to client
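The slide lists the two matching criteria (URL and text on the page) and the two value sources (the user's login credentials and LDAP attributes). Here is an added example, not the appliance's code or policy syntax, that applies such a policy and produces the client-side JavaScript that would stand in for the form; the GroupWise WebAccess URL, field names and the ${cred:...}/${ldap:...} placeholder syntax are assumptions.

```python
import json
import re

# Constructed form-fill policy in the spirit of the slide; the appliance's
# real policy syntax differs.  The WebAccess URL and field names are assumed.
POLICY = {
    "url": re.compile(r"^https?://webmail\.drew\.edu/gw/webacc(\?.*)?$"),
    "page_text": "GroupWise WebAccess",              # must appear in the HTML
    "form": "loginForm",
    "fields": {                                     # field -> value source
        "User.id": "${cred:username}",
        "User.password": "${cred:password}",
        "User.domain": "${ldap:ou}",
        "User.lang": "en",                          # constant value
    },
}

def form_matches(policy, url, html):
    """Both criteria from the slide: the URL and text on the page."""
    return bool(policy["url"].match(url)) and policy["page_text"] in html

def resolve(template, creds, ldap):
    """Expand ${cred:name} from the user's login and ${ldap:attr} from
    the directory; a missing attribute becomes an empty string."""
    def sub(m):
        src, name = m.group(1), m.group(2)
        return (creds if src == "cred" else ldap).get(name, "")
    return re.sub(r"\$\{(cred|ldap):([^}]+)\}", sub, template)

def js_literal(value):
    # JSON is a valid JS string literal; also escape '<' so a directory
    # value such as '</script>' cannot terminate the generated script block.
    return json.dumps(value).replace("<", "\\u003c")

def fill_script(policy, url, html, creds, ldap):
    """The JavaScript the gateway would send instead of the login form,
    or None when the page does not match the policy."""
    if not form_matches(policy, url, html):
        return None
    form = policy["form"]
    lines = []
    for field, template in policy["fields"].items():
        value = resolve(template, creds, ldap)
        lines.append(f'document.forms["{form}"][{js_literal(field)}].value = {js_literal(value)};')
    lines.append(f'document.forms["{form}"].submit();')
    return "\n".join(lines)
```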

Identity Injection (Called OLAC in iChain)

  • Injects identity information into HTTP requests

    • HTTP Authorization header (HTTP Basic Auth)

    • Arbitrary HTTP Headers or query string (GET parameters)

  • Useful for

    • Applications that support basic auth

    • Applications designed for SSO integration (look for header based SSO in the docs)

    • Home-grown apps designed only for deployment behind the access gateway

  • Protects against client request forgeries.

    • Appliance scrubs client HTTP requests of all headers used in an injection policy.
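The slide's two security-relevant points are that the gateway injects identity data (Basic Auth header, arbitrary headers, GET parameters) and that it first scrubs the client's request of every name it injects, so the backend never sees a client-chosen value. The following added example (not the product's code or policy syntax) models both sides: the gateway's scrub-then-inject step, and the check a home-grown app behind the gateway should make before trusting the header. The policy, attribute names, header names and addresses are constructed.

```python
import base64

# Constructed injection policy for one protected resource (not the real
# OLAC/Identity Injection policy syntax): which user attributes go where.
POLICY = {
    "basic_auth": ("cn", "password"),                        # Authorization header
    "headers": {"X-Remote-User": "cn", "X-Remote-Mail": "mail"},
    "query": {"uid": "cn"},                                  # GET parameter
}

def injected_header_names(policy):
    names = {h.lower() for h in policy["headers"]}
    if policy.get("basic_auth"):
        names.add("authorization")
    return names

def forward_request(client_headers, client_query, user, policy):
    """Headers and query parameters the gateway sends to the backend.

    Scrubbing comes first: any header or parameter the client supplied under
    a name the policy injects is dropped (case-insensitively for headers), so
    a client cannot forge an identity by sending X-Remote-User itself."""
    drop = injected_header_names(policy)
    headers = {k: v for k, v in client_headers.items() if k.lower() not in drop}
    query = {k: v for k, v in client_query.items() if k not in policy["query"]}
    for name, attr in policy["headers"].items():
        headers[name] = user[attr]
    if policy.get("basic_auth"):
        user_attr, pw_attr = policy["basic_auth"]
        token = base64.b64encode(f"{user[user_attr]}:{user[pw_attr]}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    for name, attr in policy["query"].items():
        query[name] = user[attr]
    return headers, query

def backend_identity(headers, peer_ip, gateway_ips):
    """What a home-grown app behind the gateway should do with the injected
    header: honour it only when the request arrived from the gateway itself,
    which is what the 'no direct client access' network rule is for."""
    if peer_ip not in gateway_ips:
        return None
    return headers.get("X-Remote-User")
```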

When things go wrong…

  • Troubleshooting tools

    • Firefox

      • Web Developer toolbar

      • Tamper data extension

    • Interception proxy

      • Burp Proxy – portswigger.net/proxy

    • Test scripts

      • On the web server – to print out request variables and compare them with what is expected

    • Traffic analysis

      • On the Access Gateway appliance (tcpdump or pktscan) to capture traffic

      • On the client – Wireshark

Cool value add: Path-based multi-homing

  • Allows you to stitch together multiple applications under a single URL namespace

  • Example setup at Drew:

    • http://www.drew.edu/*

      • An ASP.NET based content management system running under IIS 6 on Windows Server 2003

    • http://www.drew.edu/admblog/*

      • A Drupal based blog running under Apache on a SLES 9 server

    • http://www.drew.edu/qfsearch/*

      • The Novell QuickFinder engine running on NetWare

Questions?

E. Axel Larsson

Enterprise Integration Specialist

Drew University

elarsson@drew.edu