Identity Federation 101
Mark Pelzel, Client Solutions Director
June 12, 2015
Upstate New York Oracle Users’ Group Educational Workshop
Rolta AdvizeX
Mark Pelzel, Client Solutions Director of Managed Services
• 22+ years of Engineering & software solution delivery
• Responsible for development of solutions for a wide variety of customers
• TUSC – early member; Mark developed skills in developing Oracle solutions
• Specialties: IT Business Solutions Architect & Realization; Security & Identity & Access Management; Cloud Solutions; Oracle Solution Development
UNYOUG
Agenda
• Brief Rolta AdvizeX Background
• Definitions
• Business and Technical Drivers for Federated Identity
• Technical Approach and Oracle Solutions
• Alternate Common Solutions
• Questions
Rolta AdvizeX – Nobody Does IT Better
• Infrastructure: Plan, Build, Integrate
• Data Centers: Cloud and Virtualization
• Mobility and Security
• Applications: Create, Innovate, Manage
• Strategy and Implementation
• Managed Services
About Rolta & AdvizeX
• Formerly TUSC, only better – Oracle experts since 1988
• Over 38 years in business
• Doing business in over 40 countries
• Employing over 4,000 globally
• Revenues over $600MM
• Both acquisition and organic growth
• Multiple vendor and industry awards
Rolta + AdvizeX
• Applications: EBS and ERP Cloud
• Business Intelligence and Big Data
• Enterprise Performance Management and PBCS
• Infrastructure Applications – Exchange, SharePoint
• Storage and Server Platform
• ExaData, Database and Middleware
• Managed Services and Management Tools
• Network
• Desktop, Mobility, and End User Compute
Synergies = Increased Value and Solutions for Our Customers
Our Solutions Spectrum
Do you know some of our customers?
Definitions
• Federated system – integrates existing, possibly heterogeneous systems while preserving their autonomy
• Identity Federation – the process and relationship of exchanging user or resource identity information between two enterprises or “realms”
• Single Sign-On (SSO) – a mechanism for user authentication to an application, database, resource/device, etc. which requires the user to present their credentials (identifier and password, at least) just one single time
  – Consistent Credentials
  – Reduced Sign-On
  – True Desktop SSO
• Federated identity – a shared name identifier agreed between partner services in order to share information about the user across organizational boundaries
More Definitions
• Security Assertion Markup Language (SAML) – an XML schema-based standard language for managing user authentication and authorization and related processes
• Identity Provider (IdP) – the entity from which the user (or process) identification is provided and which initiates the Federated authentication
• Service Provider (SP) – the entity which provides application and other services in a Federated relationship, which consumes the identity provided by the IdP and provides an authenticated user application “session”
• SAML Assertion – delivery of a session request from an IdP to an SP in the form of an HTTP POST including information about the IdP, key and certificate details, and (usually) user information
• Don’t forget about… Single Sign-Off – the process for ending an authenticated user session in one or more established application sessions
Additional Concepts
• Most Federated relationships provide web browser-based application access to end users
• Other Federated services support:
  – WebService Security – WS-Federation
  – Liberty Identity Federation
  – Authorization Management
Why Use Identity Federation?
• *** Deliver Single Sign-On!!!
• Support dynamic collaboration
• Provide a single, central point of access to all services – internal and distributed – aka CLOUD services
• Consolidate user identities and authentication mechanisms
• Leverage a single security mechanism
What Does Identity Federation Do?
• Leverages the identification/authentication of a trusted member of the federation (e.g. SAML IdP)
• May or may not require local accounts at all service providers – “transient federation”
• Requires out-of-band business agreements between members of the federation
  – Legal, Technical, and Operational Agreements
• Really, all that happens is an assertion of a claim as to the identity of a user or request within a given context – “trust me…”
In the End, It’s Just Authentication
• Federation defines the semantics of a particular set of profile attributes
• Service provider association and access control is based on the presence of one or more attributes
• Can be used in conjunction with federated identities or without them for dynamic collaboration
• Still requires out-of-band business agreements between members of the federation
• Can be used for more flexible and dynamic collaboration, but attribute negotiation may have privacy implications
How Does Federation Work? The Federated Session Process – Step 1
• Following or assuming authentication at the IdP, a user initiates a request for access to an application service provided by the SP. This process is known as an Inter-Site Transfer request
• Usually through a portal; the end user may not know they are leaving the IdP’s environment for the service
• The IdP’s Federation server handles the request
[Diagram: Identity Provider (Portal/Application Entry Point, Authentication Authority, Attribute Authority, Inter-site Transfer Service) and Service Provider (Assertion Consumer Service, Resource), with Step 1 highlighted]
The Federated Session Process – Step 2
• The Federation server responds to the request with an HTML form which includes a target component and a SAML response that is base64-encoded and digitally signed by the IdP Federation server
• The end user won’t see this unless they’re watching closely for responses on their browser or are tracing the HTML at the browser
[Diagram: Identity Provider (Portal/Application Entry Point, Authentication Authority, Attribute Authority, Inter-site Transfer Service) and Service Provider (Assertion Consumer Service, Resource), with Steps 1 and 2 shown]
The Federated Session Process – Step 3
• The end user’s browser POSTs the form to the targeted SP’s Federation Server
• The form includes a SAMLResponse which is evaluated for format and content
• The end user doesn’t see any of this (unless something goes wrong)
[Diagram: Identity Provider (Portal/Application Entry Point, Authentication Authority, Attribute Authority, Inter-site Transfer Service) and Service Provider (Assertion Consumer Service, Resource), with Steps 1 through 3 shown]
The Federated Session Process – Step 4
• The SP’s Assertion Consumer Service on their Federation Server evaluates the signature (valid security key and identifiers) and initiates a security context – a session
• The SP then redirects the end user to the targeted resource/application
• The end user just sees that they’re in the application
[Diagram: Identity Provider (Portal/Application Entry Point, Authentication Authority, Attribute Authority, Inter-site Transfer Service) and Service Provider (Assertion Consumer Service, Resource), with Steps 1 through 4 shown]
The Federated Session Process – Steps 5 and 6
• The end user’s browser POSTs a call to the application for access to the resource
• An authenticated user session is achieved, with the user accessing the application either with transient application authorization or a mapped/actual user authorization, depending on Federation details and the capabilities and configuration of the application
[Diagram: Identity Provider (Portal/Application Entry Point, Authentication Authority, Attribute Authority, Inter-site Transfer Service) and Service Provider (Assertion Consumer Service, Resource), with Steps 1 through 6 shown; Step 6 ends at the Resource]
The Artifact-Based Federated Session Process – Alternative
• More secure and complex sessions are processed
• The IdP issues an artifact instead of a SAML assertion, which requires communication between the IdP and SP Federation servers
• The SP makes a behind-the-scenes call to the IdP based on additional SAML parameters
• An artifact encodes the following data:
  – 2-byte type code
  – 20-byte SourceID (usually IdP providerId)
  – 20-byte AssertionHandle
• The SAML query is bound to a SAML SOAP Request and includes the artifact
[Diagram: the same Portal/Application Entry Point, Identity Provider and Service Provider components as above plus an Artifact Resolution Service, with the exchange numbered 1 through 8]
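The artifact layout listed above (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle) and the SOAP-bound resolution request, worked through in Python as an added example that is not from the deck or from Oracle Identity Federation. It assumes the SAML 1.x type code 0x0001, that SourceID is the SHA-1 digest of the IdP providerId (the Shibboleth convention, stated here as an assumption), and constructed provider and endpoint URLs. The SP-side checks are the defensive ones: refuse malformed artifacts, and only contact an IdP whose SourceID is in the federation's trust table.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

# SAML 1.x artifact from the slide: 2-byte type code (0x0001) + 20-byte SourceID + 20-byte AssertionHandle
ARTIFACT_TYPE_0001 = b"\x00\x01"
ARTIFACT_LEN = 2 + 20 + 20


def source_id_for(provider_id: str) -> bytes:
    """SourceID as the SHA-1 digest of the IdP providerId (assumed convention, as Shibboleth uses)."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


def encode_artifact(provider_id: str, handle: bytes = None) -> str:
    """IdP side: mint a 42-byte artifact and base64-encode it for transport to the SP."""
    handle = os.urandom(20) if handle is None else handle
    if len(handle) != 20:
        raise ValueError("AssertionHandle must be exactly 20 bytes")
    return base64.b64encode(ARTIFACT_TYPE_0001 + source_id_for(provider_id) + handle).decode("ascii")


def decode_artifact(artifact_b64: str):
    """SP side: reject anything that is not a well-formed type 0x0001 artifact before acting on it."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact must be {ARTIFACT_LEN} bytes, got {len(raw)}")
    type_code, source_id, handle = raw[:2], raw[2:22], raw[22:]
    if type_code != ARTIFACT_TYPE_0001:
        raise ValueError(f"unsupported artifact type code {type_code.hex()}")
    return source_id, handle


# Constructed federation metadata: SourceID of each trusted IdP -> its Artifact Resolution Service (assumed URLs)
TRUSTED_IDP_RESOLVERS = {
    source_id_for("https://idp.example.org/saml"): "https://idp.example.org/saml/artifact",
}


def resolution_endpoint(artifact_b64: str) -> str:
    """Map the artifact's SourceID to a partner IdP the SP is allowed to call; unknown sources are refused."""
    source_id, _ = decode_artifact(artifact_b64)
    endpoint = TRUSTED_IDP_RESOLVERS.get(source_id)
    if endpoint is None:
        raise ValueError("artifact SourceID does not belong to a trusted federation partner")
    return endpoint


SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
ET.register_namespace("SOAP-ENV", SOAP_NS)
ET.register_namespace("samlp", SAMLP_NS)


def build_resolution_request(artifact_b64: str, request_id: str, issue_instant: str) -> bytes:
    """SOAP-bound samlp:Request carrying the artifact, sent by the SP over the back channel to the IdP."""
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    request = ET.SubElement(body, f"{{{SAMLP_NS}}}Request", {
        "RequestID": request_id, "IssueInstant": issue_instant,
        "MajorVersion": "1", "MinorVersion": "1"})
    ET.SubElement(request, f"{{{SAMLP_NS}}}AssertionArtifact").text = artifact_b64
    return ET.tostring(envelope)


def artifact_from_request(soap_bytes: bytes) -> str:
    """IdP side: extract the artifact so the IdP can look up the assertion it issued for that handle."""
    root = ET.fromstring(soap_bytes)
    node = root.find(f"{{{SOAP_NS}}}Body/{{{SAMLP_NS}}}Request/{{{SAMLP_NS}}}AssertionArtifact")
    if node is None or not node.text:
        raise ValueError("no AssertionArtifact in request")
    return node.text


if __name__ == "__main__":
    art = encode_artifact("https://idp.example.org/saml")
    print(art, "->", resolution_endpoint(art))
    print(build_resolution_request(art, "req-1", "2015-06-12T14:00:00Z").decode())
```

The trust-table lookup is the point of the example: because the artifact carries only a handle, the SP never parses an assertion from the browser at all, but it must still refuse to resolve artifacts whose SourceID it does not recognize, otherwise the back-channel call itself becomes a way to make the SP talk to an arbitrary server.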
SAML Details and Considerations
• Governed by OASIS development standards: www.oasis-open.org, saml.xml.org
• Three versions of SAML:
  – 1.0 – basic assertion model
  – 1.1 – expanded XML schema and profile management
  – 2.0 – further extension of schema and standards
SAML 2.0 – SP Initiated
• Allows SP initiated session
What Does the SAML Assertion Look Like?
• In a statement, the SAML Subject is important:

    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          NameQualifier="https://idp.org/shibboleth">[email protected]</saml:NameIdentifier>
      …
    </saml:Subject>

• A basic SAML Response element:

    <samlp:Response
        xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
        IssueInstant="2004-12-05T09:22:05Z"
        MajorVersion="1" MinorVersion="1"
        ResponseID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
      <samlp:Status>
        <samlp:StatusCode Value="samlp:Success"/>
      </samlp:Status>
      <!-- insert SAML assertion here -->
    </samlp:Response>
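The Step 2 form and the Step 3 and 4 checks from the session process earlier, applied to a Response shaped like the sample above, as an added Python example that is not from the deck or from any Oracle product. It assumes an SP Assertion Consumer Service URL and a shared demo key; the HMAC over the serialized Response is a stand-in for the XML-DSig signature a real IdP Federation server produces, which the SP would verify with an XML-DSig library against the IdP certificate from federation metadata. The NameQualifier is the one in the Subject sample. The consumer goes beyond "evaluate the signature": it also ties the Response to a request the SP actually issued, bounds its age, and refuses to create a second session from the same ResponseID.

```python
import base64
import hashlib
import hmac
import html
import xml.etree.ElementTree as ET  # use defusedxml in production: the POST body is untrusted input
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

TRUSTED_IDP = "https://idp.org/shibboleth"               # NameQualifier from the deck's Subject sample
SP_ACS_URL = "https://sp.example.com/saml/acs"           # assumed SP Assertion Consumer Service URL
IDP_SIGNING_KEY = b"constructed-demo-key-not-a-real-one"  # stand-in for the IdP's XML-DSig signing key
MAX_RESPONSE_AGE = timedelta(minutes=5)


def sign(xml_bytes: bytes) -> str:
    """Stand-in for XML-DSig: an HMAC over the serialized Response (constructed for this example)."""
    return hmac.new(IDP_SIGNING_KEY, xml_bytes, hashlib.sha256).hexdigest()


def idp_build_response(in_response_to, response_id, subject_email, issue_instant) -> bytes:
    """Step 2 (IdP): a Response shaped like the deck's sample, with the assertion's Subject filled in."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "InResponseTo": in_response_to, "IssueInstant": issue_instant,
        "MajorVersion": "1", "MinorVersion": "1", "ResponseID": response_id})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": "samlp:Success"})
    stmt = ET.SubElement(ET.SubElement(resp, f"{{{SAML}}}Assertion"), f"{{{SAML}}}AuthenticationStatement")
    subject = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "NameQualifier": TRUSTED_IDP}).text = subject_email
    return ET.tostring(resp)


def idp_issue(target, in_response_to, response_id, subject_email, issue_instant) -> dict:
    """The hidden fields the IdP Federation server places in the form the browser will POST."""
    xml_bytes = idp_build_response(in_response_to, response_id, subject_email, issue_instant)
    return {"TARGET": target,
            "SAMLResponse": base64.b64encode(xml_bytes).decode("ascii"),
            "Signature": sign(xml_bytes)}


def render_form(fields: dict) -> str:
    """Step 2: the HTML form the end user normally never sees."""
    inputs = "".join(f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
                     for k, v in fields.items())
    return f'<form method="POST" action="{html.escape(SP_ACS_URL)}">{inputs}</form>'


def sp_consume(fields: dict, outstanding_requests: set, seen_response_ids: set, now: datetime) -> dict:
    """Steps 3 and 4 (SP Assertion Consumer Service): every check passes before a session exists."""
    xml_bytes = base64.b64decode(fields["SAMLResponse"])
    # Integrity first: nothing below is trusted until the signature stand-in verifies
    if not hmac.compare_digest(sign(xml_bytes), fields.get("Signature", "")):
        raise PermissionError("signature does not verify against the IdP key")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        raise PermissionError("not a samlp:Response")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != "samlp:Success":
        raise PermissionError("IdP did not report success")
    # InResponseTo must match a request this SP issued (rejects unsolicited responses)
    req_id = root.get("InResponseTo")
    if req_id not in outstanding_requests:
        raise PermissionError("InResponseTo does not match an outstanding request")
    # Freshness: a signed response stays valid forever unless its age is bounded
    issued = datetime.fromisoformat(root.get("IssueInstant", "").replace("Z", "+00:00"))
    if not (now - MAX_RESPONSE_AGE <= issued <= now + timedelta(minutes=1)):
        raise PermissionError("IssueInstant outside the accepted window")
    # One-time use: the same ResponseID must never create a second session
    rid = root.get("ResponseID")
    if not rid or rid in seen_response_ids:
        raise PermissionError("ResponseID missing or already consumed")
    name_id = root.find(f".//{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if name_id is None or name_id.get("NameQualifier") != TRUSTED_IDP:
        raise PermissionError("Subject is not qualified by the trusted IdP")
    outstanding_requests.discard(req_id)
    seen_response_ids.add(rid)
    return {"subject": name_id.text, "format": name_id.get("Format"), "target": fields["TARGET"]}


def modified_without_resigning(fields: dict, old: str, new: str) -> dict:
    """Demo helper: alter the decoded XML and re-encode it, leaving the old Signature in place."""
    xml_bytes = base64.b64decode(fields["SAMLResponse"]).replace(old.encode(), new.encode())
    return {**fields, "SAMLResponse": base64.b64encode(xml_bytes).decode("ascii")}


def run_demo() -> dict:
    """Constructed run: one good login, then a replayed POST and a modified Subject are both refused."""
    now = datetime(2015, 6, 12, 14, 0, 30, tzinfo=timezone.utc)   # constructed SP clock
    fields = idp_issue("https://sp.example.com/app", "req-123", "resp-abc",
                       "user@example.org", "2015-06-12T14:00:00Z")
    outstanding, seen = {"req-123"}, set()
    out = {"session": sp_consume(fields, outstanding, seen, now)}
    attempts = (("replay", fields),
                ("modified", modified_without_resigning(fields, "user@example.org", "other@example.org")))
    for name, attempt in attempts:
        try:
            sp_consume(attempt, {"req-123"}, seen, now)
            out[name] = "accepted"
        except PermissionError as e:
            out[name] = f"rejected: {e}"
    return out


if __name__ == "__main__":
    print(render_form(idp_issue("https://sp.example.com/app", "req-1", "resp-1",
                                "user@example.org", "2015-06-12T14:00:00Z")))
    print(run_demo())
```

The order of the checks matters: the integrity check comes before any interpretation of the content, the InResponseTo and freshness checks prevent a captured form from being posted later, and the consumed ResponseID set is what turns "the end user doesn't see any of this" into a property the SP can rely on rather than merely hope for.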
Types of Identity Federation
• Transient Federation
  – Emphasis on the Federated relationship
  – Actual end user may not be identified; session may be independent or generic of user
• Account Mapping (most common)
  – User account exists on both IdP and SP as the same identity
• Account Linking
  – Similar to Mapping, but user linked on a unique non-identity attribute
• Attribute Federation
  – Account “Type” or Role exists on both IdP and SP
• Combined Federation
  – Multiple attributes combined to identify user from IdP to SP
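How an SP turns a validated assertion into a local session under each of the five federation types above, as an added Python example that is not from the deck or from any Oracle product. The local directory, role accounts and attribute names (employee_id, role) are constructed for the example. The failure paths are the part worth reading: mapping and linking must select exactly one local account, and combined federation treats disagreement between attributes as a reason to refuse the session rather than pick one.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Claims:
    """What the SP's Assertion Consumer Service holds after validating the IdP's assertion."""
    subject: str                                   # NameIdentifier (an email address, as in the deck's sample)
    attributes: dict = field(default_factory=dict)  # attribute statements, if the IdP sent any


# Constructed SP-local directory: local username -> attributes the SP already holds
LOCAL_USERS = {
    "jdoe":   {"email": "jdoe@example.org",   "employee_id": "E1001", "role": "analyst"},
    "asmith": {"email": "asmith@example.org", "employee_id": "E1002", "role": "admin"},
}
# Constructed generic accounts for Attribute Federation: a shared role, not a person, gets the session
ROLE_ACCOUNTS = {"analyst": "svc-analyst", "admin": "svc-admin"}


def _exactly_one(matches, what):
    if len(matches) != 1:
        raise LookupError(f"{what} must select exactly one local account, got {len(matches)}")
    return matches[0]


def transient_federation(claims: Claims) -> dict:
    # Session is bound to the federated relationship; no local account is looked up or created
    return {"local_account": None, "session_for": f"transient:{claims.subject}"}


def account_mapping(claims: Claims) -> dict:
    # Same identity on both sides: the asserted subject must already be a local account
    users = [u for u, r in LOCAL_USERS.items() if r["email"] == claims.subject]
    return {"local_account": _exactly_one(users, "subject"), "session_for": claims.subject}


def account_linking(claims: Claims, link_attribute: str = "employee_id") -> dict:
    # Link on a unique non-identity attribute instead of the subject name itself
    value = claims.attributes.get(link_attribute)
    if value is None:
        raise LookupError(f"assertion carries no {link_attribute} to link on")
    users = [u for u, r in LOCAL_USERS.items() if r.get(link_attribute) == value]
    return {"local_account": _exactly_one(users, link_attribute), "session_for": claims.subject}


def attribute_federation(claims: Claims) -> dict:
    # Only the account type/role is shared; the session runs as the role's generic account
    role = claims.attributes.get("role")
    if role not in ROLE_ACCOUNTS:
        raise LookupError(f"role {role!r} is not federated")
    return {"local_account": ROLE_ACCOUNTS[role], "session_for": role}


def combined_federation(claims: Claims) -> dict:
    # Several attributes must agree on one account; disagreement means a bad or stale assertion
    by_subject = account_mapping(claims)["local_account"]
    by_link = account_linking(claims)["local_account"]
    if by_subject != by_link:
        raise LookupError(f"subject resolves to {by_subject} but employee_id to {by_link}")
    if LOCAL_USERS[by_subject]["role"] != claims.attributes.get("role"):
        raise LookupError("asserted role disagrees with the local record")
    return {"local_account": by_subject, "session_for": claims.subject}


if __name__ == "__main__":
    c = Claims("jdoe@example.org", {"employee_id": "E1001", "role": "analyst"})
    for strategy in (transient_federation, account_mapping, account_linking,
                     attribute_federation, combined_federation):
        print(strategy.__name__, strategy(c))
```

Account linking is the strategy that survives a subject rename at the IdP (the email changes, the employee_id does not), which is why the test below links a renamed subject to an existing account; account mapping would reject the same assertion until the local record is updated.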
Oracle’s Solutions
• Oracle Identity Federation – OIF
  – Supports all common Federation protocols/types: SAML 1.x, 2.0, WS-Federation, Liberty
• IAM Suite/Governance
• Directory Services – OID, OUD, OVD
OIF Is Easy to Use
• Oracle Identity Federation – OIF
  – Common Oracle Administration
  – Actually easy to adapt WebLogic and Middleware knowledge for administration
Alternative Solutions
• Get to know the capabilities of these…
  – OpenSAML / OpenSSO
  – Sun Identity Manager and Java System Federation Manager
  – Shibboleth: expect to see this at the other end; good open solution
  – MS Active Directory Federation Services – ADFS: core to MS environments; good to use for testing; Azure/Cloud
Be Wary of the Cloud Trend
• Applications are most definitely moving to public or private cloud services
  – Federated Identity Management is key to making this work
• Overall Identity Management in the cloud is more difficult
  – Security/Risk, separation, data ownership
  – Today’s CISOs won’t risk the headline of their company’s data being compromised
Some Considerations
• Oracle Identity Federation (OIF) works well with Oracle and non-Oracle solutions
• ADFS is expanding and becoming popular with Azure-based deployments
• Get on the same SSO page! Insist on an Executive Sponsor/Owner who has authority
• Provide thorough training of Service Desk and Support staff
• Set a goal for complete adoption in two years
Credits (thank you to these sources!)
• OASIS – www.oasis-open.org
• SOA Federated Identity Management – Andrew S. Townley, Archistry Limited
• Wikipedia – various SAML, Federation, and SSO references from wikipedia.org
• 101 Things to Know About Single Sign-On – www.authenticationworld.com, Guy Huntington
• Security Assertion Markup Language – www.globus.org, Tom Scavo, NCSA
• Oracle Identity Management – www.oracle.com, onlineappsdba.com
Mark Pelzel | [email protected]