CIS 2015 So you want to SSO … Scott Tomilson & John DaSilva

You’ve waited long enough …

Copyright © 2015 Cloud Identity Summit. All rights reserved. 2

Mobile Apps / Web Apps / SaaS Apps: each one with its own username and password, nine times over


Integration Kits

It’s time for SSO … … what do you mean by SSO?

•  App Enablement?
•  Session Management?
•  Access Control?
•  Auditing?
•  Authentication Policy?

“One Username & Password (or some other form of authentication) just One Time”

It’s time for SSO … … and how will we get SSO?

•  Open Standards?
•  On-Premise?
•  IdaaS?
•  Agents vs Gateway?
•  App Changes?

“Eliminate Unnecessary Passwords” (yes, some work will be needed – but you want to do this the right way)


Enterprise: Access Management / Federated Identity Management

SSO for Web Applications


“First Mile” / “Last Mile” Integration

Identity Provider (IdP): Identity Store ↔ Federation Server   (“First Mile”)
Service Provider (SP):   Federation Server ↔ Target App       (“Last Mile”)

“First Mile” Integration

•  If you’re using a Federation Server – hopefully this is just a configuration exercise:
   •  ADconnect (Active Directory)
   •  PingFederate (Complex AD, LDAP, WAM, etc.)
   •  PingOne Cloud Directory (IdaaS user/group dir.)

•  Worst case – there are Libraries & APIs to help you integrate a custom portal or user store


“Last Mile” Integration

Here’s where things get interesting …


“Last Mile” Integration

Question #1: Does your application support Web (federated) SSO standards? (i.e.: SAML, WS-Federation, OpenID Connect)


“Last Mile” Integration – with Standards


Identity Provider (IdP): Identity Store ↔ Federation Server  ── SAML ──►  Service Provider (SP): Target App


“Last Mile” Integration – with Standards

Your Apps (Acme, Beta, Com)  ◄── SAML ──►  Federation Hub  ◄── SAML ──►  Your Identity Stores / Partners

“Last Mile” Integration – with Standards


Does your app support Web SSO standards? (SAML/WS-Fed/OIDC)
  → No:  go on to the next question
  → Yes: Do you prefer IdaaS?  → Yes / No

“Last Mile” Integration

Question #2: Does your application support HTTP header-based SSO?


“Last Mile” Integration – with HTTP Headers

Identity Provider (IdP): Identity Store ↔ Federation Server  ── SAML ──►  Service Provider (SP): Federation Server / Agent / Gateway  ── HTTP Headers ──►  Target App

HTTP Headers set by the agent/gateway:  User: joe   Email: [email protected]   Group: Sales

“Last Mile” Integration – with HTTP Headers

•  Federated SSO
   •  PingFederate Integration Kits: Apache & IIS
•  WAM Features (Session Management, URL Authorization & Auditing)
   •  Gateway (Reverse Proxy)
   •  Agents: Apache & IIS
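To make the trust boundary in this pattern concrete, here is an added example (not from the deck and not Ping's code) modelling the agent/gateway step in Python: the gateway is the only legitimate source of the User/Email/Group headers, so it discards any identity headers the client sent before injecting the ones derived from the federated session. The class, cookie name and session data are hypothetical and constructed.

```python
from dataclasses import dataclass, field

# Header names the target app reads; they follow the deck (User, Email, Group).
IDENTITY_HEADERS = ("User", "Email", "Group")

@dataclass
class Session:
    """Attributes the gateway obtained from the SAML assertion (constructed data)."""
    user: str
    email: str
    groups: list = field(default_factory=list)

class HeaderSsoGateway:
    """Hypothetical agent/reverse proxy in front of the target app: strips every
    inbound identity header (HTTP header names are case-insensitive) and injects
    the values from the user's federated session, so the app never sees a
    client-chosen User/Email/Group."""

    def __init__(self, sessions: dict):
        self.sessions = sessions  # gateway cookie value -> Session

    def has_session(self, request_headers: dict) -> bool:
        return request_headers.get("Cookie", "") in self.sessions

    def forward(self, request_headers: dict) -> dict:
        blocked = {h.lower() for h in IDENTITY_HEADERS}
        clean = {k: v for k, v in request_headers.items() if k.lower() not in blocked}
        sess = self.sessions.get(request_headers.get("Cookie", ""))
        if sess is None:
            # No federated session yet: a real agent would start the SAML flow here.
            raise PermissionError("no federated session; redirect to the IdP")
        clean["User"] = sess.user
        clean["Email"] = sess.email
        clean["Group"] = ",".join(sess.groups)
        return clean

def target_app(headers: dict) -> str:
    """Target app side: reads identity only from the gateway-set headers."""
    return f"hello {headers['User']} <{headers['Email']}> in {headers['Group']}"

# Constructed sample: a browser holding a valid gateway session that also tries
# to smuggle its own 'user' header, which the gateway must discard.
SESSIONS = {"PA=abc123": Session("joe", "joe@example.com", ["Sales"])}
SPOOFED_REQUEST = {"Cookie": "PA=abc123", "user": "admin", "Host": "app.example.com"}

def demo() -> dict:
    """Headers the target app actually receives for SPOOFED_REQUEST."""
    return HeaderSsoGateway(SESSIONS).forward(SPOOFED_REQUEST)
```

The same stripping must happen in whatever really fronts the app (agent or reverse proxy); if the app is reachable without passing through it, the headers prove nothing.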


“Last Mile” Integration – with Standards


Does your app support HTTP header based SSO?
  → No:  go on to the next question
  → Yes: Do you want WAM features?  → Yes / No

“Last Mile” Integration

Question #3: Can you modify the application?


“Last Mile” Integration – with App Changes


Features                                                         Approach                                       Effort Level   Product(s)
Federated SSO                                                    Implement SAML                                 L              n/a
                                                                 Implement OpenID Connect                       S              n/a
                                                                 HTTP Headers                                   XS             PingFederate
                                                                 REST API                                       S              PingFederate, PingOne
                                                                 SSO Integration Kit SDK Library (Java, .NET)   S              PingFederate
WAM Features (Session Management, URL Authorization & Auditing)  HTTP Headers                                   XS             PingAccess

“Last Mile” Integration

Question #4: Did you reach here with 3 NO’s?


“Last Mile” Integration – “I’m out of options…”

•  PingFederate Integration Kits
•  Basic SSO (Password Vaulting)


… still lost?

Talk to us!

SSO for Mobile Applications


Get Your Time Machines Ready …

SSO for Mobile Applications

•  Are multiple logins (with the same creds) OK?
•  The user-experience impact could be mitigated with long-lived refresh tokens
•  Shared refresh tokens? (Multiple apps – same dev. signer)
•  Shared browser session?
•  Centralized broker of OAuth Access Tokens
•  Napps – http://openid.net/wg/napps/
•  PingOne Mobile – Early Napps draft support, compatible with both PingFederate and PingOne

In Closing …
