Single Sign-On 101: Solutions, Technology, and Recommendations
What is Single Sign-On
Single sign-on (SSO) allows a person to authenticate once at their home domain to obtain a “token”, which is stored in the browser (cookie) or mobile device and can be presented to websites as evidence of authentication.
In SAML the token is XML.
In OpenID Connect, the token is JSON.
The tokens are signed by the domain, so the website can validate them.
What is Single Logout
Single logout (SLO) ensures that after a user logs out at their home domain, all “tabs” are also logged out.
OpenID Connect defines a non-network-based logout mechanism.
Beware! Applications may only test credentials on login!
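Added example, not from the slides: how a website (Relying Party) validates the signed JSON token described on the SSO slide before trusting it, and how re-running that check on every request, rather than only at login, addresses the warning on the logout slide. The issuer https://idp.example.com, the client_id "portal-app" and the HS256 client-secret signing are constructed assumptions; production deployments typically verify RS256 signatures against the provider's published keys.

```python
"""Validating an OpenID Connect ID token at the Relying Party (constructed example)."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.com"      # constructed home domain (the OpenID Provider)
CLIENT_ID = "portal-app"                # constructed client_id of the website (the RP)
CLIENT_SECRET = b"constructed-shared-secret-do-not-reuse"   # constructed HS256 key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject: str, nonce: str, issued_at: int, lifetime: int = 300) -> str:
    """What the home domain does: mint a compact, signed JSON token (a JWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,              # who signed it
        "sub": subject,             # who authenticated
        "aud": CLIENT_ID,           # which website it is meant for
        "iat": issued_at,
        "exp": issued_at + lifetime,
        "nonce": nonce,             # binds the token to this login request
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """What the website does: verify the signature first, then the claims.

    Returns the claims on success and raises ValueError on any failure, so a
    caller cannot accidentally treat a rejected token as a logged-in user.
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(
        CLIENT_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not meant for this website")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def session_is_valid(token: str, expected_nonce: str, now: int) -> bool:
    """Per-request check. Running this only at login is the failure mode the
    logout slide warns about: the tab would stay logged in after the token expired."""
    try:
        validate_id_token(token, expected_nonce, now)
        return True
    except ValueError:
        return False
```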
Why do you need SSO?
● Essential for portals, where the page consists of multiple backend services.
● Increased productivity for people who use the authentication service.
● Increased productivity for developers who don’t need to write authentication code.
● Enables the domain to leverage strong credentials at third-party sites.
Relevant Protocols
● SAML 2.0 - Currently the most widely adopted standard for Web SSO. XML based.
● OpenID Connect - Most promising successor to SAML; it is a profile of OAuth2 and promises better support for mobile.
● Earlier protocols that are still in use should be deprecated:
○ Kerberos, RADIUS, LDAP, WS-*, OpenID 2, CAS...
Relevant Jargon (SAML term / OpenID Connect equivalent)
● Identity Provider (IDP) / OpenID Provider (OP)
● Service Provider (SP) / Relying Party (RP)
● Attributes / User claims
● SP Metadata / Client Claims
Develop your SSO roadmap:
1. Understand market offerings
2. Evaluate your needs
3. Align with a solution
1) Market Offerings for large organizations
● SaaS - Vendors provide a multi-tenant IDP. You can quickly try, buy and fly with SSO to popular pre-integrated cloud apps.
● Open Source - You can design, build and operate your domain IDP using open source software.
● Enterprise Software - Pay to use the software; otherwise identical to Open Source.
● Managed Service - Host your domain IDP on your network, but share operations.
2) Evaluate your needs
● Are you ok with persisting personal data in the cloud?
● Are you ok with access to your systems by a third party?
● Do you have custom requirements for authentication, or strong authentication for your domain?
● How many “users” and “applications” do you have?
● Do you need to support mobile authentication?
● Do you need “business continuity” or disaster recovery?
3) Align with a solution
● SaaS - Okta, OneLogin, Stormpath, Symplified
● Open Source - Gluu, ForgeRock, independent integrators and consulting shops
● Enterprise Software - Oracle Access Manager, CA SiteMinder, IBM Tivoli Access Manager, RSA Cleartrust, Microsoft ADFS, Ping Federate
Limitations of SSO Solutions
● SaaS
○ No root access to the server. If there's a security breach, it affects everyone.
○ Per user or per application pricing can become costly.
● Open Source
○ Expensive to design and build
○ High cost of care and feeding
○ Hard to support new app integrations
● Proprietary
○ Expensive license fees
○ Vendor lock-in
2 Factor Authentication
● 80% of Internet security breaches are due to bad passwords
● Many new mobile, biometric, location-based, and cryptographic authentication mechanisms are being devised.
● Prices are coming down.
● Better enrollment and “password reset” functionality.
Authorization
● Organizations can create policies to control which clients and people can access which URLs.
● Applications contain a lot of security policies... only centralize what is common between applications.
Authorization Sequence
Our Recommendations
● Choose a platform that gives your organization the flexibility to implement its business logic.
● Make sure your solution is future-proof: be ready for new strong authentication services.
● Use open standards and open source when possible!
Questions?
Just reach out!!
http://gluu.org

Contenu connexe

Tendances

SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol OverviewMike Schwartz
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Iam presentation
Iam presentationIam presentation
Iam presentationAWS UG PK
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectVinay Manglani
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Single sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study :  iFour consultancySingle sign on - benefits, challenges and case study :  iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancyDevam Shah
 
Gestion des identités : par où commencer ?
Gestion des identités : par où commencer ?Gestion des identités : par où commencer ?
Gestion des identités : par où commencer ?Identity Days
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap ProtocolGlen Plantz
 

Tendances (20)

Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
SINGLE SIGN-ON
SINGLE SIGN-ONSINGLE SIGN-ON
SINGLE SIGN-ON
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Iam presentation
Iam presentationIam presentation
Iam presentation
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Single sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study :  iFour consultancySingle sign on - benefits, challenges and case study :  iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancy
 
Gestion des identités : par où commencer ?
Gestion des identités : par où commencer ?Gestion des identités : par où commencer ?
Gestion des identités : par où commencer ?
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API Management
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap Protocol
 

Similaire à Single Sign On 101

SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementManish Harsh
 
Safenet Authentication Service, SAS
Safenet Authentication Service, SASSafenet Authentication Service, SAS
Safenet Authentication Service, SASrobbuddingh
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at ScaleCloudIDSummit
 
SSL VPN Evaluation Guide
SSL VPN Evaluation GuideSSL VPN Evaluation Guide
SSL VPN Evaluation Guide Array Networks
 
ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016  ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016 ForgeRock
 
Synergies across APIs and IAM
Synergies across APIs and IAMSynergies across APIs and IAM
Synergies across APIs and IAMSagara Gunathunga
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Arnaud Le Hors
 
Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?ForgeRock
 
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU  2015: Securing, Monitoring and Monetizing APIsWSO2Con EU  2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2
 
Open source iam value, benefits, and risks
Open source iam  value, benefits, and risksOpen source iam  value, benefits, and risks
Open source iam value, benefits, and risksWSO2
 
Open source wso2 identity server sso with drupal 8
Open source wso2 identity server sso with drupal 8Open source wso2 identity server sso with drupal 8
Open source wso2 identity server sso with drupal 8Iwantha Lekamge
 
17 recommended requirements for an identity and access management poc
17 recommended requirements for an identity and access management poc17 recommended requirements for an identity and access management poc
17 recommended requirements for an identity and access management pocGluu
 
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
Identity Gateway with the ForgeRock Identity Platform - So What’s New?Identity Gateway with the ForgeRock Identity Platform - So What’s New?
Identity Gateway with the ForgeRock Identity Platform - So What’s New?ForgeRock
 
Implementing MITREid - CIS 2014 Presentation
Implementing MITREid - CIS 2014 PresentationImplementing MITREid - CIS 2014 Presentation
Implementing MITREid - CIS 2014 PresentationJustin Richer
 
Con8823 access management for the internet of things-final
Con8823   access management for the internet of things-finalCon8823   access management for the internet of things-final
Con8823 access management for the internet of things-finalOracleIDM
 
Open am and_radiantone
Open am and_radiantoneOpen am and_radiantone
Open am and_radiantoneJose R
 
Zapbuild Portfolio
Zapbuild PortfolioZapbuild Portfolio
Zapbuild PortfolioZapbuild
 
Big Brother for Enterprises - The WSO2 Advantage
Big Brother for Enterprises - The WSO2 AdvantageBig Brother for Enterprises - The WSO2 Advantage
Big Brother for Enterprises - The WSO2 AdvantageWSO2
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application PlatformNugroho Gito
 

Similaire à Single Sign On 101 (20)

SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy Management
 
Safenet Authentication Service, SAS
Safenet Authentication Service, SASSafenet Authentication Service, SAS
Safenet Authentication Service, SAS
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at Scale
 
SSL VPN Evaluation Guide
SSL VPN Evaluation GuideSSL VPN Evaluation Guide
SSL VPN Evaluation Guide
 
ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016  ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016
 
Synergies across APIs and IAM
Synergies across APIs and IAMSynergies across APIs and IAM
Synergies across APIs and IAM
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
 
Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?
 
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU  2015: Securing, Monitoring and Monetizing APIsWSO2Con EU  2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
 
Open source iam value, benefits, and risks
Open source iam  value, benefits, and risksOpen source iam  value, benefits, and risks
Open source iam value, benefits, and risks
 
Open source wso2 identity server sso with drupal 8
Open source wso2 identity server sso with drupal 8Open source wso2 identity server sso with drupal 8
Open source wso2 identity server sso with drupal 8
 
17 recommended requirements for an identity and access management poc
17 recommended requirements for an identity and access management poc17 recommended requirements for an identity and access management poc
17 recommended requirements for an identity and access management poc
 
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
Identity Gateway with the ForgeRock Identity Platform - So What’s New?Identity Gateway with the ForgeRock Identity Platform - So What’s New?
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
 
Implementing MITREid - CIS 2014 Presentation
Implementing MITREid - CIS 2014 PresentationImplementing MITREid - CIS 2014 Presentation
Implementing MITREid - CIS 2014 Presentation
 
Con8823 access management for the internet of things-final
Con8823   access management for the internet of things-finalCon8823   access management for the internet of things-final
Con8823 access management for the internet of things-final
 
Open am and_radiantone
Open am and_radiantoneOpen am and_radiantone
Open am and_radiantone
 
Zapbuild Portfolio
Zapbuild PortfolioZapbuild Portfolio
Zapbuild Portfolio
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Big Brother for Enterprises - The WSO2 Advantage
Big Brother for Enterprises - The WSO2 AdvantageBig Brother for Enterprises - The WSO2 Advantage
Big Brother for Enterprises - The WSO2 Advantage
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application Platform
 

Plus de Mike Schwartz

LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthMike Schwartz
 
OTTO - Internet2 TechX 2017
OTTO - Internet2 TechX 2017OTTO - Internet2 TechX 2017
OTTO - Internet2 TechX 2017Mike Schwartz
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right!  How to secure OAuth authentication from your...The Client is not always right!  How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...Mike Schwartz
 
LASCON: Three Profiels of OAuth2 for Identity and Access Management
LASCON: Three Profiels of OAuth2 for Identity and Access ManagementLASCON: Three Profiels of OAuth2 for Identity and Access Management
LASCON: Three Profiels of OAuth2 for Identity and Access ManagementMike Schwartz
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!Mike Schwartz
 
RSA Conference 2016: Who Are You? From Meat to Electrons and Back Again
RSA Conference 2016: Who Are You? From Meat to Electrons and Back AgainRSA Conference 2016: Who Are You? From Meat to Electrons and Back Again
RSA Conference 2016: Who Are You? From Meat to Electrons and Back AgainMike Schwartz
 
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...Mike Schwartz
 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyOAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyMike Schwartz
 
Who Are You? From Meat to Electrons - SXSW 2014
Who Are You? From Meat to Electrons - SXSW 2014Who Are You? From Meat to Electrons - SXSW 2014
Who Are You? From Meat to Electrons - SXSW 2014Mike Schwartz
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2Mike Schwartz
 
ID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzMike Schwartz
 
Requirements for Personal Clouds : Tech Ranch Talk 8/7/13
Requirements for Personal Clouds : Tech Ranch Talk 8/7/13Requirements for Personal Clouds : Tech Ranch Talk 8/7/13
Requirements for Personal Clouds : Tech Ranch Talk 8/7/13Mike Schwartz
 
Cloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher EducationCloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher EducationMike Schwartz
 
Gluu EDU Webinar: Shibboleth/SAML SSO
Gluu EDU Webinar: Shibboleth/SAML SSOGluu EDU Webinar: Shibboleth/SAML SSO
Gluu EDU Webinar: Shibboleth/SAML SSOMike Schwartz
 
RSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityRSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityMike Schwartz
 

Plus de Mike Schwartz (17)

LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. Oauth
 
OTTO - Internet2 TechX 2017
OTTO - Internet2 TechX 2017OTTO - Internet2 TechX 2017
OTTO - Internet2 TechX 2017
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right!  How to secure OAuth authentication from your...The Client is not always right!  How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...
 
LASCON: Three Profiels of OAuth2 for Identity and Access Management
LASCON: Three Profiels of OAuth2 for Identity and Access ManagementLASCON: Three Profiels of OAuth2 for Identity and Access Management
LASCON: Three Profiels of OAuth2 for Identity and Access Management
 
Kantara OTTO slides
Kantara OTTO slidesKantara OTTO slides
Kantara OTTO slides
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
 
RSA Conference 2016: Who Are You? From Meat to Electrons and Back Again
RSA Conference 2016: Who Are You? From Meat to Electrons and Back AgainRSA Conference 2016: Who Are You? From Meat to Electrons and Back Again
RSA Conference 2016: Who Are You? From Meat to Electrons and Back Again
 
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyOAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
 
Who Are You? From Meat to Electrons - SXSW 2014
Who Are You? From Meat to Electrons - SXSW 2014Who Are You? From Meat to Electrons - SXSW 2014
Who Are You? From Meat to Electrons - SXSW 2014
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2
 
ID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike Schwartz
 
Federation registry
Federation registryFederation registry
Federation registry
 
Requirements for Personal Clouds : Tech Ranch Talk 8/7/13
Requirements for Personal Clouds : Tech Ranch Talk 8/7/13Requirements for Personal Clouds : Tech Ranch Talk 8/7/13
Requirements for Personal Clouds : Tech Ranch Talk 8/7/13
 
Cloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher EducationCloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher Education
 
Gluu EDU Webinar: Shibboleth/SAML SSO
Gluu EDU Webinar: Shibboleth/SAML SSOGluu EDU Webinar: Shibboleth/SAML SSO
Gluu EDU Webinar: Shibboleth/SAML SSO
 
RSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityRSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud Identity
 

Dernier

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Dernier (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script

Single Sign On 101

  • 8. 1) Market Offerings for large organizations
    ● SaaS - Vendors provide a multi-tenant IDP. You can quickly try, buy and fly with SSO to popular pre-integrated cloud apps.
    ● Open Source - You can design, build and operate your domain IDP using open source software.
    ● Enterprise Software - Pay to use the software, otherwise identical to Open Source.
    ● Managed Service - Host your domain IDP on your network, but share operations.
  • 9. 2) Evaluate your needs
    ● Are you ok with persisting personal data in the cloud?
    ● Are you ok with access to your systems by a third party?
    ● Do you have custom requirements for authentication, or strong authentication for your domain?
    ● How many “users” and “applications” do you have?
    ● Do you need to support mobile authentication?
    ● Do you need to have “business continuity” or disaster recovery?
  • 10. 3) Align with a solution
    ● SaaS - Okta, OneLogin, Stormpath, Symplified
    ● Open Source - Gluu, ForgeRock, independent integrators and consulting shops
    ● Enterprise Software - Oracle Access Manager, CA SiteMinder, IBM Tivoli Access Manager, RSA ClearTrust, Microsoft ADFS, PingFederate
  • 11. Limitations of SSO Solutions
    ● SaaS
      ○ No root access to the server. If there's a security breach, it affects everyone.
      ○ Per-user or per-application pricing can become costly.
    ● Open Source
      ○ Expensive to design and build
      ○ High cost of care and feeding
      ○ Hard to support new app integrations
    ● Proprietary
      ○ Expensive license fees
      ○ Vendor lock-in
  • 12. 2 Factor Authentication
    ● 80% of Internet security breaches are bad passwords
    ● Many new mobile, biometric, location-based, and cryptographic authentication mechanisms are being devised.
    ● Prices are coming down.
    ● Better enrollment and “password reset” functionality.
  • 13. Authorization
    ● Organizations can create policies to control which clients and people can access which URLs.
    ● Applications contain a lot of security policies... only centralize what is common between applications.
  • 15. Our Recommendations
    ● Choose a platform that gives your organization the flexibility to implement its business logic.
    ● Make sure your solution is future proof: be ready for new strong authentication services.
    ● Use open standards and open source when possible!
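The authorization slide (13) describes a central policy layer that decides which clients (RPs) and which people may reach which URLs, while application-specific rules stay in the application. The following is an added illustration, not code from the deck or from any vendor named in it: a minimal central policy evaluator over a client id, the user's token claims and a requested URL. The client ids, the policy set and the "groups" claim are constructed assumptions (OpenID Connect defines no standard "groups" claim).

```python
from dataclasses import dataclass
from posixpath import normpath
from urllib.parse import urlparse

@dataclass(frozen=True)
class Policy:
    # One central rule: which clients and user groups may reach which URL path.
    path_prefix: str                              # whole-segment prefix, e.g. "/admin"
    clients: frozenset = frozenset()              # allowed client_ids; empty = any registered client
    required_groups: frozenset = frozenset()      # user needs one of these; empty = any signed-in user

def _covers(prefix: str, path: str) -> bool:
    # Match whole segments so "/admin" does not also cover "/administrative-notes".
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

class CentralAuthz:
    # Coarse-grained policy shared by all apps; app-specific checks stay in the app.
    def __init__(self, policies, registered_clients):
        self.policies = sorted(policies, key=lambda p: len(p.path_prefix), reverse=True)  # longest prefix wins
        self.registered_clients = frozenset(registered_clients)

    def decide(self, client_id: str, claims: dict, url: str) -> str:
        if client_id not in self.registered_clients:
            return "deny"                         # unknown RP / client
        # Normalise dot-segments so "/admin/../x" is judged as "/x", not under "/admin".
        path = normpath(urlparse(url).path or "/")
        groups = frozenset(claims.get("groups", ()))  # "groups" is an assumed custom claim
        for p in self.policies:
            if not _covers(p.path_prefix, path):
                continue
            if p.clients and client_id not in p.clients:
                return "deny"
            if p.required_groups and not (groups & p.required_groups):
                return "deny"
            return "allow"
        return "deny"                             # no central rule: default deny

# Constructed sample policy set and registered clients (not from the deck).
AUTHZ = CentralAuthz(
    policies=[
        Policy("/"),                                                          # any signed-in user, any app
        Policy("/admin", frozenset({"intranet-portal"}), frozenset({"it-admins"})),
        Policy("/api/payroll", frozenset({"hr-app"}), frozenset({"hr", "finance"})),
    ],
    registered_clients={"intranet-portal", "hr-app"},
)
```

Only the rules that are identical across applications belong in this layer; a check such as "a user may edit only their own record" depends on application data and stays in the application.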