single sign on (sso) how does your company apply?

Post on 10-May-2015


DESCRIPTION

SSO is not a new concept; we have all heard a great deal about it in our work or research. It is useful, but does it really belong only to administration/management people? It is interesting for users, but is it really complex and a headache for whoever has to implement it? Especially nowadays, we are in the age of the Computing Troika: cloud, social networks, mobile, big data and federation problems. So, as a professional organisation, or as a skilled member of a development team, where will you start? What do you know about it? Which methods will you choose to implement in your organisation? How will you develop or integrate it into your customers' products? How does your organisation deploy it to support customers and partners...

TRANSCRIPT

Single Sign On (SSO): How does your company apply?

Do Duy Trung

Who???

Agenda

- Overview
- What? Why? Where? Which? How?
- Q&A

IdM, AIM (Access & Identity Management)

Computing Troika

Cloud Computing

Social Computing

Mobile Computing

We are ...

(slide of scattered prompts: USER, password, P@ssw0rd, account?, username?, IT, where?, PIN, ID, ???)

What is SSO? A session/user authentication process that grants access to multiple services/apps.

→ Eliminates login prompts during a particular session.
→ Reduced Sign On (RSO)

Advantages:
- uniform AAA policies
- audit session
- users have less to understand
- help-desk cost savings

Disadvantages:
- single point of enterprise failure
- data integrity

Diagram: Sign-On versus Single Sign-On
(User; Account Manager OR SSO Product; Protocol? Token?)

Concepts & Protocols? SAML 2.0, OpenID Connect, Others

SAML 2.0
Description:
- Most widely adopted standard for Web SSO.
- XML based.
Relevant jargon:
- Identity Provider (IdP)
- Service Provider (SP)
- Attributes
- SP Metadata

OpenID Connect
Description:
- Most promising successor to SAML.
- JSON based.
- A profile of OAuth 2.
- Promises better support for mobile.
Relevant jargon:
- OpenID Provider (OP)
- Relying Party (RP)
- User claims
- Client claims

Others
Description:
- Earlier protocols that are still in use should be deprecated.
- Cookie based (LtpaToken, LtpaToken2, ...)
Relevant jargon:
- Kerberos, RADIUS, LDAP, WS-*, OpenID 2, CAS

Perform where?
- SP initiated SSO
- IdP initiated SSO
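The following is an added example, not part of the original slides, showing the SP-initiated OpenID Connect flow from the Relying Party's side: the RP mints `state` and `nonce` before redirecting to the OP, then validates the returned ID token (signature, `alg`, `iss`, `aud`, `exp`, `nonce`) before trusting its user claims. Assumptions: `ISSUER`, `CLIENT_ID` and `SHARED_SECRET` are constructed values, and an HS256 shared secret stands in for the RS256/JWKS setup a real OP uses; the `session` dict stands in for the RP's server-side session.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed values for this example; a real OP publishes RS256 keys via JWKS.
ISSUER = "https://op.example"
CLIENT_ID = "rp-demo"
SHARED_SECRET = b"example-client-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(header: str, body: str) -> bytes:
    return hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()

def start_login(session: dict) -> dict:
    """SP-initiated SSO: the RP mints state and nonce and keeps them in its session."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    return {"response_type": "id_token", "client_id": CLIENT_ID,
            "state": session["state"], "nonce": session["nonce"]}

def mint_id_token(claims: dict) -> str:
    """Stand-in for the OP: HS256-signed JWT (assumption made for the demo)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url(sign(header, body))}"

def validate_id_token(token: str, session: dict, returned_state: str, now: float) -> dict:
    """RP side: the checks an OpenID Connect RP makes before trusting user claims."""
    if not hmac.compare_digest(returned_state, session.get("state", "")):
        raise ValueError("state mismatch: response not bound to this login attempt")
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    if not hmac.compare_digest(b64url_decode(sig), sign(header, body)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued to a different RP")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not hmac.compare_digest(claims.get("nonce", ""), session.get("nonce", "")):
        raise ValueError("nonce mismatch: possible replay")
    return claims
```

In an IdP-initiated flow the RP has no stored `state`/`nonce` to compare against, which is why that variant is harder to protect against replayed or unsolicited responses.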

Examples

Code where?

Store where?

- AD
- OpenLDAP
- Realm
- Database

Classification

- ESSO (Enterprise SSO)

- WSSO (Web SSO)

- Cloud SSO
- Federated SSO

Classification (cont…)

- Cookie based SSO
- Token based SSO (XML, JSON)

- MVF (multi value factor) authentication

Which products?

SaaS: Okta, OneLogin, Stormpath, Symplified
- No root access to the server. If there's a security breach, it affects everyone
- Per user or per application pricing can become costly

Open Source: Gluu, ForgeRock, CAS, independent integrators and consulting shops
- Expensive to design and build
- High cost of care and feeding
- Hard to support new app integrations

Enterprise Software: Oracle Access Manager, CA SiteMinder, IBM Tivoli Access Manager, RSA Cleartrust, Microsoft ADFS, Ping Federate, ...
- Expensive license fees
- Vendor lock-in

How to do?

- Ask yourself?
- Ask your organisation?
- Ask your customer?
- Ask your partner?
- Ask your producer?

Steps for Effective SSO Deployments

Step 1. Get power users and executive sponsorship
Step 2. Establish deployment goals and priorities
Step 3. Understand end user resistance to change
Step 4. Include the right people and resources in the project
Step 5. Train people at all phases
Step 6. Test thoroughly
Step 7. Market the solution

Scenarios

Q&A

Thank you very much!

References
- http://en.wikipedia.org/wiki/Single_sign-on
- http://www.opengroup.org/security/sso/sso_intro.htm
- http://searchsecurity.techtarget.com/definition/single-sign-on
- http://www.authenticationworld.com/Single-Sign-On-Authentication/
- http://www.giac.org/paper/gsec/3618/single-sign-concepts-protocols/105876
- http://www.slideshare.net/gluu/sso-101
- http://qualtrics.com/wp-content/uploads/2013/05/SSO-Single-Sign-On-Specification.pdf
- http://mauriziostorani.wordpress.com/2008/07/21/single-sign-on-sso-concepts-methods-and-frameworks/
- https://www.imprivata.com/customer-success/best-practices/7-steps-for-effective-sso-deployments
- http://www.juniper.net/techpubs/en_US/sa8.0/topics/example/example-simple/secure-access-saml-cloud-googleapps.html
- http://www.authenticationworld.com/Single-Sign-On-Authentication/101ThingsToKnowAboutSingleSignOn.pdf
- http://www.timberlinetechnologies.com/products/sso.html
- http://www.codeproject.com/Articles/429166/Basics-of-Single-Sign-on-SSO
- http://technet.microsoft.com/en-us/library/cc727987(v=ws.10).aspx
- https://wiki.developerforce.com/page/Implementing_Single_Sign-On_Across_Multiple_Organizations
- http://blog.empowerid.com/top-5-federated-single-sign-on-sso-scenarios?&__hssc=&__hstc&hsCtaTracking=a388cefe-1353-4d80-8702-15118a0712c2%7C55b814cc-7c33-4574-baa4-978c98fc8485
