Single Sign-On Vijay Kumar, CISSP
Agenda <ul><li>What is Single Sign-On (SSO) </li></ul><ul><li>Advantages of SSO </li></ul><ul><li>Types of SSO </li></ul><...
What is SSO <ul><li>Single sign-on is a user/session authentication process that permits a user to enter one name and pass...
Advantages  <ul><li>Reduced operational cost </li></ul><ul><li>Reduced time to access data, e.g. ER </li></ul><ul><li>Impr...
Identity Management <ul><li>Encompasses  </li></ul><ul><ul><li>directory services </li></ul></ul><ul><ul><li>authenticatio...
Types of SSO <ul><li>Password Synchronization </li></ul><ul><li>Legacy SSO (Employee/Enterprise SSO) </li></ul><ul><li>Web...
Password Synchronization <ul><li>A process that coordinates passwords across multiple computers and devices and/or applica...
eSSO <ul><li>Aka – Enterprise or Employee SSO </li></ul><ul><li>After primary authentication, it intercepts further login ...
Two Types of eSSO <ul><li>Script based </li></ul><ul><ul><li>Write a script that would take the target applications creden...
What to Look For in eSSO Products <ul><li>Cost </li></ul><ul><li>Usability </li></ul><ul><li>Functionality </li></ul><ul><...
eSSO Products <ul><li>Citrix Password Manager </li></ul><ul><li>Imprivata eSSO appliance </li></ul><ul><li>PassLogix (big ...
Citrix Password Manager <ul><li>Installs on Citrix clients or Windows server </li></ul><ul><li>Self service password reset...
Basic Web SSO (WAM) <ul><li>Browser based application </li></ul><ul><li>Cookie support is required </li></ul><ul><li>Singl...
Cross Domain SSO <ul><li>Multiple realms that manage user credentials. </li></ul><ul><li>A user authenticated in one realm...
Novell SecureLogin <ul><li>True SSO for </li></ul><ul><ul><li>Web applications </li></ul></ul><ul><ul><li>Windows host (Wi...
Novell SecureLogin
Sun Java Access Manager
Oblix (Oracle)
Federated SSO <ul><li>Extend SSO across enterprises </li></ul><ul><li>Liberty Alliance, OASIS, IBM/Microsoft  </li></ul><u...
Liberty Model for federated SSO
ACEGI Security <ul><li>Open Source  ACEGI </li></ul><ul><li>Enterprise solution </li></ul><ul><li>Authentication, </li></u...
JA-SIG Central Authentication Service <ul><li>Open Source ( CAS ) </li></ul>
Microsoft <ul><li>Windows Server 2003 R2 adds </li></ul><ul><ul><li>Active Directory Federation Service </li></ul></ul><ul...
Case Study <ul><li>Federal Aviation Administration </li></ul><ul><li>Requirements:  </li></ul><ul><ul><li>Provide SSO to  ...
Summary <ul><li>Reduces cost </li></ul><ul><li>Enhances security </li></ul><ul><li>Supports compliance  </li></ul><ul><ul>...
References <ul><li>Sun Java System Access Manager </li></ul><ul><li>eTrust Secure Sign-On </li></ul><ul><li>Oracle IDM </l...
Q & A
Upcoming SlideShare
Loading in …5
×

OWASPSanAntonio_2006_08_SingleSignOn.ppt

992 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
992
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
25
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • CAS : # A library of clients for Java, .Net, PHP, Perl, Apache, uPortal, and others # Integrates with uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle and others
  • OWASPSanAntonio_2006_08_SingleSignOn.ppt

    1. 1. Single Sign-On Vijay Kumar, CISSP
    2. 2. Agenda <ul><li>What is Single Sign-On (SSO) </li></ul><ul><li>Advantages of SSO </li></ul><ul><li>Types of SSO </li></ul><ul><li>Examples </li></ul><ul><li>Case Study </li></ul><ul><li>Summary </li></ul>
    3. 3. What is SSO <ul><li>Single sign-on is a user/session authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. </li></ul>
    4. 4. Advantages <ul><li>Reduced operational cost </li></ul><ul><li>Reduced time to access data, e.g. ER </li></ul><ul><li>Improved user experience, no password lists to carry </li></ul><ul><li>Advanced security to systems </li></ul><ul><ul><li>Strong authentication </li></ul></ul><ul><ul><ul><li>One Time Password devices </li></ul></ul></ul><ul><ul><ul><li>Smartcards </li></ul></ul></ul><ul><li>Ease burden on developers </li></ul><ul><li>Centralized management of users, roles </li></ul><ul><li>Fine grained auditing </li></ul><ul><li>Effective compliance (SOX, HIPPA) </li></ul>
    5. 5. Identity Management <ul><li>Encompasses </li></ul><ul><ul><li>directory services </li></ul></ul><ul><ul><li>authentication and authorization services </li></ul></ul><ul><ul><li>certificate authorities </li></ul></ul><ul><ul><li>administration consoles </li></ul></ul><ul><ul><li>single sign-on </li></ul></ul><ul><ul><li>provisioning services. </li></ul></ul>
    6. 6. Types of SSO <ul><li>Password Synchronization </li></ul><ul><li>Legacy SSO (Employee/Enterprise SSO) </li></ul><ul><li>Web Access Management (WAM) </li></ul><ul><li>Cross Domain (realm) SSO </li></ul><ul><li>Federated SSO </li></ul>
    7. 7. Password Synchronization <ul><li>A process that coordinates passwords across multiple computers and devices and/or applications </li></ul><ul><li>Each computer, device, application still authenticates but behind the scene </li></ul><ul><li>Products: </li></ul><ul><ul><li>MTech’s P-Synch </li></ul></ul><ul><ul><li>SecurePass </li></ul></ul><ul><ul><li>SAM Pass Synch </li></ul></ul>
    8. 8. eSSO <ul><li>Aka – Enterprise or Employee SSO </li></ul><ul><li>After primary authentication, it intercepts further login prompts and fills them for you. </li></ul><ul><li>Learns as you use different apps. </li></ul><ul><li>Screen Scraping </li></ul>
    9. 9. Two Types of eSSO <ul><li>Script based </li></ul><ul><ul><li>Write a script that would take the target applications credentials and launch the application </li></ul></ul><ul><ul><li>Requires modification of desktop icons </li></ul></ul><ul><li>Application wizard based </li></ul><ul><ul><li>Runs a service on the client that continually monitors the workstation for login dialog boxes </li></ul></ul><ul><ul><li>Event based, cheaper, and easier to deploy </li></ul></ul>
    10. 10. What to Look For in eSSO Products <ul><li>Cost </li></ul><ul><li>Usability </li></ul><ul><li>Functionality </li></ul><ul><ul><li>Application enablers </li></ul></ul><ul><ul><li>Encryption </li></ul></ul><ul><ul><li>Integrated with OS authentication </li></ul></ul><ul><ul><li>OS security </li></ul></ul><ul><ul><li>Multiple directories support </li></ul></ul><ul><li>Password Policy Enforcement </li></ul><ul><li>Backup and Disaster Recovery </li></ul><ul><li>Maintenance and Support </li></ul>
    11. 11. eSSO Products <ul><li>Citrix Password Manager </li></ul><ul><li>Imprivata eSSO appliance </li></ul><ul><li>PassLogix (big in Healthcare) </li></ul><ul><li>Novell’s Secure Login </li></ul><ul><li>Microsoft Windows Server </li></ul>
    12. 12. Citrix Password Manager <ul><li>Installs on Citrix clients or Windows server </li></ul><ul><li>Self service password reset and account unlock </li></ul><ul><li>Hot swappable desktop (unlike Windows or Novell) </li></ul><ul><li>Integrated with User Provisioning software </li></ul><ul><li>LDAP based storage of credentials </li></ul><ul><li>Multifactor authentication support </li></ul>
    13. 13. Basic Web SSO (WAM) <ul><li>Browser based application </li></ul><ul><li>Cookie support is required </li></ul><ul><li>Single sign-on to applications deployed on a single web server (domain) </li></ul>
    14. 14. Cross Domain SSO <ul><li>Multiple realms that manage user credentials. </li></ul><ul><li>A user authenticated in one realm gets signed-on to an application using another realm typically with in the same enterprise </li></ul>
    15. 15. Novell SecureLogin <ul><li>True SSO for </li></ul><ul><ul><li>Web applications </li></ul></ul><ul><ul><li>Windows host (Windows Application Server) </li></ul></ul><ul><ul><li>Legacy (Client Server) applications </li></ul></ul><ul><li>Mutiple identities and password policies stored in eDir in encrypted form </li></ul><ul><li>Novell client is installed on each workstation, </li></ul><ul><li>User can access apps from any workstation </li></ul><ul><li>Optionally cache credentials on workstation </li></ul><ul><li>Transparent pw expirations and resets </li></ul>
    16. 16. Novell SecureLogin
    17. 17. Sun Java Access Manager
    18. 18. Oblix (Oracle)
    19. 19. Federated SSO <ul><li>Extend SSO across enterprises </li></ul><ul><li>Liberty Alliance, OASIS, IBM/Microsoft </li></ul><ul><li>Advantages </li></ul><ul><ul><li>Establishment of trusted partnerships </li></ul></ul><ul><ul><li>New revenue opportunities </li></ul></ul><ul><ul><li>New, efficient, and production biz models </li></ul></ul><ul><li>Why is this hard to implement? </li></ul><ul><ul><li>SAML (OASIS) </li></ul></ul><ul><ul><li>Liberty Alliance builds fed ident on top of SAML </li></ul></ul>
    20. 20. Liberty Model for federated SSO
    21. 21. ACEGI Security <ul><li>Open Source ACEGI </li></ul><ul><li>Enterprise solution </li></ul><ul><li>Authentication, </li></ul><ul><li>Authorization </li></ul><ul><li>Instance-based access control, </li></ul><ul><li>Channel security </li></ul><ul><li>Human user detection capabilities </li></ul><ul><li>Seamless integration with Spring Framework </li></ul><ul><li>SSO via Central Authentication Service (CAS) </li></ul>
    22. 22. JA-SIG Central Authentication Service <ul><li>Open Source ( CAS ) </li></ul>
    23. 23. Microsoft <ul><li>Windows Server 2003 R2 adds </li></ul><ul><ul><li>Active Directory Federation Service </li></ul></ul><ul><ul><li>Web Services based SSO </li></ul></ul><ul><ul><li>Use Active Directory in non-Windows env </li></ul></ul><ul><li>Microsoft Identity Integration Server 2003 </li></ul><ul><ul><li>SSO and account management features </li></ul></ul><ul><ul><li>“agents&quot; that handle protocol translation between Active Directory </li></ul></ul><ul><ul><li>ADFS provides federated SSO based on WS-* </li></ul></ul>
    24. 24. Case Study <ul><li>Federal Aviation Administration </li></ul><ul><li>Requirements: </li></ul><ul><ul><li>Provide SSO to ~500,000 users </li></ul></ul><ul><ul><li>Across 5000 airports world-wide </li></ul></ul><ul><ul><li>>100 web and client server applications </li></ul></ul><ul><ul><li>Multiple Directories, Departments </li></ul></ul><ul><ul><li>Web services authentication </li></ul></ul>
    25. 25. Summary <ul><li>Reduces cost </li></ul><ul><li>Enhances security </li></ul><ul><li>Supports compliance </li></ul><ul><ul><li>Financial Service (FFIEC directive) </li></ul></ul><ul><ul><li>Healthcare (HIPPA) </li></ul></ul><ul><li>But….there are risks. </li></ul><ul><ul><li>Malicious user gets hold of unattended desktop </li></ul></ul><ul><ul><li>Malicious processes/services sign on as you to services that they are not supposed to. </li></ul></ul>
    26. 26. References <ul><li>Sun Java System Access Manager </li></ul><ul><li>eTrust Secure Sign-On </li></ul><ul><li>Oracle IDM </li></ul><ul><li>IBM Tivoli Access Manager </li></ul><ul><li>Novell SecureLogin </li></ul><ul><li>Citrix Password Manager </li></ul><ul><li>Liberty Alliance </li></ul><ul><li>Yale CAS (Central Authentication Service) </li></ul><ul><ul><li>Integrates well with Spring based Acegi </li></ul></ul>
    27. 27. Q & A

    ×