UploadLanguage (EN)Support
BusinessMobileSocial MediaMarketingTechnologyArt & PhotosCareerDesignEducationPresentations & Public SpeakingGovernment & NonprofitHealthcareInternetLawLeadership & ManagementAutomotiveEngineeringSoftwareRecruiting & HRRetailSalesServicesScienceSmall Business & EntrepreneurshipFoodEnvironmentEconomy & FinanceData & AnalyticsInvestor RelationsSportsSpiritualNews & PoliticsTravelSelf ImprovementReal EstateEntertainment & HumorHealth & MedicineDevices & HardwareLifestyle
Upload
Sign in
Mike Schwartz, profile picture
Uploaded byMike Schwartz
PPTX, PDF17,365 views

Single Sign On 101

Single Sign-On (SSO) allows users to authenticate once and access multiple services using a stored token, enhancing productivity for both users and developers. Key protocols include SAML 2.0 and OpenID Connect, with various market offerings ranging from SaaS to open-source solutions. Organizations should evaluate their needs and consider future-proofing their authentication solutions while adhering to open standards.

Technology
Downloaded 392 times
1 / 16
2 / 16
3 / 16
4 / 16
5 / 16
6 / 16
7 / 16
8 / 16
9 / 16
10 / 16
11 / 16
12 / 16
13 / 16
14 / 16
15 / 16
16 / 16
Single Sign-On 101 Solutions, Technology, and Recommendations
Single sign-on (SSO) allows a person to authenticate once at their home domain to obtain a “token”, which is stored in the browser (cookie) or mobile device, and can be presented to websites as evidence of authentication. In SALM the token is XML In OpenID Connect, the token is JSON The tokens are signed by the domain, so the website can validate them. What is Single Sign-On
Single logout (SLO) ensures that after a user logs out at their home domain, all “tabs” are also logged out. OpenID Connect defines a non-network based logout mechanism. Beware! Applications may only test credentials on login! What is Single Logout
Why do you need SSO? ● Essential for portals, where the page consists of multiple backend services. ● Increased productivity for people who use the authentication service ● Increased productivity for developers who don’t need to write authentication code. ● Enables domain to leverage strong credentials at third party sites.
Relevant Protocols ● SAML 2.0 - Currently the most widely adopted standard for Web SSO. XML based. ● OpenID Connect - Most promising successor to SAML, it is a profile of OAuth2, and promises better support for mobile. ● Earlier protocols that are still in use should be deprecated: ○ Kerberos, RADIUS, LDAP, WS-*, OpenID 2, CAS...
Relevant Jargon SAML OpenID Connect Identity Provider (IDP) OpenID Provider (OP) Service Provider (SP) Relying Party (RP) Attributes User claims SP Metadata Client Claims
Develop your SSO roadmap.. 1. Understand market offerings 2. Evaluate your needs 3. Align with a solution
● SaaS - Vendors provide a multi-tenant IDP. You can quickly try, buy and fly with SSO to popular pre- integrated cloud apps. ● Open Source - You can design, build and operate your domain IDP using open source software. ● Enterprise Software - Pay to use the software, otherwise identical to Open Source. ● Managed Service- Host your domain IDP on your network, but share operations. 1) Market Offerings for large organizations
2) Evaluate your needs ● Are you ok with persisting personal data in the cloud? ● Are you ok with access to your systems by a third party? ● Do you have a custom requirements for authentication, or strong authentication for your domain? ● How many “users” and “applications” do you have? ● Do you need to support mobile authentication? ● Do you need to have “business continuity” or disaster recovery
3) Align with a solution ● SaaS - Okta, OneLogin, Stormpath, Symplified ● Open Source - Gluu, ForgeRock, Independent integrators and consulting shops ● Enterprise Software - Oracle Access Manager, CA SiteMinder, IBM Tivoli Access Manager, RSA Cleartrust, Microsoft ADFS, Ping Federate
● SaaS ○ No root access to the server. If there's a security breach, it affects everyone. ○ Per user or per application pricing can become costly. ● Open Source ○ Expensive to design and build ○ High cost of care and feeding ○ Hard to support new app integrations ● Proprietary ○ Expensive license fees ○ Vendor lock-in Limitations of SSO Solutions
2 Factor Authentication ● 80% of Internet security breaches are bad passwords ● Many new mobile, bio-metric, location based, and cryptographic authentication mechanisms are being devised. ● Prices are coming down. ● Better enrollment and “password reset” functionality.
Authorization ● ● Organization can create policies to control which clients and people can access which URL’s ● Application contain a lot of security policies... only centralize what is common between applications.
Authorization Sequence
Our Recommendations ● Choose a platform that gives your organization the flexibility to implement its business logic. ● Make sure your solution is Future proof : be ready new strong authentication services ● Use open standards and open source when possible!
Questions? Just reach out!! http://gluu.org