Implementing B2B and B2C Using Novell Affiliate Connector
Novell BrainShare 2002
Kevin Ward, Engineering Manager/Affiliate Connector, Novell, Inc.
Loren Russon, Product Management/Access and Security
IO124—Implementing B2B and B2C Using Novell Affiliate Connector
Agenda
Customer Challenges and Business Problems
The Security Assertion Markup Language (SAML)
Novell Affiliate Connector 1
Summary
Question and Answer
Vision…one Net
A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries
Mission
To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world
Novell Vision and Security
The Novell “one Net” vision provides the basis for “best practice” deployment of Identity Management, Access Management and Trusted eBusiness communities
The one Net approach provides eBusiness solutions for Business-to-Consumer (B2C), Business-to-Business (B2B), and Enterprise web (B2E) applications
Secure “digital identity” framework for trusted relationships
Platform-independent solutions
Customer Challenges and Business Problems
Today’s Typical Environment
(Diagram: a firewall in front of web servers and applications, security, ERP and CRM; the partner extranet, customer Internet and employee intranet each reach these systems, with every user shown holding a separate identifier for each system.)
Further Complicated when Affiliates are Added for B2x Environments
(Diagram: the same firewall, web servers and applications, ERP and security infrastructure, now with separate security domains for Company.com and an affiliate, Travel.com, each holding its own set of user identifiers.)
Novell iChain®
(Diagram: employees, customers and partners connect through the firewall to web servers and applications, ERP and CRM over one Net; iChain with eDirectory™ provides the security infrastructure.)
iChain security services: 1. Authentication, 2. Access Control, 3. Single Sign-On, 4. OLAC (Personalization), 5. Data Confidentiality
Novell iChain with Affiliate Connector
(Diagram: the same one Net security infrastructure, now spanning Company.com and the partner site Travel.com; Affiliate Connector extends the services across domains.)
Services: 1. Authentication, 2. Access Control, 3. Single Sign-On (intra-domain and cross-domain), 4. OLAC (Personalization), 5. Data Confidentiality
Technical and Operational Challenges
Integrate heterogeneous environments
Integrate with business partners
Leverage existing IT investments
Reduce development time to market
Build on open standards
Security Assertion Markup Language (SAML)
What Is SAML?
SAML—the Security Assertion Markup Language—is a standard being developed by the Security Services technical committee of the OASIS standards organization
The goal of SAML is to define an XML-based security standard for exchanging authentication and authorization information
SAML defines:
XML-encoded security “assertions”
An XML-encoded request/response protocol
Rules on using assertions with standard transport and messaging frameworks
SAML Assertions
An assertion is a statement of fact about a subject (e.g., a user or a service), according to the assertion issuer
SAML defines three assertion types: Authentication, Attribute, and Authorization decision
You can extend SAML to make your own kinds of assertions
Assertions can be digitally signed using the XML digital signature standard
Authentication Assertion
An authentication assertion demonstrates that an authority has authenticated a subject
SAML does not control the authentication itself, but rather makes statements about an authentication that occurred previously
For example, an issuing authority asserts that subject Bob authenticated to Company.com at 8:30 on July 3, 2002 using the password method
Attribute Assertion
An attribute assertion binds a subject with attributes
Typically attribute values are pulled from a data repository of user information (e.g., LDAP)
For example, an issuing authority asserts that subject Bob in Company.com is a member of a department called Engineering
Authorization Decision Assertion
An authorization decision assertion declares that a subject is authorized to access a resource
For example, a Policy Decision Point decides whether to grant the request: Can Bob in Company.com have execute privileges on
The response is in the form of Yes/No
The Policy Enforcement Point allows or denies access based on the response
SAML Request/Response Protocol
An XML-based protocol used to ask for, and to obtain, SAML assertions
A relying party (requester) makes a request for an assertion
An asserting party (responder) issues a response containing the assertion
Some environments may need to use their own protocol; they can use assertions without the rest of the request/response structure
The full benefit of SAML is realized when parties with no direct knowledge of each other can interact, via a “third-party introduction”
SAML Protocol Bindings
A binding is a way to transport SAML requests and responses over a messaging protocol
SOAP-over-HTTP binding is mandatory
Other bindings to follow, e.g., raw HTTP
SAML 1.0 is secured through the transport binding
SAML Profiles
A profile describes how SAML assertions are embedded into and extracted from a protocol, i.e., how SAML can be used to solve real business problems
Web browser profile for SSO (push and pull models)
SOAP profile for securing SOAP payloads
Web Browser Profile
This profile assumes:
A standard commercial browser and HTTP(S)
The user has authenticated to a local source site
The assertion’s subject refers implicitly to the user
When a user accesses a target site:
An authentication assertion reference travels with the request so the real assertion can be de-referenced (pull model)
Or the real assertion itself is passed through an HTTP POST (push model)
Novell Affiliate Connector 1
Novell Affiliate Connector’s Use of SAML
Novell Affiliate Connector 1 implements a multi-domain SSO push model
Creates authentication and attribute assertions
Attribute values are typically retrieved from an LDAP directory or other database
Assertions can be digitally signed
Assertions are HTTP POSTed and travel as a payload through the browser
Requires the use of SSL for securing assertions during transport
General Setup
(Diagram: at the source site, a directory or database, the Novell SAML Agent API and a Custom Logic layer sit behind the web servers; the user’s browser connects to both the source site and the affiliate site, which runs iChain® 2.1 in front of its web servers.)
Step 1
The user connects to the source site and authenticates, registers or otherwise identifies himself—this process is defined by the source site and is not part of SAML
Step 2
The user clicks on a link to get to the affiliate site—the web server calls the Custom Logic layer and passes identification information about the user
The Custom Logic layer consults policy information and optionally retrieves additional information about the user that will be used to build the assertion(s)
The Custom Logic layer is developed by the source site and represents its custom business policies and practice
Step 3
The Custom Logic layer passes information about the user to the Novell SAML Agent API, which then formats the information into one or more SAML assertions
The assertions are returned to the Custom Logic layer, which then places the assertions into an HTML FORM document that is returned to the browser
Step 4
If the browser has JavaScript enabled, the HTML form containing the assertion(s) is automatically posted into the HTML header during the redirect to the affiliate site
If the client does not have JavaScript enabled, the user must submit the form by pressing the submit button
Step 5
The Affiliate Connector engine running on iChain reads the assertion from the incoming request and consults policy information to validate it
Once validated, the engine uses its policy to map the user to an identity at the affiliate site (held in eDirectory)
The user is authenticated at the affiliate site
Step 6
The Affiliate Connector engine recognizes the session to be affiliate-based
According to policy, if any OLAC data is required for the session it is pulled from the user’s assertions
Any other required OLAC data not found in the user’s assertions is retrieved from LDAP (eDirectory) for the mapped user
Step 7
When a web application is accessed, the complete OLAC parameter string is sent along with the user request for the web server resource
Web single sign-on has been achieved
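As an added example (not code from this deck or from Novell's product), the assertion slides above and Steps 3 through 6 worked in Python: the source site builds a SAML 1.0 assertion carrying an authentication statement and an attribute statement, and the affiliate side checks signature, validity window, audience and one-time use before mapping the subject to a local identity and assembling OLAC data from the assertion first and a directory lookup second. The HMAC over the serialized XML, the shared key, the policy table and the directory dictionary are constructed stand-ins for the product's XML Signature, certificate exchange, policy store and LDAP.

```python
import hashlib, hmac, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = "{urn:oasis:names:tc:SAML:1.0:assertion}"
KEY = b"constructed-demo-key"  # stand-in for the certificate/key pair the two sites exchange

def build_assertion(subject, attrs, issuer, audience, now, lifetime=300):
    """Step 3 (source site): one authentication and one attribute statement in a SAML 1.0 assertion.
    `now` is an ISO-8601 timestamp; the assertion is valid for `lifetime` seconds from it."""
    end = (datetime.fromisoformat(now) + timedelta(seconds=lifetime)).isoformat()
    a = ET.Element(NS + "Assertion", MajorVersion="1", MinorVersion="0", Issuer=issuer,
                   AssertionID=uuid.uuid4().hex, IssueInstant=now)
    cond = ET.SubElement(a, NS + "Conditions", NotBefore=now, NotOnOrAfter=end)
    ET.SubElement(ET.SubElement(cond, NS + "AudienceRestrictionCondition"), NS + "Audience").text = audience
    auth = ET.SubElement(a, NS + "AuthenticationStatement", AuthenticationInstant=now,
                         AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password")
    ET.SubElement(ET.SubElement(auth, NS + "Subject"), NS + "NameIdentifier").text = subject
    st = ET.SubElement(a, NS + "AttributeStatement")
    ET.SubElement(ET.SubElement(st, NS + "Subject"), NS + "NameIdentifier").text = subject
    for name, value in attrs.items():
        ET.SubElement(ET.SubElement(st, NS + "Attribute", AttributeName=name), NS + "AttributeValue").text = value
    return ET.tostring(a, encoding="unicode")

def sign(xml):
    """HMAC over the serialized assertion: a constructed stand-in for the XML Signature the product applies."""
    return hmac.new(KEY, xml.encode(), hashlib.sha256).hexdigest()

def validate(xml, sig, now, audience, seen_ids):
    """Step 5 (affiliate side): the checks that must pass before the subject is mapped."""
    if not hmac.compare_digest(sign(xml), sig): return None, "bad signature"
    a = ET.fromstring(xml)
    if a.get("AssertionID") in seen_ids: return None, "replayed assertion"
    c, t = a.find(NS + "Conditions"), datetime.fromisoformat(now)
    if not datetime.fromisoformat(c.get("NotBefore")) <= t < datetime.fromisoformat(c.get("NotOnOrAfter")):
        return None, "outside validity window"
    if c.findtext(f"{NS}AudienceRestrictionCondition/{NS}Audience") != audience: return None, "wrong audience"
    seen_ids.add(a.get("AssertionID"))  # one-time use: the same POSTed form must not log in twice
    subject = a.findtext(f"{NS}AuthenticationStatement/{NS}Subject/{NS}NameIdentifier")
    attrs = {e.get("AttributeName"): e.findtext(NS + "AttributeValue") for e in a.iter(NS + "Attribute")}
    return {"issuer": a.get("Issuer"), "subject": subject, "attrs": attrs}, "ok"

def map_user(info, policy, ldap, olac_keys=("department", "role")):
    """Steps 5-6: policy maps (issuer, subject) to a local identity; OLAC values come from the
    assertion first and from the mapped user's directory entry (constructed dict) otherwise."""
    local = policy.get((info["issuer"], info["subject"]))
    if local is None: return None
    return local, {k: info["attrs"].get(k) or ldap.get(local, {}).get(k) for k in olac_keys}
```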
Novell Affiliate Connector 1 Requirements
Source site
The Novell SAML Agent API requires one of the following: Solaris 2.7 or 2.8 with Apache web server; Microsoft Windows NT or Windows 2000 with Microsoft IIS
The Novell SAML Agent API must be installed and configured on every web server from which a user can be redirected to the affiliate site
iChain can be installed, but Novell Affiliate Connector doesn’t take advantage of it
Affiliate site
Requires iChain 2.1
Configuration
The source site and the affiliate site must agree on policy
The source site and the affiliate site each generate a key pair and certificate, and exchange public key certificates with the other site
Summary
Affiliate Connector Messages
Strategy
Leverage the strengths of the iChain architecture and install base to deliver an easy-to-use access and security infrastructure for building B2x web services
Value Propositions
Provides a security infrastructure for all B2x web-based applications
Simplifies identity management between disparate organizations
Extends the value of iChain and other SAML-compliant access and identity management services
Reduces password-related help desk costs to create a lower cost of ownership and administration
Enables authentication and single sign-on across affiliate partner sites
Provides common authentication services for web services deployments
Key Messages
Affiliate Connector extends the value of iChain across all of your affiliate partner sites
Affiliate Connector is extensible and customizable, taking full advantage of standard SAML implementations
Affiliate Connector deploys faster and is easier to manage than other competitive products
Important Efforts Related to SAML
IETF/W3C XML Signature: built into SAML for digitally signing assertions
W3C XML Encryption: robust encryption capabilities for XML documents; intended to be used for encrypting SAML traffic; posted for Last Call in October 2001
XKMS: an XML-based mechanism for utilizing PKI services; intended to simplify the integration of PKI into XML environments; SAML traffic might be secured by XKMS-based PKI, by other PKI, or by other means entirely
Important Efforts Related to Security and Identity
OASIS XACML: an XML-based format for expressing access control policy information; intended to be used in conjunction with SAML when processing assertions, especially Authorization Decision Assertions
OASIS Provisioning: XML-based framework for user, resource, and service provisioning
Liberty Alliance: identity solution for SSO of consumers and businesses; still too early to tell if Liberty will utilize SAML
What about Microsoft?
Didn’t participate in early SAML work, but received some “encouragement” later
Has contributed design ideas, mostly about Kerberos support; a subcommittee was formed to pursue this further
Latest .NET/Passport story addresses “federated” functions, based on Kerberos
No commitment to SAML, but at the table
Introduced WS-Security—Microsoft’s Web Services security
Conclusion
SAML meets important interoperability requirements
The right players are involved
The specification is moving along; final submission to OASIS is expected by March
Software vendors are just starting to integrate SAML
Product thrust for the next few years will be SSO
Early SAML-based software won’t offer turn-key solutions
SAML will be an important technology for enabling authentication and conveying authorization
Other IETF and W3C efforts will extend and collaborate with SAML