BMC Software Webinars 2013
Atrium Single Sign On (Atrium SSO) – An introduction
Vincent Lasfargues – Atrium Customer Engineering
Contributors: John Stamps, Murali Balijepally, Karl Miller, Rahul Vedak, Volodymyr Zaporozhets
© Copyright 2/15/2013 BMC Software, Inc 2
Agenda
1. What is Single Sign‐On?
2. Why use Single Sign‐On?
3. Atrium SSO ‐ Architecture overview
4. Atrium SSO ‐ Features
5. Deployment considerations
6. Typical installation use cases and best practices
7. Examples: typical installation, Kerberos & SAML v2 IdP
8. A few important notes
9. Q&A
What is Single Sign‐On?
A mechanism that allows users to enter their credentials (usually a user ID and password) once to get authenticated with multiple related but independent software systems.
- The user logs in only once
- The user is authenticated to multiple applications within the Enterprise
- From one application to the other, the user does not have to authenticate again, as long as the session is valid
- Federated authentication allows SSO between Enterprises, enabling SSO across business partners’ applications
Why use Single Sign‐On? – Better Customer Experience
Use case 1 ‐ Better Customer Experience
- Users only have to remember one UserID & password for multiple applications
(Diagram: Before / After)
Benefits to the Enterprise
- Fewer tickets: lower administration cost and effort
- Improved security: a single password encourages better behavior
Why Use Atrium Single Sign‐On: BMC Context – Proper Cross‐product Launch
Use case 2 ‐ Proper cross‐product launch
- For BMC Solutions that include multiple products, the user can navigate from one application to another in a seamless fashion
(Diagram: Before / After)
Consistent user login experience
- BMC Applications have a single common login page
Why Use Atrium Single Sign‐On: BMC Context – Single Point of Integration
Use case 3 ‐ Single point of integration for SSO‐enabled BMC products to the Enterprise SSO
- Without Atrium SSO: BMC Applications must integrate directly with the Enterprise SSO
  – Feasibility depends on the application and the Enterprise SSO
  – When feasible, it requires configuration for each application
  – Fewer applications end up SSO‐enabled, so the user benefits from SSO in fewer places
- With Atrium SSO installed: The BMC applications are easily configured to work with Atrium SSO, and support ‐ through Atrium SSO ‐ multiple authentication technologies.
  Atrium SSO then offers a single point of integration and a bridge to Enterprise SSO systems
  – Allows integration with a larger set of Enterprise SSO systems
  – Quick initial configuration and centralized re‐configuration
Atrium Single Sign‐On Architecture – Example of How it Works (diagram)
Atrium Single Sign‐On ‐ Features – Supported Authentications
- LDAPv3/Active Directory
- Certificates (CAC)
- RSA SecurID Authentication Engine 5.x, 6.x, and 7.x
- BMC Remedy AR System since 7.6.04
- Kerberos v5
- 3rd party SSO integration/federation through SAML v2
Atrium Single Sign‐On – Deployment Considerations – Licensing
Atrium Single Sign‐On is part of the BMC Atrium Shared Components
- BASC: Atrium CMDB, AI, AR System & Atrium SSO
- No separate license is required for using Atrium SSO
=> Atrium SSO is FREE for qualified BMC customers
Download Atrium SSO from BMC’s EPD.
Atrium Single Sign‐On – Deployment Considerations – Platform Requirements
Supported Operating Systems
- Windows Server 2003 (and above)
- Solaris 10 (and above)
- Red Hat Enterprise Linux 5 (and above)
Supported Web/Application Servers
- Tomcat 6.x (the Atrium SSO installation embeds it)
Java Support
- Java SE 6 and above
- Java 7 is required for IPv6 support (Atrium SSO 8.1)
For the latest information on product compatibility, please visit the BMC Solution and Product Availability and Compatibility Utility at:
https://docs.bmc.com/docs/display/public/sso80/Checking+the+compatibility+matrix+for+system+requirements+and+supported+configurations
Atrium Single Sign‐On – Deployment Considerations – Product/Solution Compatibility with Atrium SSO v8.0 & 8.1

Application                                                        | Supported since (application version)
-------------------------------------------------------------------|--------------------------------------
1. BMC Dashboards                                                  | 7.6.03
2. BMC Analytics                                                   | 7.6.05
3. BMC ProactiveNet Performance Management                         | 9.0
4. BMC Remedy AR System Server (including BMC CMDB & ITSM Suite)   | 7.6.04
5. BMC IT Business Management Suite                                | 7.6.04
6. Remedy OnDemand                                                 | 2012.01
7. Atrium Orchestrator (BAO) (with Atrium SSO 8.1)                 | 7.7
Atrium Single Sign‐On – Notes – Integration with BMC Products/Solutions
1. Supported BMC applications include an SSO agent.
   - Easy configuration
2. The Atrium SSO options are set during the installation.
   - The BMC application is configured to work with Atrium SSO once the installation is complete
3. Already deployed systems can be configured to leverage SSO using BMC utilities
Atrium SSO – Typical deployment use cases – Version 8.1
Starting from scratch ‐ Fresh AR & SSO deployment:
1. Install Atrium SSO first
2. Install AR
   – Fill in the information about the Atrium SSO server/LB
3. Install the Mid Tiers
   – Fill in the information about the Atrium SSO server/LB
AR systems are already deployed ‐ Configure SSO on deployed AR systems:
1. Install Atrium SSO
2. Run the AR‐SSO integration utility.
3. Run the Mid Tier‐SSO integration utility.
Typical Production Architecture ‐ High Availability
Each component is fronted by a Load Balancer (LB)
- Atrium SSO Cluster behind a LB
- Mid Tiers behind a LB
- AR Servers group behind a LB
- Replicated DBs
Atrium SSO Best practices
Dedicated dual‐core system for the SSO server
- Performance
- Resource stability => Availability
Atrium SSO footprint
- HD space: ~700 MB
- RAM: ~1 GB
Deploy with the embedded Tomcat
- Ease of deployment and configuration
- Better test coverage
Cluster of SSO servers and a Load Balancer
- High Availability
- Scalability
Always use Fully Qualified Domain Names (FQDN)
Installation Demo (Video)
The following Installation Video will cover:
1. SSO server, AR and Mid Tier installation
2. The step‐by‐step configuration for AR and MT to leverage SSO
Installation Demonstration
Atrium SSO and Kerberos
Windows Desktop SSO
- Used to integrate Atrium SSO with Active Directory so that no userID & password re‐entry is required.
Atrium SSO – Kerberos basic configuration steps
1. Register the Atrium SSO server as a service in the Domain
2. Generate a “keytab” file
3. Configure Atrium SSO
4. Configure the browsers (IE/Firefox)
Important Note: NTLM v2 is not supported!
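The Windows‐side part of steps 1 and 2 above, as an added PowerShell example that is not from the deck or from BMC’s own documentation: it registers the SPN, refuses to continue if the SPN already belongs to another account (a duplicate SPN makes browsers fall back to NTLM, which Atrium SSO does not support), generates the keytab with ktpass, and checks the result. The host name asso.example.com, the realm EXAMPLE.COM and the account svc-atriumsso are placeholders.

```powershell
# Added example, not BMC code. Run as a domain administrator on a domain-joined
# Windows host. Every name below is a placeholder to replace with your own values.
$Fqdn       = 'asso.example.com'   # Atrium SSO server or load-balancer FQDN (use the FQDN, never a short name)
$Realm      = 'EXAMPLE.COM'        # Kerberos realm = Active Directory domain name in upper case
$SvcAccount = 'svc-atriumsso'      # dedicated service account created for Atrium SSO (step 1)
$Spn        = "HTTP/$Fqdn"         # browsers request a ticket for HTTP/<fqdn>, so exactly this SPN must exist
$KeytabPath = 'C:\temp\atriumsso.keytab'

# Step 1: register the SPN on the service account.
# Kerberos only works if exactly one account owns the SPN; with a duplicate the KDC cannot
# issue a ticket and the browser silently falls back to NTLM, which Atrium SSO rejects.
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    throw "SPN $Spn is already registered:`n$($query -join "`n")`nRemove the duplicate before continuing."
}
setspn -S $Spn $SvcAccount          # -S re-checks for duplicates before adding

# Step 2: generate the keytab. ktpass resets the account password (/mapop set) and writes the
# resulting key to the file; /pass * prompts so the password never appears on the command line.
# AES256 requires "This account supports Kerberos AES 256 bit encryption" to be enabled on the account.
ktpass /out $KeytabPath /princ "$Spn@$Realm" /mapuser "$SvcAccount@$Realm" `
       /mapop set /pass * /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1

# Checks before moving on to the Atrium SSO console (step 3):
setspn -L $SvcAccount                 # the SPN is now listed on the service account
setspn -X                             # no duplicate SPNs remain anywhere in the domain
(Get-Acl $KeytabPath).Access | Format-Table IdentityReference, FileSystemRights
# The keytab is equivalent to the service account's password: copy it to the Atrium SSO
# server over a protected channel and restrict read access to the account running Tomcat.

# Step 4 (browser side), for reference: the FQDN must be trusted for Negotiate authentication,
# e.g. Firefox about:config network.negotiate-auth.trusted-uris = https://asso.example.com
# and, for IE, the same FQDN added to the Local intranet zone.
```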
Kerberos – ASSO integration – Service User account setup 1/3
Kerberos – ASSO integration – Service User account setup 2/3
Kerberos – ASSO integration – Service User account setup 3/3
Kerberos – ASSO integration – Keytab file generation 1/3
Kerberos – ASSO integration – Keytab file generation 2/3
Kerberos – ASSO integration – Keytab file generation 3/3
Kerberos – ASSO integration – Kerberos module definition 1/5
Kerberos – ASSO integration – Kerberos module definition 2/5
Kerberos – ASSO integration – Kerberos module definition 3/5
Kerberos – ASSO integration – Kerberos module definition 4/5
Kerberos – ASSO integration – Kerberos module definition 5/5
Kerberos – ASSO integration – Browser configuration 1/3
Kerberos – ASSO integration – Browser configuration 2/3
Kerberos – ASSO integration – Browser configuration 3/3
Kerberos – ASSO integration – Testing 1/4
Kerberos – ASSO integration – Testing 2/4
Kerberos – ASSO integration – Testing 3/4
Kerberos – ASSO integration – Testing 4/4
Atrium SSO and Kerberos
Atrium SSO & IdP Integration via SAML V2
Integrate Atrium SSO with remote identity providers (IdP)
- Ping Federate, SiteMinder, etc.
The following slides will cover the basic configuration steps:
1. Create a Local Service Provider within the Atrium SSO server
2. Exchange certificates between Atrium SSO and the IdP
3. Restart the servers.
4. Configure the remote IdP to work with Atrium SSO
5. Configure Atrium SSO as a remote service provider for the remote IdP
6. Configure the Agent(s) to leverage the federated IdP
7. Test login with a federated user
SAML v2 Integration – 1/19
Edit the BMC Realm – 2/19
Add a Local Service Provider – 3/19
Configure & save the SP – 4/19
SP Created – 5/19
Exchange certificates – 6/19
Log into the IdP console – 7/19
Edit the IdP BMC Realm – 8/19
Add a Local IdP – 9/19
Configure & Save the local IdP – 10/19
Local IdP created – 11/19
Add the SP as a Remote SP in the IdP – 12/19
Import the remote SP’s Metadata – 13/19
Done with the IdP – Back to the Atrium SSO server
Create a test user (“Demo”, 8‐character password) ‐ and we are done with the IdP …
Now back to our Atrium SSO server …
Add the IdP as a Remote IdP in Atrium SSO server – 14/19
Import the remote IdP’s Metadata – 15/19
Remote IdP created, remove the AR user store – 16/19
Configure the agent for federation – 17/19
Edit the Agents – 18/19
Edit the Agent login and logout URIs & save ‐ 19/19
Test the configuration – Login with a Federated User
Now the configuration is complete
- Test login with our federated “Demo” user
Atrium SSO integrated with an IdP via SAML v2
Atrium Single Sign‐On – Important Notes – Authorization
Authentication is NOT profile or user management. For a given user, each BMC Product/Solution still manages the details (authorization):
- Roles, permissions
- Locale, etc.
Atrium Single Sign‐On – Important Notes – Atrium SSO and OpenAM
Atrium Single Sign‐On is based on open source OpenAM
- OpenSSO was developed originally by Sun Microsystems
- Now available as OpenAM and supported by ForgeRock
- Atrium SSO 8.1.00 is based on OpenAM 9.5.4
- No additional OpenAM license is required in order to use Atrium SSO
BMC Atrium SSO supports a sub‐set of the OpenAM features
(Diagram: BMC Atrium SSO features shown as a subset of the OpenAM features; the additional OpenAM functionalities are unsupported)
Atrium Single Sign‐On – Important Notes – Supported Configurations
BMC Atrium SSO certifies a subset of platforms and technologies supported by OpenAM
- BMC Atrium Single Sign‐On is certified on the configurations explicitly stated in the Help section (https://docs.bmc.com/docs/display/public/sso80/Home)
- Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a supported environment will be addressed at BMC’s discretion.
Atrium Single Sign‐On – Additional Resources
- Wiki Help: https://docs.bmc.com/docs/display/public/sso80/Home
- BMC Communities – Discussion forum: https://communities.bmc.com/communities/community/bmcdn/bmc_atrium_and_foundation_technologies/atrium_sso
- Background on OpenAM: http://en.wikipedia.org/wiki/OpenAM
- Technical Enablement: https://docs.bmc.com/docs/display/NP/BMC+Atrium+SSO
Learn more at www.bmc.com