Single sign on

Slide deck created for a presentation practice session

  • Single Sign On
  • Danny Kaye – “The Court Jester” – about authentication & security systems – 1956 movie
  • Process that permits a user to enter one name and password ONCE in order to access multiple applications (single action = access to multiple systems)
    One password instead of multiple
    Multiple independent systems instead of one
    Lesser known sibling: Single Sign Off
    System that stores multiple sets of credentials for various internal applications
    Often done with web-portals that interface with multiple systems “on the back end”
  • The Skeleton key
  • Utensil
  • Utopian, Holy grail, Holistic
    Cost
    - Savings (call centers aren’t dealing with forgotten password tickets)
    - Reduced IT dev time
    Utopian Administration
    - Centralized, single system which is good for reporting, compliance, maintenance, managing accts, etc.
    - The “perfect system”
    Productivity
    - Easier to remember one password
    - Reduces human error (password fatigue/identity chaos)
    - Common authentication framework for developers
    - Can be incorporated into
    Security
    - Everything’s equally protected
    - Reduces phishing success, since users don’t usually see login/password requests, and when they do it is out of the ordinary and seems suspicious
    - Reduces chance of some types of identity theft (password on sticky note)
  • Utopian
    Poorly Conceived
    - Major issues arise if use cases, workflow, infrastructure haven’t been totally figured out
    Administration
    - Authentication systems become mission-critical; if they fail, DOS, no access. Thus some mission critical capabilities may need to be outside of the SSO (e.g. floor access systems)
    Difficult to implement
    - Extremely difficult to retrofit
    - Mission critical nature of components (8 separate mission-critical systems and none can be brought down for any length of time to align with the others)
    Security issues
    - Authentication server is now the single point of attack
    - Risk of giving away “keys to the castle” – protection focus shifts to user credentials
    - The “walk away and someone hops on your computer” issue
    Enterprise Reduced Sign On (purgatory, handles most systems if not the utopian all)
    - Edsel – the wrong car at the wrong time
  • The Must have features
    Available 24/7/365
    Backup (there are spare copies in the vault if needed)
    Comprehensive (covers all essential applications in the network, covers all possible use cases)
    Integral-able (able to be introduced and play well with existing systems)
    Redundant (if all or part of it fails, there are systems in place that will jump in as needed)
    Reliable (accurate and doesn’t make mistakes)
    Scalable (0 to thousands of users)
  • Authentication (from Greek: αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true ("authentification" is a French language variant of this word). This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claims to be, or assuring that a computer program is a trusted one. Authentication can also be used for identity delegation. Identity delegation in IT networks is an evolving field[1].
    A process of proving the identity of a computer or computer user. For users, it generally involves a user name and password. Computers usually pass a code that identifies that they are part of a network.
    - It’s a horizontal system
    Often done by an authentication server
    Physiognomy = idea that facial characteristics are indications of personality/character/psychology
    Biometrics =
  • A directory service is simply the software system that stores, organizes and provides access to information - a corresponding table of names and values (e.g. login/password, name, address, etc.)
  • Encryption (Greek for “make hidden”) is a form of security that turns information, images, programs or other data into unreadable cipher by applying a set of complex algorithms to the original material. These algorithms transform the data into streams or blocks of seemingly random alphanumeric characters. The one weakness of symmetric encryption programs is that the single key must necessarily be shared, presenting an opportunity for it to be leaked or stolen. Symmetric types of encryption schemes use a single password to serve as both encryptor and decryptor. Part of key management involves changing the encryption key often to improve security.
  • The process of managing individuals in a system; managing who someone is and what they have access to (technical, legal, security, social)
  • A protocol is a set of rules which is used by computers to communicate with each other across a network - a protocol or communications protocol is a formal description of message formats and the rules for exchanging those messages. Protocols may include signaling, authentication and error detection and correction capabilities. In its simplest form, a protocol can be defined as the rules governing the syntax, semantics, and synchronization of communication.
    - Protocols: SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), Kerberos (made by MIT) and NTLMSSP (Microsoft’s NT LAN Manager Security Support Provider) authentication protocols, with respect to SSPI (a Microsoft Windows security application programming interface)
  • A communication session is a semi-permanent interactive information exchange between communicating devices that is established at a certain time and torn down at a later time. Hypertext Transfer Protocol (HTTP) is stateless: a client computer running a web browser must establish a new Transmission Control Protocol (TCP) network connection to the web server with each new HTTP GET or POST request.
    - The Session Layer provides the mechanism for opening, closing and managing a session between end-user application processes, i.e. a semi-permanent dialogue.
    - More than 1 party
    - Information is being exchanged
    - Across a shared medium
  • The art and skill of developing a plan to achieve a goal
  • Who’s doing what, where – someone, somewhere, doing something for some reason, sometimes
    Workflows are often instructional (how to make a cup of coffee)
    David Macaulay – describing the workflow for how to construct something & later came up with a book called “The Way Things Work”
  • Enterprise Single Sign On – that’s where the industry has been heading
    SAML = used by Google
    EISA = SSO is just a component of this
  • Everybody loves puppies
    Everybody loves the Red Sox
    When in doubt, switch the topic to puppies or the Red Sox & you’ll regain your equilibrium
  • Not just the technical, it’s the human component as well that’s critical
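To make the definition in these notes concrete (one password check, many applications, the single sign-off sibling, and session expiry as the answer to the “walk away from your computer” issue), here is a toy SSO flow in Python. It is an added example constructed for this page, not code from the deck, and it assumes an HMAC key shared between the authentication server and every application plus an in-memory session table.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo: ONE authentication server, ONE password entry, many applications.
SHARED_KEY = b"constructed-demo-key"  # assumption: handed to every application out of band
# Demo credential store (plain sha256 only to keep the example short; use scrypt/argon2 in practice)
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
ACTIVE = {}  # session id -> expiry; the central record that makes single sign-off possible


def _sign(payload: bytes) -> str:
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def _claims(ticket: str):
    """Return the ticket's claims only if its signature is intact, else None."""
    try:
        body, sig = ticket.split(".")
        payload = base64.urlsafe_b64decode(body)
    except ValueError:  # wrong number of parts or malformed base64
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return json.loads(payload)


def login(user: str, password: str, ttl: int = 600, now=None):
    """Authentication server: the one password check, which yields one SSO ticket."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(user, ""), digest):
        return None
    now = time.time() if now is None else now
    sid = secrets.token_hex(8)
    ACTIVE[sid] = now + ttl
    payload = json.dumps({"sub": user, "sid": sid, "exp": now + ttl}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify(ticket: str, now=None):
    """Any application: accept the ticket if signed, unexpired and not signed off."""
    claims = _claims(ticket)
    if claims is None:
        return None
    now = time.time() if now is None else now
    if now > claims["exp"] or claims["sid"] not in ACTIVE:
        return None  # expiry bounds the "walk away and someone hops on" window
    return claims["sub"]


def sign_off(ticket: str) -> bool:
    """Single sign-off: revoking the central session logs the user out of every app."""
    claims = _claims(ticket)
    return claims is not None and ACTIVE.pop(claims["sid"], None) is not None
```

The email and HR applications both call `verify` on the same ticket, so the user is prompted once; because every application checks the central `ACTIVE` table, that table (like the authentication server in the deck) is the single point that must stay up and protected.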

Presentation Transcript

  • SSO Presentation
    Presentation Practice Session
    May 14, 2010
    Prepared by: Rob Fitzgibbon
    1
  • What is SSO?
    The Ship’s Security Officer?
    Standards Setting Organization?
    Sulfolobus solfataricus?
    Society of Surgical Oncology?
    Syracuse Symphony Orchestra?
    2
  • Guess! (charades session)
    3
  • I know as much about SSO as I do about
    4
  • But here goes
    Want to sound like
    May end up sounding like
    5
  • SSO, Defined (geekspeak)
    Lots of really important boxes and ovals with acronyms
    6
  • SSO, Defined (again)
    Enterprise Applications
    Email program
    Benefits/HR info
    You
    Your computer
    Corporate intranet
    Your one SSO passcode
    The firewall & SSO authentication system
    Client Extranet
    7
  • SSO, Defined (and again): the key metaphor
    Old School
    SSO Equivalent
    8
  • SSO, Defined (yet again): the backstage pass metaphor
    9
  • SSO, Defined (one last time): the utensil metaphor
    10
  • So Why learn about SSO?
    11
  • Will it help you get the girl?
    No.
    12
  • Will it make you seem brilliant at the cocktail party?
    Nope.
    13
  • Will it turn this client
    14
  • Into this client?
    Maybe.
    15
  • But it might help you appreciate the complexity of the client’s infrastructure
    16
  • Why am I talking about SSO?
    17
  • The SSO Upside
    18
  • The SSO Downside
    19
  • Key SSO Features
    20
  • With SSO, there’s lots of important terminology to remember!
    21
  • Authentication
    22
  • Directory
    23
  • Encryption Key
    24
  • Identity Management
    25
  • Protocol
    26
  • Session
    27
  • Strategy
    28
  • Workflow
    29
  • Feign Knowledge with Important Sounding Acronyms
    30
  • AAA = Authentication, Authorization & Accounting
    AD = Active Directory
    CAS = Central Authentication Service
    EISA = Enterprise Information Security Architecture
    ESSO = Enterprise Single Sign On
    HTTPS = HyperText Transfer Protocol, Secure
    IDM = Identity Management
    LDAP = Lightweight Directory Access Protocol
    OTP = One Time Password
    PII = Personal Identifying Information
    RADIUS = Remote Authentication Dial In User Service
    SAML = Security Assertion Markup Language
    SSL = Secure Socket Layer
    SSOSrv = Microsoft Single-Sign On Service
    TCP/IP = Transmission Control Protocol/Internet Protocol
    VPN = Virtual Private Network
    31
  • In case of emergency, switch subject
    32
  • SSO really challenges interface designers to develop perhaps the most complex customer facing interactions of their entire career:
    33
  • Login
    Password
    Go
    34
  • Login
    Password
    Behind that interface lies an array of network systems…
    Go
    35
  • Login
    Password
    (Savage, merciless network systems)
    Go
    36
  • What types of clients use SSO?
    37
  • Who provides SSO Solutions?
    38
  • Further Reading
    39
  • Thank You!
    40