Operating Systems & Information Services, CERN IT Department, CH-1211 Geneva 23, Switzerland, www.cern.ch/it, OIS: CERN Single Sign-On Summer 2012 Updates, Emmanuel Ormancey.

Presentation transcript:

Slide 1 - CERN Single Sign-On Summer 2012 Updates
Emmanuel Ormancey (IT-OIS)

Slide 2 - Primary objective
Prepare CERN Authentication for IAA
Extend SSO to HEP community through Federation
  – Allow HEP members to access CERN resources with their local IDs.
  – Decrease the ‘CERN Account’ requirement
Extend SSO to Public Services authentication (Google, Facebook, etc.)
  – Allow people to access CERN resources with their public credentials (e.g. Gmail account)
  – Decrease the ‘Lightweight Account’ requirement

Slide 3 - Technical objectives
Improve service, fix issues and requests
Provide Strong Authentication methods
  – SMS one time password, Yubikey, Smartcard
Allow SSO Authentication using scripts & programs
Facilitate SSO management for Application owners
Address the large number of E-Groups problems
  – ‘Header too big’ Apache issue

Slide 4 - SSO Management Site
Application registration & lifecycle
  – Reassign the registration to another account.
Identity Class (Basic) Authorization
  – Using the Identity Class, restrict access to the Application at the SSO level.
  – Lightweight accounts not authorized by default
E-Groups Authorization
  – Filter E-Groups needed for Authorization
  – User token size decreased, containing E-Group membership only within the E-Groups filter.

Slide 5 - Identity Class Authorization
Provide Basic Authorization using a unique value representing the level of assurance (LoA) of the user and the authentication method used.
  – CERN Registered: represents the currently active CERN primary accounts.
  – CERN Trusted: represents the currently active CERN secondary and service accounts.
  – HEP Trusted: HEP people registered in the CERN HR database, authenticating using their HEP systems (through Federation).
  – Named Identity: ex-members of personnel, like retirees, former staff, etc. They still have an entry in the CERN HR database but no CERN account anymore.
  – Anonymous Identity: anonymous unverified people, like external/lightweight accounts, Facebook/Google accounts, Federation accounts not verified.
Default basic authorization set to CERN Registered only.
Configuration at SSO level through the SSO management site: http://cern.ch/sso-management
Configuration at Application level through usual configuration files.

Slide 6 - The Road to 5 Identity Classes

Types Summary
Identity Types: CERN_REG (CERN Accounts / CERN Users); CERN_EX (EXTN and RETR); UNREG (all available in AD/LDAP as disabled lightweight, same as E-Groups members)
Auth Types: CERN 1st; CERN 2nd; CERN service; FED; SOCIAL
Auth Levels: STD; 2FA

Types Expanded
Identity Type | Auth Type | Result / identifier / level | Auth Level | Comments
CERN_REG | CERN 1st | CERN Registered | STD |
CERN_REG | CERN 1st | CERN Registered | 2FA |
CERN_REG | CERN 2nd | CERN Trusted | STD |
CERN_REG | CERN 2nd | | 2FA | No 2FA (no card, yubikey or gsm)
CERN_REG | CERN service | CERN Trusted | STD |
CERN_REG | CERN service | | 2FA | No 2FA (no card, yubikey or gsm)
CERN_REG | FED | HEP Trusted | STD | Could be CERN Trusted, but making the difference between CERN and HEP could be interesting
CERN_REG | FED | HEP Trusted | 2FA |
CERN_REG | SOCIAL | | STD | Social auth forbidden for CERN_REG
CERN_REG | SOCIAL | | 2FA | Social auth forbidden for CERN_REG
CERN_EX | CERN 1st | Named Identity | STD | Lightweight EXMP account as today. RETR to be moved to REG
CERN_EX | CERN 1st | | 2FA | No 2FA (no card, yubikey or gsm)
CERN_EX | CERN 2nd | | STD | CERN_EX cannot own CERN 2nd
CERN_EX | CERN 2nd | | 2FA | No 2FA (no card, yubikey or gsm)
CERN_EX | CERN service | | STD | CERN_EX cannot own CERN service
CERN_EX | CERN service | | 2FA | No 2FA (no card, yubikey or gsm)
CERN_EX | FED | | STD | EXMP/RETR can auth with FedID? No, as trust-relation is void.
CERN_EX | FED | | 2FA | EXMP/RETR can auth with FedID? No, as trust-relation is void.
CERN_EX | SOCIAL | | STD | Social auth forbidden for CERN_EX
CERN_EX | SOCIAL | | 2FA | Social auth forbidden for CERN_EX
UNREG | CERN 1st | Anonymous Identity | STD | Lightweight external account as today
UNREG | CERN 1st | | 2FA | No 2FA (no card, yubikey or gsm)
UNREG | CERN 2nd | | STD | UNREG cannot own CERN 2nd
UNREG | CERN 2nd | | 2FA | No 2FA (no card, yubikey or gsm)
UNREG | CERN service | | STD | UNREG cannot own CERN service
UNREG | CERN service | | 2FA | No 2FA (no card, yubikey or gsm)
UNREG | FED | Anonymous Identity | STD |
UNREG | FED | | 2FA | We don't care
UNREG | SOCIAL | Anonymous Identity | STD |
UNREG | SOCIAL | | 2FA | We don't care
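The Identity Class rules of slides 5 and 6 (which identity type, authenticating how and at which level, lands in which class, and which combinations are forbidden) can be written down as one decision function. The following is an added example and not CERN's SSO code; the type, level and class strings follow the slides, while the function names and the "allowed classes" set passed to the basic authorization check are assumptions of this example.

```python
# Added example (not CERN's code): the Identity Class decision encoded from the
# "Types Expanded" table. Strings follow the slides; function names and the
# allowed-classes set given to authorize_basic are assumptions of this example.
from typing import AbstractSet, Optional

IDENTITY_TYPES = {"CERN_REG", "CERN_EX", "UNREG"}
AUTH_TYPES = {"CERN 1st", "CERN 2nd", "CERN service", "FED", "SOCIAL"}
AUTH_LEVELS = {"STD", "2FA"}

# Only CERN_REG may own secondary or service accounts (table: "CERN_EX cannot
# own CERN 2nd", "UNREG cannot own CERN service", ...).
OWNABLE_ACCOUNTS = {
    "CERN_REG": {"CERN 1st", "CERN 2nd", "CERN service"},
    "CERN_EX": {"CERN 1st"},
    "UNREG": {"CERN 1st"},
}


def identity_class(identity_type: str, auth_type: str, auth_level: str) -> Optional[str]:
    """Map (identity type, authentication type, authentication level) to an
    Identity Class. Returns None for combinations the table marks as forbidden
    or impossible ("No 2FA", "cannot own", "forbidden", "trust-relation is void")."""
    if (identity_type not in IDENTITY_TYPES or auth_type not in AUTH_TYPES
            or auth_level not in AUTH_LEVELS):
        raise ValueError("unknown identity type, auth type or auth level")

    if auth_type == "SOCIAL":
        # Social auth is forbidden for CERN_REG and CERN_EX; an unregistered
        # social login is Anonymous Identity at either level ("we don't care").
        return "Anonymous Identity" if identity_type == "UNREG" else None

    if auth_type == "FED":
        if identity_type == "CERN_REG":
            return "HEP Trusted"            # HEP person registered in CERN HR
        if identity_type == "CERN_EX":
            return None                     # EXMP/RETR: trust relation is void
        return "Anonymous Identity"         # unverified federation account

    # Authentication with a CERN account (primary, secondary or service).
    if auth_type not in OWNABLE_ACCOUNTS[identity_type]:
        return None
    if auth_level == "2FA" and not (identity_type == "CERN_REG" and auth_type == "CERN 1st"):
        return None                         # no card, Yubikey or GSM on these accounts
    if identity_type == "CERN_REG":
        return "CERN Registered" if auth_type == "CERN 1st" else "CERN Trusted"
    if identity_type == "CERN_EX":
        return "Named Identity"             # lightweight EXMP account
    return "Anonymous Identity"             # lightweight external account


DEFAULT_ALLOWED = frozenset({"CERN Registered"})  # slide 5: default basic authorization


def authorize_basic(identity_cls: Optional[str],
                    allowed: AbstractSet[str] = DEFAULT_ALLOWED) -> bool:
    """Basic Authorization at the SSO level: the application is reachable only
    when the session's Identity Class is in the application's allowed set.
    A None class (forbidden combination) is never authorized."""
    return identity_cls is not None and identity_cls in allowed


if __name__ == "__main__":
    for combo in [("CERN_REG", "CERN 1st", "2FA"), ("CERN_REG", "FED", "STD"),
                  ("CERN_EX", "FED", "STD"), ("UNREG", "SOCIAL", "STD")]:
        cls = identity_class(*combo)
        print(combo, "->", cls, "| default app access:", authorize_basic(cls))
```

Returning None rather than a low class for a forbidden combination keeps the two decisions separate: the SSO first rejects what the table forbids outright, and only then applies the per-application allowed set, which an application owner widens (for example to include HEP Trusted) on the management site.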

Slide 7 - E-Groups Authorization
Current situation:
  – An account can be member of hundreds of E-Groups
  – The token size can be huge when the Application needs only some to handle Authorization.
New Authorization E-Groups Filter:
  – Define the list of E-Groups needed for Authorizations.
  – The User token will contain E-Group membership only within the E-Groups filter.
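To see why the filter matters for the ‘Header too big’ Apache issue of slide 3, the following added example (not CERN's code) builds a simplified token for an account in hundreds of E-Groups, applies a per-application filter, and compares both sizes with a single request-header field limit. The token layout, the group names and the 8190-byte figure (Apache httpd's default LimitRequestFieldSize) are assumptions of this example, as are the function names.

```python
# Added example (not CERN's code): simulates how an unfiltered E-Groups claim
# set exceeds the Apache request-header limit and how the per-application
# E-Groups filter fixes it. Token format, group names and the 8190-byte figure
# (Apache httpd's default LimitRequestFieldSize) are assumptions of this example.
import base64
from typing import Iterable, List

# Constructed sample: an account that is a member of 400 unrelated E-Groups
# plus the two the application actually uses.
MEMBERSHIP: List[str] = [f"egroup-{i:03d}-members" for i in range(400)] \
    + ["it-dep-ois", "atlas-members"]

# The application owner declares, on the SSO management site, the only groups
# it needs for authorization; a filter entry the user is not in is simply absent.
APP_FILTER: List[str] = ["it-dep-ois", "atlas-members", "some-other-group"]

APACHE_DEFAULT_LIMIT_REQUEST_FIELD_SIZE = 8190  # bytes, one request-header field


def filter_egroups(membership: Iterable[str], app_filter: Iterable[str]) -> List[str]:
    """Keep only the E-Groups named in the application's filter, preserving order."""
    wanted = set(app_filter)
    return [g for g in membership if g in wanted]


def build_token(upn: str, identity_class: str, egroups: Iterable[str]) -> str:
    """Simplified claim set: one name=value line per claim, base64-encoded so the
    size grows with the number of group claims roughly as a real token does."""
    lines = [f"upn={upn}", f"identityclass={identity_class}"]
    lines += [f"egroup={g}" for g in egroups]
    return base64.b64encode("\n".join(lines).encode("utf-8")).decode("ascii")


def fits_in_header(token: str, limit: int = APACHE_DEFAULT_LIMIT_REQUEST_FIELD_SIZE) -> bool:
    """True if the encoded token would fit in a single request-header field."""
    return len(token.encode("ascii")) <= limit


def has_required_group(token_egroups: Iterable[str], required: Iterable[str]) -> bool:
    """Application-side E-Groups authorization evaluated on the (filtered) token."""
    return bool(set(token_egroups) & set(required))


if __name__ == "__main__":
    full = build_token("user@example.invalid", "CERN Registered", MEMBERSHIP)
    filtered_groups = filter_egroups(MEMBERSHIP, APP_FILTER)
    small = build_token("user@example.invalid", "CERN Registered", filtered_groups)
    print(f"unfiltered token: {len(full)} bytes, fits: {fits_in_header(full)}")
    print(f"filtered token:   {len(small)} bytes, fits: {fits_in_header(small)}")
    print("authorized:", has_required_group(filtered_groups, ["atlas-members"]))
```

The filter is applied on the SSO side before the token is issued, so the application still authorizes on E-Group claims exactly as before; it just never receives the membership it did not ask for, which also keeps unrelated group names out of a token that third-party applications can read.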

Slide 8 - Authentication Methods
Standard Authentication:
  – Forms: user types in his login and password.
  – Kerberos or Windows: reuse the current Kerberos or Windows (NTLM) credentials for authentication.
  – Certificates: use your CERN CA or EuGridPMA (IGTF) trusted certificate to authenticate.
Two Factor Authentication:
  – Smartcard: use a CERN Smartcard to authenticate (pilot, see
  – Yubikey: use a Yubikey hardware token to authenticate.
  – SMS One Time Password: validate your authentication with a PIN code sent by SMS to your CERN GSM.
Federation Authentication:
  – USATLAS/BNL, INFN, Switch AAI, etc.: coming soon.
Public Services Authentication:
  – Google, Facebook, Live, Yahoo, Orange.
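The SMS One Time Password method above is a second step after a normal login: the SSO sends a PIN to the user's registered GSM and accepts the session only once that PIN comes back. The following added example (not CERN's code) shows the server-side part of such a step: issuing a challenge that stores only a salted hash of the PIN, and verifying it with expiry, single use and an attempt limit. PIN length, lifetime, attempt limit and function names are assumptions of this example; handing the PIN to an SMS gateway is out of scope and is represented by returning it to the caller.

```python
# Added example (not CERN's code): server side of an SMS one-time-password
# step. PIN length, lifetime, attempt limit and names are assumptions; the PIN
# returned by issue_otp stands in for the SMS sent to the user's GSM.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 3


@dataclass
class OtpChallenge:
    """Server-side record kept with the session: only a salted hash of the PIN
    is stored, so a leaked record does not reveal the PIN."""
    upn: str
    salt: bytes
    digest: bytes
    expires_at: float
    attempts_left: int = OTP_MAX_ATTEMPTS
    used: bool = False


def _digest(salt: bytes, pin: str) -> bytes:
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


def issue_otp(upn: str, now: Optional[float] = None) -> Tuple[str, OtpChallenge]:
    """Create a challenge for `upn`. Returns (pin, challenge): the pin goes to the
    SMS gateway, the challenge stays with the authenticated session."""
    now = time.time() if now is None else now
    pin = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    salt = secrets.token_bytes(16)
    return pin, OtpChallenge(upn, salt, _digest(salt, pin), now + OTP_TTL_SECONDS)


def verify_otp(challenge: OtpChallenge, pin: str, now: Optional[float] = None) -> bool:
    """Constant-time comparison; a challenge is single-use, expires after
    OTP_TTL_SECONDS and is locked after OTP_MAX_ATTEMPTS wrong PINs, so a short
    numeric PIN cannot simply be guessed by repeated submission."""
    now = time.time() if now is None else now
    if challenge.used or challenge.attempts_left <= 0 or now > challenge.expires_at:
        return False
    challenge.attempts_left -= 1
    if not hmac.compare_digest(_digest(challenge.salt, pin), challenge.digest):
        return False
    challenge.used = True
    return True


if __name__ == "__main__":
    pin, challenge = issue_otp("user@example.invalid")
    print("PIN that would be sent by SMS:", pin)
    print("wrong PIN accepted:", verify_otp(challenge, "000000" if pin != "000000" else "111111"))
    print("right PIN accepted:", verify_otp(challenge, pin))
    print("replay accepted:", verify_otp(challenge, pin))
```

The attempt counter is decremented before the comparison, so a request that fails for any reason still consumes an attempt, and the `used` flag is set only after a successful match; both decisions are taken on the server-side record, never on anything the client sends back.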

Slide 9 - Federation & Social ID
Federation Authentication:
  – USATLAS/BNL & INFN: testing, Switch AAI: coming soon.
  – Can be used to authenticate a CERN Account: IdentityClass = HEP Trusted
  – Can be used to authenticate any other: IdentityClass = Anonymous Identity
Public Services Authentication:
  – Using standards: OAuth, OpenID
  – Cannot be used to authenticate a CERN Account.
  – IdentityClass = Anonymous Identity
  – Can be added in E-Groups ( based)

Slide 10 - Login flow (diagram)
login.cern.ch: login on SSO process with a CERN Account or a Federation/Social Account; Authentication + Authorization based on IdentityClass.
CERN Account case: Web App <-> login.cern.ch <-> Active Directory (login or lookup). Token: UPN: (value not in transcript); IdentityClass: CERN Registered; E-Groups: it-dep-ois; atlas-members.
Federation/Social Account case: Web App <-> login.cern.ch <-> Federation / Social site (login), with Active Directory lookup. Token: UPN: (value not in transcript); IdentityClass: Anonymous Identity; E-Groups: alice-friends; twiki-reader.
Web App: Authorization based on E-Groups, IdentityClass and any other available attribute.

Slide 11 - Demo…
  – List applications & Management page
  – Authenticate with Facebook (and display Application authorization page)
  – Show Strong Authentication systems: demo SMS OTP

Slide 12 - More…
Help and Documentation:
  – SSO Management:
  – Demo site:
  – Support:

Slide 13 - Questions?
Contact: