DOCSLIB.ORG

Dirx Access V8.10

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Dirx Access V8.10 Evidian DirX Access V8.10 Trusted Collaboration Identity Federation and Access Management for the Connected World Everything and everyone is always online and While users may want to have a few different Partners also need to consider security securing access to applications or devices identities to protect their privacy, creating and models for online user transactions that provided either as on- and off-premise services maintaining a one-to-one identity relationship move collection and control of identity or from the cloud has never been more im- with each online service provider is a tedious information away from online service pro- portant. chore that can lead to poor access credentials. viders and into the hands of their users and Businesses and government agencies are assign the management of this data to accelerating the formation of online partner- Building a business-agile virtual enterprise using online identity providers. ships to respond quickly to potential revenue on-premise applications and private and public opportunities, outsource non-core functions, cloud or software as service offerings involves Users of Web or cloud services often share and deliver the widest variety of services to numerous security challenges to provide end- personal and sensitive information. This is their users. to-end security. The emergence of cloud, mo- associated with an increasing risk of poten- To improve operational efficiency and respond bile and social computing has heightened the tial security and privacy issues. Once a user to user demand, they continue to put more and need for strengthened access controls to en- has submitted such information, he has more critical data and applications online for sure compliance with organization authentica- only limited ability to control access to such information sharing and self-service by con- tion and authorization policies. Partners must information. To alleviate this problem, there sumers, mobile employees, channel partners share or integrate their identity data, but they is a clear need for new approaches and and suppliers. must do it without overloading their IT admin- methods, to allow users to manage access Cloud adoption has soared as it has proved to istration or inadvertently creating security holes. to their Web resources and data. offer great economies of scale for many organi- To maximize user satisfaction, they must pro- zations by providing a lower-cost, flexible way vide for secure, seamless transactions between to use applications and services. services offered by disparate sites in different Meanwhile, people have come to expect the security domains, and these transactions must online services they use to be always-available, be completely auditable from beginning to end on-demand one-stop shopping experiences to prove regulatory compliance. To improve the accessible through a single login and providing user experience and ease the user login bur- them with the same look and feel no matter den, partners must offer single sign-on (SSO) what business they are transacting. With the capabilities to applications and services hosted recent news of massive security breaches of internally or in the cloud. They must also pro- online service databases and the rise in phish- vide rapid onboarding of new users to cloud ing, spoofing, and other fraudulent online activi- services to avoid the daunting task of manually ties, users are also beginning to worry that they and individually provisioning and managing are giving up too much of their critical identity users in each software as a service (SaaS) direc- information to too many Web sites. tory. Trusted partner for your Digital Journey Next Generation Identity Federation and Access Management with DirX Access Federation Protected These challenges are driving the design and Authentication Authorization SAML, OAuth, UMA, Systems OpenID Connect deployment of new security models for access Web management. Identity federation and secure HTTP User Entitlement Session Servers Web services are joining authentication, author- Management Management Management REST ization, audit, and Web SSO as essential capabili- XACML Application ties for protecting Web resources against unau- SOAP Servers thorized use in a flexible way. Web Policy WS Security Single Sign-On Management WS-Trust, WS-* DirX Access is a comprehensive access man- Web SSO Fine-grained policies WS-Federation agement, identity federation, and Web services SAML Services security solution protecting resources against Audit, Delegated, Integration and Other unauthorized use. DirX Access: Monitoring, Customization Role-Based Applications Provides for the consistent enforcement of Logging Administration Framework business security policies through external, centralized, policy-based authentication and Figure 1: DirX Access Functionality authorization services. Enhances Web user experience through local and federated single sign-on (SSO). Authentication Access and uses standards-based initial authen- Secures eGovernment and eBusiness initia- With DirX Access, authentication is provided as tication mechanisms such as: tives and provides seamless integration with an external, central service that supports a SSL/TLS client authentication through X.509 business and organizational partners through variety of well-known authentication methods, certificates including path validation, OCSP identity federation. such as passwords, X.509 certificates, FIDO- and CRL support Protects access to Web applications and based authentication, Integrated Windows Username/password authentication via HTTP devices with authentication and authorization Authentication, smart cards, HTML forms, one- basic or HTML form services, both on the premises and in the time-password (OTP) tokens, biometrics and call Second-channel OTP mechanism enabling cloud. back/out-of-band authentication. Administrators mobile push, SMS, and e-mail-based authenti- Supports versatile authorization scenarios can apply the method that best matches the cation via HTML form including user-managed access. security requirements of each individual appli- Standardized OTP algorithms IETF RFC 4226 Decouples security management such as cation or resource without rewriting or even (HOTP) and IETF RFC 6238 (TOTP) via HTML authentication and authorization from appli- touching the application. Decoupling authenti- form cation logic and ensures consistent, fine- cation from the application or resource allows Integrated Windows Authentication (IWA) grained entitlement management across the authentication service to scale easily – using the SPNEGO, Kerberos and NTLM au- multiple applications and services. administrators can add new authentication thentication protocols via HTTP Enables enterprises and service providers to methods without affecting the applications that W3C WebAuthentication based on FIDO2 deploy strong authentication solutions that depend on the service. including authentication with Microsoft Win- reduce reliance on passwords. Centralized authentication services also enable dows Hello Supports regulatory compliance with audit SSO. Users present their login credentials once, FIDO U2F (Universal 2nd Factor) functionality, both within and across security and are then allowed to access all applications domains. and resources within the enterprise security FIDO UAF (Universal Authentication Frame- work) domain for which they are authorized without having to re-authenticate/log in again. DirX Access enables to strengthen the authen- Authentication, Authorization and Audit – Finally, the DirX Access central authentication tication process by combining two or more Core Functionality for Access Management service allows authentication management to be concentrated in one configurable compo- authentication methods sequentially. This rep- Authentication is the process of verifying the nent. Because an external, central service by- resents a reasonable way of achieving a multi- identity of a user requesting a service or a passes the need for per-application authentica- factor authentication within simple deploy- resource, while authorization is the process of tion, users no longer need to keep track of ments; for example, combining verifying that an authenticated user has the multiple login credentials, and administrators no username/password with additional verification right to access a requested service or resource. longer need to maintain and support redundant via OTP values or username/password plus an Authentication and authorization answer the authentication mechanisms. external validation. The combination mecha- questions "Who are you?" and "What are you nism provides a conditional configuration of the entitled to do?" A not-yet-authenticated user’s interaction with a system protected by DirX Access leads to an authentication method sequence, i.e., failure in Authentication and authorization address the initial user authentication process. Subsequent the first method may lead either to an overall real-time enforcement of enterprise security interactions employ the single sign-on mecha- authentication failure or to invocation of a policies, while audit automatically records these nism. Risk-based authentication is applied in different method. Hence, DirX Access is able to transactions and stores these records securely both mentioned cases enabling to ask the user provide more sophisticated scenarios, such as for later compilation in reports to provide ana- about additional authentication, when strength- account locking
Load more

Recommended publications
  • Security on the Mainframe Stay Connected to IBM Redbooks
    Front cover Security on the IBM Mainframe Operating system and application security IBM Security Blueprint and Framework IBM mainframe security concepts Karan Singh Lennie Dymoke-Bradshaw Thomas Castiglion Pekka Hanninen Vincente Ranieri Junior Patrick Kappeler ibm.com/redbooks International Technical Support Organization Security on the IBM Mainframe April 2010 SG24-7803-00 Note: Before using this information and the product it supports, read the information in “Notices” on page ix. First Edition (April 2010) This edition applies to the IBM System z10 Enterprise Class server, the IBM System z10 Business Class server, and Version 1, Release 11, Modification 0 of z/OS (product number 5694-A01). © Copyright International Business Machines Corporation 2010. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . ix Trademarks . .x Preface . xi The team who wrote this book . xi Now you can become a published author, too! . xii Comments welcome. xii Stay connected to IBM Redbooks . xiii Part 1. Introduction . 1 Chapter 1. Introduction. 3 1.1 IBM Security Framework. 4 1.1.1 People and identity . 5 1.1.2 Data and information. 5 1.1.3 Application and process . 5 1.1.4 Network, server, and endpoint . 5 1.1.5 Physical Infrastructure . 6 1.2 Framework and Blueprint . 7 1.3 IBM Security Blueprint. 7 Chapter 2. Security of the IBM Mainframe: yesterday and today . 13 2.1 Operating systems . 14 2.1.1 z/OS operating system family . 14 2.1.2 z/VM Hypervisor family .
    [Show full text]
  • IBM Security Access Manager Version 9.0.7 June 2019: Advanced Access Control Configuration Topics Contents
    IBM Security Access Manager Version 9.0.7 June 2019 Advanced Access Control Configuration topics IBM IBM Security Access Manager Version 9.0.7 June 2019 Advanced Access Control Configuration topics IBM ii IBM Security Access Manager Version 9.0.7 June 2019: Advanced Access Control Configuration topics Contents Figures .............. vii Configuring authentication ........ 39 Configuring an HOTP one-time password Tables ............... ix mechanism .............. 40 Configuring a TOTP one-time password mechanism 42 Configuring a MAC one-time password mechanism 45 Chapter 1. Upgrading configuration ... 1 Configuring an RSA one-time password mechanism 46 Upgrading external databases with the dbupdate tool Configuring one-time password delivery methods 50 (for appliance at version 9.0.0.0 and later) .... 2 Configuring username and password authentication 54 Upgrading a SolidDB external database (for Configuring an HTTP redirect authentication appliance versions earlier than 9.0.0.0) ...... 3 mechanism .............. 56 Upgrading a DB2 external runtime database (for Configuring consent to device registration .... 57 appliance versions earlier than 9.0.0.0) ...... 4 Configuring an End-User License Agreement Upgrading an Oracle external runtime database (for authentication mechanism ......... 59 appliance versions earlier than 9.0.0.0) ...... 5 Configuring an Email Message mechanism .... 60 Setting backward compatibility mode for one-time HTML format for OTP email messages .... 62 password ............... 6 Configuring the reCAPTCHA Verification Updating template files ........... 6 authentication mechanism ......... 62 Updating PreTokenGeneration to limit OAuth tokens 7 Configuring an Info Map authentication mechanism 64 Reviewing existing Web Reverse Proxy instance point Embedding reCAPTCHA verification in an Info of contact settings ............ 8 Map mechanism ............ 66 Upgrading the signing algorithms of existing policy Available parameters in Info Map .....
    [Show full text]
  • Pdf/Idm Tech Wp 11G R1.Pdf
    Oracle® Fusion Middleware Integration Overview for Oracle Identity Management Suite 11g Release 1 (11.1.1) E15477-03 August 2012 Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite, 11g Release 1 (11.1.1) E15477-03 Copyright © 2010, 2012, Oracle and/or its affiliates. All rights reserved. Primary Author: Vinaye Misra Contributors: Sidhartha Das, Ellen Desmond, Subbu Devulapalli, Sandy Lii, Kavya Muthanna, Sanjay Rallapalli, Vinay Shukla, Olaf Stullich, Lyju Vadassery, Mark Wilcox This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
    [Show full text]
  • Understanding SOA Security Design and Implementation
    Front cover Understanding SOA Security Design and Implementation Introducing an SOA security reference architecture Implementing scenarios based on the IBM SOA Foundation Deploying SOA using IBM Tivoli security solutions Axel Buecker Paul Ashley Martin Borrett Ming Lu Sridhar Muppidi Neil Readshaw ibm.com/redbooks International Technical Support Organization Understanding SOA Security Design and Implementation November 2007 SG24-7310-01 Note: Before using this information and the product it supports, read the information in “Notices” on page xi. Second Edition (November 2007) This edition applies to Version 6.0 of IBM Tivoli Access Manager for e-business, Version 6.1.1 of IBM Tivoli Federated Identity Manager, and Version 6.0 of IBM Tivoli Directory Server. We are also discussing several other IBM software products in the context of hands-on scenarios. © Copyright International Business Machines Corporation 2007. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . .xi Trademarks . xii Preface . xiii The team that wrote this IBM Redbook . xiii Become a published author . xvi Comments welcome. xvi Summary of changes . xvii November 2007, Second Edition . xvii Part 1. Business context and foundation . 1 Chapter 1. Business context . 3 1.1 Business scenarios . 4 1.1.1 Service creation at an insurance company . 4 1.1.2 Service connectivity at a government department . 5 1.1.3 Interaction and collaboration at a telecommunications company . 5 1.2 Service orientation in SOA . 6 1.2.1 More than componentization. 7 1.2.2 A focus on reuse .
    [Show full text]
  • IBM Tivoli Security Solutions for Microsoft Software Environments
    Front cover IBM Tivoli Security Solutions for Microsoft Software Environments Explaining common architecture and standards Deploying on Microsoft operating systems Securing Microsoft software environments Axel Buecker Neil Readshaw ibm.com/redbooks Redpaper International Technical Support Organization IBM Tivoli Security Solutions for Microsoft Software Environments September 2008 REDP-4430-00 Note: Before using this information and the product it supports, read the information in “Notices” on page v. First Edition (September 2008) This document created or updated on September 18, 2008. © Copyright International Business Machines Corporation 2008. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . .v Trademarks . vi Preface . vii The team that wrote this paper . vii Become a published author . viii Comments welcome. viii Chapter 1. Architecture and standards . 1 1.1 IBM Security Framework. 2 1.2 IBM Service Management strategy . 3 1.2.1 Visibility . 3 1.2.2 Controls. 3 1.2.3 Automation . 3 1.3 Security standards . 4 1.3.1 LDAP. 4 1.3.2 Kerberos . 4 1.3.3 SPNEGO. 4 1.3.4 SSL and TLS. 5 1.3.5 Service-oriented architecture and Web Services Security . 5 1.4 Conclusion . 9 Chapter 2. IBM Tivoli Security Solutions using Microsoft operating systems and middleware . 11 2.1 Microsoft products that we discuss in this chapter . 12 2.1.1 Operating systems . 12 2.1.2 Middleware . 12 2.2 Support summary by IBM Tivoli Security product . 13 2.2.1 IBM Tivoli Directory Server .
    [Show full text]
  • Cloud Access Manager Overview Updated - November 2018 Version - 8.1.4 Contents
    Cloud Access Manager 8.1.4 Overview Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of One Identity LLC . The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice.
    [Show full text]
  • Vendor: Microsoft Exam Code: 70-534 Exam Name: Architecting
    Vendor: Microsoft Exam Code: 70-534 Exam Name: Architecting Microsoft Azure Solutions Version: DEMO ★ Instant Download ★ PDF And VCE ★ 100% Passing Guarantee ★ 100% Money Back Guarantee Case Study 1 - VanArsdel, Ltd (Question 1 - Question 8) Case Study 2 - Trey Research (Question 53 - Question 57) Case Study 3 - Contoso, Ltd (Question 58 - Question 62) Case Study 4 - Lucerne Publishing (Question 63 - Question 68) Case Study 5 - Northwind traders (Question 69 - Question 77) Case Study 6 - Fourth Coffee (Question 180 - Question 187) Case Study 7 - Trey Research (Question 188 - Question 195) Case Study 8 - Woodgrove Bank (Question 196 - Question 203) QUESTION 1 You need to recommend a solution that allows partners to authenticate. Which solution should you recommend? A. Configure the federation provider to trust social identity providers. B. Configure the federation provider to use the Azure Access Control service. C. Create a new directory in Azure Active Directory and create a user account for the partner. D. Create an account on the VanArsdel domain for the partner and send an email message that contains the password to the partner. Answer: B Explanation: * Scenario: The partners all use Hotmail.com email addresses. * In Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS), an identity provider is a service that authenticates user or client identities and issues security tokens that ACS consumes. The ACS Management Portal provides built-in support for configuring Windows Live ID as an ACS Identity Provider. Incorrect: Not C, not D: Scenario: VanArsdel management does NOT want to create and manage user accounts for partners.
    [Show full text]
  • Identity Authentication Service SAP Cloud Platform
    Identity Authentication Service SAP Cloud Platform Marko Sommer, SAP July 26th, 2017 PUBLIC Legal disclaimer The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP´s willful misconduct or gross negligence. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
    [Show full text]
  • Cloud Access Manager Security and Best Practices Guide Updated - November 2018 Version - 8.1.4 Contents
    Cloud Access Manager 8.1.4 Security and Best Practices Guide Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of One Identity LLC . The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice.
    [Show full text]
  • Federated Identity Management and Web Services Security with IBM Tivoli Security Solutions
    Front cover Federated Identity Management and Web Services Security with IBM Tivoli Security Solutions Introduction to Web services security standards Complete product architecture and component discussion Extensive federation business scenario Axel Buecker Werner Filip Heather Hinton Heinz Peter Hippenstiel Mark Hollin Ray Neucom Shane Weeden Johan Westman ibm.com/redbooks International Technical Support Organization Federated Identity Management and Web Services Security with IBM Tivoli Security Solutions October 2005 SG24-6394-01 Note: Before using this information and the product it supports, read the information in “Notices” on page xiii. Second Edition (October 2005) This edition applies to Version 6 of Tivoli Federated Identity Manager (product number 5724-L73) and to all subsequent releases and modifications until otherwise indicated in new editions. Various other related IBM and Tivoli products are mentioned in this book. © Copyright International Business Machines Corporation 2004, 2005. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . xiii Trademarks . xiv Preface . xv The team that wrote this redbook. xvi Become a published author . xviii Comments welcome. xix Part 1. Architecture and design . 1 Chapter 1. Business context for identity federation . 3 1.1 Federated identity . 4 1.2 Business environment . 5 1.2.1 Deconstruction of the enterprise . 5 1.2.2 Enterprise re-aggregation . 6 1.2.3 High-level example of a re-aggregated business . 7 1.2.4 Business models for federated identity . 9 1.2.5 The relationship - Trust and assurance. 15 1.3 IT environment . 17 1.3.1 The role of identity management.
    [Show full text]
  • Security As a Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security Landscape
    Security As A Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security Landscape 11/19/14 2 Solution Building blocks ● Apache CXF Fediz ● Single Sign On (WS-Federation) ● Attribute Based Access Control (SAML AttributeStatement) ● Identity Provider and Application Server Plugin ● Apache Syncope ● IAM (User management, Attribute Management, Provisioning) ● Connector LDAP ● Apache DS ● LDAP Server ● PostgreSQL ● Database for Syncope and Fediz IDP 11/19/14 3 Solution Building blocks Demo Federation/SSO with Apache Tomcat Application 11/19/14 4 Solution Building blocks Apache CXF Fediz 11/19/14 5 Apache CXF Fediz ● Sub-project of Apache CXF project ● Work started mid of 2011 ● Community growing ● First release in June 2012 ● Current release 1.1.2 ● Finishing work for 1.2 11/19/14 6 OASIS WS-Federation 1.2 ● OASIS Standard 2009 ● Security Token agnostic (SAML 1.1/2.0, …) ● Extends OASIS WS-Trust ● Browser and Web Services SSO ● PRP adapts Browsers to WS-Trust ● No connectivity between Application and IDP required (Cloud) ● Claims/Attribute Based Access Control ● Supports several Authentication domains 11/19/14 7 ) Security Tokens STS ) ( issued by STS (IDP Fediz IDP Identity Provider Security Token Service Fediz STS 8 ) -Federation (RP WS -Trust WS Web Application n WS-Federation o i n Fediz Plugin t Relying Party e a k c i o t T n e h t u A Servlet Container Access Web Application Redirect to IDP HTTPS Browser User Machine 11/19/14 Fediz Plugin ● WS-Federation 1.0/1.1/1.2 ● SAML 1.1 / 2.0 Tokens ● SAML-P support ● IDP
    [Show full text]
  • IBM Presentations
    1 2 3 Datapower is both a security appliance & can provide a firewall mechanism to get into Systems of Record 5 White boxes show the access points for different kinds of security. That’s what we will talk about: Security points for an Enterprise Server. What are the Security scenarios: Inbound: protecting transactions, commands & Data Outbound: messages will need to carry some form of an authentication mechanism The OTMA Resume TPIPE Security exit routine (DFSYRTUX) is one of two possible methods that you can use to secure messages queued on the OTMA asynchronous hold queue. The other possible method of securing messages on the asynchronous hold queue is to use an external security product, such as RACF. The DFSYRTUX exit routine and an external security product can each by used by itself or in combination with each other. The DFSYRTUX exit routine runs in the IMS control region. You can set a default RACF user ID for IMS Connect to use when the input message either does not contain a userid in the header or the field is blank. When the default RACF userid is used, IMS Connect passes it in the OMSECUID field of the input message to OTMA. When OTMA security checking is enabled, OTMA uses the RACF userid for authorizing commands, transactions, and RESUME TPIPE calls with RACF. When both a default RACF userid is defined and the incoming message header userid field is not blank, IMS Connect uses the userid value in the message header. A lot of people also use IMS Connect Extensions. Connect extensions also implements these security exit routines.
    [Show full text]