
Leveraging New Features in CA Single Sign-On to Enable Web Services, Social Sign-On and Enhanced Session Security

Jul 06, 2015



CA Technologies

CA Single Sign-On (CA SSO) is constantly evolving, incorporating the latest technologies in secure web access management. In order to stay secure and competitive, CA SSO makes greater use of the CA Access Gateway (formerly CA SiteMinder Secure Proxy Server). This presentation provides an overview of the new features in CA Single Sign-On.

For more information on CA Security solutions, please visit: http://bit.ly/10WHYDm
Transcript
Page 1: Leveraging New Features in CA Single-Sign on to Enable Web Services, Social Sign-On and Enhanced Session Security

ca Securecenter

Leveraging New Features in CA Single Sign-On* to Enable Web Services, Social Sign-On and Enhanced Session Security

Tim Hobbs, Advisor, Product Management, CA Technologies

SCX19E #CAWorld

*formerly CA SiteMinder

Page 2

2 © 2014 CA. ALL RIGHTS RESERVED.

Abstract

CA Single Sign-On (CA SSO) is constantly evolving, incorporating the latest technologies in secure web access management. In order to stay secure and competitive, CA SSO makes greater use of the CA Access Gateway (formerly CA SiteMinder® Secure Proxy Server).

Tim Hobbs

CA Technologies

Advisor, Product Management

Page 3

Agenda

1. USING THE CA ACCESS GATEWAY

2. SOCIAL SIGN-ON

3. OPEN FORMAT COOKIE

4. WEB SERVICES (SOAP AND REST API)

5. ENHANCED SESSION ASSURANCE WITH DEVICEDNA™

Page 4

CA Access Gateway

*formerly CA SiteMinder® Secure Proxy Server

Page 5

CA Access Gateway Overview

Agent-focused deployment (diagram): Browser -> Web Server with CA SSO Agent -> CA SSO Policy Server -> User Directories and CA SSO Policy Store

Page 6

CA Access Gateway Overview

Proxy-focused deployment (diagram): Browser -> CA Access Gateway -> Web Servers and Web Services APIs; CA Access Gateway -> CA SSO Policy Server -> User Directories and CA SSO Policy Store

Page 7

CA Access Gateway Overview

Any (and multiple) back-end web servers

Login, federation, password service pages

Session management options for mobile devices

Significantly reduces the TCO

Diagram: Users (employees, mobile employees, partners, customers) -> CA Access Gateway -> Destination Servers, with CA Access Gateway communicating with the CA SSO Policy Server

Page 8

CA Access Gateway Product Features

Access control for HTTP and HTTPS requests

Single sign-on

Multiple session schemes

Session storage

Cookie-less single sign-on

Intelligent proxy rules

Centralized access control management

Enterprise class architecture

Page 9

Expanded Support For SSO And Access Management: Overview

Feature / Description

WebDAV: CA Access Gateway can control access to content that is accessed via the WebDAV protocol, an extension of HTTP

Session Linker: For securing single sign-on to ERP environments

Support for ASAs: CA Access Gateway can be used in place of a CA Single Sign-On Web Agent as the web tier in front of a CA Single Sign-On ASA agent

Integrated Windows Authentication: Support for IWA to access applications on servers behind CA Access Gateway

Enhanced proxy rules: Enhanced rules to support new conditions based on cookie existence, cookie value, and header existence

Page 10

Proxy Rules Overview

Forward requests based on:

URI

Virtual host name

Header values (standard or created by CA SSO response)

Device type

File extension

Cookie existence/cookie value

Regular expressions and nested conditions in proxy rules
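The following is an added example, not CA Access Gateway's own proxy-rule format or engine: a small Python rule evaluator that models the conditions listed above (URI, virtual host name, header value, device type, file extension, cookie existence and value, regular expressions and nested conditions). The backend names, rules and requests are constructed for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal view of an HTTP request (constructed for this example)."""
    host: str
    uri: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# Every condition is a predicate over a Request.  Regular expressions are
# compiled once when the rule set is built, not on every request.
def cond_uri(pattern):
    rx = re.compile(pattern)
    return lambda r: rx.search(r.uri) is not None


def cond_host(name):
    return lambda r: r.host.lower() == name.lower()


def cond_header(name, pattern):
    rx = re.compile(pattern)
    return lambda r: rx.search(r.headers.get(name, "")) is not None


def cond_ext(*exts):
    def check(r):
        last = r.uri.split("?", 1)[0].rsplit("/", 1)[-1]   # ignore the query string
        return "." in last and last.rsplit(".", 1)[1].lower() in exts
    return check


def cond_cookie(name, value_pattern=None):
    """Cookie existence, or existence plus a full-value match."""
    rx = re.compile(value_pattern) if value_pattern else None

    def check(r):
        if name not in r.cookies:
            return False
        return rx is None or rx.fullmatch(r.cookies[name]) is not None
    return check


def cond_device(kind):
    """Crude device classification from User-Agent (assumption: only 'mobile'/'desktop')."""
    mobile = re.compile(r"iPhone|iPad|Android|Mobile", re.I)
    return lambda r: (mobile.search(r.headers.get("User-Agent", "")) is not None) == (kind == "mobile")


def all_of(*conds):
    return lambda r: all(c(r) for c in conds)


def any_of(*conds):
    return lambda r: any(c(r) for c in conds)


# Rule set: (condition, backend).  First match wins; the catch-all comes last.
RULES = [
    (all_of(cond_host("www.example.com"), cond_device("mobile")), "http://mobile-app.internal"),
    (all_of(cond_uri(r"^/api/"),
            any_of(cond_header("Accept", r"application/json"), cond_ext("json"))), "http://api.internal"),
    (all_of(cond_uri(r"^/partner/"), cond_cookie("PARTNER_TIER", r"gold|silver")), "http://partner-app.internal"),
    (cond_ext("jpg", "png", "css", "js"), "http://static.internal"),
    (lambda r: True, "http://default-app.internal"),
]


def route(request, rules=RULES):
    """Return the backend for the first rule whose condition holds."""
    for cond, backend in rules:
        if cond(request):
            return backend
    raise LookupError("no rule matched and no catch-all rule configured")
```

Rules are evaluated top-down and the first match wins, so the ordering is itself part of the policy (a mobile request to /api/ goes to the mobile backend here); a catch-all rule at the end makes every request route somewhere deterministic. The device test is a deliberately crude User-Agent regex, since the deck does not describe how the product classifies devices.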

Page 11

Proxy Rules: Use Case

Page 12

Proxy Rules: Example

Page 13

Improved Management For Lower TCO: Overview

Feature / Description

Manage multiple instances: Can configure multiple CA Access Gateway hosts at the same time

Multiple instances on single hardware platform: Making it possible to separate user groups or application access across CA Access Gateway instances without increasing hardware costs

CA Application Performance Management* support: CA Access Gateway has been instrumented to provide performance data to the application performance tool

Agent discovery: CA Access Gateway instances are uniquely identified in the CA Single Sign-On agent discovery administrative UI for ease of management

Administrative UI for configuration: Administrative UI for configuring proxy rules, virtual hosts, proxy service settings, session store and session scheme settings, federation settings

*formerly CA Wily Introscope®

Page 14

Improved Management for Lower TCO: Administrative UI

Page 15

Improved Management for Lower TCO: Administrative UI (capabilities introduced with SPS r12.5)

Page 16

Improved Management for Lower TCO: Administrative UI

Page 17

Improved Management for Lower TCO: Administrative UI

Page 18

Improved Management for Lower TCO: Administrative UI

Page 19

Improved Management for Lower TCO: Administrative UI

Page 20

Improved Management for Lower TCO: Administrative UI

Page 21

Citrix NetScaler Overview: Leading Application Delivery Controller

Available as a physical or virtual appliance, Citrix NetScaler is a comprehensive system deployed in front of application and database servers that combines high-speed load balancing and content switching with:

Application acceleration

Highly-efficient data compression

Static and dynamic content caching

SSL acceleration

Application performance monitoring

Robust application security

Courtesy: Citrix Training Content

Diagram (B2B, B2C and P2P traffic; Availability, Performance, Offload and Security tiers; App Expert Admin):

• World-class L4-L7 load balancing

• Intelligent service health monitoring

• Caching

• Compression

• Connection pooling

• Web 2.0 offload

• SSL processing

• Access Gateway SSL VPN

• Application firewall

Page 22

Citrix NetScaler Platforms

NetScaler VPX: A virtual appliance

NetScaler MPX Platform Models: Hardware appliance for scale

NetScaler SDX: Platform for enterprise and cloud datacenters

– Virtualized architecture, which effectively delivers multiple NetScaler instances running on a single NetScaler MPX appliance, with an advanced control plane for unified provisioning, monitoring and management for multi-tenant requirements

– Can consolidate up to 80 independently-managed NetScaler instances with up to 120 Gbps of overall performance

– Provides complete isolation so that memory, CPU cycles and SSL capacity can be divided and definitively assigned to different NetScaler instances

Software and Hardware Appliances

Courtesy: Citrix Training Content

Page 23

CA Access Gateway for Citrix NetScaler SDX

Virtual Appliance built on RedHat Enterprise Linux (RHEL) in Citrix-supported XVA format and deployed on the NetScaler SDX platform

All standard features of CA Access Gateway, which can be used after performing standard configurations (requires a configured CA Single Sign-On Policy Server)

Can be dynamically provisioned and managed from the Citrix NetScaler SDX administrative interface:

– Creates a VM with an installed CA Access Gateway instance (takes the install parameters from the provisioning UI)

– Monitor performance

– Start, stop, reboot, upgrade, upgrade SDX tools etc.

CA Single Sign-On integration use cases with Citrix NetScaler 10.5.x

SAML-based SSO authentication between Citrix NetScaler and CA Single Sign-On

Radius-based authentication from Citrix NetScaler through CA Single Sign-On

Full range of CA Single Sign-On authentication as well as granular authorization capabilities available via integration

Page 24

Social Sign-On

Page 25

Support for Social Sign-On: Overview

Simple new user registration increases sign-up rate.

Use consumer identity for initial customer acquisition and low-risk transactions.

Collecting identity and device attributes allows for personalized marketing.

Seamless sign-on encourages registration and enables targeted marketing.

Sign on with stronger credentials when needed for high-value transactions.

Page 26

Support for Social Sign-On: Use Case

1. The user initiates a sign-on request using a social sign-on account (OAuth request).

2. The user is redirected to the selected remote authorization server and logs in.

3. The OAuth flow is completed via the backchannel.

4. If configured, user information is retrieved from the configured user information URL via the backchannel.

5. Once authorized, the browser is redirected to the configured target page.

6. If authorized but not found in the user store, the JIT provisioning process can be launched (first-time access/create account).
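As an added example that is not part of the original deck or CA SSO's code, the Python below models the relying-party side of the steps above: the OAuth 2.0 authorization-code flow with a state value, the backchannel code exchange, user-information retrieval, and just-in-time provisioning of a user not yet in the local store. The authorization server is simulated in-process (FakeAuthServer), and all endpoints, client credentials, account data and the callback URL are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class FakeAuthServer:
    """Constructed stand-in for a remote OAuth 2.0 authorization server
    (its authorize, token and user-information endpoints)."""

    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self.codes = {}      # authorization code -> (redirect_uri, subject)
        self.tokens = {}     # access token -> subject
        self.accounts = {"sub-alice-123": {"sub": "sub-alice-123", "email": "alice@example.net"}}

    def user_logs_in(self, redirect_uri, subject):
        """Browser-side step: the user authenticates at the provider and is
        sent back to the redirect URI with a single-use code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (redirect_uri, subject)
        return code

    def token_endpoint(self, params):
        """Backchannel code exchange; the client secret never reaches the browser."""
        entry = self.codes.pop(params.get("code"), None)     # codes are single use
        if (entry is None or params.get("client_id") != self.client_id
                or params.get("client_secret") != self.client_secret
                or params.get("redirect_uri") != entry[0]):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(16)
        self.tokens[token] = entry[1]
        return {"access_token": token, "token_type": "bearer"}

    def userinfo_endpoint(self, bearer):
        subject = self.tokens.get(bearer)
        return dict(self.accounts[subject]) if subject else None


class OAuthPartnership:
    """The CA SSO side: local OAuth client entity plus partnership settings
    (all values are constructed placeholders)."""

    def __init__(self, provider, auth_server, client_id, client_secret, redirect_uri, target):
        self.provider, self.auth_server = provider, auth_server
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.target = redirect_uri, target
        self.pending_states = set()   # ties the callback to a request this site started
        self.user_store = {}          # (provider, sub) -> local user id
        self.jit_created = []

    def begin(self):
        """Step 1: build the redirect to the authorization server."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return "https://auth.provider.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "openid email", "state": state})

    def finish(self, callback_url):
        """Steps 3-6: validate state, exchange the code, fetch user info,
        look up or JIT-provision the user, then redirect to the target."""
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        if q.get("state") not in self.pending_states:
            raise PermissionError("unknown or replayed state")
        self.pending_states.discard(q["state"])
        token = self.auth_server.token_endpoint({
            "grant_type": "authorization_code", "code": q.get("code"),
            "client_id": self.client_id, "client_secret": self.client_secret,
            "redirect_uri": self.redirect_uri})
        if "access_token" not in token:
            raise PermissionError("authorization code exchange failed")
        info = self.auth_server.userinfo_endpoint(token["access_token"])
        key = (self.provider, info["sub"])
        local_id = self.user_store.get(key)
        if local_id is None:                   # JIT provisioning on first access
            local_id = f"{self.provider}:{info['sub']}"
            self.user_store[key] = local_id
            self.jit_created.append(local_id)
        return {"user": local_id, "redirect": self.target}


def run_demo():
    """Two sign-ons by the same social identity, plus a replayed callback."""
    srv = FakeAuthServer("client-abc", "s3cret")
    cb = "https://sso.example.com/oauth/callback"
    p = OAuthPartnership("google", srv, "client-abc", "s3cret", cb, "https://sso.example.com/app/home")
    results = []
    for _ in range(2):
        state = parse_qs(urlparse(p.begin()).query)["state"][0]
        code = srv.user_logs_in(cb, "sub-alice-123")
        callback = f"{cb}?{urlencode({'code': code, 'state': state})}"
        results.append(p.finish(callback))
    try:                                      # replaying the last callback must fail
        p.finish(callback)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"first": results[0], "second": results[1],
            "jit_created": list(p.jit_created), "replay_rejected": replay_rejected}
```

run_demo() signs the same social identity in twice: the first sign-on creates the local user (JIT provisioning), the second finds it. Replaying the last callback URL is rejected because the state value was consumed, and the simulated server would in any case refuse a second use of the same authorization code.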

Page 27

Support for Social Sign-On: Requirements

Pre-configured OAuth authorization server support for:

– Twitter (OAuth 1.0a)

– Facebook, Google, LinkedIn, Microsoft (OAuth 2.0)

– Many other OAuth Identity Providers

Client registration with the remote authorization server is required before creating the partnership

Page 28

Support for Social Sign-On: Configuration

1. Create the local OAuth client entity.

2. Create or modify the remote entity of an authorization server.

3. Create a partnership to configure single sign-on.

4. Migrate an OAuth authentication scheme to OAuth Partnership.

Page 29

Support for Social Sign-On: Create the local OAuth client identity.

Select the appropriate OAuth version for your partnership.

Page 30

Support for Social Sign-On: Modify the remote entity of an authorization server.

Page 31

Support for Social Sign-On: Modify the remote entity of an authorization server (Google pre-configured remote entity).

Page 32

Support for Social Sign-On: Create a partnership to configure single sign-on.

Page 33

Support for Social Sign-On: Create a partnership to configure single sign-on.

Page 34

Support for Social Sign-On: Create a partnership to configure single sign-on.

Page 35

Support for Social Sign-On: Create a partnership to configure single sign-on.

Page 36

Support for Social Sign-On: Migrate to OAuth partnership.

Use both the OAuth authentication scheme and an OAuth partnership simultaneously.

– Add the new redirect URL to the existing OAuth authentication scheme redirect URL.

Use an OAuth partnership instead of the OAuth authentication scheme.

– Update the existing redirect URL at the OAuth authorization server to the appropriate partnership redirect URL.

Page 37

Lab 1: Social Sign-On

IN THIS LAB YOU WILL:

Create an OAuth Partnership

Page 38

Credential Handling Service: Overview

Simplified configuration for letting the end user choose the authentication provider

Supports identity providers using federation partnerships

Is deployed on the CA Access Gateway

Page 39

Credential Handling Service: Use Case

Make several federated partnerships available for login. The credential handling service shows the partnerships in the group.

– An unauthenticated user requests a resource protected by CA SSO and is presented with the choice of identity providers

– The user selects an identity provider to authenticate with

– The selected partnership is invoked and the user is redirected to the identity provider for login and back to CA SSO

– When the user is identified by CA SSO, the user is redirected back to the original target page

– When the user is not found by CA SSO, provisioning can occur

Page 40

Credential Handling Service: Requirements

CA Access Gateway

Partnership between CA SSO and the enterprise (CA SSO) where protected resources exist

Partnership between CA SSO and identity providers

Page 41

Credential Handling Service: Configuration

1. Configure partnerships to identity providers.

2. Create an authentication method group.

3. Configure a partnership to the enterprise.

4. Optionally customize the credential selector page.

Page 42

Credential Handling Service: Login Flow Detail (Registered User)

1. An unauthenticated user invokes a partnership with CHS enabled.

2. The user selects an identity provider and signs on. The identity provider generates an access token and redirects the user to the federation system (relying party).

3. The federation system (relying party) verifies the access token, disambiguates the user, and generates a session.

4. The federation system (asserting party) generates an assertion and redirects the user to the enterprise (relying party).

5. The enterprise (relying party) verifies the assertion and gives the user access to the federated resource.

Page 43

Credential Handling Service: Create an authentication method group.

Page 44

Credential Handling Service: Configure a partnership to the enterprise.

Partnership based on one of these authentication protocols:

– SAML 1.1

– SAML 2.0

– WS-Federation

SSO

– Authentication mode = Credential Selector

– Define the base URL

– Select the previously created Authentication Method Group

Target Application

– SAML 1.1: Target

– SAML 2.0 and WS-Federation: Relay State Overrides Target

Page 45

Credential Handling Service: Customize the header or footer.

Directory: <install_path>\CA\secure-proxy\Tomcat\webapps\chs\jsps

1. Make a copy of the header.jsp file and name the new file header-custom.jsp.

2. Make a copy of the footer.jsp file and name the new file footer-custom.jsp.

3. Customize the new files as needed.

4. Restart CA Access Gateway.

Page 46

Lab 2: Credential Handling Service

IN THIS LAB YOU WILL:

Create an Authentication Method Group

Enable the Credential Handling Service

Page 47

Open Format Cookie: Agentless SSO

Page 48

Open Format Cookie = “agentless” SSO: Overview

Standards-based cookie directly read by applications

No agent or proxy installed between user and web server

– Lower cost method for accomplishing basic SSO

– Web applications decrypt (optional) and consume the standard cookie

– Adds flexible option to a customer’s CA SSO architecture

For applications that have lower security requirements

– No centralized auditing, CA SSO authorization or centralized session control

Web Agent in the CA SSO architecture used for protection and cookie generation

Page 49

Open Format Cookie Use Case

When not possible/not convenient to deploy a Web Agent

Less stringent security and session control over applications

Generated in response to a successful authentication or authorization event

Page 50

Open Format Cookie Configuration

Page 51

Web Services: SOAP and REST APIs

Page 52

SOAP and REST APIs: Overview

Web service interfaces for authentication and authorization

Deployed via CA Access Gateway

Supports SOAP (WSDL) and REST (WADL) architectures

http(s)://server:port/authazws/auth?wsdl

http(s)://server:port/authazws/AuthRestService/application.wadl

Lower cost method for integrating CA SSO services

Adds flexible option to a customer’s CA SSO architecture

Page 53

SOAP and REST APIs: Overview

The Authn/Authz web services provide the following functionality:

– login – Authenticates and returns a session token (and optional identity token)

– blogin – (Boolean login) authenticates and verifies whether the login is successful; does not return a session token

– logout – Logs out the user or group of users

– authorize – Returns an authorization status message and a refreshed session token

Page 54

SOAP and REST APIs: Use Case

1. User accesses the mobile gateway via smartphone.

2. Mobile Gateway calls the web service interface to authenticate the user.

3. Web service validates with the CA SSO Policy Server.

4. CA SSO validates/authorizes the request.

5. Web service provides validation/authorization status back to the mobile gateway via a session token.

6. Mobile gateway requests content from the web server.

7. Content is returned to the user.

Diagram components: User, Mobile Gateway, Secure Proxy Server (web service), Policy Server, Web Server
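An added example, not CA SSO's code or its wire format, written in Python to show the gateway-side logic of steps 2-5: the gateway authenticates the user once with login, calls authorize for each request, keeps the refreshed session token that authorize returns (as listed on the overview slide), and drops the session when the web service reports it as expired. The web service itself is simulated by FakeAuthAzService; the request and response field names (result, sessionToken), the idle timeout and the user and policy data are assumptions for this example, and the real shapes come from the published WSDL/WADL.

```python
import secrets


class FakeAuthAzService:
    """Constructed stand-in for the authn/authz web service.  It exposes the
    four operations the slide lists; request and response shapes are
    assumptions for this example, not the product's wire format."""
    IDLE_TIMEOUT = 600   # seconds (assumed)

    def __init__(self, users, policies, clock):
        self.users = users          # user -> password (constructed directory)
        self.policies = policies    # resource prefix -> users allowed
        self.clock = clock          # callable returning "now" in seconds
        self.sessions = {}          # session token -> (user, last activity)

    def _issue(self, user):
        token = secrets.token_urlsafe(24)
        self.sessions[token] = (user, self.clock())
        return token

    def login(self, user, password):
        if self.users.get(user) != password:
            return {"result": "failure"}
        return {"result": "success", "sessionToken": self._issue(user)}

    def blogin(self, user, password):
        return self.users.get(user) == password        # verifies only; no session created

    def logout(self, token):
        return {"result": "success" if self.sessions.pop(token, None) else "failure"}

    def authorize(self, token, resource):
        """Authorization decision plus a refreshed token; the old token is retired."""
        entry = self.sessions.pop(token, None)
        if entry is None:
            return {"result": "failure", "reason": "unknown session token"}
        user, last = entry
        if self.clock() - last > self.IDLE_TIMEOUT:
            return {"result": "failure", "reason": "session expired"}
        allowed = any(resource.startswith(p) and user in who for p, who in self.policies.items())
        return {"result": "success" if allowed else "failure", "sessionToken": self._issue(user)}


class MobileGateway:
    """Steps 2-5 of the use case: authenticate once, then authorize every
    request and always keep the refreshed token."""

    def __init__(self, service):
        self.service = service
        self.tokens = {}    # device id -> current session token

    def sign_in(self, device, user, password):
        reply = self.service.login(user, password)
        if reply["result"] != "success":
            return False
        self.tokens[device] = reply["sessionToken"]
        return True

    def fetch(self, device, resource):
        """Return an HTTP-style status for the device's request."""
        token = self.tokens.get(device)
        if token is None:
            return 401
        reply = self.service.authorize(token, resource)
        if "sessionToken" in reply:
            self.tokens[device] = reply["sessionToken"]   # rotate; never reuse the old one
            return 200 if reply["result"] == "success" else 403
        self.tokens.pop(device, None)                     # session gone: force re-login
        return 401


def run_demo():
    now = [1000.0]                                        # controllable clock
    svc = FakeAuthAzService({"alice": "correct-horse"}, {"/app/": {"alice"}, "/admin/": {"bob"}},
                            clock=lambda: now[0])
    gw = MobileGateway(svc)
    out = {"bad_password": gw.sign_in("phone-1", "alice", "wrong"),
           "login": gw.sign_in("phone-1", "alice", "correct-horse")}
    first_token = gw.tokens["phone-1"]
    out["app"] = gw.fetch("phone-1", "/app/home")
    out["admin"] = gw.fetch("phone-1", "/admin/users")
    out["old_token_replay"] = svc.authorize(first_token, "/app/home")["result"]
    now[0] += 601                                         # idle past the timeout
    out["after_timeout"] = gw.fetch("phone-1", "/app/home")
    out["after_timeout_again"] = gw.fetch("phone-1", "/app/home")
    return out
```

run_demo() returns HTTP-style statuses for one device: 200 for an authorized resource, 403 when the session is valid but policy denies, and 401 once the session has timed out; it also shows that a token superseded by a refresh is no longer accepted by the service, which is why the gateway must store the refreshed token after every authorize call.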

Page 55

SOAP and REST APIs: Requirements

Determine and register a virtual host name (DNS entry, Hosts file).

Protect the web services root URL.

Page 56

SOAP and REST APIs: Requirements

One or more agents to protect target applications against which callers authenticate

Realms, user directories, policies and responses that are required for authentication and authorization

A client program to issue authn/authz requests to the web service on behalf of another application

(see KB article TEC592437 Scenario: Working with the CA Single Sign-On Authentication and Authorization Web Services)

Page 57

SOAP and REST APIs: Configuration

1. Create the ACO.

2. Enable the web services.

3. Configure the web services logs (optional).

Page 58

SOAP and REST APIs: Create the ACO.

ACO parameters shown: Agentname, EnableAuth / EnableAz, RequireAgentEnforcement

Page 59

SOAP and REST APIs: Enable the Web Services.

Page 60

SOAP and REST APIs: Configure the Web Services logs.

Open the file sps_home/proxy-engine/conf/webservicesagent/authaz-log4j.xml

Un-comment the AuthAZ_ROLLING appender tag:

    <appender name="AuthAZ_ROLLING" class="org.apache.log4j.DailyRollingFileAppender">
        <param name="File" value="logs/authazws.log"/>
        <layout class="org.apache.log4j.PatternLayout">
            <param name="ConversionPattern" value="%d %-5p [%c] - %m%n"/>
        </layout>
    </appender>

Un-comment all occurrences of the appender-ref for the tag:

    <appender-ref ref="AuthAZ_ROLLING"/>

New log file: sps_home/proxy-engine/logs/authazws.log

Page 61

Lab 3: Web Services

IN THIS LAB YOU WILL:

Enable the authentication and authorization Web Services

Page 62

Enhanced Session Assurance with DeviceDNA

Page 63

Enhanced Session Assurance With DeviceDNA: Overview

Improves upon existing authentication and session persistence capabilities

Enhancement to the authentication service and the Policy Server to allow for association of DeviceDNA

DeviceDNA is data unique to individual HTTP clients

CA Access Gateway and session store required to support the DeviceDNA collection

Page 64

Enhanced Session Assurance With DeviceDNA: Use Case

Combats session hijacking/session replay

Blocks the use of a stolen SMSESSION cookie

Included with CA SSO deployment and license (no additional SKUs)
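The deck does not describe the DeviceDNA data or its wire format, so the Python below is an added, simplified model (not CA SSO's implementation) of what session assurance achieves against session hijacking and replay: the session store binds each session to a keyed hash of client attributes captured at login and refuses the session cookie when a client with different attributes presents it. The client attributes, the server key and the user are constructed.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Server-side session store that binds each session to the client
    fingerprint captured at login (constructed model, not CA SSO's DeviceDNA)."""

    def __init__(self, server_key=None):
        self.server_key = server_key or secrets.token_bytes(32)   # per-deployment secret
        self.sessions = {}   # session id (the cookie value) -> {"user", "dna"}
        self.events = []     # audit events a SOC would forward to a SIEM

    def device_dna(self, attrs):
        """Keyed hash over canonicalised client attributes.  Keying means the
        stored value cannot be recomputed from the raw attributes alone."""
        canon = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
        return hmac.new(self.server_key, canon.encode(), hashlib.sha256).hexdigest()

    def login(self, user, attrs):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": user, "dna": self.device_dna(attrs)}
        return sid

    def validate(self, sid, attrs):
        """Return the user for a valid cookie, or None.  A fingerprint mismatch
        is treated as a replayed cookie: the session is revoked and logged."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        if not hmac.compare_digest(session["dna"], self.device_dna(attrs)):
            self.events.append({"event": "session_assurance_failed", "user": session["user"]})
            del self.sessions[sid]
            return None
        return session["user"]


def run_demo():
    # Constructed client attributes: the genuine browser and a different client
    # presenting the same cookie value.
    browser_a = {"ua": "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0", "tz": "-300",
                 "screen": "1920x1080", "plugins": "pdf,flash"}
    browser_b = {"ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/38.0", "tz": "+60",
                 "screen": "1366x768", "plugins": ""}
    store = SessionStore()
    cookie = store.login("alice", browser_a)
    return {
        "genuine": store.validate(cookie, browser_a),
        "replayed": store.validate(cookie, browser_b),
        "genuine_after_revocation": store.validate(cookie, browser_a),
        "events": [e["event"] for e in store.events],
    }
```

In run_demo() the cookie issued to browser A is accepted from A, rejected when presented by browser B, and the session is then revoked so a later request from A must re-authenticate; the recorded event is what a SOC would alert on. The limitations slide later in this section applies to the model as much as to the product: clients without JavaScript or cookies cannot supply the attributes, and shared workstations give different users identical fingerprints.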

Page 65

Enhanced Session Assurance With DeviceDNA: Requirements

Policy Server r12.52 or greater

– Installs necessary components silently

CA Access Gateway r12.52 or greater

Session store

Agent configuration object used for CA Access Gateway configuration should have “.sac” in the ignore extensions list

Page 66

Enhanced Session Assurance With DeviceDNA: Configuration

1. Review the limitations.

2. Configure the CA Access Gateway.

3. Create Enhanced Session Assurance endpoints.

4. Add endpoints to realms or applications.

5. (Optional) Enable Enhanced Session Assurance on partnerships.

Page 67

Enhanced Session Assurance With DeviceDNA: Limitations

Web 2.0 clients

Custom agents

Clients that do not support JavaScript and cookies

POST preservation

Shared workstations

Authentication/authorization web services

Federation limitations

– The SP side of a SAML 2.0 partnership.

– HTTP-POST Authentication request bindings on the IDP side of a SAML 2.0 partnership.

Page 68

Enhanced Session Assurance With DeviceDNA: Configure the CA Access Gateway environment.

Enter the advanced authentication server encryption key (from the installation or upgrade) in all Policy Servers.

Enable the encryption by configuring the JVM with the JSafeJCE Security Provider.

If multi-domain SSO is configured using a cookie provider Web Agent, the CA Access Gateway must be configured to run in the same domain as the cookie provider Web Agent.

Page 69

Enhanced Session Assurance With DeviceDNA: Create Enhanced Session Assurance endpoints.

In the Global options, select Create Session Assurance Endpoints.

Page 70

Enhanced Session Assurance With DeviceDNA: Create Enhanced Session Assurance endpoints.

Page 71

Enhanced Session Assurance With DeviceDNA: Add endpoints to realms or applications.

To protect resources in realms, add the session assurance endpoint.

Page 72

Enhanced Session Assurance With DeviceDNA: Enable Enhanced Session Assurance on partnerships.

Available on the following partnerships:

– The IdP side of an SP to IdP partnership

– The Producer side of a Consumer to Producer partnership

– The AP side of an RP to AP partnership

Page 73

Lab 4: Session Assurance

IN THIS LAB YOU WILL:

Enable Enhanced Session Assurance with DeviceDNA

Page 74

For More Information

To learn more about Security, please visit: http://bit.ly/10WHYDm


Page 75

For Informational Purposes Only

© 2014 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

This presentation provided at CA World 2014 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.

Terms of this Presentation