roopurewal

Apr 05, 2018

PawanpreetSingh
  • 7/31/2019 roopurewal

    1/42

    SINGLE SIGN ON

    SAI INSTITUTE OF ENGG. AND TECHNOLOGY(MANAWALA) 1

    Objective

    The objective of single sign-on (SSO) is to enable a user to authenticate only once. Enabling this requires an integration framework that allows single sign-on authentication throughout all systems and applications as well as to clients, partners, and outside services. The challenge is a multitude of SSO vendor products, discrepancies in partners' security standards, and the administration of Identity Management across client and business partner systems.

    SSO is not a new concept. In fact, companies have been dealing with this concept for years. I can recall developing an IMS transaction to handle authentication, access control and application data access across many IMS applications. Most developers at one time or another have designed and built an application profile database and the SSO-like code to eliminate the duplicate logon for end users. Industry statistics show that users have, on average, five different logons they use on a regular basis. Therefore, integrating SSO components to eliminate the need for multiple logons will simplify the end user experience. This results in increased usage, which in turn increases revenue and retains customers, clients, and business partners.


    Single Sign-On

    We will go through a brief introduction to single sign-on (hereafter also referred to as SSO in this document). SSO can be defined as a user experience of logging in just once and being able to navigate across many applications seamlessly without a need to enter credentials for each application. It is very common for organizations to have many applications running to take care of different business functions. SSO makes it easy for users to log in once and access all the applications they are entitled to, reducing the need to remember a plethora of logins and passwords. The following is a brief description of a few important concepts of SSO.

    Authentication

    The process of verifying the user's identity, making sure that the user is who he claims to be. This can be based on a login and password combination, a smart card, biometrics, etc.

    Authorization

    The process of verifying whether a user is privileged to access a particular resource.

    Credentials

    Credentials are the details provided by a user during the process of authentication into an application. They can be a login and password, a fingerprint, a smart card, etc.

    Domain

    A domain is a logical group in an organization with a unique name that is part of the host names used on the intranet/Internet. For example, mycompany.com is the domain name in myhost.mycompany.com, whereas mycompanystore.com is the domain name in www.mycompanystore.com. While mycompany.com is a parent domain, it.mycompany.com is a subdomain reserved for the IT department in the organization.

    Protected Resource

    A resource to which access is not open to everyone. A user needs to go through authentication and authorization before accessing a protected resource. It can be a URL on the Internet or intranet, a client to an application, a folder on a server, etc.


    Benefits

    • Reduces phishing success, because users are not trained to enter password everywhere without thinking.
    • Reducing password fatigue from different user name and password combinations.
    • Reducing time spent re-entering passwords for the same identity.
    • Can support conventional authentication such as Windows credentials (i.e., username/password).
    • Reducing IT costs due to lower number of IT help desk calls about passwords.
    • Security on all levels of entry/exit/access to systems without the inconvenience of re-prompting users.
    • Centralized reporting for compliance adherence.


    Methodology for project development

    • Firstly, you have to understand the basics of cloud computing.
    • Understanding the Linux OS.
    • Understanding various terms like SSO, e-mail server, LDAP, etc.
    • Learning how to configure an e-mail server.
    • How to do synchronization between servers.
    • Creating databases.
    • Understanding the SVN server.
    • Learning how to work on the cloud.
    • Planning of your work.
    • And at last, how to integrate all the things together.


    Technology used

    • E-mail Server (Postfix, FTP, Dovecot, SquirrelMail)
    • SVN Server
    • LDAP: Lightweight Directory Access Protocol (User Database)
    • Apache (Web Server)
    • Virtual hosting


    Web Server(Apache)

    A Web server is a program that, using the client/server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), serves the files that form Web pages to Web users (whose computers contain HTTP clients that forward their requests). Every computer on the Internet that contains a Web site must have a Web server program. Two leading Web servers are Apache, the most widely installed Web server, and Microsoft's Internet Information Server (IIS). Other Web servers include Novell's Web Server for users of its NetWare operating system and IBM's family of Lotus Domino servers, primarily for IBM's OS/390 and AS/400 customers. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Some common language interfaces support Perl, Python, Tcl, and PHP.

    HTTP Protocol: HTTP stands for Hypertext Transfer Protocol. This is the protocol used to send and receive information from the server. It is the protocol that the Apache Web server understands, and it is what Apache uses to send information back to the client machine. In more technical terms, the client machine (in this case the browser) sends an HTTP request to the server, and the server responds with an HTTP response. This is the general back and forth between the server and the browser. Apache is made to handle all of these requests.


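    How to configure the web server:

    ServerAdmin root@LocalHost
    DocumentRoot /var/www/html
    ServerName www.google.com
    # Relative log file names are resolved against ServerRoot
    ErrorLog roop
    # CustomLog needs a format after the file name; "common" is assumed here
    CustomLog deep common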


    Virtual hosting

    Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers). This allows one server to share its resources, such as memory and processor cycles, without requiring all services provided to use the same host name. The term virtual hosting is usually used in reference to web servers but the principles carry over to other internet services.

    One widely used application is shared web hosting. Shared web hosting prices are lower than a dedicated web server because many customers can be hosted on a single server. It is also very common for a single entity to want to use multiple names on the same machine so that the names can reflect services offered rather than where those services happen to be hosted.

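    # Name-based virtual hosts. The <VirtualHost> containers and the *:80
    # address are assumed (they are missing from this copy of the report).
    # Apache 2.2 also needs "NameVirtualHost *:80" before the containers.
    <VirtualHost *:80>
        ServerAdmin root@LocalHost
        DocumentRoot /var/www/html
        ServerName www.google.com
        # ErrorLog / CustomLog: log file names are not given in the source
    </VirtualHost>

    <VirtualHost *:80>
        ServerAdmin root@LocalHost
        DocumentRoot /var/www/html/yahoo
        ServerName www.yahoo.com
        # ErrorLog / CustomLog: log file names are not given in the source
    </VirtualHost>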


    Email server

    A mail server usually consists of a storage area where e-mail is stored for local users, a set of user-definable rules which determine how the mail server should react to the destination of a specific message, a database of user accounts that the mail server recognizes and will deal with locally, and communications modules, which are the components that actually handle the transfer of messages to and from other mail servers and email clients. Generally the person(s) responsible for the maintenance of the e-mail server (editing users, monitoring system activity) are referred to as the postmaster. Most mail servers are designed to operate without any manual intervention during normal operation.

    • Postfix mail server (SMTP mail server): used for sending mail.
    • FTP (File Transfer Protocol): used for transferring files.
    • SquirrelMail (web browser interface): used to check and send mail.
    • Dovecot (POP3/IMAP server): used to receive email.


    SquirrelMail (web browser interface), used to check and send mail:


    SVN server

    SVN is short for Subversion. Subversion manages files and directories, and the changes made to them, over time. This allows you to recover older versions of your data or examine the history of how your data changed.

    Installing SVN: yum install subversion mod_dav_svn
    Configuration file: vim /etc/httpd/conf.d/subversion.conf
    Creating a repository: svnadmin create repos
    Integrating with Apache: chown -R apache:apache repos
    Checking out: svn co http://servername/repos
    Editing and committing: svn commit -m "editing the file"


    LDAP (Lightweight Directory Access Protocol)

    • It is used to centralize user authentication.
    • It is basically used as the user database.
    • An LDAP server is also known as a Directory System Agent (DSA).
    • LDAP has the ability to distribute servers to where they are needed.

    Flow diagram of LDAP:


    Integrating Apache with LDAP

    To integrate Apache authentication with LDAP, follow these steps:

    Create an authentication file, e.g. .htaccess, and enter the following lines:

    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthName "myp2Repo SVN Authentication"
    AuthLDAPBindDN cn=Manager,dc=example,dc=com
    AuthLDAPBindPassword mypass
    AuthLDAPURL ldap://localhost:389/o=domains,dc=example,dc=com?mail
    Require valid-user

    Explanation:

    AuthzLDAPAuthoritative: specifies whether LDAP authentication is sufficient for authorization or the system should fall back to other modules on failure.
    AuthLDAPBindDN: the DN used to log in (bind) to LDAP.
    AuthLDAPBindPassword: the master password of the Manager account, used for that bind.
    AuthLDAPURL: the LDAP URL, ldap://localhost:389/o=domains,dc=example,dc=com?mail (the user must provide their email address for authentication).
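    A hardened form of the configuration above, applied to the mod_dav_svn repository from the SVN section, as an added example that is not part of the original report. The host ldap.example.com, the read-only account cn=svc-apache-ro, the CA file path, the repository path and the placeholder password are assumptions; the directory base and the mail attribute are the page's own.

```apache
# /etc/httpd/conf.d/subversion.conf
# Keep this in the server config (root-owned, mode 0600) rather than in a
# .htaccess file inside the web tree, so the bind password is not readable
# by anything that can read the document root.
# Assumed names: ldap.example.com, cn=svc-apache-ro, the CA file path and
# /var/www/svn/repos.

# Verify the directory server's certificate against a known CA
# (both directives are only valid in the global server context).
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.pem
LDAPVerifyServerCert On

<Location /repos>
    DAV svn
    SVNPath /var/www/svn/repos

    # Basic authentication sends the user's password, merely base64-encoded,
    # with every request. Refuse plain HTTP for this location.
    SSLRequireSSL

    AuthType Basic
    AuthBasicProvider ldap
    AuthName "myp2Repo SVN Authentication"

    # ldaps:// protects the Apache-to-directory leg; ldap:// on port 389
    # carries the user's password and the bind password in clear text.
    AuthLDAPURL "ldaps://ldap.example.com:636/o=domains,dc=example,dc=com?mail"

    # Bind as a dedicated account that can only search and read the user
    # entries. Binding as cn=Manager puts the directory's master password in
    # the web server configuration, where a leak gives full write access.
    AuthLDAPBindDN "cn=svc-apache-ro,dc=example,dc=com"
    AuthLDAPBindPassword "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"

    # Apache 2.2 directive, as used on the page; it was removed in 2.4,
    # so delete this line when running 2.4.
    AuthzLDAPAuthoritative Off

    Require valid-user
</Location>
```

    Run `apachectl configtest` after editing; mod_ssl, mod_ldap, mod_authnz_ldap and mod_dav_svn must be loaded for these directives to parse.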


    iRedMail

    iRedMail is a free, open source mail server solution for Linux/BSD that provides POP3/IMAP/SMTP, anti-spam, anti-virus and other services. It supports OpenLDAP and MySQL as backends to store the virtual domains and virtual users. It offers a web-based admin panel.

    A fully fledged, free email server solution, an open source project (GPL v2). It uses official binary packages from Linux/BSD distributions, with both i386 and x86_64 support. Easy, fast deployment in less than 1 minute. Works on Red Hat(R) Enterprise Linux, CentOS, Debian, Ubuntu, openSUSE, FreeBSD. Works on both non-virtualized and virtualized boxes, e.g. VMware, OpenVZ, Xen.

    Screenshots of installation:

    1. iRedMail supports both OpenLDAP and MySQL as backends to store virtual domains and users. OpenLDAP is recommended.


    2. Choose the directory that will be used to store users' mailboxes.


    3. LDAP suffix, normally it's your domain name, such as: dc=example,dc=com:


    4. Set the MySQL root password:


    5. Set password for LDAP server admin: cn=Manager,dc=example,dc=com


    6. Add your first virtual domain, e.g.:


    7. Set password for the virtual domain admin: [email protected]. You can log into iRedAdmin with this account:


    8. Select optional components:


    9. Select the default language for your webmail application:

    iRedAdmin panel

    iRedAdmin Open Source Edition is a web-based iRedMail admin panel. It allows you to add, remove and edit domains, users and domain admin accounts. If you need more features, please consider purchasing the Pro edition, iRedAdmin-Pro.

    You can also manage all the features of iRedAdmin-Pro with phpLDAPadmin and phpMyAdmin.


    Log into iRedAdmin: [email protected]:


    2. Here we can add user accounts, admins and domains:


    3. Creating a new mail user here:


    4. Here we see the account profile of the user:


    Roundcube webmail is one of the optional web-based email clients for everyone to use. Roundcube offers a very nice interface for accessing your emails via the web and offers some very nice features, such as:

    Released features:

    • Drag-and-drop message management
    • Full support for HTML messages
    • Sophisticated privacy protection
    • Compose messages with attachments
    • Multiple sender identities
    • Address book with groups and LDAP connectors
    • Richtext/HTML message composing
    • Forwarding messages with attachments
    • Searching messages and contacts

    Roundcube is a web-based IMAP email client written in the PHP programming language. Roundcube's most prominent feature is the pervasive use of Ajax technology to present a more fluid and responsive user interface than that of traditional webmail clients.

    Server Requirements:

    • Apache, Lighttpd, Cherokee or Hiawatha web server
    • PHP Version 5.2.1 or greater
    • MySQL, PostgreSQL, SQLite or MSSQL database
    • An IMAP server which supports IMAP4 rev1
    • An SMTP server (recommended) or PHP configured for mail delivery


    phpLDAPadmin (also known as PLA) is a web-based LDAP client. It provides easy, anywhere-accessible, multi-language administration for your LDAP server.

    Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and administer your LDAP directory. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server easily manageable from any location.

    phpLDAPadmin is the perfect LDAP browser for the LDAP professional and novice alike. Its user base consists mostly of LDAP administration professionals.

    Managing LDAP data doesn't have to be difficult. The phpLDAPadmin project provides a comprehensive Web-based admin tool for easy, accessible administration of your LDAP directory from the comfort of your Web browser.

    No matter how you approach it, LDAP is a challenge. From understanding the fundamentals that make up the system to managing the data the system uses, it can be a bit overwhelming at times. To manage the LDAP data you have a number of ways you could go. You could use the command line (Manage LDAP from the Command Line on Linux), you could use the stand-alone, very capable 389 Directory Server (see Simplify LDAP with Fedora's 389 Directory Server), or you could go a completely different route and use the web-based phpLDAPadmin.

    As you would expect, phpLDAPadmin is very much like phpMyAdmin (a very powerful, user-friendly tool for managing MySQL). But does phpLDAPadmin make managing LDAP as easy as phpMyAdmin makes managing MySQL? It does. In fact, phpLDAPadmin makes managing LDAP data so easy, just about anyone could take care of the task.

    Your first task is to actually log into the tool. When you open up the page for phpLDAPadmin you will see a login button. Click on the login button and then enter your LDAP admin credentials. Remember, your credentials will be in the form of:

    cn=manager,dc=example,dc=com

    The credentials will have been set when you initially installed and configured LDAP. Once you're in, you should see something like the screenshot below. As you can see, I have already created a few entries for you. But before we get into the creation of entries, let's examine the hierarchy that appears in the left-side navigation. At the top of the hierarchy you have the Base DN. Under this entry you have the various objects and attributes that you can add to or edit. Let's take a look at doing the following: adding a new group and then adding a user into that group.


    Log into phpLDAPAdmin: cn=manager,dc=example,dc=com


    Manage the mail account:


    Need and significance of project

    • Because users are not trained to enter passwords everywhere without thinking, SSO allows users to enter their password only once and hence increases password security.
    • Reducing time spent re-entering passwords for the same identity.
    • Can support conventional authentication such as Windows credentials (i.e., username/password).
    • Security on all levels of entry/exit/access to systems without the inconvenience of re-prompting users.
    • Centralized reporting for compliance adherence.


    Conclusion

    A well-planned and carefully deployed Single Sign-on product can be a great complement to the other security measures that are already in place in an organization. By weighing the risk factors associated with implementing each SSO product against the advantages and by keeping the expectations aligned with realistic planning, an SSO product implementation to satisfy your requirements is achievable.
