Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
SSO                           Single Sign-On  TEQneers GmbH & Co. KG                    Dipl. Betriebswirt (BA) Oliver Mül...
Definition                • Property of access control of multiple,                       related, but independent softwar...
Benefits           • Reducing countless logins and passwords           • Reducing time effort to re-login           • Redu...
Criticism                • Stolen credential opens all dungeons                • Infrastructure                • Might be ...
Issues                • Different apps uses different SSO                       processes                • Impossible to f...
Solutions             • Kerberos [1983]             • LDAP (slapd, Active Directory, …) [1993]             • NTLM (NT Lan ...
Kerberos                • No easy setup                • Not easy for developers to setup same                       envir...
LDAP / AD                • SAME sign-on                • Intranet barrier (too much information)                • External...
// using ldap bind                $ldaprdn = uname; // ldap rdn or dn                $ldappass = password; // associated p...
NTLM                • Intranet barrier                • External service provider unable to use                       SSO ...
function get_msg_str($msg, $start, $unicode = true) {                           $len = (ord($msg[$start+1]) * 256) + ord($...
Central Authentication                  Service (CAS)                • Token/ticket based authentication                • ...
include_once(CAS.php);                // initialize phpCAS                phpCAS::client(CAS_VERSION_2_0,sso-cas.home.com,...
Public Key                           Infrastructure (PKI)       • X.509 certification based authentication       • Its abo...
### PHP       $cert = openssl_x509_parse($_SERVER[‘SSL_CLIENT_CERT’]));       // verify login                             ...
SAML                • Security Assertion Markup Language                • Defined by OASIS                • Made for inter...
SAML Parties                • Client (browser)                • Web application                • Service Provider (SAML cl...
Service Provider                • selfmade                • simpleSAMLphp (open source PHP                       solution)...
TEQneers GmbH & Co. KG   Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
• user enters URL https://app.com/saml.php     • user without valid SAML assertion will be forwarded to service provider  ...
// Load simpleSAMLphp configuration and session.            $config = SimpleSAML_Configuration::getInstance();            ...
<saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z"         Issuer="TransactionMinderSAMLIssuer" Maj...
Identity Server                • Shibboleth IdP (open source)                • PingIdentity                • Oracle Identi...
One size does fit it all                • Most federation solution support many                       different SSO techno...
Thanks for listening                           contact me if you have any questions                                  email...
Upcoming SlideShare
Loading in …5
×

Enterprise Single Sign-On - SSO

11,557 views

Published on

  • DOWNLOAD FULL. BOOKS INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Enterprise Single Sign-On - SSO

  1. 1. SSO Single Sign-On TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  2. 2. Definition • Property of access control of multiple, related, but independent software systems • One time authorization process for multiple applications, websites, ... TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  3. 3. Benefits • Reducing countless logins and passwords • Reducing time effort to re-login • Reducing IT cost/help desk • Same level of password security everywhere • Centralized reporting • Usually much better passwords TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  4. 4. Criticism • Stolen credential opens all dungeons • Infrastructure • Might be combined with strong authentications (e.g. SmartCards) • Many solutions need very expensive software or hardware solutions TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  5. 5. Issues • Different apps uses different SSO processes • Impossible to find ONE SSO for all (?) • Most solution unable to jump over intranet barrier TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  6. 6. Solutions • Kerberos [1983] • LDAP (slapd, Active Directory, …) [1993] • NTLM (NT Lan Manager) [2000] • CAS (Central Authentication Service) [2001] • PKI (Public Key Infrastructure) [1969] • SAML [2002] • ... TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  7. 7. Kerberos • No easy setup • Not easy for developers to setup same environment • Intranet barrier • External service provider unable to use SSO TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  8. 8. LDAP / AD • SAME sign-on • Intranet barrier (too much information) • External service provider unable to use SSO • Easy to implement • Nice to sync user data TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  9. 9. // using ldap bind $ldaprdn = uname; // ldap rdn or dn $ldappass = password; // associated password // connect to ldap server $ldapconn = ldap_connect("ldap.example.com") or die("Could not connect to LDAP server."); if ($ldapconn) { // binding to ldap server $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass); // verify binding if ($ldapbind) { echo "LOGIN successful..."; } else { echo "LOGIN failed..."; } } TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  10. 10. NTLM • Intranet barrier • External service provider unable to use SSO • Based on Windows logon and Kerberos • Compatibility issues (more or less Microsoft territory Windows, IIS, IE) • Easy to implement for developers TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  11. 11. function get_msg_str($msg, $start, $unicode = true) { $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]); $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]); if ($unicode) return str_replace("0", , substr($msg, $off, $len)); else return substr($msg, $off, $len); } $msg = base64_decode(substr($auth, 5)); $user = get_msg_str($msg, 36); $domain = get_msg_str($msg, 28); $workstation = get_msg_str($msg, 44); print "You are $user from $domain/$workstation"; TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  12. 12. Central Authentication Service (CAS) • Token/ticket based authentication • Developed by Yale University • phpCAS open source implementation • Made for web only • Common in education environment TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  13. 13. include_once(CAS.php); // initialize phpCAS phpCAS::client(CAS_VERSION_2_0,sso-cas.home.com,443,); // no SSL validation for the CAS server phpCAS::setNoCasServerValidation(); // force CAS authentication phpCAS::forceAuthentication(); // at this step, the user has been authenticated by the CAS server // and the users login name can be read with phpCAS::getUser(). // logout if desired if (isset($_REQUEST[logout])) { phpCAS::logout(); } echo "LOGIN successful..."; TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  14. 14. Public Key Infrastructure (PKI) • X.509 certification based authentication • Its about what-you-have (client certificate) and not what-you-know (password) • Often used with smart cards (e.g. employee ID) • Made for Web, SSH, OS login, ... • Common in enterprise and government solutions TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  15. 15. ### PHP $cert = openssl_x509_parse($_SERVER[‘SSL_CLIENT_CERT’])); // verify login array(12) { if ( in_array( $cert[‘subject’][‘cn’], $allowedLogins ) ) { ["name"]=> string(75) "/C=DE/O=TEQneers/ echo "LOGIN successful..."; OU=Dev/CN=Oliver/ } else { emailAddress=oliver@php.net" echo "LOGIN failed..."; ["subject"]=> array(6) { } ["C"]=> string(2) "DE" ["O"]=> string(10) "TEQneers" ["OU"]=> string(10) "Dev" ["CN"]=> string(8) "Oliver" ["emailAddress"]=> string(10) "foo@bar.de" ### Apache configuration or .htaccess } ["hash"]=> string(8) "123abc45" SSLVerifyClient required ["issuer"]=> array(7) { ... SSLRequireSSL } SSLVerifyDepth 1 ["version"]=> int(2) ["serialNumber"]=> string(1) "987" ["validFrom"]=> string(13) "110131143055Z" ["validTo"]=> string(13) "130130142954Z" ... TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  16. 16. SAML • Security Assertion Markup Language • Defined by OASIS • Made for internet and extranet sites • Credentials/Information can be configured • Open (based on XML, SOAP, HTTP, ...) TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  17. 17. SAML Parties • Client (browser) • Web application • Service Provider (SAML client) • Identity Provider (enterprise federation server) TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  18. 18. Service Provider • selfmade • simpleSAMLphp (open source PHP solution) • PingConnect (PHP, Perl, Java, …) • ... TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  19. 19. TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  20. 20. • user enters URL https://app.com/saml.php • user without valid SAML assertion will be forwarded to service provider • browser asks service provider to give him a XML assertion • XML assertion request form is send back to the browser • browser forwards assertion request form to identity provider • IF NOT LOGGED IN YET • identity provider ask the user to log into the enterprise network • user enters his login/password and sends it back to identity provider • client receives a XML assertion and cookie signed by the identity provider • XML assertion is send to service provider, who validates assertion • if assertion is valid, user will be pushed back to his initial url • assertion will be checked and user is going to be looked up in your app • if user exists, app start page appears, otherwise app might show standard login page TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  21. 21. // Load simpleSAMLphp configuration and session. $config = SimpleSAML_Configuration::getInstance(); $session = SimpleSAML_Session::getInstance(); // Check if valid local session exists. if (!$session->isValid(saml2) ) { // Redirect to the IdP for authentication. SimpleSAML_Utilities::redirect( / . $config->getBaseURL() . saml2/sp/initSSO.php, array(RelayState => SimpleSAML_Utilities::selfURL()) ); } // successful authorization $attributes = $session->getAttributes(); print_r($attributes); // might print out email or login TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  22. 22. <saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z" Issuer="TransactionMinderSAMLIssuer" MajorVersion="1" MinorVersion="0" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"> <saml:Conditions NotBefore="2008-10-08T20:16:12.307Z NotOnOrAfter="2008-1008T22:16:12.307Z"/> <saml:AuthenticationStatement AuthenticationInstant="2008-10-08T20:16:12.307Z" AuthenticationMethod="urn:oasis:names:tc:SAML"> <saml:Subject> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0" NameQualifier="Domain Name">Claire Wasser</saml:NameIdentifier> <saml:SubjectConfirmation> <saml:ConfirmationMethod>http://www/> <saml:SubjectConfirmationData>R1VD8fkkvlrhp</saml:SubjectConfirmationData> </saml:SubjectConfirmation> </saml:Subject> </saml:AuthenticationStatement> </saml:Assertion> TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  23. 23. Identity Server • Shibboleth IdP (open source) • PingIdentity • Oracle Identity Server • SAP NetWeaver • Sun OpenSSO ForgeRock OpenAM • IBM • Microsoft Geneva TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  24. 24. One size does fit it all • Most federation solution support many different SSO technologies • Most are based on any kind of LDAP backend TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011
  25. 25. Thanks for listening contact me if you have any questions email: oliver@php.net email: oliver@teqneers.de phone: +49 (711) 46 97 28-82 Have Fun! TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver MüllerSamstag, 5. März 2011

×