WHITE PAPER, AUGUST 2018

Single Sign-On Best Practices: Protecting Access in the Cloud


iSeatz © 2018 2

Table of Contents

Executive Summary .......... 3

Objectives .......... 3

Security Challenges .......... 4

Standards .......... 5

Conclusion .......... 6

Additional Resources .......... 7

Figures .......... 8


Executive Summary

Driven by promises of faster pursuits of business goals, the shift to the cloud is changing how companies think about their IT infrastructure and what they must do to manage it. Gone are the days when the security of business applications and data were protected within the confines of a local area network (LAN). Cloud services power a federated collection of on-demand services, which are provided by a variety of vendors for a set of highly distributed users. The motivations to leverage cloud architectures are worthwhile since they can allow organizations to be more agile, provide a higher quality of service at a lower cost, and reduce capital investment and staffing costs. However, there can be unanticipated challenges around securing and controlling access, complying with local laws and regulations, uniting overall user experience and budgeting for support costs.

To meet these challenges, IT leaders are looking for secure access control solutions that let them embrace the cloud while managing the associated risks. This paper:

1. Describes how single sign-on (SSO) provides a convenient and simple user interface to all cloud services and Web applications

2. Explains how a well-architected SSO and access control solution allows IT to maintain oversight

3. Describes how an enterprise can maintain the appropriate compliance posture

Objectives

• Leverage open, established protocols and standards

• Utilize existing, secure libraries for encryption and handling sensitive user information

• Use a verified solution (self-hosted or managed) to implement the SSO standard

• When possible, use a standardized channel to share user profile information


Enterprise Cloud Security Challenges

For any cloud application, IT organizations must secure access to the application and its sensitive data. Access controls are particularly important because they must be strong without impeding the user experience. In addition, using multiple cloud technology suppliers may introduce new operational challenges and complicate the compliance requirements for safeguarding sensitive data.

To address these security challenges, many enterprises consider SSO a fundamental requirement that addresses both security and usability. In seeking a solution, IT departments should look for a single authentication and control point for executing and enforcing enterprise security policy across all cloud applications. To fully capitalize on the cloud opportunity, the solution should give all users a simple, consistent experience while allowing the enterprise to retain the oversight and visibility needed to ensure policy compliance.

A Best Practices Approach for Enterprise Cloud Security

The market provides a few options to implement SSO for the enterprise, including Security Assertion Markup Language (SAML) and OpenID Connect.

Standards

Security Assertion Markup Language (SAML)

With specification version 2.0 published in 2005, SAML remains a mainstay for enterprises looking to support federated authentication. SAML facilitates an XML-based exchange between a central Identity Provider and one or more Service Providers on their users' behalf. It has traditionally focused on browser-based authentication, delegating authorization to the eXtensible Access Control Markup Language (XACML) standard. SAML now offers an Enhanced Client or Proxy (ECP) profile designed to support non-browser workflows, but shipped implementations are not yet widely available.

OpenID Connect

Published in 2014, OpenID Connect (OIDC) adds an identity layer on top of OAuth 2.0 and standardizes the type of SSO login flow offered by Google, Facebook, and others. In addition to authentication and authorization, it allows fine-grained delegation of access rights. Also in contrast to SAML, OIDC combines JavaScript Object Notation (JSON) request/response formats with Representational State Transfer (REST) API interactions. It is built to support browsers, embedded devices, and native applications.

Assumptions

• Browser-based SSO

• Consumer-facing

• SAML 2.0, OpenID Connect 1.0

• User profile information via SAML attribute query or OpenID Userinfo endpoint

Conclusion

A single sign-on experience for authentication brings smoother collaboration, but it also involves new user flows and more software, which adds complexity and a larger attack surface to secure. In light of this, we advise sticking close to well-known solutions and providers that implement open standards. This also makes it easier to find compatible, well-maintained client libraries for all collaborating development teams.

Additional Resources

» What the Heck is OAuth? (overview of OAuth, SAML, OIDC)

» OWASP Threats and Vulnerabilities in Federation Protocols and Products [slides]

» Why not just use OAuth alone for authentication?

SAML

» Shibboleth - Open-Source SSO Solution

» Testing Shibboleth / SAML

» OWASP SAML Security Cheat Sheet

» SAML protocol bug let hackers log in as other users

» ECP Profile

OpenID Connect

» Frequently Asked Questions

» Certified OpenID Connect Implementations

» Security Considerations [OpenID Connect spec]

» Preventing Mix-Up Attacks with OpenID Connect

Solution Providers

» Amazon Cognito

» Auth0

» Centrify

» Okta

» Ping Identity

» Shibboleth Commercial Support


Figures

Figure 1. SAML (High-Level Flow)

Participants: Client (browser), Service Provider, Identity Provider.

1. Client -> Service Provider: Access Protected Resource
2. Service Provider -> Client: Redirect to SSO Endpoint
3. Client -> Identity Provider: Request Login
4. Identity Provider -> Client: Login Form
5. Client -> Identity Provider: User Authenticates
6. Identity Provider -> Client: Return SAML Response, etc.
7. Client -> Service Provider: Provide SAML Assertion
8. Service Provider -> Client: Redirect to Target Resource
9. Client -> Service Provider: Request Target Resource
10. Service Provider -> Client: Respond with Resource

Figure 2. OpenID Connect (High-Level Flow)

Participants: Client (browser), Relying Party (web application), Identity Provider.

1. Client -> Relying Party: Access Protected Resource
2. Relying Party -> Client: Redirect for Authorization
3. Client -> Identity Provider: Request Login
4. Identity Provider -> Client: Login Form
5. Client -> Identity Provider: User Authenticates
6. Identity Provider -> Client: Redirect to Web App with Authorization Code
7. Client -> Relying Party: Request for Web App
8. Relying Party -> Identity Provider: Call Access Token Endpoint
9. Identity Provider -> Relying Party: ID and Access Tokens
10. Relying Party -> Identity Provider: Call to UserInfo Endpoint
11. Identity Provider -> Relying Party: Response to UserInfo Request
12. Relying Party -> Client: Respond with Resource
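The OpenID Connect section and the Figure 2 flow above name the messages exchanged between the Relying Party and the Identity Provider, but not the checks the Relying Party has to make at each step. The following Python program is an added example, not code from the white paper or from iSeatz: it simulates the Identity Provider in-process (an assumed stand-in that issues an HS256-signed ID token keyed by the client secret, which OpenID Connect Core permits for confidential clients) and implements the Relying Party side of steps 2 through 12, including the state, nonce, issuer, audience, expiry and signature checks and the check that the UserInfo `sub` matches the ID token. The issuer URL, client identifier, secret and user profile are constructed placeholders.

```python
"""Authorization-code flow of Figure 2 with an in-process, simulated OpenID Provider."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_hs256(payload: dict, key: bytes) -> str:
    """Compact JWS, HS256 keyed by the client secret (OIDC Core 10.1 allows this)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"


class SimulatedProvider:
    """Constructed stand-in for the Identity Provider in Figure 2 (not a real OP)."""

    def __init__(self, issuer, client_id, client_secret, redirect_uri):
        self.issuer, self.client_id = issuer, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.codes = {}          # single-use authorization code -> (nonce, sub)
        self.access_tokens = {}  # bearer access token -> sub

    def authorize(self, auth_url, sub):
        """Steps 3-6: the user authenticates; OP redirects back with a code and the RP's state."""
        q = parse_qs(urlparse(auth_url).query)
        if (q["response_type"] != ["code"] or q["client_id"] != [self.client_id]
                or q["redirect_uri"] != [self.redirect_uri] or "openid" not in q["scope"][0].split()):
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["nonce"][0], sub)
        return f"{self.redirect_uri}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, code, client_id, client_secret, redirect_uri):
        """Steps 8-9: the authenticated client redeems the code once for ID and access tokens."""
        if client_id != self.client_id or not hmac.compare_digest(client_secret, self.client_secret):
            raise PermissionError("invalid_client")
        if redirect_uri != self.redirect_uri or code not in self.codes:
            raise PermissionError("invalid_grant")
        nonce, sub = self.codes.pop(code)  # pop: a replayed code is refused
        now = int(time.time())
        id_token = jws_hs256({"iss": self.issuer, "sub": sub, "aud": client_id,
                              "iat": now, "exp": now + 300, "nonce": nonce}, client_secret.encode())
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = sub
        return {"id_token": id_token, "access_token": access, "token_type": "Bearer"}

    def userinfo(self, access_token):
        """Steps 10-11: profile claims for a valid bearer token (constructed sample profile)."""
        if access_token not in self.access_tokens:
            raise PermissionError("invalid_token")
        sub = self.access_tokens[access_token]
        return {"sub": sub, "email": f"{sub}@example.test"}


class RelyingParty:
    """The web application (Relying Party) side of Figure 2."""

    def __init__(self, op, client_id, client_secret, redirect_uri):
        self.op, self.client_id = op, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.sessions = {}  # browser session id -> pending {"state", "nonce"}

    def start_login(self, session_id):
        """Step 2: redirect to the OP with fresh state and nonce bound to this browser session."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.sessions[session_id] = {"state": state, "nonce": nonce}
        params = {"response_type": "code", "client_id": self.client_id, "scope": "openid email",
                  "redirect_uri": self.redirect_uri, "state": state, "nonce": nonce}
        return f"{self.op.issuer}/authorize?{urlencode(params)}"

    def finish_login(self, session_id, callback_url):
        """Steps 7-12: check state, redeem the code, validate the ID token, fetch UserInfo."""
        pending = self.sessions.pop(session_id, None)
        q = parse_qs(urlparse(callback_url).query)
        if pending is None or q.get("state") != [pending["state"]]:
            raise PermissionError("state mismatch: callback is not bound to this session")
        tokens = self.op.token(q["code"][0], self.client_id, self.client_secret, self.redirect_uri)
        claims = self.validate_id_token(tokens["id_token"], pending["nonce"])
        profile = self.op.userinfo(tokens["access_token"])
        if profile["sub"] != claims["sub"]:  # OIDC Core 5.3.2: UserInfo sub must match the ID token
            raise PermissionError("UserInfo sub does not match ID token")
        return {**profile, "sub": claims["sub"]}

    def validate_id_token(self, id_token, expected_nonce):
        """ID token checks of OIDC Core 3.1.3.7: alg allow-list, signature, iss, aud, exp, nonce."""
        head_b64, body_b64, sig_b64 = id_token.split(".")
        if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
            raise PermissionError("unexpected alg")  # the token never chooses the algorithm
        mac = hmac.new(self.client_secret.encode(), f"{head_b64}.{body_b64}".encode(),
                       hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
            raise PermissionError("bad signature")
        claims = json.loads(b64url_decode(body_b64))
        now = int(time.time())
        if claims.get("iss") != self.op.issuer or claims.get("aud") != self.client_id:
            raise PermissionError("wrong issuer or audience")
        if not (claims["iat"] - 60 <= now < claims["exp"]):
            raise PermissionError("token expired or not yet valid")
        if claims.get("nonce") != expected_nonce:
            raise PermissionError("nonce mismatch: ID token was not issued for this login")
        return claims


def run_flow(user="alice"):
    """Runs the whole Figure 2 exchange in-process and returns the claims the RP accepts."""
    op = SimulatedProvider("https://op.example.test", "demo-rp", "demo-secret-placeholder",
                           "https://app.example.test/callback")
    rp = RelyingParty(op, "demo-rp", "demo-secret-placeholder", "https://app.example.test/callback")
    callback = op.authorize(rp.start_login("browser-1"), user)  # steps 2-6
    return rp.finish_login("browser-1", callback)                # steps 7-12


if __name__ == "__main__":
    print(run_flow())
```

Running the module performs one login and prints the accepted claims; a callback whose state does not match the pending session, a replayed authorization code, or an ID token carrying the wrong nonce is rejected with PermissionError. A production Relying Party would use a certified client library (see Additional Resources) with RS256 keys fetched from the provider's published key set instead of the in-process provider and shared secret used here.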

Author

John Guidry, Software Architect

John Guidry is a software architect at iSeatz. His current technical interests include distributed systems, contributing to open source and seeking patterns for more reliable software. John earned a Bachelor of Science in Computer Science from Tulane University and has more than ten years of experience. When not at work, John enjoys cooking and taking apart anything that is not nailed down.

Founded in 1999 and based in New Orleans, iSeatz is a leading travel commerce and ancillary merchandising technology company for travel, financial services and entertainment brands. The iSeatz team of designers, developers, artists, engineers, inventors, analysts and project managers are the backbone of our proven reliability and uncontested vision.

www.iseatz.com

Headquarters

643 Magazine Street, Suite 100
New Orleans, LA 70130