Helping users help themselves

ST-FOUR David Frost [email protected]

Upload: rsc-south-west

Post on 01-Sep-2014



TRANSCRIPT

Page 2: Helping users help themselves

Who are ST-FOUR?

● ST-FOUR was formed in 2005
● Over 15 years' industry experience
● Engineers located throughout the UK
● VCP5, MCNE, NCE and lots of other certifications
● Start-to-finish project design, consultancy, hardware, software and post-sales support

Page 3: (slide has no text content)

Page 4: How can we make life easier?

1) Desktop/Mobile Management Software
● SCCM, ZENworks, Meraki

2) Help Desk Software
● Service Desk, Kayako, Spiceworks, etc.

3) Network Monitoring Tools
● Zenmap, HP IMC, Cisco Network Assistant

4) User Identity Management

5) Password Management & Self-Service

Page 5: What do we mean by SSO?

● One sign-on to any device giving access to all corporate resources
  ● Is this good for shared devices?
  ● Are we "shooting for the moon"?
● Reduced sign-on: one sign-on for the device and one for SSO
  ● A more pragmatic definition?

Page 6: Identity Management

● Manage user logins between disparate systems, e.g. Office365, databases, Linux
● Customisable scripts that link users, groups, containers, passwords, etc.
● Synchronise objects and attributes
● Manage user life-cycles
● Increase security

Page 7: Why a need for SSO?

● User frustration
  ● "Why do I need to keep entering my password?!"
● Identity crisis
  ● "Who am I on this server?"
  ● "What was my password again?"
● Pressure from management
  ● Work efficiency
  ● Reduce workload on the helpdesk
● Harden security
  ● Post-it note avoidance

Page 8: Is SSO always desirable?

● A compromised password has a much bigger impact: it now unlocks every connected system, not one
● Mobile devices with credentials stored in a client are compromised passwords in waiting
● SSO servers become highly critical systems

Page 9: The Mobile Device Challenge

● Lack of central configuration
● Cut-down browsers "missing" features
● Inadequate proxy settings
● Unergonomic (small) interfaces
● May not join domains
● Apps with embedded authentication
● Ownership?

Page 10: Modern IT Challenges

● A much more complex world than 10 years ago!
● Majority of applications are web based
● Have to support IE / Firefox / Chrome / Safari / etc.
● Most users still use desktops but also use laptops / tablets / phones / home PCs
● Want to work securely from anywhere
● Web programs often also have mobile apps

Page 11: Typically sites have...

● Enterprise portal web site / landing page
● Links to other applications
● Internal web services with directory credentials
● Some services have internal authentication
● Some services are federated in datacenters

...This is when SSO starts to become serious!

Page 12: Integrated Windows Authentication

● Ability of Windows workstations to pass user credentials transparently to Windows servers
● Many Windows-core sites implemented IWA
● True SSO where:
  ● All machines are in the domain
  ● Microsoft web apps are IWA compliant
  ● Browsers are centrally configured
● Excellent SSO, as it means just 1 login

Page 13: IWA Limitations

● Client machines must be in the domain
● Only Windows PC/laptop clients
● Usually IIS / Exchange / SharePoint webs
● Does not work over the Internet
● Does not work via proxies
● Not supported by many 3rd-party services

Page 14: IWA and Mobile Devices

● iOS / Android / Windows Phone 8 etc. do not support IWA
● So mobile devices need an alternative
● As IWA works so well, we should work with IWA, not replace it

Page 15: NetIQ Access Manager

● Web SSO system for all devices
● SSO for internal & external web services
  ● Need to log into the device first
  ● After first login to NAM, all subsequent passwords are saved in a SecureStore
  ● Provides a secure reverse proxy
  ● Can save external IP addresses
  ● Integrates with web-based PSS, e.g. PWM
  ● Is also a web VPN
● Is browser neutral
● Does not require any client

Page 16: NAM Features

● Custom authorization
  ● Policies on username, org role, email address, etc.
● Identity injection
  ● Credentials, attributes and headers passed to the back-end application
● Web page form fill
  ● Login forms silently completed and submitted
● HTML rewriting
  ● All transparent to the client

Page 17: NAM and Kerberos

● Allows NAM to request service tickets on behalf of users for configured services (Kerberos constrained delegation: the user never presents a ticket; NAM obtains one in their name)
● Allows a non-Kerberised browser to access a Kerberised resource
● Access Gateway must be installed on a Windows server in the domain
● Because the gateway's account is trusted to obtain tickets in any user's name for those services, compromising the gateway compromises every user of them (the "highly critical system" warning from Page 8 applies with full force)

Page 18: Coexistence NAM/IWA

● NAM does not replace IWA internally where it is used
  ● 1 login trumps 2 logins
● But it can be an easy win for mobile devices used internally
  ● Provides reduced sign-on
  ● No client to install/configure/administrate
● Simply point DNS to NAM instead of the existing web service
  ● Once DNS points at NAM, the original service should accept connections only from NAM; otherwise anyone who knows the origin address bypasses the proxy's authorization and identity injection
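The identity-injection feature on Page 16 and the DNS cutover on Page 18 share one hygiene rule: the back end must believe an identity header only when it demonstrably came from the gateway, and the gateway must discard any copy of that header the client sent. The following is an added example written for this page, not NetIQ Access Manager code; the header names, the shared-secret header and the gateway network are assumptions chosen for illustration.

```python
"""Identity injection by a reverse proxy, with the two checks that keep it honest.

Added example, not NAM code. Hypothetical header names; NAM lets the policy
author choose them. Shared-secret header and gateway subnet are assumptions.
"""
import hmac
import ipaddress
from dataclasses import dataclass

# Headers the gateway injects (hypothetical names).
INJECTED_HEADERS = ("X-Remote-User", "X-Remote-Roles")
# Lets the backend tell gateway traffic from a direct hit on the origin (assumption).
GATEWAY_TOKEN_HEADER = "X-Gateway-Token"


@dataclass
class Session:
    """What the gateway knows about the user after they authenticated to it."""
    username: str
    roles: tuple


def _lookup(headers: dict, name: str) -> str:
    """Case-insensitive header fetch; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def gateway_forward(client_headers: dict, session: Session, token: str) -> dict:
    """Headers the gateway sends upstream for an authenticated request.

    Every client-supplied copy of the injected headers is dropped first,
    whatever its letter case, so a user cannot become somebody else by
    adding 'x-remote-user: admin' to their own request.
    """
    reserved = {h.lower() for h in INJECTED_HEADERS + (GATEWAY_TOKEN_HEADER,)}
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    upstream["X-Remote-User"] = session.username
    upstream["X-Remote-Roles"] = ",".join(session.roles)
    upstream[GATEWAY_TOKEN_HEADER] = token
    return upstream


def backend_identity(headers: dict, peer_ip: str, gateway_net: str, token: str):
    """Identity the backend may act as, or None.

    Injected headers are honoured only when the TCP peer is inside the
    gateway's network AND the shared secret matches. A request that reaches
    the origin directly (the gap left by merely pointing DNS at the gateway)
    therefore carries no identity, whatever headers it brings.
    """
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(gateway_net):
        return None
    presented = _lookup(headers, GATEWAY_TOKEN_HEADER).encode()
    if not hmac.compare_digest(presented, token.encode()):
        return None
    user = _lookup(headers, "X-Remote-User")
    if not user:
        return None
    roles = tuple(r for r in _lookup(headers, "X-Remote-Roles").split(",") if r)
    return user, roles


if __name__ == "__main__":
    # Constructed requests: a spoofed identity header sent through the
    # gateway (stripped and replaced) and straight to the origin (ignored).
    alice = Session("alice", ("staff",))
    via_gateway = gateway_forward({"Host": "intranet", "x-remote-user": "admin"}, alice, "s3cret")
    print(backend_identity(via_gateway, "10.0.0.2", "10.0.0.0/24", "s3cret"))
    print(backend_identity({"X-Remote-User": "admin"}, "203.0.113.5", "10.0.0.0/24", "s3cret"))
```

In a real deployment the "peer is the gateway" check is usually done at the network layer (firewall or host ACL on the origin) and the shared secret is replaced by mutual TLS between gateway and origin; the logic the back end applies is the same.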

Page 19: NAM user view

(screenshot slide; no text content)

Page 20: Password Self Service

● SSPR (paid) or PWM (freeware) enables password self-service for users from:
  ● A customised web page
  ● The Windows/Novell client (via a .exe add-on)
  ● Integration with Access Manager
● PWM: free web-based PSS tool
  ● http://code.google.com/p/pwm/
● SSPR: "paid for" version of PWM, comes free with NAM
  ● Integrates with LDAP, e.g. AD, eDirectory, OpenLDAP
  ● Admin creates challenge/response sets
  ● Users fill in challenge/response questions
● Can also do:
  ● Forgotten username
  ● Helpdesk / people search / update profile
  ● New user & guest registration / activation
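Challenge/response sets are a second set of credentials and deserve the same storage discipline as passwords: each answer salted and stretched, compared in constant time, and the "how many must match" policy applied without leaking which answers were right. The block below is an added example for this page, not PWM or SSPR code; the storage layout, the PBKDF2 work factor and the "n of m" rule are assumptions for illustration.

```python
"""Hashed storage and verification of password-reset challenge/response sets.

Added example, not PWM/SSPR code. Storage format, work factor and the
'required answers' policy are assumptions chosen for this example.
"""
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000  # PBKDF2 rounds (assumption; tune to your hardware)


def normalise(answer: str) -> str:
    """Fold case, whitespace and Unicode form so 'Fluffy ' matches 'fluffy'.

    Users rarely type an answer the same way twice; normalising before
    hashing avoids lockouts without storing the plaintext.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def _hash(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)


def enrol(questions_answers: dict) -> dict:
    """Store a fresh random salt and a hash per answer; plaintext never persists."""
    stored = {}
    for question, answer in questions_answers.items():
        salt = os.urandom(16)
        stored[question] = {"salt": salt, "hash": _hash(answer, salt)}
    return stored


def verify(stored: dict, attempt: dict, required: int) -> bool:
    """True only if at least `required` of the stored answers match.

    Every stored answer is hashed and compared (no early exit, missing
    answers are treated as empty strings) so response time does not reveal
    how many answers were right or which questions were attempted.
    """
    correct = 0
    for question, record in stored.items():
        given = attempt.get(question, "")
        if hmac.compare_digest(_hash(given, record["salt"]), record["hash"]):
            correct += 1
    return correct >= required


if __name__ == "__main__":
    # Constructed enrolment and two reset attempts.
    store = enrol({"First pet?": "Fluffy", "Town born?": "Bristol", "First car?": "Mini"})
    print(verify(store, {"First pet?": " fluffy ", "Town born?": "BRISTOL", "First car?": "Ford"}, 2))
    print(verify(store, {"First pet?": "fluffy", "Town born?": "Bath", "First car?": "Ford"}, 2))
```

Rate limiting and lockout per account still matter: answers have far less entropy than passwords, so the hashing only buys time against an offline attacker who has already obtained the directory data; the online guess rate must be capped separately.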

Page 21: (slide has no text content)

Page 22: NetIQ CloudAccess

● Provides drag 'n' drop access to SaaS
● Can manage identity lifecycles
  ● Provision users to SaaS with the correct access
  ● Remove users from SaaS when they leave
● Can work alongside or integrate with NAM
  ● SAML2 federation (e.g. Office365, GoogleApps)
  ● Dedicated connectors (e.g. WebEx, Box)

Page 23: NetIQ MobileAccess

● Plugs into CloudAccess
● Mobile app to store all SaaS links
  ● iOS and Android
● SaaS links auto-populated on the mobile based on user rights in CloudAccess
● A web service is 1 click away from a mobile