Right design for SiteMinder - single-sign-on

I have to give my recommendations for an architecture for SSO using Site Minder.
We have few J2EE applications. These J2EE applications are designed to work when http headers have information after authentication by SSO provider. We have kept our applications SSO provider agnostic. This means we only rely on headers from SSO provider. This worked well with RSA as the SSO provider.
Now there is another architecture proposed with SiteMinder. The way request will flow is
SiteMinder with IIS -> Apache Reverse Proxy -> Tomcat Application -> Backend Applications.
To break down we will have
a) SiteMinder with IIS (public facing site)
b) Apache Reverse Proxy ( For routing)
c) Tomcat Application (For routing and a logic for site access based on time)
d) Backend applications
The reason for bringing the new architecture is that all back end applications have code for site access. The site can be down for some time, which is controlled by a property file.
I find this architecture wrong. I do not understand why Apache Reverse Proxy is requried. I would still go with simple architecture with flow as
a) SiteMinder with IIS doing the routing -> Backend Applications(accessing a common service to check whether site can be accessed or not)
Am I missing something?

The Apache reverse proxy would make it easier to load balance between multiple IIS instances. As far as I know to do something similar on IIS you would need to use the ARR (application request routing) module which won't be optimised to work with Tomcat etc.
However, the SiteMinder with IIS does seem an added overhead in your architecture. The Apache reverse proxy also supports SiteMinder agents. Why don't you push for setting up the SiteMinder agent on the Apache proxy and remove IIS completely from the picture. I can think of the following benefits:
Remove one extra layer from the architecture
Remove an extra network hop
Clean up the stack. Apache + Tomcat is very standard in enterprises while IIS + Apache + Tomcat definitely isn't.
Hope this helps

I don't see either the rationale behind the second architecture. The first scenario is a much more common deployment of Siteminder.
Be aware that this kind of architecture potentially opens vulnerabilities (logon bypass notably). See my answer on this question. Those remarks are true for both architectures.

Related

JBOSS EAP 6 - Siteminder integration components

I need to set up JBOSS EAP6 WebApp to integrate with Siteminder with IDP initiated SAML2 artifact binding.The current integration is using Form based header authentication. Siteminder is onPrem and JBOSS/App is in AWS. I have little visibility to the siteminder set up or it's requirement to integrate to JBOSS. I have a clarity on setting up the ServiceProvider in JBOSS for SSO and Single Log out with post binding.
My question are:
1. To integrate with an OnPrem Siteminder IDM, what components other than JBOSS and it's configurations are to be present in the server hosting JBOSS?
Something like a siteminder agent to be run in the server?
From a purely JBOSS perspective ,where does the JBOSS set up boundary starts?
I went through the net and could not find a conclusive list of components required to meet this integration.
2. Artifact binding is not supported by JBOSS EAP 6 per doc, so I must ask the IDM team to support SSO with post binding, correct?
Thank you in advance for your help.
You need to implemented your own JAAS security module. There is information on JBoss and CA websites on how to do this. This module will provide the authenication (user) and authorization (roles) to the applications deployed on JBoss. When developing I suggest setting the log level of org.jboss.security to trace.
It is picketlink that needs to be configured.Github has [examples][1]
[1]: https://github.com/jboss-developer/jboss-picketlink-quickstarts .
There is no need of siteminder agent if SP set up alone in the scope.
Also IDM team has to be requested to stick to POST Binding.
This covers the questions I asked.

ADFS Implementation for Internal Applications

We are looking forward to implement ADFS to implement SSO across our organization for various set of web applications such as (SAP, Siebel, Custom java based, Asp.net etc.).
I understand based on my research that ADFS can be used to achieve SSO for third party applications using SAML. It can act as an identity provider for third party applications. Please correct me if I am wrong.
Can we use the ADFS to implement cookie based SSO for the various internal web based apps which I mentioned above?? (For Ex: CA Siteminder, ORacle Access manager can work with almost every internal web based application)
In other words: we have one application using apache webserver, one using IIS webserver, one using IHS webserver; can ADFS be used to achieve Single sign on with all these applications??? If yes, How ???
Thanks in Advance...!!
Ashish
ADFS implements SSO via federation using either WS-Fed or SAML 2.0.
If these applications can support these protocols, then yes just federate these products with ADFS and you will get SSO.
e.g. SalesForce SSO with ADFS.
For Java you need a SAML stack e.g. Spring Security.
For ASP.NET, use OWIN or WIF.

Authentication with CAS for rest service call

In our current setup we have about a dozen web applications that deploy to a single Tomcat server. One of these applications is CAS which is used for all authorization.
This works pretty well and in our jRuby web application we use the rubycas-client gem, point to CAS and we're done.
Now we have a requirements where, in a Java component, we need to be able to call out to another web application via a rest service that resides on the same server. My first thought was to use CAS proxy tickets but the web application we have to hit currently doesn't have this enabled and, due to the nature of the environment, this cannot be changed.
So as far as I can tell we're left trying to impersonate the user by using an iframe in our web application that points to the other one (we're all on the same domain and server) and scrape its sessionid for impersonation and pass it down to the Java layer. But I really, really don't want to do this.
Am I missing anything? Is there any better ways of doing this? Is there a way to get the sessionid without an iframe maybe?
Thanks!
If you want to call a web service from a web application using CAS identity, you certainly should use the CAS proxy feature.
If you can't cassify your web service, there is another option for you : you could use the Apache module for CAS : https://wiki.jasig.org/display/CASC/mod_auth_cas.

Do we need dedicated webservers or can we simply use modern application servers?

I am planning to design an application which will require both web server and application server (Java EE based). Modern application servers like Weblogic, Websphere, JBOSS can provide support for both application server and web server. However I have seen many applications where the deployment architecture provides a segregation of web server and application server as a separate entity.
I would like to know:
What is the architectural benefit of segregating the web server and app server as a separate entity?
e.g. Assuming we are going to use weblogic as a web sever and app server do you think if there is any concern for large applications?
There is several resons to use a dedicated web server for static content:
In most case a web server is already present infront of the application server (reverce proxy), it is needed if the app server is clustered. So as it is already present.
If the static content is important (size and trafic), puting it in web server allow to scall the content and the application separeatly.
Historicly pure Java app server was slower that native web server, now NIO allow the same access to system call sending file directly to a socket without going back and forward between system and user mode.
So I think you should start with the contend delivered by the app server and complexify the system if it help you to solve issues you actualy enconter.

Authentication with Windows Identity Foundation and ADFS+3rd party

I'm currently assessing ways to impelement authentication&authorzation in a .NET SOA environment(ASP.NET MVC, WCF).
I have concluded that using Windows Identity Foundation with a STS should fullfill our criteria.
I'm having hard time finding any suitable STS to work with WIF other than ADFS. I know there are multiple options, but there is no documentation/experience available how well these play together with WIF.
Summa summarum, multiple questions:
Is this dumb idea?
Is there any STS product that plays together with WIF smoothly? Any resources on this?
Are there products that allows me to implement centralized(yet scalable) authorization(even with XACML support)?
What is your experience using WSO2 Identity Server with ADFS/WIF?
WSO2 Identity Server has some XACML capabilities but how can these be used in authorization with WCF services?
There is Starter STS
http://startersts.codeplex.com/
which has lately been replaced by the IdentityServer:
http://identityserver.codeplex.com/
It's been for a while and has some features ADFS lacks (like the ability to use a MembershipProvider to authenticate users).
Also, crafting your own STS is relatively easy. There are some good tutorials around, I've also written few posts on this:
http://netpl.blogspot.com/2011/08/quest-for-customizing-adfs-sign-in-web.html
WSO2 Identity Server can be integrated with ADFS. Also it can be run as an XACML engine. XACML engine is exposed to out side as a SOAP end point as well as a Thrift end point.
Disclaimer : I am an architect at WSO2.
No experience of WSO2 but if you don't want to use ADFS you'll have no problems with Identity Server. Both ADFS and Identity Server and more commercial products such as Ping Identity play very nicely with WIF.