EASYVISTA Extending SSO Security Exchanges With EasyVista
Security of SSO exchanges
Last update: January 26th, 2012
03/04/2012
Summary
A. Presentation (p. 3)
B. Prerequisites (p. 4)
C.
D.
D.2. Configuration with a PHP SSO relay on the EasyVista webserver (p. 7)
D.2.1. Presentation (p. 7)
D.2.2. Installation (p. 8)
D.2.3. Configuration (p. 8)
E.
A. Presentation
A.1. Goal
Authentication based on federation service providers natively relies on secured exchanges
(SAML, client certificates, etc.) and thus provides a high level of security which guarantees that it is not
possible to either:
Pseudo SSO solutions (such as an IIS relay, an HTTP transfer from a portal, etc.) do not provide this level of
security. They should not be considered secure SSO solutions, and our advice is that they should
not be used.
Despite this, many customers who do not already provide authentication based on fully secure
federation services implement pseudo SSO solutions because of their low implementation cost.
Even though providing a fully secure SSO system is not part of the EasyVista perimeter, we have developed
a security service, included free of charge, whose goal is to encrypt the login sent from IIS-relay-like
solutions to the EasyVista platform.
B. Prerequisites
This feature is available starting with EasyVista fix version 2010.1.1.89.
C.5. Troubleshooting
C.5.1. Log files
The EasyVista security extension service generates log files that you can use to:
Check the encryption and decryption requests processed, with or without errors
Value
Put here the URL used to access the web service published by the EasyVista Security
Extended service.
The URL must include the port 34563 (or the port you have configured for the service if you
changed the default 34563 port).
Ex: http://XXX.XXX.XXX:34563/wsdl
Ex: http://XXX.XXX.XXX:34563/wsdl/ISmoExtendedInterface
Value
Put here a unique identifier, using only alphabetical and numeric characters, that
will uniquely describe the security group on
Ex: PUT-HERE-YOUR-UNIQUE-ID
Ex: PUT-HERE-YOUR-KEY
Remarks: other parameters should not be changed unless technical support asks you to do
so.
Once the new security group is created, restart the SMOExtended service.
Value
Ex: PUT-HERE-YOUR-EASYVISTA-WEBSERVER
1. Encrypt the user ID through a call to the EasyVista Security Extended service.
2. Send the information through the standard HTTP SSO compliant with EasyVista.
This process guarantees that the whole HTTP/HTTPS exchange respects the target level of security.
The exchange workflow is:
D.2.2. Installation
Starting with EasyVista 2012, the pages are already installed by default with EasyVista in the www
and www/sspi folders.
If you want to install the EasyVista Security Extended service with version 2010, you must first apply
the latest fix, which includes the latest sspi pages.
D.2.3. Configuration
Open the www/sspi/sspi_setting.php file and change the following parameters:
Parameter: $URL
Value: Put here the URL used to access the EasyVista web site to which the SSO is redirected
(keep the /index.php?url_account= part in the URL).
Ex: https://easyvista.mycompany.com/index.php?url_account=
Parameter: $id
Value: Put here the GROUP SECURITY KEY you created during STEP 2.
Parameter: $str_wsdl
Value: Put here the URL that the EasyVista web server will use to access the
wsdl ISmoExtendedInterface service published by the EasyVista Extended Security service.
Keep in mind that this is the URL used to reach the application server from
the web server. It cannot be a localhost-like URL.
Ex: http://XXX.XXX.XXX:34563/wsdl/ISmoExtendedInterface
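The relay described in D.2.1, as an added example that is not part of EasyVista's own sspi pages: it reads the three sspi_setting.php parameters, checks them against the constraints stated above (https redirect keeping url_account=, no localhost-like WSDL URL), asks the Extended Security web service to encrypt the login and redirects to the EasyVista SSO URL. The SOAP operation name Encrypt, its argument names, and the stripping of a Windows domain prefix are assumptions; take the real operation from the WSDL of your installation.

```php
<?php
// Added example, not EasyVista's own code: minimal PHP SSO relay for the D.2 workflow.
// Assumes the IIS front end has already authenticated the user (REMOTE_USER is set).
$URL      = 'https://easyvista.mycompany.com/index.php?url_account=';
$id       = 'PUT-HERE-YOUR-UNIQUE-ID';  // GROUP SECURITY KEY created during STEP 2
$str_wsdl = 'http://XXX.XXX.XXX:34563/wsdl/ISmoExtendedInterface';

// Enforce the constraints the configuration table states: the WSDL is resolved
// from the web server, so it must not be localhost; the redirect must be https
// and keep the url_account= parameter EasyVista expects.
function check_settings(string $url, string $wsdl): void
{
    $host = strtolower((string) parse_url($wsdl, PHP_URL_HOST));
    if ($host === '' || in_array($host, ['localhost', '127.0.0.1', '::1'], true)) {
        throw new RuntimeException('$str_wsdl must not be a localhost-like URL');
    }
    if (parse_url($url, PHP_URL_SCHEME) !== 'https' || substr($url, -12) !== 'url_account=') {
        throw new RuntimeException('$URL must use https and end with /index.php?url_account=');
    }
}

// Reduce "DOMAIN\jsmith" to "jsmith" (assumption: EasyVista logins carry no domain)
// and reject anything that is not a plain account name before it leaves the relay.
function relay_login(string $remote_user): string
{
    $pos   = strrpos($remote_user, '\\');
    $login = $pos === false ? $remote_user : substr($remote_user, $pos + 1);
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $login)) {
        throw new RuntimeException('unexpected login format');
    }
    return $login;
}

check_settings($URL, $str_wsdl);
$login = relay_login($_SERVER['REMOTE_USER'] ?? '');

// Step 1: encrypt the login through the Extended Security web service.
// 'Encrypt' and its argument names are HYPOTHETICAL; use the operation from the WSDL.
$client = new SoapClient($str_wsdl, ['exceptions' => true, 'connection_timeout' => 5]);
try {
    $encrypted = (string) $client->Encrypt(['id' => $id, 'login' => $login]);
} catch (SoapFault $e) {
    error_log('SSO relay: encryption service failed: ' . $e->getMessage());
    http_response_code(502);
    exit;
}

// Step 2: hand the encrypted value to EasyVista's standard HTTP SSO entry point.
header('Location: ' . $URL . rawurlencode($encrypted), true, 302);
exit;
```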
D.3. Troubleshooting
Use HTTPWATCH to capture the HTTP exchanges and check that they are consistent with what is expected.
If they are not present, run the following script to add them:
-- Parameter 1: URL of the web service in charge of the encryption
IF NOT EXISTS (SELECT PARAMETER_GUID FROM [AM_PARAMETER] WHERE PARAMETER_GUID = '{CF69F417-5AE6-4386-B95D-D628F7744684}')
INSERT INTO [AM_PARAMETER]
(PARAMETER_GUID, PARAMETER_EN, PARAMETER_FR, PARAMETER_GE, PARAMETER_SP, PARAMETER_IT, PARAMETER_PO, PARAMETER_TYPE, PARAMETER_VALUE)
VALUES
('{CF69F417-5AE6-4386-B95D-D628F7744684}',
'{ADMIN} SSO : Url of the WebService encryption support',
'{ADMIN} SSO : Url du WebService en charge du cryptage',
'[{ADMIN} SSO : Url of the WebService encryption support]',
'[{ADMIN} SSO : Url of the WebService encryption support]',
'[{ADMIN} SSO : Url of the WebService encryption support]',
'[{ADMIN} SSO : Url of the WebService encryption support]',
'STRING', '')
-- Parameter 2: ID of the encryption (security group) used
IF NOT EXISTS (SELECT PARAMETER_GUID FROM [AM_PARAMETER] WHERE PARAMETER_GUID = '{C3DAD878-236B-4AFB-9F91-8B82E41A89F8}')
INSERT INTO [AM_PARAMETER]
(PARAMETER_GUID, PARAMETER_EN, PARAMETER_FR, PARAMETER_GE, PARAMETER_SP, PARAMETER_IT, PARAMETER_PO, PARAMETER_TYPE, PARAMETER_VALUE)
VALUES
('{C3DAD878-236B-4AFB-9F91-8B82E41A89F8}',
'{ADMIN} SSO : ID of the encryption used',
'{ADMIN} SSO : ID de l''encryptage utilisé',
'[{ADMIN} SSO : ID of the encryption used]',
'[{ADMIN} SSO : ID of the encryption used]',
'[{ADMIN} SSO : ID of the encryption used]',
'[{ADMIN} SSO : ID of the encryption used]',
'STRING', '')
Value
Put here the URL that the EasyVista web server will use to
access the wsdl ISmoExtendedInterface service
published by the EasyVista Extended Security service.
Keep in mind that this is the URL to access the application