Single Sign-on SSO using SAML

Single sign on using SAML



Contents
● Introduction
● Advantages and disadvantages of SSO
● Types of SSO
● Different implementation protocols
● SAML
  ○ How does it work
  ○ SAML composed of
  ○ SAML example syntax of Request and Response
● References

Introduction
+ What is SSO
+ Why SSO
+ How does it work

What is SSO
● SSO is defined as a solution that allows users to log in once, through a single page, and afterwards have access to multiple services.
● A simple version of single sign-on can be achieved over IP networks using cookies, but only if the sites share a common DNS parent domain.

[Figure: "Authentication without SSO" vs. "Authentication with SSO"; actors shown: Client (User Agent), SP, IdP, AS]

SSO has the following steps

1. The Client tries to access a service. If the Client already has a token for this service, the token is added to the request; afterwards, go to step 10.
2. The Service calls the IdP to handle the authentication.
3. The IdP asks the Client for login credentials.
4. The Client asks the User to give the login credentials.
5. The User hands over the login credentials.
6. The Client sends these credentials to the IdP, which validates the credentials.
7. If the credentials are correct, an ID token is sent to the AS; otherwise it returns to step 3.
8. The AS collects the rights that are assigned to the user and creates an access token; the access token and the ID token are sent to the Client.
9. The Client tries to access the service using the access token.
10. The Service grants access to the service.

Advantages and Disadvantages of SSO

Advantages of SSO
● Improves customer satisfaction
● Boosts productivity
● Improves compliance and security capabilities
● Facilitates B2B collaboration
● Stronger and/or automatic password changes
● Faster access to systems

Disadvantages of SSO
● Single point of failure
● Single high-value target (attracts more attackers)
● Necessary information disclosure between the trusting site and the SSO authority
● Lack of control over your user list

Types of SSO
There are two types of SSO:
1. Enterprise SSO
2. Web SSO

Enterprise SSO
It is designed to provide Single Sign-On to almost all the applications a user needs, including Windows executables, Java applications, terminal-emulator applications and, in some cases, web applications.

Web SSO
This is focused on web-based applications; an authorisation server is used to determine who can have access to which service.

Different Implementation Protocols
• OAuth2
• OpenID Connect
• SAML
• LDAP
• CAS
• CoSign
• OZ

SAML

What is SAML?
The Security Assertion Markup Language (SAML) is an XML message format that defines a protocol specification to use when two servers need to share authentication information. The protocol uses the web infrastructure: XML data moves over HTTP on TCP/IP networks.

How does SAML work
[Figure: SAML flow; labels: SAML request, Create Assertion, SAML response]

SAML is composed of
• Assertions
• Request/response protocols
• Bindings (the SOAP-over-HTTP method of transporting SAML requests and responses)
• Profiles (for embedding and extracting SAML assertions in a framework or protocol)

Request from the Service provider
Here, a sample SAML-compliant request is sent from a service provider requesting password authentication by the identity provider.

<samlp:Request ...>
  <samlp:AttributeQuery>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
    </saml:Subject>
    <saml:AttributeDesignator AttributeName="Employee_ID" AttributeNamespace="sun.com">
    </saml:AttributeDesignator>
  </samlp:AttributeQuery>
</samlp:Request>

Response from the Identity provider
In response, the issuing authority asserts that the subject (S) was authenticated by means (M) at time (T).

<samlp:Response MajorVersion="1" MinorVersion="0"
    RequestID="128.14.234.20.90123456"
    InResponseTo="123.45.678.90.12345678"
    StatusCode="/features/2002/05/Success">
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="123.45.678.90.12345678"
      Issuer="Sun Microsystems, Inc."
      IssueInstant="2002-01-14T10:00:23Z">
    <saml:Conditions NotBefore="2002-01-14T10:00:30Z" NotAfter="2002-01-14T10:15:00Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="Password"
        AuthenticationInstant="2001-01-14T10:00:20Z">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="sun.com" Name="rimap"/>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>

References
• Secure Single Sign-On
  www.ru.nl/publish/pages/.../z_researchpaper_sso_final_nick_heijmink_s4250559.pdf
• Single sign-on - Wikipedia, the free encyclopedia
  https://en.wikipedia.org/wiki/Single_sign-on
• Demo Free Trials - Single Sign-On Solutions
  https://www.onelogin.com/product/sso
• Benefits of SSO
  http://www.jscape.com/blog/bid/104856/5-Big-Business-Benefits-of-Using-SSO-Single-Sign-On
• [PDF] Security Assertion Markup Language (SAML)
  https://www.cs.ucsb.edu/~bultan/courses/595-W06/SAML.pdf

Thanks!