Objective
The objective of single sign-on (SSO) is to enable a user to authenticate only once. This requires an integration framework that allows single sign-on authentication across all systems and applications, as well as to clients, partners, and outside services. The challenges are the multitude of SSO vendor products, discrepancies in partners' security standards, and the administration of identity management across client and business partner systems.

SSO is not a new concept. In fact, companies have been dealing with this concept for years. I can recall developing an IMS transaction to handle authentication, access control and application data access across many IMS applications. Most developers at one time or another have designed and built an application profile database and the SSO-like code to eliminate the duplicate logon for end users. Industry statistics show that users have, on average, five different logons they use on a regular basis. Therefore, integrating SSO components to eliminate the need for multiple logons will simplify the end-user experience. This results in increased usage and thus increased revenue, and retains customers, clients, and business partners.
SINGLE SIGN ON
Single Sign-On
We will go through a brief introduction to Single Sign-On (hereafter also referred to as SSO in this document). SSO can be defined as the user experience of logging in just once and being able to navigate across many applications seamlessly without needing to enter credentials for each application. It is very common for organizations to have many applications running to take care of different business functions. SSO makes it easy for users to log in once and access all the applications they are entitled to, reducing the need to remember a plethora of logins and passwords. The following is a brief description of a few important concepts of SSO.

Authentication: The process of verifying the user's identity, making sure that the user is who he claims to be. This can be based on a login and password combination, a smart card, biometrics, etc.

Authorization: The process of verifying whether a user is privileged to access a particular resource.

Credentials: Credentials are the details provided by a user during the process of authentication into an application. They can be a login and password, a fingerprint, a smart card, etc.

Domain: A domain is a logical group in an organization with a unique name that is part of the host names used on the intranet/Internet. For example, mycompany.com is the domain name in myhost.mycompany.com, whereas mycompanystore.com is the domain name in www.mycompanystore.com. While mycompany.com is a parent domain, it.mycompany.com is a sub-domain reserved for the IT department in the organization.

Protected Resource: A resource whose access is not open to everyone. A user needs to go through authentication and authorization before accessing a protected resource. It can be a URL on the Internet or intranet, a client to an application, a folder on a server, etc.
Benefits
- Reduces phishing success, because users are not trained to enter their password everywhere without thinking.
- Reduces password fatigue from different user name and password combinations.
- Reduces time spent re-entering passwords for the same identity.
- Can support conventional authentication such as Windows credentials (i.e., username/password).
- Reduces IT costs due to a lower number of IT help desk calls about passwords.
- Security on all levels of entry/exit/access to systems without the inconvenience of re-prompting users.
- Centralized reporting for compliance adherence.
Technology used
- E-mail server (Postfix, FTP, Dovecot, Squirrelmail)
- SVN server
- LDAP (Lightweight Directory Access Protocol) as the user database
- Apache (web server)
- Virtual hosting
Web Server(Apache)
A Web server is a program that, using the client/server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), serves the files that form Web pages to Web users (whose computers contain HTTP clients that forward their requests). Every computer on the Internet that contains a Web site must have a Web server program. Two leading Web servers are Apache, the most widely installed Web server, and Microsoft's Internet Information Server (IIS). Other Web servers include Novell's Web Server for users of its NetWare operating system and IBM's family of Lotus Domino servers, primarily for IBM's OS/390 and AS/400 customers.

Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Some common language interfaces support Perl, Python, Tcl, and PHP.

HTTP protocol: HTTP stands for Hypertext Transfer Protocol. This is the protocol used to send and receive information from the server. It is the protocol that the Apache Web server understands and uses to send information back to the client machine. To be a bit more technical, the client machine (in this case the browser) sends an HTTP request to the server, and the server responds with an HTTP response. This is the general back and forth between the server and the browser; Apache is made to handle all of these requests.
How to configure the web server (a minimal virtual host entry; ErrorLog and CustomLog take a log file path, and CustomLog also takes a log format):

<VirtualHost *:80>
    ServerAdmin root@LocalHost
    DocumentRoot /var/www/html
    ServerName www.google.com
    ErrorLog logs/error_log
    CustomLog logs/access_log combined
</VirtualHost>
Virtual hosting
Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers). This allows one server to share its resources, such as memory and processor cycles, without requiring all services provided to use the same host name. The term virtual hosting is usually used in reference to web servers, but the principles carry over to other Internet services. One widely used application is shared web hosting. Shared web hosting prices are lower than a dedicated web server because many customers can be hosted on a single server. It is also very common for a single entity to want to use multiple names on the same machine so that the names can reflect services offered rather than where those services happen to be hosted.

Two name-based virtual hosts on the same server, each with its own document root and log files:

<VirtualHost *:80>
    ServerAdmin root@LocalHost
    DocumentRoot /var/www/html
    ServerName www.google.com
    ErrorLog logs/google-error_log
    CustomLog logs/google-access_log combined
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin root@LocalHost
    DocumentRoot /var/www/html/yahoo
    ServerName www.yahoo.com
    ErrorLog logs/yahoo-error_log
    CustomLog logs/yahoo-access_log combined
</VirtualHost>
Email server
A mail server usually consists of a storage area where e-mail is stored for local users, a set of user-definable rules which determine how the mail server should react to the destination of a specific message, a database of user accounts that the mail server recognizes and will deal with locally, and communications modules, which are the components that actually handle the transfer of messages to and from other mail servers and e-mail clients. Generally the person(s) responsible for the maintenance of the e-mail server (editing users, monitoring system activity) are referred to as the postmaster. Most mail servers are designed to operate without any manual intervention during normal operation.

- Postfix mail server (SMTP mail server): used for sending mail.
- FTP (File Transfer Protocol): used for transferring files.
- Squirrelmail (web browser interface): used to check and send mail.
- Dovecot (POP3/IMAP server): used to receive e-mail.
Squirrelmail (web browser) interface used to check and send mail:
SVN server
SVN is an acronym for Subversion. Subversion manages files and directories, and the changes made to them, over time. This allows you to recover older versions of your data or examine the history of how your data changed.

Installing SVN:
    yum install subversion mod_dav_svn

Configuration file:
    vim /etc/httpd/conf.d/subversion.conf

How to create a repository:
    svnadmin create repos

Checking out:
    svn co http://servername/repos

Editing and committing:
    svn commit -m "editing the file"
LDAP
LDAP is used for centralized user authentication; it basically serves as the user database. An LDAP server is also known as a Directory System Agent (DSA). LDAP has the ability to distribute servers to where they are needed. Flow diagram of LDAP (figure):
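As an added example that is not part of the original report, the following httpd configuration ties the virtual hosting and SVN sections above to the LDAP user database: both the web site and the Subversion repository check logins against the same directory, so a user has one set of credentials for every service. It assumes httpd 2.4 with mod_ldap, mod_authnz_ldap, mod_ssl and mod_dav_svn loaded, and placeholder values for the directory server ldaps://ldap.example.com, the base dc=example,dc=com, the group cn=developers and the certificate paths.

```apache
# Added example (not from the original report): one LDAP directory checks
# logins for the web site and the Subversion repository. Assumed placeholders:
# ldaps://ldap.example.com, dc=example,dc=com, cn=developers, certificate paths.
# Talk to the directory over TLS only and verify its certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.crt
LDAPVerifyServerCert On

# Basic credentials travel in clear text, so the site itself is served over HTTPS.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    ErrorLog logs/www-error_log
    CustomLog logs/www-access_log combined
    <Directory /var/www/html>
        AuthType Basic
        AuthName "Intranet"
        AuthBasicProvider ldap
        # Search ou=People for uid=<login>, then bind as that entry with the password.
        AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
        AuthLDAPBindDN "cn=readonly,dc=example,dc=com"
        AuthLDAPBindPassword "CHANGE-ME-placeholder"
        Require valid-user
    </Directory>
    # Subversion repository (mod_dav_svn) checked against the same directory.
    <Location /repos>
        DAV svn
        SVNPath /var/www/svn/repos
        AuthType Basic
        AuthName "Subversion"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
        AuthLDAPBindDN "cn=readonly,dc=example,dc=com"
        AuthLDAPBindPassword "CHANGE-ME-placeholder"
        # posixGroup members are listed as uids (memberUid), not as DNs.
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        <RequireAll>
            Require valid-user
            # Any directory user may read; only cn=developers may commit.
            <RequireAny>
                Require method GET PROPFIND OPTIONS REPORT
                Require ldap-group cn=developers,ou=Group,dc=example,dc=com
            </RequireAny>
        </RequireAll>
    </Location>
</VirtualHost>
```

The bind account only searches the directory; each user's own password is verified by a second bind as the entry found, so the read-only account needs no write rights.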
iRedmail
iRedMail is a free, open source mail server solution for Linux/BSD that provides POP3/IMAP/SMTP services, anti-spam, anti-virus, etc. It supports OpenLDAP and MySQL as backends to store the virtual domains and virtual users. It offers a web-based admin panel.

It is a fully fledged, free e-mail server solution and an open source project (GPL v2). It uses official binary packages from Linux/BSD distributions, with both i386 and x86_64 support, and offers easy, fast deployment in less than one minute. It works on Red Hat Enterprise Linux, CentOS, Debian, Ubuntu, openSUSE and FreeBSD, on both non-virtualized and virtualized boxes, e.g. VMware, OpenVZ, Xen. Screenshots of installation:
1. iRedMail supports both OpenLDAP and MySQL as backends to store virtual domains and users. OpenLDAP is recommended.
3. LDAP suffix; normally this is your domain name, such as dc=example,dc=com:
7. Set the password for the virtual domain admin, postmaster@example.com; you can log into iRedAdmin with this account:
Roundcube webmail is one of the optional web-based e-mail clients for everyone to use. Roundcube offers a very nice interface for accessing your e-mail via the web and offers some very nice features for all to enjoy, such as:

Released features:
- Drag-and-drop message management
- Full support for HTML messages
- Sophisticated privacy protection
- Compose messages with attachments
- Multiple sender identities
- Address book with groups and LDAP connectors
- Rich-text/HTML message composing
- Forwarding messages with attachments
- Searching messages and contacts

Roundcube is a web-based IMAP e-mail client written in the PHP programming language. Roundcube's most prominent feature is the pervasive use of Ajax technology to present a more fluid and responsive user interface than that of traditional webmail clients.

Server requirements:
- Apache, Lighttpd, Cherokee or Hiawatha web server
- PHP version 5.2.1 or greater
- MySQL, PostgreSQL, SQLite or MSSQL database
- An IMAP server which supports IMAP4rev1
- An SMTP server (recommended) or PHP configured for mail delivery
phpLDAPadmin (also known as PLA) is a web-based LDAP client. It provides easy, anywhere-accessible, multi-language administration for your LDAP server. Its hierarchical tree viewer and advanced search functionality make it intuitive to browse and administer your LDAP directory. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server easily manageable from any location. phpLDAPadmin is the perfect LDAP browser for the LDAP professional and novice alike. Its user base consists mostly of LDAP administration professionals.

Managing LDAP data doesn't have to be difficult. The phpLDAPadmin project provides a comprehensive web-based admin tool for easy, accessible administration of your LDAP directory from the comfort of your web browser. No matter how you approach it, LDAP is a challenge. From understanding the fundamentals that make up the system to managing the data the system uses, it can be a bit overwhelming at times. To manage the LDAP data you have a number of ways you could go. You could use the command line (see "Manage LDAP from the Command Line on Linux"), you could use the stand-alone, very capable 389 Directory Server (see "Simplify LDAP with Fedora's 389 Directory Server"), or you could go a completely different route and use the web-based phpLDAPadmin. As you would expect, phpLDAPadmin is very much like phpMyAdmin (a very powerful, user-friendly tool for managing MySQL). But does phpLDAPadmin make managing LDAP as easy as phpMyAdmin makes managing MySQL? It does. In fact, phpLDAPadmin makes managing LDAP data so easy that just about anyone could take care of the task.

Your first task is to actually log into the tool. When you open up the page for phpLDAPadmin you will see a login button. Click on the login button and then enter your LDAP admin credentials. Remember, your credentials will be in the form of cn=manager,dc=example,dc=com. The credentials will have been set when you initially installed and configured LDAP. Once you're in, you should see something like the screenshot below. As you can see, I have already created a few entries for you. But before we get into the creation of entries, let's examine the hierarchy that appears in the left-side navigation. At the top of the hierarchy you have the Base DN. Under this entry you have the various objects and attributes that you can add to or edit. Let's take a look at doing the following: adding a new group and then adding a user into that group.
Conclusion
A well-planned and carefully deployed Single Sign-On product can be a great complement to the other security measures that are already in place in an organization. By weighing the risk factors associated with implementing each SSO product against the advantages, and by keeping expectations aligned with realistic planning, an SSO product implementation that satisfies your requirements is achievable.