GWAVACon 2013: Keyshield SSO Infrastructure for Novell Technologies
1. KeyShield SSO
SSO infrastructure for Novell technologies
Václav Šamša & dear Novell guests:
Dean Lythgoe
Richard Lindstedt
Kai Reichert
2. KeyShield SSO Connects eDir/AD desktop login and mobile devices with SSO
Novell solutions
Novell products?
We are talking about Filr, Vibe, GroupWise Mobility Service, GroupWise, iPrint, Messenger, Service Desk ...
All are, or are getting, pretty standard: they work with a principal – the only thing they need is to identify the user's object within a directory (eDirectory, Active Directory ...).
Btw, the vast majority of users are still consuming Novell product services from the Windows desktop, roughly 30% still with XP ...
Before, the integration point for SSO was the Novell Client for Windows; now there is no connection between the client and the browser or web client...
So, back in 2009, the question was how to make everything work together on Windows, Linux, Mac and, of course, all mobile devices.
3. KeyShield SSO Connects eDir/AD desktop login and mobile devices with SSO
SSO infrastructure for Novell solutions
How does KeyShield SSO do it?
SAML support
ReST API interface for easy and fast direct integrations
The integrated system needs only a short and easy piece of code which asks KeyShield SSO for the principal (UserID). Let's see the simplified schema
4. KeyShield SSO Connects eDir/AD desktop login and mobile devices with SSO
KeyShield SSO - authentication (sequence diagram)
Lanes: Windows Workstation | Browser or Native client | Integrated system (IS) | KeyShield SSO server
Windows Workstation: Run client/browser
Browser or Native client: Client connects to the IS
Integrated system: Valid session? No – ask KeyShield SSO server for the principal
KeyShield SSO server: Check user by IP of the Windows Workstation (address of the client)
KeyShield SSO server: Send user ID (Principal)
Integrated system: Search user profiles database for user ID provided by the KeyShield SSO server. Found – start session
Browser or Native client: User is successfully authenticated by IS
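The integrated-system side of the flow on slides 3 and 4, as an added Python sketch that is not KeyShield's own code or ReST API: the KeyShield lookup is simulated by a constructed address-to-principal table, the user profile database is a constructed dict, and the "ask by client address, then look the principal up locally, then start a session" order is the one the diagram shows.

```python
import ipaddress
import secrets

# Constructed stand-in for the KeyShield SSO server's "who is logged in at this
# address" answer. The real server is asked over its ReST API; the endpoint,
# request and response formats are not on the slides and are assumed here.
KEYSHIELD_BY_IP = {
    "10.0.5.21": "cn=jdoe,ou=users,o=acme",   # constructed sample session
    "10.0.5.42": "cn=tmp,ou=users,o=acme",    # known to SSO, not to the IS
}

# Constructed user profile database of the integrated system (IS).
USER_PROFILES = {
    "cn=jdoe,ou=users,o=acme": {"display": "Jane Doe"},
}


class IntegratedSystem:
    def __init__(self):
        self.sessions = {}   # session ID -> principal

    def ask_keyshield_for_principal(self, client_ip):
        """Stand-in for the short ReST call the slides describe: send the
        address of the connecting client, get the principal (UserID) back, or
        None when nobody is logged in from that address."""
        ip = ipaddress.ip_address(client_ip)   # reject malformed input early
        return KEYSHIELD_BY_IP.get(str(ip))

    def handle_request(self, session_id, peer_ip):
        """Returns (session ID, principal); (None, None) means fall back to
        the IS's ordinary login form."""
        # 1. Valid session? Nothing to do.
        if session_id in self.sessions:
            return session_id, self.sessions[session_id]
        # 2. No session: ask the KeyShield SSO server. The address is the
        #    identity here, so use the peer address the IS observed on the
        #    connection itself, never a client-supplied header.
        principal = self.ask_keyshield_for_principal(peer_ip)
        if principal is None:
            return None, None
        # 3. The principal must exist in the IS's own user profile database.
        if principal not in USER_PROFILES:
            return None, None
        # 4. Found: start a session bound to that principal.
        new_id = secrets.token_urlsafe(24)
        self.sessions[new_id] = principal
        return new_id, principal
```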
5. KeyShield SSO Connects eDir/AD desktop login and mobile devices with SSO
SSO infrastructure for Novell solutions
How does KeyShield SSO do it?
The user is identified by the IP address currently used by the user's device
This works with anything that communicates via IP from the device
This includes any browser and any WebDAV client. Let's see the simplified schema for Filr and Vibe
6. KeyShield SSO Connects eDir/AD desktop login and mobile devices with SSO
KeyShield SSO – Filr WebDAV example (sequence diagram)
Lanes: Browser | Web Client | Novell Filr or Vibe | KeyShield SSO server
Browser: User clicks the Edit button for a particular document
Web Client: Windows built-in Web Client gets the request via WebDAV
Novell Filr or Vibe: WebDAV has no access to the browser cookie or session – ask KeyShield SSO server for the user's identity
KeyShield SSO server: Check user by IP of the Windows Workstation (address of the client)
KeyShield SSO server: Send user ID (Principal)
Novell Filr or Vibe: Search user profile for user ID provided by the KeyShield SSO server. Found. Session created.
Web Client: User can edit the file
7. KeyShield SSO Connects eDir/AD desktop login and mobile devices with SSO
SSO infrastructure for Novell solutions
How does KeyShield SSO do it?
The user can authenticate to the SSO system, but that means at least 2 authentications a day – to the environment/desktop and to the SSO
The demand we clearly see is for really tight integration – once the user is authenticated to the environment/desktop (eDirectory, Active Directory etc.), no further authentication is necessary for any system
Any system means everything inside the LAN/WAN and also anything hosted (in the cloud)
There can be an SSO solution supporting NTLM and there is the KeyShield SSO – we support both. Let's see the Novell Client for Windows integration simplified schema
8. KeyShield SSO Connects eDir/AD desktop login and mobile devices with SSO
KeyShield SSO – Novell Client for Windows integration (sequence diagram)
Lanes: Novell Client | KeyShield client | KeyShield server
Novell Client: Authentication to eDirectory & to the workstation
KeyShield client: Authentication detected. Send user info to the KeyShield SSO server together with workstation IP address.
KeyShield server: Generates token which it writes to the user's object in eDirectory. Token ID together with an authentication challenge is then sent to the KeyShield SSO client.
KeyShield client: Receive token ID and challenge
KeyShield client: eDirectory search for token ID, return value to the KeyShield client
KeyShield client: Generate response
KeyShield server: Validity check
KeyShield server: Authentication OK!
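The token and challenge exchange from the Novell Client integration slide above, as an added Python sketch that is not KeyShield's own code: eDirectory is simulated by a constructed dict, the attribute name and token lifetime are assumed, and the response is computed as an HMAC of the challenge under the token, which is one reasonable way to do it and is not stated on the slide. The point the sketch makes is that the token itself only reaches the client by reading the user's own directory object, so answering the challenge proves the directory login the Novell Client just performed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for eDirectory: user DN -> attributes. The slide says the
# server writes a token to the user's object; the attribute name is assumed.
EDIRECTORY = {"cn=jdoe,ou=users,o=acme": {}}
TOKEN_ATTR = "keyshieldToken"   # assumed attribute name, not from the slides
TOKEN_TTL = 30                  # seconds a challenge stays answerable (assumed)


class KeyShieldServer:
    def __init__(self):
        self.pending = {}   # token ID -> (dn, workstation IP, token, challenge, expiry)

    def on_login_detected(self, dn, workstation_ip):
        """Client reported a desktop login: generate a token, write it to the
        user's directory object, and send the client only the token ID and a
        fresh challenge (the token itself never travels to the client)."""
        token, token_id, challenge = secrets.token_bytes(32), secrets.token_hex(8), secrets.token_bytes(16)
        EDIRECTORY[dn][TOKEN_ATTR] = token_id + ":" + token.hex()
        self.pending[token_id] = (dn, workstation_ip, token, challenge, time.time() + TOKEN_TTL)
        return token_id, challenge

    def verify(self, token_id, response):
        """Validity check: single use, time-limited, constant-time compare.
        Returns (dn, ip) on success so the IP -> principal map can be updated."""
        entry = self.pending.pop(token_id, None)          # single use
        if entry is None:
            return None
        dn, ip, token, challenge, expiry = entry
        if time.time() > expiry:
            return None
        expected = hmac.new(token, challenge, hashlib.sha256).digest()
        return (dn, ip) if hmac.compare_digest(expected, response) else None


class KeyShieldClient:
    def __init__(self, dn):
        self.dn = dn   # the user the Novell Client just authenticated

    def respond(self, token_id, challenge):
        """Search the user's own eDirectory object for the token ID (possible
        only with the user's directory credentials) and answer the challenge."""
        stored_id, _, token_hex = EDIRECTORY[self.dn].get(TOKEN_ATTR, "").partition(":")
        if stored_id != token_id:
            raise ValueError("token ID not found on the user's object")
        return hmac.new(bytes.fromhex(token_hex), challenge, hashlib.sha256).digest()
```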
9. KeyShield SSO Connects eDir/AD desktop login and mobile devices with SSO
SSO infrastructure for Novell solutions
How does KeyShield SSO do it?
The integration mechanism is rock solid.
With this kind of integration, the whole Novell environment can be much more efficient and convenient than Microsoft's.
Together with our colleagues from Novell, we support all scenarios, user platforms, server platforms, mobile devices
If you have any home-brewed system, you are lucky with us – the integration is a piece of cake
Let's discuss the SSO support for Novell technologies; the following slides are pretty theoretical and boring ...