single sign on
play

Single Sign On SimpleSAMLphp CivicActions | SSO | Dan Gurin | - PowerPoint PPT Presentation

Feb 26, 2023 •425 likes •669 views

Single Sign On SimpleSAMLphp CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR Enterprise level user account costs Administration Setup Retire Support Password resets

  1. Single Sign On SimpleSAMLphp CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  2. Enterprise level user account costs ● Administration ○ Setup ○ Retire ● Support ○ Password resets ● Security ○ Policy ■ Password ■ Multi Factor authentication CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  3. CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  4. Single Sign On (SSO) ● Many applications ● Same ○ Username / password ○ Two Factor Authentication ○ Password policies ■ No unnecessary passwords changes ● Centralized user management ○ Authentication ■ Disable ○ Authorization ■ Roles CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  5. Providers ● Identity Provider (idP) ○ Lightweight Directory Access Protocol (LDAP) ○ Centralized Authentication Service (CAS) ● Service Provider (SP) ○ SAML ○ Shibboleth ● Authentication ● Authorization ○ Drupal role(s) ○ Groups CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  6. SimpleSAMLphp Service Provider (SP) ● Scenario ○ External authentication system ○ Use Drupal for something other than just authentication ● Installation ○ SimpleSAMLphp Library ○ SimpleSAMLphp Auth Drupal Module CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  7. Let’s Get It Started ● PHP ○ php -m | grep 'date\|dom\|hash\|json\|mbstring\|openssl\|pcre\|SPL\|zlib' ● Download ○ https://simplesamlphp.org/download ○ https://simplesamlphp.org/docs/stable/simplesamlphp-install-repo ● Untar or clone to repo root ○ Not web root! REPO root ○ Untar ■ tar -zxvf simplesamlphp-1.16.2.tar.gz ○ Clone ■ git clone git@github.com:simplesamlphp/simplesamlphp.git repo_root/simplesamlphp CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  8. Service Provider/Point (SP) ● Common use case with Drupal ● Drupal does other things than manage users CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  9. Copy config and metadata templates ● Copy config from config-templates directory to config directory mkdir config cp config-templates/config.php config/config.php cp config-templates/authsources.php config/authsources.php ● Copy metadata from metadata-templates directory to metadata directory mkdir metadata cp metadata-templates/saml20-idp-remote.php metadata/saml20-idp-remote.php CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  10. Session Store Options ● PHP ○ Default, Built in, Simplest :) ○ Usually does not work in load balanced environments :( ● SQL ○ Data Source Name (DSN) to access PHP Data Objects (PDO)s ○ Tables created automatically, prefix if many SimpleSAML installations using single DB ● Memcache ○ Can load balance and failover on different servers ● Redis ○ Default connection is localhost over port 6379 ● Write your own plugin :O CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  11. Configure SQL Session Store config/config.php $config array end under DATA STORE CONFIGURATION ‘store.type’ => 'sql', 'store.sql.dsn' => 'mysql:host=database;dbname=mysql', 'store.sql.username' => ‘username’, 'store.sql.password' => ‘password’, CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  12. Symbolic Links ● Access simplesaml from yoursite.com/simplesaml ln -s web/simplesaml simplesaml/www ● Point key folders to composer managed directories ○ Definitely ■ config ■ metadata ln -s simplesamlphp/config vendor/simplesamlphp/simplesamlphp/config ln -s simplesamlphp/metadata vendor/simplesamlphp/simplesamlphp/metadata ○ Call Me Maybe ■ cert ■ log CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  13. Let’s Talk About Certs ● SP may sign requests & receive encrypted responses from idP ● Only one current authentication source ○ authX509userCert validate against LDAP userCertificate attribute ● Cert dir ○ simplesaml/cert ● Create cert ○ openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem ● Add to authsources.php 'default-sp' => array( 'saml:SP', 'privatekey' => 'saml.pem', 'certificate' => 'saml.crt') CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  14. HTTPS ● SSL required ● Free certificates https://letsencrypt.org/ ● Base URL Path in $config array ○ simplesaml/config/config.php 'baseurlpath' => 'https://your.drupal.site/simplesaml/' CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  15. Identity Provider (idP) Metadata ● Get metadata XML file from Identity Provider ● Parse XML to SimpleSAMLphp metadata ● Add metadata file to /simplesaml/metadata/saml20-idp-remote.php CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  16. Set Default idP ● Prevents from asking each time ● Super annoying if there is only one! In /simplesaml/config/authsources.php file Add to $config array: 'entityid' => 'https://adfs.your-idp.gov/adfs/services/trust', CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  17. Logging ● Levels ○ DEBUG, INFO, NOTICE, WARNING, ERR ● Handlers ○ syslog, file, or errorlog ● /simplesaml/config/config.php $config array 'logging.level' => SimpleSAML\Logger::DEBUG, 'logging.handler' => 'file', 'logging.logfile' => 'simplesamlphp.log', CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  18. idP sets attributes ● Unique ID ○ UserPrincipalName ● User ○ Email without the @domain.gov ● Email CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  19. Use the full exact name of the attribute CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  20. Local dev ● Config Split ● Drush / Drupal Console ● Deactivate ● Disable SimpleSAMLphp Auth module CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  21. Activation ● Delete test entities in metadata files ● Install a new certificate if your cert has been exposed ● config.php 'logging.level' => SimpleSAML\Logger::NOTICE, ● simplesamlphp_auth.settings.yml activate: true CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  22. Resources ● SimpleSAMLphp homepage ● List of all available SimpleSAMLphp documentation ● Join the SimpleSAMLphp user's mailing list CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  23. Free Open Source Symposium Q & A CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

  24. Thank you! CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms Pavel Slav ek, pavel.slavicek@qbizm.cz Brno, The Czech Republic, 2. 5. 2008 Content Single sign-on introduction (SSO) Introduction to

959 views • 24 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga

Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga

Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga Artiaga Ernest CERN - - OpenLab OpenLab Security Workshop Security Workshop April 2004 April 2004 CERN Outline Outline Motivation and

352 views • 23 slides
Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The Problem Current Solutions Future Solutions Conclusion Introduction WebDAV: common complaint of poor support for authentication in

917 views • 34 slides
Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual

Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual

Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual Research Community Marc van Dijk , Andrea Giachetti, Marco Verlato, Antonio Rosato, Alexandre Bonvin EGI Technical Forum 2012 zondag 16 september 12

413 views • 13 slides
Search for four-top-quark production in in the single-lepton and opposite-sign dilepton final

Search for four-top-quark production in in the single-lepton and opposite-sign dilepton final

Search for four-top-quark production in in the single-lepton and opposite-sign dilepton final states in in pp pp collisions at at = 13 13 TeV with the ATLAS detector MOHAMMED FARAJ UNIVERSITA DI UDINE/INFN TRIESTE -GRUPPO COLLEGATO

601 views • 23 slides
Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old

Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old

Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old approach in multiple systems SSO Security Benefits Common SSO based configurations Examples of SSO usage Conclusion 15/12/11

379 views • 16 slides
Single Sign-On for the Internet: A Security Story eugene@tsyrklevich.name vlad902@gmail.com

Single Sign-On for the Internet: A Security Story eugene@tsyrklevich.name vlad902@gmail.com

Single Sign-On for the Internet: A Security Story eugene@tsyrklevich.name vlad902@gmail.com BlackHat USA, Las Vegas 2007 How do you manage your 169 Web 2.0 accounts today? Does your SSO consist of A login (e.g. johndoe) + 2

599 views • 46 slides
of Workstation Single Sign-On George A. Gellert, MD, MPH, MPA Associate CMIO, CHRISTUS Health

of Workstation Single Sign-On George A. Gellert, MD, MPH, MPA Associate CMIO, CHRISTUS Health

Clinical Impact and Value of Workstation Single Sign-On George A. Gellert, MD, MPH, MPA Associate CMIO, CHRISTUS Health San Antonio, Texas The Challenge: Providers using EHRs must maintain the security of protected health information and

588 views • 26 slides
What is Classlink? Classlink is a single sign on solution for Hamilton County Schools staff and

What is Classlink? Classlink is a single sign on solution for Hamilton County Schools staff and

What is Classlink? Classlink is a single sign on solution for Hamilton County Schools staff and students. - One place to log in and access websites and resources 2 Lets Log In! 1. Use the classlink desktop icon pushed to your HCDE

668 views • 10 slides
The role of directories in Single Sign on Systems Victoriano Giralt Central Computing Facility

The role of directories in Single Sign on Systems Victoriano Giralt Central Computing Facility

The Dark Ages The Enlightenment The Industrial Revolution The XXI century Summary The role of directories in Single Sign on Systems Victoriano Giralt Central Computing Facility University of Malaga TERENA EuroCAMP Ljubljana April 3rd

1.39k views • 105 slides
Single Sign On and Authorization Infrastructure using CAS 2 Shoji KAJITA (Information Technology

Single Sign On and Authorization Infrastructure using CAS 2 Shoji KAJITA (Information Technology

Single Sign On and Authorization Infrastructure using CAS 2 Shoji KAJITA (Information Technology Center, Nagoya University) and Hisashi NAITO (Graduate School of Mathematics, Nagoya University) Jan. 22 2006, APAN 21st Conference p. 1/16

303 views • 16 slides
Single Sign-On: Myth vs Reality Mark Wilcox mark@mjwilcox.com My Involvement Chief

Single Sign-On: Myth vs Reality Mark Wilcox mark@mjwilcox.com My Involvement Chief

Single Sign-On: Myth vs Reality Mark Wilcox mark@mjwilcox.com My Involvement Chief Integration Geek for WebCT Wrote a book on LDAP Became expert on authentication Participant in Internet 2 authentication working groups

789 views • 19 slides
Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015

Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015

Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015 Gschlberger/Gttfert 1 Introduction Research Studios Austria FG MicroLearning and Information Environments Bernhard Gschlberger

488 views • 19 slides
Oracle Buys Passlogix Adds Enterprise Single Sign-On and Network Authentication Capabilities to

Oracle Buys Passlogix Adds Enterprise Single Sign-On and Network Authentication Capabilities to

Oracle Buys Passlogix Adds Enterprise Single Sign-On and Network Authentication Capabilities to Oracles Identity Management Suite October 29, 2010 Oracle is currently reviewing the existing Passlogix product roadmap and will be providing

489 views • 12 slides
Kerberos and Single Sign-On with HTTP Joe Orton Senior Software Engineer, Red Hat Overview

Kerberos and Single Sign-On with HTTP Joe Orton Senior Software Engineer, Red Hat Overview

Kerberos and Single Sign-On with HTTP Joe Orton Senior Software Engineer, Red Hat Overview Introduction The Problem Current Solutions Future Solutions Conclusion Introduction WebDAV: common complaint of poor

481 views • 26 slides
=C=Fermilab Managed by Fermi Research Alliance, LLC for the U.S. Department of Energy Office of

=C=Fermilab Managed by Fermi Research Alliance, LLC for the U.S. Department of Energy Office of

FERMILAB-SLIDES-18-102-CD =C=Fermilab Managed by Fermi Research Alliance, LLC for the U.S. Department of Energy Office of Science Federation At Fermilab Al Lilianstrom National Laboratories Information Technology Summit May 2015 This

642 views • 29 slides
Privacy matters in directories Jose A. Accino 1 Victoriano Giralt 1 Javier Masa 2 1 Central

Privacy matters in directories Jose A. Accino 1 Victoriano Giralt 1 Javier Masa 2 1 Central

The problem The solution The implementation Summary Privacy matters in directories Jose A. Accino 1 Victoriano Giralt 1 Javier Masa 2 1 Central Computing Facility University of Malaga 2 RedIRIS Seville, June 21 th 2007 Jose A. Accino,

1.14k views • 87 slides
Distributed File Systems Early networking and files Had FTP to transfer files Telnet to

Distributed File Systems Early networking and files Had FTP to transfer files Telnet to

4/4/2014 Distributed File Systems Early networking and files Had FTP to transfer files Telnet to remote login to other systems with files Distributed Computing Systems But want more transparency! local computing with remote

532 views • 16 slides
D ISTRIBUTED S YSTEMS [COMP9243] Lecture 8a: Naming Basic Concepts Naming Services

D ISTRIBUTED S YSTEMS [COMP9243] Lecture 8a: Naming Basic Concepts Naming Services

D ISTRIBUTED S YSTEMS [COMP9243] Lecture 8a: Naming Basic Concepts Naming Services Attribute-based Naming (aka Directory Services) Distributed hash tables D ISTRIBUTED S YSTEMS [COMP9243] 1 W HAT IS N AMING ? Systems manage a wide

591 views • 40 slides
MC714 - Sistemas Distribuidos slides by Maarten van Steen (adapted from Distributed System - 3rd

MC714 - Sistemas Distribuidos slides by Maarten van Steen (adapted from Distributed System - 3rd

MC714 - Sistemas Distribuidos slides by Maarten van Steen (adapted from Distributed System - 3rd Edition) Chapter 05: Naming Version: April 2, 2019 Naming: Names, identifiers, and addresses Naming Essence Names are used to denote entities in

1.25k views • 46 slides
The Sun Network File System (NFS) An implementation and a specification of a software system

The Sun Network File System (NFS) An implementation and a specification of a software system

The Sun Network File System (NFS) An implementation and a specification of a software system for accessing remote files across LANs . NFS The implementation is part of the Solaris and SunOS operating systems running on Sun workstations

327 views • 3 slides
IMAP Installation, Configuration & Security HARICHARAN PADMANABAN hari20@siu.edu What is

IMAP Installation, Configuration & Security HARICHARAN PADMANABAN hari20@siu.edu What is

IMAP Installation, Configuration & Security HARICHARAN PADMANABAN hari20@siu.edu What is IMAP? IMAP Internet Message Access Protocol or Internet Mail Access Protocol Allows user to perform certain operations on the messages remotely

592 views • 15 slides
Big Data Processing Technologies Chentao Wu Associate Professor Dept. of Computer Science and

Big Data Processing Technologies Chentao Wu Associate Professor Dept. of Computer Science and

Big Data Processing Technologies Chentao Wu Associate Professor Dept. of Computer Science and Engineering wuct@cs.sjtu.edu.cn Schedule lec1: Introduction on big data and cloud computing Iec2: Introduction on data storage lec3: Data

1.05k views • 86 slides

More recommend