Single Sign-On

Post on 05-Jan-2016


Description: Single Sign-On, by Mayuresh Pardeshi, M.Tech CSE - I (PowerPoint presentation).

Transcript of Single Sign-On

Single Sign-On

-Mayuresh Pardeshi

M.Tech CSE - I

Contents: Introduction, Working Structure, Features, Applications


Why do we need SSO ?

Current situation: network users interact with multiple service providers, and each one asks them to authenticate separately.

SSO: a mechanism that allows users to authenticate themselves only once and then log into multiple service providers without necessarily having to re-authenticate.

Authentication Service Provider (ASP): the party that authenticates the user on behalf of the service providers. Service providers are aware of the ASP and establish explicit trust relations with it: policies, contracts and a supporting security infrastructure (e.g. a PKI).

The ASP is either a trusted third party or part of the user's own system; the latter requires tamper-resistant hardware, e.g. a smartcard or a TPM.


General SSO Protocol: Typical Information Flow (diagram not reproduced in the transcript; the request/response exchange between user, ASP and service provider is repeated as necessary).

Types of SSO, with example products:

- Password Synchronization: SecurePassSAM, Pass Synch
- Legacy SSO: Novell's Secure Login, Microsoft Windows Server
- Web Access Management (WAM): RSA
- Cross Domain SSO: OpenSSO, CAS
- Federated SSO: Facebook Connect, Google
- Also listed: Novell SecureLogin, Oblix (Oracle)

SAML:

1. The service provider receives the client's request and sends it on to the identity provider, which performs the client authentication.

2. The identity provider authenticates the client, creates an assertion, and passes it back to the service provider. SAML assertions can be added as SOAP header blocks and carried over HTTP.

Request from the service provider

Here, a sample SAML-compliant request is sent from a service provider to the identity provider. It is an attribute query: it names the subject (rimap in the sun.com security domain) and asks for that subject's Employee_ID attribute.

    <samlp:Request ...>
      <samlp:AttributeQuery>
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
        </saml:Subject>
        <saml:AttributeDesignator AttributeName="Employee_ID" AttributeNamespace="sun.com"/>
      </samlp:AttributeQuery>
    </samlp:Request>

Response from the identity provider

In response, the issuing authority asserts that the subject (S) was authenticated by means (M) at time (T). InResponseTo ties the response to the service provider's request, and the Conditions element gives the window (NotBefore/NotAfter) outside of which the service provider must not rely on the assertion.

    <samlp:Response MajorVersion="1" MinorVersion="0"
        ResponseID="128.14.234.20.90123456" InResponseTo="123.45.678.90.12345678"
        StatusCode="/features/2002/05/Success">
      <saml:Assertion MajorVersion="1" MinorVersion="0"
          AssertionID="123.45.678.90.12345678" Issuer="Sun Microsystems, Inc."
          IssueInstant="2002-01-14T10:00:23Z">
        <!-- validity window: roughly fifteen minutes from issue -->
        <saml:Conditions NotBefore="2002-01-14T10:00:30Z" NotAfter="2002-01-14T10:15:00Z"/>
        <!-- S was authenticated by M at T -->
        <saml:AuthenticationStatement AuthenticationMethod="Password"
            AuthenticationInstant="2002-01-14T10:00:20Z">
          <saml:Subject>
            <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
          </saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
    </samlp:Response>
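The slides show the assertion but not what the service provider has to check before treating rimap as logged in. The following is an added example (not code from the presentation or from Sun) of that service-provider-side validation, written in Python against the response above. It assumes the real SAML 1.0 namespace URIs (the sample on the page omits the xmlns declarations), that the service provider issued request ID 123.45.678.90.12345678, that "Sun Microsystems, Inc." is its configured identity provider, and that all timestamps are in 2002. It checks the status, the InResponseTo binding, the issuer, the Conditions window (with a little clock skew tolerance) and replay of an already-consumed AssertionID; it does not verify an XML signature, which a real service provider must do before trusting any of these fields.

```python
"""Service-provider-side validation of a SAML 1.0 authentication response (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Real SAML 1.0 namespace URIs; the page's sample omits the xmlns declarations.
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed input: the page's response with namespaces added and every timestamp in 2002.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    MajorVersion="1" MinorVersion="0" ResponseID="128.14.234.20.90123456"
    InResponseTo="123.45.678.90.12345678" StatusCode="/features/2002/05/Success">
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="123.45.678.90.12345678" Issuer="Sun Microsystems, Inc."
      IssueInstant="2002-01-14T10:00:23Z">
    <saml:Conditions NotBefore="2002-01-14T10:00:30Z" NotAfter="2002-01-14T10:15:00Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="Password"
        AuthenticationInstant="2002-01-14T10:00:20Z">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""

TRUSTED_ISSUERS = {"Sun Microsystems, Inc."}   # assumed: the SP's configured identity provider
OUR_REQUEST_ID = "123.45.678.90.12345678"      # assumed: the ID the SP put on its own request
IN_WINDOW = datetime(2002, 1, 14, 10, 5, tzinfo=timezone.utc)     # inside NotBefore..NotAfter
AFTER_WINDOW = datetime(2002, 1, 14, 10, 20, tzinfo=timezone.utc)  # after NotAfter


class SamlValidationError(Exception):
    """Raised when the response must not be trusted."""


def parse_instant(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, trusted_issuers, now,
                      seen_assertion_ids, skew=timedelta(seconds=30)):
    """Check every field the SP relies on; an XML-Signature check belongs before this."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlValidationError("not a samlp:Response")
    if not root.get("StatusCode", "").endswith("Success"):
        raise SamlValidationError("IdP reported failure: %s" % root.get("StatusCode"))
    # Bind the response to a request this SP actually issued (rejects unsolicited responses).
    if root.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("InResponseTo does not match our request")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no assertion in response")
    if assertion.get("Issuer") not in trusted_issuers:
        raise SamlValidationError("untrusted issuer %r" % assertion.get("Issuer"))
    # Reject replay of an assertion this SP has already consumed.
    assertion_id = assertion.get("AssertionID")
    if assertion_id in seen_assertion_ids:
        raise SamlValidationError("assertion %s already used" % assertion_id)
    # Validity window (T on the slide), with a small tolerance for clock skew between IdP and SP.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotAfter") is None:
        raise SamlValidationError("assertion has no validity window")
    not_before, not_after = parse_instant(cond.get("NotBefore")), parse_instant(cond.get("NotAfter"))
    if now + skew < not_before or now - skew >= not_after:
        raise SamlValidationError("assertion outside validity window")
    stmt = assertion.find("saml:AuthenticationStatement", NS)
    name_id = stmt.find("saml:Subject/saml:NameIdentifier", NS) if stmt is not None else None
    if name_id is None:
        raise SamlValidationError("no authenticated subject")
    seen_assertion_ids.add(assertion_id)   # only after every check passed
    return {"subject": name_id.get("Name"), "domain": name_id.get("SecurityDomain"),
            "method": stmt.get("AuthenticationMethod"), "assertion_id": assertion_id}


def outcome(**overrides):
    """Run the validator on the sample; returns the subject name or the rejection reason."""
    args = dict(xml_text=SAMPLE_RESPONSE, expected_request_id=OUR_REQUEST_ID,
                trusted_issuers=TRUSTED_ISSUERS, now=IN_WINDOW, seen_assertion_ids=set())
    args.update(overrides)
    try:
        return validate_response(**args)["subject"]
    except SamlValidationError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    print(outcome())                                  # rimap
    print(outcome(now=AFTER_WINDOW))                  # rejected: assertion outside validity window
    print(outcome(expected_request_id="some-other"))  # rejected: InResponseTo does not match our request
    used = set()
    outcome(seen_assertion_ids=used)
    print(outcome(seen_assertion_ids=used))           # rejected: assertion ... already used
```

The order of the checks is deliberate: the assertion ID is recorded as consumed only after everything else passed, so a rejected response cannot be used to block a later legitimate one, and the clock-skew tolerance is applied symmetrically so that an IdP clock a few seconds ahead does not cause every fresh assertion to fail NotBefore.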

Advantages:

- Reduced operational cost
- Reduced time to access data
- Improved user experience: no password lists to carry
- Stronger security for systems
- Strong authentication: one-time-password devices, smartcards
- Eases the burden on developers
- Centralized management of users and roles
- Fine-grained auditing
- Effective compliance (SOX, HIPAA)
