Posts

Showing posts from 2017

What is Reconciliation

What is Reconciliation in Identity Management Reconciliation is a term used in Identity Management for recognizing changes to Identity attributes and their subsequent synchronization with other user stores or an Identity Manager. Identity Manager is a product (e.g. Oracle Identity Manager, SailPoint IIQ Identity Manager) that provides full view and management of user's Life cycle, from creating an account to its final disablement or management of user account on-boarding, off-boarding or user provisioning/de-provisioning. Here User on-boarding/off-boarding is in terms of Business Processes whereas provisioning/de-provisioning is in terms of technical steps. Reconciliation or "Recon" is a generic term used for various Identity Management products, such as Oracle Identity Manager, SailPoint IIQ, IBM Security Identity Manager.  Here is how Oracle defines Reconciliation: When changes in the identities are made directly in a user store, for example an LDAP identity store,...

Basic Authentication and Form based Authentication

What are Basic Authentication and Form Based Authentication? And Kerberos Single sign-on Basic authentication and Form based authentication allow a user to authentication to a server via a browser. Both these authentication mechanisms use the HTTP/HTTPS protocols with HTTPS being the secure channel. Basic authentication is formally defined in an RFC (there is no RFC for Form based authentication). Both authentication mechanisms will allow a remote user to authenticate to a server. However, Basic authentication does not use cookies, hence there is no concept of a session or loggin out a user. Form based authentication are implemented via HTML forms which have username and password fields for a user to enter and send over to the remote server for authentication. Form based authentication use cookies for session management so user logout can be controlled. Another popular browser based authentication is via Kerberos Single Sign-on which allows a user to login to trusted website seamle...

What is Azure AD Connect

Image
Azure AD Connect Azure AD Connect is a tool that connects functionalities of its two predecessors –  Windows Azure Active Directory Sync, commonly referred to as DirSync , and Azure AD Sync (AAD Sync). Azure AD Connect will be now the only directory synchronization tool supported by Microsoft as DirSync and AAD Sync are deprecated and supported only until April 13, 2017. Why do you need Azure AD Connect?    To synchronize users’ identities between local and cloud directories. Here "local" refers to the on-premise Active Directory infrastructure and domains and "cloud" refers to the applications hosted in Azure cloud, such as Office 365 or O365. Why do you need to synchronize between local or on-premise Active Directory and Azure AD?    To provide for users access different resources on both on-premises and cloud environments with just a single set of credentials. Applications that are deployed in a traditional Data Center or on-premise rely on the on-pre...

PingIdentity Articles

Here are some important links for PingFederate for reference. In December 2017, new versions for PingFederate 9 and PingAccess 5 were released. Read here the vendor availability release. Default Login for PingFederate Administrator console https://PingFederate_hostname:9999/pingfederate/app is the default URL  (login with username as Administrator and password) Default Login for PingAccess Admin console https://PingAccess_hostname:9000/login is the default login URL   (login with username as Administrator and password) PingFederate 9 documentation What's new in PingFederate 8.4 What's new in PingAccess 4.3 IdP-initiated SSO—POST   (link check Dec20) SP-initiated SSO—POST-POST  SP-initiated SSO—Redirect-POST Single sign-on  with PingFederate How to configure IE, chrome browser for Kerberos and NTML PingFederate Release Notes   Industry Standard s SAML 2.0 profiles   ( SSO profile variations offered by PingFederate ) Integrate ...

Smart Card Logon and Integration with Kerberos

Image
This article provides the step by step process during Smart Card authentication to Active Directory. How does Smart Card authentication work with Active Directory and what are the steps when a user logins to Active Directory with a Smart Card. (Here is link to How does Kerberos Protocol work ) Although this article is from 2000, its steps remain the same as of Windows 2012 infrastructure with Kerberos authentication. Reference from Microsoft for integrating Smart Card login with third party Certification Authority (CA) Smart Card Logon Integration with Kerberos By  Roberta Bragg October 1st, 2000 Learn the basic behind-the-scenes steps for Smart Card logon under Kerberos. ( This article was published in redmondmag in 2000 ) When smart cards are used for authentication in Win2K, a copy of the certificate and the private key can be stored on the smart card. When the user inserts the card in the reader, he or she will be prompted to enter the pin. What happens nex...