
TAM STE Series 2008 - WebSEAL SSO, Session 1

TAM STE Series 2008 - WebSEAL SSO, Session 1. Presented by: Andrew Quap. Itinerary for WebSEAL single-signon (SSO). Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) CDSSO eCDSSO. SPNEGO. Generic Security Service Application Program Interface (GSS-API)


Presentation Transcript


  1. TAM STE Series 2008- WebSEAL SSO, Session 1 Presented by: Andrew Quap WebSEAL SSO, Session 1

  2. Itinerary for WebSEAL single sign-on (SSO) • Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) • Cross Domain Single Sign-on (CDSSO) • E-community Single Sign-on (ECSSO, also written eCDSSO on later slides)

  3. SPNEGO • Generic Security Service Application Program Interface (GSS-API) • “an application programming interface for programs to access security services” (Wikipedia) • GSS-API is specified in RFC 2743; SPNEGO, the negotiation pseudo-mechanism layered on it, in RFC 2478 (since obsoleted by RFC 4178) • Describes a set of standard APIs (context establishment, message protection) that hide the underlying mechanism from the application • GSS-API can carry any security mechanism • The Kerberos mechanism is the best-known GSS-API implementation

  4. SPNEGO • Microsoft started to use SPNEGO in IE 5.01 and IIS 5.0 as an authentication extension (Wikipedia) • Requires an Active Directory domain controller acting as the KDC • The Negotiate scheme falls back to NTLM when the client cannot obtain a Kerberos ticket; WebSEAL accepts only the Kerberos path (see the limitations on slide 18) • Used to provide desktop single sign-on into IIS servers • TAM WebSEAL SPNEGO lets desktop users SSO into WebSEAL the same way

  5. Kerberos basics • MIT Kerberos v5 • RFC 1510 (Kerberos v5; superseded by RFC 4120) • Kerberos tickets • Kerberos realm (by convention the DNS domain name in upper case) • KDC (Key Distribution Center) • The server that issues Kerberos tickets; in a Windows domain every domain controller is a KDC • Typically listens on port 88 • For UNIX implementations, krb5.conf contains the Kerberos client configuration (default realm, KDC addresses, DNS-domain-to-realm mapping)

  6. Kerberos basics • keytab file • Holds a principal's long-term key so that a service (i.e. a server) can authenticate to the Kerberos realm without an interactive password • ‘kinit’ command • Authenticates a principal to a Kerberos realm and obtains a ticket-granting ticket • Input: user name and password • Or a keytab file, which is also the simplest way to test that a server's keytab works

  7. SPNEGO • SPNEGO uses the GSS-API Kerberos implementation • WebSEAL and the Web plug-in (WebPI) use the "HTTP Negotiate" extension defined by Microsoft (later documented in RFC 4559) • The client web browser sends an HTTP request to WebSEAL • WebSEAL returns HTTP 401 (Unauthorized) with the header "WWW-Authenticate: Negotiate" • The client builds a Service Principal Name for the host (HTTP/<fully qualified host name>), obtains a service ticket for it from the KDC, and calls InitializeSecurityContext() to generate a NegTokenInit token

  8. SPNEGO • The client resends the request with the header "Authorization: Negotiate <base64 encoding>" (e.g. Authorization: Negotiate YIIGUQY<remainder of base64 encoded string>; the "YII" prefix is the base64 form of the GSS-API token header) • WebSEAL decodes the NegTokenInit token • WebSEAL verifies the encryption type and authenticates the token with gss_accept_sec_context() • The next step depends on what gss_accept_sec_context() returns: GSS_S_COMPLETE yields the client principal name, which WebSEAL maps to a user; GSS_S_CONTINUE_NEEDED means another 401 round trip carrying the response token; anything else is an authentication failure
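The exchange on slides 7 and 8 is easiest to understand, and to troubleshoot, by looking at what is actually inside the Authorization header. The following is an added example (not code from the presentation or from TAM) that builds constructed Negotiate tokens and then classifies a header value the way a support engineer reading a network trace would: SPNEGO with its list of offered mechanisms, a bare Kerberos token, or NTLM. The tokens are minimal (the NegTokenInit carries no mechToken, the NTLM message is only its header) and the OID constants are the standard ones; nothing here is captured traffic.

```python
import base64

# Mechanism OIDs that appear in Negotiate tokens (RFC 2743, RFC 4178, MS-SPNG).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"      # Microsoft's Kerberos OID variant
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = (KRB5_OID, MS_KRB5_OID)

def encode_oid(dotted):
    """Encode a dotted OID into DER content octets."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(content):
    """Decode DER OID content octets back to dotted form."""
    parts, arc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        arc = (arc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(arc)
            arc = 0
    return ".".join(str(p) for p in parts)

def der(tag, content):
    """Wrap content in a DER TLV with a short- or long-form definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_neg_token_init(mech_oids):
    """Constructed sample: a minimal SPNEGO NegTokenInit offering mech_oids in
    preference order. Real tokens also carry a mechToken (the Kerberos AP-REQ
    for the first mechanism); it is omitted here."""
    mech_types = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in mech_oids))
    neg_token_init = der(0x30, der(0xA0, mech_types))  # SEQUENCE { [0] mechTypes }
    return der(0x60, der(0x06, encode_oid(SPNEGO_OID)) + der(0xA0, neg_token_init))

def build_ntlm_type1():
    """Constructed sample: the head of an NTLMSSP NEGOTIATE (type 1) message,
    which IE sends under the Negotiate scheme when it holds no Kerberos ticket."""
    return b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(20)

def negotiate_header(token):
    """Format a raw token as the browser's Authorization header value."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")

def classify_negotiate_header(value):
    """Return {'kind': 'spnego'|'kerberos'|'ntlm'|'unknown', 'mechs': [...]}
    for the value of an 'Authorization: Negotiate ...' header."""
    scheme, _, b64 = value.partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: %r" % scheme)
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):       # raw NTLM: base64 starts 'TlRMTVNTUAAB'
        return {"kind": "ntlm", "mechs": [NTLMSSP_OID]}
    tag, body, _ = read_tlv(token)
    if tag != 0x60:                             # not a GSS-API InitialContextToken
        return {"kind": "unknown", "mechs": []}
    _, oid, pos = read_tlv(body)
    mech = decode_oid(oid)
    if mech in KERBEROS_OIDS:                   # bare Kerberos token, no negotiation
        return {"kind": "kerberos", "mechs": [mech]}
    if mech != SPNEGO_OID:
        return {"kind": "unknown", "mechs": [mech]}
    node = body[pos:]
    for _ in range(4):   # [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
        _, node, _ = read_tlv(node)
    mechs, p = [], 0
    while p < len(node):
        _, o, p = read_tlv(node, p)
        mechs.append(decode_oid(o))
    return {"kind": "spnego", "mechs": mechs}

def kerberos_preferred(value):
    """True when the browser offered Kerberos first (a bare Kerberos token or
    SPNEGO listing a Kerberos OID first). An NTLM-only list, which IE sends when
    it could not get a ticket, or raw NTLM is the case WebSEAL cannot handle."""
    info = classify_negotiate_header(value)
    return bool(info["mechs"]) and info["mechs"][0] in KERBEROS_OIDS

# Constructed samples, not captured traffic.
SAMPLE_OK = negotiate_header(build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]))
SAMPLE_NTLM_ONLY = negotiate_header(build_neg_token_init([NTLMSSP_OID]))
SAMPLE_RAW_NTLM = negotiate_header(build_ntlm_type1())
```

In a trace, a header that starts with "Negotiate YII" or "Negotiate YI" is a GSS-API token and worth decoding; one that starts with "Negotiate TlRMTVNTUAAB" is raw NTLM, which is the failure mode listed under the SPNEGO limitations (slide 18) and usually means the browser could not get a service ticket for the SPN.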

  9. SPNEGO flow • Kerberos is a trusted third-party protocol: every entity (user or service) shares a secret key with the KDC • This allows the KDC to authenticate any known entity • And to encrypt data (the session keys carried in tickets) for any known entity • In the SPNEGO exchange the browser user, WebSEAL's service principal and the AD KDC play these roles

  10. WebSEAL SPNEGO configuration and setup • The AD server is typically configured as the TAM user registry • A separate LDAP server can be used instead, but its users must be kept synchronized with AD • The WebSEAL administration guide, v6, covers SPNEGO in detail

  11. WebSEAL SPNEGO configuration and setup • WebSEAL installed on Windows • The ‘ktpass’ command creates Service Principal Names (SPNs) on an account in the AD server • Set up the WebSEAL service to run, and therefore authenticate, as the account that owns the new SPN • The WebSEAL server machine must be joined to the AD domain as a client

  12. WebSEAL SPNEGO configuration and setup • WebSEAL installed on UNIX • Requires a keytab file generated by the ‘ktpass’ command on the AD side and copied to the WebSEAL machine • Modify the WebSEAL configuration file to include the principal name and the keytab file path • Set up the Kerberos client (krb5.conf) on the WebSEAL machine

  13. WebSEAL SPNEGO configuration and setup • Supports load-balanced WebSEAL setups • The WebSEAL admin guide details the steps needed for the basic setup; case does matter, because principal names are case-sensitive • Forward and reverse DNS lookups must match on the WebSEAL machine for the load-balanced host name, since that host name forms the SPN • WebSEAL on Windows: the server instances must all run under the same ID • WebSEAL on UNIX: the servers must all share the same keytab

  14. WebSEAL SPNEGO problem determination • Invoke ‘bst’ trace or per-process trace • Determine whether it is a Kerberos error • Review the Kerberos client config in ‘krb5.conf’ • UNIX • Ensure the keytab file is valid • Use a ‘kinit’ test with the keytab and the WebSEAL principal • Windows • Ensure the WebSEAL service authenticates as the user created with the ‘ktpass’ command

  15. WebSEAL SPNEGO typical issues • TAM 6.0 provides a SPNEGO problem determination guide • WebSEAL will not start • Invoke per-process tracing • Look for a Kerberos error • Example of error

  16. WebSEAL SPNEGO typical issues • WebSEAL starts but user SSO fails • Invoke ‘bst’ tracing • Invoke a network trace from the end user's browser • Look for the AD server response (did the browser obtain a service ticket, and what did it send in the Authorization header?) • Check ‘krb5.conf’ • Make sure the AD domain (realm) is defined, or is the default realm • If the WebSEAL DNS domain differs from the AD domain, make sure both domains are mapped to the realm • Ensure the WebSEAL site is entered as a trusted site (Local intranet zone) in the IE browser, otherwise IE will not send credentials automatically
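The krb5.conf checks on this slide (realm defined, default realm set, the WebSEAL DNS domain mapped when it differs from the AD domain) and the case rule from slide 13 can be scripted. The following is an added example, not part of the presentation or of any TAM tool: a small krb5.conf parser and a checker run against a constructed configuration for a made-up UNIX WebSEAL host webseal1.web.example.net that serves users of a made-up AD realm CORP.EXAMPLE.COM. The realm-lookup rule (exact host, then parent domains with a leading dot) is the libkrb5 [domain_realm] behaviour; the decision to require an explicit mapping when the domains differ follows the slide rather than libkrb5's own fallbacks.

```python
import re

# Constructed sample (host and realm names are made up): a UNIX WebSEAL in the
# DNS domain web.example.net authenticating users of the AD realm CORP.EXAMPLE.COM.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com:88
        admin_server = dc1.corp.example.com
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM
"""

# The same file after adding the mapping for the WebSEAL host's own DNS domain.
FIXED_KRB5_CONF = SAMPLE_KRB5_CONF + """\
    .web.example.net = CORP.EXAMPLE.COM
    web.example.net = CORP.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or {nested key: value}}}.
    Handles the one level of '{ }' nesting that [realms] uses; '#' starts a comment."""
    conf, section, nested = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            continue
        if line == "}":
            nested = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            nested = section.setdefault(key, {})
        else:
            (section if nested is None else nested)[key] = value
    return conf

def mapped_realm(conf, fqdn):
    """Apply [domain_realm] as libkrb5 does: exact host first, then each parent
    domain with a leading dot. Returns None when nothing maps the host."""
    mapping = conf.get("domain_realm", {})
    labels = fqdn.lower().split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for candidate in candidates:
        if candidate in mapping:
            return mapping[candidate]
    return None

def expected_spn(webseal_fqdn, ad_realm):
    """The principal ktpass must create and the keytab must contain (case matters)."""
    return "HTTP/%s@%s" % (webseal_fqdn.lower(), ad_realm.upper())

def check_spnego_krb5(conf, webseal_fqdn, ad_realm):
    """Return the problems found against the slide 16 checklist: realm present
    with a KDC, a default realm, and the WebSEAL host's DNS domain mapped to
    the AD realm when the two differ. An empty list means the file looks sane."""
    problems = []
    if ad_realm != ad_realm.upper():
        problems.append("realm %s is not upper case; realm names are case-sensitive" % ad_realm)
    if "default_realm" not in conf.get("libdefaults", {}):
        problems.append("[libdefaults] has no default_realm")
    realm_cfg = conf.get("realms", {}).get(ad_realm)
    if realm_cfg is None:
        problems.append("[realms] has no entry for %s" % ad_realm)
    elif "kdc" not in realm_cfg:
        problems.append("[realms] %s has no kdc line" % ad_realm)
    host_domain = webseal_fqdn.split(".", 1)[1].upper() if "." in webseal_fqdn else ""
    if host_domain != ad_realm and mapped_realm(conf, webseal_fqdn) != ad_realm:
        problems.append("[domain_realm] does not map %s to %s (WebSEAL domain differs from AD domain)"
                        % (webseal_fqdn, ad_realm))
    return problems
```

Run against the constructed file the checker reports exactly one problem, the missing .web.example.net mapping; the corrected file passes, and a WebSEAL host that lives inside corp.example.com passes without any extra mapping. expected_spn() gives the exact string to compare against the ktpass output and the keytab listing, with the host part in lower case and the realm in upper case.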

  17. WebSEAL SPNEGO typical issues • Multiple SPNs mapped to the WebSEAL AD account • This issue only occurs when WebSEAL is installed on UNIX • Must use the ‘-mapOp set’ option of the ktpass command • ‘-mapOp set’, which is required to create a keytab, removes any other SPNs that existed on the account • Use one account per SPN when WebSEAL runs on UNIX

  18. WebSEAL SPNEGO limitations • Does not provide SSO into an IIS backend server (that is what Kerberos junctions are for) • If SPNEGO fails, falling back to the WebSEAL forms login requires an IE fix • WebSEAL's NTLM error page can be modified to post to ‘pkmslogin’ • Or use E-community SSO to log the user in • WebSEAL cannot handle NTLM responses from IE • SPNEGO clients cannot log out: the browser silently re-authenticates on the next 401

  19. Kerberos junctions • Not SSO into WebSEAL, but SSO from WebSEAL to IIS: WebSEAL obtains a Kerberos service ticket on the authenticated user's behalf and presents it to the junctioned IIS server

  20. SPNEGO questions

  21. Cross Domain Single Sign-on (CDSSO) • “A mechanism to transfer a user's credentials between servers in different domains” (WebSEAL administration guide) • Uses an encrypted token to transfer the user's identity • “token creation” creates and encrypts the token on the originating server • “token consumption” decrypts the token on the destination server • CDSSO can also be used between the TAM Web plug-in and WebSEAL

  22. Cross Domain Single Sign-on (CDSSO) • Supports the cross-domain mapping framework (CDMF) • Allows additional attributes to be encrypted into the token in addition to the user's identity • Provides the ability to customize CDSSO using the TAM C APIs

  23. CDSSO configuration and setup • Configuring CDSSO token create functionality • The following steps apply to the originating WebSEAL server: • Enable WebSEAL to generate CDSSO tokens (cdsso-create) • Configure the built-in token creation module (sso-create) • Create the key file used to encrypt and decrypt the token, and copy it to all participating servers ([cdsso-peers] stanza) • Configure the token time stamp lifetime (authtoken-lifetime) • Configure the token label (cdsso-argument) • Create the CDSSO HTML link (/pkmscdsso?destination-URL)

  24. CDSSO setup and configuration • Configuring CDSSO token consume functionality • The following steps apply to the destination WebSEAL server: • Enable WebSEAL to consume CDSSO tokens (cdsso-auth) for authentication • Configure the built-in token consumption module (sso-consume) • Assign the key file shared with each originating server ([cdsso-peers] stanza) • Configure the token time stamp lifetime (authtoken-lifetime); the consuming server applies its own value when it checks the time stamp • Configure the token label (cdsso-argument); use the same label on both sides, since the consuming server looks for it in the query string
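The create and consume steps on slides 23 and 24 map onto a short protocol: the originating server builds a token containing the user identity and a time stamp, appends it to the destination URL under the cdsso-argument label, and the destination server selects the key for the originating peer, verifies the token and checks its age against authtoken-lifetime. The following is an added model of that flow, not WebSEAL's own code: it uses WebSEAL's default values for authtoken-lifetime (180 seconds) and cdsso-argument (PD-ID), made-up host names and random keys standing in for the key files, and substitutes an HMAC for the real module's encryption so it runs with the standard library (integrity is protected, confidentiality of the token is not). The point of the example is the consumption side, which returns a distinct status for each of the typical CDSSO issues (unknown peer, mismatched key, expired token, clock skew) so that problem determination can tell them apart.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

AUTHTOKEN_LIFETIME = 180   # seconds; WebSEAL's default authtoken-lifetime
CDSSO_ARGUMENT = "PD-ID"   # WebSEAL's default cdsso-argument (the token label)

# Constructed keys standing in for the key files named in [cdsso-peers].
KEY_A = os.urandom(32)
KEY_B = os.urandom(32)
# [cdsso-peers] on the consuming server: originating host -> key shared with it.
CDSSO_PEERS = {"webseal-a.example.com": KEY_A}

def create_token(key, user, origin_host, attrs=None, now=None):
    """'token creation' on the originating server. The real sso-create module
    encrypts the token with the shared key file; this model only integrity-
    protects it with HMAC-SHA256 so it runs with the standard library."""
    body = {"user": user, "origin": origin_host, "attrs": attrs or {},
            "created": int(now if now is not None else time.time())}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    return payload + "." + hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def cdsso_redirect(destination_url, token, argument=CDSSO_ARGUMENT):
    """What /pkmscdsso?destination-URL produces: the destination URL with the
    token appended under the configured label."""
    parts = urlsplit(destination_url)
    query = parse_qs(parts.query)
    query[argument] = [token]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

def consume_token(url, peers=CDSSO_PEERS, lifetime=AUTHTOKEN_LIFETIME,
                  argument=CDSSO_ARGUMENT, now=None):
    """'token consumption' on the destination server. Returns (status, detail);
    status is ok, no-token, malformed, unknown-peer, bad-key, expired or clock-skew,
    which is the split a CDSSO problem determination needs (slides 28 and 29)."""
    query = parse_qs(urlsplit(url).query)
    if argument not in query:
        return "no-token", None
    payload, _, tag = query[argument][0].rpartition(".")
    try:
        body = json.loads(base64.urlsafe_b64decode(payload))
        origin, created = body["origin"], int(body["created"])
    except (ValueError, KeyError, TypeError):
        return "malformed", None
    key = peers.get(origin)                       # key selection by peer host name
    if key is None:
        return "unknown-peer", origin
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):    # wrong or mismatched key file
        return "bad-key", origin
    age = int(now if now is not None else time.time()) - created
    if age > lifetime:                            # token older than authtoken-lifetime
        return "expired", age
    if age < -lifetime:                           # peer's clock is ahead of ours
        return "clock-skew", age
    return "ok", {"user": body["user"], "attrs": body.get("attrs", {})}
```

The origin field is read before the signature is checked only to pick the key, exactly as WebSEAL picks the key file by peer host name; a tampered origin either names an unconfigured peer or fails verification under the wrong key. The two time checks correspond to the two halves of the requirement on slide 26: a large positive age is an expired token or a slow consumer clock, a large negative age is a fast originator clock.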

  25. CDSSO flow

  26. CDSSO requirements • “All WebSEAL servers participating in CDSSO must have machine times synchronized.” (WebSEAL administration guide) • “For CDSSO to function successfully, each participating WebSEAL server must reveal its fully qualified host name to the other participating servers in the cross-domain environment.” (WebSEAL administration guide)

  27. CDSSO requirements • “Do not reuse key pairs (used to encrypt and decrypt token data) generated for a specific CDSSO environment in any other CDSSO environments.” (WebSEAL administration guide)

  28. CDSSO problem determination • Determine whether the error occurs during “token creation” or “token consumption” • Enable the CDSSO-specific trace component pdweb.wan.cdsso • Enable the ‘pdweb.snoop’ trace to see the HTTP exchange • Analyze ‘msg__webseald-<instance name>.log’ • Is the customer using the default token libraries, or custom CDMF code?

  29. CDSSO typical issues • Time issues: time zones not set up correctly, or clock skew larger than authtoken-lifetime • Mismatched keys between the creating and consuming servers • CDSSO peers set up incorrectly (wrong host name or key file in [cdsso-peers])

  30. CDSSO limitations • Strings in the token are UTF-8 encoded • Token compatibility across WebSEAL versions has to be provided for

  31. CDSSO questions

  32. E-community Single Sign-on (ECSSO) • The concept is similar to CDSSO • A master authentication server (MAS) provides a single point for authentication • WebSEAL and WebPI can provide MAS functionality • Domain-specific cookies identify the server that can provide "vouch for" services • The e-community implementation allows for "local" authentication in remote domains

  33. ECSSO flow

  34. ECSSO setup and configuration • Enabling and disabling e-community members • Including credential attributes in the vouch-for tokens • Specify the sso-create and sso-consume libraries

  35. ECSSO problem determination • Determine whether the error occurs during “token creation” or “token consumption” • Enable the ‘pdweb.snoop’ trace on the servers involved • Analyze ‘msg__webseald-<instance name>.log’

  36. ECSSO typical issues • Time issues: time zones not set up correctly, or clock skew • Mismatched keys • E-community domains incorrectly set up

  37. ECSSO limitations • One server, or group of servers, provides authentication for a group of servers • Each server can still do local authentication

  38. ECSSO questions
