Implementation of Single Sign On (SSO) Technology Using SAML Standards At UNIKOM Information Systems - International Conference on Interdisciplinary Academic Research And Innovation (IARI-2016)
1. Implementation of Single Sign On (SSO) Technology Using SAML Standards At UNIKOM Information Systems
International Conference on Interdisciplinary Academic Research And Innovation (IARI-2016)
November 23-24, 2016
Taryana Suryana, Irawan Afrianto, Andri Heryandi
Informatics Engineering, Faculty of Engineering and Computer Science
Universitas Komputer Indonesia
2. Backgrounds
• Many applications that require login
• Many accounts to remember
• Different usernames and passwords
• Admins create many users and passwords
• Complicated password management
[Diagram: UNIKOM's Information Systems, used by Lecturers, Students and Admins: Thrusty, Online Value (NilaiOnline), E-Learning, Autodebet, Social Media, Campus Asset Management, Evaluation of Lecture, Finance, Academic Scholarship]
3. Definitions
• Single Sign On (SSO)
Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session. On the back end, SSO is helpful for logging user activities as well as monitoring user accounts.
(http://searchsecurity.techtarget.com/definition/single-sign-on)
4. Definitions
• Security Assertion Markup Language (SAML)
SAML is an XML standard that facilitates the exchange of user authentication and authorization data across secure domains. SAML-based SSO services involve communications between the user, an identity provider that maintains a user directory, and a service provider. When a user attempts to access an application from the service provider, the service provider will send a request to the identity provider for authentication. The service provider will then verify the authentication and log the user in. The user will not have to log in again for the rest of his session.
(http://searchsecurity.techtarget.com/definition/single-sign-on)
5. Definitions
• Google Apps For Education (GAFE)
Google Apps for Education core services are the heart of Google's educational offering to schools. The core services are Gmail (including Inbox by Gmail), Calendar, Classroom, Contacts, Drive, Docs, Forms, Groups, Sheets, Sites, Slides, Talk/Hangouts and Vault.
SSO is available for G Suite Basic, G Suite Business, and G Suite for Education. It enables users to access all of their enterprise cloud applications—including administrators signing in to the Admin console—by signing in one time for all services.
GAFE also provides a Security Assertion Markup Language (SAML)-based SSO API that you can use to integrate with your Lightweight Directory Access Protocol (LDAP) or other SSO system. LDAP is a networking protocol for querying and modifying directory services running over TCP/IP.
(https://support.google.com/a/answer/60224?hl=en)
8. Analysis and System Design
Unikom Password - Single Sign On Backbone Unikom
Client transfers are encrypted with SSL/TLS over the HTTPS protocol.
Sensitive data such as the username and password receive a second layer of encryption (Second Layer Encryption) using the ASecure library (developed by Digital Center, based on the RSA algorithm), with a different public and private key for each session, minimum 1024 bits. The key for delivering data is generated on the server (PHP); the key for receiving data is generated in the browser (JavaScript).
The connection between the client apps (Score Online, Trusts, Online Lecture, etc.) and the Digital Passport runs over the Digital Passport Protocol and is always encrypted with OpenSSL; each client has its own distinct public key and access permissions that vary according to its needs.
Web-based client apps must include the Digital Passport Dashboard in their HTML/PHP files so that users can navigate and perform activities related to their account.
Client apps need not (and should not) create their own login/registration forms or user management. A client app can directly determine the status of the user accessing the web page by communicating over the Digital Passport Protocol (or by using the Digital Passport API for PHP).
14. Results
• Users (lecturers and students) find it more convenient to access the Unikom Information System
• Administrators manage users and passwords more easily
• Transactions are more secure
15. Further Research
• Although single sign-on is a convenience to users, it presents risks to enterprise security. An attacker who gains control over a user's SSO credentials will be granted access to every application the user has rights to, increasing the amount of potential damage. In order to avoid malicious access, it is essential that every aspect of the SSO implementation be coupled with identity governance. Organizations can also use two-factor authentication (2FA) or multifactor authentication (MFA) with SSO to improve security.