
TAM STE Series 2008

WebSEAL SSO, Session 1 08/2008 © 2008 IBM Corporation

TAM STE Series 2008- WebSEAL SSO, Session 1

Presented by: Andrew Quap

Itinerary for WebSEAL single sign-on (SSO)

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)

CDSSO

eCDSSO

SPNEGO

Generic Security Service Application Program Interface (GSS-API)

– “an application programming interface for programs to access security services.” – Wikipedia

– RFC 2478

– Describes a set of standard APIs

GSS-API can implement any security protocol

– GSS-API implementation of Kerberos is best known

SPNEGO

Microsoft started to use SPNEGO in IE 5.01 and IIS 5.0 as an authentication extension – Wikipedia

– Requires the use of an AD server acting as the KDC

– Nowadays Microsoft markets the use of NTLM instead of SPNEGO

– Used to provide desktop single sign-on into IIS server

TAM WebSEAL SPNEGO allows users to SSO into WebSEAL

Kerberos basics

MIT Kerberos v5

RFC 1510

– Kerberos tickets

– Kerberos Realm

– KDC (Key Distribution Center)

• Server that issues Kerberos tickets

• Typically listens on port 88

For UNIX implementations, ‘krb5.conf’ contains the Kerberos client configuration

Kerberos basics

keytab file

– Allows a service (i.e. a server) to automatically authenticate into a Kerberos realm

‘kinit’ command

– Command used to authenticate a user into a Kerberos realm

• Input user/password

• Or input keytab file

SPNEGO

SPNEGO uses GSS-API Kerberos implementation

WebSEAL and WebPI use the "HTTP Negotiate" extension defined by Microsoft.

The client web browser sends an HTTP request to WebSEAL.

WebSEAL returns an HTTP 401 (Unauthorized) status with the following header: "WWW-Authenticate: Negotiate".

Client chooses a Service Principal Name for the host and calls InitializeSecurityContext() to generate a NegTokenInit token.

SPNEGO

Client resends the request with the following header: "Authorization: Negotiate <base64 encoding>" (e.g. Authorization: Negotiate YIIGUQY<remainder of base64 encoded string>).

WebSEAL decodes the NegTokenInit token.

WebSEAL verifies the encryption type and authenticates using gss_accept_sec_context.

The next step depends on what the gss_accept_sec_context function returns.

SPNEGO flow

All entities share a secret key with the 3rd party

– Allows 3rd party to authenticate any known entity

– 3rd party can encrypt data for any known entity

WebSEAL SPNEGO configuration and setup

The AD server is typically configured as the TAM registry

– Can have a separate LDAP server, but the AD and LDAP servers must be user-synchronized

WebSEAL administration document, v6, on SPNEGO is very detailed.

WebSEAL SPNEGO configuration and setup

WebSEAL installed on Windows OS

– The ‘ktpass’ command creates Service Principal Names (SPNs) in the AD server

– Set up the WebSEAL service to authenticate as the new SPN

– The WebSEAL server must be configured as a client into the AD domain

WebSEAL SPNEGO configuration and setup

WebSEAL installed on UNIX

– Requires a keytab file generated by the ‘ktpass’ command

– Modify the WebSEAL configuration file to include the principal name and keytab file

– Set up the Kerberos client on the WebSEAL machine

WebSEAL SPNEGO configuration and setup

Supports load-balanced WebSEAL setup

– The WebSEAL admin guide details the steps needed for basic setup; case does matter

– Forward and reverse lookup must match on the WebSEAL machine for the load balanced hostname

– WebSEAL on Windows

• The server instances must all be running under the same ID

– WebSEAL on UNIX

• The servers must all share the same keytab

WebSEAL SPNEGO problem determination

Invoke ‘bst’ trace or per-process trace

Determine if it is a Kerberos error

– Review Kerberos client config in ‘krb5.conf’

UNIX

– Ensure the keytab file is valid

• Use a ‘kinit’ test

Windows

– Ensure the WebSEAL service authenticates as the user created by the ‘ktpass’ command

WebSEAL SPNEGO typical issues

TAM 6.0 provides SPNEGO problem determination guide

WebSEAL will not start

– Invoke per-process tracing

• Look for Kerberos error

– Example of error

WebSEAL SPNEGO typical issues

WebSEAL starts but user SSO fails

– Invoke ‘bst’ tracing

– Take a network trace from the end user’s browser

• Look for AD server response

– Check ‘krb5.conf’

• Make sure the AD domain is defined or is the default

• If the WebSEAL domain is different from the AD domain, make sure both domains are mapped

– Ensure the site is entered as a trusted site in the IE browser
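As an added aid for the "network trace from the end user's browser" step above and for the Negotiate exchange on the earlier SPNEGO slides (example code added here, not from the deck or from WebSEAL), the Python below decodes the client's Authorization: Negotiate header just far enough to tell a SPNEGO NegTokenInit, with the mechanisms it offers, from a bare Kerberos token or from a raw NTLM token, which WebSEAL cannot consume. SAMPLE_HEADER is a constructed, hand-encoded NegTokenInit with no Kerberos AP-REQ inside.

```python
import base64

SPNEGO = "1.3.6.1.5.5.2"                                # SPNEGO mechanism OID (RFC 2478)
MECHS = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.2.840.48018.1.2.2": "MS Kerberos V5",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _tlv(buf, pos):                                     # one DER TLV -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oid(raw):                                          # DER OID contents -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate"}
    tok = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if tok.startswith(b"NTLMSSP\x00"):                  # base64 "TlRMTVNT...": raw NTLM
        return {"kind": "raw-NTLM"}
    if not tok or tok[0] != 0x60:                       # not a GSS-API InitialContextToken
        return {"kind": "unknown"}
    _, inner, _ = _tlv(tok, 0)
    _, oid_raw, pos = _tlv(inner, 0)                    # thisMech
    mech = _oid(oid_raw)
    if mech != SPNEGO:                                  # e.g. a bare Kerberos token
        return {"kind": "gss", "mech": MECHS.get(mech, mech)}
    _, nti, _ = _tlv(inner, pos)                        # negTokenInit [0]
    _, seq, _ = _tlv(nti, 0)                            # SEQUENCE
    _, mt, _ = _tlv(seq, 0)                             # mechTypes [0]
    _, lst, _ = _tlv(mt, 0)                             # SEQUENCE OF MechType
    types, p = [], 0
    while p < len(lst):
        _, o, p = _tlv(lst, p)
        types.append(MECHS.get(_oid(o), _oid(o)))
    return {"kind": "spnego", "mechTypes": types}       # first entry = client's preferred mech

# Constructed sample (hand-encoded DER, no mechToken): NegTokenInit offering MS Kerberos, Kerberos, NTLMSSP
SAMPLE_HEADER = "Negotiate " + base64.b64encode(bytes.fromhex(
    "6032 0606 2b06 0105 0502 a028 3026 a024 3022 0609 2a86 4882 f712 0102 02"
    "0609 2a86 4886 f712 0102 02 060a 2b06 0104 0182 3702 020a")).decode()
```

A real trace from a working Kerberos SSO shows a header beginning "Negotiate YII...", as on the earlier slide; one beginning "Negotiate TlRMTVNT..." is the NTLM fallback case.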

WebSEAL SPNEGO typical issues

Multiple SPNs mapped to the WebSEAL AD account

– Issue only occurs when WebSEAL is installed on UNIX

– Must use the ‘-mapOp set’ option of the ktpass command

– ‘-mapOp set’, which is required to create a keytab, removes the other SPNs that existed on the account

– One account per SPN when using UNIX

WebSEAL SPNEGO limitations

Does not provide SSO into an IIS backend server

If SPNEGO fails, fallback to WebSEAL forms login requires an IE fix

– WebSEAL’s NTLM error page can be modified for ‘pkmslogin’

– Use E-community SSO to login user

WebSEAL cannot handle NTLM responses from IE

SPNEGO clients cannot log out

Kerberos Junctions

Not SSO to WebSEAL, but SSO from WebSEAL to IIS

SPNEGO questions

Cross Domain Single Signon (CDSSO)

“A mechanism to transfer a user’s credentials between servers in different domains.” – WebSEAL administration guide

Uses an encrypted token to transfer a user identity

– “token creation” creates and encrypts the token

– “token consumption” decrypts the token

Can use CDSSO between TAM Web plug-in and WebSEAL

Cross Domain Single Sign-on (CDSSO)

Supports cross-domain mapping framework (CDMF)

– Allows additional attributes to be encrypted in the token in addition to the user’s identity

– Provides the ability to customize CDSSO using the TAM C APIs

CDSSO configuration and setup

Configuring CDSSO token create functionality

– The following procedures are appropriate for the initial WebSEAL server:

• Enable WebSEAL to generate CDSSO tokens (cdsso-create).

• Configure the built-in token creation module (sso-create).

• Create the key file used to encode and decode the token.

• Copy the key file to all appropriate participating servers ([cdsso-peers] stanza).

• Configure the token time stamp (authtoken-lifetime).

• Configure the token label (cdsso-argument).

• Create the CDSSO HTML link (/pkmscdsso?destination-URL).

CDSSO setup and configuration

Configuring CDSSO token consume functionality

– The following procedures are appropriate for the destination WebSEAL server:

• Enable WebSEAL to consume CDSSO tokens (cdsso-auth) for authentication.

• Configure the built-in token consumption module (sso-consume).

• Assign the appropriate key file ([cdsso-peers] stanza).

• Configure the token time stamp (authtoken-lifetime).

• Configure the token label (cdsso-argument).

CDSSO flow

CDSSO requirements

“All WebSEAL servers participating in CDSSO must have machine times synchronized.” – WebSEAL administration guide

“For CDSSO to function successfully, each participating WebSEAL server must reveal its fully qualified host name to the other participating servers in the cross-domain environment.” – WebSEAL administration guide

CDSSO requirements

“Do not reuse key pairs (used to encrypt and decrypt token data) generated for a specific CDSSO environment in any other CDSSO environments.” – WebSEAL administration guide

CDSSO problem determination

Determine if error occurs during “token creation” or “token consumption”

Enable the CDSSO-specific trace component: pdweb.wan.cdsso

Enable ‘pdweb.snoop’ trace

Analyze ‘msg__WebSEALd-<instance name>.log’

Is the customer using the default libraries?

CDSSO typical issues

Time issues: time zones not set up correctly, or clock skew

Mismatched keys

CDSSO peers incorrectly set up
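As an added check covering the typical issues listed just above and the creator/consumer setup steps on the earlier CDSSO configuration slides (example code added here, not from the deck or from WebSEAL), this Python compares the [cdsso] and [cdsso-peers] settings of a token-creating server with those of a token-consuming server and reports a missing peer entry, a label or lifetime mismatch, or key files whose contents differ. The webseald.conf fragments, hostnames and key-file contents are constructed, and the entry values (http/none, 180, PD-ID) are assumed for illustration.

```python
import configparser
import hashlib

# Constructed webseald.conf fragments for a creator (A) and a consumer (B); entry names follow the slides, values are illustrative
CONF_A = """
[cdsso]
cdsso-create = http
cdsso-auth = none
authtoken-lifetime = 180
cdsso-argument = PD-ID
[cdsso-peers]
webseal-b.example.com = cdsso.key
"""
CONF_B = """
[cdsso]
cdsso-create = none
cdsso-auth = http
authtoken-lifetime = 180
cdsso-argument = PD-ID
[cdsso-peers]
webseal-a.example.com = cdsso-old.key
"""
# Constructed stand-in for each host's key files: file name -> file contents
KEYS_A = {"cdsso.key": b"shared-key-material-v2"}
KEYS_B = {"cdsso-old.key": b"shared-key-material-v1"}   # stale copy that was never redistributed

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_cdsso_pair(host_a, conf_a, keys_a, host_b, conf_b, keys_b):
    """Findings for one token-creation (A) / token-consumption (B) pair; empty list means OK."""
    ca, cb = _load(conf_a), _load(conf_b)
    a, b, pa, pb = ca["cdsso"], cb["cdsso"], ca["cdsso-peers"], cb["cdsso-peers"]
    out = []
    if a.get("cdsso-create", "none") == "none":
        out.append(f"{host_a}: cdsso-create is none, so it will not mint CDSSO tokens")
    if b.get("cdsso-auth", "none") == "none":
        out.append(f"{host_b}: cdsso-auth is none, so it will ignore /pkmscdsso tokens")
    for key in ("cdsso-argument", "authtoken-lifetime"):          # label and lifetime must agree
        if a.get(key) != b.get(key):
            out.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    kf_a, kf_b = pa.get(host_b.lower()), pb.get(host_a.lower())   # peer entries: FQDN = key file
    if kf_a is None or kf_b is None:
        out.append("each server must list the other's FQDN in [cdsso-peers]")
    else:                                                         # compare key fingerprints, not key bytes
        fp = [hashlib.sha256(k.get(f, b"")).hexdigest() for k, f in ((keys_a, kf_a), (keys_b, kf_b))]
        if fp[0] != fp[1]:
            out.append(f"key mismatch: {kf_a} on {host_a} differs from {kf_b} on {host_b}")
    return out
```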

CDSSO limitations

UTF-8 encoding for strings

Providing compatibility for tokens across WebSEAL versions

CDSSO questions

E-community Single Sign-on (ECSSO)

Concept is similar to CDSSO

Master authentication server (MAS) provides single point for authentication

– WebSEAL and WebPI provide MAS functionality

Domain-specific cookies are used to identify the server that can provide "vouch for" services

The e-community implementation allows for "local" authentication in remote domains

eCDSSO flow

ECSSO setup and configuration

Enabling and disabling e-community members

Including credential attributes in the vouch-for tokens

Specify the sso-create and sso-consume libraries

ECSSO problem determination

Determine if error occurs during “token creation” or “token consumption”

Enable ‘pdweb.snoop’ trace on servers involved

Analyze ‘msg__WebSEALd-<instance name>.log’

ECSSO typical issues

Time issues: time zones not set up correctly, or clock skew

Mismatched keys

ECDSSO domains incorrectly set up

ECSSO limitations

One server, or group, provides authentication for a group of servers

– Each server can still do local authentication

eCDSSO questions