WWW.UNI-C.DK – Single Sign-On in the Danish Educational Sector. Per Thorboll, Deputy director, UNI-C.


2 Background
UNI-C – the Danish computing center for education and research.
Nationwide – in a small country.
Large spectrum of products/services: basic network; security infrastructure and services (VANS); content services; intranet / LMS; SIS and ERP.

3 The products
The Toolbox, Abuse & CERT, Schoolbag, SkoDa, Newspaper in education, VPN at Home, Antivirus, SkoleKom, X-IT, BlackBoard, School-ict, InfoGuide, Single Sign On, EMU – the education portal, MVU Net (Lotus Notes), School Intra, ERP (EASY, XAL-Stat), SIS, and more …

4 Single Sign On – Vision
To provide a unified login for all IT services in the Danish educational sector.
Not practically possible with the technologies available today; a pragmatic approach is necessary.
Current goal: build a national authentication and authorization framework and provide unified login for web-based services.

5 HUGO – Central user database
Centralized user administration for the Danish educational sector.
Approx users registered today.
Delegated administration ensures quality of data.
Forms the immediate basis for authentication and authorization control for the unified login.

6 First step: Single Login
HUGO populates a central LDAP database with passwords and access rights (service codes).
Provides the authentication and authorization service called Single Login.
Users must log in to each service: username and password must be entered in several places, which makes them more difficult to protect.
In some cases passwords are sent unencrypted between systems, with a risk of snooping passwords in transit or at the end system.

7 Next step – Single Sign On (diagram: three candidate models – Proxy, PKI and Cookie – each placing a login server L in front of a principal P and several applications A)

8 SSO proxy
Independence of applications; all protocols are supported.
Developed and maintained in-house.
Does not scale; non-standard.

9 SSO PKI
Based on standard SSL user certificates; many protocols and applications support SSL.
Certificates and keys are stored locally.
Hard to use for end users; certificate management is cumbersome.

SSO Cookie
Non-standard – until now!
Only support for web applications.
Only support for one domain (initially).
Scales well.

Single Sign-On – the cookie solution
Login is done only once for all services.
Username and password are entered at a single well-protected login server; passwords are never sent to other web servers.
The solution at UNI-C is based on Pubcookie from the University of Washington (related to the Internet2 WebISO efforts; Web Initial Sign-On: middleware.internet2.edu/webiso).

Single Sign-On – Pubcookie features
Cookie-based solution using a central login server.
Cookies and passwords are protected by SSL and host domains.
No browser extensions required; platform neutral on both client and server side.
Plug-in architecture for backend verifiers; ships with LDAP and Kerberos5.
Plug-in modules available for Apache and IIS web servers.

Pubcookie – How does it work? (diagram: a Principal interacting with a central Login Server and applications App1, App2 and App3)

Integration of external applications
In some cases it is not possible or desirable to use Pubcookie directly with a given application. Causes: SSL not wanted, external DNS domain, no Pubcookie module available, multiple authentication models.
UNI-C has developed an SSO proxy solution: authentication info is communicated in a short-lived, URL-encoded fingerprint, and the security model is based on a shared secret between the login server and the application.
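The short-lived, shared-secret fingerprint described on this slide (and, in the same spirit, the assertion a Pubcookie login server hands to an application so that the password never leaves the login server) can be modelled as a URL-safe token whose contents are bound by an HMAC. The Python below is an added example, not UNI-C's SSO proxy code and not Pubcookie's; the token layout, field names, 60-second lifetime, the SHARED_SECRET value and the helper names are all assumptions for illustration. It also shows the checks the receiving application needs for this model to hold: signature, audience, expiry and replay.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret: in a real deployment the shared secret is
# provisioned out of band to the login server and to each application.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

# Fingerprint lifetime in seconds ("short-lived" as on the slide; assumed value).
FINGERPRINT_TTL = 60


def _b64url(raw):
    """URL-safe base64 without padding, so the token can ride in a URL."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _mac(secret, payload):
    return hmac.new(secret, payload, hashlib.sha256).digest()


def issue_fingerprint(uid, audience, secret=SHARED_SECRET, now=None):
    """Login-server side: build the authenticated assertion for one application.

    Only the user id travels to the application, never the password. The MAC
    covers uid, audience, expiry and a random nonce, so none can be altered.
    """
    now = time.time() if now is None else now
    payload = {
        "uid": uid,
        "aud": audience,                 # which application may accept it
        "exp": int(now) + FINGERPRINT_TTL,
        "nonce": secrets.token_hex(8),   # makes every fingerprint unique
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return _b64url(body) + "." + _b64url(_mac(secret, body))


class FingerprintError(Exception):
    """Raised by FingerprintVerifier with a short reason string."""


class FingerprintVerifier:
    """Application side: validates a fingerprint and remembers used nonces."""

    def __init__(self, audience, secret=SHARED_SECRET):
        self.audience = audience
        self.secret = secret
        self._seen = {}  # nonce -> exp, for replay rejection

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        try:
            body_b64, mac_b64 = token.split(".", 1)
            body = _b64url_decode(body_b64)
            mac = _b64url_decode(mac_b64)
        except ValueError:               # covers bad split and bad base64
            raise FingerprintError("malformed")
        # Constant-time comparison so the MAC cannot be guessed via timing.
        if not hmac.compare_digest(mac, _mac(self.secret, body)):
            raise FingerprintError("bad signature")
        payload = json.loads(body)
        if payload.get("aud") != self.audience:
            raise FingerprintError("wrong audience")
        if payload["exp"] < now:
            raise FingerprintError("expired")
        # Forget nonces whose fingerprints have expired anyway, then reject replays.
        self._seen = {n: e for n, e in self._seen.items() if e >= now}
        if payload["nonce"] in self._seen:
            raise FingerprintError("replay")
        self._seen[payload["nonce"]] = payload["exp"]
        return payload["uid"]


def verify_outcome(verifier, token, now=None):
    """Convenience wrapper returning ('ok', uid) or ('rejected', reason)."""
    try:
        return ("ok", verifier.verify(token, now=now))
    except FingerprintError as err:
        return ("rejected", str(err))


if __name__ == "__main__":
    app2 = FingerprintVerifier("app2")
    token = issue_fingerprint("alice", "app2")
    print(verify_outcome(app2, token))   # accepted once ...
    print(verify_outcome(app2, token))   # ... rejected as a replay
```

Because the nonce cache lives in the application, the replay check only holds per application instance; a load-balanced application would need a shared cache, which is one reason such fingerprints are kept very short-lived.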

SSO proxy (diagram: the Principal logs in at the Login Server; the Proxy relays the authentication to an external application and to App2 and App3)

Next steps
More applications.
Synchronization with local user administration.
Client certificates to replace the uid/pwd dialogue.
Integration of more external parties.
Development of a more sophisticated logout model for SSO (today you have to close the browser to ensure you are logged out of everything).
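The logout problem named above arises because each application keeps its own session that outlives the login-server cookie. One way to build the "more sophisticated logout model" is a registry at the login server that ties every application session to the SSO session that created it, so a single logout (or idle timeout) revokes all of them. The Python below is an added example of that design, not UNI-C's or Pubcookie's code; the class, method names and the idle timeout are assumptions, and applications are assumed to ask the registry whether their session is still valid.

```python
import secrets
import time


class SsoSessionRegistry:
    """Central registry kept by the login server (constructed example).

    One SSO session per browser login; every application that accepts the
    login registers its own application session under it. Global logout
    revokes the SSO session and every application session attached to it.
    """

    def __init__(self, idle_timeout=1800):
        self.idle_timeout = idle_timeout       # seconds; assumed value
        self._sso = {}   # sso_id -> {"uid", "last_seen", "apps": {app: app_sid}}
        self._app = {}   # (app, app_sid) -> sso_id

    def login(self, uid, now=None):
        """Called after the login server has verified the user's credentials."""
        now = time.time() if now is None else now
        sso_id = secrets.token_urlsafe(32)     # unguessable session identifier
        self._sso[sso_id] = {"uid": uid, "last_seen": now, "apps": {}}
        return sso_id

    def register_app_session(self, sso_id, app):
        """An application creates its own session and ties it to the SSO session."""
        sess = self._sso.get(sso_id)
        if sess is None:
            raise KeyError("unknown or revoked SSO session")
        app_sid = secrets.token_urlsafe(32)
        sess["apps"][app] = app_sid
        self._app[(app, app_sid)] = sso_id
        return app_sid

    def app_session_valid(self, app, app_sid, now=None):
        """Back-channel check an application makes before trusting its session."""
        now = time.time() if now is None else now
        sso_id = self._app.get((app, app_sid))
        if sso_id is None:
            return False                       # never issued, or already revoked
        sess = self._sso[sso_id]
        if now - sess["last_seen"] > self.idle_timeout:
            self.logout(sso_id)                # idle SSO session: revoke everything
            return False
        sess["last_seen"] = now
        return True

    def logout(self, sso_id):
        """Global logout: returns how many application sessions were revoked."""
        sess = self._sso.pop(sso_id, None)
        if sess is None:
            return 0
        for app, app_sid in sess["apps"].items():
            self._app.pop((app, app_sid), None)
        return len(sess["apps"])


if __name__ == "__main__":
    registry = SsoSessionRegistry()
    sso = registry.login("alice")
    a2 = registry.register_app_session(sso, "app2")
    a3 = registry.register_app_session(sso, "app3")
    print(registry.app_session_valid("app2", a2), registry.app_session_valid("app3", a3))
    print("revoked:", registry.logout(sso))
    print(registry.app_session_valid("app2", a2), registry.app_session_valid("app3", a3))
```

The per-request back-channel check is the simplest consistent model; the alternative is for the login server to push a logout notification to each registered application, which avoids the extra round trip but requires every application to expose a protected logout endpoint.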

Conclusion
UNI-C has deployed a web-based Single Login and Single Sign-On infrastructure and is in the process of migrating its web-based services to it.
Made possible by the central HUGO user database with delegated administration.
Much interest from third-party partners in hooking into the SSO infrastructure in order to offer their services online.