THE THREE S’ - SINGLE SIGN-ON, SPNEGO & SAML
Gabriella Davis
gabriella@turtlepartnership.com
The Turtle Partnership
WHO AM I?
Gab Davis
Administrator, Problem Solver, Stubborn Fixer of Things
Working with IBM technologies and all the things surrounding and integrating with those
Based in London, about half the time
WHAT IS THIS PRESENTATION ABOUT?
We are here to talk about concepts
Once you understand the concepts, their requirements, limitations and benefits, you can make decisions about what you need
Hopefully we will give you a good overview of a bunch of confusing acronyms
I DO NOT THINK THAT MEANS WHAT YOU THINK IT MEANS…
PASSWORD SYNCHRONISATION
You may have the same password but you’re not the same person
SINGLE SIGN ON
HELLO, HAVE YOU MET MY FRIEND?
I can vouch for him completely
Is trust transferable?
ONE PASSWORD, ONE LOCATION
Authenticating against a single password in a single place
Diagram: Sametime, Network Login, Connections and Mail all authenticating against one LDAP password
Synchronising passwords across different systems
Diagram: Sametime (LDAP), Connections (LDAP), Traveler (Authentication) and Mail, each kept in step by a Password Synchronisation Tool
STEPS FOR SINGLE PASSWORD, SINGLE PLACE
For LDAP compliant applications, ensure you use the same LDAP directory source
For Domino systems, configure Directory Assistance to point to an LDAP source
Ensure you have an attribute in your LDAP directory that contains the user’s distinguished name, so Domino is returned a valid user name
You can then empty out the HTTP Password field for all users
This will work for any Domino application: mail, Traveler, Sametime etc.
The user can be entirely remote, with no direct access to LDAP, and this will still work
SPNEGO
Simple and Protected GSSAPI Negotiation Mechanism
Known as NTLM or Kerberos in Active Directory
SPNEGO EXAMPLE FOR DOMINO
Steps:
1. User logs into Windows
2. Active Directory generates SPNEGO token
3. User tries to access Domino website
4. Browser sends SPNEGO token to Domino along with user name
5. Domino contacts Active Directory to validate token and retrieve the user’s name
DOMINO CREATES AN LTPA TOKEN FOR THE VALIDATED USER AND GRANTS ACCESS
Enable Multi Server Single Sign-On to extend access to other servers
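Step 4 above is the browser attaching its SPNEGO token to the request, and step 5 is Domino validating it. As an added example that is not part of the presentation or of Domino, the Python below decodes such a token far enough to tell whether it really carries a Kerberos ticket or has fallen back to NTLM, which is the check to make when SSO "works" but not by the path you intended; the tokens it parses are constructed inside the code.

```python
# Added example (not the presentation's or Domino's code): decode the token a
# browser sends in "Authorization: Negotiate ..." far enough to see whether it
# carries a Kerberos ticket or has fallen back to NTLM. Sample tokens are
# constructed below; the Kerberos AP-REQ inside is a placeholder.
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"

def tlv(tag, body):
    """Wrap body as a DER element (short or long form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def encode_oid(dotted):
    """Dotted OID string to the contents of a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)

def decode_oid(body):
    """Contents of a DER OBJECT IDENTIFIER back to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(data, pos=0):
    """Read one DER element at pos; return (tag, body, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form, as real (multi-hundred-byte) tokens use
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def walk(data):
    """Yield (tag, body) of every element, descending into constructed ones."""
    pos = 0
    while pos < len(data):
        tag, body, pos = read_tlv(data, pos)
        yield tag, body
        if tag & 0x20:  # constructed: SEQUENCE, [APPLICATION n], [n]
            yield from walk(body)

def mechanism_of(token):
    """Inner mechToken: bare NTLMSSP blob or a Kerberos InitialContextToken."""
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLM"
    if token and token[0] == 0x60:
        tag, oid_body, _ = read_tlv(read_tlv(token)[1])
        if tag == 0x06 and decode_oid(oid_body) in (KRB5_OID, MS_KRB5_OID):
            return "Kerberos"
    return "unknown"

def classify_negotiate(header_value):
    """Report the scheme, the SPNEGO mechTypes offered and the mechanism used."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        raise ValueError("not a Negotiate/NTLM header: %r" % scheme)
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):  # bare NTLM, under either scheme
        return {"scheme": scheme, "offered": [], "mechanism": "NTLM"}
    tag, body, _ = read_tlv(token)
    _, oid_body, rest = read_tlv(body)
    if tag != 0x60 or decode_oid(oid_body) != SPNEGO_OID:
        raise ValueError("not a GSS-API token wrapping SPNEGO")
    elements = list(walk(body[rest:]))  # the [0] NegTokenInit
    offered = [decode_oid(b) for t, b in elements if t == 0x06]
    mech_tokens = [b for t, b in elements if t == 0x04]
    used = mechanism_of(mech_tokens[0]) if mech_tokens else "none"
    return {"scheme": scheme, "offered": offered, "mechanism": used}

def build_neg_token_init(mech_types, mech_token):
    """Construct an SPNEGO NegTokenInit: mechTypes plus an optimistic mechToken."""
    mech_list = tlv(0x30, b"".join(tlv(0x06, encode_oid(o)) for o in mech_types))
    neg_init = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, tlv(0x06, encode_oid(SPNEGO_OID)) + tlv(0xA0, neg_init))

# Constructed samples (a real Kerberos token carries an AP-REQ after the OID).
KRB_TOKEN = tlv(0x60, tlv(0x06, encode_oid(KRB5_OID)) + b"\x01\x00<AP-REQ placeholder>")
NTLM_TOKEN = b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)
KRB_HEADER = "Negotiate " + base64.b64encode(build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], KRB_TOKEN)).decode()
NTLM_HEADER = "Negotiate " + base64.b64encode(build_neg_token_init([NTLMSSP_OID], NTLM_TOKEN)).decode()
```

Run `classify_negotiate` over the Authorization headers in a web server log: any result whose mechanism is not "Kerberos" is a client that did not use the ticket Active Directory issued at step 2.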
SETTING UP SPNEGO
Create a Domino Web SSO document
Set up an SPN for the Domino server in Active Directory
Domino must run under whatever account you set up for it
Run domspnego
Take the output and give it to your AD administrator to run setspn with
Run setspn -a HTTP/<dominohostname> <accountnamerunningdomino>
Update person documents with the AD name appended to FullName (and optionally others such as krbPrincipalName and LTPA User Name)
WHY NOT SPNEGO
It requires Active Directory
It requires users to log in to Active Directory
It requires Microsoft supported browsers
It requires a Windows client for the users
It requires Domino to be on a Windows platform (at least the first Domino server that’s accessed; the rest can then be reached via the Multi Server SSO token generated by Domino)
It doesn’t work at all if the user is connecting remotely and not logging into Active Directory
It has a very specific use case
SAML
Security Assertion Markup Language
SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers
Diagram: one IdP (Identity Provider) serving several SPs (Service Providers)
NO PASSWORDS… TO COMPROMISE, TO EXPIRE, TO INTERCEPT
Once a user has authenticated with the IdP they won’t be asked again
SAML EXAMPLE
Steps:
1. User attempts to log in to a website
2. User is redirected to Identity Provider
3. Identity Provider requests authentication or (if user is logged in) returns credentials
4. User is redirected back to original site with SAML assertion attached
5. Original site uses its SAML Service Provider to confirm SAML assertion and grant access
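Step 5 is where the Service Provider confirms the assertion. As an added example (not code from the presentation, Domino or ADFS), the Python below applies the checks an SP must still make after the XML signature has passed: trusted issuer, audience, recipient, matching request ID and validity window. The assertion and the issuer, audience and endpoint URLs are constructed sample values.

```python
# Added example (not the presentation's, Domino's or ADFS's code): the checks a
# Service Provider must still make on a SAML 2.0 assertion after the XML
# signature has been verified by an XML-DSig library (not done here). The
# assertion, issuer, audience and endpoint below are constructed sample values.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP = "https://idp.example.com/adfs/services/trust"  # entityID of the trusted IdP
AUDIENCE = "https://sp.example.com"                  # this SP's entityID
ACS = "https://sp.example.com/saml/acs"              # our Assertion Consumer Service URL

def saml_time(text):
    """Parse the UTC timestamp form SAML uses, e.g. 2024-05-01T10:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def outside_window(element, now, skew):
    """Why an element's NotBefore/NotOnOrAfter rejects 'now' (with clock skew), or None."""
    not_before, not_on_or_after = element.get("NotBefore"), element.get("NotOnOrAfter")
    if not_before and now + skew < saml_time(not_before):
        return "not yet valid"
    if not_on_or_after and now - skew >= saml_time(not_on_or_after):
        return "expired"
    return None

def check_assertion(xml_text, now, request_id, issuer=IDP, audience=AUDIENCE,
                    recipient=ACS, skew=timedelta(seconds=60)):
    """Return (name_id, []) when every check passes, else (None, [problems])."""
    root = ET.fromstring(xml_text)  # use a hardened XML parser for untrusted input in production
    problems = []
    if root.findtext("saml:Issuer", default="", namespaces=NS) != issuer:
        problems.append("Issuer is not the trusted IdP")
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("Conditions missing")
    else:
        reason = outside_window(conditions, now, skew)
        if reason:
            problems.append("Conditions " + reason)
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:  # an assertion minted for another SP must not log in here
            problems.append("Audience %r not among %r" % (audience, audiences))
    data = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if data is None:
        problems.append("SubjectConfirmationData missing")
    else:
        if data.get("Recipient") != recipient:
            problems.append("Recipient is not our ACS endpoint")
        if data.get("InResponseTo") != request_id:  # ties the assertion to the AuthnRequest we sent
            problems.append("InResponseTo does not match the AuthnRequest we issued")
        reason = outside_window(data, now, skew)
        if reason:
            problems.append("SubjectConfirmationData " + reason)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("NameID missing")
    return (name_id, []) if not problems else (None, problems)

# Constructed sample assertion (signature element omitted; see comment above).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">gab@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.example.com/saml/acs"
          NotOnOrAfter="2024-05-01T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T10:00:00Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, saml_time("2024-05-01T10:01:00Z"), "_req42"))
```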
DEFINITIONS
IdP - Identity Provider (SSO)
ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012): SAML 2.0 only; can be combined with SPNEGO; enhances Integrated Windows Authentication (IWA)
TFIM (Tivoli Federated Identity Manager): SAML 1.1 and 2.0
DEFINITIONS
SP - Service Provider
IBM Domino (web federated login)
IBM WebSphere
IBM Notes (requires IDVault) (notes federated login)
MORE DEFINITIONS
IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML based assertions
Assertions have three roles: authentication, authorisation and retrieving attributes
AN IDP CAN SERVICE MANY SERVICE PROVIDERS
An SP can be connected to several IdPs
An IdP can use a variety of authentication methods, including multi factor
SETTING UP SAML
Choose your IdP if you don’t already have one, whichever fits best in your business
Build the IdP
Configure the SP
Sounds easy, doesn’t it?
It’s really not easy by any means, but it is worth the investment in time
WHY NOT SAML
Not everything supports it: Traveler doesn’t, Sametime doesn’t
IDVault is a requirement, so IDs that can’t be vaulted (multiple passwords, smartcards etc.) can’t be used
OAUTH
NOT EVERYTHING BELONGS TO YOU
OAuth is an authentication standard supported by most major cloud providers
THE USER & THE CONSUMER
Let’s say you want Facebook to post on your Connections Activity Stream.
We need OAuth for that.
You are the User
Facebook is the Consumer
THE SERVICE PROVIDER & ITS SECRETS
The consumer (Facebook) wanders over to the Service Provider (IBM Connections) and asks for permission to post on the Activity Stream
The Service Provider issues a Secret to go with every URL request from the user which authorises access
OAUTH SIMPLIFIED EXAMPLE
Steps:
1. User asks Facebook (the Consumer) to post on their Activity Stream
2. Facebook goes to Connections (the Service Provider) and asks for permission to post
3. The Service Provider gives the Consumer a secret key to give to the User and a URL for the User to click on
4. The User clicks on the URL and authenticates with the Service Provider
5. The Service Provider, satisfied the secret key is good, will now allow the Consumer access to its services
THAT WAS REALLY SIMPLIFIED
There are other steps and other secrets to ensure traffic is not intercepted once authorisation is granted
There are checks to ensure the Service Provider is who it claims to be
You don’t want to accidentally authorise a phishing site
There are also lots of timeouts on the authorisation
Make sure you understand the security of both the Consumer and the Service Provider, as well as what access you are granting the Consumer on your behalf
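The "secret to go with every URL request" from the Service Provider slide and the "other secrets to ensure traffic is not intercepted" just above are, under OAuth 1.0a (RFC 5849), request signing; that version is an assumption, since the slides do not name one. The Python below is an added example, not code from the presentation or from IBM Connections: the Consumer signs each request with HMAC-SHA1 over the method, URL and parameters, keyed with the consumer and token secrets, and the Service Provider recomputes the signature instead of ever receiving the secrets. All keys, secrets and URLs are constructed.

```python
# Added example (not the presentation's or IBM Connections' code). Assumption: the
# per-request secret described in the slides is OAuth 1.0a request signing
# (RFC 5849): the Consumer proves it holds the consumer and token secrets by
# HMAC-signing each request, and the Service Provider recomputes the signature.
# Keys, secrets and the URL below are constructed sample values.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")

def base_string_uri(url):
    """Lower-case scheme and host, drop the default port, drop the query."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if (parts.scheme, parts.port) in (("http", 80), ("https", 443)):
        host = parts.hostname
    return "%s://%s%s" % (parts.scheme, host, parts.path)

def signature_base_string(method, url, params):
    """method & encoded(base URI) & encoded(sorted 'k=v' pairs joined by &)."""
    pairs = [(pct(k), pct(v)) for k, v in params]
    pairs += [(pct(k), pct(v)) for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    normalised = "&".join("%s=%s" % pair for pair in sorted(pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalised)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """Key is encoded(consumer secret) & encoded(token secret); output is base64."""
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode()
    text = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, timestamp=None, nonce=None):
    """Consumer side: return the full parameter list including oauth_signature."""
    params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp or int(time.time()))),
        ("oauth_nonce", nonce or secrets.token_hex(8)),  # lets the SP reject replays
        ("oauth_version", "1.0"),
    ] + list(body_params)
    signature = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return params + [("oauth_signature", signature)]

def verify_request(method, url, params, consumer_secret, token_secret):
    """Service Provider side: recompute the signature and compare in constant time."""
    presented = dict(params).get("oauth_signature", "")
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = hmac_sha1_signature(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)

# Constructed sample values for the Facebook-to-Connections scenario in the slides.
URL = "https://connections.example.com/activitystream/post"
CONSUMER_KEY, CONSUMER_SECRET = "facebook-app", "c0nsumer-s3cret"
TOKEN, TOKEN_SECRET = "gabs-access-token", "t0ken-s3cret"

if __name__ == "__main__":
    signed = sign_request("POST", URL, [("content", "hello world")],
                          CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET)
    print(verify_request("POST", URL, signed, CONSUMER_SECRET, TOKEN_SECRET))
```

A real Service Provider also checks that the timestamp is recent and the nonce unused, which is the "lots of timeouts" the slide refers to.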
IN SUMMARY
Think about what your problem actually is: there are plenty of technologies to make the user experience seamless, but they become ever more complex to build and maintain
What are your priorities? Single password? No password? No authentication with a particular service?
Many solutions require specific operating systems, software and client versions
Make sure you meet all requirements before building a plan you can’t deliver on
Some things are very easy (single password, SPNEGO)
Some things are very hard (SAML, OAuth)
There is no one solution; you need to choose the combination that delivers for you
HOW TO FIND ME
Twitter, blogs, Instagram, Facebook and more
gabriella@turtlepartnership.com
GabriellaDavis (skype)
http://turtleblog.info
gabturtle on twitter and elsewhere

Setting Up a Hybrid Domino Environment to Ease your Way to the Cloud
 
Embracing iot in the enterprise
Embracing iot in the enterpriseEmbracing iot in the enterprise
Embracing iot in the enterprise
 

Kürzlich hochgeladen

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

ISBG The 3 S's a guide to single sign on

  • 1. THE THREE S' - SINGLE SIGN-ON, SPNEGO & SAML. Gabriella Davis, gabriella@turtlepartnership.com, The Turtle Partnership
  • 2. WHO AM I? Gab Davis. Administrator, Problem Solver, Stubborn Fixer of Things. Working with IBM technologies and all the things surrounding and integrating with those. Based in London, about half the time.
  • 3. WHAT IS THIS PRESENTATION ABOUT? We are here to talk about concepts. Once you understand the concepts, their requirements, limitations and benefits you can make decisions about what you need. Hopefully we will give you a good overview of a bunch of confusing acronyms.
  • 4. I DO NOT THINK THAT MEANS WHAT YOU THINK IT MEANS…
  • 5. PASSWORD SYNCHRONISATION You may have the same password but you’re not the same person
  • 6. SINGLE SIGN ON. HELLO, HAVE YOU MET MY FRIEND? I can vouch for him completely. Is trust transferable?
  • 7. ONE PASSWORD, ONE LOCATION
  • 8. Authenticating against a single password in a single place (diagram: Sametime, Network Login, Connections and Mail all authenticating against the one LDAP password)
  • 9. Synchronising passwords across different systems (diagram: Sametime LDAP, Connections LDAP and Traveler authentication kept in step by a password synchronisation tool)
  • 10. STEPS FOR SINGLE PASSWORD, SINGLE PLACE. For LDAP compliant applications ensure you use the same LDAP directory source. For Domino systems, configure Directory Assistance to point to an LDAP source; ensure you have an attribute in your LDAP directory that contains the user's distinguished name so Domino is returned a valid user name. You can then empty out the HTTP Password field for all users. This will work for any Domino application: mail, Traveler, Sametime etc. The user can be entirely remote and with no access to LDAP directly and this will still work.
  • 12. SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism, known as NTLM or Kerberos in Active Directory
  • 13-17. SPNEGO EXAMPLE FOR DOMINO, STEPS: 1. User logs into Windows. 2. Active Directory generates SPNEGO token. 3. User tries to access Domino website. 4. Browser sends SPNEGO token to Domino along with user name. 5. Domino contacts Active Directory to validate token and retrieve the user's name.
  • 18. DOMINO CREATES A LTPA TOKEN FOR THE VALIDATED USER AND GRANTS ACCESS. Enable Multi Server Single Sign-On to extend access to other servers.
  • 19. SETTING UP SPNEGO. Create a Domino Web SSO document. Set up a SPN for the Domino server in Active Directory; Domino must run under whatever account you set up for it. Run domspnego, take the output and give it to your AD administrator to run setspn with: setspn -a http://<dominohostname> <accountnamerunningdomino>. Update person documents with the AD name appended to FullName (and optional others like krbPrincipalName and LTPA User Name).
  • 20. WHY NOT SPNEGO. It requires Active Directory. It requires users to log in to Active Directory. It requires Microsoft supported browsers. It requires a Windows client for the users. It requires Domino to be on a Windows platform, at least the first Domino server that's accessed; the rest can then be reached via the Multi Server SSO token generated by Domino. It doesn't work at all if the user is remotely connecting and not logging into Active Directory. It has a very specific use case.
  • 21. SAML
  • 22. Security Assertion Markup Language. SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers.
  • 23. IdP (Identity Provider) serving several SPs (Service Providers)
  • 24. NO PASSWORDS… TO COMPROMISE, TO EXPIRE, TO INTERCEPT. Once a user has authenticated with the IdP they won't be asked again.
  • 25-29. SAML EXAMPLE, STEPS: 1. User attempts to log in to a website. 2. User is redirected to Identity Provider. 3. Identity Provider requests authentication or (if user is logged in) returns credentials. 4. User is redirected back to original site with SAML assertion attached. 5. Original site uses its SAML Service Provider to confirm SAML assertion and grant access.
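The five-step exchange above, as an added example that is not part of the original presentation: both sides are toy in-memory objects, a keyed HMAC stands in for the XML signature a real IdP puts on an assertion, and the entity IDs, user name and password are constructed. The point is the Service Provider side of step 5: signature, issuer, audience, InResponseTo and expiry are all checked, and an assertion can be consumed only once.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed: HMAC key standing in for the IdP signing certificate; hypothetical entity IDs.
IDP_KEY = b"constructed-idp-signing-key"
IDP_ID = "https://idp.example.test"
SP_ID = "https://connections.example.test/sp"
ASSERTION_TTL = 300  # seconds an assertion stays valid (NotOnOrAfter)


def _sign(fields):  # stand-in for the XML signature on a real assertion
    data = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(IDP_KEY, data, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Holds the passwords and issues signed assertions (steps 2 and 3)."""
    def __init__(self):
        self.passwords = {"gab": "constructed-password"}
        self.logged_in = set()  # users with a live IdP session

    def authenticate(self, user, password):
        ok = self.passwords.get(user) == password
        if ok:
            self.logged_in.add(user)
        return ok

    def handle_request(self, user, authn_request):
        """Return an assertion if the user is logged in, else None (show login page)."""
        if user not in self.logged_in:
            return None
        fields = {
            "issuer": IDP_ID,
            "subject": user,
            "audience": authn_request["sp"],
            "in_response_to": authn_request["id"],
            "not_on_or_after": time.time() + ASSERTION_TTL,
        }
        return {**fields, "signature": _sign(fields)}


class ServiceProvider:
    """The website: never sees a password, only checks assertions (steps 1, 4, 5)."""
    def __init__(self):
        self.pending = {}  # outstanding AuthnRequest id -> time issued

    def start_login(self):
        """Step 1/2: build an AuthnRequest and send the browser to the IdP."""
        req = {"id": secrets.token_hex(8), "sp": SP_ID, "idp": IDP_ID}
        self.pending[req["id"]] = time.time()
        return req

    def consume_assertion(self, assertion, now=None):
        """Step 5: validate what the browser brought back before granting access."""
        now = time.time() if now is None else now
        fields = {k: v for k, v in assertion.items() if k != "signature"}
        if not hmac.compare_digest(_sign(fields), assertion["signature"]):
            raise ValueError("bad signature")
        if assertion["issuer"] != IDP_ID or assertion["audience"] != SP_ID:
            raise ValueError("wrong issuer or audience")
        if assertion["in_response_to"] not in self.pending:
            raise ValueError("unsolicited or replayed assertion")
        if now > assertion["not_on_or_after"]:
            raise ValueError("assertion expired")
        del self.pending[assertion["in_response_to"]]  # single use
        return assertion["subject"]


def sso_login(idp, sp, user, password=None):
    """Run steps 1-5; returns the accepted name, or None if the IdP wants a login."""
    req = sp.start_login()
    if password is not None:
        idp.authenticate(user, password)
    assertion = idp.handle_request(user, req)
    return sp.consume_assertion(assertion) if assertion else None
```

The second `sso_login` call in a session succeeds without a password, which is the "won't be asked again" behaviour of slide 24.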
  • 30. DEFINITIONS. IdP - Identity Provider (SSO). ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012): SAML 2.0 only, can be combined with SPNEGO, enhances Integrated Windows Authentication (IWA). TFIM (Tivoli Federated Identity Manager): SAML 1.1 and 2.0.
  • 31. DEFINITIONS. SP - Service Provider. IBM Domino (web federated login). IBM WebSphere. IBM Notes (requires IDVault) (notes federated login).
  • 32. MORE DEFINITIONS. IdPs (Identity Providers) use HTTP or SOAP to communicate to SPs (Service Providers) via XML based assertions. Assertions have three roles: Authentication, Authorisation, Retrieving Attributes.
  • 33. AN IDP CAN SERVICE MANY SERVICE PROVIDERS. A SP can be connected to several IdPs. An IdP can use a variety of authentication methods including multi factor.
  • 34. SETTING UP SAML. Choose your IdP if you don't already have one which fits best in your business. Build the IdP. Configure the SP. Sounds easy doesn't it? It's really not easy by any means but it is worth the investment in time.
  • 35. WHY NOT SAML. Not everything supports it: Traveler doesn't, Sametime doesn't. IDVault is a requirement, so IDs that can't be vaulted can't be used (multiple passwords, smartcards etc).
  • 36. OAUTH
  • 37. NOT EVERYTHING BELONGS TO YOU. OAuth is an authentication standard supported by most major cloud providers.
  • 38. THE USER & THE CONSUMER. Let's say you want Facebook to post on your Connections Activity Stream. We need OAuth for that. You are the User. Facebook is the Consumer.
  • 39. THE SERVICE PROVIDER & ITS SECRETS. The consumer (Facebook) wanders over to the Service Provider (IBM Connections) and asks for permission to post on the Activity Stream. The Service Provider issues a Secret to go with every URL request from the user which authorises access.
  • 40-44. OAUTH SIMPLIFIED EXAMPLE, STEPS: 1. User asks Facebook (the Consumer) to post on their Activity Stream. 2. Facebook goes to Connections (the Service Provider) and asks for permission to post. 3. The Service Provider gives the Consumer a secret key to give to the user and a URL for the user to click on. 4. The user clicks on the URL and authenticates with the Service Provider. 5. The Service Provider, satisfied the secret key is good, will now allow the Consumer access to its services.
  • 45. THAT WAS REALLY SIMPLIFIED. There are other steps and other secrets to ensure traffic is not intercepted once authorisation is granted. There are checks to ensure the Service Provider is who it claims to be; you don't want to accidentally authorise a phishing site. There are also lots of timeouts on the authorisation. Make sure you understand the security of both the Consumer and the Service Provider as well as what access you are granting the Consumer on your behalf.
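The simplified flow of slides 40-44, with the timeouts slide 45 mentions, as an added example that is not code from the presentation or from IBM Connections: the Service Provider side is a toy in-memory object, the consumer name, consumer secret, user and password are constructed, and the authorise URL is hypothetical. What it shows is that the Consumer never handles the user's password, that the request token is bound to the consumer it was issued to, and that an unapproved or stale token cannot be exchanged for access.

```python
import hmac
import secrets
import time

REQUEST_TOKEN_TTL = 600  # constructed: an unexchanged request token dies after 10 minutes


class ConnectionsOAuthProvider:
    """The Service Provider (Connections): owns the passwords and the activity stream."""
    def __init__(self):
        self.consumers = {"facebook": "constructed-consumer-secret"}  # registered consumers
        self.passwords = {"gab": "constructed-password"}
        self.request_tokens = {}  # token -> details; approved_by is filled in at step 4
        self.access_tokens = {}   # access token -> (consumer, user)

    def issue_request_token(self, consumer, consumer_secret, now):
        """Step 2/3: hand the consumer a temporary token, its secret, and a URL for the user."""
        registered = self.consumers.get(consumer, "")
        if not hmac.compare_digest(registered, consumer_secret):
            raise PermissionError("unknown consumer")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"consumer": consumer, "secret": secret,
                                      "issued": now, "approved_by": None}
        return token, secret, f"https://connections.example.test/oauth/authorize?token={token}"

    def authorize(self, token, user, password, now):
        """Step 4: the user follows the URL and logs in here, never at the consumer."""
        entry = self.request_tokens.get(token)
        if entry is None or now - entry["issued"] > REQUEST_TOKEN_TTL:
            raise PermissionError("unknown or expired request token")
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        entry["approved_by"] = user
        return True

    def exchange_for_access_token(self, consumer, token, token_secret, now):
        """Step 5: the consumer proves it holds the secret for a token the user approved."""
        entry = self.request_tokens.pop(token, None)  # one attempt only, fail closed
        if entry is None or entry["consumer"] != consumer:
            raise PermissionError("token not issued to this consumer")
        if not hmac.compare_digest(entry["secret"], token_secret):
            raise PermissionError("bad token secret")
        if entry["approved_by"] is None or now - entry["issued"] > REQUEST_TOKEN_TTL:
            raise PermissionError("not approved by the user, or approved too late")
        access = secrets.token_hex(16)
        self.access_tokens[access] = (consumer, entry["approved_by"])
        return access

    def post_to_activity_stream(self, access_token, text):
        consumer, user = self.access_tokens.get(access_token, (None, None))
        if user is None:
            raise PermissionError("no valid access token")
        return f"{user}'s activity stream: [{consumer}] {text}"


def facebook_posts_for_user(provider, user, password, text, now=None):
    """Steps 1-5 in order; only the provider ever sees the password."""
    now = time.time() if now is None else now
    token, secret, _url = provider.issue_request_token("facebook", "constructed-consumer-secret", now)
    provider.authorize(token, user, password, now)  # the user, at the URL, on Connections
    access = provider.exchange_for_access_token("facebook", token, secret, now)
    return provider.post_to_activity_stream(access, text)
```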
  • 46. IN SUMMARY. Think about what your problem actually is: there are plenty of technologies to make the user experience seamless but they become ever more complex to build and maintain. What are your priorities? Single password? No password? No authentication with a particular service? Many solutions require specific operating systems, software and client versions; make sure you meet all requirements before building a plan you can't deliver on. Some things are very easy (single password, SPNEGO). Some things are very hard (SAML, OAuth). There is no one solution, you need to choose the combination that delivers for you.
  • 47. HOW TO FIND ME. Twitter, blogs, Instagram, Facebook and more. gabriella@turtlepartnership.com, GabriellaDavis (skype), http://turtleblog.info, gabturtle on twitter and elsewhere