Single Sign On - The Basics

This presentation was first presented at Global Technology Office, Virtusa on 3rd June 2014

Published in: Software, Technology
  1. Single Sign On – The Basics
     Ishan A B Ambanwela
  2. Contents
     ● What is SSO
     ● Not to be Confused with
     ● Pros & Cons
     ● SSO Approaches – By Configuration
     ● Types of SSO
       – Legacy SSO
       – Password Synchronization
       – Software Token Based Authentication
         ● Browser Session
         ● PC Login session
       – Mobile SSO
     ● Q&A
  3. What is SSO
     ● Single sign-on gives users the ability to access more than one protected resource (web pages and applications) with one authentication.
  4. Not to be Confused with...
     ● Authentication vs Authorization
     ● Shared authentication schemes
       – OAuth
       – OpenID / OpenID Connect
       – Facebook Connect
     ● Single Sign Out
  5. Pros & Cons
     Pros
     ● Reduced operational cost
     ● Reduced time to access data
     ● Improved user experience
     ● Eases the burden on developers
     ● Centralized management of users
     ● Fine grained auditing
     ● Effective compliance
     ● Advanced security for systems
       – Smart cards, one time password tokens
     Cons
     ● Impractical where different levels of secure access are needed
     ● Increases the negative impact if credentials are exposed
     ● Makes the authentication system highly critical
     ● Complex logic and pitfalls
     ● Should be combined with strong authentication methods
       – Smart cards, one time password tokens
  6. SSO Approaches – By Configuration
     ● Smart card based
     ● Kerberos based
     ● SAML (Security Assertion Markup Language)
     ● Integrated Windows Authentication
       – An umbrella term for SPNEGO, Kerberos, and NTLMSSP
  7. Types of SSO
     ● Legacy SSO
     ● Password synchronization
     ● Software Token Based Authentication
  8. Legacy SSO
     ● aka Enterprise or Employee SSO (eSSO)
     ● After primary authentication, it intercepts further login prompts and fills them in for you
     ● This is accomplished using
       – A script, which executes the real application with the credentials
       – A background service, which monitors for login prompts and passes in the credentials
     ● Products/Implementations
       – Citrix Password Manager, Imprivata eSSO appliance, PassLogix, Novell’s Secure Login
  9. Password Synchronization
     ● A process that coordinates passwords across multiple computers, devices and/or applications
     ● Each computer, device or application still authenticates on its own, but this happens behind the scenes
     ● Products/Implementations
       – MTech's P-Synch, Proginet's SecurPass, Systor's SAM Password Synchronization
  10. Software Token Based Authentication
     ● Users enter their username and password in order to obtain a token
     ● Once the token has been obtained, the user offers the token, which grants access to a specific resource for a limited time period, to the remote site instead of credentials
     ● Complex encryption with complex logic is what differentiates the implementations
     ● Usually associated with a session
       – Web SSO – browser session
       – Other SSO – PC login session
  11. Web SSO
     ● Works for browser based applications
     ● Cookie support is required, because the token is kept in a cookie
     ● Usually single sign-on to applications deployed on a single web server (domain)
     ● Implementations
       – Jasig CAS
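The token flow described on slides 10 and 11, as an added example that is not part of the original deck or of any product it names: credentials are checked once by an SSO server, which returns a signed token with an expiry; a relying application then accepts that token (carried in a cookie) instead of credentials, verifying the signature before trusting any field and rejecting tokens whose time window has passed. The signing key, user store and hashing scheme are constructed for the demo.

```python
import base64, binascii, hashlib, hmac, json, secrets, time

# Constructed demo values: a real SSO server would hold a long random key
# and store passwords with a slow hash (scrypt/argon2), not plain SHA-256.
IDP_KEY = b"constructed-demo-key-do-not-use"
TOKEN_TTL = 300  # seconds of access a token grants
_USERS = {"alice": hashlib.sha256(b"salt|correct horse").hexdigest()}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(username, password, now=None):
    """Primary authentication (SSO server): verify credentials once and
    return a signed, time-limited token for the browser to keep in a cookie."""
    now = int(now if now is not None else time.time())
    digest = hashlib.sha256(b"salt|" + password.encode()).hexdigest()
    if not hmac.compare_digest(_USERS.get(username, ""), digest):
        return None
    claims = {"sub": username, "exp": now + TOKEN_TTL, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def validate_token(token, now=None):
    """Relying application: accept the token in place of credentials.
    Returns the subject on success, None if the token is malformed,
    tampered with, or expired. Signature is checked before any claim is read."""
    now = int(now if now is not None else time.time())
    try:
        p_b64, s_b64 = token.split(".")
        payload, sig = _unb64(p_b64), _unb64(s_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or modified token
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # access window has passed; user must re-authenticate
    return claims["sub"]
```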
  12. PC Login session based SSO
     ● Works for all kinds of applications
       – Mail clients
       – Web applications
     ● The token is kept in the user's login session
     ● The client application must implement this feature
     ● Implementations
       – Some Kerberos implementations
       – NTLM
  13. Mobile SSO
     ● Since a mobile phone/tablet is a strictly personal device, SSO does not play a very significant role
     ● Can save all the different passwords, as in Legacy SSO
     ● As the technology becomes more complex, SSO will be introduced in the near future
  14. Q & A
  15. References
     ● https://www.owasp.org/images/2/26/OWASPSanAntonio_2006_08_SingleSignOn.ppt
     ● http://www.jasig.org/cas/protocol
     ● http://web.mit.edu/kerberos/
     ● Various SSO product pages
  16. Thank you and Good luck :-)
