In the past, users have authenticated with Pipeline Pilot by providing a username and password. Starting with 8.5 and continuing with 9.0 we now support additional authentication mechanisms such as Kerberos and SAML. Both Kerberos and SAML can provide a Single Sign On capability; SAML also provides the ability to run secure SOAP web services. This session will detail the current state of support for Kerberos and SAML in AEP 9.0 and discuss future enhancements.

1. (ATS4-PLAT09) Kerberos and SAML
with Accelrys Enterprise Platform 9.0
Jon Hurley
Senior Manager, Platform R&D
Jon.Hurley@accelrys.com

2. The information on the roadmap and future software development efforts are
intended to outline general product direction and should not be relied on in making
a purchasing decision.

3. Security in AEP 9.0
• (ATS-PLAT02) Security Enhancements in Accelrys
Enterprise Platform 9.0
– Discussion of authorization enhancements in AEP 9.0
• New Authentication Methods
– Kerberos
– SAML
• Sender Vouches
– Why?

4. I am NOT a security expert

5. What is Kerberos?
• Kerberos is ticket based authentication baked into the
Operating System
– Many components (e.g. Web Browsers) are able to transmit
Kerberos tickets
• Provides Single Sign On – if you are already signed on to the browser,
the Kerberos ticket can log you in to another system
– The server requests an ‘authentication negotiation’ with the
browser
• If the browser (and OS account) is appropriately configured, a Kerberos
ticket can be transmitted in response

6. Kerberos Sequence Diagram

7. Support for Kerberos/SPNEGO
• In the AEP 8.5 release, Kerberos authentication was only
supported on Windows Servers
– The authentication method was termed WIA (Windows
Integrated Authentication)
– The mechanism used to perform the authentication is termed
SPNEGO which allows authentication with Kerberos tickets
• On Windows, NTLM can also be used with SPNEGO
– Kerberos requires clients that support SPNEGO:
• Web browsers: IE, Firefox, Chrome
• SDKs: .NET Client SDK, JavaScript Client SDK, RunProtocol
• Not supported: other SDKs (Java) or Pipeline Pilot client

8. Enhanced support for Kerberos/SPNEGO
• Additional Kerberos support in AEP 9.0
– Delegation on Windows using Full Impersonation
• If your AEP server is configured for Full Impersonation and if your
Kerberos realm (e.g. Active Directory) is configured to allow
Delegation, this is supported through Pipeline Pilot
– Protocols can use their Kerberos token to connect to other Kerberized
resources (e.g. UNC files, HTTP services, SQL Server databases)
– Delegation with Restricted Impersonation is planned

9. Enhanced support for Kerberos/SPNEGO
• Kerberos Authentication on Linux
– Kerberos authentication is now supported on Linux
– We do NOT support delegation in AEP 9.0
• Just Kerberos Authentication on Linux

10. Kerberos Configuration
• On the authentication page, enable SPNEGO

11. Demo

12. Kerberos Client Configuration – Internet Explorer
• Internet Explorer
– Add the server as a trusted site (Tools > Internet Options >
Security > Trusted Sites > Custom Level > User Authentication >
Logon).
– Select Automatic logon with current user name and password.
– If your server is already part of the Local Intranet, select
Automatic logon only in Intranet zone.
– These settings may be provided by IT using a group policy

13. Kerberos Client Configuration – Firefox
– Browse to "about:config" and add the server names to the
following preferences:
• network.negotiate-auth.trusted-uris
• network.negotiate-auth.delegation-uris
– If wish to support delegation on AEP server

14. SAML Support
• SAML is Security Assertions Markup Language
• Commonly associated to SOAP services
• SAML Sender Vouches Sender Confirmation
– Web Services securely calling AEP
– AEP securely calling SAML protected Web Services
• Externalization
– SAML allows federation of multiple Identify Providers (IdP)

15. SAML Sender Vouches - Outbound
Clients AEP Server Other Web Server
http(s) http(s)
Browse
r Kerberos
WebLog
Container
Service
IE, FF,
SAML
AEP SAML ic
Chrome Kerberos
9.0 Server
Username
Form Based Serv Token
er Other
SDK Custom
Server
Basic Cookie
Clients
Token
CALPP,
NALPP,
JALPP
15

16. SAML Sender Vouches - Outbound
• AEP Protocol securely calling a SAML protected web
service
– Need to create our SAML Certificate used to self-sign our
outbound SAML Sender Vouches messages
– We use the AEP server’s SSL Certificate
– Use the Security > SAML Certificates admin portal page
– Click the Import KeyPair button to store the SSL Certificate as
the SAML Certficate
• AEP 9.0 self-signs all outbound Sender Vouches messages (does not
use an external IdP for message signing)

17. SAML Sender Vouches – Outbound: SOAP Connector
• Call the service with the SOAP Connector
– Set the Token Type parameter to ‘SAML 2.0 Sender Vouches’
• Coming by 9.0 – support for a policy engine (map to a ws-policy file)

18. SAML Sender Vouches - Outbound

19. SAML Sender Vouches - Inbound
Clients Other Web Server AEP Server
http(s) http(s)
Browse
r
WebLo
Container
AEP
SAML SAML
IE, FF,
Service
Chrome Kerberos gic Kerberos
9.0
Username Server Form Serv
Based
Custom
Other er
Other
Cookie
Basic
Server
Clients
19

20. SAML Sender Vouches - Inbound
• Web Services securely calling AEP
– Need to import a certificate from the outside web
service agent so that we trust it
• Use the Security > SAML Certificates admin portal page
• Click the Import button on the Available Certificates grid
and paste in the server’s SAML Certificate
– Optionally specify one or more SAML Issuer Ids to restrict this
certificate to certain services
– If none specified, any service using this certificate will be
supported

21. SAML Sender Vouches - Inbound

22. SAML Sender Vouches – Example Protocol
• Example protocol that demonstrates an
outbound/inbound round trip
– The Protocol uses the SOAP Connector to make an Outbound
SAML Sender Vouches call to an Inbound SAML Sender
Vouches endpoint
– This Inbound endpoint is a SAML protected web service on the
same AEP server that runs a protocol echoing the request

23. SAML Sender Vouches – Example Protocol

24. SAML Sender Vouches – SOAP Request Packet
…

25. SAML Sender Vouches – SOAP Request Packet (Body)
<soap-env:Body>
<ns1:echo>
<hello>jhurley</hello>
</ns1:echo>
</soap-env:Body>

26. SAML Sender Vouches – SOAP Response Packet
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="urn:examples:soap:echoservice"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<echoResponse xmlns="urn:examples:soap:echoservice">
<return>jhurley</return>
</echoResponse>
</soapenv:Body>
</soapenv:Envelope>

27. SAML Sender Vouches – Example Protocol
• Results from the protocol
– Successful execution echoing the username (SAML assertion)
TestResult
Passed
echoResponse/return
jhurley

28. WSDL-First Protocols
• This example calls the Echo Service protocol
– This is an example of a WSDL-First protocol
– As a user, create the WSDL file and then your protocol is designed to operate
with a SOAP packet conforming to that WSDL
– Invoke the protocol with a suitable SOAP URL:
• $(ServerRoot)/wsse/wservice/{Full Path of Protocol}
– The framework validates the request and passes in the contents of the soap-
env:body element as a global property xmldocin:
<ns1:echo>
<hello>jhurley</hello>
</ns1:echo>

29. WSDL First Protocols
• Using an XML Reader and the setting ‘Properties Are:
Leaf Elements’ results in this data record

30. Summary
• AEP 9.0 supports Kerberos SSO and SAML Sender
Vouches
• Communicate with us – let us know what authentication
providers are important now and in the future
• Forthcoming documentation on configuring protocols as
WSDL-first Web Services
• (ATS-PLAT02) Security Enhancements in Accelrys
Enterprise Platform 9.0