Aime Cuellar Garac Single Sign On 1 22/02/05 SSO : Single Sign On.
Solving Single-Sign-On
-
Upload
aaron-king -
Category
Software
-
view
107 -
download
0
description
Transcript of Solving Single-Sign-On
![Page 1: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/1.jpg)
Solving Single-Sign-On
![Page 2: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/2.jpg)
Introductions
Patrick J. PoerFounder & President
Aaron Stanley KingDirector of Application Development
![Page 3: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/3.jpg)
Ability to authenticate into multiple applications
Uses one login screen across multiple applications
Uses one username / password combination across multiple applications
Logging out of one application, logs out of other applications
Self-Service Account Management
What is Single-Sign-On?
![Page 4: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/4.jpg)
User Management (Identity Management) Central Management of Permissions across
multiple applications (Federated Security) Account Provisioning / User-Registration and
Activation (Access Management)
Identity and Access Management
What Single-Sign-On is NOT?
![Page 5: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/5.jpg)
Storage & Management vs. Communication
Single-Sign-On Protocols
![Page 6: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/6.jpg)
Help Desk Password Reset Requests Cost ~ $32 per call
Regulatory Compliance (HIPAA, Sarbanes-Oxley, etc.) Cost ~ $MM per incident
Federated Authentication Cost ~ TBD
Enhanced Security Cost ~ $MM per incident
“Gartner Says Through 2016, Federated Single Sign-On Will Be the Predominant SSO Technology, Needed by 80 Percent of Enterprises”
IAM / SSO Business Case
![Page 7: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/7.jpg)
How many applications? Underlying User Store (LDAP, SQL, other)? Application Mix:
Browser Applications Desktop Applications Mobile Applications
SSO Protocol Decision Points
![Page 8: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/8.jpg)
HealthCare Company (HIPAA data) 8 Different 3rd party providers 4 different ad hoc SSO pass-through mechanisms Very Poorly Architected LDAP directory 3 Different manual exports and account
synchronizations to 5 different 3rd party providers No central management of user permissions No audit trail for user activity
Example
![Page 9: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/9.jpg)
Data StoreApp
1App
2App
3App
4App
5App
6App
7App
8
Website
CASADLD
S
Encrypted Token
Reference Url
SAML
Form Post
Current SSO Environment
![Page 10: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/10.jpg)
Implement F648’s S3 IAM / SSO Server Integrate all 3rd party providers into one SSO
server Manage all applications permissions and
profile data from a central server Automate account creation and
management Provide self-service account control to super
users Provide audit trail for all user permissions /
activities
Solution
![Page 11: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/11.jpg)
Data Store
App 1
App 2
App 3
App 4
App 5
App 6
App 7
App 8
New SSO Environment
S3Website
![Page 12: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/12.jpg)
Data StoreApp
1App
2App
3App
4App
5App
6App
7App
8
Website
CASADLD
S
Encrypted Token
Reference Url
SAML
Form Post
Current SSO Environment
![Page 13: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/13.jpg)
Aaron Stanley King
Technical Presentation
![Page 14: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/14.jpg)
Protocol Standards
WS-Federation (Web Services Federation) 2006 SOAP extension
WS-Trust 2007 Commonly STS (security token service)
CAS (central authentication service) 2004
OpenID 2005
OAuth2 2006
![Page 15: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/15.jpg)
Token Types
SAML (Security Assertion Markup Language) XML based Uses SOAP
CAS XML based
JWT (JSON Web Token) JavaScript Object Notation based
![Page 16: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/16.jpg)
WS-Federation and WS-Trust
Full blown SOAP web services with WSDL<s:Envelope> <s:Header> <wsa:Action> http://contoso.com/RFP/PlaceBid </wsa:Action> <wsa:To>http://contoso.com/RFPService</wsa:To> <wsa:ReplyTo> <wsa:Address>http://client.fabrikam.com</wsa:Address> </wsa:ReplyTo> <!-- Other headers not shown for brevity --> </s:Header> <s:Body wsu:Id="body"> <!-- application message --> </s:Body></s:Envelope>
![Page 17: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/17.jpg)
![Page 18: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/18.jpg)
CAS
/login credential requestor / acceptor
/logout destroy CAS session (logout)
/validate service ticket validation
/serviceValidate service ticket validation [CAS 2.0]
/proxyValidate service- / proxy ticket validation [CAS 2.0]
/proxy proxy ticket service [CAS 2.0]
![Page 19: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/19.jpg)
![Page 20: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/20.jpg)
OAuth2
/authorize the resource owner logs in, and grants authorization
to the client application. /token
the client application exchanges the authorization code, client ID and client secret, for an access token
/redirect (or sometimes /callback) the client application where the resource owner is
redirected to, after having granted authorization at the authorization endpoint
![Page 21: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/21.jpg)
![Page 22: Solving Single-Sign-On](https://reader033.fdocuments.us/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/22.jpg)
Demos