SSO (Single Sign On/Off)
Uploaded by russel-mahmud
Example (slide diagram): a single login at accounts.google.com covers drive.google.com, gmail.google.com and www.youtube.com.
What is SSO?
SSO Foundations: Identification, Authentication, Authorization, Access Control
SSO
Why SSO?
1. End user experience enhanced
2. Single login form
3. Centralized auditing/reporting
4. Developer productivity improved
5. Multi-factor authentication support
6. Reduced IT costs due to fewer IT help desk calls
about passwords
Terminology
Cookies
Authentication
Authorization
HTTPS
Encryption
1. Encryption algorithms transform plain text into cipher text.
2. Two main types of encryption algorithms:
• Symmetric encryption: the same key is used for encryption and decryption.
• Asymmetric encryption: different keys are used for encryption and decryption (a public key and a matching private key).
3. Symmetric algorithms are much faster than asymmetric ones, which is why bulk data is encrypted symmetrically and asymmetric keys are reserved for key exchange and signatures.
Related primitives used to protect SSO tokens:
RSA (asymmetric; encryption and digital signatures)
DSA (asymmetric; digital signatures only, no encryption)
HMAC (symmetric keyed hash; gives integrity and authenticity, not confidentiality)
SSO Techniques
1. CAS
2. SAML
3. OpenID
4. OAuth
How Does CAS work?
Parties: browser, Web Application, CAS server, backing directory (LDAP or Kerberos).
1.0 Initial request: the browser requests a protected page on the web application.
2.0 Service ID authentication: with no local session, the application redirects the browser to CAS, passing its service identifier (URL).
2.1 Authentication: the user enters credentials on the CAS login form.
2.2 Authentication: CAS verifies the credentials against LDAP or Kerberos.
2.3 Sets TGT cookies: on success CAS sets a ticket-granting ticket (TGT) cookie scoped to the CAS domain.
3.0 Service ticket transfer: CAS redirects the browser back to the service URL with a one-time service ticket.
4.0 Validate: the application validates the service ticket directly with CAS (server to server) and learns the user's identity.
5.0 Access Web Server: the application creates a local session and serves the request.
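The CAS exchange above, as an added example that is not part of the original slides: a toy CAS server and two CAS-protected applications in Python. The directory, the URLs and the user credentials are constructed for the demo and stand in for the LDAP/Kerberos backend in the diagram. It shows the property the diagram does not spell out: the TGT cookie never leaves the CAS domain, while the service ticket is one-time, short-lived and bound to the service that requested it, so replaying it or presenting it to a different application fails validation.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Constructed stand-in for the LDAP/Kerberos directory in the diagram (hypothetical user).
DIRECTORY = {"alice": "correct horse battery staple"}

# Hypothetical URLs for the demo; a real deployment uses its own CAS and service URLs.
CAS_LOGIN_URL = "https://cas.example/login"
APP_A = "https://app-a.example/"
APP_B = "https://app-b.example/"


@dataclass
class CasServer:
    """Toy CAS server: authenticates users, sets TGTs, issues and validates service tickets."""
    tgts: dict = field(default_factory=dict)     # TGT cookie value -> username
    tickets: dict = field(default_factory=dict)  # service ticket -> (service, username, issued_at)
    ticket_ttl: float = 10.0                     # seconds a service ticket stays valid

    def login(self, username, password, service):
        # 2.1 + 2.2: check the submitted credentials against the directory.
        if DIRECTORY.get(username) != password:
            return None, None
        # 2.3: the TGT cookie is scoped to the CAS domain; applications never see it.
        tgt = "TGT-" + secrets.token_urlsafe(32)
        self.tgts[tgt] = username
        # 3.0: a one-time service ticket bound to the service that asked for it.
        return tgt, self._issue_st(username, service)

    def service_ticket_from_tgt(self, tgt, service):
        """Second application visited later: the TGT cookie proves the login, no form is shown."""
        username = self.tgts.get(tgt)
        return None if username is None else self._issue_st(username, service)

    def _issue_st(self, username, service):
        st = "ST-" + secrets.token_urlsafe(32)
        self.tickets[st] = (service, username, time.time())
        return st

    def validate(self, st, service):
        # 4.0: back-channel validation. The ticket is consumed on first presentation and
        # must have been issued for exactly this service within the TTL.
        entry = self.tickets.pop(st, None)
        if entry is None:
            return None
        issued_for, username, issued_at = entry
        if issued_for != service or time.time() - issued_at > self.ticket_ttl:
            return None
        return username


class WebApp:
    """A CAS-protected web application with its own local session store."""

    def __init__(self, cas, service_url):
        self.cas = cas
        self.service_url = service_url
        self.sessions = {}  # local session id -> username

    def request(self, session_id=None):
        # 1.0: initial request. Serve a valid local session directly; otherwise
        # 2.0: redirect to CAS carrying this application's service identifier.
        if session_id in self.sessions:
            return "200", self.sessions[session_id]
        return "302", CAS_LOGIN_URL + "?" + urlencode({"service": self.service_url})

    def callback(self, ticket):
        # 3.0: browser returns with ?ticket=ST-...; 4.0 validate; 5.0 create session, grant access.
        username = self.cas.validate(ticket, self.service_url)
        if username is None:
            return "403", None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return "200", sid


def demo():
    """Walk the diagram's steps across two applications and return the observed outcomes."""
    cas = CasServer()
    app_a, app_b = WebApp(cas, APP_A), WebApp(cas, APP_B)
    out = {}
    status, location = app_a.request()
    out["redirected_to_cas"] = status == "302" and location.startswith(CAS_LOGIN_URL)
    out["bad_password_rejected"] = cas.login("alice", "wrong", APP_A) == (None, None)
    tgt, st = cas.login("alice", "correct horse battery staple", APP_A)
    status, sid = app_a.callback(st)
    out["login_ok"] = status == "200"
    out["local_session_ok"] = app_a.request(sid) == ("200", "alice")
    out["replay_rejected"] = app_a.callback(st) == ("403", None)
    # Single sign-on: app B shows no login form, it only needs a ticket minted from the TGT.
    out["sso_to_app_b"] = app_b.callback(cas.service_ticket_from_tgt(tgt, APP_B))[0] == "200"
    # A ticket issued for app B is worthless at app A.
    out["wrong_service_rejected"] = app_a.callback(cas.service_ticket_from_tgt(tgt, APP_B)) == ("403", None)
    return out


if __name__ == "__main__":
    print(demo())
```

The validation in step 4.0 happens over a server-to-server channel, so the browser only ever carries an opaque ticket; everything a real deployment adds (the CAS `/serviceValidate` HTTP call, TLS, a shared ticket store for clustered CAS nodes) sits behind the same `validate` boundary.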
How Does OAuth work?
NewsCred Auth (MVP)
Goals
1. Centralize the authentication process
2. Keep basic account data isolated
3. Allow users to stay logged in while browsing different apps
NewsCred Auth Design
Parties: smartgallery.newscred.com (client application), accounts.newscred.com (authentication server), CDB database (account store).
1. Initial request: the browser requests smartgallery.newscred.com.
2. No local session: the application redirects to https://accounts.newscred.com/login/ with its callback_url.
3.0 Login form authentication: the user submits credentials to accounts.newscred.com.
3.1 Login verification: accounts.newscred.com checks the credentials against the CDB database.
3.2 Sets cookies (top domain) and redirects to callback_url?token=encrypted_token.
4.0 Transfer token: the application receives the token on the callback and sets local cookies.
5.0 Access Web Application.
Client Application Flowchart
Request for a private resource:
Local session? Yes: serve the private resource.
No local session: auth cookies (top domain) present? No: redirect to the Authentication Server.
Auth cookies present: VerifyToken. Valid: create a local session and serve the private resource. Invalid: redirect to the Authentication Server.
Token: RSA, HMAC or DSA (the slide's candidate algorithms for protecting and verifying the token).
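The client application flowchart and the "Token: RSA / HMAC / DSA" choice from the encryption section, as one added example that is not NewsCred's code: a token issued by accounts.newscred.com and verified by smartgallery.newscred.com, following the decision points of the flowchart. The shared secret, the claim names (sub, aud, exp, nonce), the callback path and the token layout are assumptions made for the demo; the slide says the token is encrypted, while this example protects it with HMAC-SHA256, because what the VerifyToken step actually needs is proof that accounts.newscred.com issued it unmodified.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Assumption: accounts.newscred.com and each client app share this key (constructed value).
# The slide calls the token "encrypted"; this example protects it with HMAC-SHA256, one of
# the three primitives listed beside "Token", so it is tamper-evident rather than secret.
SHARED_SECRET = b"constructed-demo-key-replace-with-32-random-bytes"
LOGIN_URL = "https://accounts.newscred.com/login/"


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64u(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def issue_token(user_id, callback_url, ttl=60, now=None):
    """Step 3.2: mint the value sent as callback_url?token=... (claim names are assumptions)."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "aud": callback_url, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    return (_b64u(body) + b"." + _b64u(sig)).decode()


def verify_token(token, expected_callback, now=None):
    """Flowchart 'VerifyToken': the claims, or None for a malformed, forged, misdirected or expired token."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.encode().split(b".")
        body, sig = _unb64u(body_b64), _unb64u(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time; check before trusting any claim
        return None
    claims = json.loads(body)
    # 'aud' ties the token to the app that requested it; 'exp' bounds the replay window.
    if claims.get("aud") != expected_callback or claims.get("exp", 0) <= now:
        return None
    return claims


class ClientApp:
    """smartgallery.newscred.com following the client application flowchart."""

    def __init__(self, callback_url):
        self.callback_url = callback_url
        self.sessions = {}        # local session id -> user id
        self.used_nonces = set()  # a token is exchanged for a session exactly once

    def handle(self, local_session=None, token=None, now=None):
        # Local session?  Yes -> private resource.
        if local_session in self.sessions:
            return "200", self.sessions[local_session]
        # Token present (callback parameter or top-domain auth cookie)?  Yes -> VerifyToken.
        if token is not None:
            claims = verify_token(token, self.callback_url, now)
            if claims is not None and claims["nonce"] not in self.used_nonces:
                self.used_nonces.add(claims["nonce"])
                sid = secrets.token_urlsafe(16)  # Create LocalSession
                self.sessions[sid] = claims["sub"]
                return "200-set-cookie", sid
        # No session and no acceptable token -> Authentication Server.
        return "302", f"{LOGIN_URL}?callback_url={self.callback_url}"


def demo():
    """Exercise the flowchart with fixed timestamps and return the observed outcomes."""
    app = ClientApp("https://smartgallery.newscred.com/auth/callback")  # path is an assumption
    t0 = 1_700_000_000.0
    out = {}
    status, location = app.handle(now=t0)
    out["redirect_to_accounts"] = status == "302" and location.startswith(LOGIN_URL)
    token = issue_token("user-42", app.callback_url, ttl=60, now=t0)
    status, sid = app.handle(token=token, now=t0 + 5)
    out["token_accepted"] = status == "200-set-cookie"
    out["local_session_served"] = app.handle(local_session=sid, now=t0 + 10) == ("200", "user-42")
    out["replay_rejected"] = app.handle(token=token, now=t0 + 11)[0] == "302"
    forged = ("f" if token[0] != "f" else "e") + token[1:]  # alter the signed body, keep the signature
    out["forgery_rejected"] = verify_token(forged, app.callback_url, now=t0) is None
    elsewhere = issue_token("user-42", "https://attacker.example/callback", now=t0)
    out["wrong_audience_rejected"] = verify_token(elsewhere, app.callback_url, now=t0) is None
    out["expired_rejected"] = verify_token(token, app.callback_url, now=t0 + 61) is None
    return out


if __name__ == "__main__":
    print(demo())
```

Because the token travels in the query string of callback_url, it lands in browser history, Referer headers and web server logs; the short `exp`, the single-use `nonce` and the `aud` binding are what keep a leaked copy from being exchanged for a session somewhere else. Swapping HMAC for RSA or DSA signatures changes only `issue_token` and the signature check in `verify_token`; the flowchart logic in `ClientApp.handle` stays the same.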
Challenges
1. Cross-domain automatic login
2. Checking the user's permissions for each domain
3. Updating and deleting account information
4. Cookie theft (the top-domain cookie is sent to every host under that domain, so one compromised app exposes all of them; set Secure and HttpOnly on it and keep the token short-lived)
Web Services
1. Public APIs: reachable from anywhere, no authentication
2. S2S (server-to-server) APIs: authenticated via API keys
Questions?