Enterprise Single Sign-On - SSO
Upcoming SlideShare
Loading in...5
×
 

Enterprise Single Sign-On - SSO

on

  • 4,522 views

 

Statistics

Views

Total Views
4,522
Views on SlideShare
4,256
Embed Views
266

Actions

Likes
5
Downloads
109
Comments
0

4 Embeds 266

http://opensource.teqneers.de 164
http://opensource.teqneers.com 100
url_unknown 1
http://translate.googleusercontent.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Enterprise Single Sign-On - SSO Enterprise Single Sign-On - SSO Presentation Transcript

  • SSO Single Sign-On TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • Definition • Property of access control of multiple, related, but independent software systems • One time authorization process for multiple applications, websites, ... TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • Benefits • Reducing countless logins and passwords • Reducing time effort to re-login • Reducing IT cost/help desk • Same level of password security everywhere • Centralized reporting • Usually much better passwords TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • Criticism • Stolen credential opens all dungeons • Infrastructure • Might be combined with strong authentications (e.g. SmartCards) • Many solutions need very expensive software or hardware solutions TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • Issues • Different apps uses different SSO processes • Impossible to find ONE SSO for all (?) • Most solution unable to jump over intranet barrier TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • Solutions • Kerberos [1983] • LDAP (slapd, Active Directory, …) [1993] • NTLM (NT Lan Manager) [2000] • CAS (Central Authentication Service) [2001] • PKI (Public Key Infrastructure) [1969] • SAML [2002] • ... TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • Kerberos • No easy setup • Not easy for developers to setup same environment • Intranet barrier • External service provider unable to use SSO TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • LDAP / AD • SAME sign-on • Intranet barrier (too much information) • External service provider unable to use SSO • Easy to implement • Nice to sync user data TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • // using ldap bind $ldaprdn = uname; // ldap rdn or dn $ldappass = password; // associated password // connect to ldap server $ldapconn = ldap_connect("ldap.example.com") or die("Could not connect to LDAP server."); if ($ldapconn) { // binding to ldap server $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass); // verify binding if ($ldapbind) { echo "LOGIN successful..."; } else { echo "LOGIN failed..."; } } TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • NTLM • Intranet barrier • External service provider unable to use SSO • Based on Windows logon and Kerberos • Compatibility issues (more or less Microsoft territory Windows, IIS, IE) • Easy to implement for developers TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • function get_msg_str($msg, $start, $unicode = true) { $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]); $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]); if ($unicode) return str_replace("0", , substr($msg, $off, $len)); else return substr($msg, $off, $len); } $msg = base64_decode(substr($auth, 5)); $user = get_msg_str($msg, 36); $domain = get_msg_str($msg, 28); $workstation = get_msg_str($msg, 44); print "You are $user from $domain/$workstation"; TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • Central Authentication Service (CAS) • Token/ticket based authentication • Developed by Yale University • phpCAS open source implementation • Made for web only • Common in education environment TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • include_once(CAS.php); // initialize phpCAS phpCAS::client(CAS_VERSION_2_0,sso-cas.home.com,443,); // no SSL validation for the CAS server phpCAS::setNoCasServerValidation(); // force CAS authentication phpCAS::forceAuthentication(); // at this step, the user has been authenticated by the CAS server // and the users login name can be read with phpCAS::getUser(). // logout if desired if (isset($_REQUEST[logout])) { phpCAS::logout(); } echo "LOGIN successful..."; TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • Public Key Infrastructure (PKI) • X.509 certification based authentication • Its about what-you-have (client certificate) and not what-you-know (password) • Often used with smart cards (e.g. employee ID) • Made for Web, SSH, OS login, ... • Common in enterprise and government solutions TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • ### PHP $cert = openssl_x509_parse($_SERVER[‘SSL_CLIENT_CERT’])); // verify login array(12) { if ( in_array( $cert[‘subject’][‘cn’], $allowedLogins ) ) { ["name"]=> string(75) "/C=DE/O=TEQneers/ echo "LOGIN successful..."; OU=Dev/CN=Oliver/ } else { emailAddress=oliver@php.net" echo "LOGIN failed..."; ["subject"]=> array(6) { } ["C"]=> string(2) "DE" ["O"]=> string(10) "TEQneers" ["OU"]=> string(10) "Dev" ["CN"]=> string(8) "Oliver" ["emailAddress"]=> string(10) "foo@bar.de" ### Apache configuration or .htaccess } ["hash"]=> string(8) "123abc45" SSLVerifyClient required ["issuer"]=> array(7) { ... SSLRequireSSL } SSLVerifyDepth 1 ["version"]=> int(2) ["serialNumber"]=> string(1) "987" ["validFrom"]=> string(13) "110131143055Z" ["validTo"]=> string(13) "130130142954Z" ... TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • SAML • Security Assertion Markup Language • Defined by OASIS • Made for internet and extranet sites • Credentials/Information can be configured • Open (based on XML, SOAP, HTTP, ...) TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • SAML Parties • Client (browser) • Web application • Service Provider (SAML client) • Identity Provider (enterprise federation server) TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • Service Provider • selfmade • simpleSAMLphp (open source PHP solution) • PingConnect (PHP, Perl, Java, …) • ... TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • • user enters URL https://app.com/saml.php • user without valid SAML assertion will be forwarded to service provider • browser asks service provider to give him a XML assertion • XML assertion request form is send back to the browser • browser forwards assertion request form to identity provider • IF NOT LOGGED IN YET • identity provider ask the user to log into the enterprise network • user enters his login/password and sends it back to identity provider • client receives a XML assertion and cookie signed by the identity provider • XML assertion is send to service provider, who validates assertion • if assertion is valid, user will be pushed back to his initial url • assertion will be checked and user is going to be looked up in your app • if user exists, app start page appears, otherwise app might show standard login page TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • // Load simpleSAMLphp configuration and session. $config = SimpleSAML_Configuration::getInstance(); $session = SimpleSAML_Session::getInstance(); // Check if valid local session exists. if (!$session->isValid(saml2) ) { // Redirect to the IdP for authentication. SimpleSAML_Utilities::redirect( / . $config->getBaseURL() . saml2/sp/initSSO.php, array(RelayState => SimpleSAML_Utilities::selfURL()) ); } // successful authorization $attributes = $session->getAttributes(); print_r($attributes); // might print out email or login TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • <saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z" Issuer="TransactionMinderSAMLIssuer" MajorVersion="1" MinorVersion="0" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"> <saml:Conditions NotBefore="2008-10-08T20:16:12.307Z NotOnOrAfter="2008-1008T22:16:12.307Z"/> <saml:AuthenticationStatement AuthenticationInstant="2008-10-08T20:16:12.307Z" AuthenticationMethod="urn:oasis:names:tc:SAML"> <saml:Subject> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0" NameQualifier="Domain Name">Claire Wasser</saml:NameIdentifier> <saml:SubjectConfirmation> <saml:ConfirmationMethod>http://www/> <saml:SubjectConfirmationData>R1VD8fkkvlrhp</saml:SubjectConfirmationData> </saml:SubjectConfirmation> </saml:Subject> </saml:AuthenticationStatement> </saml:Assertion> TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • Identity Server • Shibboleth IdP (open source) • PingIdentity • Oracle Identity Server • SAP NetWeaver • Sun OpenSSO ForgeRock OpenAM • IBM • Microsoft Geneva TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • One size does fit it all • Most federation solution support many different SSO technologies • Most are based on any kind of LDAP backend TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  • Thanks for listening contact me if you have any questions email: oliver@php.net email: oliver@teqneers.de phone: +49 (711) 46 97 28-82 Have Fun! TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011