Federated Identity and SSO Using Layer 7
8/12/2019 Federated Identity and SSO Using Layer 7
Layer 7 Technologies
White Paper
Federated Identity & Single Sign On Using Layer 7: Federation for Websites, Web services, APIs and the Cloud
Federated Identity and Single Sign On (SSO) Using Layer 7
Copyright 2012 by Layer 7 Technologies, Inc. (www.layer7.com)
Contents
- Why do I Need to Federate Identity? (page 3)
- Is Federation the Same as Single Sign On (SSO)? (page 3)
- What Standards Address Federated Identity & SSO? (page 4)
- How Does Layer 7 Help Me to Federate SOAP Web Services? (page 4)
  - SecureSpan STS (page 5)
  - SecureSpan Gateways for Service Protection (page 7)
  - XML VPN Client for Federating Client Applications (page 8)
- Can Layer 7 Help Me Federate APIs? (page 9)
- Can You Describe the Layer 7 Drop-in Federation Solution? (page 10)
- How Do I Use Layer 7 to Provide Single Sign On to My Web Sites? (page 11)
- Why Should I Use Layer 7 for Attribute-Based Access Control? (page 12)
- How Can Layer 7 Federate Existing LDAP or IAM Systems with Cloud-Based SaaS Services Like Salesforce.com & Google Docs? (page 12)
- How Does OAuth Relate to Federation & SSO? (page 13)
- About Layer 7 Technologies (page 15)
- Contact Layer 7 Technologies (page 15)
- Legal Information (page 15)
Why do I Need to Federate Identity?
You need a federated identity solution if you have any of the following problems:
- Your organization has different divisions or branch offices that have their own directories, and remote users need access to central IT resources.
- You have users with multiple passwords or other credentials that need to be mapped across applications.
- Your organization is merging with another that already has its own identity management system, and you need to provide new users with access to existing applications.
- You need to provide internal users with Single Sign On (SSO) services across various different Web applications.
- You are developing a mobile device strategy and need to manage access from a wide variety of remote applications.
- You need to provide local users with access to Cloud services such as Salesforce.com and Google Docs.
All these problems relate to different parts of federated identity. Layer 7 Technologies provides solutions that federate identity and provide SSO services for Web applications, Web services, APIs, mobile applications and the Cloud.
Is Federation the Same as Single Sign-On (SSO)?
It is a common misconception that federation and SSO are simply different names for the same practice. While there is certainly overlap between the terms, SSO should be considered a subset of the larger category of identity federation.
Identity federation addresses the problem of how to integrate separate identity silos. Identity silos (or islands) are a very common occurrence in organizations. They occur when new applications introduce their own identity stores, such as directories or identity databases, instead of leveraging a centralized identity management system. They will also commonly occur during a merger or acquisition, where entrenched practices and technologies may make it difficult to merge existing identity stores into a single unified, authoritative source.
The problem of siloed identity also extends beyond the boundaries of the enterprise. As partnerships and supply chains become increasingly interconnected, the need arises to manage applications and users that are not under direct control of any centralized authority but instead exist in autonomous security domains. Such inter-company connections are particularly difficult to manage because identity in both organizations may be changing continuously as people come and go, with no coordination between business partners.
Federated identity management is about the process and technology behind managing siloed identity. It describes the policies and procedures that govern access to applications and data from entities residing in another distinct security domain. This includes the overall management of trust relationships, access control strategies, identity mapping mechanics, policies and common protocols.
SSO is a subset of federation that deals specifically with reusing a single identity to authenticate across multiple domains. Federation is largely about architectural concepts, process and procedures. SSO, in contrast, is more concerned with technological approaches to solving the problem of individual users having to manage different identities for different applications.
What Standards Address Federated Identity & SSO?
There are a number of standards associated with federated identity management and SSO. One of the most important is the Security Assertion Markup Language, or SAML for short. SAML provides a cryptographically secure mechanism for communicating acts of authentication, entitlements and attributes between security domains. It defines both the protocol and the process to enact SSO across domains and to implement components of an overall federation strategy.
SAML includes profiles for both browser-based (passive) and service/API-based (active) communication scenarios. The passive profile, in particular, is the basis of most Cloud-based SSO solutions, such as those offered by leading SaaS vendors Salesforce.com and Google Docs. It is also the most common SSO solution deployed within the enterprise.
The active profiles are augmented by additional standards such as WS-Trust and WS-Federation. The WS-Trust standard defines a SOAP-based protocol for token interaction with a Security Token Service (STS), which can include validation and exchange of tokens, as well as trust brokerage between parties. For example, it describes how to exchange local credentials in return for issuance of a SAML token. WS-Federation builds on WS-Trust, defining typical federation scenarios and solutions for identity mapping, augmentation, token management etc. It covers both active and passive profiles.
How Does Layer 7 Help Me to Federate SOAP Web Services?
Layer 7 provides infrastructure that allows organizations to federate their Web services simply and easily, with no changes to code. Layer 7 provides federation solutions as deployment patterns of existing product lines, rather than single-purpose solutions. This has the advantage that the technology can also be applied to address general Web services security and management challenges.
Figure 1: Layer 7's SecureSpan line covers all aspects of federation and SSO, using general Gateway solutions. Each component can work independently, with other vendor components or with other Layer 7 components.
Layer 7's SecureSpan Gateway product line can be deployed to provide Security Token Services for a range of clients and to provide federated access control for individual services. Layer 7 also offers client-side federation support using its XML VPN Client product. Each of these deployment patterns is outlined below.
SecureSpan STS
The STS is the foundation infrastructure component of any federation or SSO strategy. It provides the ability to validate tokens or exchange tokens from one form to another (e.g. the exchange of username and password for a SAML token).
Any Layer 7 SecureSpan Gateway can be deployed as a WS-Trust compliant STS. The Gateway provides both a native WS-Trust endpoint for drop-in federation solutions (described below) and a WS-Trust policy template that can easily be customized to meet any local integration challenges that a customer may be faced with.
The SecureSpan Gateway STS can be used for local SSO in the enterprise and to support federation scenarios between different organizations. Layer 7's CloudSpan CloudConnect product (described in detail below) is an STS deployment for connecting to Cloud SaaS applications such as Salesforce.com or Google Docs.
Figure 2: Layer 7's SecureSpan line supports the most common enterprise federation and SSO scenarios.
This solution is able to leverage SecureSpan's existing identity provider framework. This offers direct connection into most directory and Identity and Access Management (IAM) products, including:
- Generic LDAP
- Generic database
- Microsoft Active Directory
- Tivoli Access Manager
- Oracle Access Manager
- OpenSSO
- CA/Netegrity SiteMinder
- RSA ClearTrust
These connectors allow organizations to preserve investments and leverage expertise in existing IAM infrastructure, extending it into the SSO space. The SecureSpan STS deployment acts as a minimally intrusive layer over an organization's identity stores and can leverage existing groups, roles and access control rule sets. This is a far more cost-effective and flexible solution than vendor-specific STS add-ons, which are typically very expensive and limited in the federation scenarios they support.
Layer 7's template-driven approach to providing STS means token exchange can be entirely customized to meet an organization's federation challenges. The WS-Trust templates constitute a script that validates identity, interacts with identity stores and generates return tokens. It works out of the box for common federation and SSO scenarios but can easily be augmented to meet the most demanding specialized requirements.
This template-based approach promotes customized identity mapping functions within the context of a WS-Trust transaction. For example, formulaic mappings, such as string transformations of names, can easily be integrated within the policy and used as input into generated SAML assertions. This is invaluable for federation challenges where naming conventions differ between security domains and need to be reconciled at runtime.
SecureSpan Gateways also have full access to directory attributes associated with identities. This allows custom tokens to be constructed with authoritative attribute declarations, an essential feature in Attribute-Based Access Control (ABAC) regimes.
SecureSpan's WS-Trust policy can leverage the full range of potential incoming security tokens, including:
- HTTP basic authentication
- HTTP digest
- SSL client-side certificate authentication
- X.509 signatures in SOAP messages
- SAML token in HTTP headers
- SAML Token Profile in WS-Security
- Kerberos (Windows Integrated Authentication)
- Kerberos binding to SOAP messages
WS-Trust is not limited to SAML token issuance. The SecureSpan STS can alternatively return most of the credential types listed above, providing absolute flexibility in complex federation scenarios.
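As an added example (not Layer 7 code), the WS-Trust exchange described in the standards section and the template-driven STS above, written against Python's standard library: a caller's UsernameToken is checked against a constructed local store, the short login is mapped to the e-mail-style NameID the partner domain expects, and a SAML 2.0 bearer assertion carrying the subject's directory attributes comes back inside a RequestSecurityTokenResponse. The issuer, domain, user record and target service are all made up, and the XML-DSig signature a real STS would put on the assertion is left out.

```python
import hashlib, hmac, uuid, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSA, WSP = "http://www.w3.org/2005/08/addressing", "http://schemas.xmlsoap.org/ws/2004/09/policy"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STS_ISSUER, LOCAL_DOMAIN = "https://sts.corp.example", "corp.example"   # constructed STS identity
_kdf = lambda pw, salt: hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
# Constructed local identity store: login -> salted password hash plus directory attributes.
USERS = {"jsmith": {"salt": b"salt-1", "pw": _kdf("correct horse", b"salt-1"),
                    "attrs": {"department": "finance", "role": "approver"}}}
def authenticate(user, password):
    """Check the caller's UsernameToken against the local store (constant-time compare)."""
    rec = USERS.get(user)
    return rec["attrs"] if rec and hmac.compare_digest(rec["pw"], _kdf(password, rec["salt"])) else None

def map_name(local_user):
    return f"{local_user.lower()}@{LOCAL_DOMAIN}"   # formulaic mapping: short login -> e-mail-style NameID the partner expects

def build_assertion(user, attrs, audience, now, ttl=300):
    """SAML 2.0 bearer assertion for one audience and a short window (the STS's XML-DSig signature is omitted)."""
    ts = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    a = ET.Element(f"{{{SAML}}}Assertion", Version="2.0", ID="_" + uuid.uuid4().hex, IssueInstant=ts(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = STS_ISSUER
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress").text = map_name(user)
    ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=ts(now), NotOnOrAfter=ts(now + timedelta(seconds=ttl)))
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")   # authoritative directory attributes for ABAC downstream
    for name, value in attrs.items():
        ET.SubElement(ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name), f"{{{SAML}}}AttributeValue").text = value
    return a

def handle_rst(envelope_xml, now=None):
    """WS-Trust Issue: UsernameToken in the WS-Security header, wsp:AppliesTo names the target service."""
    now = now or datetime.now(timezone.utc)
    env, ns = ET.fromstring(envelope_xml), {"s": SOAP, "wsse": WSSE, "wst": WST, "wsa": WSA, "wsp": WSP}
    tok, rst = "s:Header/wsse:Security/wsse:UsernameToken/", "s:Body/wst:RequestSecurityToken/"
    user, password = (env.findtext(tok + f, namespaces=ns) or "" for f in ("wsse:Username", "wsse:Password"))
    audience = env.findtext(rst + "wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=ns)
    if env.findtext(rst + "wst:RequestType", namespaces=ns) != WST + "/Issue" or not audience:
        raise ValueError("only Issue requests carrying an AppliesTo are handled")
    attrs = authenticate(user, password)
    if attrs is None:
        raise PermissionError("authentication failed")   # same message whether login or password was wrong
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}TokenType").text = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
    ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken").append(build_assertion(user, attrs, audience, now))
    return rstr

# Constructed sample RST, as the XML VPN Client or any other WS-Trust caller would send it.
SAMPLE_RST = f"""<s:Envelope xmlns:s="{SOAP}"><s:Header><wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>
<wsse:Username>jsmith</wsse:Username><wsse:Password>correct horse</wsse:Password></wsse:UsernameToken></wsse:Security>
</s:Header><s:Body><wst:RequestSecurityToken xmlns:wst="{WST}"><wst:RequestType>{WST}/Issue</wst:RequestType>
<wsp:AppliesTo xmlns:wsp="{WSP}"><wsa:EndpointReference xmlns:wsa="{WSA}"><wsa:Address>https://orders.partner.example/ws</wsa:Address>
</wsa:EndpointReference></wsp:AppliesTo></wst:RequestSecurityToken></s:Body></s:Envelope>"""
EXAMPLE_NOW = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock so the issued token is reproducible
```

Inbound XML from untrusted callers should be parsed with defusedxml rather than xml.etree directly; the standard module is used here only to keep the example dependency-free.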
SecureSpan Gateways for Service Protection
SecureSpan Gateways can also be deployed in front of Web services servers to provide access control for federated services. This removes the complexity of token processing, administration of trust relationships and audit from the application and centralizes this for all services. This logical shift to a more declarative style of security management means that dedicated security administrators can assume responsibility for all application access control, ensuring that the security policy is consistent with corporate requirements.
Figure 3: SecureSpan Gateways deployed to federate and protect services and APIs.
Layer 7's policy-based access control system can accommodate most security token types. Also, it integrates with existing infrastructure such as directories and IAM. The internal STS capabilities of the Gateway can be leveraged for identity mapping functions or strict token validation.
SecureSpan Gateways additionally provide a rich trust management interface that simplifies management of federated partners. This features integral CRL and OCSP support, to ensure that the integrity of the web of trust is maintained. All cryptographic functions are FIPS compliant, and hardware Gateway instances feature available integration with leading Hardware Security Modules (HSMs) from Thales and SafeNet.
Gateways can also incorporate XACML access control rules directly into policy or communicate with remote XACML Policy Decision Points (PDPs) using the XACML protocol. Integration with other external PDPs is possible using SAMLP and WS-Trust protocols.
The Gateways feature very rich and configurable SAML token processing, allowing support for virtually any federation or SSO scenario. SAML tokens can be extracted from transport headers (such as HTTP) or isolated in SOAP messages under the WS-Security SAML token profile standard. The Gateways support both SAML bearer tokens protected with SSL and more sophisticated WS-Security-based bindings for SAML, including holder-of-key and sender-vouches style tokens cryptographically bound into messages. Token evaluation is completely flexible, allowing simple access control based on trust relationship or adoption of more sophisticated methods such as ABAC using SAML attribute assertions.
Finally, all other aspects of security supported by SecureSpan Gateways are available to ensure that services are fully protected in one place. This includes features such as message content validation, automated threat detection, audit, transformation, throttling, traffic shaping and content- or state-based routing.
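As an added example (not Layer 7 code), the Gateway-side token evaluation described above run over a constructed bearer assertion with Python's standard library: trusted issuer, validity window with clock-skew tolerance, audience, and the subject confirmation method (bearer only over SSL/TLS, holder-of-key against the key that signed the message, sender-vouches only from a trusted signer), followed by an ABAC decision on the asserted attributes. The trust list, service identifier, policy rules and sample assertion are assumptions, and XML-DSig verification of the assertion itself is assumed to have happened before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
SAML, DS = "urn:oasis:names:tc:SAML:2.0:assertion", "http://www.w3.org/2000/09/xmldsig#"
CM = "urn:oasis:names:tc:SAML:2.0:cm:"                 # SubjectConfirmation method URI prefix
TRUSTED_ISSUERS = {"https://sts.corp.example"}          # constructed partner trust list
SERVICE_ID = "https://orders.partner.example/ws"        # this Gateway's own audience value
CLOCK_SKEW = timedelta(minutes=2)                       # tolerated drift between STS and Gateway clocks
NS = {"saml": SAML, "ds": DS}
_t = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(assertion_xml, ctx, now=None):
    """Check an inbound assertion; return the subject's attributes or raise ValueError. ctx says how it
    arrived: "transport" ("tls"/"plain"), "message_key" (KeyName that signed the SOAP body), "sender_trusted"
    (a trusted partner signed the message). Its XML-DSig is assumed already verified against the issuer."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(assertion_xml)
    if a.tag != f"{{{SAML}}}Assertion" or a.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    if a.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_ISSUERS:
        raise ValueError("issuer is not a trusted partner")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        raise ValueError("assertion has no validity window")
    if now + CLOCK_SKEW < _t(cond.get("NotBefore")) or now - CLOCK_SKEW >= _t(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    if SERVICE_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was issued for a different audience")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    method = sc.get("Method") if sc is not None else None
    if method == CM + "bearer":                         # anyone holding the token can replay it: TLS only
        ok = ctx.get("transport") == "tls"
    elif method == CM + "holder-of-key":                # presenter must prove possession of the named key
        key = sc.findtext("saml:SubjectConfirmationData/ds:KeyInfo/ds:KeyName", namespaces=NS)
        ok = bool(key) and key == ctx.get("message_key")
    elif method == CM + "sender-vouches":               # trust rests on the signing intermediary
        ok = bool(ctx.get("sender_trusted"))
    else:
        ok = False
    if not ok:
        raise ValueError(f"subject confirmation failed for method {method}")
    return {e.get("Name"): e.findtext("saml:AttributeValue", namespaces=NS)
            for e in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}

POLICY = {"approve_order": {"department": "finance", "role": "approver"},   # constructed ABAC rules:
          "read_order": {"department": "finance"}}                          # action -> required attributes

def abac_decide(attrs, action):
    """Permit/Deny on the attributes the STS asserted; actions without a rule are denied."""
    required = POLICY.get(action)
    return "Permit" if required and all(attrs.get(k) == v for k, v in required.items()) else "Deny"
# Constructed bearer assertion, shaped like an STS would issue it (Signature element omitted).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_a1" IssueInstant="2012-06-01T12:00:00Z">
<saml:Issuer>https://sts.corp.example</saml:Issuer><saml:Subject><saml:NameID>jsmith@corp.example</saml:NameID>
<saml:SubjectConfirmation Method="{CM}bearer"/></saml:Subject>
<saml:Conditions NotBefore="2012-06-01T12:00:00Z" NotOnOrAfter="2012-06-01T12:05:00Z"><saml:AudienceRestriction>
<saml:Audience>{SERVICE_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="department"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="role"><saml:AttributeValue>approver</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""
EXAMPLE_NOW = datetime(2012, 6, 1, 12, 1, tzinfo=timezone.utc)   # fixed clock inside the sample's window
```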
XML VPN Client for Federating Client Applications
Layer 7's XML VPN Client is a small-footprint, client-side application that helps to rapidly onboard clients in Web services federation scenarios. This eliminates the burden of implementing federation and SSO functions in code, thus ensuring that federation is done right the first time.
The XML VPN Client interacts with a remote SecureSpan Gateway to load the most up-to-date policy in effect. It then automatically coordinates SAML security token acquisition with a local STS, buffering the token for all transactions across the token's lifetime and automatically inserting it into transactions destined for a remote service.
Figure 4: The SecureSpan XML VPN Client can federate client applications without requiring any changes to code.
The XML VPN Client integrates with a local STS using the standards-based WS-Trust protocol. It can integrate with either a SecureSpan-based STS or a third-party STS such as Microsoft's ADFS.
The XML VPN Client solution is particularly well suited to federating branch office applications and to rapidly federating applications during organizational mergers and acquisitions.
Can Layer 7 Help Me Federate APIs?
The emerging API paradigm is based on RESTful design, JSON data structures and OAuth security tokens. Layer 7 Gateways have always supported REST-style messaging. The policy language treats JSON as a first-class citizen beside XML. The OAuth toolkit provides rich OAuth integration capabilities [1]. SecureSpan's SAML capabilities are entirely applicable to SAML bearer tokens carried as transport payload. This allows sophisticated federation models, including access control paradigms such as ABAC, to be applied to APIs, not just SOAP endpoints.
[1] OAuth support in Layer 7 SecureSpan Gateways is described in a dedicated white paper.
This is depicted in the figure below:
Figure 6: Drop-in federation for Web services, using Layer 7.
This solution is particularly well suited to branch deployments, where a central authority needs to drive rapid federation of applications using local user stores.
How do I Use Layer 7 to Provide SSO to My Web Sites?
Layer 7 can provide Security Token Services that allow browser-based clients to perform SSO with internal or partner Web applications. This deployment pattern for SecureSpan Gateways is described above. It makes use of standards-based SAML profiles to allow a single credential to be used once in order to access any number of local Web sites.
The Web applications must be configured to locally perform access control based on standard SAML SSO profiles. Most modern Web application servers can easily be configured to consume SAML tokens and enforce trust relationships.
Figure 8: Administrators have full access to SaaS SSO templates, allowing simple customization to accommodate local security directives.
How Does OAuth Relate to Federation & SSO?
OAuth is primarily a means of authentication and limited, delegated federation, rather than a full-blown federation or SSO model. It was developed as a solution to the password anti-pattern, a bad practice that multi-site Web applications sometimes resorted to as a means of lightweight, user-driven federation.
OAuth allows a user who has separate accounts on two sites to effectively federate these for certain functions. For example, a user of Twitter might want to post tweets on his or her Facebook wall (thus federating the accounts). OAuth provides a means to do this without forcing the user to share credentials between sites.
There are interesting overlaps between what can be accomplished with SAML and what can be done with the emerging OAuth specifications (particularly the OAuth 2.0 spec). These are beyond the scope of this white paper. At present, OAuth is mainly finding application in user-delegated account federation on Web sites, with an emphasis on social networking sites (largely because of the developer culture at these organizations). In these cases, OAuth is used as the security token in API calls.
SAML appears more commonly in enterprise or Cloud-based SaaS applications. There are some interesting emerging approaches for exchanging SAML tokens acquired using a browser-based profile for OAuth tokens that can be used by APIs running within the context of a browser user agent. Layer 7 has policy templates available that implement some of these scenarios. However, this is presently very much a moving target with little standardization between implementations.
Layer 7 provides an OAuth Toolkit, consisting of several policy assertions that constitute the building blocks of OAuth applications. The Toolkit also includes policy templates that leverage these assertions to provide basic OAuth functions such as distributed authorization services, user access management and API access control.
Figure 9: Layer 7 Gateways deployed as an OAuth Authorization Server (AS) and protecting a Resource Server (RS).
About Layer 7 Technologies
Layer 7 Technologies helps enterprises secure and govern interactions between their organizations and the services they use in the Cloud, across the Internet and out to mobile devices. Through its award-winning line of SOA Gateways, Cloud Brokers and API Proxies, Layer 7 gives enterprises the ability to control identity, data security, SLA and visibility requirements for sharing application data and functionality across organizational boundaries. With more than 150 customers spanning six continents, Layer 7 supports the most demanding commercial and government organizations. Layer 7 solutions are FIPS compliant, STIG vulnerability tested and have met Common Criteria EAL4+ security assurance.
Contact Layer 7 Technologies
Layer 7 Technologies welcomes your questions, comments and general feedback.
Email: [email protected]
Web Site: www.layer7.com
Phone: (+1) 604 681 9377
1 800 681 9377 (toll-free within North America)
Fax: 604 681 9387
Address: Layer 7 Technologies, Suite 405, 1100 Melville Street, Vancouver, BC V6E 4A6, Canada
Legal Information
Copyright 2012 by Layer 7 Technologies, Inc. (www.layer7.com). Contents confidential. All rights reserved. SecureSpan and CloudSpan are registered trademarks of Layer 7 Technologies, Inc. All other mentioned trade names and/or trademarks are the property of their respective owners.