Leveraging New Features in CA Single-Sign on to Enable Web Services, Social Sign-On and Enhanced Session Security

ca Securecenter
Leveraging New Features in CA Single Sign-On to
Enable Web Services, Social Sign–On and
Enhanced Session Security
Tim Hobbs, Advisor
SCX19E #CAWorld
Product Management
CA Technologies
*formerly CA SiteMinder

2
© 2014 CA. ALL RIGHTS RESERVED.
Abstract
CA Single Sign-On (CA SSO) is constantly evolving, incorporating the latest technologies in secure web access management. In order to stay secure and competitive, CA SSO makes greater use of the CA Access Gateway (formerly CA SiteMinder® Secure Proxy Server).
Tim Hobbs
CA Technologies
Advisor, Product Management

3
Agenda
USING THE CA ACCESS GATEWAY
SOCIAL SIGN-ON
OPEN FORMAT COOKIE
WEB SERVICES (SOAP AND REST API)
ENHANCED SESSION ASSURANCE WITH DEVICEDNA™
1
2
3
4
5

CA Access Gateway
*formerly CA SiteMinder® Secure Proxy Server

5
CA Access Gateway Overview
Browser
Web Server
with CA SSO Agent
CA SSO Policy Server
Agent Focused
User Directories
CA SSO Policy Store

6
Browser
CA Access Gateway
CA SSO Policy Server
Web Servers
Proxy Focused
Web Services APIs
User Directories
CA SSO Policy Store

7
Any (and multiple) back-end web servers
Login, federation, password service pages
Session management options for mobile devices
Significantly reduces the TCO
Users
•Employees
•Mobile employees
•Partners
•Customers
CA Access Gateway
DestinationServers
CA SSO
Policy Server

8
CA Access Gateway Product Features
Access control for HTTP and HTTPS requests
Single sign-on
Multiple session schemes
Session storage
Cookie-less single sign-on
Intelligent proxy rules
Centralized access control management
Enterprise class architecture

9
Expanded Support For SSO And Access ManagementOverview
Feature
Description
WebDAV
CAAccess Gatewaycan control access to content that is accessed via the WebDAV protocol that is an extension of HTTP
Session Linker
For securing single sign-on to ERP environments
Supportfor ASAs
CA Access Gateway can be used in place of a CA Single Sign-On Web Agent as the web tier in front of a CA Single Sign-On ASA agent
IntegratedWindows Authentication
Supportfor IWA to access applications on servers behind CA Access Gateway
Enhanced proxy rules
Enhanced rules to support new conditions based on cookie existence, cookie value, and header existence

10
Proxy Rules Overview
Forward requests based on:
URI
Virtual host name
Header values (standard or created by CA SSO response)
Device type
File extension
Cookie existence/cookie value
Regular expressions and nested conditions in proxy rules

11
Proxy RulesUse Case

12
Proxy RulesExample

13
Improved Management For Lower TCOOverview
Feature
Description
Manage multiple instances
Canconfigure multiple CA Access Gateway hosts at the same time
Multiple instances on single hardware platform
Making it possible to separate user groups or application access across CA Access Gateway instances without increasing hardware costs
CA Application Performance Management* support
CA Access Gateway has beeninstrumented to provide performance data to the application performance tool
Agentdiscovery
CA Access Gateway instances are uniquely identified in the CA Single Sign-On agent discovery administrative UI for ease of management
Administrative UI for configuration
Administrative UI for configuring proxy rules, virtual hosts, proxy service settings, session store and session scheme settings, federation settings
*formerly CA Wily Introscope®

14
Improved Management for Lower TCOAdministrative UI

15
Capabilities introduced with SPS r12.5

16

17

18

19

20

21
Citrix NetScalerOverviewLeading Application Delivery Controller
Available as a physical or virtual appliance,Citrix NetScaler is a comprehensive system deployed in front of application and database servers that combines high-speed load balancing and content switching with:
Application acceleration
Highly-efficient data compression
Static and dynamic content caching
SSL acceleration
Application performance monitoring
Robust application security
Courtesy: Citrix Training Content
B2B
Performance
Offload
Security
B2C
•World-class L4- L7 load balancing
•Intelligent service health monitoring
•Caching
•Compression
•Connection pooling
•Web 2.0 offload
•SSL processing
•Access Gateway SSL VPN
•Application firewall
Availability
P2P
App Expert Admin

22
Citrix NetScalerPlatforms
NetScalerVPX: A virtual appliance
NetScalerMPX Platform Models: Hardware appliance for scale
NetScalerSDX: Platform for enterprise and cloud datacenters
–Virtualized architecture, which effectively delivers multiple NetScaler instances running on a single NetScaler MPX appliance, with an advanced control plane for unified provisioning, monitoring and management for multi-tenant requirements
–Can consolidate up to 80 independently-managed NetScaler instances with up to 120 Gbpsof overall performance
–Provides complete isolation so that memory, CPU cycles and SSL capacity can be divided and definitively assigned to different NetScalerinstances
Software and Hardware Appliances
Courtesy: Citrix Training Content

23
CA Access Gateway for Citrix NetScaler SDX
Virtual Appliance built on RedHatEnterprise Linux (RHEL) in Citrix-supported XVA format and deployed on NetScaler SDX platform
All standard features of CA Access Gateway, which can be used after performing standard configurations (requires a configured CA Single Sign-On Policy Server)
Can be dynamically provisioned and managed from Citrix NetScaler SDX administrative interface
Creates a VM with installed CA Access Gateway instance (takes the install parameters from provisioning UI)
Monitor performance
Start, stop, reboot,upgrade, upgrade SDX tools etc.
CA Single Sign-On integration use cases with Citrix NetScaler 10.5.x
SAML-based SSO authentication between Citrix NetScaler and CA Single Sign-On
Radius-based authentication from Citrix NetScaler through CA Single Sign-On
Full range of CA Single Sign-On authentication as well as granular authorization capabilities available via integration
CA Access Gateway for Citrix NetScaler SDX

25
Support for Social Sign-On Overview
Simple new user registration increases sign up rate.
Use consumer identity for initial customer acquisition and low risk transactions.
Collecting identity and device attributes allows for personalized marketing.
Seamless sign-on encourages registration and enables targeted marketing.
Sign on with stronger credentials when needed for high value transactions.

26
Support for Social Sign-On Use Case
User initiates a sign-on request using his social sign-on account (OAuth request).
User is redirected to the selected remote authorization server and logs in.
The OAuth flow is completed via the backchannel.
If configured, user information is retrieved from the configured user information URL via the backchannel.
Once authorized, the browser is redirected to the configured target page.
If authorized but not found in the user store, JIT provisioning process can be launched (first time access/create account).

27
Support for Social Sign-On Requirements
Pre-configured OAuthauthorization server support for:
–Twitter (OAuth1.0a)
–Facebook, Google, LinkedIn, Microsoft (OAuth2.0)
–Many other OAuthIdentity Providers
Client registration with the remote authorization server is required before creating partnership

28
Create the local OAuth client entity.
Create or modify the remote entity of an authorization server.
Create a partnership to configure single sign-on.
Migrate an OAuth authentication scheme to OAuthPartnership.
Support for Social Sign-OnConfiguration
1
1
2
1
3
1
4

29
Support for Social Sign-OnCreate the local OAuthclient identity.
Select the appropriate OAuth version for your partnership.

30
Support for Social Sign-onModify the remote entity of an authorization server.

31
Support for Social Sign-OnModify the remote entity of an authorization server.
Google pre-configured remote entity

32
Support for Social Sign-OnCreate a partnership to configure single sign-on.

33

34

35

36
Support for Social Sign-OnMigrate to OAuthpartnership.
Use both the OAuth authentication scheme and an OAuth partnership simultaneously.
–Add the new redirect URL to the existing OAuth authentication scheme redirect URL.
Use an OAuth partnership instead of the OAuth authentication scheme.
–Update the existing redirect URL at the OAuth authorization server to the appropriate partnership redirect URL.

37
Lab 1: Social Sign-On
IN THIS LABYOU WILL:
Create an OAuthPartnership

38
Credential Handling ServiceOverview
Simplified configuration for letting the end user choose the authentication provider
Supports identity providers using federation partnerships
Is deployed on the CA Access Gateway

39
Credential Handling Service Use Case
Make several federated partnerships available for login. The credential handling service shows the partnerships in the group.
–An unauthenticated user requests a resource protected by CA SSO and is presented with the choice of identity providers
–The user selects an identity provider to authenticate with
–The selected partnership is invoked and the user is redirected to the identity provider for login and back to CA SSO
–When the user is identified by CA SSO the user is redirected back to the original target page
–When the user is not found by CA SSO provisioning can occur

40
Credential Handling ServiceRequirements
CA Access Gateway
Partnership between CA SSO and the enterprise (CA SSO) where protected resources exist
Partnership between CA SSO and identity providers

41
Configure partnerships to identity providers.
Create an authentication method group.
Configure a partnership to the enterprise.
Credential Handling ServiceConfiguration
1
1
2
1
3
Optionally customize the credential selector page.
1
4

42
Credential Handling ServiceLogin Flow Detail (Registered User)
An unauthenticated user invokes a partnership with CHS enabled.
The user selects an identity provider and signs-on. The identity provider generates an access token and redirects the user to the federation system (relying party).
The federation system (relying party) verifies the access token, disambiguates the user, and generates a session.
The federation system (asserting party) generates an assertion and redirects the user to the enterprise (relying party).
The enterprise (relying party) verifies the assertion and gives the user access to the federated resource.

43
Credential Handling ServiceCreate an authentication method group.

44
Credential Handling ServiceConfigure a partnership to the enterprise.
Partnership based on one of these authentication protocols:
–SAML 1.1
–SAML 2.0
–WS-Federation
SSO
–Authentication mode = Credential Selector
–Define the base URL
–Select the previously created Authentication Method Group
Target Application
–SAML1.1: Target
–SAML 2.0 and WS-Federation: Relay State Overrides Target

45
Credential Handling ServiceCustomize the header or footer.
<install_path>CAsecure-proxyTomcatwebappschsjsps
Make a copy of the header.jspfile and name the new file header- custom.jsp.
Make a copy of the footer.jspfile and name the new file footer- custom.jsp.
Customize the new files as needed.
Restart CA Access Gateway.

47
Lab 2: Credential Handling Service
Create an Authentication Method Group
Enable the Credential Handling Service

Open Format CookieAgentless-SSO

49
Open Format Cookie = “agentless” SSOOverview
Standards-based cookie directly read by applications
No agent or proxy installed betweenuser and web server
–Lower cost method for accomplishing basic SSO
–Web applications decrypt (optional) and consume the standard cookie
–Adds flexible option to a customer’s CA SSO architecture
For applications that have lower security requirements
–No centralized auditing, CA SSO authorization or centralized session control
Web Agent in the CA SSO architecture used for protection and cookie generation

50
Open Format Cookie Use Case
When not possible/not convenient to deploy a Web Agent
Less stringent security and session control over applications
Generated in response to a successful authentication or authorization event

51
Open Format Cookie Configuration

Web ServicesSOAP and REST APIs

53
SOAP and REST APIsOverview
Web service interfaces for authentication and authorization
Deployed via CA Access Gateway
Supports SOAP (wsdl) and REST (wadl) architectures
http(s)://server:port/authazws/auth?wsdl
http(s)://server:port/authazws/AuthRestService/application.wadl
Lower cost method for integrating CA SSO services
Adds flexible option to a customer’s CA SSO architecture

54
SOAP and REST APIsOverview
Authn/Authzweb services provide following functionality:
–login –Authenticates and returns session token (and optional identity token)
–blogin–(Boolean login) authenticates and verifies whether login is successful and does not return session token
–logout –Logs out the user or group of users
–authorize -Returns an authorization status message and a refreshed session token

55
SOAP and REST APIs Use Case
User accesses mobile gateway via smart phone.
Mobile Gateway calls web service interface to authenticate user.
Web service validates with CA SSO Policy Server.
CA SSO validates/authorizes request.
Web service provides validation/authorization status back to mobile gateway via session token.
Mobile gateway requests content from web server.
Content is returned to user.
1
4
3
5
2
6
7
7
User
Web Server
Policy Server
Secure Proxy
Server
Mobile Gateway

56
SOAP and REST APIsRequirements
Determine and register a virtual host name (DNS entry, Hosts file).
Protect the web services root URL.

57
SOAP and REST APIsRequirements
One or more agents to protect target applications against which callers authenticate
Realms, user directories, policies and responses that are required for authentication and authorization
A client program to issue authn/authzrequest to the web service on behalf of another application (see KB article TEC592437Scenario: Working with the CA Single Sign-On Authentication and Authorization Web Services)

58
Create the ACO.
Enable the web services.
Configure the web services logs (optional).
SOAP and REST APIsConfiguration
1
1
2
1
3

59
SOAP and REST APIsCreate the ACO.
Agentname
EnableAuth/ EnableAz
RequireAgentEnforcement

60
SOAP and REST APIsEnable the Web Services.

61
SOAP and REST APIsConfigure the Web Services logs.
Open file sps_home/proxy-engine/conf/webservicesagent/ authaz-log4j.xml
Un-comment the AuthAZ_ROLLINGappendertag:
<appendername="AuthAZ_ROLLING" class="org.apache.log4j.DailyRollingFileAppender"> <paramname="File" value="logs/authazws.log"/> <layout class="org.apache.log4j.PatternLayout"> <paramname="ConversionPattern" value="%d %-5p [%c] -%m%n"/> </layout> </appender>
Un-comment all occurrences of appender-ref for the tag:
<appender-ref ref="AuthAZ_ROLLING"/>
New log file sps_home/proxy-engine/logs/authazws.log

62
Lab 3: Web Services
Enable the authentication and authorization Web Services

Enhanced Session Assurance with DeviceDNA

64
Enhanced Session Assurance With DeviceDNAOverview
Improves upon existing authentication and session persistence capabilities
Enhancement to the authentication service and the Policy Server to allow for association of DeviceDNA
DeviceDNAis data unique to individual HTTP clients
CA Access Gateway and session store required to support the DeviceDNAcollection

65
Enhanced Session Assurance With DeviceDNAUse Case
Combats session hijacking/session replay
Blocks the use of a stolen SMSESSION cookie
Included with CA SSO deployment and license (no additional SKUs)

66
Enhanced Session Assurance With DeviceDNARequirements
Policy Server r12.52 or greater
–Installs necessary components silently
CA Access Gateway r12.52 or greater
Session store
Agent configuration object used for CA Access Gateway configuration should have “.sac” in ignore extensions list

67
Enhanced Session Assurance With DeviceDNAConfiguration
Review the limitations.
Configure the CA Access Gateway.
Create Enhanced Session Assurance endpoints.
1
1
2
1
3
Add endpoints to realms or applications.
1
4
(Optional) Enable Enhanced Session Assurance on partnerships.
1
5

68
Enhanced Session Assurance With DeviceDNALimitations
Web 2.0 clients
Custom agents
Clients that do not support JavaScript and cookies
POST preservation
Shared workstations
Authentication/authorization web services
Federation limitations
–The SP side of a SAML 2.0 partnership.
–HTTP-POST Authentication request bindings on the IDP side of a SAML 2.0 partnership.

69
Enhanced Session Assurance With DeviceDNAConfigure the CA Access Gateway environment.
Enter the advanced authentication server encryption key (from the installation or upgrade) in all Policy Servers.
Enable the encryption by configuring the JVM with the JSafeJCESecurity Provider.
If multi-domain SSO is configured using a cookie provider Web Agent, the CA Access Gateway must be configured to run in the same domain as the cookie provider Web Agent.

70
Enhanced Session Assurance With DeviceDNACreate Enhanced Session Assurance endpoints.
On the Global options, select create Session Assurance Endpoints.

71
Enhanced Session Assurance With DeviceDNACreate Enhanced Session Assurance endpoints.

72
Enhanced Session Assurance With DeviceDNAAdd endpoints to realms or applications.
To protect resources in realms,add session assurance endpoint.

73
Enhanced Session Assurance With DeviceDNAEnable Enhanced Session Assurance on partnerships.
Available on the following partnerships:
–The IdP side of an SP to IdP partnership
–The Producer side of a Consumer to Producer partnership
–The AP side of an RP to AP partnership

74
Lab 4: Session Assurance
Enable Enhanced Session Assurance with DeviceDNA

75
For More Information
To learn more about Security, please visit:
http://bit.ly/10WHYDm
Insert appropriate screenshot and textoverlayfrom following“More Info Graphics” slide here; ensure it links to correct page
Security

76
For Informational Purposes Only
© 2014CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
This presentation provided at CA World 2014 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutionssoactual results may vary.
Terms of this Presentation

Leveraging New Features in CA Single-Sign on to Enable Web Services, Social Sign-On and Enhanced Session Security

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Leveraging New Features in CA Single-Sign on to Enable Web Services, Social Sign-On and Enhanced Session Security

Semelhante a Leveraging New Features in CA Single-Sign on to Enable Web Services, Social Sign-On and Enhanced Session Security (20)

Mais de CA Technologies

Mais de CA Technologies (20)

Último

Último (20)

Leveraging New Features in CA Single-Sign on to Enable Web Services, Social Sign-On and Enhanced Session Security