SlideShare uma empresa Scribd logo

Stronger Authentication with Biometric SSO

Ramesh Nagappan
Ramesh Nagappan
Tecnologia
1 de 30
Baixar para ler offline
Stronger Authentication with Biometric SSO using OpenSSO Enterprise and BiObexTM Ramesh Nagappan Sun Microsystems, Burlington, MA ramesh.nagappan@sun.com http://www.coresecuritypatterns.com/blogs
Setting Expectations What you can take away !  OpenSSO Enterprise and BiObex - Architectural Overview  Pre-requisites for enabling Biometric SSO authentication.  Configuration of BiObex AMLoginModule in OpenSSO environment.  Deployment and Testing of Biometrics enabled SSO.  Multi-factor/Biometric authentication based SSO - Moving forward and next steps ! 2
OpenSSO Enterprise • Identity Services Infrastructure facilitates Single Sign-On (SSO) for Web applications residing within an enterprise or across networks. • Open standards based framework supports centralized authentication, authorization and auditing. > JAAS based authentication services > Agent-based and XACML based policy enforcement > User session management > Identity-enabled XML Web services for AuthN, AuthX, Audit and Provisioning > Identity Federation Protocols support include SAMLv2, ID-*, WS-Federation,WS-Policy) > XML Web Services Security (WS-Security, WS-Trust, WS-I Basic Security Profile) > Multi-factor authentication via chaining > Centralized configuration, logging and auditing services > Supports multiple Java EE application servers and Web containers • Deployed as a Web application (single WAR file) 3
OpenSSO Enterprise Architecture and Services 4
OpenSSO Enterprise Deployment (SSO, Federation and Web Services Security) 5
BiObexTM Interoperable Biometric Middleware • Biometric Assurance Infrastructure facilitates User enrollment and Physical/Logical access control using Biometric credentials. > Fingerprints, Iris, Facial geometry and Hand geometry > Biometric enrollment and device management. > Biometrics based Logical access control enables Web Single Sign-On and Desktop authentication (Windows, Solaris/Linux and Sun Rays). > Biometrics based Physical access control restricts personnel access to doors, buildings, locations and restricted areas. > Standards support include CBEFF, BioAPI, MINEX/INCITS-378 and FIPS-201. • Integrates with Sun OpenSSO for addressing Web SSO and Federation scenarios. > Enables stronger/multi-factor authentication by chaining of Biometric authentication with other credentials such as Smartcard/Tokens, PKI/Digital certificate and Password. • Integrates with Sun Identity Manager for provisioning and de- provisioning of Biometric credentials for Credential issuance and authentication. 6
Biometric SSO - Logical Architecture Architecture and its core building blocks 7
Tools of the Trade OpenSSO/BiObex Integration Pre-Requisites • OpenSSO Enterprise 8.x > Deployed on Glassfish Enterprise V2.x > Configured with NSS Keystore (FIPS mode) or JKS (Non-FIPS mode). • BiObex 2.8.x Authentication and Enrollment Middleware > OpenSSO BiObex LoginModule artifacts (Available as part of BiObex 2.8 and above). > BiObex enrollment client for user enrollment. • SecuGen Hamster Plus/IV (preferred) or CrossMatch Verifier-E Fingerprint scanners. • Solaris 10 (preferred) or Solaris Trusted Extensions, Sun Ray, RHEL/SUSE Linux and Microsoft Windows environments. 8
Configuration/Deployment Steps Install Unpack Create Configure BiObex Configure Glassfish V2 w. BiObex BiObex BiObex/OpenSSO OpenSSO Enterprise AMLoginModule AMLoginModule AMLoginModule Attributes Trust Comm. (FIPS) Service Schema 1. Install OpenSSO v8.x Enterprise on Glassfish v2.x Enterprise.  Ensure that NSS Keystore is available to support FIPS-mode communication.  Ensure OpenSSO access to BiObex authentication server (up and running). 2. Unpack BiObex-LoginModule bundle and deploy the LoginModule artifacts to OpenSSO. 3. Install the BiObex AMLoginModule Service Schema in OpenSSO. 4. Configure the BiObex AMLoginModule Global attributes. 5. Configure the BiObex/OpenSSO truststore to support SSL with FIPS-mode communication. 9
BiObex AMLoginModule Installation 1. Unpack the BiObex module archive: jar –xf BiobexAMLoginModuleWebDevices- unix-glassfish.zip cd biobex-am-loginmodule 2. Use GlassFish’s ant tool to deploy into OpenSSO: /opt/SUNWappserver/lib/ant/bin/ant 10
Configure BiObex/OpenSSO Service Schema Create a new OpenSSO BiObexLoginModule service 3. Configure the BiObexLoginModule service schema via SSOadm console.  http://<glassfish>/opensso/ssoadm.jsp  Click ‘create-svc’.  Copy ‘BiObexService.xml’  Paste to ‘create-svc’ entry box. 11
Configure BiObex AMLoginModule Configure the BiometricLoginModule in OpenSSO 4. Configure the BiometricLoginModule in OpenSSO pluggable authentication classes.  Login to OpenSSO admin console as ‘amadmin’  Goto ‘Configuration’ and click on ‘Core’.  In pluggable authentication, add com.biobex.jaas.BiometricLoginModule 12
Configure BiObex Global Attributes 5. Specify the BiObex Global attributes.  Goto ‘Authentication’ and click “Biobex Login” to configure global attributes. 13
Configure BiObex Global Attributes 5. Specify the BiObex Global Attributes  Enable SSL/TLS communication to BiObex by choosing NSS (FIPS) or Java SE (Non-FIPS). 14
Configure BiObex/Glassfish SSL Truststore SSL communication between BiObex and OpenSSO 6. BiObex requires the Glassfish’s SSL implementation to enable trusted communication with the BiObex Authentication Server.  In case of NSS (FIPS-Mode), use the NSS certutil tool to import the CA certificate for the BiObex Authentication Server. 1. Note the “-t C” option restricts trust in the Biobex CA to issuing SSL certificates, NOT client certificates. cd /opt/SUNWappserver/domains/domain1/config certutil -A -d . -t C -i ~bioauth/biobex2/certs/bootstrapCA.cer -n biobex-authserver  In case of Java Key Store, use the Java Keytool to import the CA certificate. keytool -import -keystore cacerts.jks –file ~bioauth/biobex2/certs/bootstrapCA.cer 15
Configure Biometric Authentication Setting up a Fingerprint authentication module instance. • Configure the BiObex Login Module Instance  Goto ‘Authentication’, select ‘Module instances’ and click “New”.  Add a module instance named ‘Fingerprint’ and choose “BiObex Login”.  The new module named “Fingerprint” will showup in Module instance list. 16
Configure BiObex Login Realm Attributes • Specify the realm attributes of BiObex AuthN server.  Enter the BiObex Authentication server hostname and port (ex. 10443)  Set “Terminal Discovery Method” to “Specify a fixed terminal”.  Set “User Discovery Method” to “SSO, JAAS Shared State” and then “Save”. Important: Circled option enables ‘username’ discovery through various methods and facilitates multi-factor authentication and/or session-upgrade scenarios. 17
Verifying and Testing Biometric AuthN Quick sanity check 1. Install and verify the Fingerprint scanner drivers and test the scanner by capturing sample fingerprints.  Make sure the USB or Ethernet based scanner is connected and working properly. 2. Make sure the user has already enrolled his/her fingerprints in BioBex.  Verify the user account exist in both BiObex and OpenSSO. 3. Now you are ready to test Biometric authentication…  Goto: http://<GlassFish>/opensso/UI/Login?module=Fingerprint 18
Testing the Biometric Login… OpenSSO login will prompt for random fingerprints as enrolled in BiObex 19
Multi-factor AuthN and Session Upgrade OpenSSO Authentication Chain and Session upgrade thru’ AuthN • OpenSSO facilitates stronger/ multi-factor authentication through authentication chain including multiple authentication providers. > Enables an authentication process where an user must pass credentials to one or more authentication modules before session validation. > Session validation is determined based on the control flag (Required, Requisite, Sufficient, Optional) configured to the authentication module instance chain. > The overall authentication success or failure is determined based on the control flag assigned to each module in the authentication stack. > OpenSSO is tested and verified to provide multi-factor authentication chain that include BiObex Login, Smartcard/PKI and other OpenSSO supported authentication providers. • Session Upgrade allows upgrading a valid session based on a successful “second-factor authentication” performed by the same user. > Allows user authenticate to access second resource under the same or different realm > If authentication is successful - OpenSSO updates the session based on the second- level authentication. If authentication fails, the current session will be maintained. 20
Configuring Authentication Chain Goto: “Authentication” Select “Authentication Chaining” ….. 21
Testing Multi-factor/Biometric SSO 1. Goto: Authentication - Configure “PasswordFinger” as Default Authentication Chain.  Make sure the ldapService remains as Administrator AuthN chain.  Goto: http://<GlassFish>/opensso 22
Role of OpenSSO Policy Agents Authorization and Policy enforcement • Policies are managed by Policy configuration service in OpenSSO. > Policy service authorizes a user based on the policies stored in OpenSSO. > Policies consists of Rules, Subjects, Conditions and Response providers.. • OpenSSO Policy Agents enforce policies and policy decisions on protected resources . > Intercepts requests from clients/applications and redirects the requests to OpenSSO for authentication - if no valid session token is present. > Once authenticated, the policy agent communicates with OpenSSO Policy service to grant/deny access to the user based on policy evaluation. 23
Attribute Retrieval for Application Use • User Profile Attributes > J2EE Agent allows retrieving LDAP Attributes and sets them as HTTP Headers or Cookies. > com.sun.identity.agents.config.profile.attribute.fetch.mode (Possible values are HTTP_HEADER, HTTP_COOKIE, REQUEST_ATTRIBUTE, NONE) > Attribute mapping can be done using com.sun.identity.agents.config.profile.attribute.map • Response Attributes > J2EE Agent allows retrieving Response Attributes and sets them as HTTP Headers or Cookies. > com.sun.identity.agents.config.response.attribute.fetch.mode (Possible values are HTTP_HEADER, HTTP_COOKIE, REQUEST_ATTRIBUTE, NONE). > Attribute mapping can be done using com.sun.identity.agents.config.response.attribute.map • Session Attributes > J2EE Agent allows retrieving Session Attributes and sets them as HTTP Headers or Cookies. > com.sun.identity.agents.config.session.attribute.fetch.mode (Possible values are HTTP_HEADER, HTTP_COOKIE, REQUEST_ATTRIBUTE, NONE) > Attribute mapping can be done using com.sun.identity.agents.config.session.attribute.map • Privileged Attributes 24
OpenSSO / BiObex Troubleshooting • Enable Message-level Debugging in OpenSSO > Goto Administration page, select ‘Configuration’ tab. > Select your OpenSSO server, In Debug section, select Debug Level to “Message”. > Restart your Web container. • View BiObex AMLoginModule logs > Goto ~/opensso/debug/ and view the following files. > “Biobex”: Contains tracing when the login module in action > “BiobexSSL”: Contains OpenSSO-Biobex server communication related messages, SSL related configuration errors. > “amAuth”: Contains message related to LoginModule instance and issues related to configuration of BiObex AMLoginModule. • View BiObex Authentication server logs for issues related to user authentication failure. • Make sure user has an account in OpenSSO and also enrolled his/her fingerprints in BiObex Enrollment server. 25
Environment Requirements Supported/verified BiObex environment Components Software Products (Provided) Supported Environment Application Server GlassFish V2 Sun Application Server 7.1 Authentication and OpenSSO/BiObex AMLoginModule OpenSSO Enterprise Authorization Server Sun Access Manager 7.1 Oracle 10g Database Server DB2 PostgreSQL 7.3 + MySQL 5.x JRE 1.5.12 + User Enrollment BiObex Enrollment Client Windows XP/2003/Vista Workstation SecuGen Hamster Plus/IV Sensors RHEL/SUSE Linux Solaris / Sun Ray / Solaris TX Client Workstation BiObex 2.8 Client Windows XP/2003 (Microsoft Windows / BioGINA RHEL/SUSE Linux SunRay) SecuGen Hamster Plus/IV Sensors Solaris / Sun Ray / Solaris TX JRE 1.5.12 + BiObex Server BiObex Authentication Server Windows XP/2003 BiObex Enrollment Server RHEL/SUSE Linux Solaris / Sun Ray / Solaris TX 26
Real-world Deployment Biometrics and Smartcard/PKI based Logical Access Control * User Desktops/Browsers configured to use Biometric Scanners and Smartcard Readers. 27
SaaS/Cloud Deployment Deploying Biometric Assurance as “SaaS” over Web 28
Acquiring BiObex Software Contact/Support information Advanced Biometric Controls, LLC 11501 Sunset Hills Rd., Suite 200 Reston, Virginia 20190-4731 Toll-free: 1-877-4 BIOBEX 877-424-6239 571-313-0969 Main 571-313-0962 Fax Internet: www.biobex.com E-mail: support@biobex.com 29
Q&A Ramesh Nagappan Sun Microsystems, Burlington, MA ramesh.nagappan@sun.com http://www.coresecuritypatterns.com/blogs

Recomendados

Mini-Training: SSO with Windows Identity Foundation
Mini-Training: SSO with Windows Identity FoundationMini-Training: SSO with Windows Identity Foundation
Mini-Training: SSO with Windows Identity FoundationBetclic Everest Group Tech Team
 
“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with EverythingDave Hay
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018MOnCloud
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2FIDO Alliance
 
Securing online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsSecuring online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsOlivier Potonniée
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseDenis Gundarev
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOOliver Mueller
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML Programming Talents
 

Recomendados

Mini-Training: SSO with Windows Identity Foundation
Mini-Training: SSO with Windows Identity FoundationMini-Training: SSO with Windows Identity Foundation
Mini-Training: SSO with Windows Identity FoundationBetclic Everest Group Tech Team
 
“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with EverythingDave Hay
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018MOnCloud
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2FIDO Alliance
 
Securing online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsSecuring online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsOlivier Potonniée
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseDenis Gundarev
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOOliver Mueller
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML Programming Talents
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicHarihara sarma
 
Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose
Chakray.com - Enterprise Security and IAM with WSO2IS and PenroseChakray.com - Enterprise Security and IAM with WSO2IS and Penrose
Chakray.com - Enterprise Security and IAM with WSO2IS and PenroseRoger CARHUATOCTO
 
Microservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity ServerMicroservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity ServerAnupam Gogoi
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecurityDinis Cruz
 
WSO2 Identity Server 5.3.0 - Product Release Webinar
WSO2 Identity Server 5.3.0 - Product Release WebinarWSO2 Identity Server 5.3.0 - Product Release Webinar
WSO2 Identity Server 5.3.0 - Product Release WebinarWSO2
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3webhostingguy
 
Web Single sign on system
Web Single sign on systemWeb Single sign on system
Web Single sign on systemSwati Sinha
 
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS ProjectIntroduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS ProjectMichael J Geiser
 
OpenSSO Tech Overview Aquarium
OpenSSO Tech Overview AquariumOpenSSO Tech Overview Aquarium
OpenSSO Tech Overview AquariumEduardo Pelegri-Llopart
 
Cisco SDWAN - Components Deployment Workflow
Cisco SDWAN - Components Deployment WorkflowCisco SDWAN - Components Deployment Workflow
Cisco SDWAN - Components Deployment WorkflowFarooq Khan
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)Torsten Lodderstedt
 
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0Krishna-Kumar
 
Security aspects on blockchain white paper
Security aspects on blockchain white paperSecurity aspects on blockchain white paper
Security aspects on blockchain white paperCreus Moreira Carlos
 
The container ecosystem @ Microsoft A story of developer productivity
The container ecosystem @ Microsoft A story of developer productivityThe container ecosystem @ Microsoft A story of developer productivity
The container ecosystem @ Microsoft A story of developer productivityNills Franssens
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security KeysFIDO Alliance
 
Whats new in was liberty security and cloud readiness
Whats new in was liberty security and cloud readinessWhats new in was liberty security and cloud readiness
Whats new in was liberty security and cloud readinesssflynn073
 
WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0
WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0
WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0WSO2
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewRamesh Nagappan
 
Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005Ramesh Nagappan
 

Mais conteúdo relacionado

Semelhante a Stronger Authentication with Biometric SSO

Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicHarihara sarma
 
Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose
Chakray.com - Enterprise Security and IAM with WSO2IS and PenroseChakray.com - Enterprise Security and IAM with WSO2IS and Penrose
Chakray.com - Enterprise Security and IAM with WSO2IS and PenroseRoger CARHUATOCTO
 
Microservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity ServerMicroservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity ServerAnupam Gogoi
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecurityDinis Cruz
 
WSO2 Identity Server 5.3.0 - Product Release Webinar
WSO2 Identity Server 5.3.0 - Product Release WebinarWSO2 Identity Server 5.3.0 - Product Release Webinar
WSO2 Identity Server 5.3.0 - Product Release WebinarWSO2
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3webhostingguy
 
Web Single sign on system
Web Single sign on systemWeb Single sign on system
Web Single sign on systemSwati Sinha
 
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS ProjectIntroduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS ProjectMichael J Geiser
 
Cisco SDWAN - Components Deployment Workflow
Cisco SDWAN - Components Deployment WorkflowCisco SDWAN - Components Deployment Workflow
Cisco SDWAN - Components Deployment WorkflowFarooq Khan
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)Torsten Lodderstedt
 
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0Krishna-Kumar
 
Security aspects on blockchain white paper
Security aspects on blockchain white paperSecurity aspects on blockchain white paper
Security aspects on blockchain white paperCreus Moreira Carlos
 
The container ecosystem @ Microsoft A story of developer productivity
The container ecosystem @ Microsoft A story of developer productivityThe container ecosystem @ Microsoft A story of developer productivity
The container ecosystem @ Microsoft A story of developer productivityNills Franssens
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security KeysFIDO Alliance
 
Whats new in was liberty security and cloud readiness
Whats new in was liberty security and cloud readinessWhats new in was liberty security and cloud readiness
Whats new in was liberty security and cloud readinesssflynn073
 
WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0
WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0
WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0WSO2
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 

Semelhante a Stronger Authentication with Biometric SSO (20)

Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogic
 
Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose
Chakray.com - Enterprise Security and IAM with WSO2IS and PenroseChakray.com - Enterprise Security and IAM with WSO2IS and Penrose
Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose
 
Microservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity ServerMicroservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity Server
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of Security
 
WSO2 Identity Server 5.3.0 - Product Release Webinar
WSO2 Identity Server 5.3.0 - Product Release WebinarWSO2 Identity Server 5.3.0 - Product Release Webinar
WSO2 Identity Server 5.3.0 - Product Release Webinar
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
 
Web Single sign on system
Web Single sign on systemWeb Single sign on system
Web Single sign on system
 
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS ProjectIntroduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS Project
 
OpenSSO Tech Overview Aquarium
OpenSSO Tech Overview AquariumOpenSSO Tech Overview Aquarium
OpenSSO Tech Overview Aquarium
 
Cisco SDWAN - Components Deployment Workflow
Cisco SDWAN - Components Deployment WorkflowCisco SDWAN - Components Deployment Workflow
Cisco SDWAN - Components Deployment Workflow
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
 
Security aspects on blockchain white paper
Security aspects on blockchain white paperSecurity aspects on blockchain white paper
Security aspects on blockchain white paper
 
The container ecosystem @ Microsoft A story of developer productivity
The container ecosystem @ Microsoft A story of developer productivityThe container ecosystem @ Microsoft A story of developer productivity
The container ecosystem @ Microsoft A story of developer productivity
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security Keys
 
Whats new in was liberty security and cloud readiness
Whats new in was liberty security and cloud readinessWhats new in was liberty security and cloud readiness
Whats new in was liberty security and cloud readiness
 
WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0
WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0
WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 

Mais de Ramesh Nagappan

Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewRamesh Nagappan
 
Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005Ramesh Nagappan
 
Interoperable Provisioning in a distributed world
Interoperable Provisioning in a distributed worldInteroperable Provisioning in a distributed world
Interoperable Provisioning in a distributed worldRamesh Nagappan
 
Secure Multitenancy on Oracle SuperCluster
Secure Multitenancy on Oracle SuperClusterSecure Multitenancy on Oracle SuperCluster
Secure Multitenancy on Oracle SuperClusterRamesh Nagappan
 
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Ramesh Nagappan
 
High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security and Virtualization for Oracle Database and Cloud-En...High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security and Virtualization for Oracle Database and Cloud-En...Ramesh Nagappan
 
High Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyHigh Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyRamesh Nagappan
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Ramesh Nagappan
 
ICAM - Demo Architecture review
ICAM - Demo Architecture reviewICAM - Demo Architecture review
ICAM - Demo Architecture reviewRamesh Nagappan
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformRamesh Nagappan
 
PIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentPIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentRamesh Nagappan
 
Java Platform Security Architecture
Java Platform Security ArchitectureJava Platform Security Architecture
Java Platform Security ArchitectureRamesh Nagappan
 
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access ControlManaging PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access ControlRamesh Nagappan
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsRamesh Nagappan
 
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE SecurityWire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE SecurityRamesh Nagappan
 

Mais de Ramesh Nagappan (15)

Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical Overview
 
Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005
 
Interoperable Provisioning in a distributed world
Interoperable Provisioning in a distributed worldInteroperable Provisioning in a distributed world
Interoperable Provisioning in a distributed world
 
Secure Multitenancy on Oracle SuperCluster
Secure Multitenancy on Oracle SuperClusterSecure Multitenancy on Oracle SuperCluster
Secure Multitenancy on Oracle SuperCluster
 
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
 
High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security and Virtualization for Oracle Database and Cloud-En...High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security and Virtualization for Oracle Database and Cloud-En...
 
High Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyHigh Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted Cryptography
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
 
ICAM - Demo Architecture review
ICAM - Demo Architecture reviewICAM - Demo Architecture review
ICAM - Demo Architecture review
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card Platform
 
PIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentPIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environment
 
Java Platform Security Architecture
Java Platform Security ArchitectureJava Platform Security Architecture
Java Platform Security Architecture
 
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access ControlManaging PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise Applications
 
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE SecurityWire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
 

Último

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Último (20)

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Stronger Authentication with Biometric SSO

  • 1. Stronger Authentication with Biometric SSO using OpenSSO Enterprise and BiObexTM Ramesh Nagappan Sun Microsystems, Burlington, MA ramesh.nagappan@sun.com http://www.coresecuritypatterns.com/blogs
  • 2. Setting Expectations What you can take away !  OpenSSO Enterprise and BiObex - Architectural Overview  Pre-requisites for enabling Biometric SSO authentication.  Configuration of BiObex AMLoginModule in OpenSSO environment.  Deployment and Testing of Biometrics enabled SSO.  Multi-factor/Biometric authentication based SSO - Moving forward and next steps ! 2
  • 3. OpenSSO Enterprise • Identity Services Infrastructure facilitates Single Sign-On (SSO) for Web applications residing within an enterprise or across networks. • Open standards based framework supports centralized authentication, authorization and auditing. > JAAS based authentication services > Agent-based and XACML based policy enforcement > User session management > Identity-enabled XML Web services for AuthN, AuthX, Audit and Provisioning > Identity Federation Protocols support include SAMLv2, ID-*, WS-Federation,WS-Policy) > XML Web Services Security (WS-Security, WS-Trust, WS-I Basic Security Profile) > Multi-factor authentication via chaining > Centralized configuration, logging and auditing services > Supports multiple Java EE application servers and Web containers • Deployed as a Web application (single WAR file) 3
  • 5. OpenSSO Enterprise Deployment (SSO, Federation and Web Services Security) 5
  • 6. BiObexTM Interoperable Biometric Middleware • Biometric Assurance Infrastructure facilitates User enrollment and Physical/Logical access control using Biometric credentials. > Fingerprints, Iris, Facial geometry and Hand geometry > Biometric enrollment and device management. > Biometrics based Logical access control enables Web Single Sign-On and Desktop authentication (Windows, Solaris/Linux and Sun Rays). > Biometrics based Physical access control restricts personnel access to doors, buildings, locations and restricted areas. > Standards support include CBEFF, BioAPI, MINEX/INCITS-378 and FIPS-201. • Integrates with Sun OpenSSO for addressing Web SSO and Federation scenarios. > Enables stronger/multi-factor authentication by chaining of Biometric authentication with other credentials such as Smartcard/Tokens, PKI/Digital certificate and Password. • Integrates with Sun Identity Manager for provisioning and de- provisioning of Biometric credentials for Credential issuance and authentication. 6
  • 7. Biometric SSO - Logical Architecture Architecture and its core building blocks 7
  • 8. Tools of the Trade OpenSSO/BiObex Integration Pre-Requisites • OpenSSO Enterprise 8.x > Deployed on Glassfish Enterprise V2.x > Configured with NSS Keystore (FIPS mode) or JKS (Non-FIPS mode). • BiObex 2.8.x Authentication and Enrollment Middleware > OpenSSO BiObex LoginModule artifacts (Available as part of BiObex 2.8 and above). > BiObex enrollment client for user enrollment. • SecuGen Hamster Plus/IV (preferred) or CrossMatch Verifier-E Fingerprint scanners. • Solaris 10 (preferred) or Solaris Trusted Extensions, Sun Ray, RHEL/SUSE Linux and Microsoft Windows environments. 8
  • 9. Configuration/Deployment Steps Install Unpack Create Configure BiObex Configure Glassfish V2 w. BiObex BiObex BiObex/OpenSSO OpenSSO Enterprise AMLoginModule AMLoginModule AMLoginModule Attributes Trust Comm. (FIPS) Service Schema 1. Install OpenSSO v8.x Enterprise on Glassfish v2.x Enterprise.  Ensure that NSS Keystore is available to support FIPS-mode communication.  Ensure OpenSSO access to BiObex authentication server (up and running). 2. Unpack BiObex-LoginModule bundle and deploy the LoginModule artifacts to OpenSSO. 3. Install the BiObex AMLoginModule Service Schema in OpenSSO. 4. Configure the BiObex AMLoginModule Global attributes. 5. Configure the BiObex/OpenSSO truststore to support SSL with FIPS-mode communication. 9
  • 10. BiObex AMLoginModule Installation 1. Unpack the BiObex module archive: jar –xf BiobexAMLoginModuleWebDevices- unix-glassfish.zip cd biobex-am-loginmodule 2. Use GlassFish’s ant tool to deploy into OpenSSO: /opt/SUNWappserver/lib/ant/bin/ant 10
  • 11. Configure BiObex/OpenSSO Service Schema Create a new OpenSSO BiObexLoginModule service 3. Configure the BiObexLoginModule service schema via SSOadm console.  http://<glassfish>/opensso/ssoadm.jsp  Click ‘create-svc’.  Copy ‘BiObexService.xml’  Paste to ‘create-svc’ entry box. 11
  • 12. Configure BiObex AMLoginModule Configure the BiometricLoginModule in OpenSSO 4. Configure the BiometricLoginModule in OpenSSO pluggable authentication classes.  Login to OpenSSO admin console as ‘amadmin’  Goto ‘Configuration’ and click on ‘Core’.  In pluggable authentication, add com.biobex.jaas.BiometricLoginModule 12
  • 13. Configure BiObex Global Attributes 5. Specify the BiObex Global attributes.  Goto ‘Authentication’ and click “Biobex Login” to configure global attributes. 13
  • 14. Configure BiObex Global Attributes 5. Specify the BiObex Global Attributes  Enable SSL/TLS communication to BiObex by choosing NSS (FIPS) or Java SE (Non-FIPS). 14
  • 15. Configure BiObex/Glassfish SSL Truststore SSL communication between BiObex and OpenSSO 6. BiObex requires the Glassfish’s SSL implementation to enable trusted communication with the BiObex Authentication Server.  In case of NSS (FIPS-Mode), use the NSS certutil tool to import the CA certificate for the BiObex Authentication Server. 1. Note the “-t C” option restricts trust in the Biobex CA to issuing SSL certificates, NOT client certificates. cd /opt/SUNWappserver/domains/domain1/config certutil -A -d . -t C -i ~bioauth/biobex2/certs/bootstrapCA.cer -n biobex-authserver  In case of Java Key Store, use the Java Keytool to import the CA certificate. keytool -import -keystore cacerts.jks –file ~bioauth/biobex2/certs/bootstrapCA.cer 15
  • 16. Configure Biometric Authentication Setting up a Fingerprint authentication module instance. • Configure the BiObex Login Module Instance  Goto ‘Authentication’, select ‘Module instances’ and click “New”.  Add a module instance named ‘Fingerprint’ and choose “BiObex Login”.  The new module named “Fingerprint” will showup in Module instance list. 16
  • 17. Configure BiObex Login Realm Attributes • Specify the realm attributes of BiObex AuthN server.  Enter the BiObex Authentication server hostname and port (ex. 10443)  Set “Terminal Discovery Method” to “Specify a fixed terminal”.  Set “User Discovery Method” to “SSO, JAAS Shared State” and then “Save”. Important: Circled option enables ‘username’ discovery through various methods and facilitates multi-factor authentication and/or session-upgrade scenarios. 17
  • 18. Verifying and Testing Biometric AuthN Quick sanity check 1. Install and verify the Fingerprint scanner drivers and test the scanner by capturing sample fingerprints.  Make sure the USB or Ethernet based scanner is connected and working properly. 2. Make sure the user has already enrolled his/her fingerprints in BioBex.  Verify the user account exist in both BiObex and OpenSSO. 3. Now you are ready to test Biometric authentication…  Goto: http://<GlassFish>/opensso/UI/Login?module=Fingerprint 18
  • 19. Testing the Biometric Login… OpenSSO login will prompt for random fingerprints as enrolled in BiObex 19
  • 20. Multi-factor AuthN and Session Upgrade OpenSSO Authentication Chain and Session upgrade thru’ AuthN • OpenSSO facilitates stronger/ multi-factor authentication through authentication chain including multiple authentication providers. > Enables an authentication process where an user must pass credentials to one or more authentication modules before session validation. > Session validation is determined based on the control flag (Required, Requisite, Sufficient, Optional) configured to the authentication module instance chain. > The overall authentication success or failure is determined based on the control flag assigned to each module in the authentication stack. > OpenSSO is tested and verified to provide multi-factor authentication chain that include BiObex Login, Smartcard/PKI and other OpenSSO supported authentication providers. • Session Upgrade allows upgrading a valid session based on a successful “second-factor authentication” performed by the same user. > Allows user authenticate to access second resource under the same or different realm > If authentication is successful - OpenSSO updates the session based on the second- level authentication. If authentication fails, the current session will be maintained. 20
  • 21. Configuring Authentication Chain Goto: “Authentication” Select “Authentication Chaining” ….. 21
  • 22. Testing Multi-factor/Biometric SSO 1. Goto: Authentication - Configure “PasswordFinger” as Default Authentication Chain.  Make sure the ldapService remains as Administrator AuthN chain.  Goto: http://<GlassFish>/opensso 22
  • 23. Role of OpenSSO Policy Agents Authorization and Policy enforcement • Policies are managed by Policy configuration service in OpenSSO. > Policy service authorizes a user based on the policies stored in OpenSSO. > Policies consists of Rules, Subjects, Conditions and Response providers.. • OpenSSO Policy Agents enforce policies and policy decisions on protected resources . > Intercepts requests from clients/applications and redirects the requests to OpenSSO for authentication - if no valid session token is present. > Once authenticated, the policy agent communicates with OpenSSO Policy service to grant/deny access to the user based on policy evaluation. 23
  • 24. Attribute Retrieval for Application Use • User Profile Attributes > J2EE Agent allows retrieving LDAP Attributes and sets them as HTTP Headers or Cookies. > com.sun.identity.agents.config.profile.attribute.fetch.mode (Possible values are HTTP_HEADER, HTTP_COOKIE, REQUEST_ATTRIBUTE, NONE) > Attribute mapping can be done using com.sun.identity.agents.config.profile.attribute.map • Response Attributes > J2EE Agent allows retrieving Response Attributes and sets them as HTTP Headers or Cookies. > com.sun.identity.agents.config.response.attribute.fetch.mode (Possible values are HTTP_HEADER, HTTP_COOKIE, REQUEST_ATTRIBUTE, NONE). > Attribute mapping can be done using com.sun.identity.agents.config.response.attribute.map • Session Attributes > J2EE Agent allows retrieving Session Attributes and sets them as HTTP Headers or Cookies. > com.sun.identity.agents.config.session.attribute.fetch.mode (Possible values are HTTP_HEADER, HTTP_COOKIE, REQUEST_ATTRIBUTE, NONE) > Attribute mapping can be done using com.sun.identity.agents.config.session.attribute.map • Privileged Attributes 24
  • 25. OpenSSO / BiObex Troubleshooting • Enable Message-level Debugging in OpenSSO > Goto Administration page, select ‘Configuration’ tab. > Select your OpenSSO server, In Debug section, select Debug Level to “Message”. > Restart your Web container. • View BiObex AMLoginModule logs > Goto ~/opensso/debug/ and view the following files. > “Biobex”: Contains tracing when the login module in action > “BiobexSSL”: Contains OpenSSO-Biobex server communication related messages, SSL related configuration errors. > “amAuth”: Contains message related to LoginModule instance and issues related to configuration of BiObex AMLoginModule. • View BiObex Authentication server logs for issues related to user authentication failure. • Make sure user has an account in OpenSSO and also enrolled his/her fingerprints in BiObex Enrollment server. 25
  • 26. Environment Requirements Supported/verified BiObex environment Components Software Products (Provided) Supported Environment Application Server GlassFish V2 Sun Application Server 7.1 Authentication and OpenSSO/BiObex AMLoginModule OpenSSO Enterprise Authorization Server Sun Access Manager 7.1 Oracle 10g Database Server DB2 PostgreSQL 7.3 + MySQL 5.x JRE 1.5.12 + User Enrollment BiObex Enrollment Client Windows XP/2003/Vista Workstation SecuGen Hamster Plus/IV Sensors RHEL/SUSE Linux Solaris / Sun Ray / Solaris TX Client Workstation BiObex 2.8 Client Windows XP/2003 (Microsoft Windows / BioGINA RHEL/SUSE Linux SunRay) SecuGen Hamster Plus/IV Sensors Solaris / Sun Ray / Solaris TX JRE 1.5.12 + BiObex Server BiObex Authentication Server Windows XP/2003 BiObex Enrollment Server RHEL/SUSE Linux Solaris / Sun Ray / Solaris TX 26
  • 27. Real-world Deployment Biometrics and Smartcard/PKI based Logical Access Control * User Desktops/Browsers configured to use Biometric Scanners and Smartcard Readers. 27
  • 28. SaaS/Cloud Deployment Deploying Biometric Assurance as “SaaS” over Web 28
  • 29. Acquiring BiObex Software Contact/Support information Advanced Biometric Controls, LLC 11501 Sunset Hills Rd., Suite 200 Reston, Virginia 20190-4731 Toll-free: 1-877-4 BIOBEX 877-424-6239 571-313-0969 Main 571-313-0962 Fax Internet: www.biobex.com E-mail: support@biobex.com 29
  • 30. Q&A Ramesh Nagappan Sun Microsystems, Burlington, MA ramesh.nagappan@sun.com http://www.coresecuritypatterns.com/blogs