Federated Identity with Ping Federate - PowerPoint PPT Presentation

Slides: 42
Provided by: wwwinfI
Transcript and Presenter's Notes

Title: Federated Identity with Ping Federate


1
ASR Final Project
February 7th, 2007
Federated Identity with Ping Federate
Eunice Mondésir, Pierre Weill-Tessier
Project Supervisor: M. Maknavicius-Laurent
ASR Coordinator: G. Bernard
2
Agenda
  1. Introduction
  2. Federated Identity concepts
  3. Presentation of Ping Federate server
  4. Platform implementation
  5. Demonstrations
  6. Conclusion

3
Introduction
4
Federated Identity Concepts
5
Federated Identity concepts
  • Why Federated Identity?
  • What is Federated Identity?
  • Participants of Circle of Trust
  • Single Sign On and Single Log Out
  • SAML language

6
1. Why federated identity?
Federated Identity Concepts
7
1. Why federated identity?
Federated Identity Concepts
  • Multiple authentication parameters
  • Heterogeneous authentication and access control
    methods
  • No control over the disclosure of personal information
  • Need for easier and faster access to services

8
2. What is federated identity?
Federated Identity Concepts
  • Set of agreements, standards and technologies
  • Trust relationships between organizations
  • Integrity and privacy preserved
  • Independence of organizations

9
3. Circle of Trust (CoT) participants
Federated Identity Concepts
  • Service Provider (SP)
    • Provides one or more services within a federation
    • Access control policy
  • Identity Provider (IdP)
    • Creates, maintains and manages identity information
    • The user must authenticate at an IdP recognized by the
      SP

10
3. Circle of Trust (CoT) participants
Federated Identity Concepts
  • Circle of Trust (CoT)
    • Federation of IdPs and SPs
    • Business relationships
    • Operational agreements
    • Secured communication channels
    • Seamless environment

[Diagram: one IdP surrounded by several SPs forming the circle of trust]
11
4. SSO and SLO
Federated Identity Concepts
  • Liberty Alliance
  • Single Sign On (SSO)
    • Sign on once at a site (single account)
    • Seamlessly signed on at the other sites
    • No extra authentication
    • SPs both within and across circles of trust
  • Single Log Out (SLO)
    • Synchronized session logout
    • All sessions authenticated by an IdP are closed

12
5. SAML (Security Assertion Markup Language)
Federated Identity Concepts
  • XML standard developed by OASIS
  • Exchanging authentication and authorization data
    between security domains (IdP and SP)
  • SSO solution beyond the intranet
  • Exchange of assertions between IdP and SP
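As an added example (not part of the original slides), the checks an SP must apply to the SAML 2.0 assertion it receives from the IdP in the SSO flow just described, in Python: status, issuer, InResponseTo (present in SP-initiated SSO, absent in IdP-initiated SSO), validity window and audience. The entity IDs, request ID and the sample response are constructed; verification of the XML signature is assumed to be done upstream by the SAML library and is not shown.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def parse_ts(value):  # SAML 2.0 timestamps are UTC, e.g. 2007-02-07T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, idp_entity_id, sp_entity_id, pending_requests,
                      now, allow_unsolicited=False):
    """SP-side checks on a SAML 2.0 Response: returns the NameID or raises ValueError."""
    root = ET.fromstring(xml_text)  # assumes the XML signature was already verified upstream
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if root.findtext("saml:Assertion/saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("no assertion, or issuer is not the trusted IdP of this circle of trust")
    # SP-initiated SSO: InResponseTo must match an AuthnRequest this SP issued.
    # IdP-initiated SSO: there is no InResponseTo; accept only if configured to.
    req_id = root.get("InResponseTo")
    if req_id is None:
        if not allow_unsolicited:
            raise ValueError("unsolicited (IdP-initiated) response not allowed")
    elif req_id not in pending_requests:
        raise ValueError("InResponseTo does not match a pending AuthnRequest")
    else:
        pending_requests.discard(req_id)  # a request ID is consumed once (anti-replay)
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("missing Conditions or assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion is addressed to another SP")
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample (invented entity IDs): the IdP asserts Eunice to one SP.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2007-02-07T10:00:00Z" InResponseTo="_req42">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-02-07T10:00:00Z">
  <saml:Issuer>https://idp.int.example</saml:Issuer>
  <saml:Subject><saml:NameID>Eunice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2007-02-07T09:59:00Z" NotOnOrAfter="2007-02-07T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.itam.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
```

Calling `validate_response(SAMPLE, "https://idp.int.example", "https://sp.itam.example", {"_req42"}, parse_ts("2007-02-07T10:00:30Z"))` returns `"Eunice"`; the same response presented a second time, or at `NotOnOrAfter`, or to a different SP is rejected.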

13
Presentation of Ping Federate
14
Presentation of Ping Federate server
  1. How does Ping Federate work?
  2. Communication tools of Ping Federate

15
1. How does Ping Federate work?
Presentation of Ping Federate server
  • Server that passes identities between CoTs
  • Distinction between two roles: IdP and SP
  • Both roles can be combined
  • Ping Federate does not interfere with local usage
    of the application

16
2. Communication tools in PF server
Presentation of Ping Federate server
  • How do different environments communicate?
  • Ping Federate provides Integration Toolkits

17
Platform Implementation
18
Platform Implementation
  1. Needs
  2. LDAP
  3. Postfix
  4. Tomcat
  5. Ping Federate server

19
1. Needs
Platform Implementation
  • Applications often interact with a database for
    authentication
  • The Ping Federate server asks for the parameters of a
    mail server to send notification mail
  • Ping Federate's sample application runs on the Tomcat
    application server

20
2. LDAP
Platform Implementation
  • Why this protocol?
    • LDAP adapter proposed by PF
    • Authentication to IdPs via a pop-up window
  • Our configuration
    • Server: OpenLDAP
    • Client: LDAPBrowser to check our entries
    • Simple tree: root and inetOrgPerson class instances

21
2. LDAP
Platform Implementation
  • Example of LDAP tree

    dn: o=INT, c=FR
    dn: cn=Eunice, o=INT, c=FR
    dn: cn=Pierre, o=INT, c=FR

  • Attributes we used
    • cn, sn
    • mail, userPassword
    • title

22
3. Postfix
Platform Implementation
  • Why?
    • Mail server working on Linux OS
    • Lighter configuration than Sendmail
  • No database associated, only one user!
    • liberty@cubitus.int-evry.fr
    • IdpAdmin@cubitus.int-evry.fr is a fake address
      used for the notification only
  • IMAP server as MDA

23
4. Tomcat
Platform Implementation
  • Why?
    • Required application server to test the samples
    • Multi-technology server (JSP, HTML)
  • Identification tools
    • Double authentication based on role and login
    • Default configuration
    • LDAP-based configuration → JNDI

24
4. Tomcat
Platform Implementation
  • Key configuration files
    • server.xml defines the database connection
    • web.xml defines the security constraint

25
5. Ping Federate
Platform Implementation
  • Standalone web administration
    • https://cubitus.int-evry.fr:9999/pingfederate/app
    • Support of multi-account administration
    • Modifiable role selection (IdP, SP or both)
  • Ease of management
    • Server configuration
    • Partner configuration

26
5. Ping Federate
Platform Implementation
  • Server settings
    • Local settings
      • Base URL: where to reach the server
      • Federation Info: choice of technologies
      • Entity ID / realm: the server's alias outside Ping Federate
      • IdP/SP events: systematic redirections

27
5. Ping Federate
Platform Implementation
  • Server settings
    • Local settings
    • IdP/SP adapter management
    • Data store management
    • Metadata export

28
5. Ping Federate
Platform Implementation
  • Partner settings: connections
    • IdP connections: we are the SP
    • SP connections: we are the IdP
    • SP affiliations: federation of 2 partners

→ According to partner configuration: each
CoT defines its policy independently

29
Demonstrations
30
Test Platform implementation
  1. Before the Ping Federate servers
  2. Simplification
  3. Ping Federate servers set-up
  4. IdP-initiated SSO with ITAM
  5. SP-initiated SSO with ITAM
  6. SP-initiated SSO with LDAP adapter

31
1. Before Ping Federate servers
Connection to INT services within INT
32
1. Before Ping Federate servers
Connection to INT services from outside INT
33
1. Before Ping Federate servers
Connection to ITAM services, within INT or from
outside INT: not possible
34
2. Simplification
  • All applications hosted by the Tomcat server
  • Authentication files serving as database

35
3. PF servers set-up
  • For the INT CoT: only one PF server (IdP and SP
    server)
  • For the ITAM CoT: two PF servers, one IdP and one SP

36
4. IdP initiated SSO with ITAM
Sarah is connected to S1 without having gone through the
ITAM IdM
37
5. SP initiated SSO with ITAM
38
6. SP initiated SSO with LDAP adapter
[Diagram labels: LDAP adapter, standard adapter]
INT IdP interaction with the LDAP directory via a
pop-up window
39
Conclusion
40
Conclusion
  • What remains to be done?
    • Adapt INTest with Ping Federate (token)
    • Test multi-partner federation
    • Perform tests on security and privacy
  • Other solutions?
    • Microsoft CardSpace (.NET)
    • WS-Federation
    • Servers (Sun ONE Identity Server, IBM Tivoli,
      Microsoft ADFS)


41
Thanks for your attention. Questions?