562: Power of Single Sign-On in OpenEdge

Presentation transcript:

562: Power of Single Sign-On in OpenEdge June 4th – June 7th Manchester, NH Srinivas Munigala – Principal QA Engineer Progress Software Progress

Agenda
Introduction to Single Sign-On
SSO in OpenEdge
SSO for ABL Applications
SSO for Web Applications
SSO for HTTP Clients
SSO Security Best Practices
Demo
Questions & Answers

Introduction to SSO

Problem: Login… Login… Login…

Solution: SSO

SSO Definition
SSO is a property of access control across multiple, related, but independent software systems: one login grants access to all of them.
Advantage: improved user productivity.

SSO in OpenEdge

Major categories
SSO for ABL Applications (Client-Principal)
SSO for Web Applications, i.e. Progress clients (Pre-Auth Filter)
SSO support for HTTP Clients

SSO for ABL applications Introduction to Client-Principal

The ABL Client-Principal (C-P), available since OE 10.1A
Represents a user login session
Sets the user id for the ABL application and for the database connection
Two states: un-sealed and sealed (sealed by the authentication system)
Example contents of a C-P (slide diagram):
  Domain: LDAP
  State: Login
  User-ID: NewUser
  Login-token: BW3G1&2G1836D872
  Login-date: 10/03/06 08:15:33.12
  Login-expires: 10/03/06 19:30.00.00
  Roles: Accountant
  App-data: Company=Acme ...
The fields group into user account data, user account restrictions and application-defined data.

Direct Login vs Single Sign-on
Direct Login: the C-P is NOT sealed; the application authenticates the user every time.
Single Sign-on: the user is authenticated already; the C-P is sealed; the application only validates its integrity.

Example: AppServer SSO
Physical user account storage (OE-DB | LDAP | …)
Login (ABL), after checking the credentials against the account storage:
  CREATE CLIENT-PRINCIPAL hCP.
  hCP:INITIALIZE(c_uname, ?, ?, c_pwd).
  hCP:SEAL(domain-access-code).
  SESSION:CURRENT-RESPONSE-INFO:SetClientPrincipal(hCP).
Inventory AppServer:
  hCP = SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal().
  hCP:VALIDATE-SEAL(domain-access-code).
Order AppServer:
  hCP = SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal().
  hCP:VALIDATE-SEAL(domain-access-code).
The domain-access-code is the shared secret between the login service and every AppServer that accepts the sealed C-P.

SSO for Web Applications Introduction to Pre-Auth filter

Spring Security: REST/Web application architecture with the Pre-Auth Filter

Pre-Auth filter
The user has already been reliably authenticated by some external system prior to accessing the REST application.
Spring Security then identifies the user making the request and obtains the authorities (roles) for that user.

Pre-Authentication Filter configuration: update the “enabled” property to “true”.

Example: Rollbase SSO (slide diagram)
Components: Rollbase (sso), OE Realm on a REST AppServer (Tomcat) with the OE Realm server class and a user account system library, the OE web application on a REST AppServer (Tomcat) with the Pre-auth Filter, a Business Entity and the OpenEdge DB.
1. Rollbase sends a request for the user account to OE Realm.
2. The authentication process (login) runs.
3. OE Realm looks the account up in the user account system library.
4. The user account details are returned and a sealed C-P (SSO) is produced.
5. Rollbase makes a pre-authenticated REST request for the OE service, carrying the header “X-OE-CLIENT-CONTEXT-ID” with the value “OECP <base64(C-P)>”.
6. The Pre-auth Filter in the OE web application accepts the sealed C-P, and the Business Entity obtains it with
   hCP = SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal().

SSO support for HTTP Clients

Use Case: Travels.com, Cars.com, Hotels.com, Airline.com

How does it work? (Airline.com, Cars.com, Travels.com)
Travels.com uses a form login (user: PUG, password: XXXXX) and is configured as Token Producer, Token Consumer or both (token generation IfRequired or always).
The login request /static/auth/j_spring_security_check?OECP=yes returns a token:
  { “token_type” : “oecp”, “access_token” : “<b64-oecp-sso-token>”, “refresh_token” : “<oecp-ref-token>”, “expires_in” : <int-seconds> }
Subsequent calls to the Token Consumers Airline.com (/rest/airline) and Cars.com (/rest/cars) carry the header:
  Authorization: oecp <access token>

OE 11.7.0 Key Points
Extended to mobile / browser clients for OE ABL web applications
Standard, simple and secure way to generate a Client-Principal by the web server
Tokens generated based on configuration
HTTP / HTTPS access control
Ability to refresh security tokens when expired
Authorize users based on Client-Type

Security Best Practices

Security Best Practices
Verify that a valid Client-Principal with the proper roles is actually arriving with each request (validate the seal, then check the roles)
The Domain Access Key value should be in the form “oech1::<hex-string>”
Use Activate / De-activate procedures in your AppServer
Use SSL/TLS for non-local network connections
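The following ABL is an added example, not code from the slides: it carries the AppServer SSO exchange (seal on the login side, validate on the consumer side) through the checks the best-practices slide asks for. The user name, the role “Accountant” and the hex value inside cDomainKey are constructed placeholders.

```abl
/* Added example (not from the slides): seal a Client-Principal on the login
   side and verify it on the consuming AppServer. The user name, the role
   "Accountant" and the hex value in cDomainKey are constructed placeholders. */
BLOCK-LEVEL ON ERROR UNDO, THROW.

DEFINE VARIABLE hCP        AS HANDLE    NO-UNDO.
DEFINE VARIABLE hIn        AS HANDLE    NO-UNDO.
DEFINE VARIABLE rToken     AS RAW       NO-UNDO.
DEFINE VARIABLE cDomainKey AS CHARACTER NO-UNDO
    INITIAL "oech1::0123456789abcdef0123456789abcdef". /* placeholder secret */

/* Consumer-side check: integrity, login state, expiry and required role. */
FUNCTION verifyCP RETURNS LOGICAL (INPUT phCP AS HANDLE, INPUT pcRole AS CHARACTER):
    /* 1. Integrity: the seal must verify against our Domain Access Key. */
    IF NOT phCP:VALIDATE-SEAL(cDomainKey) THEN RETURN FALSE.
    /* 2. State: only a live LOGIN or SSO principal is acceptable. */
    IF LOOKUP(phCP:LOGIN-STATE, "LOGIN,SSO") = 0 THEN RETURN FALSE.
    /* 3. Expiry: reject a principal whose login window has closed. */
    IF phCP:LOGIN-EXPIRATION-TIMESTAMP <> ?
       AND phCP:LOGIN-EXPIRATION-TIMESTAMP < NOW THEN RETURN FALSE.
    /* 4. Authorization: the role this service needs must be present. */
    RETURN LOOKUP(pcRole, phCP:ROLES) > 0.
END FUNCTION.

/* Producer side: the user was already authenticated by the login service
   (OE Realm, LDAP, ...), so no password is supplied and the C-P is sealed. */
CREATE CLIENT-PRINCIPAL hCP.
hCP:INITIALIZE("NewUser@LDAP", ?, ADD-INTERVAL(NOW, 8, "hours"), ?).
hCP:ROLES = "Accountant".
IF NOT hCP:SEAL(cDomainKey) THEN
    UNDO, THROW NEW Progress.Lang.AppError("Could not seal C-P", 0).
/* This RAW token, base64-encoded, is what travels in the
   X-OE-CLIENT-CONTEXT-ID header as "OECP <base64(C-P)>". */
rToken = hCP:EXPORT-PRINCIPAL().

/* Consumer side: rebuild the C-P from the token, verify it, then adopt it. */
CREATE CLIENT-PRINCIPAL hIn.
hIn:IMPORT-PRINCIPAL(rToken).
IF verifyCP(hIn, "Accountant") THEN
    SECURITY-POLICY:SET-CLIENT(hIn).   /* sets the ABL session identity */
ELSE
    MESSAGE "Rejected: invalid seal, state, expiry or role" VIEW-AS ALERT-BOX.

DELETE OBJECT hCP.
DELETE OBJECT hIn.
```

In a deployed AppServer the consumer half belongs in the Activate procedure, with hIn replaced by SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal(), so every request is checked before business logic runs.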

Summary
Secure user authentication is necessary in today’s world
Distributed authentication presents many challenges
Single Sign-On avoids password fatigue
OpenEdge has a solution
