Professional Documents
Culture Documents
Sign&go Architecture Guide
Sign&go Architecture Guide
Concepts
Contacts
ILEX
51 boulevard Voltaire
92600 Asnières-sur-Seine
FRANCE
Telephone : +33 (0)1 46 88 03 40
Fax : +33 (0)1 46 88 03 41
www.ilex-international.com
support@ilex-international.com
Legal Information
Meibo, Meibo People Pack, Sign&go and Sign&go Santé are registered trademarks of Ilex.
All other trademarks mentioned in this document are the property of their respective owners.
This document is provided for information purposes only. Ilex provides no guarantee nor accepts any
liability for the information contained in this document. All specifications or information given in this
document are subject to modification at anytime without prior notification.
In accordance with article L. 122-4 of the Code de la Propriété Intellectuelle (French intellectual property
law), any full or partial reproduction, representation or distribution of this document by any means
whatsoever, without the express permission of Ilex, is prohibited and constitutes a breach of the law that
can result in prosecution under Articles L. 335-2 and subsequent articles of the Code de la Propriété
Intellectuelle (French intellectual property law).
TABLE OF CONTENTS
I. OVERVIEW OF SIGN&GO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
1. What is Sign&go?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.1. Securing access to information systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.2. Sign&go, access control and secure SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.3. Sign&go, first ''Global SSO'' solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2. When should Sign&go be used? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3. Architecture of Sign&go . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4. Functionality of Sign&go. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.1. Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.2. Authorisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.3. Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.4. Auditing access to company resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Ilex 5
Sign&go
4. Secondary credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.1. Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.2. Walk-through of credentials management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.3. Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.4. Credentials management interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6 Ilex
Sign&go
Chapter 1
Overview of Sign&go
In this chapter:
What is Sign&go? (page 9)
When should Sign&go be used? (page 11)
Architecture of Sign&go (page 13)
Functionality of Sign&go (page 15)
Ilex 7
Sign&go
1. What is Sign&go?
In this section:
Securing access to information systems (page 9)
Sign&go, access control and secure SSO (page 9)
Sign&go, first ''Global SSO'' solution (page 9)
Sign&go is a security solution conceived for rapid and flexible integration into the most demanding
eBusiness architectures.
Compatible with leading databases and directories available on the market, Sign&go directly
exploits the company's data repositories.
Finally, by respecting Identity Federation standards, Sign&go guarantees a lasting investment in
an open and interoperable solution.
Sign&go is the security solution to implement as soon as your company finds itself faced with any
of the following situations:
Internal applications being made available to partners, customers or suppliers
Implementation of security policies
Deployment of strong authentication systems
Unique authentication of users of the company's applications (SSO)
Auditing access to all IT applications
3. Architecture of Sign&go
Sign&go allows managing Web SSO and Enterprise SSO or, in other words,
''Global SSO''. Most of the concepts mentioned in this guide are common to the
Web SSO solution and eSSO. However, this guide refers only to the specifics of
the Web SSO architecture.
On average, an employee possesses between 4 and 10 different user accounts. This means that
there are probably just as many passwords to remember, with as many potential security lapses.
Management of these passwords by the helpdesk penalises the user's activity (blocked accounts,
forgotten passwords, etc.) and heavily impacts the IT department's budget.
Between the security requirements, performance and ergonomy, the eSSO solution proposed by
Ilex enables:
Automating password reset operations
Improving employee productivity
Reducing operational costs
Increasing the security of your systems
The security policies that you implement in order to protect your applications do not generally
depend upon the type of client in use (ex: Webmail or thick client). So why use 2 different tools,
duplicate effort (implementation, maintenance, interoperability…) and multiply the associated
risks?
Sign&go is a new generation SSO solution which unites Web SSO, Identity Federation and eSSO
by centralising the definition of security policies and audit information.
Sign&go provides simple and coherent user interfaces and rapidly adapts to your environment
and its constraints whilst respecting standards.
Sign&go protects the company's various applications without the need for deployment on each
user workstation.
Composed of security servers and agents which can be installed on the various Web and
Reverse-Proxy servers available on the market, Sign&go intercepts all communications and
applies the security policies and SSO strategies defined by the company's IT department.
Its modular architecture supports very high loads in addition to the most demanding high
availability constraints.
Extranet type architecture:
4. Functionality of Sign&go
In this section:
Authentication (page 15)
Authorisation (page 16)
Single Sign-On (page 16)
Auditing access to company resources (page 18)
4.1 Authentication
Sign&go is based on a powerful and adaptable authentication engine. This open engine integrates
numerous authentication methods as standard, from routine to the highest security:
Identifier/password
One Time Password (RSA SecurID, Vasco, etc.)
Radius
X509 certificates (files, smart cards, USB keys, biometric)
CPS card
CPS card + Vitale card
Contactless (RFID) cards/password
Xiring CPS smart card reader
NTLM
Kerberos
Checkpoint OPSEC
Custom (APIs, SMS messages, specific shemes)
SAML v1 and v2
OAuth v2 (Facebook, Google mail, Windows Live)
Encrypted cookie (Pelican)
Sign&go is capable of retrieving and exploiting the password strategies defined within databases
and directories (Active Directory, SunONE …). It reinforces traditional authentications both by
imposing stronger password policies and by permitting account locking in the case of failed
authentication.
In the case of the company's repository not incorporating strategy functions, Sign&go provides its
own, thus guaranteeing increased security in all cases.
Highly flexible, the security engine enables the application of authentication schemes according
to the criticality of the application accessed. It is also possible to deploy several authentication
methods concurrently and to impose on the user the requirement to reauthenticate when wanting
to access a more sensitive resource.
4.2 Authorisation
In this section:
Access control (page 16)
Centralised access protection (page 16)
Finally, equipped with native identity management protocols like SAML, Sign&go is a security
product guaranteeing the company a lasting investment interoperable with other solutions on the
market.
Chapter 2
Architecture types
In this chapter:
Overview of Sign&go (page 21)
Securing external access (page 23)
Securing internal access (page 27)
Ilex 19
Sign&go
1. Overview of Sign&go
In this section:
Principle of Sign&go (page 21)
Components of Sign&go (page 21)
Schema (page 22)
To ensure the user authentication and authorisation phases, the security server
relies on the configuration and user directories.
1.3 Schema
The general architecture of Sign&go is shown in the following diagram:
In this section:
Simple configuration (page 23)
High availability configuration (page 25)
2.1.1 Principle
The Web Reverse-Proxy SSO architecture is based on a module placed between the user and
the Web application server: the Web Reverse-Proxy. This module accepts the requests and
routes the information to the destination applications.
The Sign&go agent installed in the Reverse-Proxy carries out the SSO process. Indeed, it
validates the authorisations and can alter the Web application requests in order to simulate a client
authentication (secondary authentication).
2.1.2 Schema
The following schema illustrates a Web Reverse-Proxy SSO architecture:
2.1.3 Operation
Here the user has only one intermediary: the Reverse-Proxy. Therefore it is necessary to modify
the company's DNS configuration such that the Reverse-Proxy is seen as the destination server.
In this way, the user authenticates against the Reverse-Proxy with the help of standard
authentication methods. This server then authorises or denies access to the final URLs by using
the resource protection methods of the security server.
The Sign&go agents are installed directly onto the Web Reverse-Proxies positioned at the entry
to the network. These agents solicit all the security servers, using load-balancing algorithms for
example, and thus retrieve the strategies to be applied.
2.1.4 Advantages
The main advantages of the Web Reverse-Proxy SSO architecture are based on:
Installation: the security Reverse-Proxy sits in the connection chain between the client
and the servers. Therefore no modification whatsoever is required to the servers or the
clients (non-intrusive to the targeted system).
Architecture: the operations are carried out at the HTTP protocol level, which is why this
system of SSO remains independent of the physical architecture (OS, hardware).
Furthermore, this system masks the network topology. In fact, the security portal is the
only machine accessible by the client; this permits the creation of a demilitarised zone
(DMZ), an area equipped with intermediate security between the exterior and interior of
the company. One sole Reverse-Proxy is therefore capable of protecting all the Web
servers.
2.1.5 Restrictions
The Web Reverse-Proxy SSO architecture presents certain limits:
The need to reinforce security: due to the interruption of the connection chain between
the client and the Intranet server, security must be reinforced by making sure that the
destination servers are placed as close as possible to the Reverse-Proxy. This is a large
constraint in an Intranet environment.
The loading (high availability): the portal is the obligatory point of passage to the
applications. As a consequence, issues of Reverse-Proxy loading can arise. Therefore,
in order to conserve the global level of high availability, it is urged that the same resilient
architecture is put in place on the Reverse-Proxy as on the Web server.
The SSL: this system of SSO supports partial compatibility with SSL. When the user
authenticates by certificate to the Web Reverse-Proxy, the Web Reverse-Proxy cannot
then make use of the user's certificate to authenticate to the server.
In this case, the user information is transmitted in the form of application information
(HTTP headers) between the Reverse-Proxy and the server. In fact, the authentication by
certificates intrinsically necessitates direct communication, without interruption in the
chain.
2.2.3 Loading
A complex multi-level cache mechanism exists between the agents and the security servers. This
cache rapidly makes an agent autonomous with regard to a given user.
The cache mechanisms of Sign&go optimise the performance in a radical fashion and thereby
permit the graceful handling of load increases.
In this section:
Web Proxy SSO architecture (page 27)
Filter based Web SSO architecture (page 29)
Multi-site architecture (page 31)
Identity Federation (page 32)
3.1.1 Principle
This architecture implies the modification of the client browser configurations in order to direct
connections to a Proxy. The Proxy intercepts the requests and routes the information to the
destination applications.
The Proxy carries out the SSO process. However it does not satisfy itself with simply routing the
client request to the correct machine, but alters the requests in order to simulate an authentication
of the client to the Web application (secondary authentication).
3.1.2 Schema
The following schema illustrates a Web Proxy SSO architecture:
3.1.3 Operation
After configuration of the user's browser, all requests systematically pass via the Proxy, even if
the client wishes to reach a Web site exterior to the company.
Once the user is authenticated, the Proxy authorises or denies access to the destination URLs.
3.1.4 Advantages
The main advantages of the Web Proxy SSO architecture are based on:
Installation: after the configuration of the client workstations, the HTTP protocol directly
manages the connections passing through the Proxy. There is no need to modify the
sever DNS configurations (as is the case for Reverse-Proxy). This system is therefore
non-intrusive on the servers.
Architecture: all operations are conducted at the level of the HTTP protocol, therefore
this system of SSO remains independent of the underlying architecture. After the
configuration of the client workstations, all of the Web servers are potentially accessible.
Load balancing (high availability): in order to take account of the constraints of high
availability, several proxies can be configured at the user workstation level.
3.1.5 Restrictions
The Web Proxy SSO architecture presents certain limits:
The need to reinforce security: due to the interruption of the connection chain between
the client and the Web server, security must be reinforced by making sure that the
destination servers are placed as close as possible to the Proxy. This is a large
constraint in an Intranet environment.
When SSO is implemented, the HTTPS protocol in Proxy mode imposes upon the Proxy
the decryption of the data flow before any connection to the destination server. The Proxy
is therefore installed as a "man-in-the-middle proxy". As such, for security it constitutes a
strategic entry point, and so should be reinforced by securing the Operating Systems and
installing firewalls for example.
The configuration: this system imposes modification of the configuration of the user
workstations. Therefore, you cannot install it on user workstations remote from the IT
infrastructure or, more generally, where there is no control over the user workstation.
The SSL: this system of SSO supports partial compatibility with SSL. When the user
authenticates by certificate to the Web Proxy, the Web Proxy cannot then make use of
the user's certificate to authenticate to the server. In fact, the authentication by
certificates intrinsically necessitates direct communication, without interruption in the
chain.
3.2.1 Principle
This architecture consists of:
A security server: taking charge of the management of users.
Filters (agents): deployed on each server hosting the applications to be protected.
These filters provide upstream protection for the different applications. They are tasked
with obtaining authentication information from the server.
3.2.2 Schema
The following schema illustrates a filter based Web SSO architecture:
The Sign&go security servers are centralised. The various Sign&go agents are installed on the
company's Web servers, which can be geographically distributed over several sites, as well as
Reverse-Proxies.
3.2.3 Operation
The user looks to access a portal site. After verification of the authentication on the portal, the
security server returns the user's access rights on the site in question back to the agent. An
authentication token is stored on the user's workstation. This token is subsequently recovered at
each client connection to a server and permits the verification of its authentication.
If the user tries to access another site, the agent for this site will consult the security server. The
user having already been authenticated (authentication token), the agent directly returns the
user's rights on the new site.
3.2.4 Advantages
The main advantages of the filter based Web SSO architecture are based upon:
Security: the security of the data flow is assured from end to end.
Load balancing (high availability): the load is naturally distributed between the
different servers and can be managed more easily due to the absence of bottlenecks.
SSL: no intermediary exists between the browser and the Web server, resulting in the
possibility of strong authentication from end to end (PKI and X509 certificates).
3.2.5 Restrictions
The filter based Web SSO architecture presents certain limits:
Installation: you must install a filtering agent on each Web server to be protected
(intrusive on the target system).
Filters specific to the servers to be protected: this SSO system is dependent upon
architecture because specific filters are required for the platforms and Web servers.
Sign&go provides the following filters:
Solaris Netscape
iPlanet
Sun One Web Server
Sun One Proxy Server 3.x
Sun One Proxy Server 4.x
ICAP compatible Agent
Ilex Proxy
Apache 2.2
Chapter 3
Configuration
In this chapter:
Authentication (page 35)
Authorisation (page 41)
SSO strategies (page 47)
Secondary credentials (page 51)
Ilex 33
Sign&go
34 Configuration Ilex
Sign&go
1. Authentication
In this section:
Concepts (page 35)
Walk-through of an authentication (page 39)
Case example (page 40)
1.1 Concepts
In this section:
Principles of authentication (page 35)
Using existing directories (page 36)
Authentication policies (page 36)
Authentication agents (page 37)
Authentication schemes (page 37)
Session token (page 38)
Ilex Configuration 35
Sign&go
1.1.2.3 Personalisation
Personalised mappings and connections of directories can be created. The mapping of directories
permits locating a user in a targeted directory when they are known in the source directory. This
is the case, for example, of a company possessing a primary (reference) and several dedicated
directories (internal personnel, external personnel, etc.).
36 Configuration Ilex
Sign&go
Ilex Configuration 37
Sign&go
When the token remains inactive for a length of time, the "timestamp" permits the
definition of an "inactivity timeout" which overrides the absolute lifetime of the
token.
The identity of the session token is defined at the time of its creation and contains the following
elements:
User identity
Directory in which the user was identified
Authentication agent
Time and date of authentication
Confidence level of the means of authentication
Absolute lifetime of the token
Unique serial number of the token
The user profile and authorisations can be refined, throughout the lifetime of the token, with
optional information (identifier, secondary password, work profile, etc.). This application
information, limited to 2KB, is delivered directly to the authorisation agents at the time of
authentication.
38 Configuration Ilex
Sign&go
Ilex Configuration 39
Sign&go
40 Configuration Ilex
Sign&go
2. Authorisation
In this section:
Concepts (page 41)
Walk-through of access to a protected resource (page 43)
Case example (page 44)
2.1 Concepts
In this section:
Principle of authorisation (page 41)
Access rules (page 42)
Criteria (page 42)
Behaviours (page 43)
When a user tries to access a protected resource, the security server attempts to authenticate
them using the information collected by the authorisation agent that intercepted the request.
Whatever the results of the authentication, the authorisation management phase is then started.
The security server searches for the authorisation policy associated with the resource. If the
authorisation phase is successful, the user is authorised to access the requested resource.
When a resource is associated with several security policies, the security server
applies the authorisation policy with the highest priority and most restrictive in
regards to the resource.
Ilex Configuration 41
Sign&go
For a rule to succeed, all of the criteria of which it is composed of must evaluate successfully. The
failure of any one of the criteria will result in the rule not succeeding.
A rule can explicitly terminate execution of the security rules. This allows, for
example, the creation of an access control rule common to all security policies,
which stops execution of other access rules if the user is not authenticated.
2.1.3 Criteria
By default, in order to execute certain criteria (group, work profiles, etc.), the security server
connects to the company's primary directory. Criteria are the fundamental tests executed on the
user's request, and can consist of, for example:
The presence or absence of a session token
The level of authentication specified in the session token
The validation of the user's IP address
The user's work profiles
The user group
The user's attributes
The current date and time, etc.
Once configured, the criteria are automatically displayed in the criteria list of the corresponding
access rule.
It is possible to extend the Sign&go criteria by creating one's own. These personalised criteria
appear in the criteria list and are administered in the same way as the standard Sign&go criteria.
42 Configuration Ilex
Sign&go
2.1.4 Behaviours
At the end of the authorisation phase, the security server sends the behaviours to the agent.
A behaviour indicates an action to be taken on the request. Depending on its type, it is executed
either by the security server (for example, in the case of adding application data to the token), or
by the agent (for example, when adding HTTP headers to the request). If the access rule is valid,
the OK behaviours are executed, otherwise the KO behaviours are.
Ilex Configuration 43
Sign&go
44 Configuration Ilex
Sign&go
In the case where several authorisation policies are eligible for a given resource,
Sign&go chooses the most restrictive corresponding to the resource.
Ilex Configuration 45
Sign&go
46 Configuration Ilex
Sign&go
3. SSO strategies
In this section:
Concepts (page 47)
Walk-through of an SSO strategy (page 47)
Implementation (page 48)
3.1 Concepts
Sign&go centralises all of the authentication functions. It permits the application of numerous SSO
strategies that assure the propagation of the identity whichever application is protected (Web,
mainframe and client/server).
When a user is already authenticated on the company's information systems, Sign&go is capable
of simulating their secondary authentication to an application, in other words to avoid
authentication operations relative to this resource by applying one of the following SSO strategies:
The propagation of information (the recovery and passing of values)
The automatic learning of application identifiers/passwords (Basic HTTP)
The automatic completion of HTML forms
To do this, Sign&go retrieves the credentials to be inserted in the login dialogue box or HTML form
for example, from external sources or memorised on-the-fly in an encrypted software container.
Sign&go is also capable of transmitting diverse information concerning the user (identity, roles,
authentication method, etc.) directly to the applications by the HTTP channel, in the form of
headers, cookie values, form parameters, etc.
Ilex Configuration 47
Sign&go
3.3 Implementation
In order to access protected resources, the administrator would like to configure an SSO strategy
allowing to retrieve the user's credentials.
To do this, he creates a new authorisation policy in the Sign&go administration interface for the
resource concerned.
The administrator associates an access rule to this authorisation policy defining how to proceed
when a user requests to access the resources.
48 Configuration Ilex
Sign&go
Ilex Configuration 49
Sign&go
50 Configuration Ilex
Sign&go
4. Secondary credentials
In this section:
Concepts (page 51)
Walk-through of credentials management (page 51)
Implementation (page 52)
Credentials management interface (page 53)
4.1 Concepts
The management of secondary credentials, called self-registering, uses the client APIs of Sign&
go. It consists in:
1. Saving the authentication data (an identifier/password pair)
2. Performing updates
3. Performing deletions
Ilex Configuration 51
Sign&go
4.3 Implementation
The management of secondary credentials requires pre-selecting the data storage directory,
whether it is of type LDAP or SQL, in the Sign&go administration interface.
Next, the attribute of the directory which will be used for storing the secondary credentials should
be defined.
Once the directory and attribute have been entered, the administrator creates the authorisation
policy that will be applied when a user attempts to access a protected resource.
This authorisation policy integrates an access rule which will load the secondary credentials and
transmit them to the protected resource or, alternatively, redirect them to the user registration
page.
52 Configuration Ilex
Sign&go
Here are two examples of access rules, which show how they can be associated with the
authorisation policy:
"Token Verification"
This access rule verifies whether the token exists, in other words whether the user has
already been authenticated.
If this rule succeeds and the token exists, then the OK behaviour "Access granted" is
applied.
If this rule fails because the token does not exist, then the following KO behaviours
"Redirection towards a URL" and "Access granted" are executed.
"SSO management"
This access rule loads the secondary authentication parameters and integrates them into
HTTP headers in order to conform to the Basic HTTP format.
If this rule succeeds and the credentials are found, then the following OK behaviours
are applied:
"Loading into the session of the secondary credentials"
"SSO identification in Basic HTTP or other behaviour"
"Access granted"
If this rule fails because the credentials cannot be found, then the following KO
behaviours are executed:
"Redirection towards the secondary authentication URL"
"Access granted"
This page only displays applications for which the user's secondary credentials have already been
entered into the directory.
It is equally possible to create a specific JSP page adapted to the company.
Ilex Configuration 53
Sign&go
54 Configuration Ilex
Sign&go
Chapter 4
Advanced concepts
In this chapter:
Auditing (page 57)
Directory mapping (page 61)
Multi-domain (page 63)
SAML (page 67)
Scripts (page 73)
Ilex 55
Sign&go
1. Auditing
In this section:
Overview (page 57)
Concepts (page 57)
Configuration (page 58)
Case examples (page 58)
1.1 Overview
Sign&go is equipped with a journaling engine which logs all of the authentication and authorisation
events. This engine, integrated into the security server, enables the consolidation of auditing
information in the form of text files or database entries.
An independent Sign&go application, once configured, permits the display of auditing information
in a readable manner. This application is accessible from the Sign&go administration interface.
1.2 Concepts
Auditing is characterised by the recording of information linked to the surveillance of a process on
some form of support. In regard to the Sign&go security server, the processes surveyed are the
phases of user authentication and authorisation.
In respect to the security server, the audit information corresponds to that saved during a user's
successful or unsuccessful authentication or authorisation.
Certain types of information can be common to several processes and other types specific only to
one.
Whether it is an authentication or authorisation, the principal information is the log date, the time
and its reference. This last element corresponds to a numerical value between:
1 and 999 in the case of a successful authentication
1001 and 1999 in the case of a successful authorisation
5001 and 49999 in the case of an unsuccessful authentication
500001 and 99999 in the case of an unsuccessful authorisation
1.3 Configuration
The Sign&go journaling engine is built upon the Open Source Log4j library.
By default, the audit information of the Sign&go security server is saved in text files
(sngauthentication and sngauthorization) in extended W3C format, but can equally be saved
directly to a database.
In addition, according to the method used, the audit information can be saved on any given
support. Modification of the configuration file server.xml, situated in the security server's
installation directory, is all that is required in order to do this.
Finally, wherever the company already possesses an audit log consolidation product, it is perfectly
possible to import the logs into a spreadsheet generating tool.
Requested
resource
To personalise the audit logs, and in particular, the authentication and authorisation
parameters returned, in the log manager's homepage, click the Configuration menu.
The log files configuration page is displayed. This page enables to define:
The type of database
The JDBC driver
The JDBC connection URL
The identifier/password
The number of lines displayed per page
The start and end dates of the logs to be displayed
2. Directory mapping
Several directories can co-exist and be used in parallel throughout a company, according to the
work profiles of the employees. It is possible, for example to work with:
A directory of internal company employees and another for external service providers
A directory created for and used by the IT department, and another dedicated to and
used by administrative staff, etc.
3. Multi-domain
In this section:
Overview (page 63)
Concepts (page 63)
Walk-through (page 65)
Case example (page 66)
3.1 Overview
SSO security solutions rely on cookie mechanisms in order to maintain user sessions. These
cookies are generally associated with a DNS domain.
In the case where a company has several root DNS domains, due to the propagation limit of the
cookies between the domains, the implementation of an SSO solution can turn out to be tedious.
Sign&go takes charge of this constraint and directly manages the SSO in the company, including
where several DNS domains are present. This functionality, called Cross Domain SSO, is outlined
below.
3.2 Concepts
In this section:
Domain (page 63)
Principal domain (page 63)
Authentication domain (page 64)
Single domain SSO (page 64)
Multi-domain SSO (page 64)
Target domains (page 64)
3.2.1 Domain
The word domain is a general concept used in a Web context, in other words in an environment
which consists of a group of Web servers hosting resources accessible by their respective URLs.
A domain corresponds to all of the resources and associated servers in which the DNS name is
terminated by the same suffix. The domain is designated by this suffix which is composed of
several components separated by dots (".").
Since it has a tree structure, a domain can contain other domains called "sub-domains".
Multi-domain SSO applies only to Sign&go architectures that have the same
security context and enables a simple solution to the technical constraints of SSO
on several DNS domains within a single company. Propagation of the
authentication to another security infrastructure is done using SAML technology
(for example: authentication propagation to or from a partner or an outsourced
application).
3.3 Walk-through
Multi-domain SSO is implemented with the help of Sign&go authentication agents and the
following functional entities:
An export agent situated in the authentication domain and charged with exporting the
Sign&go token.
As such, the export agent and all the authentication agents are to be found within the
authentication domain in which all the Sign&go tokens are created.
Import agents situated within each target domain and charged with importing the
Sign&go token to the target domain concerned.
Communication between the export and the import agents is essentially carried out by the
browser, using the redirection mechanism. However, sensitive data is relayed via the security
server.
These two entities are integrated into the Sign&go Web agent and require no specific installation.
On the other hand, it is necessary to configure beforehand some information concerning each of
them, via the Sign&go administration interface.
Example: Authentication on a principal domain, then access to a resource on a target
domain.
Steps 5 and 6: the Sign&go Export agent retrieves the Artifact and redirects the
user to domain B’s Sign&go Import agent.
Steps 7 and 8: the Sign&go Import agent extracts the Artifact from the request,
provides it to the security server, retrieves the token, installs it and performs a
redirection to the URL initially requested by the user. The browser remakes the
original request, but this time with a token.
4. SAML
In this section:
Concepts (page 67)
Usage context (page 68)
Implementation (page 68)
Walk-through (page 69)
Case example (page 72)
4.1 Concepts
4.1.1 Definition
SAML (Security Assertion Markup Language) is a standard protocol for the propagation of user
identity information.
Standardised by the OASIS SSTC (XML-based Security Services Technical Committee), SAML
is built on the XML language in order to respond to issues of user identity propagation between
third-party platforms.
SAML guarantees the security of exchanges by assuring the authentication of the parties and the
integrity of the exchanged data. In order to do this, it relies on a secure communications protocol
such as HTTPS, or it integrates the management of XML signatures by X509 certificates.
SAML formalises the format of requests and responses in the form of XML documents, and
equally the transmission mode of these documents. It therefore permits the propagation of data
concerning the identity, attributes and rights of a user.
The SAML standard enables the exchange of user identity information by the use of HTTP and
SOAP protocols. These protocols, Internet standards, offer the advantage of being compatible
with the constraints of company security (firewalls, etc.).
4.1.2 Issues
SAML answers the eBusiness issues of today, by assuring the propagation of identities between
the company's information system and its partners.
From the moment that each of the partner's architectures is compatible with SAML, it is possible
to propagate the user's identities connected to the different platforms.
As such, SAML facilitates the interconnection between different partner sites just like those of
individual departments within a large company, because it permits different security solutions to
interoperate.
4.2.1 Extranet
In an Extranet context, the company can need to exchange user identity information with its
partners.
The partners generally possess their own security architecture. It is not normally possible or
desirable to impose the installation of specific components or the Sign&go solution on the partner
in order to make the management of identities compatible.
The SAML protocol responds to this issue by permitting, with no prior installation on the partner's
systems:
The provision of the identity of a user connected to the partner
The automatic retrieval of a user's identity provided by the partner
4.2.2 Intranet
In an Intranet context, the implementation of the SAML protocol permits different subsidiary
companies to manage the security of their information systems whilst at the same time
establishing trusted connections between them.
As such, each subsidiary or entity can conserve the management of their own users whilst
remaining open to the rest of the company, by the intermediate SAML identity propagation.
4.3 Implementation
The Sign&go administration interface enables the configuration of the SAML partners who will be
exchanging user identities.
Once configured, Sign&go is capable of providing and retrieving identities. In fact, the Sign&go
security servers have been based on XML which is compatible with SAML. Also, the SAML
authentication schemes permit, for each partner, the definition of the conditions under which the
user's identity is propagated.
In terms of architecture, Sign&go supports both HTTP and HTTPS. In order to do this, a "Sign&go
SAML" Web application is deployed. This Java application, compatible with J2EE servers
available on the market (Tomcat, Websphere, etc.), is in permanent contact with the security
servers and in this way plays the role of the Sign&go SAML agent.
The valuable principle of task separation recommended by Kerberos is maintained by Sign&go.
The Sign&go SAML agent thus plays the role of "Policy Enforcement Point", whilst the security
servers continue to assume the role of "Policy Decision Point". This type of architecture,
distinguishing the functions of decision taking and the application of a decision, guarantees
increased security from the moment of the solutions' implementation.
4.4 Walk-through
SAML permits the propagation of the person's identity and free attributes between different sites,
in accordance with standard protocols. In fact, whichever technical architectures the participants
concerned have employed, provided that they are compatible with these protocols, they will be
able to propagate their user's identities between the different platforms.
As such, SAML is very often used in the framework of Web services destined for public use, such
as coupled offers for train ticket + hotel reservation, etc. In the same way, in the context of an inter-
company issue, SAML is frequently used for propagating user's identities to an external ASP
(Application Service Provider) platform hosting all of the company's services. Such as in the case
of a company with an outsourced applications suite accessible from an ASP.
The following example illustrates the propagation of a user identity from a Sign&go secured
platform to an SAML compatible partner.
It presents a Sign&go use case in "IdP Initiated" SAML mode, similar to the operation mode
prevailing in SAML version 1.1. With this mode, it is up to the IdP to propagate the identity.
Other architecture models, such as the "SP Initiated" mode are possible. For
more information, refer to the Sign&go SAMLV2 Operation Guide.
Step 1:
The user accesses the identity provider (or "IdP") portal for the first time.
Steps 2 and 3:
The Sign&go agent intercepts the request and solicits the security server to perform the local
authentication phase on the IdP.
As the user is not already authenticated, an authentication page is returned.
Steps 4, 5 and 6:
The user successfully authenticates. A Sign&go token is created and installed on the user's
workstation. This allows the user to access the portal.
Steps 7, 8 and 9:
This is actually the beginning of the SAML operations with the transfer of the authentication obtained
on the IdP to the partner's "service provider".
The user attempts to access a partner site via a link on the portal.
The user is then redirected to the application server, hosting the IdP's Sign&go SAML Web
application.
Step 10:
This Sign&go SAML Web application, equipped with a Sign&go API agent, interrogates the security
server in order to retrieve all of the information necessary for the creation of a SAML assertion.
Step 14:
The "SAML responder" on the IdP site responds via an assertion to
the artifact resolution request submitted by the service provider
(SP).
The assertion is used by the service provider (SP) and converted in
local authentication of the user on the service provider's site.
Step 15:
The user accesses the requested resource via an HTTP redirection.
The propagation of the user's identity between partner sites can be carried out by a partner site
or indeed to a partner site:
Provision of the user's identity by a partner site:
In order to propagate the identity of the user to a platform, the partner must send an SAML
response with an assertion, solicited or not by an authentication request, to a URL specific
to the Sign&go Web authentication server.
This URL uses the Sign&go SAML agent in order to validate, on the security server, the
validity of the transmitted information (partner identity, integrity of the message, identity
and rights of the proposed user, etc.).
The security server then generates a Sign&go session token. This token, guaranteeing the
identity of the user, is then installed on the client workstation in the form of a session
cookie in order to serve as proof of identity during subsequent access to the local platform.
Propagation of a user's identity to a partner site:
In order to automatically provide a partner site with the user identity, you need to create
links to a URL specific to the Sign&go Web authentication server.
This URL takes charge of the redirection of the user and the propagation of their identity
("POST Profile" or "Artifact Profile") to the partner site.
The partner site is then able to retrieve the user's attributes or information regarding their
rights by soliciting Sign&go via its intermediate Web authentication server.
5. Scripts
In this section:
Concepts (page 73)
Case examples (page 74)
Examples (page 75)
5.1 Concepts
Integrated to the security server, and with the assistance of its APIs, the script engine offers
numerous possibilities for personalisation. Notably, it brings:
An optimal flexibility of the product, in order to be able to respond to specific, atypical or
complex cases.
The ability to solicit external repositories.
An advanced personalisation, without the need to resort to complex development
environments (such as Java, C, etc.)
The creation of a script is carried out within the administration console. It is then directly saved in
the Sign&go configuration. Modifications are taken into account in real time by the security server.
Compatible with the syntax of the JavaScript 1.0 scripting language, the script engine possesses
a high performance integrated environment thanks to the security server's editor/debugger.
This editor enables:
More intuitive writing of scripts than with the administration console
Step by step execution
Saving of scripts directly within the Sign&go configuration
The editor requires a graphical environment such as Windows, X11, etc. It runs on the security
server and interrupts the transactions in progress. Therefore it is not advisable to run it on
production platforms.
Finally, specific objects enable interaction with the security servers. It is possible, for example, to
instantiate and control external Java classes.
5.2.1 Authentication
Authentication scripts are associated with authentication schemes. Executed once an
authentication has succeeded, they allow to:
Distinguish the Sign&go token by using information originating from the authentication,
directories, etc.
Interrupt the authentication phase based on external criteria.
Carry out personalised tasks (updating the directory, etc.).
5.2.2 Criteria
Criteria scripts are associated with specific rule criteria. They allow to:
Carry out authorisation tests according to topological elements, period, group
membership, authentication level, etc.
Consolidate session information destined for other behaviours or criteria.
Carry out personalised tasks (updating the directory, etc.).
5.2.3 Behaviour
Behaviour scripts are associated with specific behaviour or group of behaviours. They allow to:
Carry out an access control.
Control agents in order to modify requests (add headers, cookies, etc.).
Consolidate session information destined for other behaviours.
Carry out personalised tasks (updating the directory, etc.).
5.2.4 Variable
Variable scripts enable factoring in specific processing. Called from other scripts by simple
evaluation of the variable, they allow to:
Collect information from an external source or by using a particular algorithm.
Carry out personalised tasks (updating the directory, etc.).
5.3 Examples
In this section:
Authentication (page 75)
Criteria (page 76)
Behaviour (page 76)
Variable (page 77)
Directory mapping (page 77)
5.3.1 Authentication
The following authentication script performs the modification of a user's LDAP attribute:
5.3.2 Criteria
The following criteria script authorises access to the information system according to the user's IP
address:
5.3.3 Behaviour
The following behaviour script enables the retrieval of secondary credentials and the passing to
Basic HTTP:
5.3.4 Variable
The following variable script sends a new URL (round-robin) at each evaluation of the variable:
variable.setValue(urls[ival]);