(ats4-plat09) kerberos & saml with accelrys enterprise platform 9.0
DESCRIPTION
In the past, users have authenticated with Pipeline Pilot by providing a username and password. Starting with 8.5 and continuing with 9.0 we now support additional authentication mechanisms such as Kerberos and SAML. Both Kerberos and SAML can provide a Single Sign On capability; SAML also provides the ability to run secure SOAP web services. This session will detail the current state of support for Kerberos and SAML in AEP 9.0 and discuss future enhancements.
TRANSCRIPT
Slide 1: (ATS4-PLAT09) Kerberos and SAML with Accelrys Enterprise Platform 9.0
Jon Hurley, Senior Manager, Platform R&D
Slide 2
The information on the roadmap and future software development efforts is intended to outline general product direction and should not be relied on in making a purchasing decision.
Slide 3: Security in AEP 9.0
• (ATS-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0
  – Discussion of authorization enhancements in AEP 9.0
• New Authentication Methods
  – Kerberos
  – SAML
• Sender Vouches
  – Why?
Slide 4
I am NOT a security expert
Slide 5: What is Kerberos?
• Kerberos is ticket-based authentication baked into the Operating System
  – Many components (e.g. Web Browsers) are able to transmit Kerberos tickets
• Provides Single Sign On – if you are already signed on to the browser, the Kerberos ticket can log you in to another system
  – The server requests an ‘authentication negotiation’ with the browser
    • If the browser (and OS account) is appropriately configured, a Kerberos ticket can be transmitted in response
Slide 6: Kerberos Sequence Diagram (diagram only; not reproduced in the transcript)
Slide 7: Support for Kerberos/SPNEGO
• In the AEP 8.5 release, Kerberos authentication was only supported on Windows Servers
  – The authentication method was termed WIA (Windows Integrated Authentication)
  – The mechanism used to perform the authentication is termed SPNEGO, which allows authentication with Kerberos tickets
    • On Windows, NTLM can also be used with SPNEGO
  – Kerberos requires clients that support SPNEGO:
    • Web browsers: IE, Firefox, Chrome
    • SDKs: .NET Client SDK, JavaScript Client SDK, RunProtocol
    • Not supported: other SDKs (Java) or Pipeline Pilot client
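Because SPNEGO lets a Windows client answer the Negotiate challenge with NTLM instead of a Kerberos ticket, a server-side reviewer wants to know which mechanism each client actually sent. The following is an added example, not AEP or Pipeline Pilot code: it classifies the token in an Authorization header by its leading bytes (the NTLMSSP signature versus the GSS-API tag and mechanism OID); the sample tokens are constructed, not captured.

```python
import base64
from collections import Counter

# Mechanism OIDs as DER bytes, as they appear right after the 0x60 tag and
# length of a GSS-API InitialContextToken (RFC 2743 section 3.1).
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"              # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"    # 1.2.840.113554.1.2.2


def classify_negotiate(authorization):
    """Return which mechanism an 'Authorization: Negotiate <token>' header
    actually carries: 'spnego' (Kerberos wrapped in SPNEGO), 'kerberos'
    (raw Kerberos token), 'ntlm' (NTLM fallback), 'malformed', 'unknown',
    or None when the header is not a Negotiate header at all (e.g. Basic)."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return "malformed"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"             # NTLMSSP signature: no Kerberos ticket was used
    if raw[:1] == b"\x60":        # ASN.1 [APPLICATION 0]: GSS-API token
        head = raw[:16]           # the OID follows a 1- to 3-byte length field
        if SPNEGO_OID in head:
            return "spnego"
        if KRB5_OID in head:
            return "kerberos"
    return "unknown"


def audit(headers):
    """Tally mechanisms over a batch of Authorization header values so an
    unexpected NTLM share stands out; non-Negotiate headers are skipped."""
    return Counter(m for m in map(classify_negotiate, headers) if m is not None)


# Constructed sample tokens (not captured traffic): a minimal NTLM Type 1
# message and a minimal SPNEGO NegTokenInit wrapper.
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
SPNEGO_INIT = base64.b64encode(b"\x60\x0e" + SPNEGO_OID + b"\xa0\x04\x30\x02\xa0\x00").decode()
SAMPLE_HEADERS = [
    "Negotiate " + SPNEGO_INIT,
    "Negotiate " + NTLM_TYPE1,
    "Basic dXNlcjpwYXNz",
    "Negotiate !!not-base64",
]

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))   # Counter({'spnego': 1, 'ntlm': 1, 'malformed': 1})
```

On a Linux AEP 9.0 server, where only Kerberos is supported, a non-zero 'ntlm' count points at clients whose browser or zone settings are not yet configured as the client-configuration slides describe.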
Slide 8: Enhanced support for Kerberos/SPNEGO
• Additional Kerberos support in AEP 9.0
  – Delegation on Windows using Full Impersonation
    • If your AEP server is configured for Full Impersonation and your Kerberos realm (e.g. Active Directory) is configured to allow Delegation, this is supported through Pipeline Pilot
  – Protocols can use their Kerberos token to connect to other Kerberized resources (e.g. UNC files, HTTP services, SQL Server databases)
  – Delegation with Restricted Impersonation is planned
Slide 9: Enhanced support for Kerberos/SPNEGO
• Kerberos Authentication on Linux
  – Kerberos authentication is now supported on Linux
  – We do NOT support delegation in AEP 9.0
    • Just Kerberos Authentication on Linux
Slide 10: Kerberos Configuration
• On the authentication page, enable SPNEGO
Slide 11: Demo
Slide 12: Kerberos Client Configuration – Internet Explorer
• Internet Explorer
  – Add the server as a trusted site (Tools > Internet Options > Security > Trusted Sites > Custom Level > User Authentication > Logon).
  – Select Automatic logon with current user name and password.
  – If your server is already part of the Local Intranet, select Automatic logon only in Intranet zone.
  – These settings may be provided by IT using a group policy
Slide 13: Kerberos Client Configuration – Firefox
• Firefox
  – Browse to "about:config" and add the server names to the following preferences:
    • network.negotiate-auth.trusted-uris
    • network.negotiate-auth.delegation-uris
      – only if you wish to support delegation on the AEP server
Slide 14: SAML Support
• SAML is Security Assertion Markup Language
• Commonly associated with SOAP services
• SAML Sender Vouches Sender Confirmation
  – Web Services securely calling AEP
  – AEP securely calling SAML protected Web Services
• Externalization
  – SAML allows federation of multiple Identity Providers (IdP)
Slide 15: SAML Sender Vouches - Outbound
(Architecture diagram, not reproduced: Clients [Browser: IE, FF, Chrome; SDK Clients: CALPP, NALPP, JALPP] connect over http(s) to the AEP 9.0 Server, which connects over http(s) to an Other Web Server [Service Container, Other Server, WebLogic Server]. Labels on the client side: Kerberos, Form Based, Basic, SAML, Username Token, Custom Cookie; labels on the outbound side: SAML, Kerberos Token.)
Slide 16: SAML Sender Vouches - Outbound
• AEP Protocol securely calling a SAML protected web service
  – Need to create our SAML Certificate used to self-sign our outbound SAML Sender Vouches messages
  – We use the AEP server’s SSL Certificate
  – Use the Security > SAML Certificates admin portal page
  – Click the Import KeyPair button to store the SSL Certificate as the SAML Certificate
    • AEP 9.0 self-signs all outbound Sender Vouches messages (does not use an external IdP for message signing)
Slide 17: SAML Sender Vouches – Outbound: SOAP Connector
• Call the service with the SOAP Connector
  – Set the Token Type parameter to ‘SAML 2.0 Sender Vouches’
• Coming by 9.0 – support for a policy engine (map to a ws-policy file)
Slide 18: SAML Sender Vouches - Outbound (screenshot only; not reproduced in the transcript)
Slide 19: SAML Sender Vouches - Inbound
(Architecture diagram, not reproduced: Clients [Browser: IE, FF, Chrome; Other Clients] connect over http(s) to an Other Web Server [Service Container, Other Server, WebLogic Server], which connects over http(s) to the AEP 9.0 Server. Labels on the client side: Kerberos, Form Based, Basic, SAML, Username, Custom Cookie; labels on the inbound side: SAML, Kerberos.)
Slide 20: SAML Sender Vouches - Inbound
• Web Services securely calling AEP
  – Need to import a certificate from the outside web service agent so that we trust it
    • Use the Security > SAML Certificates admin portal page
    • Click the Import button on the Available Certificates grid and paste in the server’s SAML Certificate
  – Optionally specify one or more SAML Issuer Ids to restrict this certificate to certain services
  – If none specified, any service using this certificate will be supported
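The trust decision just described (a trusted signing certificate, optionally restricted to listed SAML Issuer Ids, with no list meaning any issuer) written out as policy checks on an inbound Sender Vouches assertion. This is an added example and not AEP's own code: TRUSTED_CERTS, its thumbprint labels and the sample assertion are constructed, and the WS-Security signature is assumed to have been verified before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

# Constructed stand-in for the Available Certificates grid: trusted signing
# certificate (made-up thumbprint label) -> allowed SAML Issuer Ids; an empty
# list is "none specified", which the page says accepts any issuer.
TRUSTED_CERTS = {
    "THUMB-PARTNER-LIMS": ["urn:example:partner-lims"],
    "THUMB-INTERNAL-ANY": [],
}


def _ts(value):   # SAML UTC timestamp such as 2013-05-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_sender_vouches(assertion_xml, signer_thumbprint, now=None):
    """Trust checks for an inbound Sender Vouches assertion. Assumes the
    WS-Security signature was already verified and signer_thumbprint names
    that certificate (XML-DSig is not done here). Returns (ok, reason, subject)."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    allowed = TRUSTED_CERTS.get(signer_thumbprint)
    if allowed is None:
        return False, "signing certificate is not trusted", None
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if allowed and issuer not in allowed:          # Issuer Id restriction
        return False, f"issuer {issuer!r} not allowed for this certificate", None
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != SENDER_VOUCHES:
        return False, "subject confirmation method is not sender-vouches", None
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
            return False, "assertion is outside its validity window", None
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not subject:
        return False, "assertion has no subject NameID", None
    return True, "ok", subject


# Constructed sample assertion (unsigned; the checks above start after signature verification).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed"
  Version="2.0" IssueInstant="2013-05-01T12:00:00Z"><saml:Issuer>urn:example:partner-lims</saml:Issuer>
  <saml:Subject><saml:NameID>jhurley</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/></saml:Subject>
  <saml:Conditions NotBefore="2013-05-01T12:00:00Z" NotOnOrAfter="2013-05-01T12:05:00Z"/>
</saml:Assertion>"""
```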
Slide 21: SAML Sender Vouches - Inbound (screenshot only; not reproduced in the transcript)
Slide 22: SAML Sender Vouches – Example Protocol
• Example protocol that demonstrates an outbound/inbound round trip
  – The Protocol uses the SOAP Connector to make an Outbound SAML Sender Vouches call to an Inbound SAML Sender Vouches endpoint
  – This Inbound endpoint is a SAML protected web service on the same AEP server that runs a protocol echoing the request
Slide 23: SAML Sender Vouches – Example Protocol (screenshot only; not reproduced in the transcript)
Slide 24: SAML Sender Vouches – SOAP Request Packet
…
Slide 25: SAML Sender Vouches – SOAP Request Packet (Body)
```xml
<soap-env:Body>
  <ns1:echo><hello>jhurley</hello>
  </ns1:echo>
</soap-env:Body>
```
Slide 26: SAML Sender Vouches – SOAP Response Packet
```xml
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ns1="urn:examples:soap:echoservice"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <echoResponse xmlns="urn:examples:soap:echoservice">
      <return>jhurley</return>
    </echoResponse>
  </soapenv:Body>
</soapenv:Envelope>
```
Slide 27: SAML Sender Vouches – Example Protocol
• Results from the protocol – Successful execution echoing the username (SAML assertion)
  Test Result: Passed
  echoResponse/return: jhurley
Slide 28: WSDL-First Protocols
• This example calls the Echo Service protocol
  – This is an example of a WSDL-First protocol
  – As a user, create the WSDL file and then your protocol is designed to operate with a SOAP packet conforming to that WSDL
  – Invoke the protocol with a suitable SOAP URL:
    • $(ServerRoot)/wsse/wservice/{Full Path of Protocol}
  – The framework validates the request and passes in the contents of the soap-env:body element as a global property xmldocin:
```xml
<ns1:echo><hello>jhurley</hello>
</ns1:echo>
```
Slide 29: WSDL First Protocols
• Using an XML Reader and the setting ‘Properties Are: Leaf Elements’ results in this data record (screenshot only; not reproduced in the transcript)
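An added illustration, not Pipeline Pilot's own code, of what the WSDL-first flow above does with the body it receives: the request element is checked against the expected operation element (the framework validates the request before the protocol runs), leaf elements are flattened into a record the way the ‘Properties Are: Leaf Elements’ setting describes, and the echoResponse body is built from that record. XMLDOCIN is a constructed copy of the page's request body with its namespace declaration added so it parses on its own; collecting repeated leaves into a list is my generalisation, as the page shows a single leaf.

```python
import xml.etree.ElementTree as ET

ECHO_NS = "urn:examples:soap:echoservice"
ET.register_namespace("", ECHO_NS)   # emit the default xmlns the page's response uses

# Constructed stand-in for the xmldocin global property: the contents of the
# soap-env:Body element shown on the page, with the ns1 declaration added.
XMLDOCIN = '<ns1:echo xmlns:ns1="urn:examples:soap:echoservice"><hello>jhurley</hello></ns1:echo>'


def leaf_elements(xml_text, expected_root=f"{{{ECHO_NS}}}echo"):
    """Mimic an XML Reader set to 'Properties Are: Leaf Elements': each
    element without child elements becomes a property named by its local
    name. Repeated leaves collect into a list (my generalisation). The root
    is checked against the WSDL operation element before anything is read."""
    root = ET.fromstring(xml_text)
    if root.tag != expected_root:
        raise ValueError(f"unexpected request element {root.tag!r}")
    record = {}
    for el in root.iter():
        if len(el):                      # has child elements: not a leaf
            continue
        name = el.tag.rsplit("}", 1)[-1]  # strip any namespace
        value = (el.text or "").strip()
        if name not in record:
            record[name] = value
        elif isinstance(record[name], list):
            record[name].append(value)
        else:
            record[name] = [record[name], value]
    return record


def echo_response(record):
    """Build the echoResponse body returned by the Echo Service protocol."""
    resp = ET.Element(f"{{{ECHO_NS}}}echoResponse")
    ET.SubElement(resp, f"{{{ECHO_NS}}}return").text = record.get("hello", "")
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    rec = leaf_elements(XMLDOCIN)        # {'hello': 'jhurley'}
    print(echo_response(rec))
```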
Slide 30: Summary
• AEP 9.0 supports Kerberos SSO and SAML Sender Vouches
• Communicate with us – let us know what authentication providers are important now and in the future
• Forthcoming documentation on configuring protocols as WSDL-first Web Services
• (ATS-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0