Published by Gordon Heyward. Modified over 10 years ago.
Slide 1 [diagram]: Hello User sample (Gateway). Components: DNS, Dispatcher, Conditional Expression, Static Request Filter, Attribute Filter, Portal; arrows numbered 1 to 10.
Slide 2 [diagram]: MediaWiki hosted sample (Gateway). Components: DNS, Dispatcher, Conditional Expression, Static Request Filter, Extract Filter, MediaWiki; arrows numbered 1 to 10.
Slide 3 [diagram]: Gateway, OpenAM, OpenAM Agent and WordPress; arrows numbered 1 to 9.
Slide 4: Simple SSO with WordPress and MediaWiki (participants: Browser, Gateway, WordPress, MediaWiki)
1. Browse to MediaWiki
2. Pass through request
3. MediaWiki login page returned
4. Redirect to WordPress login
5. WordPress login page
6. User submits credentials
7. Pass through and record
8. WordPress home page
9. POST MediaWiki login form with stored credentials
10. MediaWiki home page
Slide 5: Password replay sample, HR application and flat-file DB (sso1), Figure 1 (participants: Browser, Gateway, HR Application, Flat File)
1. http://hr.company.com
2. Pass request through
3. No session, redirect to login
4. Intercepts App redirect, fetches credentials
5. POST App login form
6. Validate login, redirect to HR
7. http://hr.company.com
Slide 6 [diagram]: Hello User sample application flow. Participants: Browser, Gateway, HelloUser, DNS.
Slide 7: Password replay with Access Management integration (sso2), Figure 2 (participants: Browser, Access Manager, Access Manager Agent, Gateway, HR App)
1. http://hr.company.com
2. Agent redirects user to AM login
3. AM logs in user, redirects back to HR App
4. Pass through request
5. No App session
6. POST App login form
7. Redirect to HR
8. http://hr.company.com
Slide 8: SP-initiated SAML2 POST Profile SSO-2 (ssoFedSP), alternative style, Figure 2 (participants: Browser, IDP, Gateway, HR App)
1. http://hr.company.com
2. Pass through request
3. No session, redirect to login
4. Intercepts login request, send SAML2 AuthN Request
6. SAML2 POST AuthN Statement
7. POST App login form
8. Redirect to HR App
9. http://hr.company.com
Slide 9: IDP-initiated SAML2 POST Profile SSO (ssoFedIDP), Figure 4 (participants: Browser, IDP, Gateway, HR App)
1. Authenticate User
2. SAML2 POST AuthN
3. POST App login form
7. Redirect to HR App
8. http://hr.company.com
Slide 10: Standards-based AM Plugin/Agent (ssoFedAgent), Figure 5 (participants: Browser, Access Manager, Gateway, HR App)
1. http://hr.company.com
3. Pass through request
4. No session, redirect to login
5. Intercepts login request, send SAML2 AuthN request
6. SAML2 POST Profile AuthN
7. Authenticate user
7. POST App login form
7. Redirect to HR App
8. http://hr.company.com
Slide 11 [diagram]: Identity Gateway with OpenAM Agent fronting Legacy, Unsupported and Custom applications (Payroll, HR), authenticating against OpenAM.
Slide 12 [diagram]: OpenAM Agent alone in front of Legacy, Unsupported and Custom applications (HR, Payroll): limited SSO.
Slide 13 [diagram]: Identity Gateway with OpenAM Agent in front of Legacy, Unsupported and Custom applications (Payroll, HR): SSO.
Slide 14 [diagram]: Identity Provider linked over SAML2 to three Federation Gateways, each fronting an application (Ringtones, Apps, Accessories).
Slide 15: How SSO Works
- Traffic to the Legacy application is routed through the Gateway.
- The Gateway is deployed as a web app protected by the OpenAM agent.
- The OpenAM agent is configured to pass user-identifying headers to the Gateway.
- Gateway filters are configured to intercept the Legacy application's login pages.
- When a login or timeout page is processed, the user is logged in with credentials passed from the OpenAM agent, or looked up in an external database or vault.
- The Gateway optionally manages, filters, or transforms cookies, headers, and general application content.
[diagram: OpenAM, Identity Gateway with Agent, Legacy application]
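As an added example (not code from this deck or from the Identity Gateway product), the password-replay flow of slides 5 and 15 modelled in Python: the gateway passes the request through, recognises the legacy app's login page, looks up the agent-identified user in a vault and replays the login form POST once. Request, Response, legacy_app, APP_ACCOUNTS and VAULT are constructed stand-ins, and X-Remote-User is an assumed name for the agent's identity header.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Constructed legacy HR app: cookie session plus HTML form login (stand-in, not a real app).
LOGIN_PAGE = '<form action="/login"><input name="username"><input name="password"></form>'
APP_ACCOUNTS = {"alice.hr": "s3cret"}  # constructed sample account inside the legacy app

def legacy_app(request):
    if request.headers.get("Cookie") == "SESSION=ok":
        return Response(200, body="HR home page")
    if request.method == "POST" and request.path == "/login":
        if APP_ACCOUNTS.get(request.form.get("username")) == request.form.get("password"):
            return Response(302, {"Location": "/", "Set-Cookie": "SESSION=ok"})
        return Response(401, body="bad credentials")
    return Response(200, body=LOGIN_PAGE)  # no session: the app shows its login page

# Gateway side: recognise the login (or timeout) page by its form action and input names.
LOGIN_FORM = re.compile(r'<form action="(?P<action>[^"]+)">.*?name="(?P<u>[^"]+)".*?name="(?P<p>[^"]+)"', re.S)
# Constructed credential vault: agent-asserted user -> (legacy username, legacy password).
VAULT = {"alice": ("alice.hr", "s3cret")}

def password_replay(request, next_handler, vault, id_header="X-Remote-User"):
    """Pass the request through; if the app answers with its login page, POST the vaulted
    credentials for the agent-identified user and return the app's post-login response."""
    response = next_handler(request)
    match = LOGIN_FORM.search(response.body) if response.status == 200 else None
    if match is None:
        return response  # not a login page: pass through untouched
    creds = vault.get(request.headers.get(id_header))
    if creds is None:
        return response  # no vault entry: let the user see the real login page
    app_user, app_password = creds
    login = Request("POST", match["action"], dict(request.headers),
                    {match["u"]: app_user, match["p"]: app_password})
    # Replay exactly once; a failed login comes back to the browser rather than being retried.
    return next_handler(login)
```

The browser receives the app's 302 with its session cookie and follows the redirect, which is step 7 of slide 5.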
Slide 16: How Federation Works
- Traffic to the Legacy application is routed through the Gateway.
- The Gateway is deployed as a web app or as a standalone Java application.
- The Gateway is configured as a SAML2 endpoint in a Circle of Trust with the WAM (Web Access Management system).
- Gateway filters are configured to recognize the Legacy application's login pages.
- When the Gateway sees a login or timeout page, an SP-initiated SAML2 AuthN request is sent to the WAM.
- Upon receiving and processing the assertion, the Gateway logs the user in with credentials from the assertion, or looked up in an external database or vault.
- The Gateway optionally manages, filters, or transforms cookies, headers, and general application content.
[diagram: Web Access Management linked over SAML2 to the Federation Identity Gateway, which fronts the Legacy application]
Slide 17 [diagram]: Identity Gateway (Proxy/Agent) fronting Payroll, HR, Legacy and Custom applications; Portal protected by an Agent; OpenAM Services: Single Sign-on, Authentication, Session, Authorization, Auditing.
Slide 18 [diagram]: OpenAM Federated SSO. Portal with Agent, CRM.com with Fedlet, Wiki.com behind Identity Gateway, and a federation-enabled 3rd-party Access Manager; OpenAM Services: Liberty ID-FF, SAML2, SAML1, WS-Fed.