DOCSLIB.ORG

Fortiauthenticator Administration Guide Contains the Following Sections

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Fortiauthenticator Administration Guide Contains the Following Sections FortiAuthenticator - Administration Guide Version 6.2.0 FORTINET DOCUMENT LIBRARY https://docs.fortinet.com FORTINET VIDEO GUIDE https://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com FORTINET TRAINING & CERTIFICATION PROGRAM https://www.fortinet.com/support-and-training/training.html NSE INSTITUTE https://training.fortinet.com FORTIGUARD CENTER https://fortiguard.com/ END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf FEEDBACK Email: [email protected] January 15, 2021 FortiAuthenticator 6.2.0 Administration Guide 23-620-657445-20210115 TABLE OF CONTENTS Change Log 9 What's new in FortiAuthenticator 10 FortiAuthenticator 6.2.0 10 REST API enhancements 10 TACACS+ support 10 SAML IdP Proxy: 0365 Azure/ADFS hybrid support 10 Get Windows AD nested groups during SAML IdP configuration 10 REST API key visibility for Admin users 11 RADSEC support 11 SCEP enrollment requests search 11 LDAP group filter support for remote RADIUS realms 11 Sync certificate bindings to load balancers 11 Show Password toggle included in replacement messages 11 Legacy Self-service Portal disabled by default 12 Additional SCEP CRL/OCSP enrollment options 12 Revoked/expired user certificates hidden by default 12 Richer logs for self-registered users 12 Usernames included in FTM activation messages 12 FTC: Sync email and mobile number 13 SNMP trap for RAID status changes 13 Administrator password required before changes can be made to administrator accounts 13 FortiAuthenticator Windows Agent: SMS/email 2FA support 13 Introduction 14 Before you begin 15 How this guide is organized 16 Registering your Fortinet product 16 Setup 17 Initial setup 17 FortiAuthenticator-VM setup on VMware 17 Administrative access 18 Adding FortiAuthenticator to your network 20 Maintenance 21 Backing up the configuration 21 Upgrading the firmware 21 Licensing 22 Swapping hard disks 22 Platform migration 23 CLI commands 23 Troubleshooting 26 FortiAuthenticator settings 26 FortiGate settings 27 System 28 Dashboard 28 FortiAuthenticator 6.2.0 Administration Guide 3 Fortinet Technologies Inc. Customizing the dashboard 29 System information widget 30 System resources widget 33 Authentication activity widget 33 User inventory widget 34 34 License information widget 34 Disk monitor widget 34 34 Top user lockouts widget 34 User lookup 35 Power supply monitor widget 36 Network 36 Interfaces 36 DNS 38 Static routing 39 Packet capture 40 Administration 40 System access 41 High availability 42 Firmware upgrade 47 Configuring auto-backup 48 SNMP 48 Features 52 Licensing 52 FortiGuard 53 FortiNACs 54 FTP servers 55 Admin profiles 56 NetHSMs 56 Replacement messages 57 Messaging 59 SMTP servers 59 Email services 61 SMS gateways 62 Authentication 65 What to configure 65 Password-based authentication 66 Two-factor authentication 66 Two-factor token and password concatenation 67 Authentication servers 67 Authentication methods 67 Machine authentication 68 User account policies 68 General 68 PCI DSS 3.2 two-factor authentication 69 Lockouts 70 Passwords 70 FortiAuthenticator 6.2.0 Administration Guide 4 Fortinet Technologies Inc. Custom user fields 72 Tokens 72 User management 75 Administrators 75 Local users 76 Remote users 85 Remote user sync rules 89 Guest users 91 User groups 93 Usage profile 94 Organizations 95 Realms 95 FortiTokens 96 MAC devices 97 RADIUS attributes 98 FortiToken physical device and FortiToken Mobile 99 FortiAuthenticator and FortiTokens 99 Monitoring FortiTokens 101 FortiToken device maintenance 101 FortiToken Mobile licenses 101 Portals 101 Portals 102 Policies 104 Access points 110 FortiWLC Pinholes 110 Replacement messages 110 Smart Connect profiles 111 Remote authentication servers 114 General 114 LDAP 115 RADIUS 120 OAUTH 120 SAML 121 RADIUS service 124 Clients 124 Policies 125 Certificates 129 Services 129 Custom dictionaries 130 TACACS+ service 131 Creating policies 131 Adding clients 134 Creating authorization rules 134 Assigning authorization rules 137 LDAP service 138 General 139 Directory tree overview 139 Creating the directory tree 140 FortiAuthenticator 6.2.0 Administration Guide 5 Fortinet Technologies Inc. Configuring a FortiGate unit for FortiAuthenticator LDAP 143 OAuth Service 144 Settings 144 Applications 144 SAML IdP 145 General 146 Replacement messages 147 Service providers 147 FortiAuthenticator agents 151 FortiAuthenticator Agent for Microsoft Windows 151 FortiAuthenticator Agent for Outlook Web Access 154 Legacy self-service portal 154 General 154 Access control 155 Self-registration 155 Token self-provisioning 158 Device self-enrollment 160 Port-based network access control 162 Extensible Authentication Protocol 162 FortiAuthenticator and EAP 163 FortiAuthenticator unit configuration 163 Configuring certificates for EAP 163 Configuring switches and wireless controllers to use 802.1X authentication 163 Non-compliant devices 164 Fortinet Single Sign-On 166 Domain controller polling 166 Windows management instrumentation polling 166 General settings 167 Configuring FortiGate units for FSSO 172 Portal services 172 Kerberos 174 SAML authentication 175 Windows event log sources 176 RADIUS accounting sources 177 Syslog sources 179 Syslog sources 179 Matching rules 180 Predefined rules 180 Fine-grained controls 182 SSO users and groups 183 Domain groupings 185 FortiGate filtering 186 IP filtering rules 187 Tiered architecture 188 FortiClient SSO Mobility Agent 189 Fake client protection 190 FortiAuthenticator 6.2.0 Administration Guide 6 Fortinet Technologies Inc. RADIUS Single Sign-On 191 RADIUS accounting proxy 191 General 191 Rule sets 192 Sources 194 Destinations 195 Monitoring 196 SSO 196 Domains 196 SSO sessions 196 Windows event log sources 197 FortiGates 197 DC/TS agents 197 NTLM statistics 198 Authentication 198 Locked-out users 198 RADIUS sessions 198 Windows AD 199 Windows device logins 199 Learned RADIUS users 199 Certificate management 200 Policies 200 Certificate expiry 200 End entities 201 Certificate authorities 210 Local CAs 210 Certificate revocations lists 216 Trusted CAs 218 SCEP 218 218 General 218 Enrollment requests 219 Logging 225 Log access 225 Log configuration 227 Log settings 227 Syslog servers 229 Audit reports 230 Users audit 230 Troubleshooting 232 Troubleshooting 232 Debug logs 233 RADIUS debugging 234 TCP stack hardening 235 LDAP filter syntax 236 Examples 236 FortiAuthenticator 6.2.0 Administration Guide 7 Fortinet Technologies Inc. Caveats 237 FortiAuthenticator 6.2.0 Administration Guide 8 Fortinet Technologies Inc. Change Log Date Change Description 2020-09-16 Initial release. 2020-09-23 Added new information: l Local user account password storage l Authentication methods l Two-factor authentication token and password concatenation 2020-10-01 Added Power supply monitor widget on page 36. 2020-10-14 Added new information to Licensing on page 52. Added FortiToken Mobile licenses on page 101. 2020-11-23 Added information about Windows AD domain authentication to Policies on page 125. 2020-11-25 Added information about the rfc822MailMember LDAP attribute to Local users on page 76 and LDAP service on page 138. 2020-11-26 Added information about supported authentication types to Adding clients on page 134 2020-12-15 Added Platform migration on page 23. 2021-01-05 Updated HOTP cache size information in Tokens on page 72. 2021-01-15 Updated information about matching rules in Syslog sources on page 179. FortiAuthenticator 6.2.0 Administration Guide 9 Fortinet Technologies Inc. What's new in FortiAuthenticator What's new in FortiAuthenticator This section provides a summary of the new features and enhancements in FortiAuthenticator: l FortiAuthenticator 6.2.0 on page 10 Always review the FortiAuthenticator Release Notes prior to upgrading your device. FortiAuthenticator 6.2.0 The following list contains new and expanded features added in FortiAuthenticator 6.2.0. REST API enhancements The following enhancements have been added for the FortiAuthenticator REST API: l Filtering for user certificates. l Configurable character delimiter for FSSO group membership. TACACS+ support FortiAuthenticator now includes TACACS+ authentication capabilities. TACACS+ settings can be configured in Authentication > TACACS+ Service. Before FortiAuthenticator can accept TACACS+ authentication requests from a client, the device must be registered on FortiAuthenticator, and it must be assigned to a policy. TACACS+ authorization can be specified by creating authorization rules that can be applied to users and user groups in FortiAuthenticator. See TACACS+ service on page 131. SAML IdP Proxy: 0365 Azure/ADFS hybrid support SAML IdP proxy O365 Azure/ADFS hybrid support added. Get Windows AD nested groups during SAML IdP configuration A new configuration option to Get nested groups for user is available during IdP configuration. Enabling this feature allows the IdP to perform nested group lookup for Windows AD. See SAML IdP on page 145. See General on page 146 FortiAuthenticator 6.2.0 Administration Guide 10 Fortinet Technologies Inc. What's new in FortiAuthenticator REST API key visibility for Admin users After enabling Web service access on a local admin account and saving changes, the User API Access Key window is displayed where you can view, copy, and/or email the REST API key. Web service access can be enabled for admin users in Authentication > User Management > Local Users. See Local users on page 76. RADSEC support RADSEC is now supported for RADIUS authentication
Load more

Recommended publications
  • Raw Slides (Pdf)
    2550 Intro to cybersecurity L5: Distributed Authentication abhi shelat/Ran Cohen Agenda • The problem of distributed authentication • The Needham-Schroeder protocol • Kerberos protocol • Oauth So far: authenticating to a server Mallory Alice Bob Gen pw pw Authenticating to an organization Mallory Alice Gen pw pw Authenticating to an organization Mallory Alice Gen pw pw Distributed authentication • Organizations have many entities (users/services) • Secure communication over insecure channels • Password-based authentication • Passwords are never transmitted (except for the setup phase) • Enable mutual authentication Basic tool: symmetric encryption Alice Bob 푚 푚 Eve Basic tool: symmetric encryption • Gen: generates secret key 푘 • Enc: given 푘 and 푚 output a ciphertext 푐 Denote 퐸푛푐푘 푚 , 퐸푘 푚 , 푚 푘 • Dec: given 푘 and 푐 output a message 푚 • Security (informal): Whatever Eve can learn on 푚 given 푐 can be learned without 푐 • Examples: – DES (Data Encryption Standard) – AES (Advanced Encryption Standard) 푚 Authentication from Encryption • Alice and Bob share a key • They communicate over an insecure channel • Alice wants to prove her identity to Bob • Eve’s goal: impersonate Alice Alice Bob 푘퐴퐵 푘퐴퐵 Eve Attempt #1 Alice Bob I am Alice 푘퐴퐵 푘퐴퐵 I am Alice Eve Attempt #2: use the key Alice Bob I am Alice 푘퐴퐵 푘퐴퐵 푘퐴퐵 I am Alice 푘퐴퐵 Replay attack Eve Attempt #3: use nonce Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 − 1 푘퐴퐵 푘퐴퐵 푘퐴퐵 푘퐴퐵 Nonce: a random number for a one-time use Eve Attempt #3: use nonce Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 −
    [Show full text]
  • The Essential Oauth Primer: Understanding Oauth for Securing Cloud Apis
    THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS WHITE PAPER TABLE OF CONTENTS 03 EXECUTIVE OVERVIEW 03 MOTIVATING USE CASE: TRIPIT 05 TERMINOLOGY 06 INTRODUCTION 07 THE OAUTH 2.0 MODEL 07 OAUTH 2.0 OVERVIEW USING A TOKEN TOKEN TYPE 09 RELATIONSHIP TO OTHER STANDARDS 11 USE CASES TRIPIT REVISITED TOKEN EXCHANGE MOBILE WORKFORCE 13 RECENT DEVELOPMENT 14 SUMMARY 2 WHITE PAPER ESSENTIAL OAUTH PRIMER EXECUTIVE OVERVIEW A key technical underpinning of the cloud and the Internet of Things are Application Programming Interfaces (APIs). APIs provide consistent methods for outside entities such as web services, clients and desktop applications to interface with services in the cloud. More and more, cloud data will move through APIs, but the security and scalability of APIs are currently threatened by a problem call the password anti-pattern. This is the need for API clients to collect and replay the password for a user at an API in order to access information on behalf of that user via that API. OAuth 2.0 defeats the password anti-pattern, creating a consistent, flexible identity and policy architecture for web applications, web services, devices and desktop clients attempting to communicate with cloud APIs. MOTIVATING USE CASE: TRIPIT Like many applications today, TripIt (http://tripit.com) is a cloud-based service. It’s a travel planning application that allows its users to track things like flights, car rentals, and hotel stays. Users email their travel itineraries to TripIt, which then builds a coordinated view of the users’ upcoming trips (as well as those of their TripIt friends—the inevitable social aspect).
    [Show full text]
  • OK: Oauth 2.0 Interface for the Kerberos V5 Authentication Protocol
    OK: OAuth 2.0 interface for the Kerberos V5 Authentication Protocol James Max Kanter Bennett Cyphers Bruno Faviero John Peebles [email protected] [email protected] [email protected] [email protected] 1. Problem Kerberos is a powerful, convenient framework for user authentication and authorization. Within MIT, Kerberos is used with many online institute services to verify users as part of Project Athena. However, it can be difficult for developers unfamiliar with Kerberos development to take advantage of its resources for use in third-party apps. OAuth 2.0 is an open source protocol used across the web for secure delegated access to resources on a server. Designed to be developer-friendly, OAuth is the de facto standard for authenticating users across sites, and is used by services including Google, Facebook, and Twitter. Our goal with OK Server is to provide an easy way for developers to access third-party services using Kerberos via OAuth. The benefits of this are twofold: developers can rely on an external service for user identification and verification, and users only have to trust a single centralized server with their credentials. Additionally, developers can request access to a subset of Kerberos services on behalf of a user. 2. Implementation overview Our system is composed of two main components: a server (the Kerberos client) to retrieve and process tickets from the MIT KDC, and an OAuth interface (the OAuth server) to interact with a client app (the app) wishing to make use of Kerberos authentication. When using our system, a client application uses the OAuth protocol to get Kerberos service tickets for a particular user.
    [Show full text]
  • Authentication, Authorization and Accounting (AAA) Protocols
    Authentication, Authorization and Accounting (AAA) Protocols Agententechnologien in der Telekommunikation Sommersemester 2009 Babak Shafieian [email protected] A O T Agententechnologien in betrieblichen Anwendungen 10.06.2009 und der Telekommunikation Overview A O T Agententechnologien in der Telekommunikation - 2 TU Berlin Motivation (Why AAA?) Ö Telecommunications services are a global market worth over US$ 1.5 trillion in revenue. Home Entertainment Voice over IP (VoIP) Multimedia Conference Messaging/ Presence A O T Agententechnologien in der Telekommunikation - 3 TU Berlin Authentication (Who is [email protected]) Ö Authentication is the process of verifying user’s identity using credentials like username, password or certificates. Ö After the successful match of user’s authentication credentials with the credentials stored in the database of the service provider, the user is granted access to the network, otherwise the access is denied. A O T Agententechnologien in der Telekommunikation - 4 TU Berlin Authorization Ö Is the process of enforcing policies. It determines what types or qualities of network resources or specific services the user is permitted. Ö By using the access policy defined for a specific user, the service provider grants or rejects the access requests from the user. Ö Access policy could be applied on a per user or group basis. A O T Agententechnologien in der Telekommunikation - 5 TU Berlin Accounting Ö Is the process of keeping track of what the user is doing. Ö It includes: Amount of the time spent in the network (duration of session) Number of packets(or bytes) transmitted during a session. The accessed services during a session.
    [Show full text]
  • Vmware Workspace ONE Access 20.01 Managing User Authentication Methods in Vmware Workspace ONE Access
    Managing User Authentication Methods in VMware Workspace ONE Access JAN 2020 VMware Workspace ONE Access 20.01 Managing User Authentication Methods in VMware Workspace ONE Access You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com © Copyright 2020 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 2 Contents 1 Configuring Authentication in VMware Workspace ONE Access 5 2 User Auth Service Authentication Methods in Workspace ONE Access 8 Configuring Password (Cloud) Authentication in Workspace ONE Access 9 Configure Password (Cloud) Authentication with Your Enterprise Directory 10 Configuring RSA SecurID (Cloud) For Workspace ONE Access 13 Prepare the RSA SecurID Server 13 Configure RSA SecurID Authentication in Workspace ONE Access 14 Configuring RADIUS for Workspace ONE Access 16 Prepare the RADIUS Server 16 Configure RADIUS Authentication in Workspace ONE Access 16 Enable User Auth Service Debug Logs In Workspace ONE Access Connector 19 3 Configuring Kerberos Authentication In Workspace ONE Access 21 Configure and Enable Kerberos Authentication in Workspace ONE Access 21 Configuring your Browser for Kerberos 23 Configure Internet Explorer to Access the Web Interface 23 Configure Firefox to Access the Web Interface 24 Configure the Chrome Browser to Access the Web Interface 25 Kerberos Initialization Error in Workspace ONE Access 26 4 Associate Workspace ONE Access Authentication Methods
    [Show full text]
  • Nist Sp 800-77 Rev. 1 Guide to Ipsec Vpns
    NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel Karen Scarfone Paul Wouters This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 C O M P U T E R S E C U R I T Y NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel* Computer Security Division Information Technology Laboratory Karen Scarfone Scarfone Cybersecurity Clifton, VA Paul Wouters Red Hat Toronto, ON, Canada *Former employee; all work for this publication was done while at NIST This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 June 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority.
    [Show full text]
  • Operations T. Dahm Internet-Draft A. Ota Intended Status: Informational Google Inc Expires: July 30, 2020 D
    Operations T. Dahm Internet-Draft A. Ota Intended status: Informational Google Inc Expires: July 30, 2020 D. Medway Gash Cisco Systems, Inc. D. Carrel vIPtela, Inc. L. Grant January 27, 2020 The TACACS+ Protocol draft-ietf-opsawg-tacacs-17 Abstract This document describes the Terminal Access Controller Access-Control System Plus (TACACS+) protocol which is widely deployed today to provide Device Administration for routers, network access servers and other networked computing devices via one or more centralized servers. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 30, 2020. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents Dahm, et al. Expires July 30, 2020 [Page 1] Internet-Draft The TACACS+ Protocol January 2020 carefully, as they describe your rights and restrictions with respect to this document.
    [Show full text]
  • Cisco Products Quick Reference Guide December 2004
    Cisco SYSTEMS pII Cisco Product Quick Reference Guide December 2004 Table of Contents Introduction Routing Switching Wireless LAN Voice and IP Communications VPN and Security Content Networking Broadband and Dial Access Optical Networking lOS Software and Network Management 10 Storage Networking Cicro SYsTEr Cisco Products Quick Reference Guide December 2004 Corporate Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 951 34-1706 USA http//wvvw.cisco.com Tel 408 526-4000 800 553-NETS 6387 Customer Order Number 78-5983-13 Text Part Number 78-5983-13 Gisco Products Quick Reference Guide Copyright 2005 Cisco Systems Inc All rights reserved Gener Discbimer Although Cisco has attempted to provide accurate information in this Guide Cisco assumes no responsibility for the accuracy of the information Cisco may change the programs or products mentioned at any time without prior notice Mention of non-Cisco products or services is for information purposes only and constitutes neither an endorsement nor recommendation of such products or services or of any company that develops or sells such products or services ALL INFORMATION PROVIDED ON THIS WEB SITE IS PROVIDED AS IS WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR PARTICULAR PURPOSE AND NONINFRJNGEMENT OR ARISING FROM COURSE OF DEALING USAGE OR TRADE PRACTICE CISCO AND ITS SUPPLIERS SHALL NOT BE LIABLE FOR ANY INDIRECT
    [Show full text]
  • Cloudvision As-A-Service (Cvaas) Quick Start Guide
    CloudVision as-a-Service (CVaaS) Quick Start Guide Arista Networks www.arista.com September 2021 Headquarters Support Sales 5453 Great America Parkway +1 408 547-5502 +1 408 547-5501 Santa Clara, CA 95054 +1 866 476-0000 +1 866 497-0000 USA [email protected] [email protected] +1 408 547-5500 www.arista.com © Copyright 2021 Arista Networks, Inc. All rights reserved. The information contained herein is subject to change without notice. The trademarks, logos and service marks ("Marks") displayed in this documentation are the property of Arista Networks in the United States and other countries. Use of the Marks are subject to Arista Network’s Term of Use Policy, available at www.arista.com/en/terms-of-use. Use of marks belonging to other parties is for informational purposes only. ii Contents Contents 1 CloudVision as-a-Service....................................................................1 1.1 Onboarding at a Glance.........................................................................................................1 1.2 User Onboarding Prerequisites.............................................................................................. 3 1.2.1 Invitation URL........................................................................................................... 3 1.2.2 Authentication Details............................................................................................... 3 1.3 User Onboarding Workflow.................................................................................................... 4 1.3.1
    [Show full text]
  • Single Sign-On the Way It Should Be
    Single sign-on the way it should be 6 ways Citrix Workspace delivers seamless access to all apps while improving security and the user experience Contents Single sign-on (SSO) solutions .......................................................................3 Secure access to everything ...........................................................................5 Granular controls for SaaS apps and the web ...........................................6 Control over your user identity ......................................................................7 Security beyond user names and passwords ............................................8 Seamless integration with your existing environment ..........................9 Resolving issues faster with end-to-end visibility ............................... 10 ↑ Back← Pg. to 2 contents | Pg. 4 → Citrix.com 2 Single sign-on (SSO) solutions were designed to make life easier for employees and IT. They’re meant to reduce the cost of management and provide better security, all while delivering an improved user experience. However, many solutions fall short, covering only one type or a subset of application types. This forces you to implement several access solutions from different vendors to cover your entire application landscape — negating the productivity and user experience benefits you hoped for. The complexity this type of implementation creates also runs counter to the Zero Trust initiatives that many organizations are undertaking Citrix Workspace helps you unify all apps and data across your distributed IT architecture to provide single sign-on to all the applications and data people need to be productive. Working with your existing infrastructure, Citrix Access Control consolidates multiple remote access solutions, like traditional VPNs or SSO solutions, simplifying management for IT and providing unified access for employees. ↑ Back to contents ← Pg. 2 | Pg. 4 → 3 Citrix.com | e-book | Choosing a Single Sign-On Solution ↓ 6 benefits of the Citrix Workspace SSO solution ↑ ← Pg.
    [Show full text]
  • Securing Digital Identities in the Cloud by Selecting an Apposite Federated Identity Management from SAML, Oauth and Openid Connect
    Securing Digital Identities in the Cloud by Selecting an Apposite Federated Identity Management from SAML, OAuth and OpenID Connect Nitin Naik and Paul Jenkins Defence School of Communications and Information Systems Ministry of Defence, United Kingdom Email: [email protected] and [email protected] Abstract—Access to computer systems and the information this sensitive data over insecure channels poses a significant held on them, be it commercially or personally sensitive, is security and privacy risk. This risk can be mitigated by using naturally, strictly controlled by both legal and technical security the Federated Identity Management (FIdM) standard adopted measures. One such method is digital identity, which is used to authenticate and authorize users to provide access to IT in the cloud environment. Federated identity links and employs infrastructure to perform official, financial or sensitive operations users’ digital identities across several identity management within organisations. However, transmitting and sharing this systems [1], [2]. FIdM defines a unified set of policies and sensitive information with other organisations over insecure procedures allowing identity management information to be channels always poses a significant security and privacy risk. An transportable from one security domain to another [3], [4]. example of an effective solution to this problem is the Federated Identity Management (FIdM) standard adopted in the cloud Thus, a user accessing data/resources on one secure system environment. The FIdM standard is used to authenticate and could then access data/resources from another secure system authorize users across multiple organisations to obtain access without both systems needing individual identities for the to their networks and resources without transmitting sensitive single user.
    [Show full text]
  • Operations T. Dahm Internet-Draft A. Ota Intended Status: Informational Google Inc Expires: January 9, 2017 D
    Operations T. Dahm Internet-Draft A. Ota Intended status: Informational Google Inc Expires: January 9, 2017 D. Medway Gash Cisco Systems, Inc. D. Carrel vIPtela, Inc. L. Grant July 8, 2016 The TACACS+ Protocol draft-ietf-opsawg-tacacs-04 Abstract TACACS+ provides Device Administration for routers, network access servers and other networked computing devices via one or more centralized servers. This document describes the protocol that is used by TACACS+. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 9, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect Dahm, et al. Expires January 9, 2017 [Page 1] Internet-Draft The TACACS+ Protocol July 2016 to this document.
    [Show full text]