Integrated Security Demo - Web Services Security ,Oracle 9iAS, PKI
description
Transcript of Integrated Security Demo - Web Services Security ,Oracle 9iAS, PKI
1
Integrated Security Demo - Web Services Security ,Oracle 9iAS, PKI
CSCI 5931 – Web Security
Instructor: Dr. Andrew Yang
Team: Web Warriors
Rohan Bairat, Shashank Dhond, Mohd A Azeem
23 rd April 2003
2
Single Sign on In any client/server relationship, single sign-on is a
session/user authentication process that permits a user to enter one name and password in order to access multiple applications
In e-commerce, the single sign-on is designed to centralize consumer financial information on one server - not only for the consumer's convenience, but also to offer increased security by limiting the number of times the consumer enters credit card numbers or other sensitive information used in billing
Two Types of Single Sign-on Web Single Sign-on Legacy Single Sign-on
3
Web Single Sign-on The Web is made up of portals which act as gateways to
many layers of web sites Earlier Web security was based on protecting URLs, not
applications and SSL was suppose to be a complete solution
As applications and databases started being attached to the backend of URLs SSL limitations showed up.
SSL is CPU intensive cannot create a user experience SSL only can work between two endpoints A single sign-on solution will write the front-end
authentication through to a central management console on the backend, and share this information between applications for the extent of the user session
4
Legacy Single Sign-on Legacy single sign-on enables smooth
navigation of the various applications on an intranet through one authentication session
Industry analysts refer to legacy single sign-on as employee single sign-on
It conceptually uses the same authentication and authorization architecture structure as Web single sign-on, except a portal is not part of the front-end picture
5
More on Single Sign-on Single sign-on and password synchronization are two
different things A password synchronization system does is distribute and
synchronize a main password to other systems true single sign-on products that offer advanced and
sophisticated capabilities, a user can actually have different passwords for every application
The single sign-on server stores these passwords in a protected database, and makes them available to the user upon login
Players in Single Sign-on Entrust, Evidian, Netegrity, and RSA Security. All three of these
products can be run on UNIX platforms, and offer rules-based capabilities, roles-based capabilities, and LDAP compliancy
6
Agenda – Web Services single sign-on
Web Services Security Single Sign-on in Web Services Methods Available Solutions
7
Web Services Security Different companies had posted
their own standards for securing web services
IBM WS Security The Java WSDP Security The Liberty Alliance SSO Architecture
8
Single sign-on in Web Service Single sign-on security architecture is to shift
the complexity of the security architecture to the called SSO service
In the SSO architecture, all security algorithms are found in the single SSO server which acts as the single and only authentication point for a defined domain
SSO approach can be used for authentication /registration: a user has to sign-on only once
The SSO server can be a Web service
9
The Simple SSO Scenario Modus Operandi
The authenticated party first calls the SSO server and requests the authentication token that identifies it in the particular domain
Token is available only when party provides the correct authentication credentials
username/password Certificates Other methods
The SSO server performs a validation of the users' credentials using the underlying security infrastructure
The Token is issued to the user Token is a unique identification for the user in Simple SSO
Scenario
10
Simple Single sign on Scenario
11
Advantage Encapsulation of the underlying security infrastructure
in the SSO server Implementation, deployment and maintenance are
much easier as all communicating parties in the distributed system don't need to individually implement all of the security features and mechanisms.
The SOAP interface to the SSO server makes the SSO architecture universal
The SSO server enhances security of the whole system as the security credentials don't need to be passed around
Authentication can be performed outside the security domain but security credentials stay within a security domain
12
Advanced SSO-using SAML In the previous simple SSO scenario each time the
user is challenged for identity verification In this approach the token itself contains valuable
security information that allows validation without having to call the SSO server each time
The token contains the authentication or authorization information signed by SSO server
There is a new standard for exchanging security-related information in XML called Security Assertions Markup Language (SAML) (developed by OASIS)
13
Security Assertions Markup Language
SAML defines the protocol by which the service consumer issues the SAML request and the so-called SAML authority returns the SAML response with assertions
The security information described by SAML is expressed in the form of assertion statements about security subjects (e.g. users, machines or services)
Assertions The Authentication statement informs about the authentication
of a particular subject in a specific time and scope. The Authorization decision allows or denies a subject access to
a specific resource. The Attributes further qualify the subject (e.g. credit line info,
citizenship etc.)
14
Advanced SSO-using SAML
15
Agenda - Oracle 9iAS single Sign-On
• Overview of Single Sign-On• Web Single Sign-On• Legacy Single Sign-On• Features of Single Sign-On• SSO Components & Application Types• SSO Authentication Methods• Functional Overview of Oracle 9i AS SSO• Oracle 9i AS Security Architecture
16
Overview of Single Sign on
In any client/server relationship, single sign-on is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications
In e-commerce, the single sign-on is designed to centralize consumer financial information on one server - not only for the consumer's convenience, but also to offer increased security by limiting the number of times the consumer enters credit card numbers or other sensitive information used in billing
Two Types of Single Sign-on Web Single Sign-on Legacy Single Sign-on
17
Web Single Sign-on The Web is made up of portals which act as gateways to many
layers of web sites Earlier Web security was based on protecting URLs, not
applications and SSL was suppose to be a complete solution As applications and databases started being attached to the
backend of URLs SSL limitations showed up. SSL is CPU intensive cannot create a user experience SSL only can work between two endpoints A single sign-on solution will write the front-end authentication
through to a central management console on the backend, and share this information between applications for the extent of the user session
18
Legacy Single Sign-on
Legacy single sign-on enables smooth navigation of the various applications on an intranet through one authentication session
Industry analysts refer to legacy single sign-on as employee single sign-on
It conceptually uses the same authentication and authorization architecture structure as Web single sign-on, except a portal is not part of the front-end picture
19
More on Single Sign-on
Single sign-on and password synchronization are two different things A password synchronization system does is distribute
and synchronize a main password to other systems The single sign-on server stores these passwords in a
protected database, and makes them available to the user upon login
Players in Single Sign-on Entrust, Evidian, Netegrity, and RSA Security. All three
of these products can be run on UNIX platforms, and offer rules-based capabilities, roles-based capabilities, and LDAP compliancy
20
Features of Single Sign-On (SSO)
Centralized authentication for web applications• Secure • Inexpensive• PKI support• 3rd party integration
21
SSO Components
• Applications - Partner - External
• Centralized SSO Server – Verifies SSO password – Sets SSO cookie at client – External app username/password store
• Username/Password managed in LDAP directory – Oracle Internet Directory (OID) – Other LDAPv3 directory requires OID gateway – Users provisioned through OID Delegated Administrative Services (DAS)
22
SSO Authentication Methods
Oracle9iAS Single Sign-On uses one of these authentication methods:
Local user authentication: Uses a lookup table within the Login Server schema. This table contains user name, password, Login Server privilege level, and other auditing fields for the user. The incoming password is one-way hashed and compared to the entry in the table.
External repository authentication:Typically relies on an LDAP-compliant directory. In this case, the Login Server binds to the LDAP-compliant directory, then looks up the user credentials stored there. External Authentication includes LDAP and Database Authentication and any others that may be custom-developed
23
Functional Overview of Oracle9i AS SSO
1. User accesses Partner App A which determines user isn’t authenticated.
2. App A redirects user to SSO server.
3. SSO server prompts user to give username and password.
4. SSO server verifies password and sets SSO cookie on client machine for authentication by Partner App.
5. SSO credentials may be stored in external server.
6. SSO server redirects user to partner App and also provides the partner App with an encrypted copy of the SSO cookie for it to verify the client’s identity.
7. Partner App A sets its own cookie after verifying the client with the copy of the SSO cookie obtained from the SSO server.
Initial Authentication
24
Functional Overview of Oracle9i AS SSO
Authentication to partner applications
Once a user has been authenticated and an SSO cookie has been set, Oracle 9i AS SSO directs the user back to the partner application and includes an encrypted token which contains the user’s identity in the partner application URL. Then the token is encrypted in a key which is shared only by Oracle 9i AS SSO and the partner application. This assures the partner application that the token is authentic and was created by Oracle 9i AS SSO.
25
Functional Overview of Oracle9i AS SSO
1. Client requests access to external App. is redirected to SSO server.
2. SSO server prompts client for username and password.
3. Clients username and password are encrypted and sent to External App for authentication.
4. After external app verifies client, SSO server sets SSO cookie on client and redirects client to App.
5. It sends a copy to the App for verification.
The SSO server uses external App’s verification module to authenticate user and sets the SSO cookie on the client.
Authentication to External Applications
4 5
26
Functional Overview of Oracle9i AS SSO
LDAP integration
Directories supporting the Lightweight Directory Access Protocol (LDAP) are increasingly used as a single source of enterprise-wide information about users.
Oracle9iAS SSO verifies usernames and passwords using OID. When a user submits username and password as part of the initial authentication, Oracle9iAS SSO compares the username and password with that maintained in OID. If the comparison succeeds, username and password are considered to be verified.
27
Oracle 9i AS Security Architecture
28
What is PKI?
PKI is a security architecture that has been introduced to provide an increased level of confidence for exchanging information over an increasingly insecure Internet.
PKI is based on the use of digital certificates that allow users to verify the identity of the person or institution that they're communicating with, and to digitally sign transactions.
29
What PKI offers…
A certificate-based system that provides: Authentication to verify the identity of the sender and
the recipient. Data integrity to verify that information is received
unaltered from the sender. Data confidentiality to ensure that sensitive
information does not fall into the wrong hands. Non-repudiation to ensure that transactions are legally
binding, protecting your business from fraud.
30
PKI Technology and Architecture
31
The Primary Technical Components of PKI
End Entity Application (EE). Registration Authority (RA): It performs the necessary
checks to make sure the person requesting the certificate is the same that he/she claims to be.
Certification Authority (CA): Issues and verifies certificates.
PKI directories: They are databases that are X.500/LDAP compliant. They contain certificates in X.500/LDAP in th X.509format, and that they provide specific search Facilities.
32
How PKI can be used with SSO
SSO layer of the application is built on top of a PKI layer. PKI handles the LDAP directory part. The SSO server
refers to the Certificate Authority (CA) to verify the credibility of the user and to authenticate his certificate.
Thus, in a SSO implemented with PKI: The user first obtains a certificate from the CA using
PKI. The user then calls the SSO server, provides the SSO
server with its certificate and requests for a token identifying its domain.
33
How PKI can be used with SSO…
The SSO server refers to the CA to verify the users certificate.
The CA checks its PKI directory to verify the certificate provided by the SSO server.
If the certificate checks out to be good the SSO server issues the user with a token.
34
References
o http://www.certicom.com/pdfs/whitepapers/Trustpoint_PKI.pdf
o http://www.articsoft.com/wp_pki_intro.htmo http://technet.oracle.com/sample_code/deploy/security/
files/ssosecurity/Readme.htmlo http://technet.oracle.com/sample_code/deploy/security/
files/ssosecurity/Readme.html
35
Wrapping Up…