EasyVista Extending security of SSO exchanges
Last update : January 26th, 2012
03/04/2012

Summary
A. Presentation (page 3)
  A.1. Goal (page 3)
  A.2. Features provided by the encryption extension (page 3)
    A.2.1. Protection against forging URLs (page 3)
    A.2.2. Protection against URL theft (page 3)
  A.3. Limits of the system (page 4)
B. Prerequisites (page 4)
C. STEP 1: Installation of the security extension (page 4)
  C.1. Copy the files (page 4)
  C.2. Configure the listening port if necessary (page 4)
  C.3. Configure your firewall if necessary (page 4)
  C.4. Install the service (page 4)
  C.5. Troubleshooting (page 5)
    C.5.1. Log files (page 5)
    C.5.2. Access to the WSDL information (page 5)
D. STEP 2: Configuration of the SSO system you want to use (page 6)
  D.1. Configuration with the IIS relay system (page 6)
    D.1.1. Presentation (page 6)
    D.1.2. Add a new security group (page 6)
    D.1.3. Install and configure the IIS relay pages (page 7)
  D.2. Configuration with a PHP SSO relay on the EasyVista webserver (page 7)
    D.2.1. Presentation (page 7)
    D.2.2. Installation (page 8)
    D.2.3. Configuration (page 8)
  D.3. Troubleshooting (page 9)
E. STEP 3: Configure EasyVista (page 10)
  E.1. Add the missing parameters if necessary (page 10)
  E.2. Configure the parameters (page 10)
  E.3. Restart the SMO SERVER service (page 11)


A. Presentation
A.1. Goal
Authentications based on federation service providers are natively based on secured exchanges
(SAML, client certificates, etc.) and thus provide a high level of security, which guarantees that it is not
possible to either:

- forge fake authentication exchanges, or
- reuse a fully authorized URL that has been captured.

Pseudo SSO solutions (such as IIS relay, HTTP transfer from a portal, etc.) do not provide this level of
security. They should not be considered secure SSO solutions, and our advice is that they should not
be used.
Despite this, many customers who do not already provide authentication based on fully secure
federation services implement pseudo SSO solutions because of their low implementation cost.
Even if providing a fully secure SSO system is not part of the EasyVista perimeter, we have developed
a security service, included free of charge, whose goal is to encrypt the login sent from IIS relay-like
solutions to the EasyVista platforms.

A.2. Features provided by the encryption extension

A.2.1. Protection against forging URLs
The EasyVista encryption extension is based on AES128 encryption, which guarantees a high level of
security (http://en.wikipedia.org/wiki/Advanced_Encryption_Standard).
This guarantees that a malicious user will not be able to forge a new URL based on an existing one to
fake an SSO connection as another user.
Confidentiality of the key used in the encryption process is the responsibility of the customer, who must
guarantee that the IIS server is physically and logically secured.

A.2.2. Protection against URL theft
The EasyVista security extension also enforces ONE TIME USE (OTU) of each URL:
even a captured URL cannot be used a second time.


A.3. Limits of the system
The service is provided as is, and customers cannot request other encryption methods.
Customers cannot use this service outside of the EasyVista perimeter.

B. Prerequisites
This feature is available with EasyVista fixes starting from version 2010.1.1.89.

C. STEP 1: Installation of the security extension
C.1. Copy the files
From the EasyVista security extension package you received from the technical support or found on
the EasyVista CD, copy the files into a new folder on the EasyVista application server (for example
a folder named EZVExtended at the same level as the MSSQL folder containing the
SMO_MSSQL.EXE service).

C.2. Configure the listening port if necessary
Open the smoextended.ini file and change the port number if the default one is already in use or not
compliant with your system.
The default proposed value should work for most systems.

C.3. Configure your firewall if necessary
Port 34563 on the application server (or the one you configured) must be accessible from the web
server. Configure your firewall if necessary to allow this access in TCP mode.

C.4. Install the service
Install the service by running the command SMOExtended.exe /install.


C.5. Troubleshooting
C.5.1. Log files
The EasyVista security extension service generates log files that you can use to:

- check the encryption and decryption requests processed, with or without errors;
- check the exceptions triggered while servicing encryption requests.

C.5.2. Access to the WSDL information
You can try to access the following URLs from the application server:

URL: http://XXX.XXX.XXX:34563/wsdl
Value: Put here the URL to use to access the web service published by the EasyVista Security
Extended service. The URL must include the port 34563 (or the port you have configured for the
service if you changed the default 34563 port).
You should see a screen like this one: [Figure: WSDL page as displayed in the browser]

URL: http://XXX.XXX.XXX:34563/wsdl/ISmoExtendedInterface


D. STEP 2: Configuration of the SSO system you want to use
D.1. Configuration with the IIS relay system
D.1.1. Presentation
Use this procedure when you want to implement the IIS relay system to simulate an SSO solution.
The IIS system can be outside of your EasyVista platform.

The exchange workflow is: [Figure: exchange workflow]

D.1.2. Add a new security group
Open the SMOEXTENDED.INI file and change the following parameters:

Parameter: PUT-HERE-YOUR-UNIQUE-ID
Value: Put here a unique identifier, using only alphabetical and numeric characters, that will uniquely
describe the security group on this server (ex: A34HD78E9T888E8Q8D8).
This value will be referred to as the GROUP UNIQUE ID in this document.

Parameter: PUT-HERE-YOUR-KEY
Value: Put here the 16-character key that will be used to encrypt data from the IIS server and decrypt
them once received by EasyVista.
This value will be referred to as the GROUP SECURITY KEY in this document.

Remarks: Other parameters should not be changed unless the technical support requires you to do
so.
Once the new security group is created, restart the SMOExtended service.

D.1.3. Install and configure the IIS relay pages
From the EasyVista IIS relay package you received from the technical support or found on the
EasyVista CD, copy the files into a folder on the IIS server you want to use as a relay.
Once copied, open the INDEXPHP_REDIRECT.ASPX file and change the following parameters:

Parameter: string strKey = "0123456789012345";
Value: Replace the 0123456789012345 string with the key value (GROUP SECURITY KEY) you defined
in D.1.2.

Parameter: PUT-HERE-YOUR-EASYVISTA-WEBSERVER
Value: Put here the URL used to access your web server (ex: easyvista.mycompany.com).
Leave the rest of the line unchanged.

D.2. Configuration with a PHP SSO relay on the EasyVista webserver
D.2.1. Presentation
This configuration is used when the information is directly accessible from the EasyVista webserver,
either because it is being pushed by the corporate SSO system, or collected through a third-party layer
(CAS, SAML, client certificates, etc.).


The third-party layer installed on the EasyVista webserver will:

- collect the user ID based on the SSO used;
- encrypt the user ID through a call to the EasyVista Security Extended service;
- send the information through the standard HTTP SSO compliant with EasyVista.

This process guarantees that the whole http/https exchange respects the target level of security.
The exchange workflow is: [Figure: exchange workflow]
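As an added illustration (not code from the EasyVista package), the following Go model shows the two protections of section A.2 applied to the workflow above: the relay encrypts the user ID under the GROUP SECURITY KEY into the token placed after url_account=, and the application server decrypts it and refuses any token presented twice. The cipher mode (AES-128-GCM), the binding of the GROUP UNIQUE ID into the token and the token format are assumptions; the document states only AES128 and a 16-character key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

type Group struct { // one SMOEXTENDED.INI security group; plays both ends here
	ID   string          // GROUP UNIQUE ID, bound into every token
	aead cipher.AEAD     // AES-128-GCM under the 16-character GROUP SECURITY KEY
	used map[string]bool // tokens already accepted (ONE TIME USE)
}

// Assumption: the document names AES-128 but not a mode; GCM is used so a forged or edited token fails to authenticate.
func NewGroup(id, key string) (*Group, error) {
	if len(key) != 16 { // the 16-character key from D.1.2 selects AES-128
		return nil, errors.New("GROUP SECURITY KEY must be exactly 16 characters")
	}
	block, _ := aes.NewCipher([]byte(key)) // cannot fail: length checked above
	aead, _ := cipher.NewGCM(block)        // cannot fail: AES block is 16 bytes
	return &Group{ID: id, aead: aead, used: map[string]bool{}}, nil
}

// EncryptLogin (relay side): user ID -> opaque URL-safe token for url_account=.
func (g *Group) EncryptLogin(userID string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize()) // fresh nonce: each token is unique
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := g.aead.Seal(nonce, nonce, []byte(userID), []byte(g.ID))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Accept (application-server side): returns the user ID, or an error for a forged, tampered, wrong-group or replayed token.
func (g *Group) Accept(token string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	n := g.aead.NonceSize()
	if err != nil || len(raw) < n {
		return "", errors.New("malformed token")
	}
	plain, err := g.aead.Open(nil, raw[:n], raw[n:], []byte(g.ID))
	if err != nil || g.used[string(raw)] { // GCM tag check, then ONE TIME USE
		return "", errors.New("forged, tampered or replayed token rejected")
	}
	g.used[string(raw)] = true // keyed on the decoded bytes, not the base64 text
	return string(plain), nil
}
```

The used-token set is kept in memory for illustration; a real service would have to persist it across restarts for the one-time-use rule to hold.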

D.2.2. Installation
Starting with EasyVista 2012, the pages are already installed by default with EasyVista in the www
and www/sspi folders.
If you want to install the EasyVista Security Extended service with version 2010, you must first apply
the latest fix, which includes the latest sspi pages.

D.2.3. Configuration
Open the www/sspi/sspi_setting.php file and change the following parameters:

Parameter: $URL
Value: Put here the URL to access the EasyVista web site to redirect the SSO URL (mind to keep the
/index.php?url_account= in the URL).
Ex: https://easyvista.mycompany.com/index.php?url_account=

Parameter: $id
Value: Put here the GROUP SECURITY KEY you have created during STEP 2.

Parameter: $str_wsdl
Value: Put here the URL that the EasyVista web server will use to access the wsdl
ISmoExtendedInterface service published by the EasyVista Extended Security service.
Keep in mind that this is the URL to access the application server from the webserver. It cannot be a
localhost-like URL.
Ex: http://XXX.XXX.XXX:34563/wsdl/ISmoExtendedInterface

D.3. Troubleshooting
Use HTTPWATCH to capture the HTTP exchanges and check that they are consistent with what is expected.


E. STEP 3: Configure EasyVista
E.1. Add the missing parameters if necessary
Check the AM_PARAMETER table in the database you want to configure for the presence of the
following parameters:

- {ADMIN} SSO : Url of the WebService encryption support
- {ADMIN} SSO : ID of the encryption used

If they are not present, run the following script to add them (the GUID in each NOT EXISTS guard must
be identical to the GUID inserted, otherwise the guard never matches and the row is inserted again on
every run):

-- Parameter 1: URL of the encryption web service (empty until configured in E.2)
if (NOT EXISTS(SELECT PARAMETER_GUID FROM [AM_PARAMETER] WHERE PARAMETER_GUID = '{CF69F417-5AE6-4386-B95D-D628F7744684}'))
INSERT INTO [AM_PARAMETER]
(PARAMETER_GUID, PARAMETER_EN, PARAMETER_FR, PARAMETER_GE, PARAMETER_SP, PARAMETER_IT, PARAMETER_PO, PARAMETER_TYPE, PARAMETER_VALUE)
VALUES
('{CF69F417-5AE6-4386-B95D-D628F7744684}',
 '{ADMIN} SSO : Url of the WebService encryption support',
 '{ADMIN} SSO : Url du WebService en charge du cryptage',
 '[{ADMIN} SSO : Url of the WebService encryption support]',
 '[{ADMIN} SSO : Url of the WebService encryption support]',
 '[{ADMIN} SSO : Url of the WebService encryption support]',
 '[{ADMIN} SSO : Url of the WebService encryption support]',
 'STRING', '')

-- Parameter 2: ID of the encryption used (receives the GROUP SECURITY KEY in E.2)
if (NOT EXISTS(SELECT PARAMETER_GUID FROM [AM_PARAMETER] WHERE PARAMETER_GUID = '{C3DAD878-236B-4AFB-9F91-8B82E41A89F8}'))
INSERT INTO [AM_PARAMETER]
(PARAMETER_GUID, PARAMETER_EN, PARAMETER_FR, PARAMETER_GE, PARAMETER_SP, PARAMETER_IT, PARAMETER_PO, PARAMETER_TYPE, PARAMETER_VALUE)
VALUES
('{C3DAD878-236B-4AFB-9F91-8B82E41A89F8}',
 '{ADMIN} SSO : ID of the encryption used',
 '{ADMIN} SSO : ID de l''encryptage utilisé',
 '[{ADMIN} SSO : ID of the encryption used]',
 '[{ADMIN} SSO : ID of the encryption used]',
 '[{ADMIN} SSO : ID of the encryption used]',
 '[{ADMIN} SSO : ID of the encryption used]',
 'STRING', '')

E.2. Configure the parameters

Parameter: {ADMIN} SSO : Url of the WebService encryption support
Value: Put here the URL that the EasyVista web server will use to access the wsdl
ISmoExtendedInterface service published by the EasyVista Extended Security service.
Keep in mind that this is the URL to access the application server from the webserver. It cannot be a
localhost-like URL.
Ex: http://XXX.XXX.XXX:34563/wsdl/ISmoExtendedInterface

Parameter: {ADMIN} SSO : ID of the encryption used
Value: Put here the GROUP SECURITY KEY you have created during STEP 2.

E.3. Restart the SMO SERVER service
Once the parameters are changed, restart the SMO SERVER service.
If you change the parameters again later, you will also need to restart the SMO SERVER service.