Microsoft ADFS based Single Sign On (SSO) Solution for Imam University
22-February-14

TABLE OF CONTENTS
Executive Overview
Top Features
Solution Architecture
Requirements for Deploying the Active Directory based Federation Services Single Sign On
The Architecture Components
A Brief Description of Each Component
General Architecture Notes
Solution Authorization Architecture
Benefits of Using the Proposed Solution
About Addvantum
Relevant Experience - Oracle Fusion Middleware
Royal Saudi Air Force
University of Dammam
The General Organization for Social Insurance (GOSI)
National Manufacturing and Gas Company (GASCO)
Samba Bank
Financial Proposal

EXECUTIVE OVERVIEW
The goal of the project is to deploy a Single Sign On solution for the current SharePoint 2013 farm environment at Imam University. The Microsoft ADFS based solution will integrate seamlessly with the existing SharePoint environment using Active Directory Federation Services. After the deployment of the solution, the existing SharePoint 2013 farm will be available online, integrated with the current student and staff portals. The solution will provide single sign on for users: one login authenticates the user to all existing SharePoint portals. These credentials will be automatically available to the user without any repetition, providing ease of use and enhancing usability and efficiency.

The initial goals of this project include, but are not limited to, finding a solution that will be able to:
• Provide an efficient and seamless Single Sign On solution for the existing SharePoint portal for all users, local (LAN) as well as online.
• Increase the accessibility of information and documents to those who need it while maintaining a secure environment.
• Align with Information and IT Governance to establish a maintainable ECM foundation.

In order to achieve such goals we understand that the desired solution must be extensible. In other words, the required components must be available in the existing setup without the need to be purchased, and could be configured as needed and 'snapped' into the overall existing SharePoint 2013 platform.
This will provide Imam University with the necessary flexibility to implement Single Sign On without any changes in the current licensing model. Microsoft Active Directory is an industry-leading solution that delivers a new level of integration and productivity across the entire spectrum of unstructured content. Active Directory Federation Services (ADFS) is based on the emerging, industry-supported Web Services Architecture, which is defined in the WS-* specifications. ADFS helps provide single sign-on (SSO) to authenticate users to multiple, related Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries. The macro-level features of the Single Sign On solution are listed under Top Features below.

Terminology used in the proposed solution
ADFS uses terminology from several different technologies, including certificate services, Internet Information Services (IIS), Active Directory, ADAM, and Web Services (WS-*). The following list describes these terms.

account partner: A federation partner that is trusted by the Federation Service to provide security tokens. The account partner issues these tokens to its users (that is, users in the account partner realm) so that they can access Web-based applications in the resource partner.

Active Directory Federation Services (ADFS): A Windows Server 2012 R2 component that provides Web SSO technologies to authenticate a user to multiple Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries. ADFS in Windows Server 2012 R2 supports the WS-F PRP.
claim: A statement that an issuer makes (for example, name, identity, key, group, privilege, or capability) about a client.

claim mapping: The act of mapping, removing or filtering, or passing claims between various claim sets.

claims-aware application: An ASP.NET application that performs authorization based on the claims that are present in an ADFS security token, such as SharePoint 2013.

client account partner discovery Web page: The Web page that is used to interact with the user to determine which account partner the user belongs to, when ADFS cannot automatically determine which of the account partners should authenticate the user.

federation: A pair of realms or domains that have established a federation trust.

Federation Service: A security token service that is built into Windows Server 2012 R2. The Federation Service provides tokens in response to requests for security tokens.

Federation Service Proxy: A proxy to the Federation Service in the perimeter network (also known as a DMZ or a screened subnet). The Federation Service Proxy uses WS-F PRP protocols to collect user credential information from browser clients and Web applications and send the information to the Federation Service on their behalf.

passive client: A Hypertext Transfer Protocol (HTTP) browser, capable of broadly supported HTTP, which can make use of cookies. ADFS in Windows Server 2012 R2 supports only passive clients, and it adheres to the WS-F PRP specification.

resource partner: A federation partner that trusts the Federation Service to issue claims-based security tokens. The resource partner contains published Web-based applications that users in the account partner can access.

security token: A cryptographically signed data unit that expresses one or more claims.

security token service (STS): A Web service that issues security tokens. An STS makes assertions based on evidence that it trusts, to whoever trusts it (or to specific recipients). To communicate trust, a service requires proof, such as a signature, to prove knowledge of a security token or set of security tokens. A service can itself generate tokens, or it can rely on a separate STS to issue a security token with its own trust statement. This forms the basis of trust brokering. In ADFS, the Federation Service is an STS.

server farm: In ADFS, a collection of load-balanced federation servers, federation server proxies, or Web servers hosting the ADFS Web Agent.

single sign-on (SSO): An optimization of the authentication sequence to remove the burden of repeated logon actions by an end user.

token-signing certificate: An X.509 certificate whose associated public/private key pair is used to provide integrity for security tokens.

Uniform Resource Identifier (URI): A compact string of characters that identifies an abstract resource or physical resource. In ADFS, URIs are used to uniquely identify partners and account stores.

Web Services (WS-*): The specifications for a Web Services Architecture that is based on industry standards such as Simple Object Access Protocol (SOAP); XML; Web Service Description Language (WSDL); and Universal Description, Discovery, and Integration (UDDI). WS-* provides a foundation for delivering complete, interoperable business solutions for the extended enterprise, including the ability to manage federated identity and security. The Web services model is based on the idea that enterprise systems are written in different languages, with different programming models, which run on and are accessed from many different types of devices. Web services are a means of building distributed systems that can connect and interact with one another easily and efficiently across the Internet, regardless of what language they are written in or what platform they run on.

Web Services Security (WS-Security): A series of specifications that describes how to attach signature and encryption headers to SOAP messages. In addition, WS-Security describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages. In ADFS, WS-Security is used when Kerberos signs security tokens.

WS-Federation: A specification that defines a model and set of messages for brokering trust and the federation of identity and authentication information across different trust realms. The WS-Federation specification identifies two sources of identity and authentication requests across trust realms: active requestors, such as SOAP-enabled applications, and passive requestors, which are defined as HTTP browsers capable of supporting broadly supported HTTP, for example, HTTP 1.1.

WS-Federation Passive Requestor Profile (WS-F PRP): An implementation of the WS-Federation specification that proposes a standard protocol for how passive clients (such as Web browsers) apply the federation framework. Within this protocol, Web service requestors are expected to understand the new security mechanisms and be capable of interacting with Web service providers.

Top Features
• Authenticate only once and use multiple portals, partner sites or resources.
• Improved user productivity.
• Ease of administration.
These and many other features, combined with a reputation for industry-leading technology, will help drive rapid success, increased user adoption and a faster ROI for Imam University. Addvantum Innovative Technologies is proposing a Microsoft Active Directory based Single Sign On solution and associated consulting services to meet Imam University's initial requirements.
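The glossary above describes the pieces that make a claims-based sign-on work (a relying party, claim mapping rules, a security token signed with the token-signing certificate, and the claims-aware application that consumes it), and task 10 of the schedule later in this proposal calls for AD FS auditing. The following PowerShell script is an added example, not code from the proposal, from Addvantum or from Microsoft. It shows how those pieces fit together for a SharePoint 2013 portal: a relying party trust with issuance transform (claim mapping) and authorization rules on the federation server, export of the token-signing certificate, enabling success and failure audits, and the matching trusted identity token issuer on the SharePoint side. The portal URL, realm, AD FS host name, certificate path and trust names are placeholders, not values from the proposal; the cmdlets are those of the AD FS Windows PowerShell module and the SharePoint 2013 snap-in.

```powershell
# Added example (not part of the proposal). Placeholders, not values from the
# proposal: portal https://portal.example.edu, realm urn:sharepoint:portal,
# AD FS host adfs.example.edu, certificate path C:\temp\adfs-token-signing.cer.

# ---------- Run on the federation server (internal network) ----------
function Add-SharePointRelyingParty {
    param(
        [string]$Name     = 'Imam SharePoint 2013 (placeholder)',
        [string]$Realm    = 'urn:sharepoint:portal',            # must equal SharePoint -Realm
        [string]$TrustUrl = 'https://portal.example.edu/_trust/' # SharePoint's WS-Federation endpoint
    )
    Import-Module ADFS   # AD FS 2.0 uses: Add-PSSnapin Microsoft.Adfs.PowerShell

    # Claim mapping (issuance transform rule): look the authenticated Windows
    # account up in Active Directory and issue e-mail and group claims.
    $transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes to claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@

    # Issuance authorization rule: who may receive a token for this relying
    # party. "Permit all" is the starting point; narrow it to a group claim
    # once the portal's intended audience is known.
    $authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

    Add-AdfsRelyingPartyTrust -Name $Name -Identifier $Realm -WSFedEndpoint $TrustUrl `
        -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

    # Export the public half of the primary token-signing certificate. SharePoint
    # uses it to verify the signature on every security token AD FS issues.
    $cert  = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes('C:\temp\adfs-token-signing.cer', $bytes)
}

function Enable-AdfsAuditing {
    # Task 10 of the schedule. Prerequisite set in Local Security Policy:
    # grant the AD FS service account the "Generate security audits" right.
    auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable
    Set-AdfsProperties -LogLevel @('Errors', 'Warnings', 'Information', 'SuccessAudits', 'FailureAudits')
}

# ---------- Run on a SharePoint 2013 server ----------
function Add-AdfsTrustedIdentityProvider {
    param(
        [string]$Realm     = 'urn:sharepoint:portal',
        [string]$SignInUrl = 'https://adfs.example.edu/adfs/ls/',
        [string]$CertPath  = 'C:\temp\adfs-token-signing.cer'
    )
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    # Trust the token-signing certificate exported from the federation server.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    New-SPTrustedRootAuthority -Name 'ADFS token signing (placeholder)' -Certificate $cert | Out-Null

    # Incoming claim types must match exactly what the AD FS transform rule issues.
    $email = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
                 -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
    $role  = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
                 -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

    # The e-mail claim identifies the user; the role claim drives SharePoint authorization.
    New-SPTrustedIdentityTokenIssuer -Name 'ADFS' -Description 'AD FS federation (placeholder)' `
        -Realm $Realm -ImportTrustCertificate $cert -ClaimsMappings $email, $role `
        -SignInUrl $SignInUrl -IdentifierClaim $email.InputClaimType
}
```

The first two functions run on the federation server, which stays on the internal network, with only the Federation Service Proxy in the perimeter network as the glossary describes; the third runs on a SharePoint server. The realm is the value both sides key the trust on, so it must be identical in `Add-AdfsRelyingPartyTrust -Identifier` and `New-SPTrustedIdentityTokenIssuer -Realm`. When the token-signing certificate is renewed, the exported public key must be re-imported as a trusted root authority in SharePoint, otherwise signature verification fails and every federated sign-in breaks.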
Solution architecture
Figure 1: Recommended Architecture (courtesy of Microsoft)

Requirements for Deploying the Active Directory based Federation Services Single Sign On
• Active Directory running on Windows Server 2008, Windows Server 2012, or Windows Server 2012 R2 with a functional level of mixed or native mode
• AD FS 2.x deployed on a separate Windows Server 2008/R2 or Windows Server 2012
• AD FS 2.x Proxy deployed, as users are connecting from outside the company's network
• Windows Azure Active Directory Module for Windows PowerShell to establish a trust
• Required updates installed
• A unique third-party certificate when installing and configuring federation servers and federation server proxies

The Architecture components
• Windows Server 2008/2008 R2 or Windows Server 2012
• PowerShell
• Web Server (IIS)
• .NET 3.5 SP1
• Windows Identity Foundation
• Publicly registered domain name
• SSL trusted public certificates
• High-availability design

End users at the primary site can connect directly from the intranet to the SharePoint web front end server, while remote site users connect over the Internet (HTTP/HTTPS) through the user-friendly web-based interface.

A brief description of each component:
SharePoint 2013: Document management and archiving; in-context Web site contribution, preview, updates and approvals; library services, including full-text search, check-in or check-out, and version control; native content conversion to Web-viewable formats, including HTML, XML and PDF; full digital asset and records management features included.
ADFS 2.0 Server, DC1 (co-hosted with the domain controller; required server): Microsoft Active Directory Federation Services component based on MS ADFS V2.0; profile and user synchronization.
IIS: Microsoft Internet Information Server V7.0.
SSL Certificate: Used by the IP-STS and RP-STS, and the "glue" for establishing trust between these token services.
Identity server configuration: Making the SharePoint based server identity-aware using federation services.
SSO web verification: Configuration and single sign on web-based verification.
DNS configuration: Configure DNS for external users' access.
Group Policy: Configuration of Group Policy for Active Directory users.
Synchronization Manager: Monitor synchronization after deploying synchronization.
Network configuration: Placing the ADFS server in the DMZ and allowing access by enhancing firewall and network access related configurations.
Load balancing: Optimization of load balancing devices for external and internal access management.

General Architecture Notes
By using the recommended architecture, Imam University has the advantage of starting deployment with fewer servers. If Imam University discovers, as the user population grows over time, that the initial servers are becoming saturated, it can simply add more nodes to the configuration (horizontal scalability).

Solution Authorization Architecture
This custom SharePoint 2013 solution for Imam University has a three-tier architecture. After the successful deployment of the single sign on solution for the SharePoint portal, both on-premises (local intranet) users and online users will experience the same single sign on capability without the redundancy of a separate login for each portal. The installation and configuration of the client consists of logging in with an appropriate name and password and dynamically executing the browser-based authentication. Specific configuration information for the client is stored in the other tiers (the STS and a SharePoint based store), not on the desktop or in the web browser.

Benefits of using the proposed solution
• Web single sign on (SSO): AD FS provides Web SSO to federated partners outside your organization, which enables their users to have an SSO experience when they access your organization's Web-based applications.
• Web Services (WS-*) interoperability: AD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS follows the WS-Federation specification (for passive clients, that is, browsers), which makes it possible for environments that do not use the Windows identity model to federate with Windows environments.
• External user account management not required: The federated partner's Identity Provider (IP) sends claims that reflect its users' identity, groups, and attribute data. Therefore, your organization no longer needs to revoke, change, or reset the credentials for the partner's users, since the credentials are managed by the partner organization. Additionally, if a partnership needs to be terminated, this can be done with a single trust policy change. Without AD FS, individual accounts for each partner user would need to be deactivated.
• Claim mapping: Claims are defined in terms that each partner understands and are mapped appropriately in the AD FS trust policy for exchange between federation partners.
• Centralized federated partner management: All federated partner management is performed using the AD FS Microsoft Management Console (MMC) snap-in.
• Extensible architecture: AD FS provides an extensible architecture for claim augmentation, for example, adding or modifying claims using custom business logic during claims processing. Organizations can use this extensibility to modify AD FS to finely support their business policies.

SharePoint 2013 task schedule for SSO implementation
Each entry gives the deployment task, its description and its duration.
1. System analysis and analysis phase. Prepare for implementing SSO. 5 days
2. Review the Imam University infrastructure requirements for deploying AD FS. Review the requirements for the Imam University infrastructure for deploying AD FS. 2 days
3. Planning and installation of the AD FS server. Plan your AD FS deployment. 5 days
4. Prepare your network infrastructure for federation servers. 5 days
5. Deploy your federation server farm. Depending on the version of AD FS that you want to use, complete the tasks in either of these checklists: Checklist: Deploy your federation server farm on Windows Server 2012 R2, or Checklist: Deploy your federation server farm on legacy versions of Windows Server. 4 days
6. Prepare your network infrastructure for configuring extranet access. 2 days
7. Configure extranet access. Depending on the version of AD FS that you want to use, complete the tasks outlined in either the following topic or checklist: Configure extranet access for AD FS on Windows Server 2012 R2, or Checklist: Configure extranet access for AD FS on legacy versions of Windows Server. 2 days
8. Install Windows PowerShell for SSO with AD FS. Install Windows PowerShell for single sign-on with AD FS. 1 day
9. Set up a trust between AD FS and Windows AD. 5 days
10. Enable auditing for AD FS. Enabling auditing for AD FS might be beneficial in situations in which you place a high value on the security of your identity deployment and prefer to monitor it closely for suspicious or unintended activity. The process of enabling auditing for AD FS requires changes that you make using the Local Security Policy snap-in for your federation server, as well as changes in the service properties that you set using the AD FS Management console. For more information, see the "Configure Auditing for AD FS 2.0" section in
11. Set up Active Directory synchronization. Directory synchronization roadmap.
12. Verify and manage your SSO implementation with AD FS.
Verify and manage single sign-on with AD FS. Durations for tasks 10, 11 and 12: 2 days, 2 days and 3 days respectively.

Note: The tasks listed and the timelines mentioned do not include any time required for network and infrastructure related changes such as firewall and load balancer changes, or for acquiring and deploying the SSL certificate required for single sign on web portal authentication. It must also be kept in mind that the domain-level setup changes will be managed and updated by Imam University. While the whole process of solution deployment and configuration will be carried out on the current environment, further time will be required for moving the setup to the new production environment.

About Addvantum
Addvantum Innovative Technologies is a technology partner of choice for global organizations looking to strategically transform, grow, and lead in today's challenging business environment. Headquartered in the UAE, Addvantum is a global provider of IT Consulting, Business Process Outsourcing, Business Technology Services, Enterprise Application Services, Software Testing, Product Engineering, Engineering Design and Product Support. Addvantum mainly focuses on the EMEA and ASEAN regions and maintains offices in the USA, UK, Riyadh, Al-Khobar, Bahrain, Lahore, Islamabad and Karachi. Addvantum stands ready to assist your enterprise with the most up-to-date IT solutions and consulting services. Addvantum matches the most advanced global IT expertise to today's challenging information technology projects. Addvantum is a global IT consulting and IT services company specializing in providing your organization with true integration of enterprise applications and middleware solutions. The world of business is increasingly shaped by globalization, creating pressure to constantly adapt and change. These pressures can be mitigated by the creation of efficient IT platforms that possess the flexibility to meet the ever-changing requirements of today's business environment.
Addvantum continues to expand its focus on providing best-in-class unconventional workflows to a global community through new international onshore and offshore centers, business partnerships and acquisitions in areas of strategic interest. Backed by unmatched technical expertise and insights through global delivery centers, we have maintained the highest levels of compliance and quality that keep pace with changing times and technologies. Our global partners' knowledge investments are backed by years of R&D and have led to the creation of labs and 'Centers of Excellence' that have produced innovative solutions. Addvantum has set up Centers of Excellence in partnership with Oracle Corporation in Riyadh, Dubai and Lahore. The Centers of Excellence focus on providing innovative solutions to the education sector globally. Addvantum's client list includes major global enterprises from various industry verticals. Addvantum has traditionally focused on the education, telecom & media, banking, energy, manufacturing and retail/distribution sectors. Our core expertise lies in middleware and higher education solutions. Our middleware practice includes core technologies (virtualization, security, server consolidation and high availability solutions) and Fusion Middleware (SOA, IDAM, BPM, BI, content management and WebCenter Portal). Higher education solutions include PeopleSoft Campus Solutions and PeopleSoft HRMS & Financials. Addvantum also focuses on providing Oracle ERP applications and is growing exponentially in the MEA and ASEAN regions. Addvantum provides domain experts and strong technology implementation teams in PeopleSoft Campus Solutions, PeopleSoft HRMS & Financials, Oracle ERP applications and middleware solutions who deliver breakthrough performance for our customers. With over 1,000 employees worldwide, we have the ability to deliver complex solutions for large enterprises.
A key factor in our success is the set of practice-specific methodologies developed by Addvantum, which have been optimized for delivering solutions on key platforms. Leveraging these, Addvantum is able to deliver fixed-price implementations for our largest projects.

Company Details
Addvantum Innovative Technologies Pvt. Ltd.
Global offices: Saudi Arabia Office, Dubai Office, Lahore Office, Doha Office, U.S. Office.
Dubai Office: Office # G 01-02, Building # 11, Dubai Internet City, Dubai, UAE. (T) +971 4448 3026 (F) +971 4449 6085
Lahore Office: 4th Floor, 4th Office, Arfa Software Technology Park, Ferozepur Road, Lahore, Pakistan. (T) +92 423 597 2005 (F) +92 423 5972006
Doha Office: Level 14, Commercial Bank Plaza, West Bay, Doha, Qatar, P.O. Box 27111. (T) +974 4 452 8165 (F) +974 4 452 8165
U.S. Office: Suite 4925, 300 North Lasalle Street, Chicago, IL 60654, USA. (T) +1 312 803 0363 (F) +1 312 803 0363
Website: www.addvantum.com
Email: sales@addvantum.com, aon.rana@ddvantum.com, noman.mazoor@addvantum.com

Relevant Experience - Oracle Fusion Middleware

Royal Saudi Air Force:
Background: The Royal Saudi Air Force is the aviation branch of the Saudi Arabian armed forces. The RSAF has developed from a largely defensive military force into one with an advanced offensive capability. The RSAF maintains the third largest fleet of F-15s after the USAF and the JASDF, with a user base of 5000+. The client was undergoing a transformation towards a more secure and centralized model to manage the various applications running there. RSAF was looking for a solution for de-provisioning users from 8 different bases using an IDM solution, and to provide thousands of its employees, staff members and a few external stakeholders with direct, online access to information within the air force.
Solution: There were 11 different applications running there that needed to be integrated.
Addvantum suggested the Oracle IDM solution for the client, which included: IDM software components, Oracle Internet Directory, Oracle Identity Manager, IDM Management Pack, Access Manager, Adaptive Access Manager, Oracle Database, ESSO and a Web server (Oracle HTTP Server). Addvantum implemented IDM on all 8 bases along with a disaster recovery site for HQ.
Outcomes: The solution helped realize the vision of a more secure and centralized approach to sharing information between different applications and client staff members. Oracle Identity Manager (OIM) enabled the right employees to gain access to the right information at the right time for the right purpose, while ensuring and enhancing the security and confidentiality of the RSAF.

Applications integrated at RSAF:
1. MS Exchange
2. SharePoint Portal
3. BMC Remedy Business Service Management
4. EMC Documentum
5. ASG Safari Business Intelligence System
6. AQD Quality and Safety Management System
7. Servisgistics SPM
8. Gold system
9. Morasalat
10. Oracle E-Business Suite
11. Active Directory (AD)

University of Dammam:
Background: Established in 1975, the University of Dammam (UoD) is one of the largest and oldest universities in Saudi Arabia. The university consists of 24 colleges, 123 departments, 1,414 faculty members and 24,950 students. In addition to a higher education solution, the university was looking for a solution to integrate all its existing applications, such as the learning management system (Blackboard LMS), the Symphony library management system, and Active Directory.
Solution: Addvantum implemented Oracle WebCenter Suite, consisting of a content management system and a complete portal, at the University of Dammam. For all integrations we suggested Single Sign-On using Oracle Identity Manager, which took care of all security concerns as well. In addition, a custom integrated mobile application was also developed for the students and faculty of UoD.
Outcomes: The solution enabled all system users (16,000 concurrent users during admissions, out of a total of 60,000-70,000 users) to access the applications in a secure and convenient manner, with multiple ways to access information. The information is accurate and reliable, serving the needs of management, faculty, students and even their parents.

The General Organization for Social Insurance (GOSI)
Background: The General Organization for Social Insurance (GOSI) administers the Kingdom's national insurance scheme. GOSI pays allowances and makes compensation payments to individuals and families within the scheme. GOSI was looking to replace its Sun directory services solution and migrate to Oracle Internet Directory. Having in excess of 500,000 users was causing repeated issues, and the existing solution was not able to manage the user load and change requests. With Oracle's solution, we were able to swiftly migrate 500,000 users into Oracle Internet Directory and integrate it with their critical applications.
Solution
• Implementation of OID in a clustered environment
• Migration of users to OID
• Migration of objects from Sun ONE to OID
• Integration with one application, "SIMS"
• Testing of OID in the pre-production environment
• Read/write on the directory server (LDAP)
Outcomes
User provisioning and de-provisioning times were reduced significantly and considerable performance improvements were achieved.

National Manufacturing and Gas Company (GASCO):
Background: National Manufacturing and Gas Company (GASCO) serves consumers by providing LPG at the highest efficiency levels, with a commitment to protecting and developing the local environment. It transports, fills and markets LPG (butane and/or propane).
GASCO had a host of IT applications in the following areas of technology: an ERP system based on Oracle E-Business Suite, a CRM system based on Oracle Siebel CRM, a SOA architecture to be composed of Oracle Fusion Middleware, and a few third-party applications (Motabi, Avaya, and others). GASCO was looking for a middleware solution to integrate its various IT applications across the board for its 10,000+ users.
Solution
Addvantum suggested and implemented a host of Oracle middleware applications including WebLogic Suite, SOA Suite, Oracle Applications Adapter, SOA Management Pack, WebLogic Management Pack and Oracle Enterprise Gateway. The SOA layer was composed of two main parts: the Enterprise Service Bus layer and a Service Consumers layer on one side, and a Service Providers layer on the other. Each service in the ESB layer was architected and implemented with its own tools and components to achieve the intended business and functional objectives. With the fulfilment of these requirements, the applications (Service Consumers and Service Providers) became able to exchange data and information in a transparent manner.
Outcomes
Oracle SOA Suite's hot-pluggable architecture helped GASCO lower upfront costs by allowing maximum re-use of existing IT investments and assets, regardless of the environment (OS, application server, etc.) they run in or the technology they were built upon. Its easy-to-use, re-use focused, unified application development tooling and end-to-end lifecycle management support further reduced development and maintenance cost and complexity.

Samba Bank:
Background: Samba Financial Group was formed to take over the then existing branches of Citibank, N.A. in Jeddah and Riyadh. Samba was formed in accordance with a program adopted by the Kingdom in the mid-1970s, under which all foreign banks were required to sell majority equity interests to Saudi nationals.
Samba Bank required a middleware solution to integrate its various applications, especially in the post-T24 implementation scenario. It has over 2,500 users. For this purpose, Samba Bank invited various vendors to demonstrate their products.
Solution: Oracle Saudi Arabia brought its implementation partner, Addvantum, on board, based on its experience in implementing Oracle applications and technologies for a large number of customers, especially Oracle Fusion Middleware and Oracle Applications implementations. Addvantum suggested the implementation of an Enterprise Service Bus (ESB). An ESB is a piece of software that connects multiple applications together by reusing application-to-application interfaces, covering a wide variety of disparate protocols and transport mechanisms. An ESB also has the ability to transform messages on the fly and to perform message routing between multiple applications based on the contents of the message.
Outcomes: A good number of messages and integrations have been accommodated as per Samba's requirements. The implementation integrated multiple applications and heterogeneous messages relatively quickly, and with a reasonably low engagement of development resources. It successfully provided the client with an integration middleware platform between the existing and future systems.
Applications integrated at Samba Bank

Financial Proposal
Addvantum will charge around SAR 144,956/- for the two-month project. This is exclusive of all taxes.