FEDERATED IDENTITY AT ARGONNE NATIONAL LABORATORY



NLIT 2018
Pete Friedman, Enterprise Architect, Business and Information Services (BIS), Argonne National Laboratory

ABOUT THE PRESENTER
Pete Friedman is an Enterprise Architect in the Business and Information Services division within Mission Support. He joined the Laboratory in 2012 as a Unix systems administrator and became a full-time Enterprise Architect in 2016. B.S. Computer Science, Carnegie Mellon University.

ABOUT THE LAB
Argonne National Laboratory seeks solutions to pressing national problems in science and technology. The nation's first national laboratory, Argonne conducts leading-edge basic and applied scientific research in virtually every scientific discipline. Argonne researchers work closely with researchers from hundreds of companies, universities, and federal, state and municipal agencies. Argonne is managed by UChicago Argonne, LLC for the U.S. Department of Energy's Office of Science.

OUR JOURNEY: REFLECTIONS ON THE EXCITING, CAPTIVATING, AND INSPIRING DISCIPLINE OF IDENTITY MANAGEMENT. ;)

SOME DEFINITIONS
In case you haven't heard them before:
SAML: Security Assertion Markup Language. It's the method that backs a lot of federated identity systems, including DOE OneID and InCommon.
IdP: Identity Provider. The system which sends identity data about a user (usually in SAML, but can also be e.g. OAuth2).
SP: Service Provider. The system which consumes the identity assertion from the IdP.
Metadata (SAML): Usually XML; describes the SP's or IdP's capabilities, URLs, accepted fields, etc.
SSO: Single Sign-On.
InCommon: An Internet2 initiative which aggregates IdP and SP metadata. Participating institutions and public SPs can consume the aggregate so that InCommon participants can access the resource (modulo SP-configured AuthZ).
AuthN, AuthZ: Authentication and Authorization.
DOE OneID: Kind of like InCommon, but way more advanced in terms of canonicalization, institutional control, and directory services provided.
XSD: XML Schema Description.

HOW IT ALL STARTED
Our Environment, Then and Now
THEN:
Went production with our SAML IdP around 2013.
Had a few (n < 5) applications which were registered with InCommon, or configured to accept non-Argonne Identity Providers.
Had more (n > 5) cloud applications which were accessed through our SSO/IdP.
NOW:
Have about 40 SAML SPs (Argonne); 8k in InCommon.
Using Shibboleth 3.x for the IdP, with username/password, Kerberos, and smart card authentication.
Mostly using Shibboleth SP; also using SimpleSAMLphp, PySAML, and others across the Lab.

NEEDED TO SUPPORT COLLABORATION
Why can't another Laboratory's user, or someone from a University, access our business applications like those InCommon apps?
We understood the model of an IdP providing access to multiple applications.
We understood the model of multiple IdPs providing access to a single application.

THERE MUST BE A BETTER WAY!
Each application manages its own mapping of users!

FEDERATED IDENTITY MANAGEMENT
To the rescue! We realized what we needed. Now we had to solution it!

BRAINSTORMING
Requirements and Commercial Evaluation
Our requirements:
Users can manage their external identities (we're never going to know about all of them, but they do). Example: I have 4! ANL, CMU, OneID, ORCID. Don't even get me started on social logins.
Applications can map incoming assertions to a user.
Security and Audit can traverse the accounts associated with a person.
Commercial evaluation:
Products like Okta, OneLogin, Ping, etc. are great at providing access to cloud applications from one or more internal identity sources.
Products do internal (from the system's perspective) de-duplication and canonicalization: unify your AD, LDAP, etc.
SCIM: System for Cross-Domain Identity Management, RFC 7643. Usually implemented as HTTPS POST with a JSON payload.

OUR IMPLEMENTATION
CPOs, FAOs, FAOTypes
CPO: Canonical Person Object. Represents a person affiliated with Argonne. Aligned to the Enterprise Information Model for a Person.
FAO: Federated Account Object. Many-to-one relationship with a CPO. Represents a digital credential. Aligned to a SAML assertion, but extensible.
FAOType: Describes the IdPs associated with an FAO. LoA list. XML, XSD.

THE FAO AND FAOTYPE

SERVICE DESIGN

WHAT IT ALL LOOKS LIKE
* Shown as point-to-point to describe information flow, but actually implemented via a service bus.

THIS DOESN'T SOLVE ALL THE PROBLEMS
It may make some new ones:
Can't assume a user's login account is ever inactive.
Applications need to be aware of this, and transition to dealing with people, not accounts.
It's going to be a while before all our apps support this.

WHERE TO GO FROM HERE
Things we've talked about but not yet implemented:
Authorization Service: a central authorization service which takes in an FAO, uses the CPO to look up roles, uses the FAO to look up LoAs and other context attributes, and returns a filtered permission set.
Additional Attribute Services (Training).
Admin interface for local identity providers (e.g. user facility systems) to manage creating FAOTypes.
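The CPO / FAO / FAOType model from the OUR IMPLEMENTATION slide and the authorization service sketched above are close enough to code that a small model makes the design concrete: two credentials from two IdPs resolve to one person, roles live on the person, and the LoA of the credential actually presented filters what that person may do. The Python below is an added illustration, not Argonne's implementation or code from the presentation. The entityIDs, the LoA levels (collapsed here to one integer per FAOType rather than the slide's LoA list), the roles and the permission table are all constructed assumptions.

```python
# Toy model of CPO / FAO / FAOType plus the proposed central authz service.
# Added illustration, not Argonne's code; all identifiers below are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class FAOType:
    """One IdP that may issue FAOs. Assumed LoA scale: 1 = self-asserted,
    2 = institutional password, 3 = smart card."""
    entity_id: str   # SAML entityID of the IdP (constructed values below)
    label: str
    loa: int


@dataclass(frozen=True)
class FAO:
    """One digital credential at one IdP. Many FAOs map to one CPO."""
    fao_type: FAOType
    subject: str     # the IdP's persistent identifier for the user (NameID)


@dataclass
class CPO:
    """The person. Roles hang off the person, never off an individual account."""
    cpo_id: str
    display_name: str
    roles: set = field(default_factory=set)
    faos: list = field(default_factory=list)


# Constructed permission catalogue: permission -> (role required, minimum LoA).
PERMISSIONS = {
    "view_timecard": ("staff", 1),
    "submit_timecard": ("staff", 2),
    "approve_purchase": ("purchasing", 3),
}


class Registry:
    """Which person is behind an assertion, and what may they do with it?"""

    def __init__(self):
        self.fao_types = {}   # entity_id -> FAOType
        self.cpos = {}        # cpo_id -> CPO
        self.by_fao = {}      # (entity_id, subject) -> cpo_id

    def register_type(self, fao_type: FAOType) -> None:
        self.fao_types[fao_type.entity_id] = fao_type

    def add_cpo(self, cpo: CPO) -> None:
        self.cpos[cpo.cpo_id] = cpo

    def link(self, cpo: CPO, fao: FAO) -> None:
        """Attach a credential to a person, enforcing many-to-one: the FAO must
        come from a registered FAOType and may belong to only one CPO."""
        if fao.fao_type.entity_id not in self.fao_types:
            raise ValueError(f"no FAOType registered for {fao.fao_type.entity_id}")
        key = (fao.fao_type.entity_id, fao.subject)
        owner = self.by_fao.get(key)
        if owner is not None and owner != cpo.cpo_id:
            raise ValueError(f"credential {key} already belongs to {owner}")
        self.by_fao[key] = cpo.cpo_id
        if fao not in cpo.faos:
            cpo.faos.append(fao)

    def resolve(self, issuer: str, name_id: str) -> Optional[CPO]:
        """Map an assertion (issuer entityID + NameID) to the person behind it.
        Assertions from IdPs with no FAOType are rejected before any lookup."""
        if issuer not in self.fao_types:
            return None
        cpo_id = self.by_fao.get((issuer, name_id))
        return self.cpos.get(cpo_id) if cpo_id is not None else None

    def authorize(self, issuer: str, name_id: str, requested: set) -> set:
        """Central authz: the CPO supplies roles, the presented FAO supplies
        the LoA; only permissions satisfied by both are returned."""
        cpo = self.resolve(issuer, name_id)
        if cpo is None:
            return set()
        loa = self.fao_types[issuer].loa
        granted = set()
        for perm in requested:
            rule = PERMISSIONS.get(perm)
            if rule is None:
                continue          # unknown permission: never granted
            role, min_loa = rule
            if role in cpo.roles and loa >= min_loa:
                granted.add(perm)
        return granted

    def accounts_for(self, cpo_id: str) -> list:
        """Audit view: every credential associated with one person."""
        return [(f.fao_type.entity_id, f.subject) for f in self.cpos[cpo_id].faos]


def build_demo() -> Registry:
    """Constructed sample data: one person holding credentials at two IdPs."""
    reg = Registry()
    anl = FAOType("https://idp.anl.example/shibboleth", "Argonne (smart card)", loa=3)
    cmu = FAOType("https://idp.cmu.example/shibboleth", "CMU (password)", loa=2)
    reg.register_type(anl)
    reg.register_type(cmu)
    alice = CPO("cpo-0001", "Alice Example", roles={"staff", "purchasing"})
    reg.add_cpo(alice)
    reg.link(alice, FAO(anl, "alice@anl.example"))
    reg.link(alice, FAO(cmu, "aexample"))
    return reg
```

Calling `build_demo().authorize(...)` with the CMU credential returns only the two timecard permissions, because the person holds the purchasing role but the password-backed FAO does not meet the LoA that approving a purchase requires; the same person arriving through the smart-card FAOType gets all three. An assertion from an issuer with no FAOType, or a NameID nobody has linked, resolves to no CPO and therefore to an empty permission set, and `accounts_for` gives the audit view of every credential behind one person.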

QUESTIONS?

APPENDIX

EXAMPLE ARGONNE FAOTYPE XSD


www.anl.gov