
Federated Identity & Single Sign-On Using Layer 7

Federation for Websites, Web Services, APIs and the Cloud

Layer 7 Technologies

White Paper

Federated Identity and Single Sign-On (SSO) Using Layer 7

Contents

Why do I Need to Federate Identity? ... 3
Is Federation the Same as Single Sign-On (SSO)? ... 3
What Standards Address Federated Identity & SSO? ... 4
How Does Layer 7 Help Me to Federate SOAP Web Services? ... 4
  SecureSpan STS ... 5
  SecureSpan Gateways for Service Protection ... 7
  XML VPN Client for Federating Client Applications ... 8
Can Layer 7 Help Me Federate APIs? ... 9
Can You Describe the Layer 7 Drop-in Federation Solution? ... 10
How Do I Use Layer 7 to Provide Single Sign-On to My Web Sites? ... 11
Why Should I Use Layer 7 for Attribute-Based Access Control? ... 12
How Can Layer 7 Federate Existing LDAP or IAM Systems with Cloud-Based SaaS Services Like Salesforce.com & Google Docs? ... 12
How Does OAuth Relate to Federation & SSO? ... 13
About Layer 7 Technologies ... 15
Contact Layer 7 Technologies ... 15
Legal Information ... 15

Copyright 2012 by Layer 7 Technologies, Inc. (www.layer7.com)


Why do I Need to Federate Identity?


You need a federated identity solution if you have any of the following problems:

- Your organization has different divisions or branch offices that have their own directories, and remote users need access to central IT resources.
- You have users with multiple passwords or other credentials that need to be mapped across applications.
- Your organization is merging with another that already has its own identity management system, and you need to provide new users with access to existing applications.
- You need to provide internal users with Single Sign-On (SSO) services across various different Web applications.
- You are developing a mobile device strategy and need to manage access from a wide variety of remote applications.
- You need to provide local users with access to Cloud services such as Salesforce.com and Google Docs.

All these problems relate to different parts of federated identity. Layer 7 Technologies provides solutions that federate identity and provide SSO services for Web applications, Web services, APIs, mobile applications and the Cloud.

Is Federation the Same as Single Sign-On (SSO)?


It is a common misconception that federation and SSO are simply different names for the same practice. While there is certainly overlap between the terms, SSO should be considered a subset of the larger category of identity federation.

Identity federation addresses the problem of how to integrate separate identity silos. Identity silos (or islands) are a very common occurrence in organizations. They occur when new applications introduce their own identity stores, such as directories or identity databases, instead of leveraging a centralized identity management system. They will also commonly occur during a merger or acquisition: entrenched practices and technologies may make it difficult to merge existing identity stores into a single unified, authoritative source.

The problem of siloed identity also extends beyond the boundaries of the enterprise. As partnerships and supply chains become increasingly interconnected, the need arises to manage applications and users that are not under direct control of any centralized authority but instead exist in autonomous security domains. Such inter-company connections are particularly difficult to manage because identity in both organizations may be changing continuously as people come and go, with no coordination between business partners.


Federated identity management is about the process and technology behind managing siloed identity. It describes the policies and procedures that govern access to applications and data from entities residing in another distinct security domain. This includes the overall management of trust relationships, access control strategies, identity mapping mechanics, policies and common protocols.

SSO is a subset of federation that deals specifically with reusing a single identity to authenticate across multiple domains. Federation is largely about architectural concepts, process and procedures. SSO, in contrast, is more concerned with technological approaches to solving the problem of individual users having to manage different identities for different applications.

What Standards Address Federated Identity & SSO?


There are a number of standards associated with federated identity management and SSO. One of the most important is the Security Assertion Markup Language, or SAML for short. SAML provides a cryptographically secure mechanism for communicating acts of authentication, entitlements and attributes between security domains. It defines both the protocol and the process to enact SSO across domains and to implement components of an overall federation strategy.

SAML includes profiles for both browser-based (passive) and service/API-based (active) communication scenarios. The passive profile, in particular, is the basis of most Cloud-based SSO solutions, such as those offered by leading SaaS vendors Salesforce.com and Google Docs. It is also the most common SSO solution deployed within the enterprise.

The active profiles are augmented by additional standards such as WS-Trust and WS-Federation. The WS-Trust standard defines a SOAP-based protocol for token interaction with a Security Token Service (STS), which can include validation and exchange of tokens, as well as trust brokerage between parties. For example, it describes how to exchange local credentials in return for issuance of a SAML token. WS-Federation builds on WS-Trust, defining typical federation scenarios and solutions for identity mapping, augmentation, token management etc. It covers both active and passive profiles.

How Does Layer 7 Help Me to Federate SOAP Web Services?


Layer 7 provides infrastructure that allows organizations to federate their Web services simply and easily, with no changes to code. Layer 7 provides federation solutions as deployment patterns of existing product lines, rather than single-purpose solutions. This has the advantage that the technology can also be applied to address general Web services security and management challenges.


Figure 1: Layer 7's SecureSpan line covers all aspects of federation and SSO, using general Gateway solutions. Each component can work independently, with other vendor components or with other Layer 7 components.

Layer 7's SecureSpan Gateway product line can be deployed to provide Security Token Services for a range of clients and to provide federated access control for individual services. Layer 7 also offers client-side federation support using its XML VPN Client product. Each of these deployment patterns is outlined below.

SecureSpan STS
The STS is the foundation infrastructure component of any federation or SSO strategy. It provides the ability to validate tokens or exchange tokens from one form to another (e.g. the exchange of username and password for a SAML token).

Any Layer 7 SecureSpan Gateway can be deployed as a WS-Trust compliant STS. The Gateway provides both a native WS-Trust endpoint for drop-in federation solutions (described below) and a WS-Trust policy template that can easily be customized to meet any local integration challenges that a customer may be faced with.

The SecureSpan Gateway STS can be used for local SSO in the enterprise and to support federation scenarios between different organizations. Layer 7's CloudSpan CloudConnect product (described in detail below) is an STS deployment for connecting to Cloud SaaS applications such as Salesforce.com or Google Docs.


Figure 2: Layer 7's SecureSpan line supports the most common enterprise federation and SSO scenarios.

This solution is able to leverage SecureSpan's existing identity provider framework. This offers direct connection into most directory and Identity and Access Management (IAM) products, including:

- Generic LDAP
- Generic database
- Microsoft Active Directory
- Tivoli Access Manager
- Oracle Access Manager
- OpenSSO
- CA/Netegrity SiteMinder
- RSA ClearTrust

These connectors allow organizations to preserve investments and leverage expertise in existing IAM infrastructure, extending it into the SSO space. The SecureSpan STS deployment acts as a minimally intrusive layer over an organization's identity stores and can leverage existing groups, roles and access control rule sets. This is a far more cost-effective and flexible solution than vendor-specific STS add-ons, which are typically very expensive and limited in the federation scenarios they support.

Layer 7's template-driven approach to providing STS means token exchange can be entirely customized to meet an organization's federation challenges. The WS-Trust templates constitute a script that validates identity, interacts with identity stores and generates return tokens. It works out of the box for common federation and SSO scenarios but can easily be augmented to meet the most demanding specialized requirements.

This template-based approach promotes customized identity mapping functions within the context of a WS-Trust transaction. For example, formulaic mappings, such as string transformations of names, can easily be integrated within the policy and used as input into generated SAML assertions. This is invaluable for federation challenges where naming conventions differ between security domains and need to be reconciled at runtime.

SecureSpan Gateways also have full access to directory attributes associated with identities. This allows custom tokens to be constructed with authoritative attribute declarations, an essential feature in Attribute-Based Access Control (ABAC) regimes.
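As an added example (not Layer 7's code or its WS-Trust policy template), the exchange this section and the WS-Trust paragraph above describe, in Python with only the standard library: the requester sends a WS-Trust RequestSecurityToken carrying a UsernameToken, the STS validates it against a constructed stand-in for a local directory, applies a formulaic name mapping, and returns a SAML 2.0 assertion with the directory attributes in its RequestSecurityTokenResponse. The user store, the mapping convention and the issuer URN are assumptions made for the example, and the assertion is left unsigned.

```python
import datetime as dt
import html
import uuid
import xml.etree.ElementTree as ET
# Standard namespace URIs: SOAP 1.2, WSS 1.0, WS-Trust 1.3, WS-Policy, WS-Addressing, SAML 2.0.
NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
ISSUE = NS["wst"] + "/Issue"
# Constructed stand-in for the directory an STS would consult (not a real LDAP or IAM system).
LOCAL_USERS = {"JSmith": {"password": "correct-horse", "role": "manager", "dept": "finance"}}

def map_name(local_id):
    """Formulaic identity mapping: local login 'JSmith' -> 'jsmith@example.com' (assumed convention)."""
    return local_id.lower() + "@example.com"

def build_rst(user, password, applies_to):
    """Requester side: SOAP envelope with a UsernameToken in the Security header and a
    WS-Trust RST asking for a SAML 2.0 token scoped (AppliesTo) to the target service."""
    e = html.escape
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:wsse="{NS['wsse']}" xmlns:wst="{NS['wst']}"
  xmlns:wsp="{NS['wsp']}" xmlns:wsa="{NS['wsa']}">
 <s:Header><wsse:Security><wsse:UsernameToken>
  <wsse:Username>{e(user)}</wsse:Username><wsse:Password>{e(password)}</wsse:Password>
 </wsse:UsernameToken></wsse:Security></s:Header>
 <s:Body><wst:RequestSecurityToken>
  <wst:RequestType>{ISSUE}</wst:RequestType><wst:TokenType>{SAML2_TOKEN_TYPE}</wst:TokenType>
  <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>{e(applies_to)}</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
 </wst:RequestSecurityToken></s:Body></s:Envelope>"""

def sts_issue(rst_xml, now=None):
    """STS side: validate the UsernameToken against the local store, map the name, copy the directory
    attributes and answer with an RSTR carrying a short-lived SAML 2.0 assertion (unsigned here)."""
    root = ET.fromstring(rst_xml)
    user = root.findtext(".//wsse:Username", namespaces=NS)
    rec = LOCAL_USERS.get(user)
    if rec is None or rec["password"] != root.findtext(".//wsse:Password", namespaces=NS):
        raise PermissionError("authentication failed")  # a real STS answers with a SOAP fault
    if root.findtext(".//wst:RequestType", namespaces=NS) != ISSUE:
        raise ValueError("unsupported RequestType")
    audience = root.findtext(".//wsa:Address", namespaces=NS)
    now = now or dt.datetime.now(dt.timezone.utc)
    ts = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    attrs = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{html.escape(v)}'
                    '</saml:AttributeValue></saml:Attribute>' for k, v in rec.items() if k != "password")
    return f"""<wst:RequestSecurityTokenResponse xmlns:wst="{NS['wst']}" xmlns:saml="{NS['saml']}">
 <wst:TokenType>{SAML2_TOKEN_TYPE}</wst:TokenType><wst:RequestedSecurityToken>
  <saml:Assertion Version="2.0" ID="_{uuid.uuid4().hex}" IssueInstant="{ts(now)}">
   <saml:Issuer>urn:example:sts</saml:Issuer><saml:Subject><saml:NameID>{html.escape(map_name(user))}</saml:NameID></saml:Subject>
   <saml:Conditions NotBefore="{ts(now)}" NotOnOrAfter="{ts(now + dt.timedelta(minutes=5))}">
    <saml:AudienceRestriction><saml:Audience>{html.escape(audience)}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
   <saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>
 </wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>"""

def token_from_rstr(rstr_xml):
    """Requester side: pull the issued assertion's NameID and attributes out of the RSTR."""
    a = ET.fromstring(rstr_xml).find(".//saml:Assertion", NS)
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
             for x in a.findall(".//saml:Attribute", NS)}
    return a.findtext(".//saml:NameID", namespaces=NS), attrs
```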


SecureSpan's WS-Trust policy can leverage the full range of potential incoming security tokens, including:

- HTTP basic authentication
- HTTP digest
- SSL client-side certificate authentication
- X.509 signatures in SOAP messages
- SAML token in HTTP headers
- SAML Token Profile in WS-Security
- Kerberos (Windows Integrated Authentication)
- Kerberos binding to SOAP messages

WS-Trust is not limited to SAML token issuance. The SecureSpan STS can alternatively return most of the credential types listed above, providing absolute flexibility in complex federation scenarios.

SecureSpan Gateways for Service Protection


SecureSpan Gateways can also be deployed in front of Web services servers to provide access control for federated services. This removes the complexity of token processing, administration of trust relationships and audit from the application and centralizes this for all services. This logical shift to a more declarative style of security management means that dedicated security administrators can assume responsibility for all application access control, ensuring that the security policy is consistent with corporate requirements.

Figure 3: SecureSpan Gateways deployed to federate and protect services and APIs.


Layer 7's policy-based access control system can accommodate most security token types. Also, it integrates with existing infrastructure such as directories and IAM. The internal STS capabilities of the Gateway can be leveraged for identity mapping functions or strict token validation.

SecureSpan Gateways additionally provide a rich trust management interface that simplifies management of federated partners. This features integral CRL and OCSP support, to ensure that the integrity of the web of trust is maintained. All cryptographic functions are FIPS compliant, and hardware Gateway instances feature available integration with leading Hardware Security Modules (HSMs) from Thales and SafeNet.

Gateways can also incorporate XACML access control rules directly into policy or communicate with remote XACML Policy Decision Points (PDPs) using the XACML protocol. Integration with other external PDPs is possible using SAMLP and WS-Trust protocols.

The Gateways feature very rich and configurable SAML token processing, allowing support for virtually any federation or SSO scenario. SAML tokens can be extracted from transport headers (such as HTTP) or isolated in SOAP messages under the WS-Security SAML token profile standard. The Gateways support both SAML bearer tokens protected with SSL and more sophisticated WS-Security based bindings for SAML, including holder-of-key and sender-vouches style tokens cryptographically bound into messages. Token evaluation is completely flexible, allowing simple access control based on trust relationship or adoption of more sophisticated methods such as ABAC using SAML attribute assertions.

Finally, all other aspects of security supported by SecureSpan Gateways are available to ensure that services are fully protected in one place. This includes features such as message content validation, automated threat detection, audit, transformation, throttling, traffic shaping and content- or state-based routing.

XML VPN Client for Federating Client Applications


Layer 7's XML VPN Client is a small-footprint, client-side application that helps to rapidly onboard clients in Web services federation scenarios. This eliminates the burden of implementing federation and SSO functions in code, thus ensuring that federation is done right the first time.

The XML VPN Client interacts with a remote SecureSpan Gateway to load the most up-to-date policy in effect. It then automatically coordinates SAML security token acquisition with a local STS, buffering the token for all transactions across the token's lifetime and automatically inserting it into transactions destined for a remote service.


Figure 4: The SecureSpan XML VPN Client can federate client applications without requiring any changes to code.

The XML VPN Client integrates with a local STS using the standards-based WS-Trust protocol. It can integrate with either a SecureSpan-based STS or a third-party STS such as Microsoft's ADFS.

The XML VPN Client solution is particularly well suited to federating branch office applications and to rapidly federating applications during organizational mergers and acquisitions.

Can Layer 7 Help Me Federate APIs?


The emerging API paradigm is based on RESTful design, JSON data structures and OAuth security tokens. Layer 7 Gateways have always supported REST-style messaging. The policy language treats JSON as a first-class citizen beside XML. The OAuth toolkit provides rich OAuth integration capabilities.[1]

SecureSpan's SAML capabilities are entirely applicable to SAML bearer tokens carried as transport payload. This allows sophisticated federation models, including access control paradigms such as ABAC, to be applied to APIs, not just SOAP endpoints.

[1] OAuth support in Layer 7 SecureSpan Gateways is described in a dedicated white paper.

Figure 5: Federating APIs using OAuth and SAML. Enforcement uses SecureSpan Gateway to enact access control policies.

SecureSpan can also be used to bridge between existing SAML SSO systems and newer OAuth-based API interactions. The SecureSpan policy language provides the perfect vehicle for articulating rules designed to bridge between these two important token formats.

Can You Describe The Layer 7 Drop-in Federation Solution?


Layer 7 can provide a complete, turnkey federation solution that is able to federate SOAP Web services with no modifications to client or server code. The solution consists of:

- A service access Gateway deployed in the enterprise, to manage secure service access
- A Gateway deployed as an STS at the client site
- The XML VPN Client, to coordinate token acquisition and securing of messages for the client


This is depicted in the figure below:

Figure 6: Drop-in federation for Web services, using Layer 7.

This solution is particularly well suited to branch deployments, where a central authority needs to drive rapid federation of applications using local user stores.

How do I Use Layer 7 to Provide SSO to My Web Sites?


Layer 7 can provide Security Token Services that allow browser-based clients to perform SSO with internal or partner Web applications. This deployment pattern for SecureSpan Gateways is described above. It makes use of standards-based SAML profiles to allow a single credential to be used once in order to access any number of local Web sites.

The Web applications must be configured to locally perform access control based on standard SAML SSO profiles. Most modern Web application servers can easily be configured to consume SAML tokens and enforce trust relationships.


Why Should I Use Layer 7 for Attribute-Based Access Control?


Layer 7 SecureSpan Gateways provide an excellent solution for implementing ABAC schemes. The Layer 7 policy language can easily be configured to evaluate rules based on any combination of attributes associated with a transaction. Attributes can be mined from SAML assertions, extracted from X.509 certificate fields or dynamically queried from directory or proprietary attribute services. Rule sets can easily be expressed using the policy language. The Gateway also incorporates an on-board XACML engine, allowing attribute evaluation rules to be expressed in a standards-based way. Additionally, the Gateway can integrate with external, standalone XACML policy servers, using the XACML PDP query language, as well as any other PDPs that support the SAMLP protocol.
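An added example, not Layer 7's policy language or XACML, of the evaluation this section and the service protection section describe: a relying party checks a SAML bearer assertion's issuer, validity window and audience restriction before trusting its attributes, then runs a small ABAC rule set over them with default deny. The sample assertion, the rules, the paths and the attribute names are all constructed for the example; signature verification is assumed to have been performed already.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample bearer assertion, as a gateway sees it once extracted from a transport
# header or a WS-Security header. It is unsigned, so signature verification (which a real
# deployment performs before anything below) is outside this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Version="2.0" ID="_example1" IssueInstant="2012-06-01T12:00:00Z">
  <saml:Issuer>urn:example:sts</saml:Issuer>
  <saml:Subject><saml:NameID>jsmith@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-06-01T12:00:00Z" NotOnOrAfter="2012-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://api.example.com/payroll</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>manager</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dept"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="clearance"><saml:AttributeValue>2</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(text):
    return dt.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def validate_assertion(xml_text, expected_audience, trusted_issuers, now, skew=dt.timedelta(seconds=60)):
    """Enforce the trust relationship and the assertion's Conditions before any attribute is
    used: trusted issuer, validity window (with a small clock-skew allowance) and audience.
    Returns (subject NameID, {attribute name: value}); raises PermissionError otherwise."""
    a = ET.fromstring(xml_text)
    if a.findtext("saml:Issuer", namespaces=SAML) not in trusted_issuers:
        raise PermissionError("untrusted issuer")
    cond = a.find("saml:Conditions", SAML)
    if cond is None:
        raise PermissionError("assertion carries no Conditions")
    if now + skew < parse_ts(cond.get("NotBefore")) or now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        raise PermissionError("assertion outside its validity window")
    if expected_audience not in [x.text for x in cond.findall(".//saml:Audience", SAML)]:
        raise PermissionError("assertion not intended for this service")
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=SAML)
             for x in a.findall(".//saml:Attribute", SAML)}
    return a.findtext(".//saml:NameID", namespaces=SAML), attrs

# ABAC rule set for the example: (path prefix, HTTP method, predicate over the attributes).
# A real deployment expresses these in the gateway's policy language or in XACML.
RULES = [
    ("/payroll/reports", "GET", lambda a: a.get("dept") == "finance"),
    ("/payroll/approve", "POST", lambda a: a.get("dept") == "finance"
     and a.get("role") == "manager" and int(a.get("clearance", "0")) >= 2),
]

def decide(method, path, attrs):
    """Default deny: permit only when some rule covers the request and its predicate holds."""
    return any(path.startswith(p) and method == m and pred(attrs) for p, m, pred in RULES)
```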

How Can Layer 7 Federate Existing LDAP or IAM Systems with Cloud-Based SaaS Services Like Salesforce.com or Google Docs?


Layer 7's CloudSpan CloudConnect Gateway includes templates that enable SSO to any Cloud-based SaaS applications that use SAML as a means of access. CloudConnect is deployed as an STS overlay on the user's existing Identity and Access Management (IAM) infrastructure, thus extending existing identity assets into the Cloud.

Figure 7: Cloud Single Sign-On using CloudConnect.

CloudConnect supports standardized SAML browser profiles. Because there is considerable variation between different SaaS implementations, Layer 7 has provided SaaS SSO templates that can easily be adapted to accommodate local differences. The rich policy language can easily be used to build custom authorization schemes, exchange tokens or integrate with local IAM infrastructure.


Figure 8: Administrators have full access to SaaS SSO templates, allowing simple customization to accommodate local security directives.

How Does OAuth Relate to Federation & SSO?


OAuth is primarily a means of authentication and limited, delegated federation, rather than a full-blown federation or SSO model. It was developed as a solution to the password anti-pattern, a bad practice that multi-site Web applications sometimes resorted to as a means of lightweight, user-driven federation.

OAuth allows a user who has separate accounts on two sites to effectively federate these for certain functions. For example, a user of Twitter might want to post tweets on his or her Facebook wall (thus federating the accounts). OAuth provides a means to do this without forcing the user to share credentials between sites.

There are interesting overlaps between what can be accomplished with SAML and what can be done with the emerging OAuth specifications (particularly the OAuth 2.0 spec). These are beyond the scope of this white paper. At present, OAuth is mainly finding application in user-delegated account federation on Web sites, with an emphasis on social networking sites (largely because of the developer culture at these organizations). In these cases, OAuth is used as the security token in API calls.

SAML appears more commonly in enterprise or Cloud-based SaaS applications. There are some interesting emerging approaches for exchanging SAML tokens acquired using a browser-based profile for OAuth tokens that can be used by APIs running within the context of a browser user agent. Layer 7 has policy templates available that implement some of these scenarios. However, this is presently very much a moving target with little standardization between implementations.

Layer 7 provides an OAuth Toolkit, consisting of several policy assertions that constitute the building blocks of OAuth applications. The Toolkit also includes policy templates that leverage these assertions to provide basic OAuth functions such as distributed authorization services, user access management and API access control.


Figure 9: Layer 7 Gateways deployed as an OAuth Authorization Server (AS) and protecting a Resource Server (RS).


About Layer 7 Technologies


Layer 7 Technologies helps enterprises secure and govern interactions between their organizations and the services they use in the Cloud, across the Internet and out to mobile devices. Through its award-winning line of SOA Gateways, Cloud Brokers and API Proxies, Layer 7 gives enterprises the ability to control identity, data security, SLA and visibility requirements for sharing application data and functionality across organizational boundaries. With more than 150 customers spanning six continents, Layer 7 supports the most demanding commercial and government organizations. Layer 7 solutions are FIPS compliant, STIG vulnerability tested and have met Common Criteria EAL4+ security assurance.

Contact Layer 7 Technologies


Layer 7 Technologies welcomes your questions, comments and general feedback.


Email: info@layer7.com


Web Site: www.layer7.com


Phone: (+1) 604 681 9377, 1 800 681 9377 (toll free within North America)


Fax: 604 681 9387


Address: Layer 7 Technologies, Suite 405, 1100 Melville Street, Vancouver, BC V6E 4A6, Canada

Legal Information
Copyright 2012 by Layer 7 Technologies, Inc. (www.layer7.com). Contents confidential. All rights reserved. SecureSpan and CloudSpan are registered trademarks of Layer 7 Technologies, Inc. All other mentioned trade names and/or trademarks are the property of their respective owners.
