leveraging new features in ca single-sign on to enable web services, social sign-on and enhanced...
DESCRIPTION
CA Single Sign-On (CA SSO) is constantly evolving, incorporating the latest technologies in secure Web access management. In order to stay secure and competitive, CA SSO makes greater use of the CA Access Gateway (formerly CA SiteMinder Secure Proxy Server). This presentation provides a comprehensive overview of the new features in CA Single Sign On. For more information on CA Security solutions, please visit: http://bit.ly/10WHYDm
TRANSCRIPT
Leveraging New Features in CA Single Sign-On to Enable Web Services, Social Sign-On and Enhanced Session Security
Tim Hobbs, Advisor, Product Management, CA Technologies
SCX19E #CAWorld
*formerly CA SiteMinder
2 © 2014 CA. ALL RIGHTS RESERVED.
Abstract
CA Single Sign-On (CA SSO) is constantly evolving, incorporating the latest technologies in secure web access management. In order to stay secure and competitive, CA SSO makes greater use of the CA Access Gateway (formerly CA SiteMinder® Secure Proxy Server).
Tim Hobbs
CA Technologies
Advisor, Product Management
Agenda
1. USING THE CA ACCESS GATEWAY
2. SOCIAL SIGN-ON
3. OPEN FORMAT COOKIE
4. WEB SERVICES (SOAP AND REST API)
5. ENHANCED SESSION ASSURANCE WITH DEVICEDNA™
CA Access Gateway Overview (agent focused)
[Diagram: Browser -> Web Server with CA SSO Agent -> CA SSO Policy Server -> User Directories and CA SSO Policy Store]
CA Access Gateway Overview (proxy focused)
[Diagram: Browser -> CA Access Gateway -> Web Servers and Web Services APIs; CA Access Gateway -> CA SSO Policy Server -> User Directories and CA SSO Policy Store]
CA Access Gateway Overview
Any (and multiple) back-end web servers
Login, federation, password service pages
Session management options for mobile devices
Significantly reduces the TCO
[Diagram: Users (employees, mobile employees, partners, customers) -> CA Access Gateway -> Destination Servers; CA Access Gateway -> CA SSO Policy Server]
CA Access Gateway Product Features
Access control for HTTP and HTTPS requests
Single sign-on
Multiple session schemes
Session storage
Cookie-less single sign-on
Intelligent proxy rules
Centralized access control management
Enterprise class architecture
Expanded Support For SSO And Access Management: Overview
Feature: Description
WebDAV: CA Access Gateway can control access to content that is accessed via the WebDAV protocol, an extension of HTTP
Session Linker: For securing single sign-on to ERP environments
Support for ASAs: CA Access Gateway can be used in place of a CA Single Sign-On Web Agent as the web tier in front of a CA Single Sign-On ASA agent
Integrated Windows Authentication: Support for IWA to access applications on servers behind CA Access Gateway
Enhanced proxy rules: Enhanced rules to support new conditions based on cookie existence, cookie value, and header existence
Proxy Rules Overview
Forward requests based on:
URI
Virtual host name
Header values (standard or created by CA SSO response)
Device type
File extension
Cookie existence/cookie value
Regular expressions and nested conditions in proxy rules
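As an added illustration of the forwarding criteria listed above (this is example code, not CA Access Gateway's own proxy-rule syntax or implementation), the following Python models a first-match rule set whose conditions can be nested with all/any/not over URI regex, virtual host, header existence or value, cookie existence or value, file extension and device type. The rule names, backend hosts and sample requests are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A request as the proxy sees it. Sample values are constructed for this example.
@dataclass
class Request:
    host: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str):
        # HTTP header names are case-insensitive
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None

Condition = Callable[[Request], bool]

# Leaf conditions, one per forwarding criterion on the slide
def uri_matches(pattern: str) -> Condition:
    rx = re.compile(pattern)
    return lambda r: rx.search(r.uri) is not None

def virtual_host(name: str) -> Condition:
    return lambda r: r.host.lower() == name.lower()

def header_exists(name: str) -> Condition:
    return lambda r: r.header(name) is not None

def header_value(name: str, value: str) -> Condition:
    return lambda r: r.header(name) == value

def cookie_exists(name: str) -> Condition:
    return lambda r: name in r.cookies

def cookie_value(name: str, value: str) -> Condition:
    return lambda r: r.cookies.get(name) == value

def file_extension(ext: str) -> Condition:
    # Ignore the query string when checking the extension
    return lambda r: r.uri.split("?", 1)[0].lower().endswith("." + ext.lower())

def device_type(kind: str) -> Condition:
    # Crude User-Agent classification; a real gateway consults a device database
    def pred(r: Request) -> bool:
        ua = (r.header("User-Agent") or "").lower()
        is_mobile = any(tag in ua for tag in ("iphone", "android", "mobile"))
        return is_mobile if kind == "mobile" else not is_mobile
    return pred

# Nested conditions: combine to arbitrary depth
def all_of(*conds: Condition) -> Condition:
    return lambda r: all(c(r) for c in conds)

def any_of(*conds: Condition) -> Condition:
    return lambda r: any(c(r) for c in conds)

def negate(cond: Condition) -> Condition:
    return lambda r: not cond(r)

@dataclass
class Rule:
    name: str
    condition: Condition
    forward_to: str

def select_backend(rules: List[Rule], request: Request, default: str) -> str:
    """First matching rule wins; 'default' is the catch-all backend."""
    for rule in rules:
        if rule.condition(request):
            return rule.forward_to
    return default

# Hypothetical rule set; backend hostnames are placeholders
RULES = [
    Rule("mobile-portal",
         all_of(virtual_host("www.example.com"), device_type("mobile"), uri_matches(r"^/portal/")),
         "http://mobile-portal.internal:8080"),
    Rule("static-content",
         any_of(file_extension("css"), file_extension("js"), file_extension("png")),
         "http://static.internal"),
    Rule("beta-users",
         all_of(cookie_value("beta", "1"), negate(header_exists("X-Legacy-Client"))),
         "http://beta.internal"),
    Rule("partner-api",
         all_of(virtual_host("api.example.com"), header_value("X-Partner-Id", "acme")),
         "http://partner-api.internal"),
]
DEFAULT_BACKEND = "http://www.internal"

def route_samples() -> Dict[str, str]:
    """Route a few constructed requests and return the chosen backend per sample."""
    desktop = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/100.0"}
    mobile = {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0) Mobile/15E148"}
    samples = {
        "mobile-portal": Request("www.example.com", "/portal/home", mobile),
        "desktop-portal": Request("www.example.com", "/portal/home", desktop),
        "stylesheet": Request("www.example.com", "/assets/site.css?v=3", desktop),
        "beta-cookie": Request("www.example.com", "/app", desktop, {"beta": "1"}),
        "beta-legacy": Request("www.example.com", "/app", {**desktop, "X-Legacy-Client": "1"}, {"beta": "1"}),
        "partner": Request("api.example.com", "/v1/orders", {"X-Partner-Id": "acme"}),
    }
    return {name: select_backend(RULES, req, DEFAULT_BACKEND) for name, req in samples.items()}
```

Rule order matters in a first-match scheme: the more specific mobile rule is listed before the static-content rule so that a mobile request for a portal page is not misrouted, and the catch-all is never a rule but the default returned when nothing matches.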
Improved Management For Lower TCO: Overview
Feature: Description
Manage multiple instances: Can configure multiple CA Access Gateway hosts at the same time
Multiple instances on single hardware platform: Making it possible to separate user groups or application access across CA Access Gateway instances without increasing hardware costs
CA Application Performance Management* support: CA Access Gateway has been instrumented to provide performance data to the application performance tool
Agent discovery: CA Access Gateway instances are uniquely identified in the CA Single Sign-On agent discovery administrative UI for ease of management
Administrative UI for configuration: Administrative UI for configuring proxy rules, virtual hosts, proxy service settings, session store and session scheme settings, federation settings
*formerly CA Wily Introscope®
Improved Management for Lower TCO: Administrative UI (capabilities introduced with SPS r12.5)
Citrix NetScaler Overview: Leading Application Delivery Controller
Available as a physical or virtual appliance, Citrix NetScaler is a comprehensive system deployed in front of application and database servers that combines high-speed load balancing and content switching with:
Application acceleration
Highly-efficient data compression
Static and dynamic content caching
SSL acceleration
Application performance monitoring
Robust application security
Courtesy: Citrix Training Content
[Diagram panels: B2B, B2C, P2P traffic; Availability, Performance, Offload, Security; App Expert Admin]
• World-class L4-L7 load balancing
• Intelligent service health monitoring
• Caching
• Compression
• Connection pooling
• Web 2.0 offload
• SSL processing
• Access Gateway SSL VPN
• Application firewall
Citrix NetScaler Platforms
NetScaler VPX: A virtual appliance
NetScaler MPX Platform Models: Hardware appliance for scale
NetScaler SDX: Platform for enterprise and cloud datacenters
– Virtualized architecture, which effectively delivers multiple NetScaler instances running on a single NetScaler MPX appliance, with an advanced control plane for unified provisioning, monitoring and management for multi-tenant requirements
– Can consolidate up to 80 independently-managed NetScaler instances with up to 120 Gbps of overall performance
– Provides complete isolation so that memory, CPU cycles and SSL capacity can be divided and definitively assigned to different NetScaler instances
Software and Hardware Appliances
Courtesy: Citrix Training Content
CA Access Gateway for Citrix NetScaler SDX
Virtual Appliance built on RedHat Enterprise Linux (RHEL) in Citrix-supported XVA format and deployed on NetScaler SDX platform
All standard features of CA Access Gateway, which can be used after performing standard configurations (requires a configured CA Single Sign-On Policy Server)
Can be dynamically provisioned and managed from Citrix NetScaler SDX administrative interface
– Creates a VM with installed CA Access Gateway instance (takes the install parameters from provisioning UI)
– Monitor performance
– Start, stop, reboot, upgrade, upgrade SDX tools etc.
CA Single Sign-On integration use cases with Citrix NetScaler 10.5.x
SAML-based SSO authentication between Citrix NetScaler and CA Single Sign-On
Radius-based authentication from Citrix NetScaler through CA Single Sign-On
Full range of CA Single Sign-On authentication as well as granular authorization capabilities available via integration
Support for Social Sign-On: Overview
Simple new user registration increases sign up rate.
Use consumer identity for initial customer acquisition and low risk transactions.
Collecting identity and device attributes allows for personalized marketing.
Seamless sign-on encourages registration and enables targeted marketing.
Sign on with stronger credentials when needed for high value transactions.
Support for Social Sign-On: Use Case
1. User initiates a sign-on request using his social sign-on account (OAuth request).
2. User is redirected to the selected remote authorization server and logs in.
3. The OAuth flow is completed via the backchannel.
4. If configured, user information is retrieved from the configured user information URL via the backchannel.
5. Once authorized, the browser is redirected to the configured target page.
6. If authorized but not found in the user store, JIT provisioning process can be launched (first time access/create account).
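The flow above, walked through as an added example (not CA SSO's own code and not a real provider's API): a mock OAuth 2.0 authorization server stands in for the remote provider, and a relying-party client plays the CA SSO role, binding each attempt to a state value, exchanging the single-use code over the back channel, fetching user information, then either matching an existing account or provisioning one just in time. The client id, secret, redirect URI, user profile and store contents are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class MockAuthorizationServer:
    """Stand-in for a remote OAuth 2.0 provider; no network, constructed data."""
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client = (client_id, client_secret, redirect_uri)
        self.codes = {}      # single-use authorization code -> subject
        self.tokens = {}     # access token -> subject
        self.profiles = {"alice@example.com": {"email": "alice@example.com", "name": "Alice"}}

    def authorize(self, params, subject):
        # Front channel: the user logged in here; redirect back with code and the caller's state
        if (params["client_id"], params["redirect_uri"]) != (self.client[0], self.client[2]):
            raise PermissionError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = subject
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, code, client_id, client_secret):
        # Back channel: the code is exchanged once and the client authenticates with its secret
        subject = self.codes.pop(code, None)
        if subject is None or (client_id, client_secret) != self.client[:2]:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = subject
        return token

    def userinfo(self, token):
        # Back channel: the user information URL
        return dict(self.profiles[self.tokens[token]])


class SocialSignOnClient:
    """The relying-party role, i.e. what the SSO system plays as OAuth client."""
    def __init__(self, server, client_id, client_secret, redirect_uri, user_store):
        self.server = server
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.user_store = user_store    # local store: email -> profile
        self.pending = {}               # state -> target page awaiting completion

    def start(self, target):
        # Step 1: build the OAuth request; 'state' ties the later callback to this attempt
        state = secrets.token_urlsafe(16)
        self.pending[state] = target
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": "email", "state": state}

    def callback(self, redirect_url):
        query = parse_qs(urlparse(redirect_url).query)
        target = self.pending.pop(query["state"][0], None)
        if target is None:
            raise PermissionError("unknown or reused state")   # forged or replayed callback
        # Step 3: complete the flow over the back channel
        token = self.server.token(query["code"][0], self.client_id, self.client_secret)
        # Step 4: retrieve user information over the back channel
        profile = self.server.userinfo(token)
        email = profile["email"]
        # Step 6: JIT provisioning when the authenticated user is not in the store
        if email in self.user_store:
            outcome = "existing-user"
        else:
            self.user_store[email] = {"name": profile["name"], "source": "jit"}
            outcome = "jit-provisioned"
        # Step 5: send the browser on to the original target page
        return {"user": email, "outcome": outcome, "redirect": target}


def run_demo():
    redirect_uri = "https://sso.example.com/oauth/callback"   # placeholder
    server = MockAuthorizationServer("portal-client", "client-secret", redirect_uri)
    client = SocialSignOnClient(server, "portal-client", "client-secret", redirect_uri, user_store={})
    # First sign-on: the user is unknown locally, so JIT provisioning creates the account
    first_url = server.authorize(client.start("/portal/home"), "alice@example.com")
    first = client.callback(first_url)
    # Second sign-on: the same user now exists in the store
    second = client.callback(server.authorize(client.start("/portal/orders"), "alice@example.com"))
    # Replaying the first callback URL fails: its state was consumed and its code was used
    try:
        client.callback(first_url)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"first": first["outcome"], "second": second["outcome"],
            "redirect": second["redirect"], "replay_rejected": replay_rejected}
```

The state check and the single-use code are what make step 3 safe to complete on the back channel: a callback the client did not initiate, or one presented twice, is refused before any token is requested.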
Support for Social Sign-On: Requirements
Pre-configured OAuth authorization server support for:
– Twitter (OAuth 1.0a)
– Facebook, Google, LinkedIn, Microsoft (OAuth 2.0)
– Many other OAuth Identity Providers
Client registration with the remote authorization server is required before creating partnership
Support for Social Sign-On: Configuration
1. Create the local OAuth client entity.
2. Create or modify the remote entity of an authorization server.
3. Create a partnership to configure single sign-on.
4. Migrate an OAuth authentication scheme to OAuth Partnership.
Support for Social Sign-On: Create the local OAuth client identity.
Select the appropriate OAuth version for your partnership.
Support for Social Sign-On: Modify the remote entity of an authorization server.
Support for Social Sign-On: Modify the remote entity of an authorization server (Google pre-configured remote entity).
Support for Social Sign-On: Create a partnership to configure single sign-on.
Support for Social Sign-On: Migrate to OAuth partnership.
Use both the OAuth authentication scheme and an OAuth partnership simultaneously.
– Add the new redirect URL to the existing OAuth authentication scheme redirect URL.
Use an OAuth partnership instead of the OAuth authentication scheme.
– Update the existing redirect URL at the OAuth authorization server to the appropriate partnership redirect URL.
Lab 1: Social Sign-On
IN THIS LAB YOU WILL:
Create an OAuth Partnership
Credential Handling Service: Overview
Simplified configuration for letting the end user choose the authentication provider
Supports identity providers using federation partnerships
Is deployed on the CA Access Gateway
Credential Handling Service: Use Case
Make several federated partnerships available for login. The credential handling service shows the partnerships in the group.
– An unauthenticated user requests a resource protected by CA SSO and is presented with the choice of identity providers
– The user selects an identity provider to authenticate with
– The selected partnership is invoked and the user is redirected to the identity provider for login and back to CA SSO
– When the user is identified by CA SSO, the user is redirected back to the original target page
– When the user is not found by CA SSO, provisioning can occur
Credential Handling Service: Requirements
CA Access Gateway
Partnership between CA SSO and the enterprise (CA SSO) where protected resources exist
Partnership between CA SSO and identity providers
Credential Handling Service: Configuration
1. Configure partnerships to identity providers.
2. Create an authentication method group.
3. Configure a partnership to the enterprise.
4. Optionally customize the credential selector page.
Credential Handling Service: Login Flow Detail (Registered User)
1. An unauthenticated user invokes a partnership with CHS enabled.
2. The user selects an identity provider and signs on. The identity provider generates an access token and redirects the user to the federation system (relying party).
3. The federation system (relying party) verifies the access token, disambiguates the user, and generates a session.
4. The federation system (asserting party) generates an assertion and redirects the user to the enterprise (relying party).
5. The enterprise (relying party) verifies the assertion and gives the user access to the federated resource.
Credential Handling Service: Create an authentication method group.
Credential Handling Service: Configure a partnership to the enterprise.
Partnership based on one of these authentication protocols:
– SAML 1.1
– SAML 2.0
– WS-Federation
SSO
– Authentication mode = Credential Selector
– Define the base URL
– Select the previously created Authentication Method Group
Target Application
– SAML 1.1: Target
– SAML 2.0 and WS-Federation: Relay State Overrides Target
Credential Handling Service: Customize the header or footer.
<install_path>\CA\secure-proxy\Tomcat\webapps\chs\jsps
1. Make a copy of the header.jsp file and name the new file header-custom.jsp.
2. Make a copy of the footer.jsp file and name the new file footer-custom.jsp.
3. Customize the new files as needed.
4. Restart CA Access Gateway.
Lab 2: Credential Handling Service
IN THIS LAB YOU WILL:
Create an Authentication Method Group
Enable the Credential Handling Service
Open Format Cookie = “agentless” SSO: Overview
Standards-based cookie directly read by applications
No agent or proxy installed between user and web server
– Lower cost method for accomplishing basic SSO
– Web applications decrypt (optional) and consume the standard cookie
– Adds flexible option to a customer’s CA SSO architecture
For applications that have lower security requirements
– No centralized auditing, CA SSO authorization or centralized session control
Web Agent in the CA SSO architecture used for protection and cookie generation
Open Format Cookie Use Case
When not possible/not convenient to deploy a Web Agent
Less stringent security and session control over applications
Generated in response to a successful authentication or authorization event
SOAP and REST APIs: Overview
Web service interfaces for authentication and authorization
Deployed via CA Access Gateway
Supports SOAP (wsdl) and REST (wadl) architectures
http(s)://server:port/authazws/auth?wsdl
http(s)://server:port/authazws/AuthRestService/application.wadl
Lower cost method for integrating CA SSO services
Adds flexible option to a customer’s CA SSO architecture
SOAP and REST APIs: Overview
Authn/Authz web services provide the following functionality:
– login – Authenticates and returns session token (and optional identity token)
– blogin – (Boolean login) authenticates and verifies whether login is successful and does not return session token
– logout – Logs out the user or group of users
– authorize – Returns an authorization status message and a refreshed session token
SOAP and REST APIs: Use Case
1. User accesses mobile gateway via smart phone.
2. Mobile Gateway calls web service interface to authenticate user.
3. Web service validates with CA SSO Policy Server.
4. CA SSO validates/authorizes request.
5. Web service provides validation/authorization status back to mobile gateway via session token.
6. Mobile gateway requests content from web server.
7. Content is returned to user.
[Diagram actors: User, Mobile Gateway, Secure Proxy Server, Policy Server, Web Server]
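To show how the four operations from the overview (login, blogin, logout, authorize) fit the mobile-gateway use case above, here is an added in-memory model of such a web service and of a gateway calling it. It is example code, not the CA authazws interface: the method names follow the slide, but the argument lists, return dictionaries, credential store, policies, session TTL and clock values are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time


class MockAuthAzService:
    """In-memory stand-in for the authn/authz web service, mirroring the four
    operations named on the slide; the data shapes are this example's own."""
    def __init__(self, users, policies, session_ttl=600):
        # Credential store: user -> (salt, PBKDF2 hash); users are constructed
        self.creds = {}
        for user, password in users.items():
            salt = os.urandom(16)
            self.creds[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000))
        self.policies = policies    # resource -> set of users allowed
        self.sessions = {}          # session token -> (user, expires_at)
        self.ttl = session_ttl

    def _credentials_ok(self, user, password):
        if user not in self.creds:
            return False
        salt, expected = self.creds[user]
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        return hmac.compare_digest(actual, expected)

    def _new_session(self, user, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now + self.ttl)
        return token

    def login(self, user, password, now=None):
        """Authenticate and return a session token plus an identity token."""
        now = now or time.time()
        if not self._credentials_ok(user, password):
            return {"status": "failure"}
        return {"status": "success", "session_token": self._new_session(user, now),
                "identity_token": user}

    def blogin(self, user, password):
        """Boolean login: verifies credentials only; no session is created."""
        return self._credentials_ok(user, password)

    def logout(self, token):
        return self.sessions.pop(token, None) is not None

    def authorize(self, token, resource, now=None):
        """Return an authorization status and a refreshed session token."""
        now = now or time.time()
        entry = self.sessions.pop(token, None)    # the presented token is retired on refresh
        if entry is None or entry[1] < now:
            return {"status": "invalid-session", "session_token": None}
        user, _ = entry
        status = "authorized" if user in self.policies.get(resource, set()) else "unauthorized"
        return {"status": status, "session_token": self._new_session(user, now)}


def mobile_gateway_flow():
    """Walk the use case: the gateway authenticates once, then authorizes per request."""
    svc = MockAuthAzService(users={"alice": "correct horse"},
                            policies={"/mobile/orders": {"alice"}, "/mobile/admin": set()})
    t0 = 1_700_000_000.0    # fixed clock so the run is deterministic
    results = {}
    # blogin proves the password but hands back no session
    results["blogin"] = svc.blogin("alice", "correct horse")
    results["sessions_after_blogin"] = len(svc.sessions)
    # Steps 2-5: login yields a session token; the gateway keeps the token, never the password
    token = svc.login("alice", "correct horse", now=t0)["session_token"]
    authz = svc.authorize(token, "/mobile/orders", now=t0 + 1)
    results["orders"] = authz["status"]
    results["token_refreshed"] = authz["session_token"] != token
    # The pre-refresh token no longer works, so a captured old token is worthless
    results["old_token"] = svc.authorize(token, "/mobile/orders", now=t0 + 2)["status"]
    token = authz["session_token"]
    authz = svc.authorize(token, "/mobile/admin", now=t0 + 3)
    results["admin"] = authz["status"]
    token = authz["session_token"]
    results["logout"] = svc.logout(token)
    results["after_logout"] = svc.authorize(token, "/mobile/orders", now=t0 + 4)["status"]
    # A session checked after its TTL is rejected
    stale = svc.login("alice", "correct horse", now=t0)["session_token"]
    results["expired"] = svc.authorize(stale, "/mobile/orders", now=t0 + 601)["status"]
    results["bad_password"] = svc.login("alice", "wrong")["status"]
    return results
```

The point a gateway integrator should take from the model is the division of labour: credentials cross the gateway once at login, every later call carries only the session token, and the refreshed token returned by authorize is the one to store for the next request.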
SOAP and REST APIs: Requirements
Determine and register a virtual host name (DNS entry, Hosts file).
Protect the web services root URL.
SOAP and REST APIs: Requirements
One or more agents to protect target applications against which callers authenticate
Realms, user directories, policies and responses that are required for authentication and authorization
A client program to issue authn/authz requests to the web service on behalf of another application
(see KB article TEC592437 Scenario: Working with the CA Single Sign-On Authentication and Authorization Web Services)
SOAP and REST APIs: Configuration
1. Create the ACO.
2. Enable the web services.
3. Configure the web services logs (optional).
SOAP and REST APIs: Create the ACO.
Agentname
EnableAuth / EnableAz
RequireAgentEnforcement
SOAP and REST APIs: Configure the Web Services logs.
Open file sps_home/proxy-engine/conf/webservicesagent/authaz-log4j.xml
Un-comment the AuthAZ_ROLLING appender tag:
<appender name="AuthAZ_ROLLING" class="org.apache.log4j.DailyRollingFileAppender">
  <param name="File" value="logs/authazws.log"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d %-5p [%c] - %m%n"/>
  </layout>
</appender>
Un-comment all occurrences of appender-ref for the tag:
<appender-ref ref="AuthAZ_ROLLING"/>
New log file: sps_home/proxy-engine/logs/authazws.log
Lab 3: Web Services
IN THIS LAB YOU WILL:
Enable the authentication and authorization Web Services
Enhanced Session Assurance With DeviceDNA: Overview
Improves upon existing authentication and session persistence capabilities
Enhancement to the authentication service and the Policy Server to allow for association of DeviceDNA
DeviceDNA is data unique to individual HTTP clients
CA Access Gateway and session store required to support the DeviceDNA collection
Enhanced Session Assurance With DeviceDNA: Use Case
Combats session hijacking/session replay
Blocks the use of a stolen SMSESSION cookie
Included with CA SSO deployment and license (no additional SKUs)
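The mechanism that lets a session-assurance check block a stolen session cookie, shown as an added example (this is not CA's DeviceDNA algorithm or its attribute set): a session is bound at creation to a keyed hash of client attributes, every later use must present attributes that hash to the same value, and a mismatch terminates the session and writes an audit event a SOC can alert on. The attribute names, server key and sample devices are constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets

# Server-side key so the stored binding cannot be derived from observable attributes alone
SERVER_KEY = b"replace-with-a-managed-secret"   # placeholder


def device_fingerprint(attributes: dict) -> str:
    """Keyed hash over a canonical encoding of client attributes (names are assumed)."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()


class SessionStore:
    """Sessions bound, at creation, to the device that created them."""
    def __init__(self):
        self.sessions = {}   # session id -> {"user": ..., "device": fingerprint}
        self.audit = []      # audit trail consumed by detection tooling

    def create(self, user: str, attributes: dict) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "device": device_fingerprint(attributes)}
        return sid

    def validate(self, sid: str, attributes: dict) -> str:
        entry = self.sessions.get(sid)
        if entry is None:
            return "no-session"
        presented = device_fingerprint(attributes)
        if not hmac.compare_digest(entry["device"], presented):
            # The cookie is valid but arrives from a different client: treat as replay
            del self.sessions[sid]
            self.audit.append({"event": "session-assurance-mismatch",
                               "user": entry["user"], "session": sid})
            return "rejected"
        return "ok"


def demo():
    """Constructed scenario: a valid session cookie is presented from another device."""
    store = SessionStore()
    original_device = {"user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/100.0",
                       "screen": "1920x1080", "timezone": "Europe/Berlin", "languages": "de-DE,en"}
    other_device = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/100.0",
                    "screen": "1366x768", "timezone": "America/New_York", "languages": "en-US"}
    sid = store.create("alice", original_device)
    legit = store.validate(sid, original_device)     # same device: accepted
    replay = store.validate(sid, other_device)       # cookie reused elsewhere: rejected, session ended
    after = store.validate(sid, original_device)     # the real user's session is gone too
    return {"legit": legit, "replay": replay, "after": after,
            "audit_events": len(store.audit), "audit_user": store.audit[0]["user"]}
```

Two design points follow from the slide's limitation list: the attributes have to be collected client-side (hence the JavaScript and cookie requirement), and strict equality as used here would also reject a legitimate user whose attributes drift, so a production check needs a tolerance policy and a re-authentication path rather than a silent logout.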
Enhanced Session Assurance With DeviceDNA: Requirements
Policy Server r12.52 or greater
– Installs necessary components silently
CA Access Gateway r12.52 or greater
Session store
Agent configuration object used for CA Access Gateway configuration should have “.sac” in ignore extensions list
Enhanced Session Assurance With DeviceDNA: Configuration
1. Review the limitations.
2. Configure the CA Access Gateway.
3. Create Enhanced Session Assurance endpoints.
4. Add endpoints to realms or applications.
5. (Optional) Enable Enhanced Session Assurance on partnerships.
Enhanced Session Assurance With DeviceDNA: Limitations
Web 2.0 clients
Custom agents
Clients that do not support JavaScript and cookies
POST preservation
Shared workstations
Authentication/authorization web services
Federation limitations
– The SP side of a SAML 2.0 partnership.
– HTTP-POST Authentication request bindings on the IDP side of a SAML 2.0 partnership.
Enhanced Session Assurance With DeviceDNA: Configure the CA Access Gateway environment.
Enter the advanced authentication server encryption key (from the installation or upgrade) in all Policy Servers.
Enable the encryption by configuring the JVM with the JSafeJCE Security Provider.
If multi-domain SSO is configured using a cookie provider Web Agent, the CA Access Gateway must be configured to run in the same domain as the cookie provider Web Agent.
Enhanced Session Assurance With DeviceDNA: Create Enhanced Session Assurance endpoints.
On the Global options, select Create Session Assurance Endpoints.
Enhanced Session Assurance With DeviceDNA: Add endpoints to realms or applications.
To protect resources in realms, add the session assurance endpoint.
Enhanced Session Assurance With DeviceDNA: Enable Enhanced Session Assurance on partnerships.
Available on the following partnerships:
– The IdP side of an SP to IdP partnership
– The Producer side of a Consumer to Producer partnership
– The AP side of an RP to AP partnership
Lab 4: Session Assurance
IN THIS LAB YOU WILL:
Enable Enhanced Session Assurance with DeviceDNA
For More Information
To learn more about Security, please visit: http://bit.ly/10WHYDm
Terms of this Presentation
For Informational Purposes Only
© 2014 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
This presentation provided at CA World 2014 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.