Identity, access management
From SME Guide
Authentic
http://www.entrouvert.com/en/authentic/
Authentic is a Liberty Alliance identity provider aiming to address a broad range of needs, from simple to complex setups. It provides Single Sign-On (SSO), Single Logout (SLO) and attribute exchange. It is highly and easily customisable. Its Liberty conformance relies on Lasso, a free (GNU GPL) implementation of the Liberty Alliance standards, certified by the consortium in May 2005. Authentic implements every feature required by the Identity Provider Conformance Matrix.
Among the features: Liberty Alliance conformance (support for ID-FF 1.2, ID-WSF and, partially, SAML 2.0); Authentic can behave as a proxy, redirecting service providers' requests towards other identity providers; it can use the ID-WSF Personal Profile to allow identity attribute sharing; it automatically creates its own metadata file and easily integrates service providers' metadata files.
DogTag
http://pki.fedoraproject.org/wiki/PKI_Main_Page
The Dogtag Certificate System is an enterprise-class open source certificate authority (CA). It is a full-featured system, and has been hardened by real-world deployments. It supports all aspects of certificate lifecycle management, including key archival, OCSP, smartcard management, and much more. Dogtag is a collection of technologies that allow enterprises to deploy PKI on a large scale. It has features such as: certificate issuance, revocation and retrieval, CRL generation and publishing, certificate profiles, Simple Certificate Enrollment Protocol (SCEP), Local Registration Authority (LRA) for organizational authentication and policies, encryption key archival and recovery, and smartcard lifecycle management.
FederID
http://federid.objectweb.org/xwiki/bin/view/Main/
FLOSSMETRICS link: http://melquiades.flossmetrics.org/projects/federid
FLOSSMETRICS quality evaluation: http://melquiades.flossmetrics.org/projects/federid/quality
The FederID project aims to offer a complete solution for Identity Management and Identity Federation. It is based on several OSS components:
- InterLDAP: Based on J2EE and OpenLDAP, InterLDAP makes it possible to manage the complete lifecycle of an identity through its attributes, its accesses and its privileges. It is the essential tool for providing an advanced interface for consulting and administering an LDAP directory.
- LASSO: Lasso is a free software C library aiming to implement the Liberty Alliance standards; it defines processes for federated identities, single sign-on and related protocols. Lasso is built on top of libxml2, XMLSec and OpenSSL and is licensed under the GNU General Public License (with an OpenSSL exception).
- Authentic: Authentic is a Liberty Alliance Identity Provider. It provides Single Sign-On (SSO), Single Logout (SLO) and attribute sharing.
- LemonLDAP: The LemonLDAP project is a reverse-proxy SSO developed with the French Ministry of Finances under the GNU GPL license. LemonLDAP is a network service that acts as the single entry point for all HTTP requests to the various protected Web applications. With the help of an LDAP directory, it offers a single mechanism of authentication and access control to these applications.
FreeIPA
http://www.freeipa.com/page/Main_Page
FreeIPA is an integrated security information management solution combining Linux (Fedora), Fedora Directory Server, MIT Kerberos, NTP and DNS. It consists of a web interface and command-line administration tools. Currently it supports identity management, with plans to support policy and auditing management.
HardTokenManagement
HardToken is a Hard Token Management Framework in Java used to manage the complete lifecycle of an organization's smartcards and/or USB dongles. It communicates with the tokens through a PKCS#11 interface, so the hardware can be changed as long as the vendor supplies a good PKCS#11 implementation. It comes with quite a few ready-made modules that can be composed to fit the needs of the organization. The Hard Token Management Framework is an add-on to the EJBCA Certificate Authority; the current application suite of modules using the framework, 'ToLiMa', has the following features:
- Issue tokens, regular, temporary and project
- Unlock PIN of a token without exposing the PUK code for the users or administrators
- Revoke lost cards
- Renew expiring cards
- Activate cards in the organizations systems
- It is also possible to issue and unlock tokens on an approval basis, used in scenarios where no token administrator is available (for instance in 24/7 operational environments). A colleague of the end user can then generate a request for the action, which is sent to a central support unit for review and approval.
Mandriva directory server
Mandriva Directory Server is an enterprise directory platform based on LDAP, designed to manage identities, access control information, policies, application settings and user profiles. The Mandriva Directory Server (MDS) is a Free Software project that features:
- user authentication and management thanks to LDAP and Kerberos
- an extensible, nice-looking and AJAX-powered PHP web interface called MMC (Mandriva Management Console), provided with 6 modules:
  - Users and groups management
  - SAMBA accounts and shares management
  - Printing management
  - Email delivery management
  - Web proxy blacklist management
  - Open-Xchange users management
- a dedicated Python management API for LDAP, SAMBA, Open-Xchange and SQUID (the core of the MDS and the MMC)
- a policy system that will allow users' rights on network resources to be defined
Thanks to the MMC, the MDS can fully replace a Windows NT4 server.
OpenPEC2
An implementation of the Italian Certified Email, a server-based infrastructure that provides encryption, guarantee of reception and non-repudiation of email.
OpenSSO
The Open Web SSO project (OpenSSO) provides core identity services to simplify the implementation of transparent single sign-on (SSO) as a security component in a network infrastructure. OpenSSO provides the foundation for integrating diverse web applications that might typically operate against a disparate set of identity repositories and are hosted on a variety of platforms such as web and application servers. This project is based on the code base of Sun Java System Access Manager, a core identity infrastructure product offered by Sun Microsystems. OpenSSO provides complete access management, federation and secure web services functionality in a single Java distribution. The solution helps organizations manage secure access to Web applications - both within the enterprise and across business-to-business (B2B) value chains. By utilizing a central point of authentication, role-based access control, and single sign on (SSO), OpenSSO provides an effective and scalable security model across all Web-based applications, simplifying the exchange of information and transactions while protecting the privacy and security of vital identity information. OpenSSO supports the latest federation standards, including Liberty Alliance, Security Assertion Markup Language and WS-Federation. Its support of these standards helps create a federated framework and authentication-sharing mechanism that is both easy to use and interoperable with existing enterprise systems.
OpenTrust-PAM
http://www.opentrust.com/content/view/237/205/lang,en/
Web reverse proxy for Single Sign-On (SSO). It can apply a security policy (profiles stored in an LDAP directory) to an existing set of applications, consolidate websites, encrypt all communications, and rewrite simple URLs. Among the features:
- Business application access management
- Authentication unity
- Layer 7 application firewall
- URL dynamic rewrite (HTTPS)
- Automatic adjustment to strong authentication according to the security policy
- Integration of the intranet in a customized portal with access rights
- Multiple websites consolidated in a central URL tree structure and/or using several virtual hosts as proxy front-ends
- Integrated cache to speed up flows
- HTTP 1.0 and HTTP 1.1, including chunked transfer coding
- SSLv2, SSLv3, TLSv1
- Support for URL, HTTP header and script dynamic rewrite
- Security policy linked to LDAP directory
- Oracle Forms protocol support
PacketFence
PacketFence is an open-source network access control (NAC) system. Deployed in academic networks around the world, PacketFence is reliable, extremely configurable, and built upon unmodified open-source code (Fedora, LAMP, Perl, and Snort). PacketFence is designed to operate in heterogeneous environments and uses vendor-agnostic isolation techniques including DHCP scope changes and ARP cache manipulation ("passive" mode). Among the features:
- Authenticate users using any authentication Apache supports (even more than one!)
- Registration-based and scheduled vulnerability scans.
- Captive portal-based user registration and remediation.
- Passive operating system fingerprinting using DHCP
- Ban unsupported operating systems (e.g. Windows 95/98/ME) or NAT-based routers.
- Automatically register game consoles or VoIP phones.
- Log location-based information using DHCP option-82.
- Protect multiple networks and 802.1q trunks.
SSLExplorer
http://3sp.com/showSslExplorerCommunity.do
FLOSSMETRICS link: http://melquiades.flossmetrics.org/projects/sslexplorer
FLOSSMETRICS quality evaluation: http://melquiades.flossmetrics.org/projects/sslexplorer/quality
SSL-Explorer is the world's first open-source, browser-based SSL VPN solution. This unique remote access control solution provides you with a means of securely accessing intranet applications and resources using a standard web browser. No client-side software needs to be installed on your users' systems, and maintenance is centralised and simple. SSL-Explorer relies on the ubiquitous Java web technology and hence requires just a standard web browser to take advantage of full remote access. Network traffic can be tunnelled through the SSL connection with ease, and your email and intranet web/file resources are securely accessible from outside the corporate network with just a single firewall configuration required post-installation. Among the features:
- Versions available for Microsoft Windows XP/2000/2003/Vista, Apple Mac OS X Tiger (or later) and Linux operating systems
- Standards-compliant HTML supported on all modern browsers, including Internet Explorer 5, IE6, IE7, Mozilla Firefox, Opera and Safari, among many more
- Granular policy-based rights management
- Remotely browse Windows filesystems via Windows Explorer
- Microsoft Outlook Web Access 2003 supported - move vulnerable OWA servers out of the DMZ
- Reverse proxy web forwarding supported with HTTP rewrite technology
- Active Directory authentication supported
- Built-in database authentication supported
- UNIX authentication supported
- Configurable authentication schemes
- Access your desktop remotely
- Intranet resources may be securely externalized using web forwarding
- Accessible using zero-footprint VPN client
- Connect using any modern web browser
- Supports access through HTTP or SOCKS proxy
- Local and remote tunneling via SSL
- Session inactivity timeouts
- Web application URL masking
- No dedicated appliance necessary
Univention Corporate Server
Univention Corporate Server (UCS) is an easy-to-use Linux distribution based on Debian GNU/Linux with a central, common server/client and site/platform management system. UCS can be used to replace or complement existing server infrastructures, but also to provide a complete Linux desktop that can be managed centrally. Among the features:
- central control and policy-based administration of users and groups in Linux and heterogeneous environments
- printers, shares, IP management, mail, groupware and fax solutions
- LDAP-based software management and a thin-client infrastructure
VELO
http://docs.safehaus.org/display/VELO/Home
VELO is an Open Source Identity and Access Provisioning server. Among the features:
- SPML v2 compliance
- Role Based Access Control (RBAC)
- Consolidated employee identity attributes repository
- Account attribute synchronization
- User and access reconciliation
- Integrated workflow engine for complex business processes
- Self-service interfaces
- Support for many resources
- Support for complete account operations
- Specific typed actions can be added easily
- Centralized password policy and password synchronization
- Auditing and compliance
- Powerful scripting support for complex processes via scripting expressions
- Supports more than 20 different scripting languages
- Remote service access via Web Services
- Extensible via events
- Advanced report designer and web-based reporting manager
- Pluggable authentication handlers
- JBoss and GlassFish support
ViaFirma
VIAFIRMA is a digital signature platform that simplifies the development of applications that use digital certificates, based on its incorporation as just another service, following the pattern of SOA (Service Oriented Architecture). Any application can include authentication and digital signature features using the services offered by this system, eliminating the problems and technical complexities related to the use of digital certificates in your applications: public-key cryptography, validation using CRLs or OCSP, certificate reading, the use of an electronic ID card (DNIe), etc. VIAFIRMA allows authentication with digital certificates (electronic ID card (DNIe), FNMT, Camerfirma, ANCERT, Avansi DR, ...) on any medium (software, smartcard, token, ...) and allows recognized digital signature of documents.
WIKID
WiKID is a two-factor authentication system. It consists of: a PIN, stored in the user's head; a small, lightweight client that encapsulates the private/public keys; and a server that stores the clients' public keys and the user's PIN. When the user wants to log in to a service, they start the client and enter their PIN, which is encrypted and sent to the server. If the PIN is correct, the account active and the encryption valid, the user is sent a one-time passcode to use instead of a static password. You can think of WiKID as 'certificates on steroids'. It is more secure than certificates because the required PIN is only stored on the server, so it is not susceptible to offline passive attacks. It is easier because user enrollment is automated and you don't have to deal with a full certificate infrastructure. You can also compare WiKID to hardware tokens: it is much easier to implement, more extensible, yet just as secure. Stealing either the token or the PIN does you no good. You must steal both, just like a hardware token.
