Embed Size (px)
DESCRIPTION
In the past, users have authenticated with Pipeline Pilot by providing a username and password. Starting with 8.5 and continuing with 9.0 we now support additional authentication mechanisms such as Kerberos and SAML. Both Kerberos and SAML can provide a Single Sign On capability; SAML also provides the ability to run secure SOAP web services. This session will detail the current state of support for Kerberos and SAML in AEP 9.0 and discuss future enhancements.
Citation preview
(ATS4-PLAT09) Kerberos and SAML with Accelrys Enterprise Platform 9.0
Jon HurleySenior Manager, Platform R&D
The information on the roadmap and future software development efforts are intended to outline general product direction and should not be relied on in making a purchasing decision.
• (ATS-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0– Discussion of authorization enhancements in AEP 9.0
• New Authentication Methods– Kerberos– SAML
• Sender Vouches
– Why?
Security in AEP 9.0
I am NOT a security expert
• Kerberos is ticket based authentication baked into the Operating System– Many components (e.g. Web Browsers) are able to transmit
Kerberos tickets• Provides Single Sign On – if you are already signed on to the browser,
the Kerberos ticket can log you in to another system
– The server requests an ‘authentication negotiation’ with the browser• If the browser (and OS account) is appropriately configured, a Kerberos
ticket can be transmitted in response
What is Kerberos?
Kerberos Sequence Diagram
• In the AEP 8.5 release, Kerberos authentication was only supported on Windows Servers– The authentication method was termed WIA (Windows
Integrated Authentication)– The mechanism used to perform the authentication is termed
SPNEGO which allows authentication with Kerberos tickets• On Windows, NTLM can also be used with SPNEGO
– Kerberos requires clients that support SPNEGO:• Web browsers: IE, Firefox, Chrome• SDKs: .NET Client SDK, JavaScript Client SDK, RunProtocol• Not supported: other SDKs (Java) or Pipeline Pilot client
Support for Kerberos/SPNEGO
• Additional Kerberos support in AEP 9.0– Delegation on Windows using Full Impersonation
• If your AEP server is configured for Full Impersonation and if your Kerberos realm (e.g. Active Directory) is configured to allow Delegation, this is supported through Pipeline Pilot– Protocols can use their Kerberos token to connect to other Kerberized
resources (e.g. UNC files, HTTP services, SQL Server databases)
– Delegation with Restricted Impersonation is planned
Enhanced support for Kerberos/SPNEGO
• Kerberos Authentication on Linux– Kerberos authentication is now supported on Linux– We do NOT support delegation in AEP 9.0
• Just Kerberos Authentication on Linux
Enhanced support for Kerberos/SPNEGO
Kerberos Configuration
• On the authentication page, enable SPNEGO
Demo
Kerberos Client Configuration – Internet Explorer
• Internet Explorer– Add the server as a trusted site (Tools > Internet Options >
Security > Trusted Sites > Custom Level > User Authentication > Logon).
– Select Automatic logon with current user name and password. – If your server is already part of the Local Intranet, select
Automatic logon only in Intranet zone.– These settings may be provided by IT using a group policy
Kerberos Client Configuration – Firefox
– Browse to "about:config" and add the server names to the following preferences: • network.negotiate-auth.trusted-uris• network.negotiate-auth.delegation-uris
– If wish to support delegation on AEP server
• SAML is Security Assertions Markup Language• Commonly associated to SOAP services• SAML Sender Vouches Sender Confirmation– Web Services securely calling AEP– AEP securely calling SAML protected Web Services
• Externalization– SAML allows federation of multiple Identify Providers (IdP)
SAML Support
SAML
Username Token
Custom Cookie
SAML
Form Based
Basic
Kerberos
SAML Sender Vouches - Outbound
SDK Clients
CALPP, NALPP, JALPP
Clients AEP Server Other Web Serverhttp(s) http(s)
Browser
IE, FF, Chrome
15
Serv
ice
Con
tain
erOther
Server
WebLogic
ServerKerberos
Toke
n
AEP 9.0
Server
• AEP Protocol securely calling a SAML protected web service– Need to create our SAML Certificate used to self-sign our
outbound SAML Sender Vouches messages– We use the AEP server’s SSL Certificate– Use the Security > SAML Certificates admin portal page– Click the Import KeyPair button to store the SSL Certificate as
the SAML Certficate• AEP 9.0 self-signs all outbound Sender Vouches messages (does not
use an external IdP for message signing)
SAML Sender Vouches - Outbound
SAML Sender Vouches – Outbound: SOAP Connector
• Call the service with the SOAP Connector– Set the Token Type parameter to ‘SAML 2.0 Sender Vouches’
• Coming by 9.0 – support for a policy engine (map to a ws-policy file)
SAML Sender Vouches - Outbound
Kerberos
Form Based
Basic
SAML
Username
Custom Cookie
SAML
SAML Sender Vouches - Inbound
Other Clients
Clients Other Web Server AEP Serverhttp(s) http(s)
Browser
IE, FF, Chrome
19
Serv
ice
Con
tain
erOther
Server
WebLogic
ServerKerberos
AEP 9.0 Server
• Web Services securely calling AEP– Need to import a certificate from the outside web
service agent so that we trust it• Use the Security > SAML Certificates admin portal page• Click the Import button on the Available Certificates grid
and paste in the server’s SAML Certificate– Optionally specify one or more SAML Issuer Ids to restrict this
certificate to certain services– If none specified, any service using this certificate will be
supported
SAML Sender Vouches - Inbound
SAML Sender Vouches - Inbound
• Example protocol that demonstrates an outbound/inbound round trip– The Protocol uses the SOAP Connector to make an Outbound
SAML Sender Vouches call to an Inbound SAML Sender Vouches endpoint
– This Inbound endpoint is a SAML protected web service on the same AEP server that runs a protocol echoing the request
SAML Sender Vouches – Example Protocol
SAML Sender Vouches – Example Protocol
…
SAML Sender Vouches – SOAP Request Packet
<soap-env:Body>
<ns1:echo><hello>jhurley</hello>
</ns1:echo>
</soap-env:Body>
SAML Sender Vouches – SOAP Request Packet (Body)
<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:examples:soap:echoservice" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Body> <echoResponse xmlns="urn:examples:soap:echoservice">
<return>jhurley</return> </echoResponse> </soapenv:Body></soapenv:Envelope>
SAML Sender Vouches – SOAP Response Packet
• Results from the protocol – Successful execution echoing the username (SAML assertion)
TestResult PassedechoResponse/return jhurley
SAML Sender Vouches – Example Protocol
WSDL-First Protocols
• This example calls the Echo Service protocol– This is an example of a WSDL-First protocol– As a user, create the WSDL file and then your protocol is designed to operate
with a SOAP packet conforming to that WSDL– Invoke the protocol with a suitable SOAP URL:
• $(ServerRoot)/wsse/wservice/{Full Path of Protocol}– The framework validates the request and passes in the contents of the soap-
env:body element as a global property xmldocin:
<ns1:echo><hello>jhurley</hello>
</ns1:echo>
WSDL First Protocols
• Using an XML Reader and the setting ‘Properties Are: Leaf Elements’ results in this data record
• AEP 9.0 supports Kerberos SSO and SAML Sender Vouches• Communicate with us – let us know what authentication
providers are important now and in the future• Forthcoming documentation on configuring protocols as
WSDL-first Web Services
• (ATS-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0
Summary
