Enterprise Single Sign-On - SSO

1. SSO: Single Sign-On
   TEQneers GmbH & Co. KG, Dipl. Betriebswirt (BA) Oliver Müller
   Saturday, 5 March 2011
2. Definition
   • Property of access control of multiple, related, but independent software systems
   • One-time authorization process for multiple applications, websites, ...
3. Benefits
   • Reducing countless logins and passwords
   • Reducing the time spent re-logging in
   • Reducing IT cost/help desk
   • Same level of password security everywhere
   • Centralized reporting
   • Usually much better passwords
4. Criticism
   • A stolen credential opens all dungeons
   • Infrastructure
   • Might be combined with strong authentication (e.g. SmartCards)
   • Many solutions need very expensive software or hardware solutions
5. Issues
   • Different apps use different SSO processes
   • Impossible to find ONE SSO for all (?)
   • Most solutions are unable to jump over the intranet barrier
6. Solutions
   • Kerberos [1983]
   • LDAP (slapd, Active Directory, …) [1993]
   • NTLM (NT Lan Manager) [2000]
   • CAS (Central Authentication Service) [2001]
   • PKI (Public Key Infrastructure) [1969]
   • SAML [2002]
   • ...
7. Kerberos
   • No easy setup
   • Not easy for developers to set up the same environment
   • Intranet barrier
   • External service providers are unable to use the SSO
8. LDAP / AD
   • SAME sign-on (the same credentials everywhere, but still a login per application)
   • Intranet barrier (too much information)
   • External service providers are unable to use the SSO
   • Easy to implement
   • Nice for syncing user data
9. LDAP bind in PHP
       // using ldap bind
       $ldaprdn  = 'uname';    // ldap rdn or dn
       $ldappass = 'password'; // associated password

       // connect to ldap server
       $ldapconn = ldap_connect("ldap.example.com")
           or die("Could not connect to LDAP server.");

       if ($ldapconn) {
           // an empty password makes ldap_bind perform an anonymous bind,
           // which succeeds on most servers: refuse it before binding
           if ($ldappass === '') {
               die("LOGIN failed...");
           }
           // binding to ldap server
           $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
           // verify binding
           if ($ldapbind) {
               echo "LOGIN successful...";
           } else {
               echo "LOGIN failed...";
           }
       }
10. NTLM
   • Intranet barrier
   • External service providers are unable to use the SSO
   • Based on Windows logon and Kerberos
   • Compatibility issues (more or less Microsoft territory: Windows, IIS, IE)
   • Easy to implement for developers
11. Reading the user name from an NTLM Type 3 message in PHP
       function get_msg_str($msg, $start, $unicode = true) {
           // NTLM "security buffer": 2-byte length, 2-byte max length, 4-byte offset
           $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
           $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
           if ($unicode)
               // drop the high bytes of the UTF-16LE string
               return str_replace("\0", '', substr($msg, $off, $len));
           else
               return substr($msg, $off, $len);
       }

       // $auth holds the Authorization header: "NTLM <base64 Type 3 message>"
       $msg         = base64_decode(substr($auth, 5));
       $user        = get_msg_str($msg, 36);
       $domain      = get_msg_str($msg, 28);
       $workstation = get_msg_str($msg, 44);
       // these are the names the client claims; the NTLM response itself
       // is not verified by this snippet
       print "You are $user from $domain/$workstation";
12. Central Authentication Service (CAS)
   • Token/ticket based authentication
   • Developed by Yale University
   • phpCAS open source implementation
   • Made for web only
   • Common in education environments
13. CAS login with phpCAS
       include_once('CAS.php');

       // initialize phpCAS
       phpCAS::client(CAS_VERSION_2_0, 'sso-cas.home.com', 443, '');

       // no SSL validation for the CAS server
       // (acceptable for testing only; validate the server certificate in production)
       phpCAS::setNoCasServerValidation();

       // force CAS authentication
       phpCAS::forceAuthentication();

       // at this step, the user has been authenticated by the CAS server
       // and the user's login name can be read with phpCAS::getUser().

       // logout if desired
       if (isset($_REQUEST['logout'])) {
           phpCAS::logout();
       }
       echo "LOGIN successful...";
14. Public Key Infrastructure (PKI)
   • X.509 certificate based authentication
   • It's about what-you-have (client certificate) and not what-you-know (password)
   • Often used with smart cards (e.g. employee ID)
   • Made for Web, SSH, OS login, ...
   • Common in enterprise and government solutions
15. PKI login check in PHP, the parsed certificate and the Apache configuration

    ### PHP
       $cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);

       // verify login (the subject key is "CN", as in the dump below)
       if (in_array($cert['subject']['CN'], $allowedLogins)) {
           echo "LOGIN successful...";
       } else {
           echo "LOGIN failed...";
       }

    ### var_dump($cert) output
       array(12) {
         ["name"]=> string(75) "/C=DE/O=TEQneers/OU=Dev/CN=Oliver/emailAddress=oliver@php.net"
         ["subject"]=> array(6) {
           ["C"]=> string(2) "DE"
           ["O"]=> string(10) "TEQneers"
           ["OU"]=> string(10) "Dev"
           ["CN"]=> string(8) "Oliver"
           ["emailAddress"]=> string(10) "foo@bar.de"
         }
         ["hash"]=> string(8) "123abc45"
         ["issuer"]=> array(7) { ... }
         ["version"]=> int(2)
         ["serialNumber"]=> string(1) "987"
         ["validFrom"]=> string(13) "110131143055Z"
         ["validTo"]=> string(13) "130130142954Z"
         ...
       }

    ### Apache configuration or .htaccess
       # the directive takes none | optional | require | optional_no_ca
       SSLVerifyClient require
       SSLRequireSSL
       SSLVerifyDepth 1
16. SAML
   • Security Assertion Markup Language
   • Defined by OASIS
   • Made for internet and extranet sites
   • Credentials/information can be configured
   • Open (based on XML, SOAP, HTTP, ...)
17. SAML Parties
   • Client (browser)
   • Web application
   • Service Provider (SAML client)
   • Identity Provider (enterprise federation server)
18. Service Provider
   • self-made
   • simpleSAMLphp (open source PHP solution)
   • PingConnect (PHP, Perl, Java, …)
   • ...
20. SAML login flow
   • user enters URL https://app.com/saml.php
   • a user without a valid SAML assertion is forwarded to the service provider
   • browser asks the service provider for an XML assertion
   • the XML assertion request form is sent back to the browser
   • browser forwards the assertion request form to the identity provider
   • IF NOT LOGGED IN YET:
     • identity provider asks the user to log into the enterprise network
     • user enters login/password and sends it back to the identity provider
   • client receives an XML assertion and a cookie signed by the identity provider
   • XML assertion is sent to the service provider, which validates the assertion
   • if the assertion is valid, the user is pushed back to the initial URL
   • the assertion is checked and the user is looked up in your app
   • if the user exists, the app start page appears; otherwise the app might show its standard login page
21. Service provider side with simpleSAMLphp
       // Load simpleSAMLphp configuration and session.
       $config  = SimpleSAML_Configuration::getInstance();
       $session = SimpleSAML_Session::getInstance();

       // Check if a valid local session exists.
       if (!$session->isValid('saml2')) {
           // Redirect to the IdP for authentication.
           SimpleSAML_Utilities::redirect(
               '/' . $config->getBaseURL() . 'saml2/sp/initSSO.php',
               array('RelayState' => SimpleSAML_Utilities::selfURL())
           );
       }

       // successful authorization
       $attributes = $session->getAttributes();
       print_r($attributes); // might print out email or login
22. Sample SAML 1.0 assertion
       <saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z"
           Issuer="TransactionMinderSAMLIssuer" MajorVersion="1" MinorVersion="0"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
         <saml:Conditions NotBefore="2008-10-08T20:16:12.307Z"
             NotOnOrAfter="2008-10-08T22:16:12.307Z"/>
         <saml:AuthenticationStatement AuthenticationInstant="2008-10-08T20:16:12.307Z"
             AuthenticationMethod="urn:oasis:names:tc:SAML">
           <saml:Subject>
             <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0"
                 NameQualifier="Domain Name">Claire Wasser</saml:NameIdentifier>
             <saml:SubjectConfirmation>
               <saml:ConfirmationMethod>http://www...</saml:ConfirmationMethod>
               <saml:SubjectConfirmationData>R1VD8fkkvlrhp</saml:SubjectConfirmationData>
             </saml:SubjectConfirmation>
           </saml:Subject>
         </saml:AuthenticationStatement>
       </saml:Assertion>
23. Identity Server
   • Shibboleth IdP (open source)
   • PingIdentity
   • Oracle Identity Server
   • SAP NetWeaver
   • Sun OpenSSO / ForgeRock OpenAM
   • IBM
   • Microsoft Geneva
24. One size does fit it all
   • Most federation solutions support many different SSO technologies
   • Most are based on some kind of LDAP backend
25. Thanks for listening
   Contact me if you have any questions:
   email: oliver@php.net
   email: oliver@teqneers.de
   phone: +49 (711) 46 97 28-82
   Have Fun!