Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications
1. Simplify Access to Microsoft SharePoint and SaaS Applications with Novell Access Manager®
Lloyd Burch
Distinguished Engineer
Novell/lburch@novell.com
Eduardo Barragan
Senior Engineer
Novacoast/ebarragan@novacoast.com
2. Novell Access Manager® Federation Overview
• What does Novell Access Manager Do?
– Access Control to Protected Resources
– Authentication
> Name/Password, X.509, Smart Cards, Kerberos, Others
– Federation
> Liberty, SAML 1.x, SAML 2.0, WS-Fed, CardSpace
> Identity Provider (Builds Tokens)
> Relying Party / Service Provider (Uses Tokens)
> Manages Trust
– SSL-VPN
> Secure external access
2 © Novell, Inc. All rights reserved.
3. Novell Access Manager® Federation Overview
• What is Federation?
– Established trust between two parties (IDP/SP)
> How will IDP authenticate?
> What claims/attributes can be exchanged?
> What identifier will be used to identify user account at SP?
> Is automatic provisioning of an account needed?
– How does it work?
> Administrator defined – IDP sends transparent authentication
> User links accounts – Requests authentication
> Open standards define the rules for how this is done
> There can be many trusted providers or consumers of Identity
4. Simple Federated Identity
[Diagram: ABC Travel (Service) and ZZYZX Car Rental (Identity Provider), with three numbered exchanges]
1 – Request Service and Get Requirements
2 – Get Attested Identity Token
3 – Set Token and Receive Service
5. User-Driven Identity
[Diagram: a Login Request to a Web Service made with My Local Identity, drawing on My Employer Identity, My Hobby Identity and My Family Identity]
- Novell claims this is LBurch
- My Hobby Group claims this is Lloyd
- My Family claims this is “Son of Dad”
- Lloyd claims this is Me
6. Open Standards allow Interoperability
[Diagram: parties connected through Open Standard interfaces]
7. Achieving Cost Savings
• Industry trends enabling Identity Federation
– Open Standards support for identity
– Multiple vendor support
– Oasis and other standards bodies
– Open Source reference code
– Interoperability testing and certification
– Lower cost
– Partners can be added and removed quickly
– Single store front from multiple vendors
– Cost saving by sharing resources
8. The Cost of Interoperability as Partners Increase
[Chart: cost (y-axis, $0 to $25) against number of partners (x-axis, 1 to 4), Open standards versus Proprietary Code]
9. Achieving the Vision
• Industry trends enabling Identity Federation
– The role of the firewall is changing
– Outside partners, customers and employees have access
– Applications must be protected from inside attacks
– Firewalls are becoming identity aware
– Increasing bandwidth for devices
– Most devices are connected (work, home, mobile)
10. SharePoint and Novell Access Manager®
• What are the components?
• How do they work?
• What is the value to the customer?
11. SharePoint and Novell Access Manager®
• WS-Federation is used as the binding protocol to share identities
• ADFS is the connecting point to Microsoft SharePoint
• Access Manager is the connection point to multiple identity stores
• Together, single sign-on and shared identity work
12. SharePoint and Novell Access Manager®
Novell Simplified Access to MS SharePoint
[Diagram: identity stores eDirectory (“Employees”), Active Directory (“Business Units”) and Sun One (“Customers”) feed Access Manager, which transforms LDAP and Federated Identity into ADFS Claims for Microsoft SharePoint, backed by Active Directory (“SharePoint”)]
• User authenticates to Access Manager (Direct or Federated)
• Access Manager can validate Identities across multiple Identity Stores as well as federated authentication from partners using SAML, WS-Fed or Liberty Alliance
• User accesses SharePoint
• Access Manager transforms LDAP and Federated Identity into claims that are forwarded to Active Directory Federation Services (ADFS)
• SharePoint Administrator – Mr. Happy
– Associates claims to SharePoint Groups
– No need to manage individual identities for all users that need SharePoint
• Improved user experience
• Single Sign-On to SharePoint and other web resources protected by Access Manager
13. SharePoint and Novell Access Manager®
[Diagram: LDAP Server – Novell Access Manager Identity Server – ADFS (Windows) – SharePoint (Windows); Legacy Webserver behind the Novell Access Manager Gateway; Internal User]
14. SharePoint and Novell Access Manager®
[Same diagram, with Step A and Step B marked on the flow]
15. SharePoint and Novell Access Manager®
16. SharePoint and Novell Access Manager®
• Benefits to the customer
– Novell Access Manager can validate identities across multiple identity stores as well as federated authentication from partners using SAML, WS-Federation or Liberty Alliance
– Non-Active Directory users can use SharePoint
– The SharePoint administrator does not need to manage individual identities for all users that need access to SharePoint
– Single sign-on to SharePoint and other web resources protected by Novell Access Manager
– Novell Access Manager policy can control SharePoint access via roles
18. Force.com CRM and Novell Access Manager®
• Just an example of SaaS vendors embracing industry standards like SAML 2.0
– Salesforce.com offers Federated and Delegated SSO
> Federated is simple, based on the SAML 2.0 HTTP-POST profile
» You define the NameID
» You create Metadata
» Easy with Access Manager
> Delegated requires Web services to be set up and uses SOAP to authenticate
» You host the Web Service
» SOAP call back
– Delegated is not in scope of this presentation
19. SAML Terms (Security Assertion Markup Language)
• Identity Provider (IDP)
– Producer of assertions
– Novell Access Manager®
– Usually verifies credentials against LDAP
• Service Provider (SP)
– Consumer of assertions
– Provides the application
– Salesforce CRM is a cloud SP
20. SAML Terms
(Security Assertion Markup Language)
• Metadata
“SAML profiles require agreements between system entities regarding
identifiers, binding support and endpoints, certificates and keys, and so
forth. A metadata specification is useful for describing this information in a
standardized way” -
http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
• Assertion (response)
– Synonym for Claim
– A trusted authentication – replaces password with COT
• Name Identifier – NameID
– How to refer to the subject
– Many supported formats
21. SAML References
Novell - http://www.novell.com/documentation/novellaccessmanager/index.html
Wikipedia - http://en.wikipedia.org/wiki/SAML_2.0 – this is a good overview
OASIS - http://saml.xml.org/saml-specifications and http://docs.oasis-open.org/security/saml/v2.0/ – saml.xml.org is the wiki for the OASIS group which maintains the SAML specifications. The link is to the specifications page.
23. Typical Three Step Process - COT
1. Circle of Trust
• Metadata
– Need to create SP metadata
– Access Manager provides metadata
• X.509 Certificates
– SP does not provide a certificate (you can create a self-signed cert)
– IDP should always use SSL, especially since this is the HTTP-POST profile
• End points which resolve via DNS
24. Typical Three Step Process - SP
2. Setup SP side first
• Why?
– The login URL contains specific data to handle NameID and Attribute names
– e.g. https://login.salesforce.com/?saml=MgoTx78aEPXRoZ2hRrHg2wwl5GLiR0qVpDJYXG4e5wzM83LxYv4TgrzVZsOpNK76ItidNdsqihgDsiG2horV_wCGmSN.N1pVNrfRKMIW0QwpMQyrV_QZw94y_TvXB08Jyhi9l32PLM_RH3LQ==
• Have your IDP certificate handy
– Export the signing certificate public key, save in .der format
25. Typical Three Step Process – SP
• Log in to salesforce.com
– ebarragan@novacoast.com - Admin user
– Go to Setup > under Administration Setup
– Select Security Controls > Single Sign-On Settings
• Issuer
– https://idpsrv.novacoast.com/nidp/saml2/metadata
• Name ID format
– urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
26. SP Details
Good Help Reference
28. Typical Three Step Process - IDP
3. Setup IDP – Novell Access Manager®
• Create Attribute Map
29. IDP Details
• SP Metadata:
<EntityDescriptor entityID="https://saml.salesforce.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.salesforce.com/?saml=MgoTx78aEPXToZ2hRrHg2wwl5GLiR0qVpDJYXG4e5wzM83LxYv4TgrzVZsOpNK76ItidNdsqIhgDsi2horU_wCGmSM.N1pVNrfRKMIW0QwpMQyrV_QZw94y_TvXB08Oyhi9l32PLM_RH3LQ=="/>
  </SPSSODescriptor>
</EntityDescriptor>
30. IDP Details
Create Trusted Service Provider
31. IDP Details
Configure Response
32. IDP Details
Configure Target (Inter-site Transfer URL)
https://idpsrv.novacoast.com/nidp/saml2/idpsend?PID=https://saml.salesforce.com
TARGET=https://na7.salesforce.com/home/home.jsp
34. Google Apps and Novell Access Manager®
• Very similar to the force.com SSO setup
– Have a look at Neil Cashell's Cool Solution on the subject for details
– http://www.novell.com/communities/node/8645/integrating-google-apps-and-novell-access-manager-using-saml2
35. Google Apps and Novell Access Manager®
Same three step process
1 - Create COT
– In this case it's the same as the previous process: the public key of the IDP's signing and encryption certificate is all that's required
2 - Configure SP
– Everything you need for this page is in the IDP metadata
> Login URL
> Logout URL
> Password management URL
3 - Configure IDP (Novell Access Manager)
36. Google Apps and Novell Access Manager®
Main Points
Use this metadata, but replace the “Location” attribute: it must contain your domain
<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/domain/acs" />
  </SPSSODescriptor>
</EntityDescriptor>
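Added example, not from the slides or from Novell: it parses SP metadata of the shape shown for Salesforce (slide 29) and Google Apps (slide 36), fills in the Google “domain” placeholder, checks the settings the three-step setup relies on (HTTP-POST binding, HTTPS ACS location, whether the SP asks for signed assertions), and builds the IDP-initiated inter-site transfer URL of slide 32. It assumes PID and TARGET are ordinary query parameters; the host names are constructed placeholders.

```python
# Added example (not from the slides): parse SP metadata like the Salesforce and
# Google Apps samples, fill the Google "domain" placeholder, check the settings
# the three-step setup depends on, and build the IDP-initiated transfer URL.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the Google Apps template, "domain" placeholder still in place.
GOOGLE_TEMPLATE = """<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/domain/acs" />
  </SPSSODescriptor>
</EntityDescriptor>"""

def fill_google_domain(template, domain):
    """Replace the "domain" placeholder in the ACS Location with your own domain."""
    return template.replace("/a/domain/", f"/a/{domain}/")

def parse_sp_metadata(xml_text):
    """Return the fields the IDP needs from SP metadata, plus a list of problems."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    acs = sp.find(f"{{{MD}}}AssertionConsumerService") if sp is not None else None
    if sp is None or acs is None:
        raise ValueError("metadata has no SPSSODescriptor/AssertionConsumerService")
    info = {
        "entity_id": root.get("entityID"),  # becomes PID in the IDP-initiated URL
        "nameid_format": (sp.findtext(f"{{{MD}}}NameIDFormat") or "").strip(),
        "acs_binding": acs.get("Binding"),
        "acs_location": acs.get("Location", ""),
        # Absent here (schema default false): configure the IDP to sign assertions anyway.
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false") == "true",
        "problems": [],
    }
    if info["acs_binding"] != HTTP_POST:
        info["problems"].append("ACS binding is not HTTP-POST")
    if not info["acs_location"].startswith("https://"):
        info["problems"].append("ACS location is not HTTPS")
    if "/a/domain/" in info["acs_location"]:
        info["problems"].append("Google 'domain' placeholder not replaced")
    return info

def intersite_transfer_url(idp_base, entity_id, target):
    """IDP-initiated SSO URL; assumes PID and TARGET are ordinary query parameters."""
    return f"{idp_base}/nidp/saml2/idpsend?{urlencode({'PID': entity_id, 'TARGET': target})}"
```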
37. Google Apps and Novell Access Manager®
Main Points
The Authentication Response is slightly different from force.com's
40. Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.