Enterprise Single Sign-On - SSO

Transcript

  • 1. SSO Single Sign-On
    TEQneers GmbH & Co. KG, Dipl. Betriebswirt (BA) Oliver Müller, Saturday, 5 March 2011
  • 2. Definition
    • Property of access control across multiple related but independent software systems
    • One-time authorization process for multiple applications, websites, ...
  • 3. Benefits
    • Reduces countless logins and passwords
    • Reduces the time spent re-logging in
    • Reduces IT cost / help desk load
    • Same level of password security everywhere
    • Centralized reporting
    • Usually much better passwords
  • 4. Criticism
    • A stolen credential opens every door
    • Infrastructure
    • Might be combined with strong authentication (e.g. smart cards)
    • Many solutions need very expensive software or hardware
  • 5. Issues
    • Different apps use different SSO processes
    • Impossible to find ONE SSO for all (?)
    • Most solutions are unable to cross the intranet barrier
  • 6. Solutions
    • Kerberos [1983]
    • LDAP (slapd, Active Directory, ...) [1993]
    • NTLM (NT LAN Manager) [2000]
    • CAS (Central Authentication Service) [2001]
    • PKI (Public Key Infrastructure) [1969]
    • SAML [2002]
    • ...
  • 7. Kerberos
    • No easy setup
    • Not easy for developers to set up the same environment
    • Intranet barrier
    • External service providers unable to use SSO
  • 8. LDAP / AD
    • SAME sign-on
    • Intranet barrier (too much information)
    • External service providers unable to use SSO
    • Easy to implement
    • Nice to sync user data
  • 9. LDAP bind example (PHP)

```php
<?php
// using ldap bind
$ldaprdn  = 'uname';     // ldap rdn or dn
$ldappass = 'password';  // associated password

// connect to ldap server
$ldapconn = ldap_connect("ldap.example.com")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {
    // an empty password turns ldap_bind into an anonymous/unauthenticated bind,
    // which many servers accept; never treat that as a successful login
    if ($ldappass === '') {
        die("LOGIN failed...");
    }

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LOGIN successful...";
    } else {
        echo "LOGIN failed...";
    }
}
```
  • 10. NTLM
    • Intranet barrier
    • External service providers unable to use SSO
    • Based on Windows logon and Kerberos
    • Compatibility issues (more or less Microsoft territory: Windows, IIS, IE)
    • Easy to implement for developers
  • 11. NTLM type-3 message parsing example (PHP)

```php
<?php
// Extract a string field from an NTLM type-3 (authenticate) message.
// Each field descriptor carries a 2-byte length at $start and the
// 2-byte (low part of the) offset at $start+4.
function get_msg_str($msg, $start, $unicode = true) {
    $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
    $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
    if ($unicode)
        // field is UTF-16LE: drop the NUL bytes to get the ASCII characters
        return str_replace("\0", "", substr($msg, $off, $len));
    else
        return substr($msg, $off, $len);
}

// $auth holds the "NTLM <base64>" value of the Authorization header
// (assumed source; the slide does not show where $auth comes from)
$auth = $_SERVER['HTTP_AUTHORIZATION'];
$msg  = base64_decode(substr($auth, 5));   // skip the "NTLM " prefix

$user        = get_msg_str($msg, 36);
$domain      = get_msg_str($msg, 28);
$workstation = get_msg_str($msg, 44);

// Note: this only reads the names the client claims in the message; it does
// not verify the NTLM response, so by itself it is not an authentication check.
print "You are $user from $domain/$workstation";
```
  • 12. Central Authentication Service (CAS)
    • Token/ticket-based authentication
    • Developed by Yale University
    • phpCAS open source implementation
    • Made for web only
    • Common in education environments
  • 13. phpCAS example (PHP)

```php
<?php
include_once('CAS.php');

// initialize phpCAS
phpCAS::client(CAS_VERSION_2_0, 'sso-cas.home.com', 443, '');

// no SSL validation for the CAS server (development only; in production
// pin the CA with phpCAS::setCasServerCACert() instead)
phpCAS::setNoCasServerValidation();

// force CAS authentication
phpCAS::forceAuthentication();

// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().

// logout if desired
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}

echo "LOGIN successful...";
```
  • 14. Public Key Infrastructure (PKI)
    • X.509 certificate-based authentication
    • It's about what-you-have (client certificate), not what-you-know (password)
    • Often used with smart cards (e.g. employee ID)
    • Made for web, SSH, OS login, ...
    • Common in enterprise and government solutions
  • 15. Client certificate example (PHP, parsed certificate, Apache configuration)

### PHP

```php
<?php
// the client certificate is exported by Apache into SSL_CLIENT_CERT
$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);

// verify login: $allowedLogins is the list of permitted certificate CNs
// (defined elsewhere in the application)
if ( in_array( $cert['subject']['CN'], $allowedLogins ) ) {
    echo "LOGIN successful...";
} else {
    echo "LOGIN failed...";
}
```

Output of var_dump($cert) for a sample certificate:

```
array(12) {
  ["name"]=> string(75) "/C=DE/O=TEQneers/OU=Dev/CN=Oliver/emailAddress=oliver@php.net"
  ["subject"]=> array(6) {
    ["C"]=> string(2) "DE"
    ["O"]=> string(10) "TEQneers"
    ["OU"]=> string(10) "Dev"
    ["CN"]=> string(8) "Oliver"
    ["emailAddress"]=> string(10) "foo@bar.de"
  }
  ["hash"]=> string(8) "123abc45"
  ["issuer"]=> array(7) { ... }
  ["version"]=> int(2)
  ["serialNumber"]=> string(1) "987"
  ["validFrom"]=> string(13) "110131143055Z"
  ["validTo"]=> string(13) "130130142954Z"
  ...
}
```

### Apache configuration or .htaccess

```apache
SSLVerifyClient require
SSLRequireSSL
SSLVerifyDepth 1
# needed so that SSL_CLIENT_CERT is exported to PHP
SSLOptions +ExportCertData
```
  • 16. SAML
    • Security Assertion Markup Language
    • Defined by OASIS
    • Made for internet and extranet sites
    • Credentials/information can be configured
    • Open (based on XML, SOAP, HTTP, ...)
  • 17. SAML Parties
    • Client (browser)
    • Web application
    • Service Provider (SAML client)
    • Identity Provider (enterprise federation server)
  • 18. Service Provider
    • self-made
    • simpleSAMLphp (open source PHP solution)
    • PingConnect (PHP, Perl, Java, ...)
    • ...
  • 19. (diagram slide; no transcript text)
  • 20. SAML login flow
    • user enters URL https://app.com/saml.php
    • a user without a valid SAML assertion is forwarded to the service provider
    • browser asks the service provider for an XML assertion
    • the XML assertion request form is sent back to the browser
    • browser forwards the assertion request form to the identity provider
    • IF NOT LOGGED IN YET
      • identity provider asks the user to log into the enterprise network
      • user enters login/password and sends them back to the identity provider
    • client receives an XML assertion and a cookie signed by the identity provider
    • XML assertion is sent to the service provider, which validates the assertion
    • if the assertion is valid, the user is redirected back to the initial URL
    • the assertion is checked and the user is looked up in your app
    • if the user exists, the app start page appears; otherwise the app might show the standard login page
  • 21. simpleSAMLphp service provider example (PHP)

```php
<?php
// simpleSAMLphp autoloader; the path is installation-specific
require_once('/path/to/simplesamlphp/lib/_autoload.php');

// Load simpleSAMLphp configuration and session.
$config  = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

// Check if a valid local session exists.
if (!$session->isValid('saml2')) {
    // Redirect to the IdP for authentication.
    SimpleSAML_Utilities::redirect(
        '/' . $config->getBaseURL() . 'saml2/sp/initSSO.php',
        array('RelayState' => SimpleSAML_Utilities::selfURL())
    );
}

// successful authorization
$attributes = $session->getAttributes();
print_r($attributes);  // might print out email or login
```
  • 22. Sample SAML 1.0 assertion

```xml
<saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z"
    Issuer="TransactionMinderSAMLIssuer" MajorVersion="1" MinorVersion="0"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-10-08T20:16:12.307Z"
      NotOnOrAfter="2008-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2008-10-08T20:16:12.307Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0"
          NameQualifier="Domain Name">Claire Wasser</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>http://www/</saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>R1VD8fkkvlrhp</saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
```
  • 23. Identity Server
    • Shibboleth IdP (open source)
    • PingIdentity
    • Oracle Identity Server
    • SAP NetWeaver
    • Sun OpenSSO / ForgeRock OpenAM
    • IBM
    • Microsoft Geneva
  • 24. One size does fit all
    • Most federation solutions support many different SSO technologies
    • Most are based on some kind of LDAP backend
  • 25. Thanks for listening
    Contact me if you have any questions:
    email: oliver@php.net
    email: oliver@teqneers.de
    phone: +49 (711) 46 97 28-82
    Have Fun!