Report on Federated SSO.

profileprapulmutyala
sg246014-183-196.pdf

© Copyright IBM Corp. 2002, 2004, 2006, 2007. All rights reserved. 149

Chapter 4. Single sign-on technologies

The term single sign-on (SSO) has been bandied about for so long that it has lost much of its initial power. SSO held such power because of its promise to relieve companies of the heavy information technology costs required to maintain security in their information technology enterprise. Despite the best efforts of software vendors, including IBM with its Global Sign-on and Distributed Computing Environment technologies, the goal of each user logging into their computer once and securely accessing all corporate services remained elusive.

When technology failed to live up to consumer expectations, the software vendors decided to lower the expectations by changing the terminology. Single sign-on was dubbed reduced sign-on or simplified sign-on. While this may have reduced consumer expectations, the fact remained that companies were still investing heavily in supporting the user community, which had to keep track of many login names and passwords.

IBM takes a divide and conquer approach to this intractable problem and addressed different classes of SSO with different technologies. The three classes of SSO are:

� Web single sign-on � Desktop single sign-on � Federated single sign-on.

Addressing each of these separately is technically feasible and allows for the realization of true single sign-on.

4

150 Enterprise Security Architecture Using IBM Tivoli Security Solutions

By surveying the different types of SSO and the benefits of each, you will be in a good position to clearly articulate your company's SSO requirements and to identify a solution that can deliver a full range of SSO capabilities.

4.1 SSO delivers multiple business benefits To be an on demand business, a company frequently requires SSO capabilities. By providing users with the ability to log in once across the applications and operating systems that they need to access, a business drives both quantifiable and qualitative benefits, including:

� Reduced administration costs

When users must log in multiple times, they are more likely to forget passwords, which in turn leads to greater Help Desk costs. SSO can significantly reduce these calls and their resulting costs.

� Greater user productivity and experience

SSO allows users to access business systems faster, which enables them to get more done. And users who can sign in once feel better about their transaction experience than users who must log in multiple times with many different IDs and passwords.

� Faster application deployment

When companies deploy a superior SSO and security system that allows application developers to call out to external security services, security no longer has to be coded into each application. As a result, a company can get new applications to market quickly, and can later update application business logic and enhance security much more efficiently.

The benefits of SSO grow as it is applied against an expanded pool of IT environments. As computing models have evolved from distributed client/server systems to Web-based applications—and now even to federated SSO configurations often involving emerging standards such as Security Assertion Markup Language (SAML), Liberty Alliance, and Web Services Federation Language (WS-Federation)—businesses are able to realize increasingly significant value from SSO solutions particular to each model.

4.2 Three classes of single sign-on Let us consider SSO in the context of the evolution of computing models as shown in Figure 4-1 on page 151.

Chapter 4. Single sign-on technologies 151

Figure 4-1 Evolution of computing models

As the computing models evolve from the insular client-server model to the open Web services model, the importance of security increases dramatically. The following table (see Table 4-1) demonstrates how this evolution is impacting user authentication.

Table 4-1 Single sign-on models and their authentication characteristics

The client-server model achieves a certain level of security through the fact that it operates within the corporate network and communicates over a propriety

Model Network exposure

Communication protocol

Authentication

Client-Server Private Proprietary Authenticates user against an application-specific repository. User population contained within the enterprise.

Web Private/Public Standards-based Authenticates user against an application-specific or enterprise repository. User population expands to the Internet.

Federated/ Web Services

Public Standards-based Authenticates user against enterprise repository. Also authenticates users and other network entities (for example, Web services) originating from foreign companies. User population expands to the Internet and other enterprises.

WebClient-Server Federated/ Web Services

We are here, and we are moving this way

152 Enterprise Security Architecture Using IBM Tivoli Security Solutions

protocol. However, being a network-based architecture, the client-server model requires client authentication. In this model, each application tends to have its own user repository. This requires users to keep track of separate accounts for separate applications.

The Web model is just a special case of the client-server model that uses a standard client and communications protocol (HTTP/S). Companies find this model more cost effective, since only one client needs to be deployed to the corporate desktops. Many traditional Web applications were developed (like the client-server model) using their own user repository. In addition to having the same sign-on problem as the client-server model, the Web model compounds the problem by exposing corporate applications directly to the customers through the Internet. This means that companies face a large increase in the number of users needed to be supported. Also, these users are not the traditional corporate users, but rather customers who the company must vet before assigning accounts.

The emergence of the Web as the platform of choice for corporate applications and the exposure of the corporate applications to the end-users created the opportunity for services to be linked between corporations over the Internet. For example, a corporate Web portal may link off to the health benefits provider and the financial services partner. These links lead to an external Web site that requires authentication. Thus, the user is once again faced with additional account data to manage. The federated model requires identity information to be carried securely over the Internet so that users may consume services at various companies.

Each of the three computing models have single sign-on requirements and IBM applies different technologies to meet each of the SSO requirements. These techologies are implemented in the following products:

� Tivoli Access Manager for Enterprise Single Sign-on

Addresses the desktop SSO problem by deploying an agent on the desktop, which intercepts authentication requests by applications and automatically fills in the login data with credentials stored on the local machine.

� Tivoli Access Manager for e-business

Addresses the Web SSO problem by placing a reverse Web proxy in front of the enterprise Web applications. Tivoli Access Manager user accounts are stored in an enterprise directory and users need only authenticate to the Tivoli Access Manager server in order to access all of the existing Web applications configured behind the reverse proxy.

Chapter 4. Single sign-on technologies 153

� Tivoli Federated Identity Manager and Tivoli Federated Identity Manager Business Gateway

Address the federated SSO problem by implementing all of the industry standard federated SSO protocols. These are SAML (all versions), Liberty ID FF (all versions), and WS-Federation. It supports arbitrary identity transformations based on XSLT so that credentials can be converted to a format compatible with the local environment.

Figure 4-2 shows a logical diagram depicting how these products fit together in a solution that addresses all three types of the SSO.

Figure 4-2 IBM Tivoli SSO technologies

The rest of this chapter discusses these SSO technologies in more detail.

4.3 Desktop single sign-on Although few, if any, of the more modern computing solutions being developed today use the client/server model, many existing legacy client/server applications can still benefit from Desktop SSO. While many companies successfully addressed the SSO problem for Web applications, end users still must log into their Windows desktop, log into their mail client, log into corporate chat applications, log into human resources systems, and the list goes on. A complete SSO solution must address desktop SSO.

Tivoli Access Manager for Enterprise Single Sign-On is designed to be an easy-to-deploy solution to automate user authentication to desktop applications. It provides single sign-on by introducing a secure middle layer that authenticates

154 Enterprise Security Architecture Using IBM Tivoli Security Solutions

the user once and then automatically detects and handles subsequent requests for user credentials. Specifically, it uses patented client-side intelligence to respond to requests for user credentials (username/ID, password, and so on) from any Windows, Web, or Mainframe/Host application. Tivoli Access Manager for Enterprise Single Sign-On supports authentication from any authenticator (for example, Passwords, Biometrics, Tokens/Smart Cards) and authentication service (for example, Windows, Entrust PKI, RSA Keon PKI, LDAP directory).

The benefits of desktop SSO are depicted in Figure 4-3.

Figure 4-3 Benefits of desktop SSO

The next section discusses how Web SSO plays a crucial role in an enterprise SSO solution.

4.4 Web single sign-on The predominant computing model today is the Web model, involving HTTP/HTTPS transactions with applications on Web servers, application servers, or both. Many legacy client-server applications are being converted over to the Web model and virtually all new applications are Web-based. With the rapid introduction of new Web applications, each requiring user authentication, companies must adopt a login management strategy or risk overwhelming their user population and consequently reducing security.

Sign on to Desktop

Sign on to Desktop

Windows Domain

Controller

Desktop Login here

Web applications running on

MS IIS

Provides SSO here

But not here

• UNIX • Mainframe • Novell • Linux

TAMeb

Windows Domain

Controller

Desktop Login here

Provides SSO

here

Web applications running on all

targets

Sign on to Desktop

Sign on to Desktop1

2

3 4

1

2

3

Web applications running on:

Chapter 4. Single sign-on technologies 155

Tivoli Access Manager for e-business takes a reverse Web proxy approach to solving this problem. The reverse proxy is called WebSEAL and it intercepts Web traffic destined for the corporate Web applications as shown in Figure 4-4.

Figure 4-4 Tivoli Access Manager for e-business Web SSO solution

Before users can access the desired Web application, they must first authenticate to the WebSEAL reverse proxy. After they are authenticated, WebSEAL checks its policy database to verify whether the user is allowed to access the requested resource. If granted, the user is presented with the originally requested back-end resource without any further authentication.

When a Web application is secured through WebSEAL, it should be configured to allow Web traffic only from the WebSEAL server. With this network security in place, legacy applications may disable authentication and remove the original user accounts from the Web servers. This means that users no longer have to remember the login for that Web application and administrators do not have to manage those accounts anymore.

When all corporate Web applications are brought behind the WebSEAL server, users will only have to remember one login for all corporate Web applications.

To facilitate browser/Web server interactions, Tivoli Access Manager for e-business supports the following:

� Web trust configurations—using IBM WebSphere Application Server SSO capabilities and others

� Basic authentication SSO

156 Enterprise Security Architecture Using IBM Tivoli Security Solutions

� Forms-based SSO

� Lightweight third-party authentication (LTPA) SSO

� Passing user information in the HTTP header

Because customers have used Tivoli Access Manager for e-business and its precursors to solve Web SSO issues since the early 1990s, there have been many additions to its Web SSO capabilities, addressing a wide variety of business needs. Consequently, Tivoli Access Manager for e-business can be used to address desktop SSO, back-end and portal SSO, three-tier SSO, SSO to host application emulators, and federated SSO. Only a robust Web SSO solution addresses all of these areas.

4.4.1 Desktop SSO For companies not using Tivoli Access Manager for Enterprise Single Sign-On, Tivoli Access Manager for e-business can be used to integrate desktop sign-on with Web sign-on. A user logging onto Windows is automatically logged onto Tivoli Access Manager for e-business and consequently has access to all secured Web applications without further need to sign on. This is sometimes called Kerberizing Tivoli Access Manager for e-business because the technology is based on the Kerberos protocol that Microsoft uses in its Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) and Microsoft Windows NT® LAN Manager (NTLM) implementations.

4.4.2 Back-end and portal SSO It is not uncommon for companies to implement a so-called SSO solution for a portal only to find that they still get many password prompts. This is because inferior SSO solutions handle the link between the Web browser and the portal but not those between the portal and its portlets, which connect to other applications that need ID and password combinations. But with Tivoli Access Manager for e-business, user information can be passed to an application server or portal server, and that information can be used to build a credential appropriate to the back-end application environment.

To extend SSO to back-end applications and portals, Tivoli Access Manager for e-business includes the following:

� Java Authentication and Authorization Services (JAAS) standardized support for programmatic security.

� J2EE standardized support for declarative security.

Chapter 4. Single sign-on technologies 157

� A technology preview that enables programmatic and declarative security for .NET applications.

� Special support integrated with the WebSphere Portal credential vault to extend SSO support to the portal's back-end applications.

4.4.3 Three-tier SSO Mainframe applications protected by IBM RACF are widely appreciated for their high degree of security. Many businesses have Web-enabled these applications to extend their value, but not every SSO solution can manage authentication with mainframe applications. Tivoli Access Manager for e-business works in concert with WebSphere software, RACF, and J2EE Connector Architecture (JCA) capabilities to map user information for use in each environment that is involved in a user's request for data as shown in Figure 4-5.

Figure 4-5 Three-tier SSO

Because such transactions involve browsers, middle-tier servers and enterprise servers, they are typically called three-tier transactions.

4.4.4 SSO to host application emulators Another set of applications that have had their value extended by Web enablement are emulation applications running on zSeries, iSeries, and DEC/UNIX. The integration of Tivoli Access Manager for e-business with IBM WebSphere Host Access Transformation Services and IBM WebSphere Host On-Demand enables clients to provide SSO to these emulation applications.

z/OS

CICS app

WebSphere Application Server on distributed platform

JCA

RACF

Application

JAAS Subject

AuthenticateAuthenticateUser

CTG

Access Manager for e-business

LDAP

AuthenticateAuthenticate

• User signs on once • Credential transformed (TAMeb WAS RACF)

CTG = CICS Transaction Gateway

Access Manager for e-business

158 Enterprise Security Architecture Using IBM Tivoli Security Solutions

4.5 Federated single sign-on Many businesses are moving toward federated configurations to cost-effectively introduce partner-hosted capabilities into their customers' Web experiences. These environments typically involve a business that has partner relationships, where the partner is not necessarily using the same software as the business itself. Consequently, it is essential that federated software supports the latest interoperability standards used in SOA-based environments: SAML, Liberty Alliance, and WS-Federation.

Federated single sign-on protocols like SAML define methods for securely transferring a user’s identity between security domains over the Internet. This typically involves a pair of companies who have formed a business relationship in which one company is consuming a service from the other. This transferring of the identity means that a service provider need not manage passwords and the user can access external services without having to authenticate again. This is what is known as federated single sign-on.

The powerful IBM solution for addressing federated SSO is Tivoli Federated Identity Manager, which includes Tivoli Access Manager for e-business. Together, these technologies provide robust management of identities involved in business-to-business SSO transactions. A key aspect of Tivoli Federated Identity Manager is its support of three key federated SSO interoperability standards: SAML, Liberty Alliance, and WS-Federation. This is important because in business-to-business exchanges you cannot always be sure which protocol your partner can support.

For companies, who want to test the waters of federated SSO, but do not want to invest in a full-blown enterprise solution, the Tivoli Federated Identity Manager Business Gateway (see Figure 4-2 on page 153) implements the SAML SSO protocol and provides a push button installation. It can be used by small and large companies alike to get quickly up and running with a business partner.

Customers looking to leverage federated configurations to expand their business with relatively minor investments can now do so with great security, thanks to the combination of Tivoli Federated Identity Manager and Tivoli Access Manager for e-business.

Chapter 4. Single sign-on technologies 159

4.6 Enjoy security management benefits beyond SSO Tivoli Access Manager for e-business not only delivers substantial SSO value, it also provides a number of additional security management benefits, including:

� Authorization for Web applications, enabling uniform application of policies that specify who can and who cannot access sets of resources.

� Reverse proxy, protecting intranet, Web and application servers from Internet access (and, optionally, from intranet access).

� Front-end authentication for applications:

– Out-of-the-box support for multiple authentication mechanisms (including user identities and passwords, certificates and tokens), without requiring modification of back-end applications to support these technologies.

– Switch user capability (where an administrator can take over a user's session), and authentication step-up and forced reauthentication (for accessing highly sensitive target data and applications), essential authentication options for some businesses.

� Audit capabilities, when combined with the clear, unified access-control policy, can be a key enabler of audit readiness and compliance with such regulations as Sarbanes-Oxley. Tivoli Access Manager for e-business is designed to help companies maintain and certify the validity of their records and disclosures of pertinent information.

In addition to its federated SSO capabilities, Tivoli Federated Identity Manager extends the Web services security function of WebSphere and WebSphere Web Services Gateway by:

� Expanding support for security token types, which allows out-of-the-box use of SAML and Liberty tokens.

� Mapping user identities received from another domain to identities understood locally, and then mapping and adding attributes as necessary.

� Authorizing local identities for access to requested Web services, ensuring only legitimate use of the Web services.

4.7 Conclusion In this chapter, we saw that by dividing the SSO problem into three separate classes (desktop, Web, and federated), IBM has been able to provide SSO technologies that successfully address each area.

Tivoli Access Manager for e-business delivers SSO in the area where its need is most prevalent today—the Internet. Additionally, the software works with Tivoli

160 Enterprise Security Architecture Using IBM Tivoli Security Solutions

Federated Identity Manager to address federated and Web services SSO. Finally, Tivoli Access Manager for Enterprise Single Sign-On addresses existing legacy client/server configurations to close the loop on the single sign-on problem.

© Copyright IBM Corp. 2002, 2004, 2006, 2007. All rights reserved. 161

Part 2 Managing access control

In Part 2, we discuss the Tivoli solutions that address the access control domain of the overall security architecture. Access control information, which generally evolves around authentication and authorization mechanisms, is handled mainly by IBM Tivoli Access Manager and its resource managers. Access Manager handles a multitude of integration aspects with all sorts of IT infrastructures and application environments, which are detailed throughout this part of the book.

Part 2

162 Enterprise Security Architecture Using IBM Tivoli Security Solutions

  • Chapter 4. Single sign-on technologies
    • 4.1 SSO delivers multiple business benefits
    • 4.2 Three classes of single sign-on
    • 4.3 Desktop single sign-on
    • 4.4 Web single sign-on
      • 4.4.1 Desktop SSO
      • 4.4.2 Back-end and portal SSO
      • 4.4.3 Three-tier SSO
      • 4.4.4 SSO to host application emulators
    • 4.5 Federated single sign-on
    • 4.6 Enjoy security management benefits beyond SSO
    • 4.7 Conclusion
  • Part 2 Managing access control