8/8/2019 AST-0006751_Single-Sign-On-101
White Paper: Secure Internet Single Sign-On 101
Table of Contents
Background
Proprietary SSO (Web Agents)
How Secure Internet SSO Works
Secure Internet SSO with PingFederate
Getting Started
Additional Resources
Glossary of Terms
Background
Connecting organizations with their external services over the Internet is critical in today's age of real-time information sharing and collaboration. Organizations are no longer isolated: key services outside of the organization's domain (including outsourced employee services and electronic exchanges with trading partners) have to be easily accessible and interoperable. Collaboration is blurring the lines between enterprises and their service providers. With employees traversing the Internet with highly sensitive data, the connection has to be secure to protect the user, enterprise and service provider. Users are also demanding direct access to external resources and improved ease of use with single sign-on (SSO). As a result, organizations are faced with a myriad of challenges when providing SSO for many different use cases, including:
- Outbound SSO for users to access software as a service (SaaS) and business process outsourcing (BPO) providers, and to connect with trading partners
- Inbound SSO for service providers, such as BPOs and managed services, to access the enterprise's resources
- Internal SSO for the enterprise and its acquisitions, affiliates, subsidiaries and joint ventures
- SSO to a third-party, hosted hub for users to share information among industry organizations
With many options to consider for delivering SSO that works over the Internet, making the right technology decision is crucial to successfully implementing federated identity management and mitigating long deployment times.
Proprietary SSO (Web Agents)
With the success of Web SSO inside the enterprise, many IT organizations looking to provide SSO over the Internet tried to reuse their existing proprietary Web SSO. In order for employees to access external Web sites and for external partners to access internal Web sites, organizations provided a proprietary Web agent to their external partners. Each time access was needed for a different partner, a different proprietary Web agent was implemented, so for each connection organizations needed to support different software for each of their business partners. Over time, the growing number of different Web agents became difficult to manage due to their lack of reusability, and the ability to scale new connections was limited.
As one IT staffer at a Fortune 50 company said, "We need to do single sign-on with fifty external partners. We have fifty different ways of doing it." With each partner connection taking over two months to implement with proprietary SSO methods, IT organizations needed a better way to implement SSO over the Internet; otherwise, it would take years to connect all their partners.
Standards-Based SSO: Federated Identity
To overcome the limitations of proprietary implementations, organizations wanting to implement SSO over the Internet turned to federated identity standards such as Security Assertion Markup Language (SAML) and WS-Federation. These standards allow organizations to share credentials and attributes for authentication and authorization, reducing the need to maintain user credentials in multiple systems and eliminating the re-authentication of users to external resources. By utilizing standards, organizations can deliver secure Internet SSO, which reduces security gaps by creating trusted connections between enterprises providing identities (called identity providers or IdPs) and organizations providing the target applications or resources (called service providers or SPs).
Some IT organizations looked to their incumbent identity management (IdM) stack vendors to provide federated identity management. However, these products have failed to meet their scalability requirements, often requiring six to nine months to implement the first partner connection. Many such products only work with the newest releases of the software suite, forcing users into massive upgrade cycles just to add Internet SSO. Furthermore, implementing federated identity management with the suite products requires the entire identity and access management suite of applications, implying millions of dollars and a two-year implementation, just for SSO that works over the Internet.
With pressure to reduce implementation costs, some IT organizations turned to open source to develop their own Internet SSO solutions. However, open source is fraught with failed implementations: toolkits provide a limited set of functions for specifications such as SAML. Development of each external connection and integrated application requires expensive custom code, often taking up to 74 days to build a single partner connection. Developing SSO securely is also the domain of specialists, often not the expertise of a typical development staff. Base technologies used to implement Internet SSO, such as XML digital signatures, are highly complex and have been found to have significant security vulnerabilities when not implemented using best practices.
Secure Internet SSO allows organizations to provide users safe access to applications across the Internet without the need to re-login.
Standalone solutions for identity federation provide a centralized point for secure Internet SSO configuration that meets the needs of all organizations, including inbound SSO, outbound SSO and internal SSO. Most standalone solutions offer support for a myriad of standard federated identity protocols such as SAML and WS-Federation. Also, they are able to integrate with existing identity and access management infrastructure and existing application environments.
By utilizing standalone federated identity software that implements standards-based SSO, IT organizations can reduce operational costs by providing centralized management of all partner connections, leveraging reusable connection configurations, and integrating easily with existing identity infrastructure and target application environments.
How Secure Internet SSO Works
With secure Internet SSO, once a user has logged into their enterprise's network, they can directly access applications at outsourced services, trading partners and affiliates over the Internet. Hidden from the user, their home enterprise validates their login credential and assembles a specially formatted software message called a SAML assertion that contains information about the user. The identity-providing organization then transmits the assertion to the external service provider over the Internet via a trusted connection that has previously been established between the two organizations. The service provider then reads the information in the assertion and uses it to give the user access to their resources and pertinent information over the Internet without requiring additional usernames, passwords or any other login mechanism.
The key to secure Internet SSO is the browser: there are no agents required on the end user's machine. Browsers such as Internet Explorer, Mozilla Firefox and Apple Safari provide the ability to interoperate, unbeknownst to the user, with federated identity software that validates the user credentials, creates the SAML assertion and sends the assertion to the service provider.
In order to securely transfer information about the user, the IdP and SP must first agree what details about the user will be passed. This is known as the attribute contract, which may include username, email address, domain and role group. For example, one user's attribute values might be: Andrea, Smith, pingidentity.com, HR.
The enterprise, or IdP, manages the user's credentials and provides information to the service providers, or SPs, for them to establish user sessions.
Once both parties have agreed on the attribute contract, each party knows what information will be passed. The user logs into their enterprise domain and is authenticated internally. When the user requests access to the external site, their browser automatically redirects to their enterprise's SSO server, which then builds an assertion that includes the credentials agreed upon in the attribute contract.
This information is put into the browser header and their browser is directed back to the service provider's SSO server, along with the address of the target application; this process is known as a POST profile, using http or https. The service provider's SSO server retrieves the assertion from the browser header and maps the credentials to the target application. The user is given access to the target application without the need to re-login. The entire process happens so quickly that the user does not even notice the extra redirects have occurred.
The browser is automatically redirected between the servers for the SSO request. Secure Internet SSO's browser-based method provides a simple approach to identity federation that requires minimal configuration by the enterprise and service provider.
Secure Internet SSO with PingFederate
PingFederate is the only standalone federated identity management software to deliver secure Internet single sign-on to all external partner connections, including Software as a Service (SaaS) and Business Process Outsourcing (BPO) providers, trading partners, managed services, acquisitions, affiliates, subsidiaries and joint ventures. Through standards-based identity federation, PingFederate drastically reduces repeated user provisioning and time-consuming proprietary SSO implementations that previously burdened organizations tasked with supporting external applications.
Secure Internet SSO utilizes the browser to provide direct access to resources over the Internet. The transfer of identity information between IdP and SP occurs completely behind the scenes.
Getting Started
By using secure Internet SSO, IT organizations can quickly enable secure connections for a multitude of parties. The complexity, excessive time and cost to implement federated identity between enterprises and service providers are drastically reduced with standalone Internet SSO. Start your trial today and learn why implementing standalone identity federation software is faster and easier; be one of the IT organizations to overcome the common misperception that federation takes months to deploy.
When starting your trial it is important to identify the various options for your project, including:
- Signing and Validation - Decide which SAML messages (assertions, responses, requests) will be digitally signed and how the messages will be verified by your federation partner.
- Back Channel Security - Determine what type of SOAP channel authentication will be used.
- Trusted Certificate Management - Determine whether both partners are using SSL and/or signing certificates that have been signed by a major certificate authority.
- Deployment - Decide how identity federation fits into your existing network.
- Server Clock Synchronization - Ensure that both the SP and IdP server clocks are synchronized.
- User Data Stores - Identify the type of data store that contains user data when needed.
- Web Application and Session Integration - Decide how the IdP side receives subject identity information to look up the session.
- Transaction Logging - Decide whether transaction logging should be integrated with a systems management application and whether you have regulatory compliance requirements that affect your logging processes.
- Identity Mapping - Decide whether you need a 1:1 relationship between user accounts at the IdP and SP or whether you want to implement role-based accounts at the SP.
- Attribute Contract Agreement - Decide on a set of attributes that the IdP will send in an assertion.
- Metadata Exchange - Decide whether you will use the metadata standard to exchange XML files containing configuration information.
- Configuration Data Exchange - Decide how connected partners will exchange data.
- Timeline - Determine the project timeline.
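The browser-POST exchange described under "How Secure Internet SSO Works", together with several of the decisions in the checklist above (signing and validation, server clock synchronization, identity mapping, attribute contract agreement), as an added worked example that is not part of this paper and not PingFederate code. It assumes a deliberately simplified stand-in for SAML: the assertion is JSON rather than XML, the signature is an HMAC over the exact signed bytes instead of an XML digital signature, and the key, the entity ids (https://idp.example, https://sp.example/saml), the account names and the attribute field names are all constructed. What it keeps from the real protocol is the set of checks the SP side must make before trusting a posted assertion: a signature from a known partner, the intended audience, a validity window with clock-skew tolerance, one-time use, and the mapping of contract attributes to a 1:1 or role-based local account.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Attribute contract agreed by IdP and SP (field names are assumptions; sample
# values follow the paper's Andrea / Smith / pingidentity.com / HR example).
ATTRIBUTE_CONTRACT = ("first_name", "last_name", "domain", "role_group")
# Constructed shared secret standing in for the IdP's signing certificate.
IDP_KEY = b"demo-idp-signing-key"


def issue_assertion(issuer, audience, key, attrs, now, lifetime=300):
    """IdP side: build and sign the assertion after the user's local login.
    JSON stands in for SAML XML and an HMAC for the XML-DSig signature."""
    missing = [a for a in ATTRIBUTE_CONTRACT if a not in attrs]
    if missing:
        raise ValueError(f"attribute contract not satisfied: {missing}")
    body = {
        "id": secrets.token_hex(16),        # unique id so the SP can spot replay
        "issuer": issuer,
        "audience": audience,               # the one SP this assertion is for
        "not_before": now,
        "not_on_or_after": now + lifetime,  # short window limits reuse
        "attributes": {a: attrs[a] for a in ATTRIBUTE_CONTRACT},
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    # Base64 so it can ride in the hidden form field of the browser POST.
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()


class ServiceProvider:
    """SP side: validate the posted assertion and map it to a local account."""

    def __init__(self, entity_id, trusted_idps, clock_skew=60):
        self.entity_id = entity_id
        self.trusted_idps = trusted_idps    # issuer -> verification key
        self.clock_skew = clock_skew        # tolerated IdP/SP clock drift (s)
        self.seen_ids = set()               # assertion ids already consumed
        # Role-based mapping: one shared SP account per agreed role group.
        self.role_accounts = {"HR": "hr-portal"}
        # 1:1 mapping: federated users who have their own SP account.
        self.user_accounts = {("Andrea", "Smith", "pingidentity.com"): "asmith"}

    def consume(self, saml_response, now):
        payload_b64, sig_b64 = saml_response.split(".", 1)
        payload = base64.b64decode(payload_b64)
        sig = base64.b64decode(sig_b64)
        body = json.loads(payload)
        # 1. Signature: pick the key for the claimed issuer and verify over the
        #    exact signed bytes before acting on anything else in the message.
        key = self.trusted_idps.get(body.get("issuer"))
        if key is None:
            raise PermissionError("issuer is not a trusted partner")
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("signature does not verify")
        # 2. Audience: an assertion issued for another SP is not ours to accept.
        if body.get("audience") != self.entity_id:
            raise PermissionError("assertion not addressed to this SP")
        # 3. Validity window, with tolerance for clock skew between partners.
        if now + self.clock_skew < body["not_before"]:
            raise PermissionError("assertion not yet valid")
        if now - self.clock_skew >= body["not_on_or_after"]:
            raise PermissionError("assertion expired")
        # 4. Replay: each assertion id is honoured once.
        if body["id"] in self.seen_ids:
            raise PermissionError("assertion already consumed")
        self.seen_ids.add(body["id"])
        # 5. Identity mapping: 1:1 account when known, else the role account.
        a = body["attributes"]
        account = self.user_accounts.get((a["first_name"], a["last_name"], a["domain"]))
        account = account or self.role_accounts.get(a["role_group"])
        if account is None:
            raise PermissionError("no local account for this user or role")
        return {"account": account, "issuer": body["issuer"], "attributes": a}


def demo():
    """One exchange: IdP login, browser POST to the SP, session established;
    presenting the same assertion a second time is refused as a replay."""
    sp = ServiceProvider("https://sp.example/saml", {"https://idp.example": IDP_KEY})
    user = {"first_name": "Andrea", "last_name": "Smith",
            "domain": "pingidentity.com", "role_group": "HR"}
    now = 1_700_000_000
    msg = issue_assertion("https://idp.example", "https://sp.example/saml", IDP_KEY, user, now)
    session = sp.consume(msg, now + 5)
    try:
        sp.consume(msg, now + 10)
        replayed = True
    except PermissionError:
        replayed = False
    return session["account"], replayed


if __name__ == "__main__":
    print(demo())
```

Running the file prints the account the SP created the session for and whether the replay was accepted. The order of the checks is the point: the signature is verified against the exact bytes received before any field is acted upon, and the clock-skew tolerance is kept small, which is why the checklist insists on synchronized IdP and SP clocks.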
Additional Resources
You can find additional information on the topics addressed in this paper at www.pingfederate.com. Relevant resources that may be of interest include:
- Solution Brief: PingEnable Methodologies Overview
- White Paper: The Primer: Nuts and Bolts of Federated Identity Management
- White Paper: Internet-Scale Identity Systems: An Overview and Comparison
- Solution Brief: Secure Internet SSO for Enterprises
- Solution Brief: Secure Internet SSO for Service Providers
Glossary of Terms
- Business Process Outsourcing (BPO) - contracted services through a third-party vendor or service provider
- Enterprise Single Sign-On (E-SSO) - single sign-on provided to internal applications within a single security domain, or enterprise
- Federated Identity - the ability to use a single set of credentials across multiple security domains
- Security Assertion Markup Language (SAML) - an XML-based standard utilized by enterprises, identity providers and service providers to exchange identity attributes
- Secure Internet Single Sign-On - standards-based methods used to provide users safe access to applications across the Internet without the need to re-login
- Software as a Service (SaaS) - a hosted application accessed over the Internet by an enterprise
- Web Single Sign-On (Web SSO) - single sign-on within a single security domain, or enterprise, provided strictly to applications and resources accessed with a Web browser
- WS-Federation - a standard federated identity specification that defines a mechanism for separate security domains to broker credentials for authentication
About Ping Identity Corporation
Ping Identity is the market leader in Internet Identity Security, delivering on-premise software and on-demand services to hundreds of customers worldwide. For more information, dial U.S. toll-free 877.898.2905 or +1.303.468.2882, email [email protected] or visit www.pingidentity.com.
2010 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingFederate Express, PingConnect, PingEnable, the Ping Identity logo, SignOn.com, Auto-Connect and Single Sign-On Summit are registered trademarks, trademarks or servicemarks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies.