
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva


Are you asking yourself how to take your in-house application and make it available to internal users, partners or customers using SSO and access management technologies? Oh, and you don't want it to be a 6-month project? No problem. Come and find out how to leverage your existing investments and move to modern standards like OpenID Connect without having to rip and replace infrastructure. Learn the capabilities and trade-offs you can make to deploy the right level of identity and access management infrastructure to match your security needs.



  1. So you want to SSO … Scott Tomilson, John DaSilva
  2. You’ve waited long enough … [Diagram: Mobile Apps, Web Apps and SaaS Apps, each with its own username and password] Copyright © 2015 Cloud Identity Summit. All rights reserved.
  3. [Image slide]
  4. Integration Kits
  5. It’s time for SSO … … what do you mean by SSO? App Enablement? Session Management? Access Control? Auditing? Authentication Policy? “One Username & Password (or some other form of authentication) just One Time”
  6. It’s time for SSO … … and how will we get SSO? Open Standards? On-Premise? IDaaS? Agents vs Gateway? App Changes? “Eliminate Unnecessary Passwords” (yes, some work will be needed – but you want to do this the right way)
  7. [Diagram: Access Management, Enterprise, Federated Identity Management]
  8. SSO for Web Applications
  9. “First Mile” / “Last Mile” Integration [Diagram: Identity Store ↔ Federation Server (Identity Provider, IdP) is the “First Mile”; Federation Server (Service Provider, SP) ↔ Target App is the “Last Mile”]
  10. “First Mile” Integration
     • If you’re using a Federation Server – hopefully this is just a configuration exercise:
       • ADconnect (Active Directory)
       • PingFederate (Complex AD, LDAP, WAM, etc.)
       • PingOne Cloud Directory (IDaaS user/group dir.)
     • Worst case – there are Libraries & APIs to help you integrate a custom portal or user store
  11. “Last Mile” Integration – Here’s where things get interesting …
  12. “Last Mile” Integration – Question #1: Does your application support Web (federated) SSO standards? (i.e. SAML, WS-Federation, OpenID Connect)
  13. “Last Mile” Integration – with Standards [Diagram: Identity Store ↔ Federation Server (IdP) → SAML → Target App (SP)]
  14. “Last Mile” Integration – with Standards [Diagram: Your Identity Stores / Partners (Acme, Beta, Com) → SAML → Federation Hub → SAML → Your Apps]
  15. “Last Mile” Integration – with Standards [Flowchart: Does your app support Web SSO standards (SAML/WS-Fed/OIDC)? Yes → Do you prefer IDaaS? Yes / No. No → next question]
  16. “Last Mile” Integration – Question #2: Does your application support HTTP header-based SSO?
  17. “Last Mile” Integration – with HTTP Headers [Diagram: Identity Store ↔ Federation Server (IdP) → SAML → Federation Server (SP) → Agent / Gateway → HTTP Headers (User: joe, Email: joe@co.co, Group: Sales) → Target App]
  18. “Last Mile” Integration – with HTTP Headers
     • Federated SSO
       • PingFederate Integration Kits: Apache & IIS
     • WAM Features (Session Management, URL Authorization & Auditing)
       • Gateway (Reverse Proxy)
       • Agents: Apache & IIS
  19. “Last Mile” Integration – with Standards [Flowchart: Does your app support HTTP header-based SSO? Yes → Do you want WAM features? Yes / No. No → next question]
  20. “Last Mile” Integration – Question #3: Can you modify the application?
  21. “Last Mile” Integration – with App Changes
     | Features | Approach | Effort Level | Product(s) |
     |---|---|---|---|
     | Federated SSO | Implement SAML | L | n/a |
     | Federated SSO | Implement OpenID Connect | S | n/a |
     | Federated SSO | HTTP Headers | XS | PingFederate |
     | Federated SSO | REST API | S | PingFederate, PingOne SSO Integration Kit |
     | Federated SSO | SDK Library (Java, .NET) | S | PingFederate |
     | WAM Features (Session Management, URL Authorization & Auditing) | HTTP Headers | XS | PingAccess |
  22. “Last Mile” Integration – Question #4: Did you reach here with 3 NO’s?
  23. “Last Mile” Integration – “I’m out of options…”
     • PingFederate Integration Kits
     • Basic SSO (Password Vaulting)
     … still lost? Talk to us!
  24. SSO for Mobile Applications
  25. Get Your Time Machines Ready …
  26. SSO for Mobile Applications
     • Are multiple logins (with the same creds) OK?
       • User experience could be mitigated with long-lived refresh tokens
     • Shared refresh tokens? (Multiple apps – same dev. signer)
     • Shared browser session?
     • Centralized broker of OAuth Access Tokens
       • NAPPS – http://openid.net/wg/napps/
       • PingOne Mobile – early NAPPS draft support, compatible with both PingFederate and PingOne
  27. In Closing …
  28. [Closing slide]
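The agent/gateway pattern of slides 17 and 18 hands the target application an already-authenticated identity as plain HTTP headers, so the one security job left to the application is to honour those headers only when the request really came through the gateway. The following is an added example, not code from the talk or from Ping Identity: the X-Gateway-Token shared-secret marker and the sample header values are constructed assumptions (network isolation or mutual TLS between gateway and app are the other usual ways to enforce the same boundary).

```python
import hmac
from dataclasses import dataclass
from typing import Mapping, Tuple

# Constructed shared secret the gateway adds to every relayed request; an
# assumption of this example, provisioned out of band to gateway and app.
GATEWAY_SECRET = "example-gateway-secret-not-from-the-slides"

@dataclass(frozen=True)
class Principal:
    user: str
    email: str
    groups: Tuple[str, ...]

class NotViaGateway(Exception):
    """Raised when the identity headers cannot be trusted."""

def principal_from_headers(headers: Mapping[str, str]) -> Principal:
    """Build the SSO principal from the gateway-set headers of slide 17.

    HTTP header names are case-insensitive, so normalise before lookup. The
    User/Email/Group headers are honoured only when the gateway marker is
    present and correct; otherwise the request is unauthenticated, whatever
    identity values it carries.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not hmac.compare_digest(h.get("x-gateway-token", "").encode(), GATEWAY_SECRET.encode()):
        raise NotViaGateway("request did not arrive through the gateway")
    user = h.get("user", "").strip()
    if not user:
        raise NotViaGateway("gateway asserted no user")
    groups = tuple(g.strip() for g in h.get("group", "").split(",") if g.strip())
    return Principal(user=user, email=h.get("email", "").strip(), groups=groups)

def authorize_sales_report(headers: Mapping[str, str]) -> Tuple[int, str]:
    """URL-authorization check in the style of the WAM feature: Sales only."""
    try:
        p = principal_from_headers(headers)
    except NotViaGateway:
        return 401, "authentication required"
    if "Sales" not in p.groups:
        return 403, f"{p.user} is not in Sales"
    return 200, f"report for {p.user} <{p.email}>"

# Constructed requests: one relayed by the gateway with slide 17's header values,
# one that reached the app directly and therefore carries no trusted marker.
VIA_GATEWAY = {"X-Gateway-Token": GATEWAY_SECRET, "User": "joe",
               "Email": "joe@co.co", "Group": "Sales"}
DIRECT = {"User": "joe", "Email": "joe@co.co", "Group": "Sales"}
```

Only the relayed request yields a principal; the direct one is treated as unauthenticated even though it carries the same User/Email/Group values.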
