Stronger Authentication with Biometric SSO
using OpenSSO Enterprise and BiObex™




Ramesh Nagappan
Sun Microsystems,
Burlington, MA
ramesh.nagappan@sun.com

http://www.coresecuritypatterns.com/blogs
Setting Expectations
What you can take away!

          OpenSSO Enterprise and BiObex - architectural overview
          Pre-requisites for enabling biometric SSO authentication
          Configuration of the BiObex AMLoginModule in an OpenSSO environment
          Deployment and testing of biometrics-enabled SSO
          Multi-factor/biometric authentication based SSO - moving forward and next steps
OpenSSO Enterprise
• Identity services infrastructure that provides Single Sign-On (SSO)
  for Web applications residing within an enterprise or across
  networks.
• Open-standards-based framework supporting centralized
  authentication, authorization and auditing.
  >   JAAS-based authentication services
  >   Agent-based and XACML-based policy enforcement
  >   User session management
  >   Identity-enabled XML Web services for AuthN, AuthZ, audit and provisioning
  >   Identity federation protocol support (SAMLv2, ID-*, WS-Federation, WS-Policy)
  >   XML Web services security (WS-Security, WS-Trust, WS-I Basic Security Profile)
  >   Multi-factor authentication via authentication chaining
  >   Centralized configuration, logging and auditing services
  >   Supports multiple Java EE application servers and Web containers
• Deployed as a Web application (single WAR file)
OpenSSO Enterprise
Architecture and Services




OpenSSO Enterprise
Deployment (SSO, Federation and Web Services Security)




BiObex™
Interoperable Biometric Middleware
• Biometric assurance infrastructure that provides user enrollment
  and physical/logical access control using biometric credentials.
   > Fingerprints, iris, facial geometry and hand geometry
   > Biometric enrollment and device management
   > Biometrics-based logical access control enables Web Single Sign-On and desktop
     authentication (Windows, Solaris/Linux and Sun Rays).
   > Biometrics-based physical access control restricts personnel access to doors,
     buildings, locations and restricted areas.
   > Standards supported include CBEFF, BioAPI, MINEX/INCITS-378 and FIPS-201.

• Integrates with Sun OpenSSO to address Web SSO and
  federation scenarios.
   > Enables stronger/multi-factor authentication by chaining biometric authentication with
     other credentials such as smartcards/tokens, PKI/digital certificates and passwords.
• Integrates with Sun Identity Manager for provisioning and
  de-provisioning of biometric credentials for credential issuance and
  authentication.
Biometric SSO - Logical Architecture
Architecture and its core building blocks




Tools of the Trade
OpenSSO/BiObex Integration Pre-Requisites




• OpenSSO Enterprise 8.x
   > Deployed on GlassFish Enterprise v2.x
   > Configured with an NSS keystore (FIPS mode) or JKS (non-FIPS mode).
• BiObex 2.8.x Authentication and Enrollment Middleware
   > OpenSSO BiObex LoginModule artifacts (shipped with BiObex 2.8 and above).
   > BiObex enrollment client for user enrollment.
• SecuGen Hamster Plus/IV (preferred) or CrossMatch Verifier-E fingerprint
  scanners.
• Solaris 10 (preferred) or Solaris Trusted Extensions, Sun Ray, RHEL/SUSE
  Linux and Microsoft Windows environments.
Configuration/Deployment Steps

   Install GlassFish V2 w/ OpenSSO Enterprise
     -> Unpack BiObex AMLoginModule
     -> Create BiObex AMLoginModule Service Schema
     -> Configure BiObex AMLoginModule Attributes
     -> Configure BiObex/OpenSSO Trust Comm. (FIPS)

     1.      Install OpenSSO Enterprise 8.x on GlassFish Enterprise v2.x.
                     Ensure that an NSS keystore is available to support FIPS-mode communication.
                     Ensure OpenSSO has network access to the BiObex authentication server (up and running).

     2.      Unpack the BiObex LoginModule bundle and deploy the LoginModule
             artifacts to OpenSSO.
     3.      Install the BiObex AMLoginModule service schema in OpenSSO.
     4.      Configure the BiObex AMLoginModule global attributes.
     5.      Configure the BiObex/OpenSSO truststore to support SSL with
             FIPS-mode communication.
BiObex AMLoginModule Installation

1.   Unpack the BiObex module archive:

     jar -xf BiobexAMLoginModuleWebDevices-unix-glassfish.zip
     cd biobex-am-loginmodule

2.   Use GlassFish's bundled ant to deploy the module into OpenSSO. Run it
     from the unpacked directory so that ant picks up the bundle's build file:

     /opt/SUNWappserver/lib/ant/bin/ant
Configure BiObex/OpenSSO Service Schema
Create a new OpenSSO BiObexLoginModule service
3. Create the BiObexLoginModule service schema via the
   ssoadm.jsp console.
      http://<glassfish>/opensso/ssoadm.jsp
      Click 'create-svc'.
      Copy the contents of 'BiObexService.xml'.
      Paste into the 'create-svc' entry box and submit.

   Note: ssoadm.jsp exposes the ssoadm administrative commands over HTTP.
   Keep it restricted to administrators and disable it once configuration is complete.
Configure BiObex AMLoginModule
Configure the BiometricLoginModule in OpenSSO
4. Register the BiometricLoginModule among OpenSSO's
   pluggable authentication classes.
          Log in to the OpenSSO admin console as 'amadmin'.
          Go to 'Configuration' and click 'Core'.
          Under pluggable authentication module classes, add
           com.biobex.jaas.BiometricLoginModule
Configure BiObex Global Attributes
5. Specify the BiObex global attributes.
         Go to 'Authentication' and click 'Biobex Login' to configure the
          global attributes.
         Enable SSL/TLS communication to BiObex by choosing NSS
          (FIPS) or Java SE (non-FIPS). The choice must match the keystore
          type the GlassFish domain was configured with, since the CA
          certificate is imported into that store in the next step.
Configure BiObex/GlassFish SSL Truststore
SSL communication between BiObex and OpenSSO

 6. BiObex uses GlassFish's SSL implementation to establish trusted
    communication with the BiObex Authentication Server, so the CA that
    issued the server's certificate must be present in the domain's truststore.
    Verify the CA certificate's fingerprint out of band before importing it:
    whatever is imported here is trusted for every server certificate it issues.
          For NSS (FIPS mode), use the NSS certutil tool to import the CA
           certificate for the BiObex Authentication Server.
           The trust flag 'C,,' (the explicit form of the deck's '-t C') marks the
           CA as trusted to issue SSL server certificates only, NOT client
           certificates, and grants no e-mail or object-signing trust.

         cd /opt/SUNWappserver/domains/domain1/config
         certutil -A -d . -t "C,," \
           -i ~bioauth/biobex2/certs/bootstrapCA.cer \
           -n biobex-authserver

          Afterwards, list the certificate database and confirm that the
           'biobex-authserver' nickname appears with trust flags 'C,,'.

      For a Java keystore, use keytool to import the CA certificate. Give the
       entry an explicit alias; keytool otherwise stores it under 'mykey',
       which fails if that alias is already taken.

         keytool -import -alias biobex-authserver \
           -keystore cacerts.jks \
           -file ~bioauth/biobex2/certs/bootstrapCA.cer

      Restart the GlassFish domain so the updated truststore is loaded.
Configure Biometric Authentication
Setting up a fingerprint authentication module instance.
• Configure the BiObex Login Module instance
     Go to 'Authentication', select 'Module Instances' and click 'New'.
     Add a module instance named 'Fingerprint' and choose 'BiObex Login'.
     The new module named 'Fingerprint' will show up in the module instance list.
Configure BiObex Login Realm Attributes
• Specify the realm attributes of the BiObex AuthN server.
    Enter the BiObex Authentication Server hostname and port (e.g. 10443).
    Set 'Terminal Discovery Method' to 'Specify a fixed terminal'.
    Set 'User Discovery Method' to 'SSO, JAAS Shared State' and then 'Save'.

   Important: the 'User Discovery Method' option enables 'username'
   discovery through various methods (an existing SSO session, or the JAAS
   shared state populated by an earlier module in the chain) and is what
   makes the multi-factor authentication and session-upgrade scenarios work.
Verifying and Testing Biometric AuthN
Quick sanity check

 1. Install and verify the fingerprint scanner drivers and test the
    scanner by capturing sample fingerprints.
           Make sure the USB- or Ethernet-based scanner is connected and
            working properly.

 2. Make sure the user has already enrolled his/her fingerprints in
    BiObex.
         Verify that the user account exists in both BiObex and
          OpenSSO (the same username must resolve on both sides).

 3. Now you are ready to test biometric authentication:
         Go to: http://<GlassFish>/opensso/UI/Login?module=Fingerprint
Testing the Biometric Login

 The OpenSSO login page prompts for a randomly selected finger from the set
 the user enrolled in BiObex.
Multi-factor AuthN and Session Upgrade
OpenSSO authentication chains and session upgrade through AuthN

 • OpenSSO provides stronger/multi-factor authentication through an
   authentication chain that includes multiple authentication providers.
   > A user must pass credentials to one or more authentication modules before
     a session is issued.
   > Each module instance in the chain carries a control flag (Required, Requisite,
     Sufficient or Optional); the overall success or failure of the chain is
     determined from the control flags and the outcome of each module in the stack.
   > OpenSSO is tested and verified to provide multi-factor authentication chains that
     include BiObex Login, Smartcard/PKI and other OpenSSO-supported authentication providers.
 • Session upgrade raises an existing valid session after a successful
   "second-factor authentication" performed by the same user.
   > Lets an already authenticated user authenticate again to reach a second resource
     in the same or a different realm.
   > If the second authentication succeeds, OpenSSO updates the session to reflect it.
     If it fails, the current session is kept as it was.
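A worked model of the control-flag semantics described above, added here as an example; it is not OpenSSO or BiObex code. Module outcomes are constructed booleans, and the flags assigned to the deck's "PasswordFinger" chain are an assumption (the deck does not show them). The model follows the JAAS rules that OpenSSO chains use: a failed Required module lets the chain run to the end but fails it, a failed Requisite stops the chain at once, a successful Sufficient module ends the chain early only if nothing mandatory has failed before it, and Optional outcomes count only when the chain has no Required/Requisite modules.

```python
"""Model of OpenSSO/JAAS authentication-chain control flags (added example)."""
from enum import Enum
from typing import Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "REQUIRED"      # must succeed; on failure the rest of the chain still runs
    REQUISITE = "REQUISITE"    # must succeed; on failure the chain stops immediately
    SUFFICIENT = "SUFFICIENT"  # success ends the chain early unless a mandatory module already failed
    OPTIONAL = "OPTIONAL"      # outcome only matters when no Required/Requisite module exists


Chain = List[Tuple[str, Flag]]


def evaluate_chain(chain: Chain, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (overall_success, modules_invoked_in_order) for one login attempt.

    `outcomes` maps a module instance name to whether that module would
    succeed for this attempt (constructed input; nothing contacts LDAP or BiObex).
    """
    invoked: List[str] = []
    required_failed = False
    any_success = False
    has_mandatory = any(f in (Flag.REQUIRED, Flag.REQUISITE) for _, f in chain)

    for name, flag in chain:
        invoked.append(name)
        ok = outcomes[name]
        any_success = any_success or ok
        if ok:
            # A Sufficient success short-circuits only while nothing mandatory has failed.
            if flag is Flag.SUFFICIENT and not required_failed:
                return True, invoked
            continue
        if flag is Flag.REQUISITE:
            return False, invoked          # stop right here
        if flag is Flag.REQUIRED:
            required_failed = True         # remember the failure, keep running the chain
        # Sufficient/Optional failures do not decide anything on their own.

    if has_mandatory:
        return (not required_failed), invoked
    return any_success, invoked            # chain made only of Sufficient/Optional modules


# Assumed flags for the deck's "PasswordFinger" chain: LDAP password, then the
# "Fingerprint" BiObex module instance, both Required. Because both are Required,
# a wrong password still leads to the fingerprint prompt, so the login flow does
# not reveal which factor failed.
PASSWORD_FINGER: Chain = [("ldapService", Flag.REQUIRED), ("Fingerprint", Flag.REQUIRED)]

# Variant: a matching fingerprint alone is enough; the password is consulted
# only when the biometric match fails.
FINGER_OR_PASSWORD: Chain = [("Fingerprint", Flag.SUFFICIENT), ("ldapService", Flag.REQUIRED)]

# Variant: a Requisite password stops the chain before BiObex is ever contacted.
PASSWORD_THEN_FINGER: Chain = [("ldapService", Flag.REQUISITE), ("Fingerprint", Flag.REQUIRED)]


if __name__ == "__main__":
    for chain in (PASSWORD_FINGER, FINGER_OR_PASSWORD, PASSWORD_THEN_FINGER):
        for pw, fp in ((True, True), (False, True), (True, False), (False, False)):
            ok, ran = evaluate_chain(chain, {"ldapService": pw, "Fingerprint": fp})
            names = [n for n, _ in chain]
            print(f"{names}: password={pw} fingerprint={fp} -> {ok}, invoked {ran}")
```

The third chain is the one to compare against PasswordFinger when deciding flags: Requisite saves a round trip to the BiObex server on a bad password, at the cost of telling the caller that the first factor was the one that failed.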
Configuring Authentication Chain
Go to 'Authentication' and select 'Authentication Chaining'.
Testing Multi-factor/Biometric SSO
1. Go to 'Authentication' and configure 'PasswordFinger' as the
   default authentication chain.
         Make sure 'ldapService' remains the administrator authentication chain,
          so that administrators are not locked out if the biometric path fails.
       Go to: http://<GlassFish>/opensso
Role of OpenSSO Policy Agents
Authorization and policy enforcement
• Policies are managed by the policy
  configuration service in OpenSSO.
   > The policy service authorizes a user based on the
     policies stored in OpenSSO.
   > Policies consist of rules, subjects,
     conditions and response providers.
• OpenSSO policy agents enforce
  policies and policy decisions on
  protected resources.
   > An agent intercepts requests from clients/applications
     and redirects them to OpenSSO for
     authentication if no valid session token is
     present.
   > Once the user is authenticated, the policy agent
     asks the OpenSSO policy service
     to grant or deny access based on
     policy evaluation.
Attribute Retrieval for Application Use
• User profile attributes
  > The J2EE agent can retrieve LDAP profile attributes and expose them as HTTP
     headers, cookies or request attributes.
       > com.sun.identity.agents.config.profile.attribute.fetch.mode (possible values: HTTP_HEADER,
       HTTP_COOKIE, REQUEST_ATTRIBUTE, NONE)
       > Attribute-to-name mapping is done with com.sun.identity.agents.config.profile.attribute.map

• Response attributes
  > The J2EE agent can retrieve policy response attributes and expose them the same way.
       > com.sun.identity.agents.config.response.attribute.fetch.mode (possible values: HTTP_HEADER,
       HTTP_COOKIE, REQUEST_ATTRIBUTE, NONE)
       > Attribute-to-name mapping is done with com.sun.identity.agents.config.response.attribute.map

• Session attributes
  > The J2EE agent can retrieve session properties and expose them the same way.
       > com.sun.identity.agents.config.session.attribute.fetch.mode (possible values: HTTP_HEADER,
       HTTP_COOKIE, REQUEST_ATTRIBUTE, NONE)
       > Attribute-to-name mapping is done with com.sun.identity.agents.config.session.attribute.map

• Privileged attributes
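The deck lists the fetch-mode and map properties but says nothing about a request that already carries a header with one of the mapped names. The following added example (not agent or OpenSSO code) parses a constructed agent-properties fragment that uses the property names above and shows the check the application, or whatever sits between the agent and the application, should enforce: drop every inbound header the agent is configured to populate before setting the agent's own values, so that a value such as the session's authentication level can only originate from OpenSSO. The `[attribute]=HeaderName` map syntax and the sample attribute values are assumptions made for the example.

```python
"""Agent attribute-to-header mapping and inbound header sanitising (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed agent-properties fragment. Property names are those listed on the
# slide; the bracketed map syntax and the header names are assumed.
AGENT_PROPERTIES = """
com.sun.identity.agents.config.profile.attribute.fetch.mode=HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.map[cn]=CUSTOM-Common-Name
com.sun.identity.agents.config.profile.attribute.map[mail]=CUSTOM-Mail
com.sun.identity.agents.config.session.attribute.fetch.mode=HTTP_HEADER
com.sun.identity.agents.config.session.attribute.map[AuthLevel]=CUSTOM-Auth-Level
com.sun.identity.agents.config.response.attribute.fetch.mode=NONE
com.sun.identity.agents.config.response.attribute.map[role]=CUSTOM-Role
"""

_PREFIX = r"^com\.sun\.identity\.agents\.config\.(profile|session|response)\.attribute\."
_MODE_RE = re.compile(_PREFIX + r"fetch\.mode=(\w+)$")
_MAP_RE = re.compile(_PREFIX + r"map\[([^\]]+)\]=(.+)$")

Mapping = Dict[str, Dict[str, str]]          # kind -> {attribute: header name}


def parse_agent_mapping(text: str) -> Mapping:
    """Return the attribute->header maps for every kind whose fetch mode is HTTP_HEADER."""
    modes: Dict[str, str] = {}
    maps: Mapping = {"profile": {}, "session": {}, "response": {}}
    for raw in text.splitlines():
        line = raw.strip()
        mode = _MODE_RE.match(line)
        if mode:
            modes[mode.group(1)] = mode.group(2)
            continue
        entry = _MAP_RE.match(line)
        if entry:
            maps[entry.group(1)][entry.group(2).strip()] = entry.group(3).strip()
    # Kinds set to HTTP_COOKIE, REQUEST_ATTRIBUTE or NONE never produce headers.
    return {kind: m for kind, m in maps.items() if modes.get(kind) == "HTTP_HEADER"}


def inject_headers(mapping: Mapping,
                   attributes: Dict[str, Dict[str, str]],
                   incoming: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Build the header set the application should see.

    Any client-supplied header whose name (case-insensitively) matches a header
    the agent is configured to populate is discarded before the agent's values
    are set. Returns (headers, names_of_discarded_spoof_attempts).
    """
    managed = {h.lower() for m in mapping.values() for h in m.values()}
    headers: Dict[str, str] = {}
    spoofed: List[str] = []
    for name, value in incoming.items():
        if name.lower() in managed:
            spoofed.append(name)       # never let the browser pre-set an identity header
            continue
        headers[name] = value
    for kind, m in mapping.items():
        for attr, header in m.items():
            if attr in attributes.get(kind, {}):
                headers[header] = attributes[kind][attr]
    return headers, spoofed


# Constructed sample data: what OpenSSO would hand the agent for one user, and
# a request in which the client tries to pre-set the authentication level.
SAMPLE_ATTRIBUTES = {
    "profile": {"cn": "Alice Example", "mail": "alice@example.com"},
    "session": {"AuthLevel": "10"},
    "response": {"role": "admin"},   # ignored: response fetch mode is NONE
}
SAMPLE_REQUEST_HEADERS = {
    "Host": "app.example.com",
    "User-Agent": "curl/8.0",
    "custom-auth-level": "100",      # spoof attempt
}


if __name__ == "__main__":
    mapping = parse_agent_mapping(AGENT_PROPERTIES)
    final_headers, dropped = inject_headers(mapping, SAMPLE_ATTRIBUTES, SAMPLE_REQUEST_HEADERS)
    print("headers seen by the application:", final_headers)
    print("dropped client-supplied headers:", dropped)
```

The same rule applies to HTTP_COOKIE mode: a cookie the agent sets is only trustworthy if a cookie of that name arriving from the client is discarded first. REQUEST_ATTRIBUTE mode avoids the problem because servlet request attributes are not settable by the client at all.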
OpenSSO / BiObex Troubleshooting
• Enable message-level debugging in OpenSSO
  > Go to the administration page and select the 'Configuration' tab.
      > Select your OpenSSO server; in the Debug section, set Debug Level to 'Message'.
      > Restart your Web container.
      > Message level is verbose and can write sensitive request detail to disk;
      revert it once the problem is found.

• View the BiObex AMLoginModule logs
  > Go to ~/opensso/debug/ and view the following files:
      > 'Biobex': traces the login module while it runs.
      > 'BiobexSSL': OpenSSO-to-BiObex server communication messages and SSL-related
      configuration errors.
      > 'amAuth': messages about the LoginModule instance and configuration issues with
      the BiObex AMLoginModule.

• Check the BiObex Authentication Server logs for issues related to user
  authentication failure.
• Make sure the user has an account in OpenSSO and has also enrolled
  his/her fingerprints with the BiObex Enrollment Server.
Environment Requirements
Supported/verified BiObex environment

  Component                    | Software Products (Provided)      | Supported Environment
  -----------------------------|-----------------------------------|--------------------------------
  Application Server           |                                   | GlassFish V2
                               |                                   | Sun Application Server 7.1
  Authentication and           | OpenSSO/BiObex AMLoginModule      | OpenSSO Enterprise
  Authorization Server         |                                   | Sun Access Manager 7.1
  Database Server              |                                   | Oracle 10g
                               |                                   | DB2
                               |                                   | PostgreSQL 7.3+
                               |                                   | MySQL 5.x
  User Enrollment              | BiObex Enrollment Client          | JRE 1.5.12+
  Workstation                  | SecuGen Hamster Plus/IV Sensors   | Windows XP/2003/Vista
                               |                                   | RHEL/SUSE Linux
                               |                                   | Solaris / Sun Ray / Solaris TX
  Client Workstation           | BiObex 2.8 Client                 | Windows XP/2003
  (Microsoft Windows /         | BioGINA                           | RHEL/SUSE Linux
  Sun Ray)                     | SecuGen Hamster Plus/IV Sensors   | Solaris / Sun Ray / Solaris TX
  BiObex Server                | BiObex Authentication Server      | JRE 1.5.12+
                               | BiObex Enrollment Server          | Windows XP/2003
                               |                                   | RHEL/SUSE Linux
                               |                                   | Solaris / Sun Ray / Solaris TX
Real-world Deployment
Biometrics and Smartcard/PKI based Logical Access Control

 * User desktops/browsers configured to use biometric scanners and smartcard readers.
SaaS/Cloud Deployment
Deploying Biometric Assurance as "SaaS" over the Web
Acquiring BiObex Software
Contact/Support information

                 Advanced Biometric Controls, LLC
                 11501 Sunset Hills Rd., Suite 200
                 Reston, Virginia 20190-4731
                 Toll-free: 1-877-4 BIOBEX (877-424-6239)
                 Main: 571-313-0969
                 Fax: 571-313-0962

                 Internet: www.biobex.com
                 E-mail: support@biobex.com
Q&A


Ramesh Nagappan
Sun Microsystems,
Burlington, MA
ramesh.nagappan@sun.com

http://www.coresecuritypatterns.com/blogs

More Related Content

PDF
Getting Started with FIDO2
PDF
Mini-Training: SSO with Windows Identity Foundation
PDF
“Secure Portal” or WebSphere Portal – Security with Everything
PPTX
Microservices security - jpmc tech fest 2018
PPTX
Securing online services by combining smart cards and web-based applications
PDF
SAML and Other Types of Federation for Your Enterprise
PDF
Enterprise Single Sign-On - SSO
PDF
Single sign on using SAML
Getting Started with FIDO2
Mini-Training: SSO with Windows Identity Foundation
“Secure Portal” or WebSphere Portal – Security with Everything
Microservices security - jpmc tech fest 2018
Securing online services by combining smart cards and web-based applications
SAML and Other Types of Federation for Your Enterprise
Enterprise Single Sign-On - SSO
Single sign on using SAML

More from Ramesh Nagappan (15)

PDF
Post Quantum Cryptography: Technical Overview
PDF
Biometric Authentication for J2EE applications - JavaONE 2005
PDF
Interoperable Provisioning in a distributed world
PDF
Secure Multitenancy on Oracle SuperCluster
PDF
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
PDF
High Performance Security and Virtualization for Oracle Database and Cloud-En...
PDF
High Performance Security With SPARC T4 Hardware Assisted Cryptography
PDF
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
PDF
ICAM - Demo Architecture review
PDF
Government Citizen ID using Java Card Platform
PDF
PIV Card based Identity Assurance in Sun Ray and IDM environment
PDF
Java Platform Security Architecture
PDF
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
PDF
Stronger/Multi-factor Authentication for Enterprise Applications
PDF
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
Post Quantum Cryptography: Technical Overview
Biometric Authentication for J2EE applications - JavaONE 2005
Interoperable Provisioning in a distributed world
Secure Multitenancy on Oracle SuperCluster
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security With SPARC T4 Hardware Assisted Cryptography
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
ICAM - Demo Architecture review
Government Citizen ID using Java Card Platform
PIV Card based Identity Assurance in Sun Ray and IDM environment
Java Platform Security Architecture
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
Stronger/Multi-factor Authentication for Enterprise Applications
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
Ad

Recently uploaded (20)

PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
PDF
Unlocking AI with Model Context Protocol (MCP)
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PPT
Teaching material agriculture food technology
DOCX
The AUB Centre for AI in Media Proposal.docx
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
Big Data Technologies - Introduction.pptx
PDF
cuic standard and advanced reporting.pdf
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
Machine learning based COVID-19 study performance prediction
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
MIND Revenue Release Quarter 2 2025 Press Release
PDF
Encapsulation theory and applications.pdf
PPTX
Cloud computing and distributed systems.
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Advanced methodologies resolving dimensionality complications for autism neur...
Chapter 3 Spatial Domain Image Processing.pdf
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
Unlocking AI with Model Context Protocol (MCP)
20250228 LYD VKU AI Blended-Learning.pptx
Teaching material agriculture food technology
The AUB Centre for AI in Media Proposal.docx
The Rise and Fall of 3GPP – Time for a Sabbatical?
Encapsulation_ Review paper, used for researhc scholars
Big Data Technologies - Introduction.pptx
cuic standard and advanced reporting.pdf
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
Machine learning based COVID-19 study performance prediction
Digital-Transformation-Roadmap-for-Companies.pptx
MIND Revenue Release Quarter 2 2025 Press Release
Encapsulation theory and applications.pdf
Cloud computing and distributed systems.
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Ad

Stronger Authentication with Biometric SSO

  • 1. Stronger Authentication with Biometric SSO using OpenSSO Enterprise and BiObexTM Ramesh Nagappan Sun Microsystems, Burlington, MA ramesh.nagappan@sun.com http://www.coresecuritypatterns.com/blogs
  • 2. Setting Expectations What you can take away !  OpenSSO Enterprise and BiObex - Architectural Overview  Pre-requisites for enabling Biometric SSO authentication.  Configuration of BiObex AMLoginModule in OpenSSO environment.  Deployment and Testing of Biometrics enabled SSO.  Multi-factor/Biometric authentication based SSO - Moving forward and next steps ! 2
  • 3. OpenSSO Enterprise • Identity Services Infrastructure facilitates Single Sign-On (SSO) for Web applications residing within an enterprise or across networks. • Open standards based framework supports centralized authentication, authorization and auditing. > JAAS based authentication services > Agent-based and XACML based policy enforcement > User session management > Identity-enabled XML Web services for AuthN, AuthX, Audit and Provisioning > Identity Federation Protocols support include SAMLv2, ID-*, WS-Federation,WS-Policy) > XML Web Services Security (WS-Security, WS-Trust, WS-I Basic Security Profile) > Multi-factor authentication via chaining > Centralized configuration, logging and auditing services > Supports multiple Java EE application servers and Web containers • Deployed as a Web application (single WAR file) 3
  • 5. OpenSSO Enterprise Deployment (SSO, Federation and Web Services Security) 5
  • 6. BiObexTM Interoperable Biometric Middleware • Biometric Assurance Infrastructure facilitates User enrollment and Physical/Logical access control using Biometric credentials. > Fingerprints, Iris, Facial geometry and Hand geometry > Biometric enrollment and device management. > Biometrics based Logical access control enables Web Single Sign-On and Desktop authentication (Windows, Solaris/Linux and Sun Rays). > Biometrics based Physical access control restricts personnel access to doors, buildings, locations and restricted areas. > Standards support include CBEFF, BioAPI, MINEX/INCITS-378 and FIPS-201. • Integrates with Sun OpenSSO for addressing Web SSO and Federation scenarios. > Enables stronger/multi-factor authentication by chaining of Biometric authentication with other credentials such as Smartcard/Tokens, PKI/Digital certificate and Password. • Integrates with Sun Identity Manager for provisioning and de- provisioning of Biometric credentials for Credential issuance and authentication. 6
  • 7. Biometric SSO - Logical Architecture Architecture and its core building blocks 7
  • 8. Tools of the Trade OpenSSO/BiObex Integration Pre-Requisites • OpenSSO Enterprise 8.x > Deployed on Glassfish Enterprise V2.x > Configured with NSS Keystore (FIPS mode) or JKS (Non-FIPS mode). • BiObex 2.8.x Authentication and Enrollment Middleware > OpenSSO BiObex LoginModule artifacts (Available as part of BiObex 2.8 and above). > BiObex enrollment client for user enrollment. • SecuGen Hamster Plus/IV (preferred) or CrossMatch Verifier-E Fingerprint scanners. • Solaris 10 (preferred) or Solaris Trusted Extensions, Sun Ray, RHEL/SUSE Linux and Microsoft Windows environments. 8
  • 9. Configuration/Deployment Steps Install Unpack Create Configure BiObex Configure Glassfish V2 w. BiObex BiObex BiObex/OpenSSO OpenSSO Enterprise AMLoginModule AMLoginModule AMLoginModule Attributes Trust Comm. (FIPS) Service Schema 1. Install OpenSSO v8.x Enterprise on Glassfish v2.x Enterprise.  Ensure that NSS Keystore is available to support FIPS-mode communication.  Ensure OpenSSO access to BiObex authentication server (up and running). 2. Unpack BiObex-LoginModule bundle and deploy the LoginModule artifacts to OpenSSO. 3. Install the BiObex AMLoginModule Service Schema in OpenSSO. 4. Configure the BiObex AMLoginModule Global attributes. 5. Configure the BiObex/OpenSSO truststore to support SSL with FIPS-mode communication. 9
  • 10. BiObex AMLoginModule Installation 1. Unpack the BiObex module archive: jar –xf BiobexAMLoginModuleWebDevices- unix-glassfish.zip cd biobex-am-loginmodule 2. Use GlassFish’s ant tool to deploy into OpenSSO: /opt/SUNWappserver/lib/ant/bin/ant 10
  • 11. Configure BiObex/OpenSSO Service Schema Create a new OpenSSO BiObexLoginModule service 3. Configure the BiObexLoginModule service schema via SSOadm console.  http://<glassfish>/opensso/ssoadm.jsp  Click ‘create-svc’.  Copy ‘BiObexService.xml’  Paste to ‘create-svc’ entry box. 11
  • 12. Configure BiObex AMLoginModule Configure the BiometricLoginModule in OpenSSO 4. Configure the BiometricLoginModule in OpenSSO pluggable authentication classes.  Login to OpenSSO admin console as ‘amadmin’  Goto ‘Configuration’ and click on ‘Core’.  In pluggable authentication, add com.biobex.jaas.BiometricLoginModule 12
  • 13. Configure BiObex Global Attributes 5. Specify the BiObex Global attributes.  Goto ‘Authentication’ and click “Biobex Login” to configure global attributes. 13
  • 14. Configure BiObex Global Attributes 5. Specify the BiObex Global Attributes  Enable SSL/TLS communication to BiObex by choosing NSS (FIPS) or Java SE (Non-FIPS). 14
  • 15. Configure BiObex/Glassfish SSL Truststore SSL communication between BiObex and OpenSSO 6. BiObex requires the Glassfish’s SSL implementation to enable trusted communication with the BiObex Authentication Server.  In case of NSS (FIPS-Mode), use the NSS certutil tool to import the CA certificate for the BiObex Authentication Server. 1. Note the “-t C” option restricts trust in the Biobex CA to issuing SSL certificates, NOT client certificates. cd /opt/SUNWappserver/domains/domain1/config certutil -A -d . -t C -i ~bioauth/biobex2/certs/bootstrapCA.cer -n biobex-authserver  In case of Java Key Store, use the Java Keytool to import the CA certificate. keytool -import -keystore cacerts.jks –file ~bioauth/biobex2/certs/bootstrapCA.cer 15
  • 16. Configure Biometric Authentication Setting up a Fingerprint authentication module instance. • Configure the BiObex Login Module Instance  Goto ‘Authentication’, select ‘Module instances’ and click “New”.  Add a module instance named ‘Fingerprint’ and choose “BiObex Login”.  The new module named “Fingerprint” will showup in Module instance list. 16
  • 17. Configure BiObex Login Realm Attributes • Specify the realm attributes of BiObex AuthN server.  Enter the BiObex Authentication server hostname and port (ex. 10443)  Set “Terminal Discovery Method” to “Specify a fixed terminal”.  Set “User Discovery Method” to “SSO, JAAS Shared State” and then “Save”. Important: Circled option enables ‘username’ discovery through various methods and facilitates multi-factor authentication and/or session-upgrade scenarios. 17
  • 18. Verifying and Testing Biometric AuthN Quick sanity check 1. Install and verify the Fingerprint scanner drivers and test the scanner by capturing sample fingerprints.  Make sure the USB or Ethernet based scanner is connected and working properly. 2. Make sure the user has already enrolled his/her fingerprints in BioBex.  Verify the user account exist in both BiObex and OpenSSO. 3. Now you are ready to test Biometric authentication…  Goto: http://<GlassFish>/opensso/UI/Login?module=Fingerprint 18
  • 19. Testing the Biometric Login… OpenSSO login will prompt for random fingerprints as enrolled in BiObex 19
  • 20. Multi-factor AuthN and Session Upgrade OpenSSO Authentication Chain and Session upgrade thru’ AuthN • OpenSSO facilitates stronger/ multi-factor authentication through authentication chain including multiple authentication providers. > Enables an authentication process where an user must pass credentials to one or more authentication modules before session validation. > Session validation is determined based on the control flag (Required, Requisite, Sufficient, Optional) configured to the authentication module instance chain. > The overall authentication success or failure is determined based on the control flag assigned to each module in the authentication stack. > OpenSSO is tested and verified to provide multi-factor authentication chain that include BiObex Login, Smartcard/PKI and other OpenSSO supported authentication providers. • Session Upgrade allows upgrading a valid session based on a successful “second-factor authentication” performed by the same user. > Allows user authenticate to access second resource under the same or different realm > If authentication is successful - OpenSSO updates the session based on the second- level authentication. If authentication fails, the current session will be maintained. 20
  • 21. Configuring Authentication Chain Goto: “Authentication” Select “Authentication Chaining” ….. 21
  • 22. Testing Multi-factor/Biometric SSO 1. Goto: Authentication - Configure “PasswordFinger” as Default Authentication Chain.  Make sure the ldapService remains as Administrator AuthN chain.  Goto: http://<GlassFish>/opensso 22
  • 23. Role of OpenSSO Policy Agents Authorization and Policy enforcement • Policies are managed by Policy configuration service in OpenSSO. > Policy service authorizes a user based on the policies stored in OpenSSO. > Policies consists of Rules, Subjects, Conditions and Response providers.. • OpenSSO Policy Agents enforce policies and policy decisions on protected resources . > Intercepts requests from clients/applications and redirects the requests to OpenSSO for authentication - if no valid session token is present. > Once authenticated, the policy agent communicates with OpenSSO Policy service to grant/deny access to the user based on policy evaluation. 23
• 24. Attribute Retrieval for Application Use
• User Profile Attributes
  > The J2EE Agent can retrieve LDAP attributes and set them as HTTP headers or cookies.
  > com.sun.identity.agents.config.profile.attribute.fetch.mode (possible values: HTTP_HEADER, HTTP_COOKIE, REQUEST_ATTRIBUTE, NONE)
  > Attribute mapping is done using com.sun.identity.agents.config.profile.attribute.map
• Response Attributes
  > The J2EE Agent can retrieve response attributes and set them as HTTP headers or cookies.
  > com.sun.identity.agents.config.response.attribute.fetch.mode (possible values: HTTP_HEADER, HTTP_COOKIE, REQUEST_ATTRIBUTE, NONE)
  > Attribute mapping is done using com.sun.identity.agents.config.response.attribute.map
• Session Attributes
  > The J2EE Agent can retrieve session attributes and set them as HTTP headers or cookies.
  > com.sun.identity.agents.config.session.attribute.fetch.mode (possible values: HTTP_HEADER, HTTP_COOKIE, REQUEST_ATTRIBUTE, NONE)
  > Attribute mapping is done using com.sun.identity.agents.config.session.attribute.map
• Privileged Attributes
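The agent behaviour of slides 23 and 24 (intercept, redirect without a session token, policy decision, then attribute injection according to the fetch mode and map settings), as one added Python model. It is not the J2EE agent's own code: the OpenSSO host, the user, the policies and the properties fragment are constructed; the property keys are the ones listed on slide 24 with the bracketed map[attribute] form used in the agent's AMAgent.properties, and iPlanetDirectoryPro is OpenSSO's session cookie name. Policy evaluation is simplified to prefix rules, group subjects and an auth-level condition.

```python
"""Model of a J2EE policy agent's per-request path (slides 23 and 24): intercept, redirect
when no session token is present, policy decision, then attribute injection driven by the
*.attribute.fetch.mode and *.attribute.map settings.  Added illustration, not the agent's
own code; the host, users, policies and the properties fragment are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import quote

OPENSSO_LOGIN = "http://opensso.example.test/opensso/UI/Login"   # constructed host
SSO_COOKIE = "iPlanetDirectoryPro"                                # OpenSSO's session cookie name

# Constructed AMAgent.properties fragment using the property keys listed on slide 24.
AGENT_PROPERTIES = """
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.map[cn] = CUSTOM-Common-Name
com.sun.identity.agents.config.profile.attribute.map[mail] = CUSTOM-Mail
com.sun.identity.agents.config.session.attribute.fetch.mode = REQUEST_ATTRIBUTE
com.sun.identity.agents.config.session.attribute.map[AuthLevel] = CUSTOM-Auth-Level
com.sun.identity.agents.config.response.attribute.fetch.mode = NONE
"""

def parse_agent_properties(text: str) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """{kind: (fetch_mode, {source_attribute: destination_name})} for profile/session/response."""
    prefix = "com.sun.identity.agents.config."
    modes = {k: "NONE" for k in ("profile", "session", "response")}
    maps: Dict[str, Dict[str, str]] = {k: {} for k in modes}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.startswith(prefix) or ".attribute." not in key:
            continue
        kind, rest = key[len(prefix):].split(".attribute.", 1)
        if kind in modes and rest == "fetch.mode":
            if value not in ("HTTP_HEADER", "HTTP_COOKIE", "REQUEST_ATTRIBUTE", "NONE"):
                raise ValueError("bad fetch mode %r for %s attributes" % (value, kind))
            modes[kind] = value
        elif kind in modes and rest.startswith("map[") and rest.endswith("]"):
            maps[kind][rest[4:-1]] = value
    return {k: (modes[k], maps[k]) for k in modes}

@dataclass
class Session:
    user: str
    groups: List[str]
    profile: Dict[str, str]           # LDAP attributes such as cn and mail
    session_attrs: Dict[str, str]     # e.g. AuthLevel

@dataclass
class Policy:
    resource_prefix: str              # Rule: protected resource
    actions: Dict[str, bool]          # Rule: HTTP method -> allow (True) / deny (False)
    subjects: List[str]               # Subject: groups the policy applies to
    min_auth_level: int = 0           # Condition: minimum authentication level

def evaluate_policy(policies: List[Policy], session: Session, url: str, action: str) -> bool:
    """Simplified decision: an applicable explicit deny wins, otherwise any allow grants."""
    verdicts = [p.actions[action] for p in policies
                if url.startswith(p.resource_prefix) and action in p.actions
                and set(p.subjects) & set(session.groups)
                and int(session.session_attrs.get("AuthLevel", "0")) >= p.min_auth_level]
    return bool(verdicts) and all(verdicts)

def agent_filter(request: dict, sessions: Dict[str, Session], policies: List[Policy],
                 cfg: Dict[str, Tuple[str, Dict[str, str]]]) -> dict:
    """request = {"url", "method", "cookies", "headers"}; returns the agent's decision."""
    session = sessions.get(request.get("cookies", {}).get(SSO_COOKIE, ""))
    if session is None:      # no valid session token: send the browser to OpenSSO to log in
        return {"action": "redirect",
                "location": "%s?goto=%s" % (OPENSSO_LOGIN, quote(request["url"], safe=""))}
    if not evaluate_policy(policies, session, request["url"], request["method"]):
        return {"action": "deny", "status": 403}
    sinks = {"HTTP_HEADER": {}, "HTTP_COOKIE": {}, "REQUEST_ATTRIBUTE": {}}
    sources = {"profile": session.profile, "session": session.session_attrs, "response": {}}
    for kind, (mode, mapping) in cfg.items():
        if mode != "NONE":
            for src, dest in mapping.items():
                if src in sources[kind]:
                    sinks[mode][dest] = sources[kind][src]
    # Client-supplied copies of the mapped header names are dropped so the application
    # only ever sees the values the agent injected.
    taken = {h.lower() for h in sinks["HTTP_HEADER"]}
    inbound = {h: v for h, v in request.get("headers", {}).items() if h.lower() not in taken}
    return {"action": "allow", "headers": {**inbound, **sinks["HTTP_HEADER"]},
            "cookies": sinks["HTTP_COOKIE"], "request_attributes": sinks["REQUEST_ATTRIBUTE"]}

# Constructed sample session store and policies.
SESSIONS = {"AQIC5w-constructed-token": Session("alice", ["staff"],
            {"cn": "Alice Example", "mail": "alice@example.test"}, {"AuthLevel": "3"})}
POLICIES = [Policy("http://app.example.test/hr/", {"GET": True}, ["staff"], min_auth_level=3),
            Policy("http://app.example.test/hr/admin/", {"GET": False}, ["staff"])]
AGENT_CONFIG = parse_agent_properties(AGENT_PROPERTIES)
```

The point worth checking in any such deployment is the last step of `agent_filter`: an application that trusts a header such as CUSTOM-Common-Name must only ever receive it from the agent, so inbound copies of the mapped names are discarded before the request is forwarded, and traffic must not be able to reach the application without passing through the agent at all.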
• 25. OpenSSO / BiObex Troubleshooting
• Enable message-level debugging in OpenSSO
  > Goto the Administration page and select the ‘Configuration’ tab.
  > Select your OpenSSO server; in the Debug section, set Debug Level to “Message”.
  > Restart your Web container.
• View BiObex AMLoginModule logs
  > Goto ~/opensso/debug/ and view the following files:
  > “Biobex”: contains tracing while the login module is in action.
  > “BiobexSSL”: contains OpenSSO-to-BiObex server communication messages and SSL-related configuration errors.
  > “amAuth”: contains messages related to the LoginModule instance and issues with the configuration of the BiObex AMLoginModule.
• View the BiObex Authentication server logs for issues related to user authentication failure.
• Make sure the user has an account in OpenSSO and has also enrolled his/her fingerprints in the BiObex Enrollment server.
• 26. Environment Requirements
Supported/verified BiObex environment

Components                                      | Software Products (Provided)                               | Supported Environment
------------------------------------------------|------------------------------------------------------------|--------------------------------------------------------------------------
Application Server                              |                                                            | GlassFish V2; Sun Application Server 7.1
Authentication and Authorization Server         | OpenSSO/BiObex AMLoginModule                               | OpenSSO Enterprise; Sun Access Manager 7.1
Database Server                                 |                                                            | Oracle 10g; DB2; PostgreSQL 7.3+; MySQL 5.x; JRE 1.5.12+
User Enrollment Workstation                     | BiObex Enrollment Client; SecuGen Hamster Plus/IV Sensors  | Windows XP/2003/Vista; RHEL/SUSE Linux; Solaris / Sun Ray / Solaris TX
Client Workstation (Microsoft Windows / SunRay) | BiObex 2.8 Client; BioGINA; SecuGen Hamster Plus/IV Sensors | Windows XP/2003; RHEL/SUSE Linux; Solaris / Sun Ray / Solaris TX; JRE 1.5.12+
BiObex Server                                   | BiObex Authentication Server; BiObex Enrollment Server     | Windows XP/2003; RHEL/SUSE Linux; Solaris / Sun Ray / Solaris TX
• 27. Real-world Deployment
Biometrics and Smartcard/PKI based Logical Access Control
* User desktops/browsers configured to use biometric scanners and smartcard readers.
• 28. SaaS/Cloud Deployment
Deploying Biometric Assurance as “SaaS” over the Web
• 29. Acquiring BiObex Software
Contact/Support information
Advanced Biometric Controls, LLC
11501 Sunset Hills Rd., Suite 200
Reston, Virginia 20190-4731
Toll-free: 1-877-4 BIOBEX (877-424-6239)
Main: 571-313-0969
Fax: 571-313-0962
Internet: www.biobex.com
E-mail: support@biobex.com
• 30. Q&A
Ramesh Nagappan
Sun Microsystems, Burlington, MA
ramesh.nagappan@sun.com
http://www.coresecuritypatterns.com/blogs