single sign on
play

Single Sign On SimpleSAMLphp CivicActions | SSO | Dan Gurin | - PowerPoint PPT Presentation

Feb 26, 2023 •425 likes •669 views

Single Sign On SimpleSAMLphp CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR Enterprise level user account costs Administration Setup Retire Support Password resets

  1. Single Sign On SimpleSAMLphp CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  2. Enterprise level user account costs ● Administration ○ Setup ○ Retire ● Support ○ Password resets ● Security ○ Policy ■ Password ■ Multi Factor authentication CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  3. CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  4. Single Sign On (SSO) ● Many applications ● Same ○ Username / password ○ Two Factor Authentication ○ Password policies ■ No unnecessary passwords changes ● Centralized user management ○ Authentication ■ Disable ○ Authorization ■ Roles CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  5. Providers ● Identity Provider (idP) ○ Lightweight Directory Access Protocol (LDAP) ○ Centralized Authentication Service (CAS) ● Service Provider (SP) ○ SAML ○ Shibboleth ● Authentication ● Authorization ○ Drupal role(s) ○ Groups CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  6. SimpleSAMLphp Service Provider (SP) ● Scenario ○ External authentication system ○ Use Drupal for something other than just authentication ● Installation ○ SimpleSAMLphp Library ○ SimpleSAMLphp Auth Drupal Module CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  7. Let’s Get It Started ● PHP ○ php -m | grep 'date\|dom\|hash\|json\|mbstring\|openssl\|pcre\|SPL\|zlib' ● Download ○ https://simplesamlphp.org/download ○ https://simplesamlphp.org/docs/stable/simplesamlphp-install-repo ● Untar or clone to repo root ○ Not web root! REPO root ○ Untar ■ tar -zxvf simplesamlphp-1.16.2.tar.gz ○ Clone ■ git clone git@github.com:simplesamlphp/simplesamlphp.git repo_root/simplesamlphp CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  8. Service Provider/Point (SP) ● Common use case with Drupal ● Drupal does other things than manage users CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  9. Copy config and metadata templates ● Copy config from config-templates directory to config directory mkdir config cp config-templates/config.php config/config.php cp config-templates/authsources.php config/authsources.php ● Copy metadata from metadata-templates directory to metadata directory mkdir metadata cp metadata-templates/saml20-idp-remote.php metadata/saml20-idp-remote.php CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  10. Session Store Options ● PHP ○ Default, Built in, Simplest :) ○ Usually does not work in load balanced environments :( ● SQL ○ Data Source Name (DSN) to access PHP Data Objects (PDO)s ○ Tables created automatically, prefix if many SimpleSAML installations using single DB ● Memcache ○ Can load balance and failover on different servers ● Redis ○ Default connection is localhost over port 6379 ● Write your own plugin :O CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  11. Configure SQL Session Store config/config.php $config array end under DATA STORE CONFIGURATION ‘store.type’ => 'sql', 'store.sql.dsn' => 'mysql:host=database;dbname=mysql', 'store.sql.username' => ‘username’, 'store.sql.password' => ‘password’, CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  12. Symbolic Links ● Access simplesaml from yoursite.com/simplesaml ln -s web/simplesaml simplesaml/www ● Point key folders to composer managed directories ○ Definitely ■ config ■ metadata ln -s simplesamlphp/config vendor/simplesamlphp/simplesamlphp/config ln -s simplesamlphp/metadata vendor/simplesamlphp/simplesamlphp/metadata ○ Call Me Maybe ■ cert ■ log CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  13. Let’s Talk About Certs ● SP may sign requests & receive encrypted responses from idP ● Only one current authentication source ○ authX509userCert validate against LDAP userCertificate attribute ● Cert dir ○ simplesaml/cert ● Create cert ○ openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem ● Add to authsources.php 'default-sp' => array( 'saml:SP', 'privatekey' => 'saml.pem', 'certificate' => 'saml.crt') CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  14. HTTPS ● SSL required ● Free certificates https://letsencrypt.org/ ● Base URL Path in $config array ○ simplesaml/config/config.php 'baseurlpath' => 'https://your.drupal.site/simplesaml/' CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  15. Identity Provider (idP) Metadata ● Get metadata XML file from Identity Provider ● Parse XML to SimpleSAMLphp metadata ● Add metadata file to /simplesaml/metadata/saml20-idp-remote.php CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  16. Set Default idP ● Prevents from asking each time ● Super annoying if there is only one! In /simplesaml/config/authsources.php file Add to $config array: 'entityid' => 'https://adfs.your-idp.gov/adfs/services/trust', CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  17. Logging ● Levels ○ DEBUG, INFO, NOTICE, WARNING, ERR ● Handlers ○ syslog, file, or errorlog ● /simplesaml/config/config.php $config array 'logging.level' => SimpleSAML\Logger::DEBUG, 'logging.handler' => 'file', 'logging.logfile' => 'simplesamlphp.log', CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  18. idP sets attributes ● Unique ID ○ UserPrincipalName ● User ○ Email without the @domain.gov ● Email CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  19. Use the full exact name of the attribute CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  20. Local dev ● Config Split ● Drush / Drupal Console ● Deactivate ● Disable SimpleSAMLphp Auth module CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  21. Activation ● Delete test entities in metadata files ● Install a new certificate if your cert has been exposed ● config.php 'logging.level' => SimpleSAML\Logger::NOTICE, ● simplesamlphp_auth.settings.yml activate: true CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  22. Resources ● SimpleSAMLphp homepage ● List of all available SimpleSAMLphp documentation ● Join the SimpleSAMLphp user's mailing list CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  23. Free Open Source Symposium Q & A CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  24. Thank you! CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

Recommend

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms Pavel Slav ek, pavel.slavicek@qbizm.cz Brno, The Czech Republic, 2. 5. 2008 Content Single sign-on introduction (SSO) Introduction to

959 views • 24 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga

Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga

Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga Artiaga Ernest CERN - - OpenLab OpenLab Security Workshop Security Workshop April 2004 April 2004 CERN Outline Outline Motivation and

352 views • 23 slides
Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The Problem Current Solutions Future Solutions Conclusion Introduction WebDAV: common complaint of poor support for authentication in

917 views • 34 slides
Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual

Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual

Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual Research Community Marc van Dijk , Andrea Giachetti, Marco Verlato, Antonio Rosato, Alexandre Bonvin EGI Technical Forum 2012 zondag 16 september 12

413 views • 13 slides
Search for four-top-quark production in in the single-lepton and opposite-sign dilepton final

Search for four-top-quark production in in the single-lepton and opposite-sign dilepton final

Search for four-top-quark production in in the single-lepton and opposite-sign dilepton final states in in pp pp collisions at at = 13 13 TeV with the ATLAS detector MOHAMMED FARAJ UNIVERSITA DI UDINE/INFN TRIESTE -GRUPPO COLLEGATO

601 views • 23 slides
Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old

Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old

Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old approach in multiple systems SSO Security Benefits Common SSO based configurations Examples of SSO usage Conclusion 15/12/11

379 views • 16 slides
Single Sign-On for the Internet: A Security Story eugene@tsyrklevich.name vlad902@gmail.com

Single Sign-On for the Internet: A Security Story eugene@tsyrklevich.name vlad902@gmail.com

Single Sign-On for the Internet: A Security Story eugene@tsyrklevich.name vlad902@gmail.com BlackHat USA, Las Vegas 2007 How do you manage your 169 Web 2.0 accounts today? Does your SSO consist of A login (e.g. johndoe) + 2

599 views • 46 slides
of Workstation Single Sign-On George A. Gellert, MD, MPH, MPA Associate CMIO, CHRISTUS Health

of Workstation Single Sign-On George A. Gellert, MD, MPH, MPA Associate CMIO, CHRISTUS Health

Clinical Impact and Value of Workstation Single Sign-On George A. Gellert, MD, MPH, MPA Associate CMIO, CHRISTUS Health San Antonio, Texas The Challenge: Providers using EHRs must maintain the security of protected health information and

588 views • 26 slides
What is Classlink? Classlink is a single sign on solution for Hamilton County Schools staff and

What is Classlink? Classlink is a single sign on solution for Hamilton County Schools staff and

What is Classlink? Classlink is a single sign on solution for Hamilton County Schools staff and students. - One place to log in and access websites and resources 2 Lets Log In! 1. Use the classlink desktop icon pushed to your HCDE

668 views • 10 slides
The role of directories in Single Sign on Systems Victoriano Giralt Central Computing Facility

The role of directories in Single Sign on Systems Victoriano Giralt Central Computing Facility

The Dark Ages The Enlightenment The Industrial Revolution The XXI century Summary The role of directories in Single Sign on Systems Victoriano Giralt Central Computing Facility University of Malaga TERENA EuroCAMP Ljubljana April 3rd

1.39k views • 105 slides
Single Sign On and Authorization Infrastructure using CAS 2 Shoji KAJITA (Information Technology

Single Sign On and Authorization Infrastructure using CAS 2 Shoji KAJITA (Information Technology

Single Sign On and Authorization Infrastructure using CAS 2 Shoji KAJITA (Information Technology Center, Nagoya University) and Hisashi NAITO (Graduate School of Mathematics, Nagoya University) Jan. 22 2006, APAN 21st Conference p. 1/16

303 views • 16 slides
Single Sign-On: Myth vs Reality Mark Wilcox mark@mjwilcox.com My Involvement Chief

Single Sign-On: Myth vs Reality Mark Wilcox mark@mjwilcox.com My Involvement Chief

Single Sign-On: Myth vs Reality Mark Wilcox mark@mjwilcox.com My Involvement Chief Integration Geek for WebCT Wrote a book on LDAP Became expert on authentication Participant in Internet 2 authentication working groups

789 views • 19 slides
Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015

Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015

Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015 Gschlberger/Gttfert 1 Introduction Research Studios Austria FG MicroLearning and Information Environments Bernhard Gschlberger

488 views • 19 slides
Oracle Buys Passlogix Adds Enterprise Single Sign-On and Network Authentication Capabilities to

Oracle Buys Passlogix Adds Enterprise Single Sign-On and Network Authentication Capabilities to

Oracle Buys Passlogix Adds Enterprise Single Sign-On and Network Authentication Capabilities to Oracles Identity Management Suite October 29, 2010 Oracle is currently reviewing the existing Passlogix product roadmap and will be providing

489 views • 12 slides
Kerberos and Single Sign-On with HTTP Joe Orton Senior Software Engineer, Red Hat Overview

Kerberos and Single Sign-On with HTTP Joe Orton Senior Software Engineer, Red Hat Overview

Kerberos and Single Sign-On with HTTP Joe Orton Senior Software Engineer, Red Hat Overview Introduction The Problem Current Solutions Future Solutions Conclusion Introduction WebDAV: common complaint of poor

481 views • 26 slides
NCCoE: Mobile App Single-Sign On Achieving a secure, reliable, accessible SSO solution for Public

NCCoE: Mobile App Single-Sign On Achieving a secure, reliable, accessible SSO solution for Public

NCCoE: Mobile App Single-Sign On Achieving a secure, reliable, accessible SSO solution for Public Safety & First Responders 2017 PUBLIC SAFETY BROADBAND STAKEHOLDER MEETING 1 #PSCR2017 Introductions Bill Fisher NIST, National

453 views • 29 slides
for a sign! But none will be given it except the sign of the prophet Jonah. 40 40 For as Jonah was

for a sign! But none will be given it except the sign of the prophet Jonah. 40 40 For as Jonah was

Then some of the Pharisees and teachers of the law said to him, Teacher, we want to see a sign from you. 39 39 He answered, A wicked and adulterous generation asks for a sign! But none will be given it except the sign of the prophet

841 views • 27 slides
The Long, Long Road to True Single Sign On at Fermilab Al Lilianstrom and Dr. Olga Terlyga NLIT

The Long, Long Road to True Single Sign On at Fermilab Al Lilianstrom and Dr. Olga Terlyga NLIT

FERMILAB-SLIDES-18-123-CD The Long, Long Road to True Single Sign On at Fermilab Al Lilianstrom and Dr. Olga Terlyga NLIT 2018 This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S.

558 views • 30 slides
Integration of N-tiers application Using CAS Single Sign On system with Horde webmail Jan Du

Integration of N-tiers application Using CAS Single Sign On system with Horde webmail Jan Du

EuroCAMP 8may2008 Integration of N-tiers application Using CAS Single Sign On system with Horde webmail Jan Du Caju ICT security officer K.U.Leuven Belgium Jan.DuCaju@icts.KULeuven.be EuroCAMP 8may2008 Integration of N-tiers application

792 views • 36 slides
Integration of N-tiers application Using CAS Single Sign On system with a webmail application,

Integration of N-tiers application Using CAS Single Sign On system with a webmail application,

Integration of N-tiers application Using CAS Single Sign On system with a webmail application, Horde K.U.Leuven Association velpi@groupt.be http://shib.kuleuven.be Integration of N-tiers application http://associatie.kuleuven.be/

911 views • 58 slides
mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG

mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG

mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG mkasper@monzoon.net The login hell mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008 Solutions use client

243 views • 22 slides
NET ETCard Card Ci Citibank tibank Merging usernames under single log-in Presented by:

NET ETCard Card Ci Citibank tibank Merging usernames under single log-in Presented by:

Procu Procurem rement ent, , Travel, el, and nd NET ETCard Card Ci Citibank tibank Merging usernames under single log-in Presented by: Department of Finance Merging Cards, such as PCard and TCard, under a single username sign-on

342 views • 9 slides
and Presentation submissions 1.0 Sign up / Register 2.0 Sign in 3.0 Manage submissions 3.1 New

and Presentation submissions 1.0 Sign up / Register 2.0 Sign in 3.0 Manage submissions 3.1 New

GCSI Project Information Form and Presentation submissions 1.0 Sign up / Register 2.0 Sign in 3.0 Manage submissions 3.1 New Submission 1.0 Sign up / Register Create a new account at first time, please press the Sign up /Register

200 views • 5 slides

More recommend