KeyShield SSO: SSO infrastructure for Novell technologies. Václav Šamša & dear Novell guests: Dean Lythgoe, Richard Lindstedt, Kai Reichert

GWAVACon 2013: Keyshield SSO Infrastructure for Novell Technologies


KeyShield SSO Connects eDir/AD desktop login and mobile devices with SSO

Novell solutions

Novell products?

We are talking about Filr, Vibe, GroupWise Mobility Service, GroupWise, iPrint, Messenger, Service Desk ...

All are, or are becoming, fairly standard in working with a principal: the only thing they need is to identify the user's object within a directory (eDirectory, Active Directory ...).

By the way, the vast majority of users still consume Novell product services from the Windows desktop, about 30% of them still on XP ...

Previously, the integration point for SSO was the Novell Client for Windows; now there is no connection between the client and the browser or web client ...

So, back in 2009, the question was how to make everything work together on Windows, Linux, Mac and, of course, all mobile devices.


SSO infrastructure for Novell solutions

How does KeyShield SSO do it?

SAML support

REST API interface for easy and fast direct integrations

The integrated system needs only a short, simple piece of code that asks KeyShield SSO for the principal (UserID). Let's look at the simplified schema.


KeyShield SSO - authentication (simplified schema)

Parties: Windows Workstation, Browser or Native client, Integrated system (IS), KeyShield SSO server

1. Windows Workstation: run client/browser.
2. Browser or Native client: the client connects to the IS.
3. Integrated system: valid session? No – ask the KeyShield SSO server for the principal.
4. KeyShield SSO server: check user by IP of the Windows Workstation (address of the client); send user ID (principal).
5. Integrated system: search the user profiles database for the user ID provided by the KeyShield SSO server. Found – start session.
6. User is successfully authenticated by the IS.


The user is identified by the IP address currently used by the user's device.

This works with anything that communicates via IP from the device.

This includes any browser and any WebDAV client. Let's look at the simplified schema for Filr and Vibe.


KeyShield SSO – Filr WebDAV example (simplified schema)

Parties: Browser, Web Client, Novell Filr or Vibe, KeyShield SSO server

1. Browser: the user clicks the Edit button for a particular document.
2. Web Client: the Windows built-in Web Client gets the request via WebDAV.
3. Novell Filr or Vibe: WebDAV has no access to the browser cookie or session – ask the KeyShield SSO server for the user's identity.
4. KeyShield SSO server: check user by IP of the Windows Workstation (address of the client); send user ID (principal).
5. Novell Filr or Vibe: search the user profile for the user ID provided by the KeyShield SSO server. Found. Session created.
6. User can edit the file.
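The two schemas above (the generic integrated system and the Filr/Vibe WebDAV case) follow the same pattern on the integrated-system side: no valid session, ask the SSO server for the principal of the client's IP address, look that principal up in the local user profiles, start a session. The following is an added simulation of that integrated-system logic, not code from KeyShield or Novell; the SSO server's REST API format is not shown on the slides, so the lookup is a constructed stand-in keyed by client IP, and the DNs and IP addresses are made up.

```python
"""Simulated Integrated System (IS) following the KeyShield SSO schema:
no valid session -> ask the SSO server for the principal of the client IP,
look the principal up in the user-profile database, start a session.
The REST API format is not given on the slides; sso_lookup() is a
constructed stand-in keyed by client IP."""
import secrets
from typing import Optional

# Constructed stand-in for the KeyShield SSO server's knowledge: IP -> principal.
SSO_TABLE = {"10.0.0.5": "cn=alice,ou=users,o=acme"}
# Constructed user-profile database of the integrated system.
USER_PROFILES = {"cn=alice,ou=users,o=acme": {"display": "Alice"}}


def sso_lookup(client_ip: str) -> Optional[str]:
    """Stand-in for the REST call 'check user by IP of the workstation'."""
    return SSO_TABLE.get(client_ip)


class IntegratedSystem:
    def __init__(self):
        self.sessions = {}   # session id -> principal
        self.sso_calls = 0   # how often the SSO server was asked

    def handle_request(self, client_ip, session_id=None):
        """Return (principal, session_id), or (None, None) if unauthenticated.

        client_ip must be the transport-level peer address of the
        connection (the 'address of the client' in the schema), never a
        value taken from a request header."""
        if session_id in self.sessions:          # valid session: no SSO call
            return self.sessions[session_id], session_id
        self.sso_calls += 1
        principal = sso_lookup(client_ip)        # ask KeyShield for the principal
        if principal is None or principal not in USER_PROFILES:
            return None, None                    # unknown user: fall back to login
        sid = secrets.token_urlsafe(16)          # found: start session
        self.sessions[sid] = principal
        return principal, sid
```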


The user can authenticate to the SSO system, but that means at least two authentications a day – to the environment/desktop and to the SSO.

The demand we clearly see is for really tight integration – once the user is authenticated to the environment/desktop (eDirectory, Active Directory etc.), no further authentication is necessary for any system.

Any system means everything inside the LAN/WAN and also anything hosted (in the cloud).

There can be an SSO solution supporting NTLM, and there is KeyShield SSO – we support both. Let's look at the simplified schema of the Novell Client for Windows integration.


Novell Client for Windows integration (simplified schema)

Parties: Novell Client, KeyShield client, KeyShield server

1. Novell Client: authentication to eDirectory and to the workstation.
2. KeyShield client: authentication detected. Send user info to the KeyShield SSO server together with the workstation IP address.
3. KeyShield server: generates a token, which it writes to the user's object in eDirectory. The token ID together with an authentication challenge is then sent to the KeyShield SSO client.
4. KeyShield client: receive token ID and challenge.
5. KeyShield client: eDirectory search for the token ID; the value is returned to the KeyShield client.
6. KeyShield client: generate response.
7. KeyShield server: validity check.
8. Authentication OK!
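An added simulation of the token exchange in the schema above, written for this page and not KeyShield's own code: the server writes a token to the user's eDirectory object, the client (already authenticated to eDirectory) reads it back and answers the challenge, and the server checks the result. The slides do not state the token format or the response function, so this example assumes the response is HMAC-SHA256 keyed with the token over the challenge and that each token is single-use; eDirectory is replaced by a plain dict and the DN and IP address are made up.

```python
"""Simulated KeyShield client/server token exchange. Assumptions (not
from the slides): response = HMAC-SHA256(key=token, msg=challenge), the
token is deleted after one validity check, eDirectory is a dict."""
import hashlib
import hmac
import secrets

# Constructed eDirectory stand-in: user DN -> attributes on the user's object.
directory = {"cn=alice,ou=users,o=acme": {}}


class KeyShieldServer:
    def __init__(self, directory):
        self.dir = directory
        self.pending = {}   # token_id -> (user_dn, workstation_ip, challenge)

    def authentication_detected(self, user_dn, workstation_ip):
        """Step 3: generate a token, write it to the user's object,
        return the token ID and an authentication challenge."""
        token_id = secrets.token_hex(8)
        token = secrets.token_bytes(32)
        self.dir[user_dn][token_id] = token          # stored on the user's object
        challenge = secrets.token_bytes(16)
        self.pending[token_id] = (user_dn, workstation_ip, challenge)
        return token_id, challenge

    def validity_check(self, token_id, response):
        """Step 7: compare the client's response with the expected value.
        Returns (user_dn, workstation_ip) on success, None otherwise."""
        entry = self.pending.pop(token_id, None)
        if entry is None:                            # unknown or already used
            return None
        user_dn, workstation_ip, challenge = entry
        token = self.dir[user_dn].pop(token_id, None)  # single use: remove it
        if token is None:
            return None
        expected = hmac.new(token, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return user_dn, workstation_ip               # "Authentication OK!"


def client_response(directory, user_dn, token_id, challenge):
    """Steps 4-6: the KeyShield client searches its own eDirectory object
    for the token ID (it is already authenticated there) and generates
    the response to the challenge."""
    token = directory[user_dn][token_id]
    return hmac.new(token, challenge, hashlib.sha256).digest()
```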


The integration mechanism is rock solid.

With this kind of integration, the whole Novell environment can be much more efficient and convenient than Microsoft's.

Together with our colleagues from Novell, we support all scenarios, user platforms, server platforms and mobile devices.

If you have any home-brewed system, you are lucky with us – the integration is a piece of cake.

Let's discuss the SSO support for Novell technologies; the following slides are pretty theoretical and boring ...

KeyShield SSO

SSO infrastructure for Novell technologies. vsamsa@tdp.cz, www.keyshieldsso.com, www.securewinbox.com