Single Sign-On (SSO) allows a user to access multiple applications and systems with a single set of login credentials. The document discusses various SSO standards and implementations including Kerberos, LDAP, CAS, SAML, and PKI. It notes benefits of SSO like reduced passwords to remember but also criticisms like the risk that stealing one set of credentials grants access to all systems.
1. SSO
Single Sign-On
TEQneers GmbH & Co. KG Dipl. Betriebswirt (BA) Oliver Müller
Saturday, 5 March 2011
2. Definition
• Property of access control of multiple, related, but independent software systems
• One-time authorization process for multiple applications, websites, ...
3. Benefits
• Reducing countless logins and passwords
• Reducing time effort to re-login
• Reducing IT cost/help desk
• Same level of password security everywhere
• Centralized reporting
• Usually much better passwords
4. Criticism
• Stolen credential opens all dungeons
• Infrastructure
• Might be combined with strong authentication (e.g. SmartCards)
• Many solutions need very expensive software or hardware
5. Issues
• Different apps use different SSO processes
• Impossible to find ONE SSO for all (?)
• Most solutions are unable to jump over the intranet barrier
6. Solutions
• Kerberos [1983]
• LDAP (slapd, Active Directory, …) [1993]
• NTLM (NT Lan Manager) [2000]
• CAS (Central Authentication Service) [2001]
• PKI (Public Key Infrastructure) [1969]
• SAML [2002]
• ...
7. Kerberos
• No easy setup
• Not easy for developers to set up the same environment
• Intranet barrier
• External service providers unable to use SSO
8. LDAP / AD
• SAME sign-on (same credentials everywhere) rather than single sign-on
• Intranet barrier (exposes too much information)
• External service providers unable to use SSO
• Easy to implement
• Nice to sync user data
9. <?php
// using ldap bind
$ldaprdn  = 'uname';    // ldap rdn or dn
$ldappass = 'password'; // associated password

// An empty password makes ldap_bind() perform an anonymous/unauthenticated
// bind, which many servers accept; reject it before binding.
if ($ldappass === '') {
    die("LOGIN failed: empty password.");
}

// connect to ldap server
$ldapconn = ldap_connect("ldap.example.com")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {
    // Active Directory and most current servers require protocol version 3
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // binding to ldap server with the user's own credentials
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    // verify binding
    if ($ldapbind) {
        echo "LOGIN successful...";
    } else {
        echo "LOGIN failed...";
    }
}
10. NTLM
• Intranet barrier
• External service providers unable to use SSO
• Based on Windows logon and Kerberos
• Compatibility issues (more or less Microsoft territory: Windows, IIS, IE)
• Easy to implement for developers
12. Central Authentication Service (CAS)
• Token/ticket based authentication
• Developed by Yale University
• phpCAS open source implementation
• Made for web only
• Common in education environment
13. <?php
include_once('CAS.php');
// initialize phpCAS
phpCAS::client(CAS_VERSION_2_0, 'sso-cas.home.com', 443, '');
// no SSL validation for the CAS server (demo setup only; in production pin the
// CA certificate instead, e.g. phpCAS::setCasServerCACert('/path/to/ca.pem'))
phpCAS::setNoCasServerValidation();
// force CAS authentication
phpCAS::forceAuthentication();
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
// logout if desired
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}
echo "LOGIN successful...";
14. Public Key
Infrastructure (PKI)
• X.509 certification based authentication
• It's about what-you-have (client certificate) and not what-you-know (password)
• Often used with smart cards (e.g. employee ID)
• Made for Web, SSH, OS login, ...
• Common in enterprise and government solutions
16. SAML
• Security Assertion Markup Language
• Defined by OASIS
• Made for internet and extranet sites
• Credentials/information can be configured
• Open (based on XML, SOAP, HTTP, ...)
17. SAML Parties
• Client (browser)
• Web application
• Service Provider (SAML client)
• Identity Provider (enterprise federation server)
18. Service Provider
• selfmade
• simpleSAMLphp (open source PHP solution)
• PingConnect (PHP, Perl, Java, …)
• ...
20. • user enters URL https://app.com/saml.php
• a user without a valid SAML assertion is forwarded to the service provider
• the browser asks the service provider for an XML assertion
• an XML assertion request form is sent back to the browser
• the browser forwards the assertion request form to the identity provider
• IF NOT LOGGED IN YET:
  • the identity provider asks the user to log into the enterprise network
  • the user enters login/password and sends it back to the identity provider
• the client receives an XML assertion and a cookie signed by the identity provider
• the XML assertion is sent to the service provider, which validates the assertion
• if the assertion is valid, the user is pushed back to the initial URL
• the assertion is checked and the user is looked up in your app
• if the user exists, the app start page appears; otherwise the app might show its standard login page
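The "validates assertion" step above is where the service provider decides whether to trust the identity provider's answer. The following added example (not code from the slides or from simpleSAMLphp) shows the semantic checks an SP must run after the XML signature has been verified by its SAML library: one-time InResponseTo matching, expected issuer, validity window and audience. The IdP entity ID, request ID and the response itself are constructed sample values; the SP URL is the one from the slide.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample Response as the IdP would POST it back to the SP (Signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2011-03-05T10:00:00Z" NotOnOrAfter="2011-03-05T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.com/saml.php</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(s):
    """Parse a SAML UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml, expected_issuer, audience, pending_requests, now):
    """Return (user, attributes) if every check passes, else raise ValueError.
    Assumes the SAML library already verified the XML signature; these are the
    semantic checks that must follow it (one-time InResponseTo, issuer, time, audience)."""
    root = ET.fromstring(xml)
    req_id = root.get("InResponseTo")
    if req_id not in pending_requests:          # unsolicited or replayed response
        raise ValueError("InResponseTo does not match a pending AuthnRequest")
    pending_requests.discard(req_id)            # each request ID is consumed once
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("assertion issued by an unexpected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not intended for this service provider")
    user = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return user, attrs
```

Calling it a second time with the same response (same InResponseTo) fails, which is the replay protection the SP relies on.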
21. <?php
// Load the simpleSAMLphp autoloader (install path assumed; adjust to your setup).
require_once('/var/simplesamlphp/lib/_autoload.php');
// Load simpleSAMLphp configuration and session.
$config  = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();
// Check if a valid local session exists.
if (!$session->isValid('saml2')) {
    // Redirect to the IdP for authentication; RelayState brings the user back here.
    SimpleSAML_Utilities::redirect(
        '/' . $config->getBaseURL() . 'saml2/sp/initSSO.php',
        array('RelayState' => SimpleSAML_Utilities::selfURL())
    );
}
// successful authentication: attributes released by the IdP
$attributes = $session->getAttributes();
print_r($attributes); // might print out email or login
23. Identity Server
• Shibboleth IdP (open source)
• PingIdentity
• Oracle Identity Server
• SAP NetWeaver
• Sun OpenSSO / ForgeRock OpenAM
• IBM
• Microsoft Geneva
24. One size does fit all
• Most federation solutions support many different SSO technologies
• Most are based on some kind of LDAP backend
25. Thanks for listening
contact me if you have any questions
email: oliver@php.net
email: oliver@teqneers.de
phone: +49 (711) 46 97 28-82
Have Fun!