SAML and Federation for Enterprise Apps

@fdwl #BriForum @entisys
SAML and Other Types of
Federation for Your Enterprise
Denis Gundarev, Senior Consultant, Entisys Solutions
May 20, 2014

Based on a true story

About me

Agenda
 What is federated authentication
 How to add federation support for your legacy applications

Identity and Account Management Basics
 Identity Management (IdM) describes the
management of individual principals,
their authentication, authorization, and
privileges within enterprise
 Integral components of identity and
access management:
 Identification
 Authentication
 Authorization

Identification vs. Authentication vs.
Authorization

Entity vs Identity vs Credential vs Attribute
Entity
• Person
• Computer
Identity
• Active
Directory
Account
• Passport
Number
• Serial
Number
Credential
• Passport
• Credit Card
• Kerberos
token
Attribute
• Address
• Qualification
• Criminal
record

Attribute Assertion
 An attribute assertion is a claim made by someone (the asserter) that a particular person
possesses a particular attribute.
 College can confirm that person is graduated.
 Active Directory can confirm that password is correct
 A digitally signed attribute assertion = authorization credential.
Source: David W Chadwick Federated Identity Management http://kar.kent.ac.uk/30609/1/FederatedIdManChapter.pdf

Credential Types
Credentials Authenticity
 Credentials Not been tampered
 Received exactly as issued by the issuing
authority
 Digitally signed to prove authenticity
Credentials Validity
 Monopoly money is authentic if obtained
from the Monopoly game pack.
 valid for buying stuff in the game
 NOT valid in a grocery store
 Credit card is an authentic credential.
 Valid in Marks & Spencer
 Not valid in a fisherman village in the
middle of nowhere during the night
Source: David W Chadwick Federated Identity Management http://kar.kent.ac.uk/30609/1/FederatedIdManChapter.pdf

What is Federation?
A set of standards-based technology & IT processes
to facilitate distributed identification, authentication
& authorization across boundaries (security,
departmental, organizational or platform).

Federation Example
Identity Provider (IdP)
Entity
Attribute Assertion
Service Provider (SP)
Resources

Federation Example
 Facebook perform authentication and
generate a signed attributes assertion
with user name and unique user ID
 Digg maintain a user database and
authorization

Why Do I Need Federation?
 Provide access to your applications to suppliers or partners
 Quickly onboard acquired organization
 Provide access for temporary workers by using “bring your own identity” model
 Service Providers

Can’t I Just Create User Accounts?
 More work for you
 Less security for your network
 No control over the user population

Can’t I Just Use Forest Trusts?
 Network connection between partners
 User principal name (UPN) suffixes, service
principal name (SPN) suffixes, and security
ID (SID) namespaces are replicated
 DNS configuration is required

Benefits of Federation
 Better Access Experience
 Single sign-on across networks & organizational boundaries
 Increased Security & Simpler Administration
 Heightened identity assurance
 No passwords involved
 Account de-activation is handled by the account partner
 Account partner can easily be disabled at the organizational level
 Strong authentication such as user certificates or OTP tokens can be layered on top of federation
claim

Benefits of Federation
•Active
Directory
•LDAP
•Kerberos
•Anonymous
users
•One-time
Access
•ADFS
•OpenSSO
•PingIdentiy
•Office365
•Google
•Microsoft
•Facebook
•Twitter
Private-
Sector
IDPs
Partners
Corporate
Directories
Special
Cases

SAML
 SAML – Security Assertions Markup Language
 XML-based security specification for exchanging authentication and authorization information
 Developed by the OASIS standards organisation
 Use HTTP as a communication protocol
 Designed to addresses the complexities of establishing Business-to-Business communication
between differing systems.

SAML Assertion
 A set of statements (claims) made by a SAML authority (Identity provider or IdP)
 Authentication statement: subject was authenticated using a particular technique at a particular
time
 Attribute statement: particular attribute values are associated with the subject
 Optional authorization decision statement: subject is authorized to perform certain actions
19

SAML Assertion

X.509 Certificates
 Trust is managed through
certificates
 Certificates for
 HTTPS Communications
 Security token signing and
encryption
 Require PKI for A & B
certificates, C & D can be
self-signed
CommunicationA
Signing
Relying party Issuer
ST
Encyption ST
B
Public key of C C
Public key of DD
Root for ARoot for B

Federation Metadata
 During the establishment of the issuer / relying party trust, both parties will require
configuration which includes
 End-points for communication
 Claims offered by issuer
 Claims accepted by replying party
 Public keys for signing and encryption
 This information can be manually configured or automatically via the exchange of
federation metadata
 Federation metadata can be automatically updated

SAML IdP Example

Active Directory Federation Services
 AD FS 1.0 - released with Windows Server 2003 R2 as part of the operating system
 AD FS 1.1 - released with Windows Server 2008 and was carried into Windows Server 2008
R2
 AD FS 2.0 was released after Windows Server 2008 R2. It was released to the web and is
free to download.
 ADFS 2.1 was released to Windows Server 2012 as part of the operating system

ADFS 1.x
 AD FS 1.x is limited
 WS-Federation Passive Requestor Profile (browser)
 SAML 1.0 TOKENS
 SAML 2.x is not backward compatible with SAML 1.x, so forget about ADFS 1.x

ADFS 2.x
 A SAML implementation (both IdP and SP) from Microsoft
 An AD-based single sign-on system
 SAMLv2 Authentication
 Allows for Single Sign on support for Web based applications.
 ADFS for Windows 2008 R2 has SAML 2.0 support.

Can I Have it Out of the Box?
 Not with StoreFront 
 Web Interface 5.4 supports ADFS out of the box!
 ADFS version 1.1 only
 Windows Server 2003 R2 only
 32-bit edition of 2003 R2 only
 Not supported with NetScaler, Secure Gateway only
 Does not work with XenDesktop
 

Authentication in XenApp/XenDesktop
 Support for several authentication methods
 Smart cards, client certificates, RSA SecurID, etc.
 Support for OS and non-OS credentials stores
 OS: Active Directory and eDirectory
 Non-OS: LDAP, RADIUS, 3rd party authentication methods.
 Leverage Authentication methods supported by Windows:
 Smartcard support
 Client certificates support
 Custom 3rd party authentication mechanisms through GINA extensions.
 Leverage Windows authentication to flow the OS identity tokens between Access Infrastructure services
 Example: flowing Kerberos tickets between ICA client and XA server.

SAML SP Example

NetScaler & SAML Authentication
 NetScaler can act as a Service Provider (SP)
 User can be authenticated on LB or CS
vserver
 NetScaler Gateway 10.1 supports SAML 2.0
 Configuring SAML Authentication on
NetScaler Gateway
 http://support.citrix.com/proddocs/topic/nets
caler-gateway-101/ng-authen-saml-con.html
 NetScaler practical / SAML AAA against
simplesamlphp IdP
 http://blogs.citrix.com/2012/08/24/174193098/
 How to Configure NetScaler SAML to Work
with Microsoft AD FS 2.0 IdP
 https://support.citrix.com/article/CTX133919
 Does not provide metadata
 Use Metadata builder
http://samlmetajs.simplesamlphp.org/demo

Authentication flow
IdPNetScaler (SP) Active Directory
Browse to NG
Not authenticated
Redirected to IdP
Authenticate
User
Query for user attributes
Return Security Token
Return page
and cookie
Send Token
ST
ST
SP trusts IdP

MetaData
NetScaler does not provide metadata
Use Metadata builder
http://samlmetajs.simplesamlphp.org/demo

Federation Example
 Facebook perform authentication and
generate a signed attributes assertion
with user name and unique user ID
 Digg maintain a user database and
authorization
Shadow Accounts

Shadow Accounts
 Required to delegate access to non-
claim aware resources
 Regular user account
 Mapped to the attribute received from
IdP
 Can be mapped to any attribute

SAML for XenApp/XenDesktop Options
 S4U (Service-for-User) Kerberos Extensions
 Kerberos delegation and S4U on NetScaler – too complicated
 S4U on WebInterface? No future!
 S4U on StoreFront? You mean StoreFront code customization?

SAML for XenApp/XenDesktop Options

Explicit Auth in XD/XA
Client
WI
DDC
VDA
Servers (File Server,
Exchange, …)
DC
Winlogon
SSOn
IE
Desktop Toolbar
ICA Client Engine
Winlogon
VDA
IMA / DDC
pwd
pwd
pwd
auth
pwd
WI ticket
WI ticket
WI ticket
WI ticket
pwd
pwd
Authenticate
& get TGT
Get svc ticket
Svc ticket

Solution
 NetScaler SAML authentication
 NetScaler FormFill SSO profile
 Custom Account Manager Service
 NetScaler HTTP Callout
 NetScaler Rewrite Policy

Account Manager Service
 Web Application
 Create and shadow user accounts with
random password in AD
 Store password securely
 Respond on HTTP request with user
password
 GET /GetPassword/gundarev@partner.com
 Response:
0@J4y9jCv9CHzP2Q!rhMHY@7AOk7vfF2Rf1!
T!i29QG^se^RQZbhjt4fOOmn$CN4

SAML Authentication Profile
 add authentication samlAction PartnerIdp -samlIdPCertName Partner-idp -
samlSigningCertName ns-server-certificate -
samlRedirectUrl "https://osso.parner.com:443/opensso/SSOPOST/metaAlias/partnernet/idp
" -samlUserField mail -samlRejectUnsignedAssertion OFF -samlIssuerName
"https://go.example.com/"
 add authentication samlPolicy PartnerIdp ns_true PartnerIdp

Form SSO Profile
add vpn formSSOAction WebInterfaceFormSSOProfile -actionURL "/SSO/auth/login.aspx" -
userField email -passwdField donotuse -
ssoSuccessRule"Http.RES.SET_COOKIE.COOKIE("WIAuthId").VALUE("WIAuthId").LENGTH.GT
(10) && Http.RES.STATUS.EQ(302)" -nameValuePair "password=&LoginType=Explicit" -
nvtype STATIC -submitMethod POST
add vpn trafficAction WebInterfaceFormSSOTrafficProfile http -appTimeout 120 -SSO ON -
formSSOAction WebInterfaceFormSSOProfile
add vpn trafficPolicy WebInterfaceFormSSOTrafficPolicy "(URL CONTAINS
/sso/auth/login.aspx) && METHOD == GET && HEADER Cookie CONTAINS
WIClientInfo" WebInterfaceFormSSOTrafficProfile

Callout and Rewrite
add policy httpCallout AccountManager
set policy httpCallout AccountManager -vServer AccountManager -returnType TEXT -
hostExpr ""CN1-ACCMAN01.example.com"" -
urlStemExpr""/GetPassword/" +http.REQ.BODY(500).AFTER_REGEX(re#email=#).BEFORE_REG
EX(re#&#)" -resultExpr"http.RES.BODY(1000).XPATH(xp%/%)“
add rewrite action ReplaceEmptyPasswordAction
replace_all "HTTP.REQ.BODY(500)" ""&password="+SYS.HTTP_CALLOUT(AccountManager).HT
TP_URL_SAFE+"&"" -search"regex(re/&password=[ -~]*&/)" -bypassSafetyCheck YES
add rewrite policy ReplaceEmptyPasswordPolicy "http.req.method.eq(POST) &&
HTTP.REQ.URL.PATH.TO_LOWER.EQ("/sso/auth/login.aspx")" ReplaceEmptyPasswordAction

Communication flow
Active Directory
User
Browser
ADFS Active Directory
Account Manager
StoreFront
1. User Authenticates at SSO
portal
2. SSO Send SAML Response to
the user s browser
NetScaler
3. User s browser POST SAML
response to NetScaler
Gateway
4. Netscaler request shadow
user credentials from Account
Manager
5. Account Manager send
credentials back to NetScaler
6.Netscalersubmitshadowuser
credentialstoStoreFront
XenDesktop
Controller
7. StoreFront request
XenDesktop token from DDC
8. DDC send XenDesktop token
back to StoreFRont
9.StoreFront sends ICA file
10. Citrix receiver connects to
access gateway
11. NetScaler gateway connects
to the desktop
VDA
12Shadow
userloggedon

SAML-enabled solutions
Cloud
 www.pingidentity.com
 www.ssoeasy.com
 www.forumsys.com
 www.okta.com
 www.onelogin.com
 www.cloudentr.com
 Azure Active Directory
 Google Apps
On prem
 Microsoft ADFS
 Oracle OpenSSO
 ForgeRock OpenAM
 PingFederation
 RCDevs OpenID
 Novell Access Manager
 IBM Tivoli Access Manager
 JBoss SSO

Q&A
j.mp/gundarev
@fdwl
DenisG@entisys.com

SAML and Federation for Enterprise Apps

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to SAML and Federation for Enterprise Apps

Similar to SAML and Federation for Enterprise Apps (20)

More from Denis Gundarev

More from Denis Gundarev (20)

Recently uploaded

Recently uploaded (20)

SAML and Federation for Enterprise Apps