Federation for Websites, Web services, APIs and the Cloud
Layer 7 Technologies
White Paper
Federated Identity and Single Sign On (SSO) Using Layer 7
Contents

Why do I Need to Federate Identity? ... 3
Is Federation the Same as Single Sign On (SSO)? ... 3
What Standards Address Federated Identity & SSO? ... 4
How Does Layer 7 Help Me to Federate SOAP Web Services? ... 4
SecureSpan STS ... 5
SecureSpan Gateways for Service Protection ... 7
XML VPN Client for Federating Client Applications ... 8
Can Layer 7 Help Me Federate APIs? ... 9
Can You Describe the Layer 7 Drop-in Federation Solution? ... 10
How Do I Use Layer 7 to Provide Single Sign On to My Web Sites? ... 11
Why Should I Use Layer 7 for Attribute Based Access Control? ... 12
How Can Layer 7 Federate Existing LDAP or IAM Systems with Cloud-Based SaaS Services Like Salesforce.com & Google Docs? ... 12
How Does OAuth Relate to Federation & SSO? ... 13
About Layer 7 Technologies ... 15
Contact Layer 7 Technologies ... 15
Legal Information ... 15
Copyright 2012 by Layer 7 Technologies, Inc. (www.layer7.com)
Figure 1: Layer 7's SecureSpan line covers all aspects of federation and SSO, using general Gateway solutions. Each component can work independently, with other vendor components or with other Layer 7 components.
SecureSpan STS
The STS is the foundation infrastructure component of any federation or SSO strategy. It provides the ability to validate tokens or to exchange tokens from one form to another (e.g. the exchange of a username and password for a SAML token).

Any Layer 7 SecureSpan Gateway can be deployed as a WS-Trust compliant STS. The Gateway provides both a native WS-Trust endpoint for drop-in federation solutions (described below) and a WS-Trust policy template that can easily be customized to meet any local integration challenges that a customer may face.

The SecureSpan Gateway STS can be used for local SSO in the enterprise and to support federation scenarios between different organizations. Layer 7's CloudSpan CloudConnect product (described in detail below) is an STS deployment for connecting to Cloud SaaS applications such as Salesforce.com or Google Docs.
Figure 2: Layer 7's SecureSpan line supports the most common enterprise federation and SSO scenarios.
This solution is able to leverage SecureSpan's existing identity provider framework. This offers direct connection into most directory and Identity and Access Management (IAM) products, including:

- Generic LDAP
- Generic database
- Microsoft Active Directory
- Tivoli Access Manager
- Oracle Access Manager
- OpenSSO
- CA/Netegrity SiteMinder
- RSA ClearTrust
These connectors allow organizations to preserve investments and leverage expertise in existing IAM infrastructure, extending it into the SSO space. The SecureSpan STS deployment acts as a minimally intrusive layer over an organization's identity stores and can leverage existing groups, roles and access control rule sets. This is a far more cost effective and flexible solution than vendor-specific STS add-ons, which are typically very expensive and limited in the federation scenarios they support.

Layer 7's template-driven approach to providing an STS means token exchange can be entirely customized to meet an organization's federation challenges. The WS-Trust templates constitute a script that validates identity, interacts with identity stores and generates return tokens. It works out of the box for common federation and SSO scenarios but can easily be augmented to meet the most demanding specialized requirements.

This template-based approach promotes customized identity mapping functions within the context of a WS-Trust transaction. For example, formulaic mappings, such as string transformations of names, can easily be integrated within the policy and used as input into generated SAML assertions. This is invaluable for federation challenges where naming conventions differ between security domains and need to be reconciled at runtime.

SecureSpan Gateways also have full access to directory attributes associated with identities. This allows custom tokens to be constructed with authoritative attribute declarations, an essential feature in Attribute Based Access Control (ABAC) regimes.
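The STS template logic described in the two sections above (credential validation against the identity store, a formulaic name mapping across security domains, and issuance of an attribute-bearing SAML assertion inside a WS-Trust exchange), as an added example that is not Layer 7's code: a minimal Python STS that accepts a WS-Trust Issue request carrying a UsernameToken and answers with an RSTR wrapping a SAML 2.0 assertion. The user store, the STS name https://sts.corp.example, the @corp.example mapping convention and the relying party https://partner.example/orders are constructed assumptions, and the assertion is returned unsigned, which a production STS never does.

```python
import hmac, uuid, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSA, SAML = "http://www.w3.org/2005/08/addressing", "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_TT = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
# Constructed stand-in for the identity store behind the STS (hypothetical user and attributes).
DIRECTORY = {"jsmith": {"password": "s3cret", "department": "finance", "role": "approver"}}
# Constructed WS-Trust Issue request: UsernameToken in, SAML 2.0 token requested for one audience.
SAMPLE_RST = f"""<wst:RequestSecurityToken xmlns:wst="{WST}" xmlns:wsse="{WSSE}" xmlns:wsa="{WSA}"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wst:RequestType>{WST}/Issue</wst:RequestType><wst:TokenType>{SAML_TT}</wst:TokenType>
  <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>https://partner.example/orders</wsa:Address>
  </wsa:EndpointReference></wsp:AppliesTo>
  <wsse:UsernameToken><wsse:Username>jsmith</wsse:Username><wsse:Password>s3cret</wsse:Password>
  </wsse:UsernameToken></wst:RequestSecurityToken>"""

def issue_assertion(user: str, attrs: dict, audience: str, ttl: int = 300) -> ET.Element:
    # SAML 2.0 assertion: mapped subject, short validity window, audience restriction, attributes.
    now, ts = datetime.now(timezone.utc), lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    a = ET.Element(f"{{{SAML}}}Assertion", ID="_" + uuid.uuid4().hex, Version="2.0", IssueInstant=ts(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = "https://sts.corp.example"  # assumed STS name
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    # Formulaic name mapping: the local account name becomes the partner domain's naming convention.
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = f"{user}@corp.example"
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=ts(now), NotOnOrAfter=ts(now + timedelta(seconds=ttl)))
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, value in attrs.items():  # authoritative directory attributes for downstream ABAC
        ET.SubElement(ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name), f"{{{SAML}}}AttributeValue").text = value
    return a

def handle_rst(rst_xml: str) -> str:
    # STS template logic: validate the incoming credential, consult the store, return an RSTR.
    rst = ET.fromstring(rst_xml)
    ut = rst.find(f".//{{{WSSE}}}UsernameToken")
    if ut is None:
        raise ValueError("RST carries no UsernameToken")
    user, pwd = ut.findtext(f"{{{WSSE}}}Username") or "", ut.findtext(f"{{{WSSE}}}Password") or ""
    rec = DIRECTORY.get(user)
    # Constant-time compare; a real store verifies a password hash rather than a stored plaintext.
    if rec is None or not hmac.compare_digest(rec["password"].encode(), pwd.encode()):
        raise PermissionError("authentication failed")
    audience = rst.findtext(f".//{{{WSA}}}Address") or ""  # relying party named in wsp:AppliesTo
    attrs = {k: v for k, v in rec.items() if k != "password"}
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}TokenType").text = SAML_TT
    ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken").append(issue_assertion(user, attrs, audience))
    return ET.tostring(rstr, encoding="unicode")
```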
SecureSpan's WS-Trust policy can leverage the full range of potential incoming security tokens, including:

- HTTP basic authentication
- HTTP digest
- SSL client-side certificate authentication
- X.509 signatures in SOAP messages
- SAML token in HTTP headers
- SAML Token Profile in WS-Security
- Kerberos (Windows Integrated Authentication)
- Kerberos binding to SOAP messages
WS-Trust is not limited to SAML token issuance. The SecureSpan STS can alternatively return most of the credential types listed above, providing absolute flexibility in complex federation scenarios.
Figure 3: SecureSpan Gateways deployed to federate and protect services and APIs.
Layer 7's policy-based access control system can accommodate most security token types, and it integrates with existing infrastructure such as directories and IAM. The internal STS capabilities of the Gateway can be leveraged for identity mapping functions or for strict token validation.

SecureSpan Gateways additionally provide a rich trust management interface that simplifies management of federated partners. This features integral CRL and OCSP support, to ensure that the integrity of the web of trust is maintained. All cryptographic functions are FIPS compliant, and hardware Gateway instances offer integration with leading Hardware Security Modules (HSMs) from Thales and SafeNet.

Gateways can also incorporate XACML access control rules directly into policy, or communicate with remote XACML Policy Decision Points (PDPs) using the XACML protocol. Integration with other external PDPs is possible using the SAMLP and WS-Trust protocols.

The Gateways feature very rich and configurable SAML token processing, allowing support for virtually any federation or SSO scenario. SAML tokens can be extracted from transport headers (such as HTTP) or isolated in SOAP messages under the WS-Security SAML token profile standard. The Gateways support both SAML bearer tokens protected with SSL and more sophisticated WS-Security based bindings for SAML, including holder-of-key and sender-vouches style tokens cryptographically bound into messages. Token evaluation is completely flexible, allowing simple access control based on a trust relationship or the adoption of more sophisticated methods such as ABAC using SAML attribute assertions.

Finally, all other aspects of security supported by SecureSpan Gateways are available to ensure that services are fully protected in one place. This includes features such as message content validation, automated threat detection, audit, transformation, throttling, traffic shaping and content- or state-based routing.
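The Gateway-side token evaluation described above (a bearer SAML token taken from a transport header, a trust relationship on the issuer, validity window and audience checks, then ABAC over the SAML attribute assertions), as an added example that is not Layer 7's code. The trusted issuer, the service audience, the clock-skew allowance and the policy table are constructed assumptions, and the example assumes the WS-Security layer or the SSL channel has already authenticated the token: it does not verify an XML signature itself.

```python
import base64, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRUSTED_ISSUERS = {"https://sts.corp.example"}  # assumed trust relationship with one partner STS
MY_AUDIENCE = "https://partner.example/orders"   # assumed name of the service this policy protects
SKEW = timedelta(seconds=60)                     # tolerated clock difference between STS and Gateway
# Constructed ABAC policy: resource prefix -> attribute name -> values that satisfy the rule.
POLICY = {"/orders/approve": {"role": {"approver"}, "department": {"finance"}},
          "/orders/view": {"department": {"finance", "sales"}}}
# Constructed bearer assertion as a partner STS might issue it (unsigned here; see the lead-in).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c1" Version="2.0" IssueInstant="2012-06-01T12:00:00Z">
  <saml:Issuer>https://sts.corp.example</saml:Issuer><saml:Subject><saml:NameID>jsmith@corp.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-06-01T12:00:00Z" NotOnOrAfter="2012-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{MY_AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="role"><saml:AttributeValue>approver</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_HEADER = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()  # as carried in an HTTP header

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_bearer(header_value: str, now=None) -> dict:
    # Trust-relationship and Conditions checks; any parse failure propagates and rejects the token.
    a = ET.fromstring(base64.b64decode(header_value))
    if a.tag != f"{{{SAML}}}Assertion" or a.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    if a.findtext(f"{{{SAML}}}Issuer") not in TRUSTED_ISSUERS:
        raise PermissionError("untrusted issuer")
    now = now or datetime.now(timezone.utc)
    cond = a.find(f"{{{SAML}}}Conditions")
    if (cond is None or now + SKEW < parse_time(cond.get("NotBefore"))
            or now - SKEW >= parse_time(cond.get("NotOnOrAfter"))):
        raise PermissionError("assertion outside its validity window")
    if MY_AUDIENCE not in [x.text for x in cond.iter(f"{{{SAML}}}Audience")]:
        raise PermissionError("assertion not addressed to this service")
    attrs = {}  # attribute name -> set of asserted values
    for at in a.iter(f"{{{SAML}}}Attribute"):
        attrs.setdefault(at.get("Name"), set()).update(v.text for v in at.iter(f"{{{SAML}}}AttributeValue"))
    return {"subject": a.findtext(f".//{{{SAML}}}NameID"), "attrs": attrs}

def authorize(identity: dict, resource: str) -> bool:
    # ABAC: the first matching policy entry applies and every constraint must hold; default deny.
    for prefix, constraints in POLICY.items():
        if resource.startswith(prefix):
            return all(identity["attrs"].get(n, set()) & allowed for n, allowed in constraints.items())
    return False
```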
Figure 4: The SecureSpan XML VPN Client can federate client applications without requiring any changes to code.
OAuth support in Layer 7 SecureSpan Gateways is described in a dedicated white paper.
Figure 5: Federating APIs using OAuth and SAML. Enforcement uses a SecureSpan Gateway to enact access control policies.
This is depicted in the figure below:
Figure 6: Drop-in federation for Web services, using Layer 7.
This solution is particularly well suited to branch deployments, where a central authority needs to drive rapid federation of applications using local user stores.
How Can Layer 7 Federate Existing LDAP or IAM Systems with Cloud-Based SaaS Services Like Salesforce.com or Google Docs?
Layer 7's CloudSpan CloudConnect Gateway includes templates that enable SSO to any Cloud-based SaaS applications that use SAML as a means of access. CloudConnect is deployed as an STS overlay on the user's existing Identity and Access Management (IAM) infrastructure, thus extending existing identity assets into the Cloud.
Figure 7: Cloud Single Sign On using CloudConnect.
Figure 8: Administrators have full access to SaaS SSO templates, allowing simple customization to accommodate local security directives.
Figure 9: Layer 7 Gateways deployed as an OAuth Authorization Server (AS) and protecting a Resource Server (RS).
Email: info@layer7.com
Web Site: www.layer7.com
Phone: (+1) 604 681 9377, 1 800 681 9377 (toll free within North America)
Fax: 604 681 9387
Address: Layer 7 Technologies, Suite 405, 1100 Melville Street, Vancouver, BC V6E 4A6, Canada
Legal Information
Copyright 2012 by Layer 7 Technologies, Inc. (www.layer7.com). Contents confidential. All rights reserved. SecureSpan and CloudSpan are registered trademarks of Layer 7 Technologies, Inc. All other mentioned trade names and/or trademarks are the property of their respective owners.