SAML and Other Types of Federation for Your Enterprise, session from BriForum London 2014
@fdwl #BriForum @entisys
SAML and Other Types of
Federation for Your Enterprise
Denis Gundarev, Senior Consultant, Entisys Solutions
May 20, 2014
Based on a true story
About me
Agenda
What is federated authentication
How to add federation support for your legacy applications
Identity and Account Management Basics
Identity Management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within the enterprise.
Integral components of identity and access management:
Identification
Authentication
Authorization
Identification vs. Authentication vs. Authorization
Entity vs Identity vs Credential vs Attribute
Entity
• Person
• Computer
Identity
• Active Directory Account
• Passport Number
• Serial Number
Credential
• Passport
• Credit Card
• Kerberos token
Attribute
• Address
• Qualification
• Criminal record
Attribute Assertion
An attribute assertion is a claim made by someone (the asserter) that a particular person possesses a particular attribute.
A college can confirm that a person has graduated.
Active Directory can confirm that a password is correct.
A digitally signed attribute assertion = authorization credential.
Source: David W Chadwick, Federated Identity Management, http://kar.kent.ac.uk/30609/1/FederatedIdManChapter.pdf
Credential Types
Credential authenticity
Not tampered with
Received exactly as issued by the issuing authority
Digitally signed to prove authenticity
Credential validity
Monopoly money is authentic if obtained from the Monopoly game pack:
valid for buying stuff in the game
NOT valid in a grocery store
A credit card is an authentic credential:
valid in Marks & Spencer
not valid in a fisherman's village in the middle of nowhere during the night
Source: David W Chadwick, Federated Identity Management, http://kar.kent.ac.uk/30609/1/FederatedIdManChapter.pdf
What is Federation?
A set of standards-based technology & IT processes to facilitate distributed identification, authentication & authorization across boundaries (security, departmental, organizational or platform).
Federation Example
Diagram: an Entity authenticates to the Identity Provider (IdP); the IdP issues an Attribute Assertion, which the Service Provider (SP) uses to grant access to its Resources.
Federation Example
Facebook performs the authentication and generates a signed attribute assertion containing the user name and a unique user ID.
Digg maintains the user database and the authorization.
Why Do I Need Federation?
Provide access to your applications to suppliers or partners
Quickly onboard acquired organization
Provide access for temporary workers by using “bring your own identity” model
Service Providers
Can’t I Just Create User Accounts?
More work for you
Less security for your network
No control over the user population
Can’t I Just Use Forest Trusts?
Network connection between partners
User principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces are replicated
DNS configuration is required
Benefits of Federation
Better Access Experience
Single sign-on across networks & organizational boundaries
Increased Security & Simpler Administration
Heightened identity assurance
No passwords involved
Account de-activation is handled by the account partner
Account partner can easily be disabled at the organizational level
Strong authentication such as user certificates or OTP tokens can be layered on top of the federation claim
Benefits of Federation
Corporate Directories
•Active Directory
•LDAP
•Kerberos
Special Cases
•Anonymous users
•One-time Access
Partners
•ADFS
•OpenSSO
•PingIdentity
Private-Sector IdPs
•Office365
•Microsoft
SAML
SAML – Security Assertion Markup Language
XML-based security specification for exchanging authentication and authorization information
Developed by the OASIS standards organisation
Uses HTTP as the communication protocol
Designed to address the complexities of establishing business-to-business communication between differing systems.
SAML Assertion
A set of statements (claims) made by a SAML authority (Identity Provider or IdP)
Authentication statement: subject was authenticated using a particular technique at a particular time
Attribute statement: particular attribute values are associated with the subject
Optional authorization decision statement: subject is authorized to perform certain actions
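The checks a Service Provider makes on an assertion carrying the statements listed above, as an added example that is not from the deck or from any vendor. It uses only Python's standard XML parser. The assertion text, the issuer https://idp.example.org/, the subject alice@example.com and the attribute values are constructed sample data; the audience https://go.example.com/ reuses the SP issuer name from the NetScaler profile later in the deck. The reject_unsigned switch mirrors what the deck's -samlRejectUnsignedAssertion setting decides: it tests only whether a ds:Signature element is present, since verifying the signature itself needs an XML-DSig library.

```python
# Added example (not from the deck): Service-Provider-side checks on a SAML 2.0
# assertion carrying an authentication statement and an attribute statement.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample assertion. Issuer, subject and attribute values are made
# up; the audience reuses the SP issuer name from the deck's NetScaler profile.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2014-05-20T10:00:00Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-05-20T10:00:00Z" NotOnOrAfter="2014-05-20T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://go.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2014-05-20T09:59:58Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2014-05-20T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_statements(xml_text):
    """Pull out the statements the slide lists: who was authenticated, how and
    when, and which attribute values the IdP asserts for the subject."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    authn = root.find("saml:AuthnStatement", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authn_instant": None if authn is None else authn.get("AuthnInstant"),
        "authn_context": root.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "attributes": attrs,
    }


def validate_assertion(xml_text, trusted_issuer, audience, now, reject_unsigned=True, skew_seconds=60):
    """Return the reasons to refuse the assertion; an empty list means accept.
    `now` is a SAML-style UTC timestamp string. reject_unsigned mirrors the
    NetScaler -samlRejectUnsignedAssertion switch: only the presence of a
    signature is checked here, not its validity."""
    root = ET.fromstring(xml_text)
    errors = []
    if reject_unsigned and root.find("ds:Signature", NS) is None:
        errors.append("assertion is not signed")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        errors.append("untrusted issuer %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no Conditions element")
    else:
        t = _ts(now)
        skew = timedelta(seconds=skew_seconds)
        if cond.get("NotBefore") and t + skew < _ts(cond.get("NotBefore")):
            errors.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and t - skew >= _ts(cond.get("NotOnOrAfter")):
            errors.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and audience not in audiences:
            errors.append("audience %r not accepted" % audience)
    if root.find("saml:AuthnStatement", NS) is None:
        errors.append("no authentication statement")
    return errors


if __name__ == "__main__":
    print(parse_statements(SAMPLE_ASSERTION))
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.org/",
                             "https://go.example.com/", "2014-05-20T10:02:00Z",
                             reject_unsigned=False))
```

The validity window, audience and issuer checks are what separate an authentic assertion from a valid one in the Monopoly-money sense used earlier in the deck: the same signed token is valid only for the SP named in its audience and only between NotBefore and NotOnOrAfter.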
SAML Assertion
X.509 Certificates
Trust is managed through certificates
Certificates for:
HTTPS communications
Security token signing and encryption
Require PKI for A & B certificates; C & D can be self-signed
Diagram (labels recovered): Relying party and Issuer; Communication (A); Signing (B) and Encryption of the security token (ST); Public key of C, C; Public key of D, D; Root for A, Root for B
Federation Metadata
During the establishment of the issuer / relying party trust, both parties will require configuration which includes:
End-points for communication
Claims offered by the issuer
Claims accepted by the relying party
Public keys for signing and encryption
This information can be configured manually or automatically via the exchange of federation metadata
Federation metadata can be automatically updated
SAML IdP Example
Active Directory Federation Services
AD FS 1.0 - released with Windows Server 2003 R2 as part of the operating system
AD FS 1.1 - released with Windows Server 2008 and was carried into Windows Server 2008 R2
AD FS 2.0 was released after Windows Server 2008 R2. It was released to the web and is free to download.
ADFS 2.1 was released to Windows Server 2012 as part of the operating system
ADFS 1.x
AD FS 1.x is limited
WS-Federation Passive Requestor Profile (browser)
SAML 1.0 tokens
SAML 2.x is not backward compatible with SAML 1.x, so forget about ADFS 1.x
ADFS 2.x
A SAML implementation (both IdP and SP) from Microsoft
An AD-based single sign-on system
SAMLv2 Authentication
Allows for Single Sign on support for Web based applications.
ADFS for Windows 2008 R2 has SAML 2.0 support.
Can I Have it Out of the Box?
Not with StoreFront
Web Interface 5.4 supports ADFS out of the box!
ADFS version 1.1 only
Windows Server 2003 R2 only
32-bit edition of 2003 R2 only
Not supported with NetScaler, Secure Gateway only
Does not work with XenDesktop
Authentication in XenApp/XenDesktop
Support for several authentication methods
Smart cards, client certificates, RSA SecurID, etc.
Support for OS and non-OS credential stores
OS: Active Directory and eDirectory
Non-OS: LDAP, RADIUS, 3rd-party authentication methods
Leverage authentication methods supported by Windows:
Smartcard support
Client certificate support
Custom 3rd-party authentication mechanisms through GINA extensions
Leverage Windows authentication to flow the OS identity tokens between Access Infrastructure services
Example: flowing Kerberos tickets between the ICA client and the XA server
SAML SP Example
NetScaler & SAML Authentication
NetScaler can act as a Service Provider (SP)
User can be authenticated on LB or CS vserver
NetScaler Gateway 10.1 supports SAML 2.0
Configuring SAML Authentication on NetScaler Gateway
http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-authen-saml-con.html
NetScaler practical / SAML AAA against simplesamlphp IdP
http://blogs.citrix.com/2012/08/24/174193098/
How to Configure NetScaler SAML to Work with Microsoft AD FS 2.0 IdP
https://support.citrix.com/article/CTX133919
Does not provide metadata
Use Metadata builder http://samlmetajs.simplesamlphp.org/demo
Authentication flow
Diagram participants: User, NetScaler (SP), IdP, Active Directory; the SP trusts the IdP
Browse to NG
Not authenticated
Redirected to IdP
Authenticate user
Return security token (ST)
Send token (ST) to the SP
Query Active Directory for user attributes
Return page and cookie
MetaData
NetScaler does not provide metadata
Use Metadata builder
http://samlmetajs.simplesamlphp.org/demo
Shadow Accounts
Required to delegate access to non-claim-aware resources
A regular user account
Mapped to the attribute received from the IdP
Can be mapped to any attribute
SAML for XenApp/XenDesktop Options
S4U (Service-for-User) Kerberos Extensions
Kerberos delegation and S4U on NetScaler – too complicated
S4U on WebInterface? No future!
S4U on StoreFront? You mean StoreFront code customization?
SAML for XenApp/XenDesktop Options
Explicit Auth in XD/XA
Diagram components: Client (IE, Desktop Toolbar, ICA Client Engine, SSOn), WI, DDC (IMA / DDC), DC, VDA (Winlogon), Servers (File Server, Exchange, …)
Diagram flow labels: pwd (password), auth, WI ticket, Authenticate & get TGT, Get svc ticket, Svc ticket
Solution
NetScaler SAML authentication
NetScaler FormFill SSO profile
Custom Account Manager Service
NetScaler HTTP Callout
NetScaler Rewrite Policy
Account Manager Service
Web application
Creates shadow user accounts with a random password in AD
Stores the password securely
Responds to an HTTP request with the user's password
GET /GetPassword/[email protected]
Response:
0@J4y9jCv9CHzP2Q!rhMHY@7AOk7vfF2Rf1!T!i29QG^se^RQZbhjt4fOOmn$CN4
SAML Authentication Profile
add authentication samlAction PartnerIdp -samlIdPCertName Partner-idp -samlSigningCertName ns-server-certificate -samlRedirectUrl "https://osso.parner.com:443/opensso/SSOPOST/metaAlias/partnernet/idp" -samlUserField mail -samlRejectUnsignedAssertion OFF -samlIssuerName "https://go.example.com/"
add authentication samlPolicy PartnerIdp ns_true PartnerIdp
Form SSO Profile
add vpn formSSOAction WebInterfaceFormSSOProfile -actionURL "/SSO/auth/login.aspx" -userField email -passwdField donotuse -ssoSuccessRule "Http.RES.SET_COOKIE.COOKIE(\"WIAuthId\").VALUE(\"WIAuthId\").LENGTH.GT(10) && Http.RES.STATUS.EQ(302)" -nameValuePair "password=&LoginType=Explicit" -nvtype STATIC -submitMethod POST
add vpn trafficAction WebInterfaceFormSSOTrafficProfile http -appTimeout 120 -SSO ON -formSSOAction WebInterfaceFormSSOProfile
add vpn trafficPolicy WebInterfaceFormSSOTrafficPolicy "(URL CONTAINS /sso/auth/login.aspx) && METHOD == GET && HEADER Cookie CONTAINS WIClientInfo" WebInterfaceFormSSOTrafficProfile
Callout and Rewrite
add policy httpCallout AccountManager
set policy httpCallout AccountManager -vServer AccountManager -returnType TEXT -hostExpr "\"CN1-ACCMAN01.example.com\"" -urlStemExpr "\"/GetPassword/\" + http.REQ.BODY(500).AFTER_REGEX(re#email=#).BEFORE_REGEX(re#&#)" -resultExpr "http.RES.BODY(1000).XPATH(xp%/%)"
add rewrite action ReplaceEmptyPasswordAction replace_all "HTTP.REQ.BODY(500)" "\"&password=\"+SYS.HTTP_CALLOUT(AccountManager).HTTP_URL_SAFE+\"&\"" -search "regex(re/&password=[ -~]*&/)" -bypassSafetyCheck YES
add rewrite policy ReplaceEmptyPasswordPolicy "http.req.method.eq(POST) && HTTP.REQ.URL.PATH.TO_LOWER.EQ(\"/sso/auth/login.aspx\")" ReplaceEmptyPasswordAction
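The Account Manager Service slide and the Callout and Rewrite slide together describe one transformation: the form SSO profile posts a body with an empty password field, the callout fetches the shadow account's password by the e-mail address in that body, and the rewrite splices it in URL-safe encoded. As an added example that is not the deck's or Citrix's code, the Python below models that path end to end so it can be run and tested offline. The shadow-account naming rule, the password alphabet and length, and the in-memory account store are assumptions for the sample (the real service writes to AD); the search regex and the field names are the ones in the deck's configuration.

```python
# Added example (not from the deck): a Python model of the Account Manager
# Service plus the NetScaler callout / rewrite step, so the transformation of
# the login POST can be followed and tested offline.
import re
import secrets
import string
from urllib.parse import parse_qs, quote

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
PASSWORD_LENGTH = 48   # constructed choice; the deck's sample password is longer


class AccountManager:
    """Stand-in for the deck's Account Manager web application: one shadow
    account per IdP 'mail' attribute, each with a random password that only
    this service and the rewrite path ever see."""

    def __init__(self):
        # mail (lower-cased) -> (sAMAccountName, password); a real service writes AD
        self._accounts = {}

    def ensure_shadow_account(self, mail):
        """Create the shadow account on first sight of the IdP attribute."""
        key = mail.lower()
        if key not in self._accounts:
            local = key.split("@", 1)[0]
            sam = re.sub(r"[^a-z0-9]", ".", local)[:20]   # constructed naming rule
            pwd = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(PASSWORD_LENGTH))
            self._accounts[key] = (sam, pwd)
        return self._accounts[key][0]

    def get_password(self, mail):
        """Equivalent of GET /GetPassword/<mail>: the plain-text password,
        or KeyError for an address that has no shadow account."""
        return self._accounts[mail.lower()][1]


# Search expression of the rewrite action, as in the deck's configuration.
PASSWORD_FIELD = re.compile(r"&password=[ -~]*&")


def email_from_body(body):
    """urlStemExpr equivalent: the text between 'email=' and the next '&'."""
    m = re.search(r"email=([^&]*)", body)
    return None if m is None else m.group(1)


def form_fields(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def rewrite_login_body(body, manager):
    """ReplaceEmptyPasswordAction equivalent: fetch the shadow password via the
    callout and splice it, URL-safe encoded, into the empty password field."""
    raw_email = email_from_body(body)
    if raw_email is None:
        return body
    mail = form_fields("email=" + raw_email)["email"]   # undo %-encoding, as the web server would
    pwd = manager.get_password(mail)
    encoded = quote(pwd, safe="")                       # HTTP_URL_SAFE equivalent
    return PASSWORD_FIELD.sub(lambda _m: "&password=" + encoded + "&", body, count=1)


if __name__ == "__main__":
    am = AccountManager()
    am.ensure_shadow_account("alice@example.com")
    # Body as the form SSO profile posts it: user field filled, password empty.
    print(rewrite_login_body("email=alice%40example.com&password=&LoginType=Explicit", am))
```

Two properties of the rewrite are worth checking when adapting it: the search pattern `&password=[ -~]*&` is greedy across any printable characters, so it only substitutes cleanly when the empty password field is immediately followed by the next `&` as in the profile's nameValuePair, and the callout answer must be URL-safe encoded before insertion, otherwise a password containing `&` or `=` would corrupt the form body. Because the callout returns the shadow password in plain text, its vserver belongs on TLS and should accept requests only from the NetScaler.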
Communication flow
Diagram participants: User, Browser, ADFS, Active Directory, Account Manager, NetScaler Gateway, StoreFront, XenDesktop Controller (DDC), VDA
1. User authenticates at the SSO portal
2. SSO sends the SAML Response to the user's browser
3. User's browser POSTs the SAML response to NetScaler Gateway
4. NetScaler requests shadow user credentials from Account Manager
5. Account Manager sends credentials back to NetScaler
6. NetScaler submits shadow user credentials to StoreFront
7. StoreFront requests a XenDesktop token from the DDC
8. DDC sends the XenDesktop token back to StoreFront
9. StoreFront sends the ICA file
10. Citrix Receiver connects to Access Gateway
11. NetScaler Gateway connects to the desktop
12. Shadow user logged on
SAML-enabled solutions
Cloud
www.pingidentity.com
www.ssoeasy.com
www.forumsys.com
www.okta.com
www.onelogin.com
www.cloudentr.com
Azure Active Directory
Google Apps
On prem
Microsoft ADFS
Oracle OpenSSO
ForgeRock OpenAM
PingFederation
RCDevs OpenID
Novell Access Manager
IBM Tivoli Access Manager
JBoss SSO