Single Sign On 101

13,801 views

Published on

These slides are supposed to help you understand the basics of application security, and how the latest technologies come together to enable you to reduce the number of times people at your organization need to authenticate.

For more information visit. http://gluu.org

Published in: Technology

Single Sign On 101

  1. 1. Single Sign-On 101 Solutions, Technology, and Recommendations
  2. 2. Single sign-on (SSO) allows a person to authenticate once at their home domain to obtain a “token”, which is stored in the browser (cookie) or mobile device, and can be presented to websites as evidence of authentication. In SALM the token is XML In OpenID Connect, the token is JSON The tokens are signed by the domain, so the website can validate them. What is Single Sign-On
  3. 3. Single logout (SLO) ensures that after a user logs out at their home domain, all “tabs” are also logged out. OpenID Connect defines a non-network based logout mechanism. Beware! Applications may only test credentials on login! What is Single Logout
  4. 4. Why do you need SSO? ● Essential for portals, where the page consists of multiple backend services. ● Increased productivity for people who use the authentication service ● Increased productivity for developers who don’t need to write authentication code. ● Enables domain to leverage strong credentials at third party sites.
  5. 5. Relevant Protocols ● SAML 2.0 - Currently the most widely adopted standard for Web SSO. XML based. ● OpenID Connect - Most promising successor to SAML, it is a profile of OAuth2, and promises better support for mobile. ● Earlier protocols that are still in use should be deprecated: ○ Kerberos, RADIUS, LDAP, WS-*, OpenID 2, CAS...
  6. 6. Relevant Jargon SAML OpenID Connect Identity Provider (IDP) OpenID Provider (OP) Service Provider (SP) Relying Party (RP) Attributes User claims SP Metadata Client Claims
  7. 7. Develop your SSO roadmap.. 1. Understand market offerings 2. Evaluate your needs 3. Align with a solution
  8. 8. ● SaaS - Vendors provide a multi-tenant IDP. You can quickly try, buy and fly with SSO to popular pre- integrated cloud apps. ● Open Source - You can design, build and operate your domain IDP using open source software. ● Enterprise Software - Pay to use the software, otherwise identical to Open Source. ● Managed Service- Host your domain IDP on your network, but share operations. 1) Market Offerings for large organizations
  9. 9. 2) Evaluate your needs ● Are you ok with persisting personal data in the cloud? ● Are you ok with access to your systems by a third party? ● Do you have a custom requirements for authentication, or strong authentication for your domain? ● How many “users” and “applications” do you have? ● Do you need to support mobile authentication? ● Do you need to have “business continuity” or disaster recovery
  10. 10. 3) Align with a solution ● SaaS - Okta, OneLogin, Stormpath, Symplified ● Open Source - Gluu, ForgeRock, Independent integrators and consulting shops ● Enterprise Software - Oracle Access Manager, CA SiteMinder, IBM Tivoli Access Manager, RSA Cleartrust, Microsoft ADFS, Ping Federate
  11. 11. ● SaaS ○ No root access to the server. If there's a security breach, it affects everyone. ○ Per user or per application pricing can become costly. ● Open Source ○ Expensive to design and build ○ High cost of care and feeding ○ Hard to support new app integrations ● Proprietary ○ Expensive license fees ○ Vendor lock-in Limitations of SSO Solutions
  12. 12. 2 Factor Authentication ● 80% of Internet security breaches are bad passwords ● Many new mobile, bio-metric, location based, and cryptographic authentication mechanisms are being devised. ● Prices are coming down. ● Better enrollment and “password reset” functionality.
  13. 13. Authorization ● ● Organization can create policies to control which clients and people can access which URL’s ● Application contain a lot of security policies... only centralize what is common between applications.
  14. 14. Authorization Sequence
  15. 15. Our Recommendations ● Choose a platform that gives your organization the flexibility to implement its business logic. ● Make sure your solution is Future proof : be ready new strong authentication services ● Use open standards and open source when possible!
  16. 16. Questions? Just reach out!! http://gluu.org

×