These slides are supposed to help you understand the basics of application security, and how the latest technologies come together to enable you to reduce the number of times people at your organization need to authenticate. For more information visit. http://gluu.org

1. Single Sign-On 101
Solutions, Technology, and
Recommendations

2. Single sign-on (SSO) allows a person to
authenticate once at their home domain to
obtain a “token”, which is stored in the browser
(cookie) or mobile device, and can be presented
to websites as evidence of authentication.
In SALM the token is XML
In OpenID Connect, the token is JSON
The tokens are signed by the domain, so the
website can validate them.
What is Single Sign-On

3. Single logout (SLO) ensures that after a user logs
out at their home domain, all “tabs” are also
logged out.
OpenID Connect defines a non-network based
logout mechanism.
Beware! Applications may only test credentials on
login!
What is Single Logout

4. Why do you need SSO?
● Essential for portals, where the page consists of
multiple backend services.
● Increased productivity for people who use the
authentication service
● Increased productivity for developers who don’t
need to write authentication code.
● Enables domain to leverage strong credentials at
third party sites.

5. Relevant Protocols
● SAML 2.0 - Currently the most widely adopted
standard for Web SSO. XML based.
● OpenID Connect - Most promising successor to
SAML, it is a profile of OAuth2, and promises
better support for mobile.
● Earlier protocols that are still in use should be
deprecated:
○ Kerberos, RADIUS, LDAP, WS-*, OpenID 2,
CAS...

6. Relevant Jargon
SAML OpenID Connect
Identity Provider (IDP) OpenID Provider (OP)
Service Provider (SP) Relying Party (RP)
Attributes User claims
SP Metadata Client Claims

7. Develop your SSO roadmap..
1. Understand market offerings
2. Evaluate your needs
3. Align with a solution

8. ● SaaS - Vendors provide a multi-tenant IDP. You can
quickly try, buy and fly with SSO to popular pre-
integrated cloud apps.
● Open Source - You can design, build and operate
your domain IDP using open source software.
● Enterprise Software - Pay to use the software,
otherwise identical to Open Source.
● Managed Service- Host your domain IDP on your
network, but share operations.
1) Market Offerings for large
organizations

9. 2) Evaluate your needs
● Are you ok with persisting personal data in the cloud?
● Are you ok with access to your systems by a third party?
● Do you have a custom requirements for authentication, or
strong authentication for your domain?
● How many “users” and “applications” do you have?
● Do you need to support mobile authentication?
● Do you need to have “business continuity” or disaster
recovery

10. 3) Align with a solution
● SaaS - Okta, OneLogin, Stormpath, Symplified
● Open Source - Gluu, ForgeRock, Independent
integrators and consulting shops
● Enterprise Software - Oracle Access Manager, CA
SiteMinder, IBM Tivoli Access Manager, RSA
Cleartrust, Microsoft ADFS, Ping Federate

11. ● SaaS
○ No root access to the server. If there's a security
breach, it affects everyone.
○ Per user or per application pricing can become
costly.
● Open Source
○ Expensive to design and build
○ High cost of care and feeding
○ Hard to support new app integrations
● Proprietary
○ Expensive license fees
○ Vendor lock-in
Limitations of SSO Solutions

12. 2 Factor Authentication
● 80% of Internet security breaches are bad
passwords
● Many new mobile, bio-metric, location based,
and cryptographic authentication mechanisms
are being devised.
● Prices are coming down.
● Better enrollment and “password reset”
functionality.

13. Authorization
●
● Organization can create policies to control which
clients and people can access which URL’s
● Application contain a lot of security policies...
only centralize what is common between
applications.

14. Authorization Sequence

15. Our Recommendations
● Choose a platform that gives your organization
the flexibility to implement its business logic.
● Make sure your solution is Future proof : be
ready new strong authentication services
● Use open standards and open source when
possible!

16. Questions?
Just reach out!!
http://gluu.org