
SINGLE SIGN ON

Objective
The objective of single sign-on (SSO) is to let a user authenticate only once. Enabling this requires an integration framework that allows single sign-on authentication across all systems and applications, as well as to clients, partners and outside services. The challenge is the multitude of SSO vendor products, discrepancies in partners' security standards, and the administration of identity management across client and business-partner systems.

SSO is not a new concept; companies have been dealing with it for years. I can recall developing an IMS transaction to handle authentication, access control and application data access across many IMS applications. Most developers have at one time or another designed and built an application profile database and SSO-like code to eliminate the duplicate logon for end users. Industry statistics show that users have, on average, five different logons they use on a regular basis. Integrating SSO components to eliminate the need for multiple logons therefore simplifies the end-user experience, which in turn increases usage and helps retain customers, clients and business partners. The flip side is that the single credential becomes a high-value target: a compromised SSO login opens every connected application, so the authentication service must be protected at least as well as the most sensitive system behind it.

SAI INSTITUTE OF ENGG. AND TECHNOLOGY(MANAWALA)


Single Sign-On
We begin with a brief introduction to single sign-on (hereafter also referred to as SSO). SSO can be defined as the user experience of logging in just once and then navigating across many applications without being asked for credentials by each of them. It is very common for an organisation to run many applications for different business functions. SSO lets users log in once and reach every application they are entitled to, so they no longer need to remember a plethora of logins and passwords. A few important concepts follow.

Authentication
The process of verifying a user's identity, i.e. making sure the user is who they claim to be. It can be based on a login and password combination, a smart card, biometrics, etc.

Authorization
The process of deciding whether an already authenticated user is permitted to access a particular resource. SSO solves the first problem (one authentication), not the second: each application still has to decide what the user may do.

Credentials
The details a user presents during authentication to an application: a login and password, a fingerprint, a smart card, etc.

Domain
A logical group within an organisation with a unique name that forms part of the host names used on the intranet or Internet. For example, mycompany.com is the domain name in myhost.mycompany.com, whereas mycompanystore.com is the domain name in www.mycompanystore.com. mycompany.com is a parent domain, and it.mycompany.com is a sub-domain reserved for the IT department.

Protected Resource
A resource to which access is not open to everyone. A user must pass authentication and authorization before accessing a protected resource. It can be a URL on the Internet or intranet, a client of an application, a folder on a server, etc.


Benefits
- Reduces phishing success, because users are no longer trained to enter their password everywhere without thinking.
- Reduces password fatigue from different user name and password combinations.
- Reduces time spent re-entering passwords for the same identity.
- Can support conventional authentication such as Windows credentials (i.e. username/password).
- Reduces IT costs through fewer help-desk calls about passwords.
- Security at all levels of entry, exit and access to systems without re-prompting users.
- Centralized reporting for compliance adherence.


Methodology for project development


- First, understand the basics of cloud computing.
- Understand the Linux OS.
- Understand terms such as SSO, e-mail server, LDAP, etc.
- Learn how to configure an e-mail server.
- Learn how to synchronise between servers.
- Create the databases.
- Understand the SVN server.
- Learn how to work on the cloud.
- Plan the work.
- Finally, integrate all the pieces together.


Technology used
- E-mail server (Postfix, Dovecot, SquirrelMail; FTP was also used for file transfer, although it is not a mail component)
- SVN server
- LDAP (Lightweight Directory Access Protocol) as the user database
- Apache (web server)
- Virtual hosting


Web Server(Apache)
A web server is a program that, using the client/server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), serves the files that form web pages to web users (whose computers contain HTTP clients that send the requests). Every computer on the Internet that hosts a web site must run a web server program. Two leading web servers are Apache, the most widely installed web server, and Microsoft's Internet Information Server (IIS). Other web servers include Novell's web server for users of its NetWare operating system and IBM's family of Lotus Domino servers, primarily for IBM's OS/390 and AS/400 customers. Apache supports a variety of features, many implemented as compiled modules that extend the core functionality. These range from server-side programming language support to authentication schemes. Common language interfaces include Perl, Python, Tcl and PHP.

HTTP protocol: HTTP stands for Hypertext Transfer Protocol. It is the protocol used to send information to, and receive it from, the server; it is the protocol the Apache web server understands and uses to send information back to the client machine. In slightly more technical terms, the client (here, the browser) sends an HTTP request to the server and the server answers with an HTTP response. This request/response exchange is the whole of the conversation between browser and server, and Apache is built to handle these requests. The Host header carried in each request is what name-based virtual hosting (below) keys on.


How to configure the web server (a virtual host block, placed in the Apache configuration, e.g. under /etc/httpd/conf.d/ on RHEL/CentOS):

    <VirtualHost *:80>
        ServerAdmin root@localhost
        DocumentRoot /var/www/html
        ServerName www.google.com
        ErrorLog logs/roop
        CustomLog logs/deep combined
    </VirtualHost>

Relative log paths are resolved against ServerRoot (/etc/httpd, where logs/ points at /var/log/httpd), and CustomLog requires a log format name such as combined, which the default httpd.conf defines.


Virtual hosting
Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers). It lets one server share its resources, such as memory and processor cycles, without requiring every service it provides to use the same host name. The term is usually used of web servers, but the principle carries over to other Internet services. One widely used application is shared web hosting, which is cheaper than a dedicated web server because many customers can be hosted on a single machine. It is also very common for a single entity to want several names on the same machine so that the names reflect the services offered rather than where those services happen to be hosted.

With name-based virtual hosting Apache chooses the block by the Host header of the request, comparing it with each ServerName (and ServerAlias); the first block listed for an address and port is the default and answers any request whose Host matches nothing, including requests made to the bare IP address. The two blocks below are the page's, with illustrative log file names filled in (CustomLog requires a format name):

    <VirtualHost *:80>
        ServerAdmin root@localhost
        DocumentRoot /var/www/html
        ServerName www.google.com
        ErrorLog logs/google_error_log
        CustomLog logs/google_access_log combined
    </VirtualHost>

    <VirtualHost *:80>
        ServerAdmin root@localhost
        DocumentRoot /var/www/html/yahoo
        ServerName www.yahoo.com
        ErrorLog logs/yahoo_error_log
        CustomLog logs/yahoo_access_log combined
    </VirtualHost>

Note that the second DocumentRoot lies inside the first, so the files of www.yahoo.com are also reachable as http://www.google.com/yahoo/; give each virtual host its own directory outside the other document roots. On Apache 2.2 the NameVirtualHost *:80 directive must also be present; 2.4 no longer needs it.
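How Apache picks a block from such a file, as an added example that is not part of the original page or of Apache's own code: a small Python parser for VirtualHost blocks and a resolver that applies Apache's name-based matching rules. The sample config, its ServerAlias lines and its log names are constructed for this example. It also illustrates the request/response point of the Web Server section above, since the Host header of the request is what the choice turns on.

```python
"""Name-based virtual host selection, modelled on how Apache picks a
<VirtualHost> block for an incoming HTTP request.

Added example for this page (not code from Apache or from the project
described here).  It parses a small httpd-style config and resolves the
Host header the way Apache does: match ServerName/ServerAlias, ignore the
port and letter case, and fall back to the FIRST block listed when nothing
matches.  The sample config below is constructed for the example.
"""
import fnmatch
import re
from dataclasses import dataclass, field

# Constructed sample, mirroring the two blocks shown on this page, with an
# extra ServerAlias line and log file names so the config is complete.
SAMPLE_CONFIG = """
<VirtualHost *:80>
    ServerAdmin root@localhost
    DocumentRoot /var/www/html
    ServerName www.google.com
    ErrorLog logs/google_error_log
    CustomLog logs/google_access_log combined
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin root@localhost
    DocumentRoot /var/www/html/yahoo
    ServerName www.yahoo.com
    ServerAlias yahoo.com *.yahoo.com
    ErrorLog logs/yahoo_error_log
    CustomLog logs/yahoo_access_log combined
</VirtualHost>
"""


@dataclass
class VHost:
    server_name: str = ""
    document_root: str = ""
    aliases: list = field(default_factory=list)


_BLOCK = re.compile(r"<VirtualHost\s+[^>]+>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(config_text):
    """Return the VirtualHost blocks in the order they appear (order matters)."""
    hosts = []
    for body in _BLOCK.findall(config_text):
        vh = VHost()
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            directive, args = parts[0].lower(), parts[1:]
            if directive == "servername" and args:
                vh.server_name = args[0].lower()
            elif directive == "documentroot" and args:
                vh.document_root = args[0]
            elif directive == "serveralias":
                vh.aliases.extend(a.lower() for a in args)
        hosts.append(vh)
    return hosts


def select_vhost(hosts, host_header):
    """Pick the block Apache would serve for a given Host header value.

    The port suffix is ignored, names compare case-insensitively and
    ServerAlias may use shell-style wildcards.  If nothing matches, the
    first block in the file is the default: that is what a client sending
    an arbitrary Host header (or connecting by IP address) reaches.
    """
    name = (host_header or "").strip().lower()
    if name.startswith("["):          # IPv6 literal such as [::1]:80
        name = name.split("]")[0] + "]"
    else:
        name = name.split(":")[0]
    for vh in hosts:
        if name == vh.server_name:
            return vh
        if any(fnmatch.fnmatchcase(name, pattern) for pattern in vh.aliases):
            return vh
    return hosts[0] if hosts else None


def document_root_for(config_text, host_header):
    """Which DocumentRoot answers this Host header?"""
    vh = select_vhost(parse_vhosts(config_text), host_header)
    return vh.document_root if vh else None


if __name__ == "__main__":
    for host in ("www.google.com", "WWW.YAHOO.COM:80", "mail.yahoo.com", "10.0.0.5"):
        print(f"Host: {host:18} -> {document_root_for(SAMPLE_CONFIG, host)}")
```

Send a Host the file does not name (an IP address, an empty header) and the answer is the first block, which is why the first virtual host in a file should be a deliberate catch-all rather than a real site.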


Email server
A mail server usually consists of a storage area where e-mail is stored for local users, a set of user-definable rules which determine how the mail server should react to the destination of a specific message, a database of user accounts that the mail server recognizes and will deal with locally, and communication modules, which are the components that actually handle the transfer of messages to and from other mail servers and e-mail clients. The person(s) responsible for maintaining the e-mail server (editing users, monitoring system activity) are generally referred to as the postmaster. Most mail servers are designed to operate without manual intervention during normal operation.

Components used in this project:
- Postfix (SMTP server): sends mail and accepts mail from other servers.
- Dovecot (POP3/IMAP server): lets clients retrieve the mail stored in users' mailboxes.
- SquirrelMail (web interface): used to read and send mail from a browser.
- FTP (File Transfer Protocol): used to transfer files; it is not a mail component.


SquirrelMail web interface, used to read and send mail:


SVN server
SVN is short for Subversion. Subversion manages files and directories, and the changes made to them, over time. This lets you recover older versions of your data or examine the history of how it changed.

Installing SVN together with the Apache module that serves repositories over HTTP:

    yum install subversion mod_dav_svn

Configuration file:

    vim /etc/httpd/conf.d/subversion.conf

Creating a repository and handing it to Apache (the httpd process must own it to be able to write to it):

    svnadmin create repos
    chown -R apache:apache repos

Checking out, editing and committing:

    svn co http://servername/repos
    svn commit -m "editing the file"

Serving the repository through Apache is what lets the LDAP authentication described later protect it, so the same directory password covers SVN as well as mail.


LDAP

(Lightweight Directory Access Protocol)

LDAP is used here for centralized user authentication: it holds the user database that the other services check credentials against. An LDAP server is also known as a Directory System Agent (DSA). LDAP allows the directory to be distributed across servers placed where they are needed. Flow diagram of LDAP:


Integrating Apache with Ldap


To integrate Apache authentication with LDAP, follow these steps. Create an authentication file, e.g. .htaccess (or put the same directives in a <Location> block of subversion.conf), and enter the following lines:

    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthName "myp2Repo SVN Authentication"
    AuthLDAPBindDN cn=Manager,dc=example,dc=com
    AuthLDAPBindPassword mypass
    AuthLDAPURL ldap://localhost:389/o=domains,dc=example,dc=com?mail
    Require valid-user

Explanation:

AuthzLDAPAuthoritative: on Apache 2.2, specifies whether the LDAP authorization decision is final or whether, on failure, it falls through to other authorization modules. The directive was removed in Apache 2.4.

AuthLDAPBindDN: the account Apache itself logs into LDAP with in order to search for the user.

AuthLDAPBindPassword: the password of that account. In this setup it is the directory manager's master password, which is far more privilege than a search needs; a dedicated read-only bind account is safer, and the password should not sit in a .htaccess file inside a web-served directory.

AuthLDAPURL: the LDAP URL, ldap://localhost:389/o=domains,dc=example,dc=com?mail. The part after ? names the attribute the login name is matched against, so users must enter their e-mail address as the user name. Apache searches for (mail=<login name>) under the base DN, then re-binds as the DN it finds using the password the user typed; the LDAP server, not Apache, checks the password.

AuthName needs the quotes because the realm contains spaces. With AuthType Basic the browser sends the password base64-encoded on every request, so this location should be served over HTTPS only, and if the LDAP server is not on the same host the AuthLDAPURL should use ldaps:// (or the TLS option) so the password is not relayed in the clear a second time.
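What Apache does with these directives, and the checks worth running on them, as an added example in Python that is not Apache's own code: it parses the AuthLDAPURL, builds the search filter with RFC 4515 escaping so a login name such as *)(objectClass=* cannot widen the search, and lints the directive set for cleartext LDAP to a remote host, an inline bind password, Basic auth without an HTTPS requirement and an over-broad Require. The config text is the page's, reformatted; the lint rules and their wording are this example's assumptions, not Apache defaults.

```python
"""What mod_authnz_ldap does with the directives shown above, and the
checks a reviewer would run on that config.

Added example for this page, not Apache's own code.  It parses an
AuthLDAPURL (scheme://host:port/basedn?attribute?scope?filter, optionally
followed by NONE|SSL|TLS|STARTTLS), builds the search filter Apache issues
for a login name with RFC 4515 escaping, and lints the directive set.
The lint rules are this example's, not Apache defaults.
"""
from urllib.parse import unquote, urlsplit

# The page's configuration, one directive per line.
PAGE_CONFIG = """
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthName "myp2Repo SVN Authentication"
AuthLDAPBindDN cn=Manager,dc=example,dc=com
AuthLDAPBindPassword mypass
AuthLDAPURL ldap://localhost:389/o=domains,dc=example,dc=com?mail
Require valid-user
"""

# RFC 4515: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value placed inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its parts; defaults follow mod_authnz_ldap."""
    url, *mode = url.split()
    u = urlsplit(url)
    parts = u.query.split("?") if u.query else []
    parts += [""] * (3 - len(parts))
    attribute, scope, extra = parts[:3]
    scheme = u.scheme.lower()
    return {
        "scheme": scheme,
        "host": u.hostname or "localhost",
        "port": u.port or (636 if scheme == "ldaps" else 389),
        "base_dn": unquote(u.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": extra or "(objectclass=*)",
        "mode": mode[0].upper() if mode else "NONE",
    }


def search_filter(url, username):
    """The filter Apache sends to find the user's DN before re-binding as it."""
    p = parse_auth_ldap_url(url)
    return f"(&{p['filter']}({p['attribute']}={escape_filter_value(username)}))"


def parse_directives(config_text):
    """Directive name (lower-cased) -> argument string."""
    out = {}
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            out[parts[0].lower()] = parts[1].strip()
    return out


def lint_ldap_auth(config_text):
    """Return the findings a reviewer would raise against this directive set."""
    d = parse_directives(config_text)
    findings = []
    if "authldapurl" in d:
        p = parse_auth_ldap_url(d["authldapurl"])
        if (p["scheme"] == "ldap" and p["mode"] not in ("SSL", "TLS", "STARTTLS")
                and p["host"] not in ("localhost", "127.0.0.1", "::1")):
            findings.append("AuthLDAPURL uses cleartext ldap:// to a remote host; "
                            "use ldaps:// or append ' TLS' (STARTTLS)")
    if "authldapbindpassword" in d and not d["authldapbindpassword"].startswith("exec:"):
        findings.append("AuthLDAPBindPassword is inline; keep it in a root-only file "
                        "via 'exec:/path/to/script' and out of .htaccess")
    if d.get("authtype", "").lower() == "basic" and "sslrequiressl" not in d:
        findings.append("AuthType Basic sends the password base64-encoded on every "
                        "request; add SSLRequireSSL or serve this path over HTTPS only")
    if d.get("require", "").lower() == "valid-user":
        findings.append("Require valid-user admits every directory account that can "
                        "bind, including mail-only users; prefer Require ldap-group")
    return findings


if __name__ == "__main__":
    url = parse_directives(PAGE_CONFIG)["authldapurl"]
    print(search_filter(url, "alice@example.com"))
    print(search_filter(url, "*)(objectClass=*"))   # injection attempt, neutralised
    for finding in lint_ldap_auth(PAGE_CONFIG):
        print("-", finding)
```

The escaping is what mod_authnz_ldap does for you; it matters when an application queries the directory itself with a user-supplied name, which is where LDAP filter injection usually appears. The loopback exemption in the cleartext check is deliberate: the page's LDAP server is on the same host, so the finding fires only once the URL points elsewhere.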


iRedmail
iRedMail is a free, open-source mail server solution for Linux/BSD that provides POP3/IMAP/SMTP services, anti-spam, anti-virus, etc. It supports OpenLDAP and MySQL as back-ends for storing the virtual domains and virtual users, and it offers a web-based admin panel.

It is a fully fledged, free e-mail server solution and an open-source project (GPL v2). It uses the official binary packages of the Linux/BSD distributions, with both i386 and x86_64 support, and deploys quickly. It works on Red Hat Enterprise Linux, CentOS, Debian, Ubuntu, openSUSE and FreeBSD, on both physical and virtualised machines, e.g. VMware, OpenVZ and Xen. Screenshots of the installation:

1. iRedMail supports both OpenLDAP and MySQL as back-ends for storing virtual domains and users. OpenLDAP is recommended.


2. Choose the directory that will be used to store users' mailboxes.


3. LDAP suffix, normally it's your domain name, such as: dc=example,dc=com:


4. Set the MySQL root password:


5. Set the password for the LDAP server admin, cn=Manager,dc=example,dc=com:


6. Add your first virtual domain, e.g.:


7. Set the password for the virtual domain admin, postmaster@example.com; you can log into iRedAdmin with this account:


8. Select optional components:


9. Select the default language for your webmail application:

iRedAdmin panel

iRedAdmin Open Source Edition is a web-based admin panel for iRedMail; it allows you to add, remove and edit domains, users and domain admin accounts. More features are available in the paid Pro edition, iRedAdmin-Pro. The same directory and database records can also be edited directly with phpLDAPadmin and phpMyAdmin.


1. Log into iRedAdmin as postmaster@example.com:


2. Here user accounts, admins and domains can be added:


3. Creating a new mail user:


4. The account profile of the user:


iRedMail offers Roundcube webmail as one of the optional web-based e-mail clients. Roundcube provides a very pleasant interface for reading e-mail in a browser and offers features such as:

Released features:
- Drag-and-drop message management
- Full support for HTML messages
- Sophisticated privacy protection
- Composing messages with attachments
- Multiple sender identities
- Address book with groups and LDAP connectors
- Rich-text/HTML message composing
- Forwarding messages with attachments
- Searching messages and contacts

Roundcube is a web-based IMAP e-mail client written in PHP. Its most prominent feature is the pervasive use of Ajax to present a more fluid and responsive user interface than traditional webmail clients.

Server requirements:
- Apache, Lighttpd, Cherokee or Hiawatha web server
- PHP version 5.2.1 or greater
- MySQL, PostgreSQL, SQLite or MSSQL database
- An IMAP server that supports IMAP4rev1
- An SMTP server (recommended) or PHP configured for mail delivery


phpLDAPadmin (also known as PLA) is a web-based LDAP client. It provides easy, anywhere-accessible, multi-language administration of your LDAP server. Its hierarchical tree viewer and advanced search functionality make it intuitive to browse and administer an LDAP directory. Because it is a web application, this LDAP browser works on many platforms, making the LDAP server manageable from any location. Its user base consists mostly of LDAP administration professionals, but it suits novices as well.

Managing LDAP data doesn't have to be difficult. No matter how you approach it, LDAP is a challenge, from understanding the fundamentals that make up the system to managing the data the system uses. There are several ways to manage that data: the command-line tools (ldapadd, ldapmodify, ldapsearch), the stand-alone and very capable 389 Directory Server, or the web-based phpLDAPadmin. As you would expect, phpLDAPadmin is very much like phpMyAdmin (a powerful, user-friendly tool for managing MySQL), and it makes managing LDAP data about as easy.

The first task is to log into the tool. When you open the phpLDAPadmin page you will see a login button. Click it and enter your LDAP admin credentials. Remember, the credentials take the form cn=manager,dc=example,dc=com; they were set when LDAP was initially installed and configured (step 5 of the iRedMail installation above). Because this account can read and rewrite every entry, including password hashes, phpLDAPadmin should be reachable only over HTTPS and only from administrative networks. Once you're in, you should see something like the screenshot below. Before creating entries, examine the hierarchy in the left-side navigation. At the top of the hierarchy is the Base DN; under it are the objects and attributes you can add to or edit. We will look at adding a new group and then adding a user to that group.
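Adding a group and a user as the text describes, as an added example in Python (not phpLDAPadmin's or iRedMail's code): it writes the LDIF that ldapadd or phpLDAPadmin's import accepts, with userPassword stored as an OpenLDAP {SSHA} hash rather than cleartext, and it places the user under o=domains,dc=example,dc=com with a mail attribute so that the Apache AuthLDAPURL earlier on this page would find it. The ou=people and ou=groups containers, the attribute choices and the sample person are assumptions of this example; check the DNs against what the tree viewer shows before importing.

```python
"""Adding a group and a mail user to the directory, the way phpLDAPadmin or
ldapadd would, with the password stored as an OpenLDAP {SSHA} hash instead
of cleartext.

Added example for this page (not phpLDAPadmin's or iRedMail's own code).
The ou=people / ou=groups layout, attribute names and sample person are
assumptions.  Nothing here talks to an LDAP server; the output is an LDIF
you would feed to ldapadd, so it can be reviewed before anything changes.
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]           # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def ldif_value(attr, value):
    """One LDIF line; values that are not safe ASCII go base64 with '::'."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_entry(base_dn, uid, mail, cn, sn, password, salt=None):
    """inetOrgPerson entry whose mail attribute is what AuthLDAPURL ?mail matches."""
    dn = f"uid={uid},ou=people,{base_dn}"
    lines = [f"dn: {dn}", "objectClass: inetOrgPerson",
             ldif_value("uid", uid), ldif_value("cn", cn), ldif_value("sn", sn),
             ldif_value("mail", mail),
             ldif_value("userPassword", ssha_hash(password, salt))]
    return dn, "\n".join(lines)


def group_entry(base_dn, group, member_dns):
    """groupOfNames entry; 'member' is mandatory, so add users first."""
    dn = f"cn={group},ou=groups,{base_dn}"
    lines = [f"dn: {dn}", "objectClass: groupOfNames", ldif_value("cn", group)]
    lines += [f"member: {m}" for m in member_dns]
    return dn, "\n".join(lines)


def build_ldif(base_dn, group, users):
    """LDIF that adds the users first, then the group that references them."""
    blocks, dns = [], []
    for u in users:
        dn, text = user_entry(base_dn, **u)
        dns.append(dn)
        blocks.append(text)
    blocks.append(group_entry(base_dn, group, dns)[1])
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Constructed sample data for the example.
    users = [dict(uid="alice", mail="alice@example.com", cn="Alice Example",
                  sn="Example", password="correct horse battery staple")]
    print(build_ldif("o=domains,dc=example,dc=com", "svn-users", users))
```

Feeding the output to ldapadd -x -D cn=Manager,dc=example,dc=com -W -f users.ldif creates the entries; a Require ldap-group cn=svn-users,ou=groups,o=domains,dc=example,dc=com line in the Apache config then limits the repository to that group instead of every account that can bind.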


Log into phpLDAPAdmin: cn=manager,dc=example,dc=com


Manage the mail account:


Need and significance of project


- SSO lets users enter their password once rather than everywhere; users who are not trained to type a password at every prompt are harder to phish, which improves password security.
- Reduces time spent re-entering passwords for the same identity.
- Can support conventional authentication such as Windows credentials (i.e. username/password).
- Security at all levels of entry, exit and access to systems without re-prompting users.
- Centralized reporting for compliance adherence.


Conclusion
A well-planned and carefully deployed Single Sign-on product can be a great complement to the other security measures that are already in place in an organization. By weighing the risk factors associated with implementing each SSO product against the advantages and by keeping the expectations aligned with realistic planning, an SSO product implementation to satisfy your requirements is achievable.

