SAML and Other Types of Federation for Your Enterprise


SAML and Other Types of Federation for Your Enterprise, session from BriForum London 2014


@fdwl #BriForum @entisys

SAML and Other Types of Federation for Your Enterprise

Denis Gundarev, Senior Consultant, Entisys Solutions

May 20, 2014


Based on a true story


About me


Agenda

What is federated authentication

How to add federation support for your legacy applications


Identity and Account Management Basics

Identity Management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within the enterprise

Integral components of identity and access management:

Identification

Authentication

Authorization


Identification vs. Authentication vs. Authorization


Entity vs Identity vs Credential vs Attribute

Entity

• Person

• Computer

Identity

• Active Directory Account

• Passport Number

• Serial Number

Credential

• Passport

• Credit Card

• Kerberos token

Attribute

• Address

• Qualification

• Criminal record


Attribute Assertion

An attribute assertion is a claim made by someone (the asserter) that a particular person possesses a particular attribute.

A college can confirm that a person has graduated.

Active Directory can confirm that a password is correct.

A digitally signed attribute assertion = an authorization credential.

Source: David W Chadwick Federated Identity Management http://kar.kent.ac.uk/30609/1/FederatedIdManChapter.pdf


Credential Types

Credential authenticity

Not tampered with: received exactly as issued by the issuing authority

Digitally signed to prove authenticity

Credential validity

Monopoly money is authentic if obtained from the Monopoly game pack: valid for buying property in the game, NOT valid in a grocery store

A credit card is an authentic credential: valid in Marks & Spencer, not valid in a fishing village in the middle of nowhere at night

Source: David W Chadwick Federated Identity Management http://kar.kent.ac.uk/30609/1/FederatedIdManChapter.pdf


What is Federation?

A set of standards-based technology & IT processes to facilitate distributed identification, authentication & authorization across boundaries (security, departmental, organizational or platform).


Federation Example

(diagram) The Entity authenticates to the Identity Provider (IdP); the IdP issues an Attribute Assertion; the Service Provider (SP) consumes that assertion to grant access to its Resources.


Federation Example

Facebook performs authentication and generates a signed attribute assertion with the user name and a unique user ID

Digg maintains its own user database and authorization


Why Do I Need Federation?

Provide access to your applications to suppliers or partners

Quickly onboard acquired organization

Provide access for temporary workers by using “bring your own identity” model

Service Providers


Can’t I Just Create User Accounts?

More work for you

Less security for your network

No control over the user population


Can’t I Just Use Forest Trusts?

Network connection between partners is required

User principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces are replicated

DNS configuration is required


Benefits of Federation

Better Access Experience

Single sign-on across networks & organizational boundaries

Increased Security & Simpler Administration

Heightened identity assurance

No passwords involved: the resource partner never sees the user's password

Account de-activation is handled by the account partner

Account partner can easily be disabled at the organizational level

Strong authentication such as user certificates or OTP tokens can be layered on top of federation


Benefits of Federation (diagram of identity sources)

Corporate Directories: Active Directory, LDAP, Kerberos

Special Cases: Anonymous users, One-time Access

Partners: ADFS, OpenSSO, PingIdentity, Office365

Private-Sector IdPs: Google, Microsoft, Facebook, Twitter


SAML

SAML – Security Assertion Markup Language

XML-based security specification for exchanging authentication and authorization information

Developed by the OASIS standards organisation

Uses HTTP as its transport protocol (most commonly the HTTP Redirect and HTTP POST bindings)

Designed to address the complexities of establishing business-to-business communication between differing systems.


SAML Assertion

A set of statements (claims) made by a SAML authority (Identity Provider or IdP)

Authentication statement: the subject was authenticated using a particular technique at a particular time

Attribute statement: particular attribute values are associated with the subject

Optional authorization decision statement: the subject is authorized to perform certain actions
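As an added example (not from the session and not any vendor's code), here is how a Service Provider would take apart an assertion carrying the three statement types above and apply the checks it must pass before the SP trusts anything in it: the expected issuer, the AudienceRestriction, the NotBefore / NotOnOrAfter window, the presence of an authentication statement and the presence of a signature. The assertion, issuer, audience and names are constructed; the Signature element is a structural placeholder, and cryptographic verification of it against the pinned IdP certificate is left to an XML-DSig library.

```python
"""Added example (not from the session): take apart a SAML 2.0 assertion and
apply the checks a Service Provider must pass before trusting it. The sample
assertion is constructed; its Signature element is a structural placeholder."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample carrying all three statement types.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1b2c3" Version="2.0"
    IssueInstant="2014-05-20T10:00:00Z">
  <saml:Issuer>https://idp.partner.example/idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>gundarev@partner.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-05-20T09:59:00Z" NotOnOrAfter="2014-05-20T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://go.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2014-05-20T09:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>gundarev@partner.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://go.example.com/" Decision="Permit">
    <saml:Action>read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC ('...Z'), optionally with a fractional second."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract what the SP decides on. The signature is only detected here;
    verifying it against the pinned IdP certificate is an XML-DSig job that
    must succeed before any value below is believed."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)

    def cond_time(attr):
        value = cond.get(attr) if cond is not None else None
        return parse_saml_time(value) if value else None

    attributes = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    decisions = [(d.get("Resource"), d.get("Decision"), [x.text for x in d.findall("saml:Action", NS)])
                 for d in root.findall("saml:AuthzDecisionStatement", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "signature_present": root.find("ds:Signature", NS) is not None,
        "not_before": cond_time("NotBefore"),
        "not_on_or_after": cond_time("NotOnOrAfter"),
        "audiences": [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "authn_instant": parse_saml_time(authn.get("AuthnInstant")) if authn is not None else None,
        "authn_context": root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "attributes": attributes,
        "authz_decisions": decisions,
    }


def validate_assertion(info, expected_issuer, expected_audience, now, require_signature=True):
    """Return the list of reasons to reject; empty means the assertion passes."""
    errors = []
    if info["issuer"] != expected_issuer:
        errors.append(f"unexpected issuer {info['issuer']!r}")
    if expected_audience not in info["audiences"]:
        errors.append("AudienceRestriction does not name this SP")
    if info["not_before"] and now < info["not_before"]:
        errors.append("not yet valid (NotBefore)")
    if info["not_on_or_after"] and now >= info["not_on_or_after"]:
        errors.append("expired (NotOnOrAfter)")
    if require_signature and not info["signature_present"]:
        errors.append("unsigned assertion: authenticity cannot be established")
    if info["authn_instant"] is None:
        errors.append("no AuthnStatement: nobody says the subject logged in")
    return errors


def check_sample(now_iso="2014-05-20T10:01:00Z"):
    """Run the checks on the constructed assertion at a given clock time."""
    info = parse_assertion(SAMPLE_ASSERTION)
    return validate_assertion(info, "https://idp.partner.example/idp",
                              "https://go.example.com/", parse_saml_time(now_iso))


if __name__ == "__main__":
    print("at 10:01 ->", check_sample() or "accepted")
    print("at 10:30 ->", check_sample("2014-05-20T10:30:00Z"))
```

The time window is the check people most often get wrong: the clock used for `now` must be the SP's own, with a small tolerance for skew, and an assertion that fails any one check is rejected as a whole; the attribute values are only read after the signature has actually been verified, which this script deliberately does not claim to do.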



SAML Assertion


X.509 Certificates

Trust is managed through certificates

Certificates for:

HTTPS communications

Security token (ST) signing and encryption

Require PKI for A & B certificates; C & D can be self-signed

(diagram) Relying party and Issuer. A and B are the communication (HTTPS) certificates of the two sides, each chaining to a trusted root ("Root for A", "Root for B"). C and D are the security token signing and encryption certificates; each side only needs the other's public key ("Public key of C", "Public key of D"), which is why they can be self-signed.


Federation Metadata

During the establishment of the issuer / relying party trust, both parties will require configuration which includes

End-points for communication

Claims offered by the issuer

Claims accepted by the relying party

Public keys for signing and encryption

This information can be configured manually or automatically via the exchange of federation metadata

Federation metadata can be automatically updated
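The metadata exchange above is where an SP learns the issuer's endpoints and public keys, and an automatic metadata refresh is where a wrong or hostile key could arrive unnoticed. As an added example (not from the session), the script below parses constructed IdP metadata, extracts the SingleSignOnService endpoints and the signing-certificate fingerprints, and refuses the document unless the configured entityID matches and at least one published signing certificate is already pinned; any extra signing certificate is reported as a pending key rollover for an administrator to approve. The metadata and the certificate blobs are made up: the certificates are placeholder bytes rather than real X.509 structures, since only the SHA-256 of the DER is used here.

```python
"""Added example (not from the session): parse SAML IdP metadata, pick out
the endpoints and signing keys an SP needs, and pin the signing certificate
so an automatic refresh cannot silently swap in a key nobody approved.
Metadata is constructed; certificate bodies are placeholder bytes."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholders standing in for base64-encoded DER certificates.
CERT_CURRENT = base64.b64encode(b"placeholder DER of the IdP signing cert (current)").decode()
CERT_NEXT = base64.b64encode(b"placeholder DER of the IdP signing cert (next)").decode()

SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.partner.example/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{current}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{next}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.partner.example/idp/SSOPOST"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.partner.example/idp/SSORedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".format(current=CERT_CURRENT, next=CERT_NEXT)


def cert_fingerprint(b64_cert):
    """SHA-256 over the DER bytes, the form you pin or compare by hand."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    keys = {"signing": [], "encryption": []}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        # A KeyDescriptor with no 'use' attribute is valid for both purposes.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            keys[use].append(cert_fingerprint(cert))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "keys": keys}


def check_idp_metadata(parsed, expected_entity_id, pinned_signing_fingerprints):
    """Return (errors, warnings). Any error means: do not load this metadata."""
    errors, warnings = [], []
    if parsed["entity_id"] != expected_entity_id:
        errors.append(f"entityID {parsed['entity_id']!r} differs from the configured issuer")
    post_url = parsed["sso"].get(POST_BINDING)
    if not post_url:
        errors.append("no HTTP-POST SingleSignOnService endpoint")
    elif not post_url.startswith("https://"):
        errors.append("HTTP-POST SSO endpoint is not https")
    if not any(fp in pinned_signing_fingerprints for fp in parsed["keys"]["signing"]):
        errors.append("none of the published signing certificates is pinned")
    for fp in parsed["keys"]["signing"]:
        if fp not in pinned_signing_fingerprints:
            warnings.append(f"unpinned signing certificate {fp[:16]}... published (key rollover?)")
    return errors, warnings


def check_sample():
    """Evaluate the constructed metadata with only the current cert pinned."""
    parsed = parse_idp_metadata(SAMPLE_IDP_METADATA)
    return check_idp_metadata(parsed, "https://idp.partner.example/idp",
                              {cert_fingerprint(CERT_CURRENT)})


if __name__ == "__main__":
    errors, warnings = check_sample()
    print("errors:", errors)
    print("warnings:", warnings)
```

Run this against the fetched metadata before every automatic update: the pinned set is the trust decision, the metadata is just the delivery vehicle, and a new certificate becomes trusted only when someone adds its fingerprint to the pinned set.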


SAML IdP Example


Active Directory Federation Services

AD FS 1.0 - released with Windows Server 2003 R2 as part of the operating system

AD FS 1.1 - released with Windows Server 2008 and was carried into Windows Server 2008 R2

AD FS 2.0 was released after Windows Server 2008 R2. It was released to the web and is

free to download.

ADFS 2.1 was released to Windows Server 2012 as part of the operating system


ADFS 1.x

AD FS 1.x is limited

WS-Federation Passive Requestor Profile (browser)

SAML 1.0 TOKENS

SAML 2.x is not backward compatible with SAML 1.x, so forget about ADFS 1.x


ADFS 2.x

A SAML implementation (both IdP and SP) from Microsoft

An AD-based single sign-on system

SAMLv2 Authentication

Allows for Single Sign on support for Web based applications.

AD FS 2.0 (the separate download for Windows Server 2008 R2) has SAML 2.0 support.


Can I Have it Out of the Box?

Not with StoreFront

Web Interface 5.4 supports ADFS out of the box!

ADFS version 1.1 only

Windows Server 2003 R2 only

32-bit edition of 2003 R2 only

Not supported with NetScaler, Secure Gateway only

Does not work with XenDesktop


Authentication in XenApp/XenDesktop

Support for several authentication methods

Smart cards, client certificates, RSA SecurID, etc.

Support for OS and non-OS credentials stores

OS: Active Directory and eDirectory

Non-OS: LDAP, RADIUS, 3rd party authentication methods.

Leverage Authentication methods supported by Windows:

Smartcard support

Client certificates support

Custom 3rd party authentication mechanisms through GINA extensions.

Leverage Windows authentication to flow the OS identity tokens between Access Infrastructure services

Example: flowing Kerberos tickets between ICA client and XA server.


SAML SP Example


NetScaler & SAML Authentication

NetScaler can act as a Service Provider (SP)

User can be authenticated on LB or CS vserver

NetScaler Gateway 10.1 supports SAML 2.0

Configuring SAML Authentication on NetScaler Gateway

http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-authen-saml-con.html

NetScaler practical / SAML AAA against simplesamlphp IdP

http://blogs.citrix.com/2012/08/24/174193098/

How to Configure NetScaler SAML to Work with Microsoft AD FS 2.0 IdP

https://support.citrix.com/article/CTX133919

Does not provide metadata

Use Metadata builder http://samlmetajs.simplesamlphp.org/demo


Authentication flow

(diagram) Parties: User, NetScaler (SP), IdP, Active Directory; the SP trusts the IdP

1. User browses to NetScaler Gateway (NG)

2. Not authenticated: redirected to the IdP

3. IdP authenticates the user and queries Active Directory for user attributes

4. IdP returns a security token (ST) to the user

5. User sends the token (ST) to NetScaler

6. NetScaler returns the page and a session cookie


MetaData

NetScaler does not provide metadata

Use Metadata builder

http://samlmetajs.simplesamlphp.org/demo




Shadow Accounts

Required to delegate access to non-claim-aware resources

Regular user account

Mapped to the attribute received from the IdP

Can be mapped to any attribute


SAML for XenApp/XenDesktop Options

S4U (Service-for-User) Kerberos Extensions

Kerberos delegation and S4U on NetScaler – too complicated

S4U on WebInterface? No future!

S4U on StoreFront? You mean StoreFront code customization?


SAML for XenApp/XenDesktop Options


Explicit Auth in XD/XA

(diagram) Components: Client (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine), Web Interface (WI), IMA / DDC, VDA (Winlogon), DC, Servers (File Server, Exchange, ...)

Flows shown: the user's password (pwd) is passed from the client's Winlogon / SSOn through IE to WI, from WI to the IMA / DDC for auth, and on to the VDA; WI returns a WI ticket that travels through the Desktop Toolbar and the ICA Client Engine to the VDA; the VDA's Winlogon uses the password to authenticate to the DC and get a TGT, then gets service tickets (svc ticket) for the back-end servers (File Server, Exchange, ...).


Solution

NetScaler SAML authentication

NetScaler FormFill SSO profile

Custom Account Manager Service

NetScaler HTTP Callout

NetScaler Rewrite Policy


Account Manager Service

Web Application

Creates shadow user accounts with a random password in AD

Stores the password securely

Responds to an HTTP request with the user's password

GET /GetPassword/gundarev@partner.com

Response:

0@J4y9jCv9CHzP2Q!rhMHY@7AOk7vfF2Rf1!T!i29QG^se^RQZbhjt4fOOmn$CN4
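The shadow-account mapping and the Account Manager web application described on the last two slides are the presenter's design; the code below is an added example of how such a service could be written with only Python's standard library, not the presenter's implementation. It maps the mail attribute asserted by the IdP to an AD-style account name, creates the shadow account with a random password the first time a subject is seen, and answers GET /GetPassword/<subject> only to a caller that presents a shared callout secret, so the password endpoint is not open to anyone who can reach the host. The header name, the allowed partner domain, the account-name rule and the in-memory store (which stands in for Active Directory and a real secret store) are all assumptions.

```python
"""Added example (not the presenter's code): a minimal Account Manager service
for the shadow-account design. Everything named here is an assumption; the
in-memory dict stands in for Active Directory and a proper secret store."""
import hmac
import re
import secrets
import string
from urllib.parse import unquote

ALLOWED_IDP_DOMAINS = {"partner.com"}                # subjects the federated IdP may assert
CALLOUT_SECRET = "replace-with-a-long-random-value"  # known only to the NetScaler callout
SECRET_HEADER = "X-Callout-Secret"
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
SUBJECT_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")


def make_password(length=32):
    """Random password for a shadow account; no human ever types it."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def shadow_account_name(subject):
    """Map the asserted mail attribute to a sAMAccountName: 'ext-' plus the
    local part stripped to [a-z0-9], cut to AD's 20-character limit."""
    local = subject.lower().partition("@")[0]
    return ("ext-" + re.sub(r"[^a-z0-9]", "", local))[:20]


class AccountManager:
    def __init__(self):
        self._accounts = {}  # subject -> {"sam": ..., "password": ...}

    def ensure_shadow_account(self, subject):
        """Create the shadow account the first time the IdP asserts this
        subject (just-in-time provisioning); return the record afterwards."""
        if subject not in self._accounts:
            self._accounts[subject] = {"sam": shadow_account_name(subject),
                                       "password": make_password()}
        return self._accounts[subject]

    def disable(self, subject):
        """The account partner de-activated the user: drop the mapping so the
        next callout cannot obtain the old password."""
        self._accounts.pop(subject, None)

    def handle(self, method, path, headers):
        """Handle one HTTP request and return (status, body)."""
        if method != "GET" or not path.startswith("/GetPassword/"):
            return 404, "not found"
        # Only the gateway's callout may ask; compare in constant time.
        presented = headers.get(SECRET_HEADER, "")
        if not hmac.compare_digest(presented.encode(), CALLOUT_SECRET.encode()):
            return 401, "unauthorized"
        subject = unquote(path[len("/GetPassword/"):]).lower()
        if not SUBJECT_RE.match(subject):
            return 400, "malformed subject"
        if subject.rsplit("@", 1)[1] not in ALLOWED_IDP_DOMAINS:
            return 403, "subject is not from a federated domain"
        return 200, self.ensure_shadow_account(subject)["password"]


def serve(port=8080):
    """Stand-alone listener for trying it out; put TLS in front of it."""
    from http.server import BaseHTTPRequestHandler, HTTPServer
    manager = AccountManager()

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = manager.handle("GET", self.path, self.headers)
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body.encode())

    HTTPServer(("127.0.0.1", port), Handler).serve_forever()


if __name__ == "__main__":
    serve()
```

The NetScaler callout on the later slide fetches from this endpoint with the subject taken from the login POST, so the only thing standing between any client that can reach the Account Manager host and every shadow password is the authentication of that request; the shared header here is the minimum, and a callout vserver that speaks TLS and only accepts the gateway's source address is the sensible deployment.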


SAML Authentication Profile

add authentication samlAction PartnerIdp -samlIdPCertName Partner-idp -samlSigningCertName ns-server-certificate -samlRedirectUrl "https://osso.parner.com:443/opensso/SSOPOST/metaAlias/partnernet/idp" -samlUserField mail -samlRejectUnsignedAssertion OFF -samlIssuerName "https://go.example.com/"

add authentication samlPolicy PartnerIdp ns_true PartnerIdp

Note: -samlRejectUnsignedAssertion OFF lets NetScaler accept an assertion that carries no signature, which removes the authenticity check the X.509 slide relies on; outside a lab set it to ON so that only assertions signed by the certificate bound as -samlIdPCertName are accepted.


Form SSO Profile

add vpn formSSOAction WebInterfaceFormSSOProfile -actionURL "/SSO/auth/login.aspx" -userField email -passwdField donotuse -ssoSuccessRule "Http.RES.SET_COOKIE.COOKIE(\"WIAuthId\").VALUE(\"WIAuthId\").LENGTH.GT(10) && Http.RES.STATUS.EQ(302)" -nameValuePair "password=&LoginType=Explicit" -nvtype STATIC -submitMethod POST

add vpn trafficAction WebInterfaceFormSSOTrafficProfile http -appTimeout 120 -SSO ON -formSSOAction WebInterfaceFormSSOProfile

add vpn trafficPolicy WebInterfaceFormSSOTrafficPolicy "(URL CONTAINS /sso/auth/login.aspx) && METHOD == GET && HEADER Cookie CONTAINS WIClientInfo" WebInterfaceFormSSOTrafficProfile


Callout and Rewrite

add policy httpCallout AccountManager

set policy httpCallout AccountManager -vServer AccountManager -returnType TEXT -hostExpr "\"CN1-ACCMAN01.example.com\"" -urlStemExpr "\"/GetPassword/\" + http.REQ.BODY(500).AFTER_REGEX(re#email=#).BEFORE_REGEX(re#&#)" -resultExpr "http.RES.BODY(1000).XPATH(xp%/%)"

add rewrite action ReplaceEmptyPasswordAction replace_all "HTTP.REQ.BODY(500)" "\"&password=\" + SYS.HTTP_CALLOUT(AccountManager).HTTP_URL_SAFE + \"&\"" -search "regex(re/&password=[ -~]*&/)" -bypassSafetyCheck YES

add rewrite policy ReplaceEmptyPasswordPolicy "http.req.method.eq(POST) && HTTP.REQ.URL.PATH.TO_LOWER.EQ(\"/sso/auth/login.aspx\")" ReplaceEmptyPasswordAction


Communication flow

(diagram) Components: User's Browser, ADFS (backed by Active Directory), NetScaler Gateway, Account Manager, StoreFront, XenDesktop Controller (DDC), VDA, Active Directory

1. User authenticates at the SSO portal

2. SSO sends a SAML Response to the user's browser

3. User's browser POSTs the SAML response to NetScaler Gateway

4. NetScaler requests the shadow user's credentials from Account Manager

5. Account Manager sends the credentials back to NetScaler

6. NetScaler submits the shadow user's credentials to StoreFront

7. StoreFront requests a XenDesktop token from the DDC

8. DDC sends the XenDesktop token back to StoreFront

9. StoreFront sends the ICA file

10. Citrix Receiver connects to Access Gateway

11. NetScaler Gateway connects to the desktop (VDA)

12. Shadow user logged on


SAML-enabled solutions

Cloud

www.pingidentity.com

www.ssoeasy.com

www.forumsys.com

www.okta.com

www.onelogin.com

www.cloudentr.com

Azure Active Directory

Google Apps

On prem

Microsoft ADFS

Oracle OpenSSO

ForgeRock OpenAM

PingFederate

RCDevs OpenID

Novell Access Manager

IBM Tivoli Access Manager

JBoss SSO


Q&A

j.mp/gundarev

@fdwl

DenisG@entisys.com
