Authentication Tactics on the Web - PowerPoint PPT Presentation

About This Presentation
Title:

Authentication Tactics on the Web

Description:

Using the Domino Server API (DSAPI) for additional ... What are you allowed to do? ... Hassle / Aggravation. Implementing Authentication. Options in Domino ... – PowerPoint PPT presentation

Number of Views:289
Avg rating:3.0/5.0
Slides: 27
Provided by: searchdomi
Category:

less

Transcript and Presenter's Notes

Title: Authentication Tactics on the Web


1
Authentication Tactics on the Web
  • Rob Axelrod
  • United Messaging, Inc.

2
What We'll Cover ...
  • Implementing authentication options in Domino
  • Using external directories for authentication
  • Using the Domino Server API (DSAPI) for additional flexibility

3
Reviewing Core Security Concepts: Authentication vs. Authorization
  • Authentication
    • Who are you?
    • Restricted use requires a name and password, or an ID of some sort
  • Authorization
    • What are you allowed to do?
    • In the Domino world, this is server access, database ACLs, Read and
      Create access, Authors and Readers fields, etc.

4
Domino Authentication/Encryption Options
  • Basic username/password
  • Session-based (cookie) and single sign-on (SSO)
  • Authenticating through LDAP
  • Implementing SSL for server-side security
  • Implementing X.509 certificates for client-side security
  • Using the DSAPI to implement custom
    authentication solutions

Tool
5
Reviewing Core Security Concepts: Security Means ID Management
  [Diagram with labels: Security, Convenience, Hassle / Aggravation]
6
Implementing Authentication Options in Domino
7
Authentication Options in Domino: Management
  • Domino components for managing authentication
    • Server document settings
      • Determines server-wide options
    • Web SSO document
      • Defines the token for Domino domain-wide single sign-on, or Domino
        and WebSphere single sign-on

Building Block
8
Authentication Options in Domino: Management (cont.)
  • Domino components for managing authentication (cont.)
    • Directory Assistance
      • Provides authentication with LDAP directories
    • Person documents
      • Store the Notes or Internet certificate public key

Building Block
9
Authentication Options in Domino: Who Are You?
  • Range of authentication choices
    • Anonymous
    • Just username (not really authentication)
    • Username/password
    • PKI with password (SSL -- more later)
    • Third-party options
      • Two-factor -- SecurID
      • Biometric (e.g., fingerprint or facial scan)

Checklist
10
Authentication Options in Domino: Anonymous
  • Anonymous
    • Good for public websites
    • Configure in the Server document -- Ports tab
    • Set default to No Access in all databases
    • Grant Anonymous access as needed

Best Practice
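The "default No Access, grant Anonymous as needed" rule is easiest to keep if you can see where it is broken. The audit below is an added example, not code from the presentation: it walks one server's databases with the Notes Java API and lists every -Default- or Anonymous ACL entry above No Access. It assumes Notes.jar on the classpath and a Notes ID allowed to open the databases; the server name is a constructed placeholder.

```java
import lotus.domino.*;

// Lists every database on one server whose -Default- or Anonymous ACL entry
// grants more than No Access, so each exception to the "default No Access"
// rule can be reviewed deliberately. Read-only: it never changes an ACL.
public class AnonymousAclAudit {
    // Constructed placeholder; replace with the real server's canonical name.
    private static final String SERVER = "CN=WebServer/O=Example";
    private static final String[] LEVELS =
        {"No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"};

    // Prints one line if the named ACL entry exists and exceeds No Access.
    // When no "Anonymous" entry exists, anonymous browser users fall back to
    // -Default-, which is why -Default- itself must be No Access.
    private static void report(Database db, ACL acl, String name) throws NotesException {
        ACLEntry entry = acl.getEntry(name);
        if (entry != null && entry.getLevel() > ACL.LEVEL_NOACCESS) {
            int lvl = entry.getLevel();
            String label = lvl < LEVELS.length ? LEVELS[lvl] : "level " + lvl;
            System.out.println(db.getFilePath() + ": " + name + " has " + label);
        }
    }

    public static void main(String[] args) {
        NotesThread.sinitThread(); // needed for local (non-DIIOP) Java API calls
        try {
            Session session = NotesFactory.createSession();
            DbDirectory dir = session.getDbDirectory(SERVER);
            Database db = dir.getFirstDatabase(DbDirectory.DATABASE);
            while (db != null) {
                try {
                    if (db.open()) { // false when our own ID cannot open it
                        ACL acl = db.getACL();
                        report(db, acl, "-Default-");
                        report(db, acl, "Anonymous");
                    }
                } catch (NotesException e) {
                    System.err.println("skipped " + db.getFilePath() + ": " + e.text);
                }
                db = dir.getNextDatabase();
            }
            session.recycle();
        } catch (NotesException e) {
            System.err.println("audit failed: " + e.text);
        } finally {
            NotesThread.stermThread();
        }
    }
}
```

Run it with the server's own ID (or an administrator ID) so that every database can be opened; a database the ID cannot open is reported as skipped rather than silently passed.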
11
Authentication Options in Domino: Username/Password
  • Username/password
    • Comes in two flavors -- Basic and Session-based
    • Configure in the Server document
      • Ports tab -- Internet Ports tab
      • Internet Protocols tab -- Domino Web Engine tab
    • Applied server-wide

12
Authentication Options in Domino: Username/Password -- Basic
  • Attributes of Basic authentication
    • Good for single database access
    • All browsers support it
    • Requires Name and Internet Password in the Person document
    • User receives the standard login screen

13
Authentication Options in Domino: Username/Password -- Session-Based
  • Attributes of Session-based authentication
    • Good for multi-server, single sign-on within a Domino domain or with
      WebSphere
    • Uses cookies
    • No realm issues
    • Sessions are logged
    • Sessions time out
    • Log the user out with ?logout

14
Authentication Options in Domino: Username/Password -- Session-Based (cont.)
  • Attributes of Session-based authentication (cont.)
    • Use the login mapping form in DOMCFG.NSF to specify a custom login form
  [Screenshot: default custom login form provided in DOMCFG.NSF]

15
Authentication Options in Domino: Single Sign-On
  • Session-based authentication also supports single sign-on
    • Set in the Server document
    • Select Single Server or Multi-server
    • Set timeouts
    • Set max sessions

New in R5.0.5!
16
Authentication Options in Domino: Single Sign-On (cont.)
  • For Multi-server session authentication, create a Web SSO Configuration
    document
    • Select from the Servers view, Web action menu
    • Set expiration
    • Select the servers to be included in the single sign-on

17
Using External Directories for Authentication
18
External Directories for Authentication
  • You can use any LDAP-compliant directory for authentication
    • Yahoo!, Active Directory, ...
  • Requires Domino Directory Assistance
  • But do you want to?
    • You have to trust the other guy!

Heads Up!
19
External Directories for Authentication: Authenticating with LDAP
  • Steps to set up authentication with LDAP
    • Create a Directory Assistance database from the DA50.NTF template
    • Add the Directory Assistance database name to the Server document
    • Create Directory Assistance documents to refer to the appropriate
      directories
    • Configure SSL for LDAP

Checklist
20
External Directories for Authentication: Authenticating with LDAP (cont.)
  • Set up Directory Assistance in Domino
    • Set up in the Server document -- Basics tab

21
External Directories for Authentication: Authenticating with LDAP (cont.)
  • Set up Directory Assistance in Domino (cont.)
    • Configure the LDAP Directory Assistance document

22
External Directories for Authentication: Authenticating with LDAP (cont.)
  • Set up Directory Assistance in Domino (cont.)
    • Configure SSL for LDAP transactions

Best Practice
23
Using DSAPI for Additional Flexibility
24
DSAPI for Additional Flexibility
  • The Domino Server API (DSAPI)
    • Specification for writing custom .DLLs to perform custom authentication
      on a Domino Web server
    • Enables customized external authentication of users
    • Provides maximum flexibility for controlling authentication

Key Feature
25
DSAPI for Additional Flexibility (cont.)
  • Advice on using the DSAPI
    • This option adds the most overhead, since it necessitates
      administration of a separate system
    • Requires either a third-party product or complex in-house development
    • Potential for single logon
    • But someone has to write the code ...

Issue
26
DSAPI for Additional Flexibility (cont.)
  • To learn more about using the DSAPI
    • Download the DSAPI Customized Authentication demo from the Iris
      Sandbox on www.notes.net

Where to Find It