THE THREE S' - SINGLE SIGN-ON, SPNEGO & SAML
Gabriella Davis
gabriella@turtlepartnership.com
The Turtle Partnership
WHO AM I?
Gab Davis
Administrator, Problem Solver, Stubborn Fixer of Things
Working with IBM technologies and all the things surrounding and integrating with those
Based in London, about half the time
WHAT IS THIS PRESENTATION ABOUT?
We are here to talk about concepts
Once you understand the concepts, their requirements, limitations and benefits, you can make decisions about what you need
Hopefully we will give you a good overview of a bunch of confusing acronyms
I DO NOT THINK THAT MEANS WHAT YOU THINK IT MEANS…
PASSWORD SYNCHRONISATION
You may have the same password but you're not the same person
SINGLE SIGN ON
HELLO, HAVE YOU MET MY FRIEND?
I can vouch for him completely
Is trust transferable?
ONE PASSWORD, ONE LOCATION
Authenticating against a single password in a single place
(Diagram: Sametime, Network Login, Connections and Mail all authenticating against one LDAP password)
Synchronising passwords across different systems
(Diagram: Sametime LDAP, Connections LDAP and Traveler authentication, each with its own password, kept in step by a Password Synchronisation Tool)
STEPS FOR SINGLE PASSWORD, SINGLE PLACE
For LDAP-compliant applications, ensure you use the same LDAP directory source
For Domino systems, configure Directory Assistance to point to an LDAP source
    Ensure you have an attribute in your LDAP directory that contains the user's distinguished name, so Domino is returned a valid user name
You can then empty out the HTTP Password field for all users
This will work for any Domino application: mail, Traveler, Sametime etc.
The user can be entirely remote, with no direct access to LDAP, and this will still work
SPNEGO
Simple and Protected GSSAPI Negotiation Mechanism
Known as NTLM or Kerberos in Active Directory
SPNEGO EXAMPLE FOR DOMINO
Steps:
1. User logs into Windows
2. Active Directory generates a SPNEGO token
3. User tries to access a Domino website
4. Browser sends the SPNEGO token to Domino along with the user name
5. Domino contacts Active Directory to validate the token and retrieve the user's name
DOMINO CREATES AN LTPA TOKEN FOR THE VALIDATED USER AND GRANTS ACCESS
Enable Multi Server Single Sign-On to extend access to other servers
SETTING UP SPNEGO
Create a Domino Web SSO document
Set up an SPN for the Domino server in Active Directory
    Domino must run under whatever account you set up for it
    Run domspnego
    Take the output and give it to your AD administrator to run setspn with
    Run setspn -a HTTP/<dominohostname> <accountnamerunningdomino>
Update person documents with the AD name appended to FullName (and optionally others like krbPrincipalName and LTPA User Name)
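When a SPNEGO login to Domino unexpectedly falls back to NTLM or to a password prompt, the first thing to look at is what the browser actually put in its Authorization: Negotiate header (step 4 of the example, the browser sending its token to Domino). The Python below is an added example, not part of the deck and not Domino's code: it unwraps the GSS-API/SPNEGO token, lists the mechanisms the client offered in preference order, and flags a bare NTLM message. The sample tokens are constructed inside the script with a small DER encoder; the OID-to-name table and the HTTP/<host> SPN form are standard SPNEGO and Kerberos values, and the note that NTLM-first commonly means no Kerberos ticket could be obtained for the SPN is a common cause, not the only one.

```python
import base64

# Standard OIDs seen in an "Authorization: Negotiate <token>" header.
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, payload):
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER for a dotted OID (first arc 0-2, second arc below 40)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128 digits, continuation bit on all but the last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(payload):
    """Inverse of encode_oid, applied to the OID content octets."""
    arcs = [payload[0] // 40, payload[0] % 40]
    value = 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, pos):
    """Return (tag, payload, position after the element) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def classify_negotiate_header(header_value):
    """Describe what the client sent: {"kind": ..., "mechs": [most preferred first]}."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "mechs": []}
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):      # bare NTLM message, no SPNEGO wrapper at all
        return {"kind": "raw-ntlm", "mechs": ["NTLMSSP"]}
    if not raw or raw[0] != 0x60:           # GSS-API InitialContextToken is [APPLICATION 0]
        return {"kind": "unknown", "mechs": []}
    _, inner, _ = _read_tlv(raw, 0)
    tag, oid_bytes, pos = _read_tlv(inner, 0)
    if tag != 0x06 or decode_oid(oid_bytes) != SPNEGO_OID:
        return {"kind": "unknown", "mechs": []}
    tag, neg, _ = _read_tlv(inner, pos)     # NegotiationToken CHOICE: [0] negTokenInit, [1] negTokenResp
    if tag != 0xA0:
        return {"kind": "spnego-resp", "mechs": []}
    _, init_fields, _ = _read_tlv(neg, 0)            # NegTokenInit SEQUENCE
    tag, mech_types, _ = _read_tlv(init_fields, 0)   # mechTypes [0] MechTypeList
    if tag != 0xA0:
        return {"kind": "spnego-init", "mechs": []}
    _, oid_list, _ = _read_tlv(mech_types, 0)        # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(oid_list):
        _, oid_bytes, pos = _read_tlv(oid_list, pos)
        dotted = decode_oid(oid_bytes)
        mechs.append(MECH_NAMES.get(dotted, dotted))
    return {"kind": "spnego-init", "mechs": mechs}


def kerberos_offered_first(info):
    """True when Kerberos is the client's preferred mechanism. NTLM first commonly
    means no Kerberos ticket could be obtained for the HTTP/<host> SPN."""
    return bool(info["mechs"]) and info["mechs"][0].startswith("Kerberos")


def build_sample_header(mech_oids):
    """Constructed sample (not a captured token): NegTokenInit offering mech_oids, no mechToken."""
    oid_list = b"".join(encode_oid(oid) for oid in mech_oids)
    mech_types = der_tlv(0xA0, der_tlv(0x30, oid_list))
    neg_token_init = der_tlv(0xA0, der_tlv(0x30, mech_types))
    token = der_tlv(0x60, encode_oid(SPNEGO_OID) + neg_token_init)
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def build_sample_raw_ntlm_header():
    """Constructed sample: a bare NTLM NEGOTIATE message sent under the Negotiate scheme."""
    return "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode("ascii")
```

Run it against the header value copied from a browser developer-tools capture or a server-side request log; a result of raw-ntlm, or an spnego-init whose first mechanism is NTLMSSP, tells you Kerberos never entered the picture, which is the SPN and account setup to revisit rather than the Domino Web SSO document.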
WHY NOT SPNEGO
It requires Active Directory
It requires users to log in to Active Directory
It requires Microsoft-supported browsers
It requires a Windows client for the users
It requires Domino to be on a Windows platform
    At least the first Domino server that's accessed; the rest can then be reached via the Multi Server SSO token generated by Domino
It doesn't work at all if the user is connecting remotely and not logging into Active Directory
It has a very specific use case
SAML
Security Assertion Markup Language
SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers
(Diagram: one IdP (Identity Provider) serving three SPs (Service Providers))
NO PASSWORDS…
    to compromise
    to expire
    to intercept
Once a user has authenticated with the IdP they won't be asked again
SAML EXAMPLE
Steps:
1. User attempts to log in to a website
2. User is redirected to the Identity Provider
3. Identity Provider requests authentication or (if the user is already logged in) returns credentials
4. User is redirected back to the original site with the SAML assertion attached
5. Original site uses its SAML Service Provider to confirm the SAML assertion and grant access
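Step 5 of the SAML example, the Service Provider confirming the assertion, is where most of the security lives. The Python below is an added example, not from the deck and not Domino's or ADFS's code: it shows the acceptance checks an SP applies after the XML signature has been verified (the signature check itself belongs to a SAML/XML-Signature library and is not reproduced here): the issuer is the configured IdP, the assertion is addressed to this SP, the validity window holds allowing some clock skew, the subject carries a NameID to map to a user, and the assertion ID has not been consumed before. The assertion XML, the IdP and SP identifiers, the user name and the timestamps are all constructed sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from any real IdP). The ds:Signature element is
# omitted because signature verification is assumed to have run before these checks.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-0001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>CN=Jane Doe/O=Example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://domino.example.test/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _saml_time(text):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' form used in the sample."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, sp_entity_id, now, seen_ids,
                       clock_skew=timedelta(seconds=60)):
    """SP-side acceptance checks on a signature-verified SAML 2.0 assertion.

    Returns {"ok": bool, "user": NameID or None, "problems": [...]}. On success the
    assertion ID is added to seen_ids so a replayed copy of the same assertion is refused.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return {"ok": False, "user": None, "problems": ["not a SAML 2.0 Assertion"]}

    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_issuer:
        problems.append("issuer %r is not the configured IdP" % issuer)

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        problems.append("missing Conditions element")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + clock_skew < _saml_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now - clock_skew >= _saml_time(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if sp_entity_id not in audiences:
            problems.append("assertion is not addressed to this SP (audience %r)" % audiences)

    assertion_id = root.get("ID")
    if not assertion_id:
        problems.append("assertion has no ID")
    elif assertion_id in seen_ids:
        problems.append("assertion ID already consumed (replay)")

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        problems.append("no Subject NameID to map to a user")

    if problems:
        return {"ok": False, "user": None, "problems": problems}
    seen_ids.add(assertion_id)
    return {"ok": True, "user": name_id, "problems": []}
```

The returned NameID is what the SP then maps to a local identity (for Domino, the name held in the person document); the seen_ids set stands in for whatever shared store a multi-server deployment would use, since replay protection only works if every server consults the same record.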
DEFINITIONS
IdP - Identity Provider (SSO)
    ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
        SAML 2.0 only
        Can be combined with SPNEGO
        Enhances Integrated Windows Authentication (IWA)
    TFIM (Tivoli Federated Identity Manager)
        SAML 1.1 and 2.0
DEFINITIONS
SP - Service Provider
    IBM Domino (web federated login)
    IBM WebSphere
    IBM Notes (requires ID Vault) (Notes federated login)
MORE DEFINITIONS
IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML-based assertions
Assertions have three roles:
    Authentication
    Authorisation
    Retrieving attributes
AN IDP CAN SERVICE MANY SERVICE PROVIDERS
An SP can be connected to several IdPs
An IdP can use a variety of authentication methods, including multi-factor
SETTING UP SAML
Choose your IdP if you don't already have one
    Whichever fits best in your business
Build the IdP
Configure the SP
Sounds easy, doesn't it?
It's really not easy by any means, but it is worth the investment in time
WHY NOT SAML
Not everything supports it
    Traveler doesn't
    Sametime doesn't
ID Vault is a requirement, so IDs that can't be vaulted can't be used
    Multiple passwords, smartcards etc.
OAUTH
NOT EVERYTHING BELONGS TO YOU
OAuth is an authentication standard supported by most major cloud providers
THE USER & THE CONSUMER
Let's say you want Facebook to post on your Connections Activity Stream.
We need OAuth for that.
You are the User
Facebook is the Consumer
THE SERVICE PROVIDER & ITS SECRETS
The Consumer (Facebook) wanders over to the Service Provider (IBM Connections) and asks for permission to post on the Activity Stream
The Service Provider issues a Secret to go with every URL request from the user, which authorises access
OAUTH SIMPLIFIED EXAMPLE
Steps:
1. User asks Facebook (the Consumer) to post on their Activity Stream
2. Facebook goes to Connections (the Service Provider) and asks for permission to post
3. The Service Provider gives the Consumer a secret key to give to the user, and a URL for the user to click on
4. The user clicks on the URL and authenticates with the Service Provider
5. The Service Provider, satisfied the secret key is good, will now allow the Consumer access to its services
THAT WAS REALLY SIMPLIFIED
There are other steps and other secrets to ensure traffic is not intercepted once authorisation is granted
There are checks to ensure the Service Provider is who it claims to be
    You don't want to accidentally authorise a phishing site
There are also lots of timeouts on the authorisation
Make sure you understand the security of both the Consumer and the Service Provider, as well as what access you are granting the Consumer on your behalf
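The five simplified steps, together with the caveats above about timeouts and about the secret being bound to one request, can be modelled in a few dozen lines. The Python below is an added example that is not from the deck and is not how Connections or Facebook implement OAuth, nor the OAuth wire format: it is a toy in-memory Service Provider that issues a short-lived request token and authorise URL (steps 2 and 3), records the user's approval as a verifier (step 4), and exchanges the request token exactly once for an access token bound to one consumer, one user and one scope (step 5). The consumer, user, URL and lifetime values are constructed, and the clock is injected so the timeout can be exercised without waiting.

```python
import hmac
import secrets
from datetime import datetime, timedelta, timezone


class FakeClock:
    """Adjustable clock so the timeouts can be exercised without waiting."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now


class ServiceProvider:
    """Toy model of the Service Provider role from the slides (Connections in the
    deck's example). It shows token bindings and timeouts, not a real OAuth server."""

    def __init__(self, clock, request_token_ttl=timedelta(minutes=10)):
        self.clock = clock                 # callable returning the current time
        self.ttl = request_token_ttl       # how long a not-yet-used request token lives
        self.consumers = {}                # consumer_key -> consumer_secret, registered out of band
        self.request_tokens = {}           # request token -> pending authorisation record
        self.access_tokens = {}            # access token -> granted consumer/user/scope

    def register_consumer(self):
        """Out-of-band registration: the consumer receives a key and a secret."""
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret

    def issue_request_token(self, consumer_key, consumer_secret, scope):
        """Step 2: the consumer asks for permission; the SP answers with a short-lived
        request token and the URL the user must visit (step 3)."""
        if not hmac.compare_digest(self.consumers.get(consumer_key, ""), consumer_secret):
            raise PermissionError("unknown consumer")
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "scope": set(scope),
                                      "issued": self.clock(), "user": None, "verifier": None}
        return token, "https://connections.example.test/oauth/authorize?oauth_token=" + token

    def authorize(self, token, user):
        """Step 4: the user authenticates at the SP and approves; the SP returns a
        verifier that only a user who completed that step could have obtained."""
        record = self.request_tokens.get(token)
        if record is None or self.clock() - record["issued"] > self.ttl:
            raise PermissionError("request token unknown or expired")
        record["user"], record["verifier"] = user, secrets.token_hex(4)
        return record["verifier"]

    def exchange(self, consumer_key, token, verifier):
        """Step 5: the consumer trades the approved request token for an access token.
        The request token is single-use and must belong to the consumer presenting it."""
        record = self.request_tokens.pop(token, None)
        if record is None or record["consumer"] != consumer_key:
            raise PermissionError("request token unknown or not issued to this consumer")
        if record["verifier"] is None or not hmac.compare_digest(record["verifier"], verifier):
            raise PermissionError("user has not approved this request")
        if self.clock() - record["issued"] > self.ttl:
            raise PermissionError("request token expired before it was exchanged")
        access_token = secrets.token_hex(8)
        self.access_tokens[access_token] = {"consumer": consumer_key,
                                            "user": record["user"], "scope": record["scope"]}
        return access_token

    def allowed(self, access_token, consumer_key, action):
        """Resource check: the grant is bound to one consumer, one user and one scope."""
        grant = self.access_tokens.get(access_token)
        return grant is not None and grant["consumer"] == consumer_key and action in grant["scope"]


def run_happy_path(clock):
    """Walk the five slide steps end to end; returns (sp, consumer_key, access_token)."""
    sp = ServiceProvider(clock)
    consumer_key, consumer_secret = sp.register_consumer()          # "Facebook" registers
    token, url = sp.issue_request_token(consumer_key, consumer_secret, {"post:activity-stream"})
    verifier = sp.authorize(token, "jane.doe@example.test")        # user follows url and approves
    access_token = sp.exchange(consumer_key, token, verifier)
    return sp, consumer_key, access_token


if __name__ == "__main__":
    sp, key, access = run_happy_path(FakeClock(datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)))
    print("post allowed:", sp.allowed(access, key, "post:activity-stream"))
```

Three of the deck's caveats are visible in the checks: the request token expires (the timeouts), the exchange fails for a consumer other than the one it was issued to or without the user's verifier (the secret goes with that specific URL request), and the final grant is limited to the scope the user approved (what access you are granting the Consumer on your behalf).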
IN SUMMARY
Think about what your problem actually is: there are plenty of technologies to make the user experience seamless, but they become ever more complex to build and maintain
What are your priorities? Single password? No password? No authentication with a particular service?
Many solutions require specific operating systems, software and client versions
Make sure you meet all requirements before building a plan you can't deliver on
Some things are very easy (single password, SPNEGO)
Some things are very hard (SAML, OAuth)
There is no one solution; you need to choose the combination that delivers for you
HOW TO FIND ME
Twitter, blogs, Instagram, Facebook and more
gabriella@turtlepartnership.com
GabriellaDavis (Skype)
http://turtleblog.info
gabturtle on Twitter and elsewhere

ISBG The 3 S's a guide to single sign on
