Single Sign-On
- Mayuresh Pardeshi
M.Tech CSE - I
Contents:
- Introduction
- Working Structure
- Features
- Applications
Why do we need SSO?
Current situation: network users interact with multiple service providers, each of which authenticates them separately.
SSO: a mechanism that allows users to authenticate themselves only once and then log into multiple service providers without necessarily having to re-authenticate.
Authentication Service Provider (ASP): the service providers are aware of the ASP and establish explicit trust relations, policies, contracts and a supporting security infrastructure (e.g. PKI) with it.
The ASP is either a trusted third party or part of the user's own system (the latter requires tamper-resistant hardware, e.g. a smartcard or TPM).
General SSO Protocol
Typical Information Flow
[Diagram of the typical information flow; the authentication steps are repeated as necessary]
Types of SSO (with example products):
- Password Synchronization: SecurePassSAM, Pass Synch
- Legacy SSO: Novell's Secure Login & Microsoft Windows Server
- Web Access Management (WAM): RSA
- Cross Domain SSO: OpenSSO, CAS
- Federated SSO: Facebook Connect, Google
Other products: Novell SecureLogin, Oblix (Oracle)
SAML:
1. The service provider receives the client request and forwards it to the identity provider to authenticate the client.
2. The identity provider authenticates the client, creates the assertion, and passes it back to the service provider. SAML assertions can be added as SOAP header blocks and carried over HTTP.
Request from the service provider
Here, a sample SAML-compliant request is sent from a service provider requesting password authentication by the identity provider.

<samlp:Request ...>
  <samlp:AttributeQuery>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
    </saml:Subject>
    <saml:AttributeDesignator AttributeName="Employee_ID" AttributeNamespace="sun.com">
    </saml:AttributeDesignator>
  </samlp:AttributeQuery>
</samlp:Request>

Response from the identity provider
In response, the issuing authority asserts that the subject (S) was authenticated by means (M) at time (T).

<samlp:Response MajorVersion="1" MinorVersion="0"
    RequestID="128.14.234.20.90123456"
    InResponseTo="123.45.678.90.12345678"
    StatusCode="/features/2002/05/Success">
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="123.45.678.90.12345678"
      Issuer="Sun Microsystems, Inc."
      IssueInstant="2002-01-14T10:00:23Z">
    <saml:Conditions NotBefore="2002-01-14T10:00:30Z" NotAfter="2002-01-14T10:15:00Z" />
    <saml:AuthenticationStatement AuthenticationMethod="Password"
        AuthenticationInstant="2001-01-14T10:00:20Z">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap" />
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
Advantages:
- Reduced operational cost
- Reduced time to access data
- Improved user experience, no password lists to carry
- Advanced security to systems
- Strong authentication: One Time Password devices, smartcards
- Eased burden on developers
- Centralized management of users and roles
- Fine-grained auditing
- Effective compliance (SOX, HIPAA)