AST-0006751_Single-Sign-On-101


  • 8/8/2019 AST-0006751_Single-Sign-On-101



White Paper: Secure Internet Single Sign-On 101

Table of Contents

Background (p. 3)
Proprietary SSO (Web Agents) (p. 3)
How Secure Internet SSO Works (p. 5)
Secure Internet SSO with PingFederate (p. 6)
Getting Started (p. 7)
Additional Resources (p. 8)
Glossary of Terms (p. 8)


    Background

Connecting organizations with their external services over the Internet is critical in today's age of real-time information sharing and collaboration. Organizations are no longer isolated: key services outside of the organization's domain (including outsourced employee services and electronic exchanges with trading partners) have to be easily accessible and interoperable.

Collaboration is blurring the lines between enterprises and their service providers. With employees traversing the Internet with highly sensitive data, the connection has to be secure to protect the user, the enterprise and the service provider. Users are also demanding direct access to external resources and improved ease of use with single sign-on (SSO). As a result, organizations are faced with a myriad of challenges when providing SSO for many different use cases, including:

- Outbound SSO for users to access software as a service (SaaS) and business process outsourcing (BPO) providers, and to connect with trading partners
- Inbound SSO for service providers, such as BPOs and managed services, to access the enterprise's resources
- Internal SSO for the enterprise and its acquisitions, affiliates, subsidiaries and joint ventures
- SSO to a third-party hosted hub for users to share information among industry organizations

With many options to consider for delivering SSO that works over the Internet, making the right technology decision is crucial to successfully implementing federated identity management and avoiding long deployment times.

    Proprietary SSO (Web Agents)

With the success of Web SSO inside the enterprise, many IT organizations looking to provide SSO over the Internet tried to reuse their existing proprietary Web SSO. In order for employees to access external Web sites, and for external partners to access internal Web sites, organizations provided a proprietary Web agent to their external partners. Each time access was needed for a different partner, a different proprietary Web agent was implemented, so for each connection organizations had to support different software for each of their business partners. Over time, the growing number of different Web agents became difficult to manage because of their lack of reusability, and the ability to scale to new connections was limited.

As one IT staffer at a Fortune 50 company said, "We need to do single sign-on with fifty external partners. We have fifty different ways of doing it." With each partner connection taking over two months to implement with proprietary SSO methods, IT organizations needed a better way to implement SSO over the Internet; otherwise, it would take years to connect all their partners.


    Standards-Based SSO: Federated Identity

To overcome the limitations of proprietary implementations, organizations wanting to implement SSO over the Internet turned to federated identity standards such as Security Assertion Markup Language (SAML) and WS-Federation. These standards allow organizations to share assertions about a user's authentication, together with user attributes, for authentication and authorization, reducing the need to maintain user credentials in multiple systems and eliminating the re-authentication of users to external resources. By utilizing standards, organizations can deliver secure Internet SSO, which reduces security gaps by creating trusted connections between enterprises providing identities (called identity providers or IdPs) and organizations providing the target applications or resources (called service providers or SPs).

Some IT organizations looked to their incumbent identity management (IdM) stack vendors to provide federated identity management. However, these products have failed to meet their scalability requirements, often requiring six to nine months to implement the first partner connection. Many such products only work with the newest releases of the software suite, forcing users into massive upgrade cycles just to add Internet SSO. Furthermore, implementing federated identity management with the suite products requires the entire identity and access management suite of applications, implying millions of dollars and a two-year implementation, just for SSO that works over the Internet.

With pressure to reduce implementation costs, some IT organizations turned to open source to develop their own Internet SSO solutions. However, open source is fraught with failed implementations: toolkits provide only a limited set of functions for specifications such as SAML. Development of each external connection and integrated application requires expensive custom code, often taking up to 74 days to build a single partner connection. Developing SSO securely is also the domain of specialists, often not the expertise of a typical development staff. Base technologies used to implement Internet SSO such as XML digital signatures are highly complex and have been found to have significant security vulnerabilities when not implemented using best practices; a classic example is signature wrapping, where a verifier confirms that a signature is valid but then reads the user's identity from an unsigned part of the same message.

Secure Internet SSO allows organizations to provide users safe access to applications across the Internet without the need to re-login.


Standalone solutions for identity federation provide a centralized point for secure Internet SSO configuration that meets the needs of all organizations, including inbound SSO, outbound SSO and internal SSO. Most standalone solutions offer support for a myriad of standard federated identity protocols such as SAML and WS-Federation. They are also able to integrate with existing identity and access management infrastructure and existing application environments.

By utilizing standalone federated identity software that implements standards-based SSO, IT organizations can reduce operational costs by providing centralized management of all partner connections, leveraging reusable connection configurations, and integrating easily with existing identity infrastructure and target application environments.

How Secure Internet SSO Works

With secure Internet SSO, once a user has logged into their enterprise's network, they can directly access applications at outsourced services, trading partners and affiliates over the Internet. Hidden from the user, their home enterprise validates their login credential and assembles a specially formatted message called a SAML assertion that contains information about the user. The identity-providing organization then transmits the assertion, through the user's browser, to the external service provider over the Internet under a trust relationship that has previously been established between the two organizations. The service provider then reads the information in the assertion and uses it to give the user access to its resources and pertinent information over the Internet without requiring additional usernames, passwords or any other login mechanism.

The key to secure Internet SSO is the browser: there are no agents required on the end user's machine. Browsers such as Internet Explorer, Mozilla Firefox and Apple Safari are able to interoperate, unbeknownst to the user, with federated identity software that validates the user's credentials, creates the SAML assertion and sends the assertion to the service provider.

The enterprise, or IdP, manages the user's credentials and provides information to the service providers, or SPs, for them to establish user sessions.

In order to securely transfer information about the user, the IdP and SP must first agree what details about the user will be passed. This is known as the attribute contract, which may include username, email address, domain and role group. For example:


First name | Last name | Email address    | Domain           | Role group
Andrea     | Smith     | [email protected] | pingidentity.com | HR

Once both parties have agreed on the attribute contract, each party knows what information will be passed. The user logs into their enterprise domain and is authenticated internally. When the user requests access to the external site, their browser is automatically redirected to their enterprise's SSO server, which then builds an assertion that includes the attributes agreed upon in the attribute contract.

The SSO server signs the assertion, base64-encodes it into a hidden SAMLResponse field of an HTML form, and returns that form to the browser together with the address of the target application (carried in the RelayState field); the browser submits the form to the service provider's SSO server automatically. This process is known as the SAML POST profile (the HTTP POST binding), and it should run over HTTPS so that the assertion is not exposed in transit. The service provider's SSO server decodes the assertion from the posted form, verifies its signature and validity conditions (issuer, audience, time window), and maps the attributes to an account or session in the target application. The user is given access to the target application without the need to re-login. The entire process happens so quickly that the user does not even notice the extra redirects have occurred.

The browser is automatically redirected between the servers for the SSO request. Secure Internet SSO's browser-based method provides a simple approach to identity federation that requires minimal configuration by the enterprise and service provider.
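The exchange described above, as an added example that is not part of the original paper: both sides of a SAML POST-profile exchange in Python. The IdP builds a bearer assertion from the attribute contract and hands the browser a form to POST; the SP checks the assertion before trusting anything in it, and then performs the identity mapping. The entity IDs, URLs, key and user record are assumptions invented for the example, and an HMAC tag over the assertion bytes stands in for the XML Digital Signature a real IdP produces with its signing certificate (verifying that requires an XML DSig library, which this example avoids).

```python
# Added example (not from the Ping Identity paper): a minimal SAML 2.0 Web Browser SSO
# exchange over the HTTP POST binding.  Assumption: an HMAC tag over the assertion bytes
# stands in for the XML Digital Signature a real IdP produces with its signing certificate;
# entity IDs, URLs, key and user data are constructed for the example.
import base64, hashlib, hmac, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
IDP_ENTITY_ID = "https://idp.example.com/idp"            # assumed trust configuration,
SP_ENTITY_ID = "https://sp.example.net/sp"               # exchanged out of band when the
SP_ACS_URL = "https://sp.example.net/sp/acs"             # partner connection is set up
DEMO_KEY = b"constructed-demo-key-not-for-production"    # stand-in for the IdP signing key
CLOCK_SKEW = timedelta(seconds=60)                       # tolerated IdP/SP clock drift
FMT = "%Y-%m-%dT%H:%M:%SZ"

def _el(name):  # qualified element name in the SAML assertion namespace
    return f"{{{SAML}}}{name}"

def _parse_time(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def idp_build_assertion(attrs, issued_at, validity=timedelta(minutes=5)):
    """IdP side: serialize the attribute contract into a bearer Assertion addressed to this SP."""
    expires = (issued_at + validity).strftime(FMT)
    a = ET.Element(_el("Assertion"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                      "IssueInstant": issued_at.strftime(FMT)})
    ET.SubElement(a, _el("Issuer")).text = IDP_ENTITY_ID
    subj = ET.SubElement(a, _el("Subject"))
    ET.SubElement(subj, _el("NameID")).text = attrs["email"]
    conf = ET.SubElement(subj, _el("SubjectConfirmation"),
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, _el("SubjectConfirmationData"), {"Recipient": SP_ACS_URL, "NotOnOrAfter": expires})
    cond = ET.SubElement(a, _el("Conditions"), {"NotBefore": issued_at.strftime(FMT), "NotOnOrAfter": expires})
    ET.SubElement(ET.SubElement(cond, _el("AudienceRestriction")), _el("Audience")).text = SP_ENTITY_ID
    stmt = ET.SubElement(a, _el("AttributeStatement"))
    for name, value in attrs.items():
        ET.SubElement(ET.SubElement(stmt, _el("Attribute"), {"Name": name}), _el("AttributeValue")).text = value
    return ET.tostring(a, encoding="utf-8")

def idp_post_form(attrs, issued_at, target_url):  # fields of the self-submitting form the browser POSTs
    raw = idp_build_assertion(attrs, issued_at)
    tag = hmac.new(DEMO_KEY, raw, hashlib.sha256).hexdigest()     # stand-in for the XML signature
    return {"SAMLResponse": base64.b64encode(raw).decode(), "Signature": tag,
            "RelayState": target_url}                               # RelayState = target application

def sp_validate(form, now, seen_ids):
    """SP side: every check that must pass before any attribute in the assertion is trusted."""
    raw = base64.b64decode(form["SAMLResponse"])
    expected = hmac.new(DEMO_KEY, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, form.get("Signature", "")):
        raise ValueError("signature verification failed")          # integrity before parsing
    a = ET.fromstring(raw)
    if a.tag != _el("Assertion") or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion not issued by the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or now + CLOCK_SKEW < _parse_time(cond.get("NotBefore")) \
            or now - CLOCK_SKEW >= _parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")  # why clocks must be in sync
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion intended for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("assertion not addressed to this ACS endpoint")
    if a.get("ID") in seen_ids:
        raise ValueError("replayed assertion")                      # bearer assertions are one-time use
    seen_ids.add(a.get("ID"))
    return {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
            for x in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}

def sp_map_identity(attrs, local_accounts, role_based=False):  # 1:1 on email, or a shared role account
    key = "role:" + attrs["role"] if role_based else attrs["email"]
    return local_accounts[key]    # KeyError means the user was never provisioned at the SP

def run_demo():
    """One successful exchange, then three assertions the SP must refuse."""
    t0 = datetime(2010, 6, 1, 12, 0, tzinfo=timezone.utc)
    contract = {"first": "Andrea", "last": "Smith", "email": "andrea.smith@example.com",
                "domain": "example.com", "role": "HR"}                 # constructed sample user
    accounts = {"andrea.smith@example.com": "asmith", "role:HR": "hr-shared"}
    seen = set()
    form = idp_post_form(contract, t0, "https://sp.example.net/hr/app")
    attrs = sp_validate(form, t0 + timedelta(seconds=30), seen)
    out = {"attrs": attrs, "one_to_one": sp_map_identity(attrs, accounts),
           "role_based": sp_map_identity(attrs, accounts, role_based=True)}
    edited = base64.b64decode(form["SAMLResponse"]).replace(b">HR<", b">Finance<")
    tampered = dict(form, SAMLResponse=base64.b64encode(edited).decode())
    for label, f, now, ids in [("replay", form, t0 + timedelta(seconds=31), seen),
                               ("expired", form, t0 + timedelta(minutes=10), set()),
                               ("tampered", tampered, t0, set())]:
        try:
            sp_validate(f, now, ids)
            out[label] = "accepted"
        except ValueError as err:
            out[label] = str(err)
    return out
```

sp_validate checks integrity first, then issuer, the validity window with a skew allowance, audience, recipient and finally a replay check on the assertion ID; run_demo exercises each rejection. The order is deliberate: nothing from the XML is read until the tag over the complete serialized bytes has been verified, so there is no unsigned fragment for an attacker to substitute, which is exactly what XML signature wrapping attacks exploit in verifiers that sign one element and read identity from another.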

    Secure Internet SSO with PingFederate

PingFederate is the only standalone federated identity management software to deliver secure Internet single sign-on to all external partner connections, including Software as a Service (SaaS) and Business Process Outsourcing (BPO) providers, trading partners, managed services, acquisitions, affiliates, subsidiaries and joint ventures. Through standards-based identity federation, PingFederate drastically reduces the repeated user provisioning and time-consuming proprietary SSO implementations that previously burdened organizations tasked with supporting external applications.

Secure Internet SSO utilizes the browser to provide direct access to resources over the Internet. The transfer of identity information between IdP and SP occurs completely behind the scenes.


    Getting Started

By using secure Internet SSO, IT organizations can quickly enable secure connections for a multitude of parties. The complexity, excessive time and cost of implementing federated identity between enterprises and service providers are drastically reduced with standalone Internet SSO.

Start your trial today and learn why implementing standalone identity federation software is faster and easier; be one of the IT organizations to overcome the common misperception that federation takes months to deploy.

When starting your trial it is important to identify the various options for your project, including:

- Signing and Validation - Decide which SAML messages (assertions, responses, requests) will be digitally signed and how the messages will be verified by your federation partner.
- Back Channel Security - Determine what type of SOAP channel authentication will be used.
- Trusted Certificate Management - Determine whether both partners are using SSL and/or signing certificates that have been signed by a major certificate authority.
- Deployment - Decide how identity federation fits into your existing network.
- Server Clock Synchronization - Ensure that both the SP and IdP server clocks are synchronized; an assertion's validity window (its NotBefore and NotOnOrAfter conditions) is checked against the receiver's clock, so drift between the two servers causes valid assertions to be rejected or stale ones to be accepted.
- User Data Stores - Identify the type of data store that contains user data when needed.
- Web Application and Session Integration - Decide how the IdP side receives subject identity information to look up the session.
- Transaction Logging - Decide whether transaction logging should be integrated with a systems management application and whether you have regulatory compliance requirements that affect your logging processes.
- Identity Mapping - Decide whether you need a 1:1 relationship between user accounts at the IdP and SP or whether you want to implement role-based accounts at the SP.
- Attribute Contract Agreement - Decide on the set of attributes that the IdP will send in an assertion.
- Metadata Exchange - Decide whether you will use the SAML metadata standard to exchange XML files containing configuration information.
- Configuration Data Exchange - Decide how connected partners will exchange data.
- Timeline - Determine the project timeline.
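As an added example (not from the paper) for the Metadata Exchange item above: a parser for the SAML 2.0 metadata document a partner supplies, pulling out the connection settings a federation server needs (entity ID, the HTTP-POST assertion consumer service, the partner's signing certificate and its signing expectations) and refusing an expired document. The sample metadata, entity ID, URLs and certificate placeholder are constructed for this example.

```python
# Added example (not Ping Identity's code): parse the SAML 2.0 metadata document a partner
# sends when a connection is set up, extracting the values a federation server needs to
# configure that partner.  The metadata below is constructed; the certificate is a placeholder.
import xml.etree.ElementTree as ET
from datetime import datetime

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.net/sp" validUntil="2011-01-01T00:00:00Z">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.net/sp/acs-artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.net/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def _utc(s):  # SAML timestamps are UTC with a trailing Z; tolerate fractional seconds
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_sp_metadata(xml_text, now_iso):
    """Return the SP connection settings, refusing metadata that is expired or malformed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not a SAML EntityDescriptor")
    valid_until = root.get("validUntil")
    if valid_until and _utc(now_iso) >= _utc(valid_until):
        raise ValueError("metadata expired: request a fresh copy from the partner")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this partner is not an SP")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [c.text.strip() for kd in sp.iterfind("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    acs = [e for e in sp.iterfind("md:AssertionConsumerService", NS) if e.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("partner exposes no HTTP-POST assertion consumer service")
    default = next((e for e in acs if e.get("isDefault") == "true"), acs[0])  # prefer the marked default
    return {"entity_id": root.get("entityID"),
            "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
            "signs_requests": sp.get("AuthnRequestsSigned") == "true",
            "signing_certs": certs,
            "acs_post_url": default.get("Location")}
```

The extracted acs_post_url is the only place a correctly configured IdP should ever POST assertions for this partner, and the extracted certificate is what the IdP pins for verifying the partner's signed requests; both should be taken from metadata obtained over a channel the partner confirmed out of band (or from a metadata document whose own signature has been verified), since the sample here is unsigned.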


    Additional Resources

You can find additional information on the topics addressed in this paper at www.pingfederate.com. Relevant resources that may be of interest include:

- Solution Brief: PingEnable Methodologies Overview
- White Paper: The Primer: Nuts and Bolts of Federated Identity Management
- White Paper: Internet-Scale Identity Systems: An Overview and Comparison
- Solution Brief: Secure Internet SSO for Enterprises
- Solution Brief: Secure Internet SSO for Service Providers

    Glossary o Terms

Business Process Outsourcing (BPO) - contracted services through a third-party vendor or service provider

Enterprise Single Sign-On (E-SSO) - single sign-on provided to internal applications within a single security domain, or enterprise

Federated Identity - the ability to use a single set of credentials across multiple security domains

Security Assertion Markup Language (SAML) - an XML-based standard utilized by enterprises, identity providers and service providers to exchange identity attributes

Secure Internet Single Sign-On - standards-based methods used to provide users safe access to applications across the Internet without the need to re-login

Software as a Service (SaaS) - a hosted application accessed over the Internet by an enterprise

Web Single Sign-On (Web SSO) - single sign-on within a single security domain, or enterprise, provided strictly to applications and resources accessed with a Web browser

WS-Federation - a standard federated identity specification that defines a mechanism for separate security domains to broker credentials for authentication

About Ping Identity Corporation

Ping Identity is the market leader in Internet Identity Security, delivering on-premise software and on-demand services to hundreds of customers worldwide. For more information, dial U.S. toll-free 877.898.2905 or +1.303.468.2882, email [email protected] or visit www.pingidentity.com.

© 2010 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingFederate Express, PingConnect, PingEnable, the Ping Identity logo, SignOn.com, Auto-Connect and Single Sign-On Summit are registered trademarks, trademarks or service marks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies.
