Federated Identity with Ping Federate. Eunice Mondésir, Pierre Weill-Tessier. Project Supervisor: M. Maknavicius-Laurent (ASR). Coordinator: G. Bernard (ASR).


Slide 1: Federated Identity with Ping Federate
Final Project, February 7th, 2007
Eunice Mondésir, Pierre Weill-Tessier
Project Supervisor: M. Maknavicius-Laurent (ASR). Coordinator: G. Bernard (ASR).

Slide 2: Agenda
1. Introduction
2. Federated Identity concepts
3. Presentation of Ping Federate server
4. Platform implementation
5. Demonstrations
6. Conclusion

Slide 3: Introduction

Slide 4: Federated Identity Concepts

Slide 5: Federated Identity concepts
1. Why Federated Identity?
2. What is Federated Identity?
3. Participants of the Circle of Trust
4. Single Sign On and Single Log Out
5. SAML language

Slide 6: 1. Why federated identity?

Slide 7: 1. Why federated identity?
- Multiple authentication parameters
- Heterogeneous authentication and access control methods
- No control over how personal information is exposed
- Need for easier and faster access to services

Slide 8: 2. What is federated identity?
- A set of agreements, standards and technologies
- Trust relationships between organizations
- Integrity and privacy preserved
- Independence of organizations

Slide 9: 3. Circle of Trust (CoT) participants
Service Provider (SP):
- Provides one or more services within a federation
- Enforces the access control policy
Identity Provider (IdP):
- Creates, maintains and manages identity information
- The user must authenticate at an IdP recognized by the SP

Slide 10: 3. Circle of Trust (CoT) participants
Circle of trust:
- Federation of IdPs and SPs
- Business relationships
- Operational agreements
- Secured communication channels
- Seamless environment
(Diagram: a CoT containing an IdP and an SP.)

Slide 11: 4. SSO and SLO (Liberty Alliance)
Single Sign On (SSO):
- Sign on once at a site (single account)
- Seamlessly signed on at the other sites
- No extra authentication
- SPs both within and across circles of trust
Single Log Out (SLO):
- Synchronized session logout
- All sessions authenticated by an IdP are closed

Slide 12: 5. SAML (Security Assertion Markup Language)
- XML standard developed by OASIS
- Exchanges authentication and authorization data between security domains (IdP and SP)
- SSO solution beyond the intranet
- Exchange of assertions between IdP and SP

Slide 13: Presentation of Ping Federate

Slide 14: Presentation of Ping Federate server
1. How does Ping Federate work?
2. Communication tools of Ping Federate

Slide 15: 1. How does Ping Federate work?
- Server that passes identities between CoTs
- Distinction between two roles, IdP and SP; both roles can be combined
- Ping Federate does not interfere with the local usage of the application

Slide 16: 2. Communication tools in the PF server
- Different environments: how do they communicate?
- Ping Federate provides Integration Toolkits
(Diagram: an application or IdM written in programming language X exchanges a token with the PF agent/adapter, and PF speaks SAML to the partner.)

Slide 17: Platform Implementation

Slide 18: Platform Implementation
1. Needs
2. LDAP
3. Postfix
4. Tomcat
5. Ping Federate server

Slide 19: 1. Needs
- Applications often interact with a database for authentication
- The Ping Federate server asks for the parameters of a mail server in order to send notification mail
- Ping Federate's sample application runs on the Tomcat application server

Slide 20: 2. LDAP
Why this protocol?
- LDAP adapter offered by PF
- Authentication to IdPs via a pop-up window
Our configuration:
- Server: OpenLDAP
- Client: LDAPBrowser, to check our entries
- Simple tree: root + inetOrgPerson class instances

Slide 21: 2. LDAP
Example of LDAP tree:
dn: o=INT,c=FR
dn: cn=Eunice, o=INT, c=FR
dn: cn=Pierre, o=INT, c=FR
Attributes we used:
- cn, sn
- mail, userPassword
- title

Slide 22: 3. Postfix
Why?
- Mail server running on a Linux OS
- "Lighter" configuration than Sendmail
- No database associated: only one user, liberty@cubitus.int-evry.fr
- IdpAdmin@cubitus.int-evry.fr is a "fake" address used for the notification only
- IMAP server as the MDA

Slide 23: 4. Tomcat
Why?
- Application server required to test the samples
- Multi-technology server (JSP, HTML)
Identification tools:
- Double authentication based on role and login
- Default configuration
- LDAP-based configuration (JNDI)

Slide 24: 4. Tomcat
Key configuration files:
- server.xml: defines the database connection
- web.xml: defines the security constraint

Slide 25: 5. Ping Federate
Standalone web administration:
- https://cubitus.int-evry.fr:9999/pingfederate/app
- Support for multi-account administration
- Modifiable role selection (IdP, SP or both)
Ease of management:
- Server configuration
- Partner configuration

Slide 26: 5. Ping Federate
Server settings, local settings:
- Base URL: where is the server reached?
- Federation Info: choice of technologies
- Entity ID / realm: the alias under which Ping Federate is known to the outside
- IdP/SP events: systematic redirections

Slide 27: 5. Ping Federate
Server settings:
- Local settings
- IdP/SP adapter management
- Data Store management
- Metadata export

Slide 28: 5. Ping Federate
Partner settings (connections):
- IdP connections: we are the SP
- SP connections: we are the IdP
- SP affiliations: federation of two or more partners
- According to the partners' configuration: each CoT defines its policy independently
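Added example, not code from the slides or from Ping Federate itself: the checks an SP applies to a received SAML 2.0 assertion against the settings listed above (the partner's Entity ID as Issuer, our own Entity ID as Audience, our ACS endpoint under the Base URL as Recipient, and the validity window). The assertion, hostnames and Entity IDs are constructed placeholders; XML signature verification is assumed to have passed before these checks and is not shown.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(s):
    # SAML timestamps are UTC with a trailing "Z"; fromisoformat wants an offset
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_assertion(xml_text, partner_entity_id, our_entity_id, acs_url, now, skew=timedelta(minutes=2)):
    """Return (True, NameID) when the assertion may be trusted, else (False, reason)."""
    a = ET.fromstring(xml_text)
    if a.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a SAML 2.0 Assertion"
    # Issuer must be the partner Entity ID configured for this IdP connection
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != partner_entity_id:
        return False, "unexpected Issuer %r" % issuer
    # Audience must name our own Entity ID, otherwise the assertion was meant for another SP
    aud = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if our_entity_id not in aud:
        return False, "assertion not addressed to our Entity ID"
    # Validity window, with a small clock-skew allowance
    cond = a.find("saml:Conditions", NS)
    if now < _ts(cond.get("NotBefore")) - skew or now >= _ts(cond.get("NotOnOrAfter")) + skew:
        return False, "assertion outside its validity window"
    # Bearer confirmation must be addressed to our ACS endpoint under the Base URL
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        return False, "Recipient does not match our ACS URL"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample assertion (hostnames and Entity IDs are placeholders, not the project's)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c1" Version="2.0" IssueInstant="2007-02-07T10:00:00Z">
  <saml:Issuer>https://oberon.example/idp</saml:Issuer>
  <saml:Subject><saml:NameID>bob</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://titania.example/sp/ACS.saml2"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2007-02-07T09:59:00Z" NotOnOrAfter="2007-02-07T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://titania.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
IDP, SP, ACS = "https://oberon.example/idp", "https://titania.example/sp", "https://titania.example/sp/ACS.saml2"
T_OK, T_LATE = datetime(2007, 2, 7, 10, 1, tzinfo=timezone.utc), datetime(2007, 2, 7, 11, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_assertion(SAMPLE, IDP, SP, ACS, T_OK))       # (True, 'bob')
    print(check_assertion(SAMPLE, IDP, "https://other.example/sp", ACS, T_OK))
```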

Slide 29: Demonstrations

Slide 30: Test platform implementation
1. Before the Ping Federate servers
2. Simplification
3. Ping Federate servers set-up
4. IdP-initiated SSO with ITAM
5. SP-initiated SSO with ITAM
6. SP-initiated SSO with the LDAP adapter

Slide 31: 1. Before the Ping Federate servers
(Diagram: INT CoT with its IdM and services S1, S2, S3; ITAM CoT with its IdM and services S1, S2, S3.)
Connection to INT services from within INT.

Slide 32: 1. Before the Ping Federate servers
(Same diagram.) Connection to INT services from outside INT.

Slide 33: 1. Before the Ping Federate servers
(Same diagram.) Connection to ITAM services, from within INT or from outside INT, is not possible.

Slide 34: 2. Simplification
(Diagram: each CoT reduced to its IdM and a single service S1.)
- All applications hosted by the Tomcat server
- Authentication files serve as the database

Slide 35: 3. PF servers set-up
- For the INT CoT: only one PF server, acting as both IdP and SP (cubitus)
- For the ITAM CoT: two PF servers, one IdP (oberon) and one SP (titania)

Slide 36: 4. IdP-initiated SSO with ITAM
(Diagram: INT CoT with IdP cubitus; ITAM CoT with SP titania and IdP oberon; SAML 2.0 SSO.)
Sarah is connected to S1 without having passed through the ITAM IdM.

Slide 37: 5. SP-initiated SSO with ITAM
(Diagram: Bob, SP titania and IdP oberon in the ITAM CoT, IdP cubitus in the INT CoT; SAML 2.0 SSO.)

Slide 38: 6. SP-initiated SSO with the LDAP adapter
(Diagram: Sam, SP titania and IdP oberon in the ITAM CoT, IdP cubitus in the INT CoT with its LDAP adapter and standard adapter, and the LDAP IdM; SAML 2.0 SSO.)
The INT IdP interacts with the LDAP directory via a pop-up window.

Slide 39: Conclusion

Slide 40: Conclusion
What remains to be done?
- Adapt INTest to Ping Federate (token)
- Test multi-partner federation
- Perform tests on security and privacy
Other solutions?
- Microsoft CardSpace (.NET)
- WS-Federation
- Servers (Sun One Identity Server, IBM Tivoli, Microsoft ADFS, ...)

Slide 41: Thanks for your attention. Questions?
