the long long road to true single sign on at fermilab
play

The Long, Long Road to True Single Sign On at Fermilab Al - PowerPoint PPT Presentation

Jul 23, 2023 •256 likes •558 views

FERMILAB-SLIDES-18-123-CD The Long, Long Road to True Single Sign On at Fermilab Al Lilianstrom and Dr. Olga Terlyga NLIT 2018 This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S.

  1. FERMILAB-SLIDES-18-123-CD The Long, Long Road to True Single Sign On at Fermilab Al Lilianstrom and Dr. Olga Terlyga NLIT 2018 This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S. Department of May 22 nd , 2018 Energy, Office of Science, Office of High Energy PThis manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE- AC02-07CH11359 with the U.S. Department of Energy, Office of Science, Office of High Energy Physics.

  2. About Fermilab Fermilab is America's particle physics and accelerator laboratory. – Our vision is to solve the mysteries of matter, energy, space and time for the benefit of all. We strive to: • lead the world in neutrino science with particle accelerators • lead the nation in the development of particle colliders and their use for scientific discovery • advance particle physics through measurements of the cosmos Our mission is to drive discovery by: – building and operating world-leading accelerator and detector facilities – performing pioneering research with national and global partners – developing new technologies for science that support U.S. industrial competitiveness www.fnal.gov 2 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  3. About Fermilab We’re also looking for dinosaurs 3 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  4. The Fermilab Environment • Fermilab is an Open Science Laboratory • Fermilab's 1,750 employees include scientists and engineers from all around the world. – Currently hosting over 4000 users • Fermilab collaborates with more than 50 countries on physics experiments based in the United States and elsewhere. 4 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  5. The Long, Long Road In 2012 Fermilab started down the road of single sign on for web applications. In 2018 the end of the road to true single sign on is in sight for all of our users – desktop or mobile, on premise or off. Join us as we describe the tools and techniques being used to provide this ease of access to our user community within the unique Fermilab environment. FERMILAB-CONF-18-185-CD 5 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  6. Has It Really Been That Long 6 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  7. Over The Years • Start with ADFS – SharePoint – Office 365 • Add Shibboleth – Apache web servers • Replace Shibboleth with Ping Federate – Apache web servers – External SPs and IdPs • ServiceNow • InCommon • Add Shibboleth – Enhanced Client or Proxy (ECP) • Next… 7 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  8. Central Authentication • FERMI Domain – Windows systems – User accounts • FNAL.GOV Kerberos Realm – Linux systems – User accounts • LDAP Service – Application servers – User accounts • Users are provisioned into all three services when a computer account is granted – Same username 8 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  9. User Experience • Interactive – Strong Authentication • Kerberos (FNAL.GOV realm) • Active Directory (FERMI domain) • Web Services – Not intended for interactive use • LDAP • ADFS • Ping Federate • Our security policy prohibits the use of the FERMI domain and the FNAL.GOV realm for web services where the password is sent over the network between client and server 9 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  10. User Experience • Web Services – Username/Password • LDAP Service password – not the interactive logon password – Multiple logons required • Desktop • ADFS Service Providers • Ping Federate Service Providers • LDAP Service Providers • Our goals – One login for the desktop – Mobile device ease of use 10 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  11. The Process • Establish a relationship between Ping and ADFS – No impact or changes to Service Providers • PingFederate - 122 • ADFS - 72 • Configure PingFederate – Kerberos Authentication • FERMI • FNAL.GOV – Certificate Authentication • CILogon – Username/Password 11 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  12. ADFS • Establish a IdP->SP relationship between PingFederate and ADFS – SAML – Use the SAML_USER attribute coming from the PingFederate assertion to build a samAccountname and WindowsAccountname • c:[Type == "SAML_USER"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/samaccountname", Value = c.Value); • c:[Type == "SAML_USER"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = "SERVICES\" + c.Value); • The ADFS SP rules use these values to build the proper assertion • Now users accessing ADFS resources can choose to use the PingFederate service for authentication via a pull down menu 12 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  13. ADFS 13 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  14. Central Authentication – ADFS Changes 14 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  15. Central Authentication – PingFederate Changes • Kerberos adapters were added for FERMI and FNAL.GOV • A certificate adapter was added for CILogon 15 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  16. PingFederate Changes • Composite Adapter – Combine • Kerberos – FERMI – FNAL.GOV • Certificate • Forms Based – Username/Password • Goal was to start with Kerberos and fall through the adapters in order – FNAL.GOV Kerberos – FERMI Kerberos – Certificates – Username/Password 16 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  17. Testing • Each adapter worked individually • Combined into a composite adapter – We had problems – Multiple adapter configurations were tried 17 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  18. Problems • Kerberos – Windows systems (FERMI Kerberos) would not fall through if FNAL.GOV was first – Linux / Mac systems (FNAL.GOV Kerberos) would hang on occasion • Cross Realm trust between FERMI and FNAL.GOV not working as expected – Errors in krb5.conf file? • Certificates – Unusual pop ups • Dependent on client OS and browser • Composite adapter combined with a pull down menu isn’t sticky (bug) 18 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  19. Solutions • Fix krb5.conf – Authentication – Realm definitions – Take advantage of the cross realm trust • New connection configuration – Pull down to select Authentication method • Kerberos (FERMI or FNAL.GOV) – Falls through to Username/Password • Certificates – Falls through to Username/Password • Username/Password 19 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  20. Final Configuration • Pull-down menu for each authentication method supported – Fall through to username/password supported – ‘Sticky’ 20 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  21. Browser Configuration • FERMI Windows Desktop – IE • Add IdP to Trusted Sites • Enable Integrated Windows Authentication – FireFox • Add IdP to network.negotiate-auth.trusted-uris in about:config • Standalone Windows Desktop – If using Kerberos – same as FERMI • MIT Kerberos for Windows – http://web.mit.edu/kerberos/kfw-4.1/kfw-4.1.html – If not – obtain CILogon certificate and install in the Personal Container for IE and the browser for Firefox 21 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  22. Browser Configuration • Linux Desktop – If using Kerberos • Updated krb5.conf • FireFox – Update about:config with IdP information – If not – obtain CILogon certificate and install in the browser 22 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  23. Browser Configuration • OSX Desktop – If using Kerberos • Updated krb5.conf • FireFox – Update about:config with IdP information • Safari works out of the box – If not – obtain CILogon certificate and install in the KeyChain for Safari or in the browser for FireFox 23 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  24. Browser Configuration • Mobile Device – Obtain CILogon certificate and install 24 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  25. Usage • Kerberos Authentication – FERMI Domain Windows Desktop – Standalone Windows Desktop with MIT Kerberos (FERMI or FNAL.GOV) – OSX or Linux Desktop with Kerberos (FERMI or FNAL.GOV) • Initial use – select authentication method • Subsequent uses - No prompts – direct to SP 25 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  26. Usage • Desktop without Kerberos but with Certificate – Windows and Linux • Initial use – select authentication method, s elect certificate and go to SP • Subsequent uses - Select Certificate and go to SP 26 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  27. Usage – OSX • Initial use – select authentication method, select certificate, negotiate KeyChain access, and go to SP • Subsequent uses - Select certificate, negotiate KeyChain access, and go to SP 27 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

  28. Usage • Mobile with Certificate – Initial use – Select certificate, select authentication method, and go to SP – Subsequent uses - Select Certificate and go to SP 28 5/22/2016 Lilianstrom/Terlyga | The Long, Long Road

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The long road home The long road home Challenges to the reintegration of IDPs and refugees

The long road home The long road home Challenges to the reintegration of IDPs and refugees

The long road home The long road home Challenges to the reintegration of IDPs and refugees returning to S. Sudan Juba report The context The context Juba town uba town Population increase From garrison town to capital

436 views • 9 slides
TRUE-AHF Trial Short- and Long-Term Effect of Immediate Vasodilator Therapy in Acutely

TRUE-AHF Trial Short- and Long-Term Effect of Immediate Vasodilator Therapy in Acutely

TRUE-AHF Trial Short- and Long-Term Effect of Immediate Vasodilator Therapy in Acutely Decompensated Heart Failure: Results of the TRUE-AHF Trial Milton Packer, M.D. Baylor University Medical Center, Dallas TX on behalf of the TRUE-AHF

591 views • 28 slides
XDP MythBusters David S. Miller Overview What is eBPF and XDP Why is it an important long term

XDP MythBusters David S. Miller Overview What is eBPF and XDP Why is it an important long term

XDP MythBusters David S. Miller Overview What is eBPF and XDP Why is it an important long term solution to a problem space Frequently communicated myths and inaccuracies Things that are true now but will not be true for long An epiphany on

493 views • 20 slides
Long Baseline Neutrino Committee Report Fermilab PAC January, 2020 Fermilab Montgomery

Long Baseline Neutrino Committee Report Fermilab PAC January, 2020 Fermilab Montgomery

Long Baseline Neutrino Committee Report Fermilab PAC January, 2020 Fermilab Montgomery January 15, 2020 Outline LBNC Scope and Process o Membership update DUNE TDR Status LBNC December 2019 Meeting o Agenda o Executive Summary

196 views • 19 slides
Long Quadrupole Giorgio Ambrosio Fermilab Long Quadrupole Task Leaders: Fred Nobrega (FNAL)

Long Quadrupole Giorgio Ambrosio Fermilab Long Quadrupole Task Leaders: Fred Nobrega (FNAL)

BNL - FNAL - LBNL - SLAC Long Quadrupole Giorgio Ambrosio Fermilab Long Quadrupole Task Leaders: Fred Nobrega (FNAL) Coils Jesse Schmalzle (BNL) Coils Paolo Ferracin (LBNL) Structure Helene Felice (LBNL) Instrumentation and QP

536 views • 27 slides
The road is going to be closed for how long? How to reduce the impact of road closures

The road is going to be closed for how long? How to reduce the impact of road closures

The road is going to be closed for how long? How to reduce the impact of road closures during an emergency culvert repair Marc Horstman, PE, PH, CFM, Project Manager WK Dickson Wayne Miles, PE, Stormwater Program Manager City of

687 views • 36 slides
The Long and Winding Road The Long and Winding Road Christmas Edition Martin Luther on the

The Long and Winding Road The Long and Winding Road Christmas Edition Martin Luther on the

The Long and Winding Road The Long and Winding Road Christmas Edition Martin Luther on the Old Testament: Martin Luther on the Old Testament: Martin Luther on the Old Testament: Simple and lowly are these swaddling cloths, but dear is

638 views • 30 slides
LIRRS 100 Projects: EAST SIDE ACCESS Transformation for Bringing Long Island Rail Road

LIRRS 100 Projects: EAST SIDE ACCESS Transformation for Bringing Long Island Rail Road

LIRRS 100 Projects: EAST SIDE ACCESS Transformation for Bringing Long Island Rail Road Service to the East Side of Manhattan And Long Islanders Modernizing Long I sland East Side LI RR Double Access Expansion Track 2 Main Line

566 views • 21 slides
Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms Pavel Slav ek, pavel.slavicek@qbizm.cz Brno, The Czech Republic, 2. 5. 2008 Content Single sign-on introduction (SSO) Introduction to

959 views • 24 slides
Long-Range Facility Plan 16 DECEMBER 2019 WELCOME! > Please sign in > Pick up your name

Long-Range Facility Plan 16 DECEMBER 2019 WELCOME! > Please sign in > Pick up your name

Mercer Island School District Long-Range Facility Plan 16 DECEMBER 2019 WELCOME! > Please sign in > Pick up your name tag > Grab a drink and snack > Turn off your cell phones or place on stun > Workshop will start

835 views • 79 slides
Long Term Operating Experience at MiniBooNE Ray Stefanski Fermilab 7th International Workshop on

Long Term Operating Experience at MiniBooNE Ray Stefanski Fermilab 7th International Workshop on

Long Term Operating Experience at MiniBooNE Ray Stefanski Fermilab 7th International Workshop on Neutrino Beams and Instrumentation August 29, 2010 Schematic Geography Beryllium target detector 12 4 10 ppp @ 15Hz 7 slugs each 800

375 views • 21 slides
How Long How to Get Through a Crisis Part 9 Psalm 13 How long, O Lord? Will you

How Long How to Get Through a Crisis Part 9 Psalm 13 How long, O Lord? Will you

How Long How to Get Through a Crisis Part 9 Psalm 13 How long, O Lord? Will you forget me forever? How long will you hide your face from me? 2 How long must I wrestle with my thoughts, and every day have sorrow in my

436 views • 9 slides
Automatic and Efficient Long Term Arm and Hand Tracking for Continuous Sign Language TV

Automatic and Efficient Long Term Arm and Hand Tracking for Continuous Sign Language TV

Automatic and Efficient Long Term Arm and Hand Tracking for Continuous Sign Language TV Broadcasts Tomas Pfister 1 , James Charles 2 , Mark Everingham 2 , Andrew Zisserman 1 1 Visual Geometry Group 2 School of

495 views • 27 slides
Implications of early LHC Results Fermilab CMS limits CMS E XOTICA LQ1, =0.5 LQ1, =1.0

Implications of early LHC Results Fermilab CMS limits CMS E XOTICA LQ1, =0.5 LQ1, =1.0

Toward an Energy Frontier Muon Collider Fermilab Estia Eichten Fermilab The Long View Return to the Energy Frontier Staging Physics Milestones Summary 2013 Community Summer Study Snowmass on the Mississippi University of

282 views • 24 slides
Concluding remarks Keith Ellis - Fermilab "From a long view of the history of mankind - seen

Concluding remarks Keith Ellis - Fermilab "From a long view of the history of mankind - seen

Concluding remarks Keith Ellis - Fermilab "From a long view of the history of mankind - seen from, say, ten thousand years from now - there can be little doubt that the most significant event of the 19th century will be judged as Maxwell's

630 views • 44 slides
Long-Range Facility Plan 27 January 2020 WELCOME! > Please sign in > Grab a drink and

Long-Range Facility Plan 27 January 2020 WELCOME! > Please sign in > Grab a drink and

Mercer Island School District Long-Range Facility Plan 27 January 2020 WELCOME! > Please sign in > Grab a drink and snack > Turn off your cell phones or place on stun > Introduce yourself to someone you dont know 2020

1.26k views • 79 slides
Cost-Benefit Analysis of Cloud Computing versus Desktop Grids Derrick Kondo, Bahman Javadi, Paul

Cost-Benefit Analysis of Cloud Computing versus Desktop Grids Derrick Kondo, Bahman Javadi, Paul

Cost-Benefit Analysis of Cloud Computing versus Desktop Grids Derrick Kondo, Bahman Javadi, Paul Malcot, Franck Cappello INRIA, France David P. Anderson UC Berkeley, USA Cloud Background Vision Hide complexity of hardware and

1.16k views • 69 slides
ALICE Installation Procedure ALICE: Active Learning Interface for Circuits and Electronics

ALICE Installation Procedure ALICE: Active Learning Interface for Circuits and Electronics

ALICE Installation Procedure ALICE: Active Learning Interface for Circuits and Electronics ADALM1000 (M1K) Software Application M. A. Hameed ECSE Department Rensselaer Polytechnic Institute Intro to ECSE Software Required to run ALICE on

495 views • 6 slides
Samba's AD DC: Samba 4.2 and Beyond Presented by Andrew Bartlett of Catalyst // 2014-09 About me

Samba's AD DC: Samba 4.2 and Beyond Presented by Andrew Bartlett of Catalyst // 2014-09 About me

Samba's AD DC: Samba 4.2 and Beyond Presented by Andrew Bartlett of Catalyst // 2014-09 About me Andrew Bartlett Samba T eam member since 2001 Working on the AD DC since 2006 These views are my own, but I do with to thank:

856 views • 36 slides
Securing Digital Assets on Hybrid Platforms Business Development Jeremie Francois Discover

Securing Digital Assets on Hybrid Platforms Business Development Jeremie Francois Discover

Securing Digital Assets on Hybrid Platforms Business Development Jeremie Francois Discover Troubleshooting Issues We know Synology better than anyone else Synology Active Insight Predict. Notify. Resolve Customer Partners Support

1.08k views • 73 slides
The Processor: Datapath and Control 3/ 24/ 2016 1 A single-cycle MIPS processor An

The Processor: Datapath and Control 3/ 24/ 2016 1 A single-cycle MIPS processor An

The Processor: Datapath and Control 3/ 24/ 2016 1 A single-cycle MIPS processor An instruction set architecture is an int erf ace that defines the hardware operations which are available to software. Any instruction set can be

714 views • 24 slides
Linux, PCs and Energy Efficiency Implications for Linux Developers, OEMs, and IHVs Tom Bolioli,

Linux, PCs and Energy Efficiency Implications for Linux Developers, OEMs, and IHVs Tom Bolioli,

Linux, PCs and Energy Efficiency Implications for Linux Developers, OEMs, and IHVs Tom Bolioli, Terra Novum, LLC Agenda Agenda Demand for Energy- -Efficient Electronics Efficient Electronics Demand for Energy ENERGY STAR Program

593 views • 31 slides
IDGF International Desktop Grid Federation First Release of Desktop Grids for e-Science Road Map

IDGF International Desktop Grid Federation First Release of Desktop Grids for e-Science Road Map

IDGF International Desktop Grid Federation First Release of Desktop Grids for e-Science Road Map Taipei, 2011-03-18 Ad Emmen, AlmereGrid DEGISCO project 1 DEGISO WP4 2011-03-18 version 1 Desktop Grids Introduction IDGF 2 DEGISO WP4

1.26k views • 66 slides
Supercharge your next web app with Electron! GET /user/techninja James Todd Drupal Dev for 10+

Supercharge your next web app with Electron! GET /user/techninja James Todd Drupal Dev for 10+

Supercharge your next web app with Electron! GET /user/techninja James Todd Drupal Dev for 10+ years from Nor Cal Full time developer at Four Kitchens Maker, promoter of STEAM for kids Co-Author for Arduino Book series

857 views • 72 slides

More recommend