Any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this Presentation is strictly prohibited without explicit written approval from PistolStar, Inc.
Authentication Technologies for the Enterprise
Presented by: Rob Axelrod, Technotics, Inc.
“Best Practices: Authentication Technologies That Address Usability, Security, Auditing and Compliance”
Who is Technotics?
Technotics can help to reduce the demands made on corporate information technology systems by delivering world-class architecture and solutions support. They provide professional services for all aspects of collaboration and messaging infrastructure in the enterprise.
Who is PistolStar?
PistolStar specializes in authentication technologies, providing software products that address organizations’ requirements for enhanced usability, security, auditing and compliance. Our solutions simplify application logons while providing IT staff with functionality to safeguard access, alert on login threats, reduce password management and provide strong controls for regulatory compliance.
Why do these two companies work together?
Enhanced authentication solutions are often at the top of Technotics customers’ wish lists. The two organizations have teamed up to deliver high-value solutions to our mutual customers.
What will be covered today?
This seminar addresses usability, security, and compliance in a real-world business context in the form of case studies.
Solution: Store the user’s Notes ID in a (Domino) LDAP server and pull the ID out of that store during client setup. Use PistolStar’s SSO feature and keep a "stealth"/recovery copy of the user’s Notes ID, so that if the user no longer has his/her password, the ID can be restored automatically without the user being aware of it.
The organization already had a large investment in multi-factor authentication using smart cards to authenticate to Active Directory. This allowed PistolStar to leverage that infrastructure to provide password-free strong authentication to the Notes client.
– Kerberos authentication with the OS at logon
– Notes ID present on the workstation with a 62-character generated unique password unknown to the user
– PistolStar utilizes the Kerberos connection to access AD attributes to establish identity and unlock the local ID
Leveraging the Eclipse framework, PistolStar provisions an authentication plug-in into the Sametime client. The plug-in uses the Kerberos ticket to negotiate with the custom authentication interface on the Sametime server.
– Provides password-free authentication with Sametime
Utilizing PistolStar’s DSAPI filter, HTTP requests for authentication are negotiated with the browser client to use the Kerberos protocol.
The customer’s Sametime environment has approximately 75,000 users.
The project is to tie the Sametime login to the user’s AD account, fully automating the login process and eliminating all prompts by letting the user log in with their smart card. The directory that Sametime authenticates against is a pass-through authentication via a Tivoli LDAP server to a universal directory that contains records for all user accounts.
The challenge will be that there is no single definitive AD tree in the organization, but rather a plethora of different ones. The goal is to have all logins (web and other programs) tied to the smart card.
– The Notes authentication event is intercepted by the PistolStar extension and the credentials are redirected to a Domino web agent for authentication against the HTTP password.
– Each attempt (successful or failed) is logged on the server in a Notes database.
– Once a user has been successfully authenticated, encrypted attributes are pulled back from the Domino server via HTTP.
– The Notes ID is then unlocked using these encrypted attributes. Subsequent to this, the user never needs to interact directly with the Notes ID file (in fact they can’t interact with it even if they want to).
Use a Perl approach for creating our SSO cookies. It would require only slight changes on your Apache server and would be a browser-independent solution for SSO to Domino after authenticating to Apache. The process will be completely transparent to end users, and they will not need to install any client-side software.
– Apache is the primary interface for authentication.
– Authentication occurs against an LDAP server.
– If required, the PistolStar Perl script will generate a PistolStar SSO token, which is then encrypted and passed to the user as a session cookie.
– Any subsequent requests by that user to a Domino server carry the PistolStar cookie/token, which is interpreted by the PistolStar DSAPI filter.
Assumptions:
– The Apache server and all customer-facing Domino servers are part of the "qad.com" domain and are referenced as such in the browser
– The Apache server is running on Linux on x86 hardware
– Client browsers must have cookies enabled
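The issue-then-validate flow above, as an added example that is not PistolStar’s Perl script or token format: after Apache has authenticated the user, a token naming the user and an expiry is issued and set as a session cookie scoped to the shared parent domain; the Domino-side check accepts it only if it is intact and unexpired. The page’s token is encrypted; this example substitutes an HMAC-signed token so the validation step is visible, and the key, cookie name and expiry are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption (constructed for this example): one key shared by the Apache-side
# issuer and the Domino-side validator; real deployments load it from config.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username, ttl_seconds=900, now=None):
    """Run only after Apache has authenticated the user against LDAP.
    The payload says who and until when; the MAC binds both to the key."""
    issued = int(now if now is not None else time.time())
    claims = {"user": username, "exp": issued + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"

def verify_token(token, now=None):
    """Domino-side check: the user name if the MAC is valid and the token is
    unexpired, else None (the filter then falls back to a normal logon)."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, TypeError, AttributeError):
        return None  # malformed cookie: treat exactly like no cookie
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare
        return None  # forged or tampered payload
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if current >= claims["exp"]:
        return None  # expired: force re-authentication at Apache
    return claims["user"]

def set_cookie_header(token, domain="qad.com"):
    """Session cookie (no Expires) scoped to the shared parent domain, so the
    Apache host and every Domino host under it receive it; Secure/HttpOnly
    keep it off plain HTTP and away from page scripts."""
    return f"Set-Cookie: PSTOKEN={token}; Domain={domain}; Path=/; Secure; HttpOnly"
```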
In addition to the Apache and Domino SSO requirements, the customer had also implemented a wiki (Daisy) for which they required single sign-on.
Solution Description:
Using the existing token generated by the initial logon and script, a modification was made to the Daisy logon form to detect the presence of the token.
If the token was present, a Perl script would be called to decrypt the credentials, populate the login fields and submit the form.
Business Processes
Tailoring solutions using PistolStar’s existing framework
PistolStar’s software suite is a tried-and-tested framework that will deliver the most effective security and compliance solutions for your particular organization. With an extensive set of technical capabilities across a wide range of platforms, PistolStar security experts enable you to build a comprehensive security and compliance infrastructure that is tailored to your authentication requirements and your particular environment.
Diagram labels: Enterprise-ready; Define; Framework; Solution delivery