Scribd Logo
Upload

Welcome to Scribd!

  • EASYVISTA Extending SSO Security Exchanges With EasyVista

    Uploaded by

    Luis Alberto Lamas Lavin
    142 views11 pages
    This document provides instructions for extending the security of single sign-on (SSO) exchanges using EasyVista's encryption extension. It describes: 1) The goals of protecting against forged URLs and URL theft. 2) How to install the security extension, configure related settings, and troubleshoot issues. 3) How to configure the extension for use with an IIS relay system or PHP SSO relay on the EasyVista web server.

    Original Description:

    easyvista

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides instructions for extending the security of single sign-on (SSO) exchanges using EasyVista's encryption extension. It describes: 1) The goals of protecting against forged URLs and URL theft. 2) How to install the security extension, configure related settings, and troubleshoot issues. 3) How to configure the extension for use with an IIS relay system or PHP SSO relay on the EasyVista web server.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    142 views11 pages

    EASYVISTA Extending SSO Security Exchanges With EasyVista

    Uploaded by

    Luis Alberto Lamas Lavin
    This document provides instructions for extending the security of single sign-on (SSO) exchanges using EasyVista's encryption extension. It describes: 1) The goals of protecting against forged URLs and URL theft. 2) How to install the security extension, configure related settings, and troubleshoot issues. 3) How to configure the extension for use with an IIS relay system or PHP SSO relay on the EasyVista web server.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 11

    EasyVista Extending

    security of SSO
    exchanges
    Last update : January 26th, 2012

    03/04/2012

    EasyVista Extending security of SSO exchanges

    Summary
    A.

    Presentation ................................................................................ 3

    A.1. Goal .................................................................................................................... 3


    A.2. Features provided by the encryption extension............................................. 3
    A.2.1. Protection against forging URLs ................................................................................................3
    A.2.2. Protection against URL theft......................................................................................................3

    A.3. Limits of the system ......................................................................................... 4

    B.

    Prerequisites ............................................................................... 4

    C.

    STEP 1: Installation of the security extension ........................ 4

    C.1. Copy the files..................................................................................................... 4


    C.2. Configure the listening port if necessary ....................................................... 4
    C.3. Configure your firewall if necessary ............................................................... 4
    C.4. Install the service .............................................................................................. 4
    C.5. Troubleshooting ................................................................................................ 5
    C.5.1. Log files ....................................................................................................................................5
    C.5.2. Access to the WSDL information ...............................................................................................5

    D.

    STEP 2: Configuration of the SSO system you want to use .. 6

    D.1. Configuration with the IIS relay system .......................................................... 6


    D.1.1. Presentation .............................................................................................................................6
    D.1.2. Add a new security group..........................................................................................................6
    D.1.3. Install and configure the IIS relay pages ....................................................................................7

    D.2. Configuration with a PHP SSO relay on the EasyVista webserver ............... 7
    D.2.1. Presentation .............................................................................................................................7
    D.2.2. Installation ................................................................................................................................8
    D.2.3. Configuration ............................................................................................................................8

    D.3. Troubleshooting ................................................................................................ 9

    E.

    STEP 3: Configure EasyVista .................................................. 10

    E.1. Add the missing parameters if necessary .................................................... 10


    E.2. Configure the parameters ............................................................................... 10
    E.3. Restart the SMO SERVER service ................................................................. 11

    03/04/2012

    EasyVista Extending security of SSO exchanges

    A. Presentation
    A.1. Goal
    Authentications based on federation services providers are natively based on secured exchanges
    (SAML, Client Certificates, etc.) and thus provide a high level of security which guarantees that its not
    possible to either:

    Forge fake authentication exchanges,

    Or reuse a fully authorized URL that has been captured

    Pseudo SSO solutions (like IIS relay, HTTP transfer from portal, etc.) do not provide this level of
    security. They should not be considered as secured SSO solutions and our advice is that they should
    not be used.
    Despite this, many customers who are not already providing authentication based on fully secure
    federation services implement pseudo SSO solutions for their low cost of implementation.
    Even if providing a fully secure SSO system is not part of the EasyVista perimeter, we have developed
    a security service, included freely, and which goal is to encrypt the login send from IIS relay like
    solutions to the EasyVista platforms.

    A.2. Features provided by the encryption extension


    A.2.1. Protection against forging URLs
    The EasyVista encryption extension is based on AES128 encryption that guarantees a high level of
    security (http://en.wikipedia.org/wiki/Advanced_Encryption_Standard).
    This guarantees that a malicious user will not be able to forge a new URL based on an existing one to
    fake an SSO connection of another user.
    Confidentiality of the key used in the encryption process is the responsibility of the customer that must
    guarantee that the IIS server is physically and logically secured.

    A.2.2. Protection against URL theft


    The EasyVista security extension also includes a ONE TIME USE (OTU) for each URL.
    Even a captured URL cannot be used a second time.

    03/04/2012

    EasyVista Extending security of SSO exchanges

    A.3. Limits of the system


    The service is provided as is and customers cannot request for other way of encryption.
    Customer cannot use this service outside of the EasyVista perimeter.

    B. Prerequisites
    This feature is available with EasyVista fix starting from version 2010.1.1.89

    C. STEP 1: Installation of the security


    extension
    C.1. Copy the files
    From the EasyVista security extension package you received from the technical support or you
    found on EasyVista CD, copy the files in a new folder on the EasyVista application server (for example
    a folder named EZVExtended at the same level that the MSSQL folder containing the
    SMO_MSSQL.EXE service).

    C.2. Configure the listening port if necessary


    Open the smoextended.ini file and change the port number if the default one is already used or not
    compliant with your system.
    The default proposed value should work for most of the systems.

    C.3. Configure your firewall if necessary


    The port 34563 on the application server (or the one you configured) must be accessible from the web
    server. Configure your firewall if necessary to allow this access in TCP mode.

    C.4. Install the service


    Install the service by running a SMOExtended.exe /install command.

    03/04/2012

    EasyVista Extending security of SSO exchanges

    C.5. Troubleshooting
    C.5.1. Log files
    The EasyVista security extension service generates log files that you can use to:

    Check the encryption and decryption request processed with our without errors

    Check the exceptions triggered while servicing encryption requests

    C.5.2. Access to the WSDL information


    You can try to access to the follwing URLs from the application server :
    URL

    Value
    Put here the URL to use to access to the web
    service published by the EasyVista Security
    Extended service.
    The URL must include the port 34563 (or the
    port youve configured for the service if you
    changed the default 34563 port).

    http://XXX.XXX.XXX:34563/wsdl

    You should see a screen like this one

    http://XXX.XXX.XXX:34563/wsdl/ISmoExtendedInterface

    03/04/2012

    EasyVista Extending security of SSO exchanges

    D. STEP 2: Configuration of the SSO system


    you want to use
    D.1. Configuration with the IIS relay system
    D.1.1. Presentation
    Use this procedure when you want to implement the IIS relay system to simulate an SSO solution.
    The ISS system can be outside of your EasyVista platform.

    The exchange workflow is:

    D.1.2. Add a new security group


    Open the SMOEXTENDED.INI file and change the following parameters:
    Parameter

    Value
    Put here a unique identifier using only
    alphabetical and numeric characters that
    will uniquely describe the security group on

    PUT-HERE-YOUR-UNIQUE-ID

    03/04/2012

    EasyVista Extending security of SSO exchanges

    this server (ex: A34HD78E9T888E8Q8D8).


    This value will be referred as the
    GROUP UNIQUE ID in this document.
    Put here the 16 characters key that will be
    used to encrypt data from the IIS server
    and decrypt them once received by
    EasyVista

    PUT-HERE-YOUR-KEY

    This value will be referred as the


    GROUP SECURITY KEY in this
    document.

    Remarks: Other parameters should not be changed unless the technical support requires you to do
    so.
    Once the new security group created, restart the SMOExtended service.

    D.1.3. Install and configure the IIS relay pages


    From the EasyVista IIS relay package you received from the technical support or you found on
    EasyVista CD, copy the files in a folder on the IIS server you want to use as a relay.
    Once copied, open the INDEXPHP_REDIRECT.ASPX file and change the following parameters:
    Parameter

    Value

    string strKey = "0123456789012345";

    PUT-HERE-YOUR-EASYVISTA-WEBSERVER

    Replace the 0123456789012345 string


    with the key value (GROUP SECURITY
    KEY) you defined in D.1.3
    Put here the URL used to access to your
    web server (ex:
    easyvista.mycompany.com).
    Leave the rest of the line unchanged.

    D.2. Configuration with a PHP SSO relay on the


    EasyVista webserver
    D.2.1. Presentation
    This configuration is used when the information is directly accessible form the EasyVista webserver,
    either because its being pushed by the corporate SSO system, or collected through a tiers layer
    (CAS, SAML, Client certificates, etc.).

    03/04/2012

    EasyVista Extending security of SSO exchanges

    The tiers layer installed on the EasyVista webserver will:

    Collect the user ID based on the SSO used

    Encrypt the user ID through a call to the EasyVista Security Extended service

    Send the information through the standard HTTP SSO compliant with EasyVista

    This process will guarantee that the whole http/https exchange respect the target level of security.
    The exchange workflow is:

    D.2.2. Installation
    Starting with EasyVista 2012, the pages are already installed by default with EasyVista in the www
    and www/sspi folder.
    If you want to install the EasyVista Security Extented service with version 2010, you must first apply
    the latest fix that includes the last sspi pages.

    D.2.3. Configuration
    Open the www/sspi/sspi_setting.php file and change the following parameters:
    Parameter

    Value

    03/04/2012

    EasyVista Extending security of SSO exchanges

    Put here the url to access to the EasyVista web site to redirect the SSO
    URL (mind to keep the /index.php?url_account= in the url).
    $URL

    Ex:
    https://easyvista.mycompany.com/index.php?url_account=

    $id

    Put here the GROUP SECURITY KEY youve created during STEP 2
    Put here the url that the EasyVista web server will use to access to the
    wsdl ISmoExtentendedInterface service published by the EasyVista
    Extented Security service.

    $str_wsdl

    Keep in mind that this is the URL to access to the application server from
    the webserver. It cannot be a Localhost like url
    Ex : http://XXX.XXX.XXX:34563/wsdl/ISmoExtendedInterface

    D.3. Troubleshooting
    Use HTTPWATCH to capture the http exchanges and check that they are consistent what is expected

    03/04/2012

    EasyVista Extending security of SSO exchanges

    E. STEP 3: Configure EasyVista


    E.1. Add the missing parameters if necessary
    Check the AM_PARAMETER table in the database you want to configure for the presence of the
    following parameters:

    {ADMIN} SSO : Url of the WebService encryption support

    {{ADMIN} SSO : ID of the encryption used

    If they are not present, run the following script to add them:
    if (NOT EXISTS(SELECT PARAMETER_GUID FROM [AM_PARAMETER] WHERE PARAMETER_GUID='{CF69F417-5AE64386-B95D-D628F7744684}'))
    INSERT INTO [AM_PARAMETER]
    (PARAMETER_GUID, PARAMETER_EN, PARAMETER_FR, PARAMETER_GE, PARAMETER_SP, PARAMETER_IT,
    PARAMETER_PO, PARAMETER_TYPE, PARAMETER_VALUE)
    VALUES
    ('{CF69F417-5AE6-4386-B95D-D628F7744684}', '{ADMIN} SSO : Url of the WebService
    encryption support', '{ADMIN} SSO : Url du WebService en charge du cryptage',
    '[{ADMIN} SSO : Url of the WebService encryption support]', '[{ADMIN} SSO : Url of the
    WebService encryption support]',
    '[{ADMIN} SSO : Url of the WebService encryption support]', '[{ADMIN} SSO : Url of the
    WebService encryption support]',
    'STRING', '')
    if (NOT EXISTS(SELECT PARAMETER_GUID FROM [AM_PARAMETER] WHERE PARAMETER_GUID='{C3DAD878-236B4AFB-9F91-8B82E41A89F8}'))
    INSERT INTO [AM_PARAMETER]
    (PARAMETER_GUID, PARAMETER_EN, PARAMETER_FR, PARAMETER_GE, PARAMETER_SP, PARAMETER_IT,
    PARAMETER_PO, PARAMETER_TYPE, PARAMETER_VALUE)
    VALUES
    ('{C3DAD878-236B-4AFB-9F91-8B82E41A89F8}', '{ADMIN} SSO : ID of the encryption used',
    '{ADMIN} SSO : ID de l''encryptage utilis',
    '[{ADMIN} SSO : ID of the encryption used]', '[{ADMIN} SSO : ID of the encryption
    used]',
    '[{ADMIN} SSO : ID of the encryption used]', '[{ADMIN} SSO : ID of the encryption
    used]',
    'STRING', '')

    E.2. Configure the parameters


    Parameter

    {ADMIN} SSO : Url of


    the WebService
    encryption support

    Value
    Put here the url that the EasyVista web server will use to
    access to the wsdl ISmoExtentendedInterface service
    published by the EasyVista Extented Security service.
    Keep in mind that this is the URL to access to the application

    10

    03/04/2012

    EasyVista Extending security of SSO exchanges

    server from the webserver. It cannot be a Localhost like url


    Ex :
    http://XXX.XXX.XXX:34563/wsdl/ISmoExtendedInterface
    {ADMIN} SSO : ID of
    the encryption used

    Put here the GROUP SECURITY KEY youve created during


    STEP 2

    E.3. Restart the SMO SERVER service


    Once the parameters changed, restart the SMO SERVER service.
    If you change the parameters again later, youll also need to restart the SMO SERVER Service.

    11

    You might also like