Post on 29-Jun-2022

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: SSO-Report 2007 v2

SSO-Report 2007Key-Player, Status, Trends

Martin Kuppinger, KCP

[email protected]

Page 2: SSO-Report 2007 v2

What will I talk about? SSO

• Single Sign-On defined:

  • User perspective: The ability to use multiple applications with one sign-on

  • System perspective: The use of one sign-on to access multiple applications, e.g. a technically integrated sign-on across applications

© Kuppinger Cole + Partner 2007Seite 2

Page 3: SSO-Report 2007 v2

Identity Management Market: Single Sign-On Segment increases

[Chart: share of respondents (0% to 100%) per identity management segment, broken down by investment status. Segments: Directory services, Meta directory services, Identity Provisioning, Virtual Directories, Identity Federation, Web Access Management, Single Sign-On, Strong authentication, PKI, Mainframe Access Management, Auditing, Role management, Delegated administration. Legend: No investments, Optimizations in ongoing operation, Major extensions, Product change, Introduction.]

Basis: Kuppinger Cole + Partner Identity Management Survey 2006

Page 4: SSO-Report 2007 v2

Business drivers for IT = Business drivers for SSO

• process optimization ("get closer to the market") → SSO!

• user productivity ("more bang for bucks") → SSO!

• automation ("cut out the fat") → SSO!

• internal auditing ("keep the boss out of jail") → SSO?

[Diagram label: Identity Management]

Page 5: SSO-Report 2007 v2

Single Sign-On:Concrete needs

• Users have too many combinations of user names and passwords (credentials) to keep in mind

• Security risks through insecure "storage"

• Users don't like new apps ("just another application with just another user name and password")

• High help desk costs for password resets

• Need for strong authentication

• Unique, safe approaches across apps

• Securing sensitive apps

• Optimizing the costs of strong authentication


Page 6: SSO-Report 2007 v2

Business Value: SSO delivers

Quantitative

1 Administrative costs of helpdesk

2 Integration costs of apps (short term)

Qualitative

1 Ease of use for the user

2 Acceptance for new (and old) apps

3 Fast implementation of tactical solutions

SSO is not only tactical!

- tactical: Even mid-term there won't be "real" SSO across all apps

- strategic: "real" SSO with integration on the application level

Page 7: SSO-Report 2007 v2

Identity Management Market: Single Sign-On Approaches

[Chart: share of respondents (0.0% to 30.0%) per SSO approach, broken down by deployment status. Approaches: Server-based solutions, Client-based solutions, Kerberos, X.509, Web Single Sign-On, Federation. Legend: Strategic solution, Use in some areas, Deployment planned.]

Basis: Kuppinger Cole + Partner Identity Management Survey 2006

Page 8: SSO-Report 2007 v2

SSO: Six approaches for the enterprise

Server-based SSO (E-SSO)

Client-based SSO

Kerberos

X.509

Web-SSO

Federation


Page 9: SSO-Report 2007 v2

SSO approaches: Server-based ("E-SSO")

Stores credentials in a server store: central control, decentral client which accesses the credentials and sometimes caches them (more or less securely) locally

Usually called "E-SSO" or "Enterprise Single Sign-On"

No "real" Single Sign-On

Key-Players:

ActivIdentity, CA, Citrix, Evidian, Imprivata, Passlogix, Tesis

Multiple OEMs like IBM, Novell, Oracle


Page 10: SSO-Report 2007 v2

E-SSO: How does it work?

[Diagram labels: Directory (storage of credentials); User with E-SSO client; E-SSO client; Authentication; Applications. The E-SSO client on the user's machine obtains the stored credentials from the directory and performs the authentication against the applications.]

Page 11: SSO-Report 2007 v2

SSO approaches: Client-based, local SSO

Stores credentials on the client, in most cases no central control; local storage might be a potential security risk

Special approach: Browser-integrated

Some vendors support external storage devices like USB keys or smartcards, which are commonly more secure

Specific: Context of integrated smartcard infrastructures

No "real" Single Sign-On

Key-Players:

Very segmented market, dozens of smaller offerings

ActivIdentity, Aladdin, G&D, PassGo, Secude, Siemens, Symantec, Tesis


Page 12: SSO-Report 2007 v2

SSO approaches: Kerberos

Authentication standard for distributed systems, supports SSO via service tokens for specific applications

Usage practically restricted to closed environments

Supported on all major operating system platforms, but with significant interoperability issues

Real Single Sign-On, requires so-called "kerberized" applications

Key-Players:

KDCs: Heimdal, Microsoft, MIT and various adaptors

Integration: Centeris, Centrify, Quest


Page 13: SSO-Report 2007 v2

SSO approaches: X.509

At first a standard for digital certificates, but with broad interoperability

Certificates need to be mapped to existing accounts, i.e. some existing base of identities is required

Requires PKI and card management infrastructure on top

Exists for a long time, but still isn't supported in any standard application and missing in most custom applications

Mainly used in web apps, can be used externally

Might work fine with a smartcard infrastructure

Somewhat "semi-real" Single Sign-On due to different "identity providers" (e.g. directories)

Key-Players:

Multiple external certificate providers: S-Trust, Thawte, Verisign

Card infrastructure providers: ActivIdentity, G&D, Secude, Siemens


Page 14: SSO-Report 2007 v2

SSO approaches: Web-SSO

Web Single Sign-On, also called Web Access Management or Extranet Access Management

Central authentication for web-based apps, policy-based authorization

Limited to web applications, sometimes with support for J2EE and other apps (but seldom used)

Quick-win approach

Somewhat "semi-real" Single Sign-On

Key-Players:

BMC, CA, Entrust, HP, IBM, Microsoft, Novell, RSA, Siemens, Sun, Symlabs


Page 15: SSO-Report 2007 v2

SSO approaches: Identity Federation

Standard-based approach for distributed authentication and authorization

Becomes increasingly important and mature

Based on web services, very flexible

But: multiple standards; key-players usually support multiple of them

Real Single Sign-On

Key-Players:

BMC, CA, HP, IBM, Maxware, Microsoft, Novell, Oracle, Ping Identity, RSA, Siemens, Sun, Symlabs


Page 16: SSO-Report 2007 v2

Identity Federation: How it works…

• Federation is based on trust

• Service Provider trusts Identity Provider

[Diagram labels: Identity Provider (with its Directory); Trust; Service Provider (with the Resource); User Session.]

• User authenticates once for multiple service providers

• Flexible attribute exchange
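The federation flow described above, as an added example that is not part of the original presentation (the IdP and SP names, the user record and the HMAC keys standing in for the trust relationship are assumptions): the user authenticates once at the Identity Provider, which issues a signed assertion carrying only the requested attributes, and each Service Provider accepts an assertion only if it was signed under its own trust relationship, names it as the audience and has not expired.

```python
import base64, hashlib, hmac, json, time

# Constructed example, not code from the report. Trust between the Identity
# Provider (IdP) and each Service Provider (SP) is modelled as an HMAC key
# exchanged out of band; real federation standards use signing certificates.
IDP_NAME = "idp.example"                                  # assumed name
TRUST_KEYS = {"crm.example": b"crm-key", "wiki.example": b"wiki-key"}
USERS = {"alice": {"password": "correct horse", "department": "sales"}}


class IdentityProvider:
    """Authenticates the user once, then issues assertions to trusting SPs."""

    def __init__(self):
        self.sessions = set()                             # user sessions at the IdP

    def login(self, user, password):
        if USERS.get(user, {}).get("password") != password:
            return False
        self.sessions.add(user)
        return True

    def issue_assertion(self, user, audience, attrs, ttl=300):
        # Flexible attribute exchange: only the requested attributes are released.
        if user not in self.sessions or audience not in TRUST_KEYS:
            return None
        claims = {"iss": IDP_NAME, "sub": user, "aud": audience,
                  "exp": time.time() + ttl,
                  "attrs": {a: USERS[user][a] for a in attrs if a != "password"}}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(TRUST_KEYS[audience], body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig


class ServiceProvider:
    """Holds no passwords at all; it accepts only assertions from the trusted IdP."""

    def __init__(self, name):
        self.name = name

    def accept(self, assertion, now=None):
        body, _, sig = assertion.partition(".")
        expected = hmac.new(TRUST_KEYS[self.name], body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):        # signed for another SP, or forged
            return None, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["iss"] != IDP_NAME or claims["aud"] != self.name:
            return None, "wrong issuer or audience"
        if claims["exp"] < (now if now is not None else time.time()):
            return None, "expired"
        return claims, "ok"
```

An assertion issued for one SP is rejected by the other because each trust relationship has its own key, which is what keeps the single sign-on session bound to the trusting parties.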

Page 17: SSO-Report 2007 v2

Single Sign-On approaches compared: E-SSO as the mature approach

[Chart: the approaches positioned by integration requirements for apps (Low to High) against maturity. Plotted: Enterprise SSO, Local SSO, Federation, Web-SSO, Kerberos, X.509.]

Page 18: SSO-Report 2007 v2

SSO trend observed: OpenID, CardSpace, …

• OpenID: Focus on one identity and a single sign-on for this identity

• CardSpace: Different Infocards, different identity providers, not necessarily a single sign-on

• Trend:

  • Users from the internet will expect that these technologies are supported

  • They like to have one sign-on

  • Thus, we expect a strong influence on client-based approaches for single sign-on


Page 19: SSO-Report 2007 v2

SSO trend observed: Smartcards and SSO

• Smartcards gain momentum as a means for strong authentication

• But: Smartcards can as well (depending on card and client technology) store additional information or shield credential stores

• Result: SSO

• Valid approach when applied with a smartcard infrastructure, containing related processes


Page 20: SSO-Report 2007 v2

SSO trend observed: Entry point for IAM

Yes, because…

• …you could start at the client and collect information on who has which digital identity for which application (something which is often unknown)

• …there might be a fast success

• …at least some approaches are easy to implement (non-intrusive)

No, because…

• …for all strategic approaches an integrated, trustworthy identity is mandatory (and even for most tactical approaches a central directory)

• …the effort for application integration is high in many cases

• …sometimes a complex infrastructure is required


Page 21: SSO-Report 2007 v2

SSO: Tactics versus strategy

SSO tactics

• Frontend-oriented SSO

• User experience: SSO

• Fast-to-implement solutions

SSO strategy

• Backend-SSO

• Applications are SSO-integrated

• One defined strategy:

  • Internal: E-SSO or smartcard infrastructure w/ local SSO

  • External, Intranet apps: Web-SSO

  • Identity Federation

• Kerberos is restricted (but might be important as an internal point solution, e.g. Windows + Linux/UNIX)

• X.509 is a necessary, complementary base technology, but not the complete solution


Page 22: SSO-Report 2007 v2

SSO strategy: The components

[Diagram: Single Sign-On in the centre, surrounded by Integrated Identity, Strong Authentication, Application Security Infrastructure and Identity Federation.]

Integrated identity: Meta Directories, Provisioning

Strong authentication: At least two-factor authentication

Application Security Infrastructure: Mandatory requirements for authentication and authorization in applications

Federation: Basis for Single Sign-On


Page 23: SSO-Report 2007 v2

SSO as risk or chance? Identity Risk Management

• Authentication:

  • Trustworthy Identity Provider: SSO = Trust

  • Risk: Non-integrated auditing of authentication and authorization

  • Golden Password?

• Authorization:

  • Still in most cases decentral

  • Central: Web-SSO

  • Requires a defined configuration of Identity Providers and services/applications

IT risks tend to be reduced through SSO

Page 24: SSO-Report 2007 v2

Availability of the SSO-Report 2007

• Slides: KCP Website right after the conference

• Text version: End of May 2007
