Contents
● Introduction
● Advantages and disadvantages of SSO
● Types of SSO
● Different implementation protocols
● SAML
  ○ How does it work
  ○ What SAML is composed of
  ○ SAML example syntax of Request and Response
● References
What is SSO
● SSO is defined as a solution that allows users to log in using a single page and afterwards have access to multiple services.
● A simple version of single sign-on can be achieved over IP networks using cookies, but only if the sites share a common DNS parent domain.
Steps
1. The Client tries to access a service. If the client already has a token to access this service, the token is added to the request; afterwards, go to step 10.
2. The Service calls the IdP to handle the authentication.
3. The IdP asks the client for login credentials.
4. The client asks the user to give the login credentials.
5. The User hands over the login credentials.
6. The Client sends these credentials to the IdP, which validates the credentials.

Steps continuing
7. If the credentials are correct, an ID token is sent to the AS; otherwise it returns to step 3.
8. The AS collects the rights that are assigned to the user and creates an access token; the access token and ID token are sent to the client.
9. The Client tries to access a service using the access token.
10. The Service grants access to the service.
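As an added example (not code from the slides or from any of the referenced papers), the following Python models the ten steps above with four parties: a Client, an Identity Provider (IdP), an Authorisation Server (AS) and a Service. The user database, the rights table and the shared HMAC signing key are constructed for the example; real deployments use signed SAML assertions or JWTs rather than this hand-rolled token. What the code shows that the steps alone do not: the Client reuses a cached access token so later accesses skip the IdP, the Service checks both the token's integrity and its expiry, and a token whose rights are rewritten without re-signing is rejected.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by the AS (issuer) and the Service (verifier).
# A real deployment would sign with an asymmetric key so services never hold
# the signing secret; HMAC keeps the example self-contained.
SIGNING_KEY = b"constructed-demo-signing-key"


def mint_token(claims: dict) -> str:
    """Serialise claims and append an HMAC-SHA256 tag so they cannot be altered."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, now: int):
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    if now >= claims["exp"]:
        return None
    return claims


class IdentityProvider:
    """Steps 3-7: checks credentials and issues an ID token (assumed 5-minute lifetime)."""

    def __init__(self, users: dict):
        # username -> sha256(password); constructed users. A real IdP uses a slow KDF.
        self.users = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}
        self.logins = 0  # how often the user was actually asked for credentials

    def authenticate(self, username: str, password: str, now: int):
        self.logins += 1
        stored = self.users.get(username)
        presented = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, presented):
            return None  # step 7 "otherwise": back to step 3
        return mint_token({"typ": "id", "sub": username, "exp": now + 300})


class AuthorisationServer:
    """Step 8: turns a valid ID token into an access token carrying the user's rights."""

    def __init__(self, rights: dict):
        self.rights = rights  # username -> list of rights (constructed)

    def issue_access_token(self, id_token: str, now: int):
        claims = verify_token(id_token, now)
        if claims is None or claims.get("typ") != "id":
            return None
        user = claims["sub"]
        return mint_token({"typ": "access", "sub": user,
                           "rights": sorted(self.rights.get(user, [])), "exp": now + 900})


class Service:
    """Steps 9-10: grants access only on a valid access token that carries the needed right."""

    def __init__(self, required_right: str):
        self.required_right = required_right

    def access(self, token, now: int) -> str:
        claims = verify_token(token, now) if token else None
        if claims is None or claims.get("typ") != "access":
            return "denied: missing, invalid or expired access token"
        if self.required_right not in claims["rights"]:
            return f"denied: {claims['sub']} lacks right '{self.required_right}'"
        return f"granted: {claims['sub']}"


class Client:
    """Step 1: reuses a cached access token; only without a usable one does it go to the IdP."""

    def __init__(self, idp, auth_server):
        self.idp, self.auth_server = idp, auth_server
        self.access_token = None

    def use(self, service, username, password, now: int) -> str:
        if self.access_token is None or verify_token(self.access_token, now) is None:
            id_token = self.idp.authenticate(username, password, now)  # steps 2-7
            if id_token is None:
                return "login failed"
            self.access_token = self.auth_server.issue_access_token(id_token, now)  # step 8
        return service.access(self.access_token, now)  # steps 9-10


def run_demo():
    """Walk the flow: one login, token reuse across services, expiry, and a tampered token."""
    idp = IdentityProvider({"rimap": "correct-horse"})       # constructed user
    auth = AuthorisationServer({"rimap": ["mail"]})          # constructed rights
    client = Client(idp, auth)
    mail, payroll = Service("mail"), Service("payroll")
    t0 = 1_000_000
    results = [
        client.use(mail, "rimap", "correct-horse", t0),          # login, then granted
        client.use(mail, "rimap", "correct-horse", t0 + 60),     # cached token, no login
        client.use(payroll, "rimap", "correct-horse", t0 + 60),  # right missing
        client.use(mail, "rimap", "correct-horse", t0 + 1000),   # token expired: re-login
    ]
    # Integrity check: a body rewritten to claim 'payroll' but carrying the old tag.
    body, tag = client.access_token.split(".")
    forged = base64.urlsafe_b64encode(json.dumps(
        {"typ": "access", "sub": "rimap", "rights": ["mail", "payroll"], "exp": t0 + 1900},
        sort_keys=True).encode()).decode() + "." + tag
    results.append(payroll.access(forged, t0 + 1000))
    return results, idp.logins


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

Running `run_demo()` performs only two real logins across five accesses: the first and the one after the access token expires. Every other access is served from the cached token, which is the "go to step 10" shortcut in step 1.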
Advantages of SSO
● Improves customer satisfaction
● Boosts productivity
● Improves compliance and security capabilities
● Facilitates B2B collaboration
● Stronger and/or automatic password changes
● Faster access to systems
Disadvantages of SSO
● Single point of failure
● Single high-value target (attracts more attackers)
● Necessary information disclosure between trusting site and SSO authority
● Lack of control over your user list
Enterprise SSO
It is designed to provide Single Sign-On to almost all the applications a user needs, including Windows executables, Java applications, terminal-emulator applications and in some cases web applications.
Web SSO
This is focused on web-based applications; an Authorisation server is used to determine who can have access to which service.
SAML
What is SAML?
The Security Assertion Markup Language (SAML) is an XML message format that defines a protocol specification to use when two servers need to share authentication information. The protocol uses the web infrastructure, where XML data moves over HTTP on TCP/IP networks.
SAML composed of
• Assertions
• Request/response protocols
• Bindings (the SOAP-over-HTTP method of transporting SAML requests and responses)
• Profiles (for embedding and extracting SAML assertions in a framework or protocol)
Request from the Service provider
Here, a sample SAML-compliant request is sent from a service provider requesting password authentication by the identity provider.

    <samlp:Request ...>
      <samlp:AttributeQuery>
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
        </saml:Subject>
        <saml:AttributeDesignator AttributeName="Employee_ID" AttributeNamespace="sun.com">
        </saml:AttributeDesignator>
      </samlp:AttributeQuery>
    </samlp:Request>
Response from the Identity provider
In response, the issuing authority asserts that the subject (S) was authenticated by means (M) at time (T).

    <samlp:Response MajorVersion="1" MinorVersion="0"
        RequestID="128.14.234.20.90123456"
        InResponseTo="123.45.678.90.12345678"
        StatusCode="/features/2002/05/Success">
      <saml:Assertion MajorVersion="1" MinorVersion="0"
          AssertionID="123.45.678.90.12345678"
          Issuer="Sun Microsystems, Inc."
          IssueInstant="2002-01-14T10:00:23Z">
        <saml:Conditions NotBefore="2002-01-14T10:00:30Z" NotAfter="2002-01-14T10:15:00Z"/>
        <saml:AuthenticationStatement AuthenticationMethod="Password"
            AuthenticationInstant="2001-01-14T10:00:20Z">
          <saml:Subject>
            <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
          </saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
    </samlp:Response>
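As an added example (not code from the slides or the referenced SAML material), the following Python performs the checks a service provider has to make before it trusts a response like the one above: the status is Success, the InResponseTo value matches a request this service provider actually sent, the Issuer is the identity provider it trusts, the current time lies inside the Conditions window, and the subject is the one it asked about. The sample response is constructed here by copying the slides' example and adding the SAML 1.0 namespace declarations that the slides omit; the slides' attribute-style RequestID/StatusCode syntax predates the ratified SAML 1.0 schema, but the validation logic is the same. Signature verification is assumed to have happened before this function is called.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# SAML 1.0 namespace URIs (the slides' snippet omits the xmlns declarations).
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed response modelled on the slides' example, namespaces added.
SAMPLE_RESPONSE = f"""
<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    MajorVersion="1" MinorVersion="0"
    RequestID="128.14.234.20.90123456"
    InResponseTo="123.45.678.90.12345678"
    StatusCode="/features/2002/05/Success">
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="123.45.678.90.12345678"
      Issuer="Sun Microsystems, Inc."
      IssueInstant="2002-01-14T10:00:23Z">
    <saml:Conditions NotBefore="2002-01-14T10:00:30Z" NotAfter="2002-01-14T10:15:00Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="Password"
        AuthenticationInstant="2002-01-14T10:00:20Z">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_instant(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2002-01-14T10:00:30Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, *, expected_request_id, trusted_issuer, expected_subject, now):
    """Return (accepted, problems); the assertion may be relied on only when problems is empty.

    Assumes the XML signature was verified first. The input comes from the network, so
    production code should parse it with a hardened parser (e.g. defusedxml) instead of
    xml.etree directly.
    """
    problems = []
    root = ET.fromstring(xml_text.strip())
    if root.tag != f"{{{SAMLP}}}Response":
        return False, ["document is not a samlp:Response"]
    if not (root.get("StatusCode") or "").endswith("Success"):
        problems.append("status is not Success")
    # Binds the response to a request this SP issued; an unsolicited or replayed
    # response carries a different (or no) InResponseTo value.
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the request this SP sent")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, problems + ["response carries no assertion"]
    if assertion.get("Issuer") != trusted_issuer:
        problems.append(f"untrusted issuer {assertion.get('Issuer')!r}")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("assertion has no Conditions; refusing open-ended validity")
    else:
        not_before, not_after = conditions.get("NotBefore"), conditions.get("NotAfter")
        if not_before and now < parse_instant(not_before):
            problems.append("assertion not yet valid")
        if not_after and now >= parse_instant(not_after):
            problems.append("assertion expired")
    name_id = assertion.find(".//saml:Subject/saml:NameIdentifier", NS)
    subject = (name_id.get("SecurityDomain"), name_id.get("Name")) if name_id is not None else None
    if subject != expected_subject:
        problems.append(f"subject {subject} is not the requested {expected_subject}")
    return not problems, problems


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE,
                            expected_request_id="123.45.678.90.12345678",
                            trusted_issuer="Sun Microsystems, Inc.",
                            expected_subject=("sun.com", "rimap"),
                            now=parse_instant("2002-01-14T10:05:00Z")))
```

Evaluated at 10:05:00Z the sample is accepted; at 10:00:25Z it is rejected as not yet valid, at 10:15:00Z as expired, and a response whose InResponseTo does not match an outstanding request id is rejected even when everything else is in order.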
References
• Secure Single Sign-On
  www.ru.nl/publish/pages/.../z_researchpaper_sso_final_nick_heijmink_s4250559.pdf
• Single sign-on - Wikipedia, the free encyclopedia
  https://en.wikipedia.org/wiki/Single_sign-on
• Demo Free Trials - Single Sign-On Solutions
  https://www.onelogin.com/product/sso
• Benefits of SSO
  http://www.jscape.com/blog/bid/104856/5-Big-Business-Benefits-of-Using-SSO-Single-Sign-On
• [PDF] Security Assertion Markup Language (SAML)
  https://www.cs.ucsb.edu/~bultan/courses/595-W06/SAML.pdf