IBM Security Access Manager Single Sign-on with Federation

Transcription

1 IBM Security Access Manager Single Sign-on with Federation IBM SECURITY SUPPORT OPEN MIC To hear the WebEx audio, select an option in the Audio Connection dialog or by access the Communicate > Audio Connection menu option. To ask a question by voice, you must either Call In or have a microphone on your device. You will not hear sound until the host opens the audio line. For more information, visit: October 24, 2017 NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

2 ISAM Single Sign-on with Federation IBM SECURITY SUPPORT OPEN MIC October 24, 2017

3 Panelists Tom Ermis ISAM L2 support Engineer Nicholas Hasten ISAM L2 support Engineer David Shen ISAM L2 support Engineer Allen Ewing ISAM L2 support Engineer Gabriel Bell ISAM L2 support Engineer Lance Clinton Moderator ISAM L2 manager 3 IBM Security

4 Agenda Federation Setup Identity Provider initiated flow Service Provider initiated flow Troubleshooting methodology 4 IBM Security

5 Federation Setup (SAML 2.0)

6 Secure Federation -> Manage -> Federations 6 IBM Security

7 Federation Name/protocol 7 IBM Security

8 Template 8 IBM Security

9 Company Name/Role 9 IBM Security

10 Point of Contact (PoC) 10 IBM Security

11 Point of Contact Local WebSEAL (WebSEAL on same appliance) Local host can be used Include hostname of WebSEAL Remote WebSEAL (WebSEAL on different appliance) Include hostname (web-host-name) AND port of remote WebSEAL Junction name optional for both local/remote WebSEAL SPS will be appended to the full path 11 IBM Security

12 SAML Profiles 12 IBM Security

13 SAML SSO 13 IBM Security

14 SAML SSO Default NameID Format determines processing rules for the NameID value if 1. The format attribute is not set 2. The format attribute is set to urn:oasis:names:tc:saml:1.1:nameid-format:unspecified Values for the NameID Format include urn:oasis:names:tc:saml:2.0:nameid-format:persistent urn:oasis:names:tc:saml:1.1:nameid-format: address urn:oasis:names:tc:saml:2.0:nameid-format:transient Require signature on incoming SAML authentication requests ISAM will validate signature Require outgoing SAML authentication responses to be signed Partner will validate signature 14 IBM Security

15 SAML Logout 15 IBM Security

16 Signature Options 16 IBM Security

17 Signature Options Certificate Database Import databases under Manage > Edit SSL Certificate Database X509 certificate data Specify whether you want the BASE64 encoded certificate data to be included with your signature. The default action is to include the X.509 certificate data. X509 Subject Name Specify whether you want the subject name to be included with your signature. The default action is to exclude the X.509 subject name. X509 Subject Key Identifier Specify whether you want the X.509 subject key identifier to be included with your signature. The default action is to exclude the subject key identifier. X509 Subject Issuer Details Specify whether you want the issuer name and the certificate serial number to be included with your signature. The default action is to exclude the X.509 subject issuer details. Public key Specify whether you want the public key to be included with your signature. The default action is to exclude the public key. 17 IBM Security

18 Encryption Options 18 IBM Security

19 SAML Message 19 IBM Security

20 Mapping 20 IBM Security

21 Summary 21 IBM Security

22 Federation flow

23 IDP initiated flow (Unsolicited) Identity Provider Service Provider FIM /Logininitial Client FIM Step 1 /auth Step 2 /Login SAML Response Step 3 /wssoi Step 4 Target URL Step 5 23 IBM Security

24 SP initiated flow Similar to the IDP initiated flow, but starts a little differently. Identity Provider Service Provider FIM Client /Logininitial FIM Step 1 POST /login SAML Request Step 2 /Auth Step 3 /Login SAML Response Step 4 /wssoi Step 5 Target URL Step 6 24 IBM Security

25 Step 1. Logininitial endpoint ISAM Federation specific endpoint used to initiate solicited or unsolicited single sign-on Common query string parameters for both IDP and SP initiated RequestBinding NameIDFormat Target PartnerID ForceAuthn AllowCreate IsPassive The unauth ACL must be attached to this endpoint 25 IBM Security

26 Logininitial endpoint examples Single sign-on service initial URL (IP) /federation_name/saml20/logininitial?requestbinding=requestbindingtype &PartnerId=target_partner_provider_ID &NameIdFormat=NameIDFormatType &AllowCreate=AllowCreateValue &Target=target_application_location Single sign-on service initial URL (service provider) &ResponseBinding=HTTPPost &NameIdFormat= &IsPassive=true &ForceAuthn=false &Target= 26 IBM Security

27 Step 2. SAMLRequest Generated by Service Provider Query string parameters read and processed AuthnRequest generated for IDP Sent to the SingleSignOnService as defined in the IDP meta-data 27 IBM Security

28 Step 2. Authentication by the Identity Provider IDP will check if user is authenticated. Client authenticates through the WebSEAL. If user is not authenticated or ForceAuthn query parameter is set to true redirect to /auth 28 IBM Security

29 Step 3. Post SAMLResponse to the Service Provider After authentication PAC converted into SAML token to be sent to the Service Provider Token is signed using the Identity Provider public key Token is encrypted using the Identity Provider private key 29 IBM Security

30 Step 4. SAML Assertion received at AssertionConsumerService endpoint The endpoint on the Service provider receives SAML responses SAML Response is validated using the Service Provider private key SAML Response decrypted using the IDP public key Validate Timestamp destination InResponseTo matches the request ID Map attributes buildtampac Generate EAI headers for POC 30 IBM Security

31 Step 5. Authenticated user now accesses /wssoi endpoint Authentication level is ensured Poc.websealAuth.authLevel If user is authorized at the correct level redirect to target URL The anyauth ACL must be attached to this endpoint 31 IBM Security

32 Step 5. Redirected to target URL User is redirected to ISAM protected target URL with valid ISAM credential. 32 IBM Security

33 Troubleshooting

34 Troubleshooting Federation Issues Enabling runtime tracing for federation - Navigate to Secure Federation > Runtime Parameters > Runtime Tracing 34 IBM Security

35 Setting Tracing Specifications Select com.tivoli.am.fim* for the Component Select ALL for trace level Click Add Save and Deploy changes Deploying changes results in the runtime server being automatically reloaded. Proceed with recreate steps Disable tracing Return to Secure Federation > Runtime Parameters > Runtime Tracing Click the clear button Save and deploy changes 35 IBM Security

36 Where to find trace logs? Navigate to Monitor: Analysis and Diagnostics > Application Log Files > Federation > Runtime - Here you will find the trace.log - You will also find the option to export the logs for review. 36 IBM Security

37 Where to start when reviewing a trace? When troubleshooting an issue via the FIM trace.log, look for the phrase "logrequest" to locate the endpoints. For example: logrequest Path info: /IDP/saml20/logininitial logrequest Path info: /auth logrequest Path info: /SP/saml20/login logrequest Path info: /wssoi logrequest Path info: /SP/saml20/slo To further this example, here is a common Federation error: An error occurred fulfilling the current request to /sps/idp/saml20/auth. This error was caused by an internal/unexpected error on the invoked protocol module leading to the exception displayed below. Please validate configuration of the executing protocol and environment. This is not a problem with the SPS. The error states the problem occurred at the /auth endpoint. When looking at the Federation trace search for logrequest to locate where the request to /auth starts. From there you can follow the flow. 37 IBM Security

38 Questions for the panel Now is your opportunity to ask questions of our panelists. To ask a question now: Raise your hand by clicking Raise Hand. The Raise Hand icon appears next to your name in the Attendees panel on the right in the WebEx Event. The host will announce your name and unmute your line. or Type a question in the box below the Ask drop-down menu in the Q&A panel. Select All Panelists from the Ask drop-down-menu. Click Send. Your message is sent and appears in the Q&A panel. To ask a question after this presentation: You are encouraged to participate in the dw Answers forum: < 38 IBM Security

39 IBM Security Learning Academy New content published daily! Learning at no cost! Learning Videos Hands-on Labs Live Events 39 IBM Security

40 THANK YOU FOLLOW US ON: facebook.com/ibmsecuritysupport SecurityLearningAcademy.com securityintelligence.com xforce.ibmcloud.com Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.