SINGLE SIGN ON SOLUTIONS FOR ICS PRODUCTS

Transcription

1 SINGLE SIGN ON SOLUTIONS FOR ICS PRODUCTS Gabriella Davis - gabriella@turtlepartnership.com IBM Lifetime Champion for Social Business The Turtle Partnership 1

2 Admin of all things and especially quite complicated things where the fun is Working with security, healthchecks, single sign on, design and deployment of IBM technologies and things that they talk to Stubborn and relentless problem solver Lives in London about half of the Ame twider: gabturtle Awarded the first IBM LifeAme Achievement Award for CollaboraAon SoluAons 2

3 ROADMAP FOR THIS SESSION Single Sign On vs Single Identity & Federation What technologies are available to me? What technologies work with ICS products What needs to be in place for single identity to work well The risks of single identity, IOT and GDPR 3

4 WHAT DO WE MEAN BY SINGLE IDENTITY OR FEDERATION? Identity Management I am an individual but one that is part of this group I take my individuality into different systems I take information about me across different systems This is the difference between federation and single sign on 4

5 THINGS HAVE GOTTEN A BIT MORE COMPLICATED THAN THAT.. Multiple systems and standards including SAML, OpenID, OAuth, Facebook Login Users require logins across personal, consumer, and enterprise systems 5

6 Individual Identities Across Systems Attributes Within Systems An individual will have separate identities across different systems, where some attributes are shared such as or name and others might be system specific. As the user moves between systems their core individual identity remains the same. 6

7 WHY IS HAVING A SINGLE IDENTITY VALUABLE? Preferences Behaviour & History Patterns Being Present how i use the system, how i prefer to work with it, what parts of it i prefer to see / engage with what I do, what i have interacted with in the past, what I reuse or repeat identifying ways in which I reuse or repeat in order to present information to me that I might not be aware of or highlight information that the pattern says I should be interested in just because i m using system A doesn t mean someone in system B can t find and interact with me. I have one identity if signed onto multiple systems. 7

8 KEY COMPONENTS OF SINGLE IDENTITY 8

9 AUTHENTICATION Authentication is critical to ensure Gab Davis in SystemA is the same as Gab Davis in SystemB and the information that goes with that Gab Davis is correct 9

10 TRUST Hello - have you met my friend? Is trust transferable? Once you create a way in you are establishing a security level as that of the lowest entry point 10

11 WHAT ARE ATTRIBUTES Examples of Attributes Access rights Sparkling Wine Flute White Wine Glass Light Red Wine Glass Identity data such as name or System specific attributes such as your favourite drink Blood Red Wine Glass Standard Wine Glass 11

12 COMMON AUTHENTICATION TECHNOLOGIES FEDERATION IWA OAUTH OPENID 12

13 PASSWORD SYNCHRONISATION THIS ISN T SINGLE IDENTITY Sametime LDAP Domino Authentication Password Synchronisation Tool TDI comes with a password sync tool that works with Domino for example Synchronising passwords across different systems Connections LDAP You re not the same person, you re just using the same password 13

14 DOMINO PASSWORD SYNC TYPES Notes Client Login Update HTTP password via security policy TDI Syncing Notes Shared Logon not password sync - it just looks like it 14

15 SINGLE LDAP SOURCE Sametime LDAP Password Mail Authenticating against a single password in a single place Network Login Connections Technically you are the same person as you authenticate using the same identity but that s it, there is no other information being held or exchanged. 15

16 SINGLE LDAP SOURCE SOLUTIONS WebSphere Configuration for Connections Sametime - sharing LDAP source for WebSphere and Domino Single Sign On / LTPA token exchanged Domino LTPA tokens are not imported into other systems but Domino can recognise and validate WebSphere tokens Token types ltpatoken and ltpatoken2 - modern systems use ltpatoken2 and should be configured to only support that Domino Directory Assistance authenticating via LDAP 16

17 AUTHENTICATING AGAINST HTTP USING LDAP PASSWORD 17

18 SETTING UP ALTERNATE DIRECTORY AUTHENTICATION Create Directory Assistance database in Domino Create a Directory Assistance document pointing to a LDAP source (such as Active Directory) You ll need bind credentials (hopefully!) You ll use SSL (also hopefully!) If you use bind credentials without SSL you are sending those in clear text Configure your server to use the new Directory Assistance database 18

19 DIRECTORY ASSISTANCE LDAP CONFIGURATION Ensure an attribute in the source LDAP Schema contains, as a minimum, the full hierarchical Notes name of your users The LDAP administrators will need to tell you which attribute to use You can verify it is configured correctly using an LDAP browser It doesn t matter what attribute they give you so long as it s dedicated to that purpose If the LDAP distinguished names are the same as your Domino hierarchical names then you don t need to do this eg CN=Gabriella Davis/O=Turtle and LDAP name of CN=Gabriella Davis, O-Turtle Ensure the attribute value you use to key on is unique 19

20 DIRECTORY ASSISTANCE LDAP CONFIGURATION Set up connection to LDAP server Decide what attribute is to be used as Notes Distinguished Name for lookups Decide if you should use custom filters 20

21 IWA/KERBEROS/SPNEGO STEPS USER LOGS INTO WINDOWS ACTIVE DIRECTORY GENERATES TOKEN USER TRIES TO ACCESS A WEBSITE BROWSER SENDS IWA TOKEN TO THE WEB SERVER ALONG WITH USER NAME THE WEB SERVER CONTACTS ACTIVE DIRECTORY TO VALIDATE TOKEN AND RETRIEVE THE USER S NAME The single authentication to Windows has granted access to other systems using the same identity 21

22 CONFIGURING SPNEGO FOR DOMINO HTTP Domino must be run as a service Ideally running under a named account rather than a system account An SPN must be created for the Domino server using its hostname and the account name it is running under To create an SPN used the domspnego command which generates the output to be used by Active Directory for example setspn -a HTTP/dominoweb.turtletest.com dominowebservice The AD username should exist in the fullname field of the Domino person document for ACLs to work IWA users do not need a Domino HTTP password set 22

23 CONFIGURING SPNEGO FOR WEBSPHERE Create a SPN in Active Directory for the hostname and account relating to the service you want to authorise Use ktpass on a Windows server to create a keytab file for your hostnames for example: ktpass -out c:\conn6.keytab -princ HTTP/ conn6.connections101.info@connections101.info -mapuser conn6iwa - mapop set -pass madeuppassword Use ktab (WebSphere) to merge multiple keytab files for import Use wsadmin to login to the WebSphere deployment manager and run $AdminTask createkrbconfigfile to create a krb5.conf file 23

24 CONFIGURING SPNEGO FOR WEBSPHERE Login to the ISC and choose Security - Global Security - SPNEGO Web Authentication (under Authentication) to configure the settings up upload your keytab and krb5.conf file Depending up on the environment you are connecting to, Kerberos itself may not be necessary 24

25 FEDERATED LOGIN IS SINGLE IDENTITY SECURITY ASSERTION MARKUP LANGUAGE STEPS USER ATTEMPTS TO LOG IN TO A WEBSITE USER IS REDIRECTED TO IDENTITY PROVIDER IDENTITY PROVIDER REQUESTS AUTHENTICATION OR (IF USER IS LOGGED IN) RETURNS CREDENTIALS USER IS REDIRECTED BACK TO ORIGINAL SITE WITH SAML ASSERTION ATTACHED ORIGINAL SITE USES ITS SAML SERVICE PROVIDER TO CONFIRM SAML ASSERTION AND GRANT ACCESS Security Assertion Markup Language A SAML environment ensures that once a user authenticates with a IdP (Identity Provider) other services (Notes clients, WebSphere servers, Domino servers) can verify back with the IdP that the user has been authenticated and not request further authorisation 25 25

26 SAML - FEDERATED SINGLE IDENTITY IdP - Identity Provider (SSO) ADFS (Active Directory Federation Services) can be combined with IWA TFIM (Tivoli Federated Identity Manager) SP - Service Provider IBM Domino (web federated login) IBM SmartCloud IBM Notes (requires ID Vault) (notes federated login) 26 26

27 SAML BEHAVIOUR IdP (Identity Providers) use HTTP or SOAP to communicate to SP (Service Providers) via XML based assertions Assertions have three roles Authentication Authorisation Retrieving Attributes Many kinds of authentication methods are supported depending on your chosen IdP Once initially federated no subsequent password or credentials are passed 27

28 IBM PRODUCTS AS SAML SERVICE PROVIDERS Verse on premises and cloud Domino Notes - both on premises and Smartcloud Connections WebSphere Sametime Community Server 28

29 CONFIGURING SAML - DOMINO Select and configure your Identity Provider - ADFS or TFIM (or alternate via support) Configure ID Vault Create a SSL certificate to run under HTTPS on Domino if required (not needed for NFL) If SSL is required the IdPs SSL certificate must be imported into Domino as a cross certificate People & Groups tab Certificates menu Actions - Import Internet Certificate 29

30 CONFIGURING SAML - DOMINO Create an IdP catalog using idpcat.ntf called idpcat.nsf Create a new IdP document All hostnames and ips (for SSL) that will be requested by the client 30

31 CONFIGURING SAML DOMINO The bottom half of the IdP document is populated by the imported IdP metadata.xml Export the IdpCat configuration to send to the IdP administrator for import 31

32 CONFIGURING SAML FOR CONNECTIONS Enabling SAML for Connections replaces the standard HTML login page with a new IdP authentication page by redirecting the request via httpd.conf Not all services support redirection Install the SAML ACS onto your WebSphere Application Servers Enable Trust Associations/TAI under Global Security 32

33 CONFIGURING SAML - SAMETIME Modify sametime.ini to add ST_AUTH_TOKEN=Fork:Saml,Notes under [ST_BB_NAMES] Import the IdP s certificate into the Community server s trust store Modify the Community server configuration to point to the updated or new trust store 33

34 CONFIGURING SAML FOR VERSE VIA SAMETIME PROXY IBM Verse will attempt to login to Sametime on load if instructed That login is done via Sametime Proxy Sametime Proxy and Sametime Community must be configured to use an Identity Provider to login To enable SAML for the Sametime Proxy you must edit stproxyconfig.xml (back it up first!) 34

35 CONFIGURING SAML FOR CLOUD SERVICES You must configure an IdP first Then contact IBM support and ask them to enable SAML for Verse, Connections, Sametime or any other services you have They will ask for your IdP information 35

36 FEDERATION FOR SOCIAL SYSTEMS OAUTH / OPENID / FACEBOOK LOGIN! OpenID is identity federation OAuth is authorisation OpenID is built on OAuth 36

37 SIMPLIFIED OAUTH PROCESS STEPS USER ASKS FACEBOOK (THE CONSUMER) TO POST ON THEIR ACTIVITY STREAM FACEBOOK GOES TO CONNECTIONS (THE SERVICE PROVIDER) AND ASKS FOR PERMISSION TO POST THE SERVICE PROVIDER GIVES THE CONSUMER A SECRET KEY TO GIVE TO THE USER AND A URL FOR THE USER TO CLICK ON THE USER CLICKS ON THE URL AND AUTHENTICATES WITH THE SERVICE PROVIDER THE SERVICE PROVIDER, SATISFIED THE SECRET KEY IS GOOD, WILL NOW ALLOW THE CONSUMER ACCESS TO ITS SERVICES 37

38 FEDERATION: DIRECTORIES & DATA IDENTITY HISTORY LOCATION SYSTEMS 38

39 IDENTITY Directories that are well constructed and maintained names data accounts Tie directories together with a common key 39

40 SYSTEMS Authorisation Access Levels Data Security Identifying shared attributes Configuring custom attributes in LDAP and the IdP 40

41 LOCATION Different behaviour in different locations Locations define data Why are you here? What is your role? 41

42 HISTORY What have you done before Patterns of behaviour Suggestions based on history, location and identity 42

43 RISKS 43

44 PERSONAS Do you want to tie everything together? Do you have the same persona everywhere? Is the language you use, your opinions, your political views common everywhere and something you want to share? 44

45 FEDERATION Once all systems are integrated all systems are vulnerable You are only as protected as your least secure password / authentication model Understand what services or service providers you have authorised, what information they hold, what their privacy policies are and what their security policies are Make sure users understand they have to logout 45

46 OAUTH/OPENID Theft of credentials Excessive access and data rights Theft of data Brute force guessing of credentials URL redirects or interceptions through incomplete URL requests Token interceptions Puts the user in control - this is not a bad thing 46

47 ICS USE CASES 47

48 SAML Federated Authentication Logins are redirected by the SP to the IdP Once authenticated the IdP won t prompt One SP can recognise multiple IdPs Multi Server Single Sign On Shared LTPATokens passed between servers this user has been validated by me already again Service must support being a Service Provider IWA Active Directory generates a token that can be recognised by (HTTP) based services Shared LTPAToken must be in a format all servers recognise Notes Shared Logon User must login to AD domain 48

49 NOTES CLIENT USERS SAML For All Notes Standard Users IWA Can Integrate With SAML providing authentication to anyone logging into AD Multi Server Single Sign On within Domino HTTP based services Notes Shared Login Non authenticated Non SAML Fixed Machine 49

50 DOMINO WEB APPLICATION USERS SAML IWA Multi Server Single Sign On

51 TRAVELER AND VERSE MOBILE USERS MDM CLIENT BASED CERTIFICATES LDAP AUTHENTICATION VIA DIRECTORY ASSISTANCE LTPATOKEN 51

52 CONNECTIONS SAML VIA HTTPD REDIRECTION TO IDP IWA Can Integrate With SAML providing Multi Server Single Sign On authentication to anyone logging into AD 52

53 SAMETIME SAML VIA HTTPD REDIRECTION TO IDP WEBSPHERE AND COMMUNITY SERVER ELEMENTS DOMINO TOKEN LOGIN - EMBEDDED SAMETIME ONLY IWA Can Integrate With SAML providing authentication to anyone Multi Server Single Sign On logging into AD 53

54 IOT, GDPR & IDENTITY 54

55 GENERAL DATA PROTECTION REGULATION GDPR comes into effect May 2018 I could do an entire session on GDPR alone but the goal of GDPR regulations are To give the individual more control over data held on them by companies the definition of an individual would be any human including employees, customers and suppliers To make companies more responsible for the data they gather and hold 55

56 GDPR & COMPANIES Companies must have an executive role responsible for data and another responsible for reporting any breaches to data agencies Data must be secured and that security must be documented Processes must exist to protect access to data Agreement must be requested for any data that is to be held including names, addresses and contact information In case of a data breach the company must notify relevant (national) data agency immediately Processes must exist to access, share and forget data if requested by the individual Companies can be fined 4% of turnover for failing to follow the new regulations but in reality no-one knows what will happen 56

57 GDPR & THE INDIVIDUAL If any company wants to store your information (and not just credit card information) they must have permission from you If they have your information already and want to keep it they must get permission from you they must have a reason to keeping information on you and declare for how long They must share all information they have kept on you with you at your request They must forget and remove any information they have on you at your request if it s not needed This applies even if you are an employee 57

58 INTERNET OF THINGS A physical device with embedded internet connectivity and always on status The beauty of IOT devices is that they are integrated into your life there s no individual authentication They know everything they need to know simply because of their placement or setup Their true value is in learning about those things we discussed earlier, preferences, behaviour, patterns 58

59 SSO+IOT+GDPR = RISK A lot of data being generated and stored Access to that data given to a wide audience via single sign on GDPR responsibilities require you to know what s being gathered, stored, how it s secured and how to access it and remove it 59

60 SUMMARY There is no single solution for all products - but IBM offer several compatible solutions that their products can use Any Single Sign On solution will extend beyond ICS products if only to include LDAP sources and / or load balancers Understanding what information is being revealed and how to secure it is critical in designing a Single Sign On solution The goal should be federation which means starting with an IdP Good directory data is key GDPR requires better security as well as processes to store, access and remove dataage 60

61 QUESTIONS? Gab Davis twitter: gabturtle skype: gabrielladavis 61