Directories Services and Single Sign-On for Collaboration

Transcription

1

2 Directories Services and Single Sign-On for Collaboration Paulo Jorge Correia BRKUCC-2664

3 Agenda Identity Challenges and Market Analysis SSO Technologies and protocol Deep Dive OAuth Protocol SAML Protocol Identity Management for on-premise Identity Management for WebEx Identity Management for Spark SSO with IDaaS vendors Conclusions and Key Takeaways

4 Identity Challenges and Market Analysis

5 2016 Internet Security Report BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 Known breaches Breaches don t happen only in Web organisations that mainly target consumers Source net/visualizations/worlds-biggestdata-breaches-hacks/ BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Need For Strong Authentication Additional identification steps significantly increases security Username and passwords are no match for today s sophisticated hackers Solution is easy to deploy and easy to use ensuring user adoption Strong Authentication strengthens identity and access security by combining two or more identifiable elements Something you HAVE Something you KNOW Something you ARE BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 SSO Technologies and Protocol Deep Dive

9 Identity Framework Explicit Initial Trust Agreement IdP Identity Provider RP Relying Party Users BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 Authentication and Authorisation (AuthN and AuthZ) The process of authorisation is distinct from that of authentication. Whereas authentication is the process of verifying that "you are who you say you are", authorisation is the process of verifying that "you are permitted to do what you are trying to do". When you enter a hotel and walk up to reception, the receptionist authenticates you by checking your passport. Authentication Your room key is your authorisation token to enter your room and any resource that you are entitled in the Hotel Paulo You do not need your passport to enter your room. Your room key authorises you to enter your room only, and not any other rooms. The room key / authorisation token does not identify the holder of the key / token. Authorisation After authentication has taken place, the receptionist gives you a room key. BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Single Sign-On Definition Single Sign-On (SSO) is a session/user authentication process that permits a user to provide credentials only once in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. With SSO the barriers for deploying stronger authentication is much lower. BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 Role of Identity Providers (IdP) Validate who you are? Review personally identifying information to prove you are who you say you are (identity proofing), such as drivers license, passport, or biometric data Assign attributes [(name, role, address] in the identity management system. Validate and transact authentication requests? Verifying that the person seeking access to a resource is the one previously identified and approved by utilising some form of authentication system, often a username and password. BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Which IdP Does Cisco Supports? Cisco supports any IdP vendor that is compliant with the SAMLv2 Oasis Standard. Internally in our development test cycles, we test our products against selected authentication methods of the follow IdP s : Microsoft Active Directory Federation Services (ADFS) 2.0 Open Access Manager (OpenAM) 11.0 PingFederate BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 OAuth Protocol

15 OAuth 2.0 The OAuth 2.0 authorisation protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. It is an Authorisation protocol Valet key concept Eliminate the need for web sites to ask for passwords when you are accessing to your information. The resource owner authorise a client to access to resources in a server Client can be web app, desktop/phone app, JS in browser BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 OAuth main purpose OAuth provides the ability for these applications to access a user s data securely, without requiring the user to hand over his account password Web applications that use OAuth (over 16,000 API s) auth=oauth A common protocol for handling API authorisation greatly improves the developer experience because it lessens the learning curve required to integrate with a new API BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 SAML Protocol

18 SAML 2.0? The SAML standard is managed by the OASIS Security Services Technical Committee SAML is a protocol specification to use when two servers need to share users identity information. Nothing in the SAML specification provides the actual authentication service, with it we can : Single Sign-On across domains Cookies prevent the need for reauthorisation SSO interoperability between different entities Web Service Security (SAML allows for the exchange of assertions within a SOAP document) Federated Identity (consolidate identities across organisational boundaries) BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 SAML 2.0 SP inititate Flow 5. Authentication Statement 3. SAML request 4. Authenticate method define by IdP IdP Identity Provider 6. SAML Subject passes statement to RP ( this includes any attributes that are requested ) 1. Resource Request 2. Authentication Request RP Relying Party Ex: Spark, WebEx, CUCM, etc. BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 19 19

20 SAML Cookies to Prevent Re-authentication IdP Identity Provider RP Relying Party Ex: CUCM BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 SAML Cookies to Prevent Re-authentication IdP Cookie -> our recommendation for the Session Timer is 48 hours But most of the IdP s issue session base cookies Service Cookie -> Our recommendation for the Session Timer is 30 minutes BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 SAML 2.0 Cookies to Prevent Re-authentication Cisco Jabber 4. Authentication method define by IdP 3.GET with SAML authentication request Identity Provider IdP Cookie 5. Signed response in hiden HTML form with IdP cookie 1. Resource Request 6. POST signed response 2. Redirect with SAML authentication request CUCM Cookie CUCM 7. Supply resource with cookie BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 SAML 2.0 Cookies to Prevent Re-authentication Cisco Jabber 3.GET with SAML authentication request with IdP Cookie No Authentication needed since IdP Cookie is valid CUCM Cookie IdP Cookie IdP Cookie 4. Signed response in hidden HTML form Identity Provider 5. POST signed response 1. Resource Request 2. Redirect with SAML authentication request 6. Supply resource with cookie WebEx Cookie CUCM Unity Connections WebEx MC BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 SAML Establish Initial Agreement

25 Establish Trust Metadata File exchange IdP Identity Provider Metadata Exchange RP Relying Party Ex: WebEx BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 Establish Trust CUCM Metadata file Single Cluster always Agreement the CUCM & IM&P cluster IdP Identity Provider With Single Cluster agreement the entityid is Publisher FQDN <?xml version="1.0" encoding="utf-8"?> <md:entitydescriptor entityid="cucm0a.identitylab20.ciscolabs.com" ID="cucm0a.identitylab20.ciscolabs.com" xmlns:md="urn:oasis:names:tc:saml:2.0:metadata"> <md:spssodescriptor protocolsupportenumeration="urn:oasis:names:tc:saml:2.0:protocol" WantAssertionsSigned="false" We don t require for AuthN or AuthnRequestsSigned="false"> <md:keydescriptor use="signing"> signed Assertions but comply <ds:keyinfo xmlns:ds=" to what the IdP requests <ds:x509data> <ds:x509certificate>miigjjcc..</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:keydescriptor use="encryption"> We use the Tomcat Multi <ds:keyinfo xmlns:ds=" <ds:x509data> Server SAN for Signing <ds:x509certificate>miigjjcc..</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:nameidformat>urn:oasis:names:tc:saml:2.0:nameid-format:transient</md:nameidformat> <md:assertionconsumerservice index="0" Location=" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/> <md:assertionconsumerservice index="1 Location=" URL for the Client to POST the Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/> <md:assertionconsumerservice index="2" answer from the IdP, two per Location=" node in the cluster Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>.. </md:spssodescriptor> </md:entitydescriptor> BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 Establish Trust CUCM Metadata files Per node Agreement CUCM & IM&P cluster IdP Identity Provider <?xml version="1.0" encoding="utf-8"?> <md:entitydescriptor entityid="cucm0a.identitylab20.ciscolabs.com" ID="cucm0a.identitylab20.ciscolabs.com" xmlns:md="urn:oasis:names:tc:saml:2.0:metadata"> <md:spssodescriptor protocolsupportenumeration="urn:oasis:names:tc:saml:2.0:protocol" WantAssertionsSigned="false" AuthnRequestsSigned="false"> <md:keydescriptor use="signing"> <ds:keyinfo xmlns:ds=" <ds:x509data> <ds:x509certificate>miigjjcc..</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:keydescriptor use="encryption"> <ds:keyinfo xmlns:ds=" <ds:x509data> <ds:x509certificate>miigjjcc..</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:nameidformat>urn:oasis:names:tc:saml:2.0:nameid-format:transient</md:nameidformat> <md:assertionconsumerservice index="0" Location=" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/> <md:assertionconsumerservice index="1 Location=" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/> <md:assertionconsumerservice index="2" Location=" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>.. </md:spssodescriptor> </md:entitydescriptor> BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 Identity Management for On- Premise

29 Identity Management for WebEx

30 Identity Management for Spark

31 Spark Client Spark Service Common Identity Customer IdP Access to Service Prompt for address, metric service contacted BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 Spark Client Spark Service Common Identity Customer IdP Verify Address BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 Spark Client Spark Service Common Identity Customer IdP OAuth Server Exchange Go to CI OAuth Server and request a token -> URL for Authentication Server will be provided BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 Spark Client Spark Service Common Identity Customer IdP Identity Broker Exchange If SSO is enabled, Identity Broker redirect to the IdP. IdP URL was provided in the metadata Exchange, when configured SAML initial agreement BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 34

35 Spark Client Spark Service Common Identity Customer IdP HTTP POST Spark will request a SAML assertion from the IdP by doing a SAML HTTP POST 35

36 Spark Client Spark Service Common Identity Customer IdP Authentication Authentication will happen between Operating System Web resource and the IdP BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 Spark Client Spark Service Common Identity Customer IdP HTTP POST Client does an HTTP POST back to CI with the attributes provided by the IdP and agreed with the initial agreement 37

38 SAML Assertion from IdP to Spark Same Relay state as the SAML request from the Spark <saml2p:response Destination=" f8-22de53230d1e/sp" ID="_ b8068bb78f4cb242ad4f006" InResponseTo="s2e747a3b284812b71ccd8ac1dce98d00cbfa7555b" IssueInstant=" T17:13:22.572Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:saml:2.0:protocol" > <saml2:issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion" > <saml2p:status> <saml2p:statuscode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </saml2p:status> <saml2:assertion ID="_574a68c9ba c606a48902e50f" IssueInstant=" T17:13:22.572Z" Sucessefull SAML Version="2.0" Assertion xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion" xmlns:xs=" > <saml2:issuer Format="urn:oasis:names:tc:SAML:2.0:nameidformat:entity"> When the assertion was created <ds:signature xmlns:ds=" <ds:signedinfo> <ds:canonicalizationmethod Algorithm=" /> <ds:signaturemethod Algorithm=" /> <ds:reference URI="#_574a68c9ba c606a48902e50f"> <ds:transforms> <ds:transform Algorithm=" /> <ds:transform Algorithm=" <ec:inclusivenamespaces PrefixList="xs" xmlns:ec=" /> </ds:transform> </ds:transforms> <ds:digestmethod Algorithm=" /> <ds:digestvalue>f4b90sjgqwcrjauycrl7xs2ncdw=</ds:digestvalue> </ds:reference> </ds:signedinfo> <ds:signaturevalue>l0n0sdiaxfyl4eg6sc9jrajnia85a9oj77bftwflk8vcqomtleqtcopc08zxhsdszyw hivi/wfyqjnjninmmda8f7xdfh+qfrhlsbgw0d4wry4qt3xz59ucsgfdwkafy6ou2kqrb5zzracexx/pqyvsrfkl 7zhw83KvU5Wm/hYbaHpI4eu+0lZ/O4Dyr2r7tz/MF/XBipN3IMATQbswiFDtFFlqpFtfnp0mPqSYwgakDG4ZSslCEw O2ateKlI8c2pelKkDOxO1fvbJV8CjykxBV/k8a+GPuxCrl27EP12MN3MZ/VxPgaNiLQeNXS8z3UlO47kN/wYmxfNcQ YEbHWHg==</ds:SignatureValue> <ds:keyinfo> <ds:x509data> IdP Signature and Certificate for Spark to validate <ds:x509certificate>miidkzccahogawibagiunxwxwlgu07iluaaqto3xa/xhfi0wdqyjkozihvcnaqefbqawg zezmbcg 6k9FCGi2Hd3q9GW0iYUJi68=</ds:X509Certificate> </ds:x509data> </ds:keyinfo> </ds:signature> BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 SAML Assertion from IdP to Spark <saml2:subject> <saml2:nameid Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameID format, Spark NameQualifier=" SPNameQualifier=" supported transient, </saml2:nameid> <saml2:subjectconfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:subjectconfirmationdata Address=" " InResponseTo="s2e747a3b284812b71ccd8ac1dce98d00cbfa7555b NotOnOrAfter=" T17:18:22.572Z" Recipient=" </saml2:subjectconfirmation> </saml2:subject> <saml2:conditions NotBefore=" T17:13:22.572Z" NotOnOrAfter=" T17:18:22.572Z"> <saml2:audiencerestriction> <saml2:audience> </saml2:audiencerestriction> </saml2:conditions> Entity ID that this assertion should apply to Time window when this SAML assertion is accepted unspecified and BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 NameID formats support by Spark UNSPECIFIED <saml2:nameid Format="urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified NameQualifier=" SPNameQualifier=" _306e0e97b606cc3199a28e72c95aa206 </saml2:nameid> <saml2:attributestatement> <saml2:attribute Name="uid NameFormat="urn:oasis:names:tc:SAML:2.0:attrnameformat:unspecified"> <saml2:attributevalue xmlns:xsi= xsi:type="xs:string"> </saml2:attributevalue> </saml2:attribute> </saml2:attributestatement> NameID format unspecified require SPNameQualifier and the extra attribute (uid) statement NameID format transient require SPNameQualifier and the extra attribute (uid) statement NameID format require SPNameQualifier but doesn t require any extra attribute <saml:nameid Format="urn:oasis:names:tc:SAML:1.1:nameidformat: Address SPNameQualifier=" f8-22de53230d1e"> paucorre@identitylab20.ciscolabs.com </saml:nameid> TRANSIENT <saml:nameid Format="urn:oasis:names:tc:SAML:2.0:nameidformat:transient" NameQualifier="ping8a.uc8sevtlab13.com SPNameQualifier=" RbtO77X6eKfPUF5OhPrAKTCE88e </saml:nameid> <saml:attributestatement> <saml:attribute Name="uid NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:attributevalue xsi:type="xs:string xmlns:xs= xmlns:xsi=" paucorre@uc8sevtlab13.com </saml:attributevalue> </saml:attribute> </saml:attributestatement> BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 40

41 Spark Client Spark Service Common Identity Customer IdP HTTP POST Gets an authorisation Code that will be replaced with an OAuth access and refresh Token, and will be use from here on to access resources on behalf of the user BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 Cisco Spark Spark Thick Client Embedded Browser Spark Service Common Identity OAuth Identity Broker Customer IdP Access Service Redirect to Authorisation Service Authz URL AuthZ URL Redirect to the AuthN AuthN Request Provide IdP URL for SAML Exchange SAML GET Authentication request Authentication Provided SAML POST with uid and IdP cookie Access_token POST SAML Assertion Redirect to the Oauth Service with SAML cookie and UID of the user Provides SAML cookie and UID to OAuth Service Send back OAuth Token Validates Assertion and create the SAML SP cookie Verifies Entitlement and Scope for the user and generate OAuth Token Access to the Spark Service BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 42

43 SSO with IDaaS Vendors

44 What is an IDaaS? Cloud-based service in a multitenant or dedicated and hosted delivery model. The service brokers a set of functionality across multiple IAM functions specifically, identity and governance administration (IGA), access enforcement, and analytics functions. Gartner predicts that 40% of identity and access management (IAM) purchases will use the identity and access management as a service (IDaaS) delivery model by 2020, up from just 20% in Source : Gartner - Magic Quadrant for Identity and Access Management as a Service BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 44

45 Cisco Cloud Collaboration Services Integration Some of the IDaaS vendor already have templates defined that almost doesn t need any configuration apart from providing the ORG id. The provide services for thousands of SSO enabled apps, where the users of a customer just need to login to a single apps and all other will receive information from the first login. BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 45

46 Cisco On-premise Integration with IDaaS before 11.5 Before 11.5 CUCM & IM&P cluster Before CSR 11.5 Cisco on-premise collaboration products require on IdP agreement per node in the cluster. BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 46

47 Cisco On-premise Integration with IDaaS before 11.5 Before 11.5 CUCM & IM&P cluster But a single cluster can import a single metadata file from the IdP BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 47

48 Cisco On-premise Integration with IDaaS on and forward CUCM & IM&P cluster With CSR 11.5 and after Cisco on-premise collaboration products require on the IdP a single agreement per cluster. To achieve single cluster agreement, Cisco uses a SAML specification that allow for multiple AssertionConsumerService tags BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 48

49 Cisco On-premise Integration with IDaaS on 11.5 All the IDaaS vendor don t support multiple AssertionConsumerServices tags, you can only specify one. BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 49

50 Cisco On-premise Integration with OKTA on 11.5 With the exception of OKTA that develop the support for multiple AssertionConsumerService. In order to integrate with customer that have SAML enabled applications where multiple nodes need to access to a single IdP agreement. BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 50

51 Cisco On-premise Integration with OKTA on 11.5 For the integration to be configured we need to open the CUCM cluster metadata file and copy the AssertionConsumerService that have the bindings HTTP- POST Cisco and/or its affiliates. All rights reserved. Cisco Public 51

52 Conclusion and Key Takeaways

53 Q & A

54 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2017 Cap by completing the overall event evaluation and 5 session evaluations. All evaluations can be completed via the Cisco Live Mobile App. Caps can be collected Friday 10 March at Registration. Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. BRKUCC Cisco and/or its affiliates. All rights reserved. Cisco Public 54

55 Thank you

56