Enterprise-Grade Single Sign-On For Pivotal Cloud Foundry Applications

November 5, 2015 Sree Tummidi

We are pleased to announce the general availability of the Pivotal Single Sign-On service for Pivotal Cloud Foundry® (PCF). This service allows applications running on PCF to integrate with enterprise identity providers for authentication and SSO with extraordinary simplicity.

Development and operations teams are familiar with single sign-on (SSO) services, which help address security and compliance requirements while allowing companies, partners, and customers to seamlessly access applications.

Traditionally, enterprise applications have been secured using agent-based web access management solutions. These systems place an agent alongside the application; the agent intercepts web traffic and, based on the configured policy, redirects users to a centralized authentication server. This adds to the complexity of deployment, configuration and maintenance, and it does not carry over to a cloud platform, where application instances are created, scaled and destroyed continuously and cannot each carry a hand-configured agent.

These traditional approaches to security are giving way to open standards such as OAuth 2.0, OpenID Connect, and SCIM, which are better suited to cloud-native applications. These standards began in the consumer space but are quickly becoming the norm in the enterprise as well.

The Single Sign-On Service on PCF offers a turnkey solution that enables strong application security while easing the user experience. This release is based on the OAuth 2.0, OpenID Connect, and SAML 2.0 standards. Our objective is to offer developers a simplified experience while making it easy for operators to deploy, configure and maintain the service. The service has been certified with industry-leading federated identity providers such as Ping Identity, CA SSO (formerly CA SiteMinder), Azure ADFS, ForgeRock OpenAM, VMware Identity Management, and Okta; other standards-compliant identity providers take little effort to integrate and validate.

Key Features Included In This Release:

  • Integrate applications with SAML 2.0 based enterprise identity providers
  • Secure all types of applications (web, mobile, and native), as well as APIs both on and off the platform
  • Single sign-on between applications on the platform
  • Secure Java applications with a single click via the SSO Service Connector
  • Multi-tenant single sign-on service that allows for segregation of applications and identities based on the unique needs of the organization
  • Easy-to-use self service administration, user interface for tenant management, and on-boarding Identity Providers for SSO
  • Role based access control for Service Administrators & Application Developers
  • Self service interface for registering applications and associating identity providers for SSO
  • OAuth 2.0 Authorization Server with support for all four OAuth 2.0 grant types (authorization code, implicit, resource owner password credentials, and client credentials)
  • Zero downtime upgrades with blue green deployment model
  • Certified with industry-leading federated identity providers including CA SiteMinder, Ping Identity, OpenAM, VMware Identity Management, Okta, and more

The Pivotal Single Sign-On Service for PCF gives cloud application developers a simpler and more effective authentication process, while making it easy for operators to deploy, configure, and maintain enterprise-grade security using the service.

Learn More:

Video Transcript: CA SiteMinder Identity Provider On-Boarding

Hello Everyone.

In this session I will be covering the configuration of SiteMinder as an Identity Provider for Single Sign-On of applications running on PCF.

At a high level, configuration of SSO using SAML 2.0 involves exchanging metadata between the Service Provider and Identity Provider to establish trust.

We begin the process by launching the Single Sign-On Dashboard at p-identity.system-domain. Please note that you need to be logged in as an Administrator to on-board Identity Providers.

For the Single Sign-On Service plan that you have configured, expand the menu options and select Manage User Stores.

Click on Download Service Provider Metadata to download the SAML Service Provider Metadata for the given SSO Plan. The metadata varies from plan to plan as the authentication domain is unique.

Now navigate to the SiteMinder Administrative Console and expand the Federation menu options. Click on the Entities option and import the SAML Service Provider Metadata just downloaded.

Importing the metadata creates the remote service provider entity object as seen here. All of the information is pre-filled from the SAML service provider metadata xml.

The next step is to create the local Identity Provider entity object in SiteMinder. Please make sure that the NameID format is set as email address.

Now we are ready to set up the federation partnership. This involves selecting the Local Identity Provider entity and Remote Service Provider entity just created.

Select one or more user directories for authentication. You may choose to set up advanced authorization filters to limit the users who are allowed to single sign-on.

Select the NameID format as email address and the value as the user’s email.

Set the authentication URL based on the authentication scheme of your choice. You may choose to enable an advanced authentication scheme.

The HTTP binding needs to be set to POST.

Save and Activate the partnership.

Now we are ready to export the metadata for the partnership.

Navigate back to the Pivotal Single Sign-On dashboard and click on New User Store to upload the exported metadata from SiteMinder. Saving the form creates the CA SiteMinder Identity Provider connection. This connection can then be selected by application developers to enable SSO via SiteMinder.

This concludes the demonstration for On-boarding SiteMinder as an Identity provider for the Pivotal Single Sign-On Service.

We begin the process by downloading the SAML Service Provider Metadata for the given Single Sign-On Service Plan. The link to download the Service Provider Metadata is available under the Single Sign-On Plan Dashboard.

I am launching the Plan Dashboard and logging in as an Administrator. Clicking on the Metadata button downloads the Service Provider metadata.

Now I am switching to the CA SiteMinder Administrative Console. Now we are ready to create the remote Service Provider entity by uploading the Service Provider Metadata XML that we just downloaded. This creates the remote entity as seen here.

The next step is to create the Local Identity Provider.

Once the SP and IDP entities are created, it’s time to set-up the SAML partnership.

As part of the partnership creation we select the IDP and SP entities, select the directory for authentication and Single Sign-On.

The NameID format supported is email. We select that and map the value of the user's email.

The SAML binding is POST and the same needs to be selected here.

Finally we save and activate the partnership.

Next, we download the metadata for the Partnership.

We are going to create the SiteMinder SSO IDP from the Single Sign-On service dashboard. This is an admin only action.

The SiteMinder Identity Provider is now created and can be used for application SSO.

This concludes the demo for CA SiteMinder Identity provider set up for the Single Sign-On Service. Thank you for watching.
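Both walkthroughs above come down to the same three settings on the SiteMinder side before the exported metadata is uploaded as a new user store: the NameID format must be email address, the single sign-on binding must be HTTP-POST, and the partnership must publish a signing certificate the service can verify assertions against. The following is an added example for this page, not code from the Pivotal SSO service or from CA; it reads an exported IdP metadata document and reports which of those settings is missing. The two metadata documents embedded in it are constructed (the hostnames and the certificate body are placeholders), and the function name `check_idp_metadata` is this example's own.

```python
"""Pre-flight check of SAML 2.0 IdP metadata before it is uploaded as a new
user store.  Added example for this page, not part of the Pivotal SSO service
or CA SiteMinder; the sample metadata documents below are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the metadata carries
    what the service expects (email NameID, HTTP-POST endpoint, signing cert)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]

    # NameID: the service maps the assertion subject to the user's email.
    formats = [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text]
    if EMAIL_NAMEID not in formats:
        problems.append("NameIDFormat emailAddress not advertised, found %s" % formats)

    # Binding: the AuthnRequest goes over HTTP-POST, so the IdP must publish
    # an https endpoint for that binding.
    post_endpoints = [e for e in idp.findall("md:SingleSignOnService", NS)
                      if e.get("Binding") == POST_BINDING]
    if not post_endpoints:
        problems.append("no SingleSignOnService with HTTP-POST binding")
    elif not all(e.get("Location", "").startswith("https://") for e in post_endpoints):
        problems.append("HTTP-POST SingleSignOnService Location is not https")

    # Signing key: without it the service cannot verify assertion signatures.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text and cert.text.strip():
            certs.append(cert.text.strip())
    if not certs:
        problems.append("no signing certificate in a KeyDescriptor")
    return problems


# Constructed sample: what a correctly configured partnership export looks like.
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://siteminder.example.com/affwebservices/public/saml2sso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC0DCCAbigAwIBAgIBATANBgkqhkiG9w0BAQsFADAT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://siteminder.example.com/affwebservices/public/saml2sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://siteminder.example.com/affwebservices/public/saml2sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: NameID left as "unspecified" and only a Redirect endpoint.
BAD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://siteminder.example.com/affwebservices/public/saml2sso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC0DCCAbigAwIBAgIBATANBgkqhkiG9w0BAQsFADAT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://siteminder.example.com/affwebservices/public/saml2sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for name, doc in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        print(name, check_idp_metadata(doc) or "ok")
```

The metadata here comes from the operator's own IdP console, so the standard library parser is adequate; if the same check is ever run on metadata fetched from an untrusted source, parse it with `defusedxml` instead. The check only confirms that a signing certificate is present; whether it is the certificate the IdP actually signs with is established when the first login is tested against the new user store.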

Video Transcript: Enable SiteMinder Single Sign-On for Java apps with a single click

In today’s session I will be providing a demonstration of enabling applications for Single Sign-On with SiteMinder using a single button click.

As part of the Pivotal Single Sign-On service we provide a sample application to help guide application developers through the integration process.

The integration interface between the applications and the Pivotal Single Sign-On service is OAuth. Spring Security and Spring Boot make it very easy for applications to be made OAuth-aware with a bare minimum of coding effort. The samples here are Spring Boot applications and use the SSO service connector for auto-configuration.

For the purposes of this demo I have pushed two sample web applications to demonstrate the Single Sign-On capability.

We see that in order to secure the applications, they need to be bound to the SSO Service Instance.

We will now go back and bind both the applications to the SSO Service Instance. Once bound, the required SSO credentials, which are essentially the OAuth client configuration, are generated. Restarting the application auto-configures it for single sign-on.

Now when we launch the Single Sign-On management dashboard we notice that both the Applications are registered. Under each application, we will switch the default authentication policy from Internal User Store to CA SiteMinder and repeat the same process for the second application.

Let’s launch the first application. I am being redirected to CA SiteMinder for authentication. After authentication, I am being shown a consent window, [asking] whether I want to share my enterprise profile with this app. You can choose to disable this consent as part of the Application Auto-Approve configuration. Now we are authenticated and the authentication token has been made available to the application. The token represents the proof of authentication. The origin in the token is set to SiteMinder, as seen here.

Now we launch the second application. We are directly being taken to the consent window because I have already authenticated against the Identity Provider.

This concludes the demonstration for Application Single Sign-On with Single Sign-On Service on PCF and SiteMinder. Thank you for watching.
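The demo above bundles three things the connector does on the application's behalf: it reads the OAuth client configuration that binding the SSO service instance put into the app's environment, it drives the authorization-code redirect to the service, and it accepts a token whose origin names the identity provider that actually authenticated the user. The following is an added example for this page, written in Python rather than Spring so it runs stand-alone; it is not the SSO service connector's code. The binding field names (`auth_domain`, `client_id`, `client_secret`), the `/oauth/authorize` and `/oauth/token` paths, the issuer claim format and every sample value are assumptions or constructed data. It also shows the failure mode the two-application demo implies: with each app holding its own client identity, a token issued to the first application must be rejected by the second.

```python
"""Consume a Single Sign-On service binding and check the token an application
receives.  Added example for this page; it is not the SSO service connector's
own code.  Binding field names, endpoint paths, issuer format and all sample
values are assumptions / constructed data."""
import base64
import json
import time
from urllib.parse import urlencode


def load_sso_binding(vcap_services_json, service_label="p-identity"):
    """Return the OAuth client configuration from a VCAP_SERVICES document.

    Exactly one binding is expected: a second one would give the app a second
    client identity and make the audience check below ambiguous."""
    services = json.loads(vcap_services_json)
    bindings = services.get(service_label, [])
    if len(bindings) != 1:
        raise ValueError("expected one %s binding, found %d"
                         % (service_label, len(bindings)))
    creds = bindings[0]["credentials"]
    return {key: creds[key] for key in ("auth_domain", "client_id", "client_secret")}


def authorization_url(binding, redirect_uri, state, scope="openid"):
    """Build the authorization-code request the app redirects the browser to.
    'state' must be unguessable and tied to the user's session so that the
    callback can be matched against it (CSRF protection on the redirect)."""
    params = {
        "response_type": "code",
        "client_id": binding["client_id"],
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return binding["auth_domain"].rstrip("/") + "/oauth/authorize?" + urlencode(params)


def token_request(binding, code, redirect_uri):
    """Parameters of the back-channel code exchange: the client secret travels
    in HTTP Basic auth on a server-to-server call, never through the browser."""
    basic = base64.b64encode(
        ("%s:%s" % (binding["client_id"], binding["client_secret"])).encode()).decode()
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    return binding["auth_domain"].rstrip("/") + "/oauth/token", headers, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def check_token_claims(token, binding, expected_origin, now=None):
    """Decode a JWT and return (claims, problems) for the checks this client
    must make.  Assumes the JWS signature has ALREADY been verified against
    the issuer's published signing key; claims in an unverified token prove
    nothing, and the connector does that verification before this point."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {}, ["not a JWS compact serialization"]
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    issuer = binding["auth_domain"].rstrip("/") + "/oauth/token"   # assumed format
    if claims.get("iss") != issuer:
        problems.append("unexpected issuer %r" % claims.get("iss"))
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if binding["client_id"] not in aud:      # token minted for the other app
        problems.append("token was issued to another client: %r" % aud)
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("origin") != expected_origin:   # policy: SiteMinder only
        problems.append("origin %r is not the required identity provider"
                        % claims.get("origin"))
    return claims, problems


def make_test_token(claims):
    """Constructed token for this example only: real tokens carry an RS256
    signature, this one has a placeholder third segment."""
    return (_b64url_encode({"alg": "RS256", "typ": "JWT"}) + "."
            + _b64url_encode(claims) + ".placeholder")


# Constructed VCAP_SERVICES, shaped like a binding to a service instance.
VCAP_SERVICES_SAMPLE = json.dumps({"p-identity": [{
    "name": "sso-demo", "label": "p-identity",
    "credentials": {"auth_domain": "https://demo-plan.login.system.example.com",
                    "client_id": "app-one-client-id",
                    "client_secret": "app-one-client-secret"}}]})
```

Switching an application's authentication policy to CA SiteMinder in the dashboard, as the demo does, is enforced by the service; the `origin` check here is the application-side belt and braces for the same policy, and is what you would log on if a token ever arrived with `origin` set to the internal user store instead.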
