Single Sign On (SSO): how does your company apply?
DESCRIPTION
SSO is not a new concept; most of us have heard a great deal about it at work or in research. It is useful, but does it really belong only to administration and management people? It is attractive to users, but is it really complex and a headache for whoever has to implement it? This matters especially today, in the age of the computing troika (cloud, social networks, mobile) together with big data and federation problems. So, as a professional organisation, or as a skilled member of a development team, where do you start? What do you know about SSO? Which methods will you choose to implement in your organisation? How do you develop or integrate it into your customers' products? How does your organisation deploy it to support customers and partners?
TRANSCRIPT
Single Sign On (SSO)
How does your company apply?
Do Duy Trung
Who???
Agenda
- Overview
- What? Why? Where? Which? How?
- Q&A
IdM, AIM (Access & Identity Management)
Computing Troika
Cloud Computing
Social Computing
Mobile Computing
We are ... (slide word cloud: USER, password, P@ssw0rd, account?, username?, IT, where? where? where?, PIN, ID, ???)
What is SSO?
A session/user authentication process in order to access multiple services/apps
→ Eliminates login prompts during a particular session.
→ Reduced Sign On (RSO)
Advantages
- uniform AaA policies
- audit session
- users do not have to understand each system's login
- help-desk cost savings
Disadvantages
- single point of enterprise failure
- data integrity
Diagram (labels: Sign-On vs Single Sign-On; User, Account Manager or SSO Product; Protocol? Token?)
Concepts & Protocols?
SAML 2.0
- Description: Most widely adopted standard for Web SSO. XML based.
- Relevant jargon: Identity Provider (IdP), Service Provider (SP), Attributes, SP Metadata
OpenID Connect
- Description: Most promising successor to SAML. JSON based. A profile of OAuth 2. Promises better support for mobile.
- Relevant jargon: OpenID Provider (OP), Relying Party (RP), User claims, Client claims
Others
- Description: Earlier protocols that are still in use should be deprecated. Cookie based (LtpaToken, LtpaToken2, ...)
- Examples: Kerberos, RADIUS, LDAP, WS-*, OpenID 2, CAS
Perform where?
- SP initiated SSO
- IdP initiated SSO
Examples
Code where?
Store where?
- AD
- OpenLDAP
- Realm
- Database
Classification
- ESSO (Enterprise SSO)
- WSSO (Web SSO)
- Cloud SSO
- Federated SSO
Classification (cont…)
- Cookie based SSO
- Token based SSO (XML, JSON)
- MVF (multi value factor) authentication
Which products?
SaaS: Okta, OneLogin, Stormpath, Symplified
- No root access to the server. If there's a security breach, it affects everyone
- Per user or per application pricing can become costly
Open Source: Gluu, ForgeRock, CAS, independent integrators and consulting shops
- Expensive to design and build
- High cost of care and feeding
- Hard to support new app integrations
Enterprise Software: Oracle Access Manager, CA SiteMinder, IBM Tivoli Access Manager, RSA Cleartrust, Microsoft ADFS, Ping Federate, ...
- Expensive license fees
- Vendor lock-in
How to do?
- Ask yourself?
- Ask your organisation?
- Ask your customer?
- Ask your partner?
- Ask your producer?
Steps for Effective SSO Deployments
Step 1. Get power users and executive sponsorship
Step 2. Establish deployment goals and priorities
Step 3. Understand end user resistance to change
Step 4. Include the right people and resources in the project
Step 5. Train people at all phases
Step 6. Test thoroughly
Step 7. Market the solution
Scenarios
Q&A
Thank you very much!