SSO
Single Sign-On

TEQneers GmbH & Co. KG, Dipl. Betriebswirt (BA) Oliver Müller
Saturday, 5 March 2011
Definition

• Property of access control of multiple, related, but independent software systems
• One-time authorization process for multiple applications, websites, ...

Benefits

• Reduces the countless logins and passwords
• Reduces the time spent re-logging in
• Reduces IT cost / help desk load
• Same level of password security everywhere
• Centralized reporting
• Usually much better passwords

Criticism

• A stolen credential opens all dungeons at once
• Requires additional infrastructure
• Can be combined with strong authentication (e.g. smart cards)
• Many solutions require very expensive software or hardware

Issues

• Different apps use different SSO processes
• Impossible to find ONE SSO for all (?)
• Most solutions cannot cross the intranet barrier

Solutions

• Kerberos [1983]
• LDAP (slapd, Active Directory, …) [1993]
• NTLM (NT LAN Manager) [2000]
• CAS (Central Authentication Service) [2001]
• PKI (Public Key Infrastructure) [1969]
• SAML [2002]
• ...

Kerberos

• No easy setup
• Not easy for developers to set up the same environment
• Intranet barrier
• External service providers cannot use the SSO

LDAP / AD

• SAME sign-on (same credentials everywhere, not single sign-on)
• Intranet barrier (too much information)
• External service providers cannot use the SSO
• Easy to implement
• Nice for syncing user data

// using ldap bind
$ldaprdn  = 'uname';    // ldap rdn or dn of the user
$ldappass = 'password'; // associated password

// LDAP treats a bind with an empty password as an anonymous bind, which
// "succeeds" without proving anything: refuse it before calling ldap_bind.
if ($ldappass === '') {
    die("LOGIN failed... (empty password)");
}

// connect to ldap server
$ldapconn = ldap_connect("ldap.example.com")
  or die("Could not connect to LDAP server.");

if ($ldapconn) {
    // use LDAPv3 and protect the password on the wire
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_start_tls($ldapconn)
      or die("Could not start TLS.");

    // binding to ldap server with the user's own credentials
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LOGIN successful...";
    } else {
        echo "LOGIN failed...";
    }
}

NTLM

• Intranet barrier
• External service providers cannot use the SSO
• Based on Windows logon and Kerberos
• Compatibility issues (more or less Microsoft territory: Windows, IIS, IE)
• Easy to implement for developers

// extract a string field (length/offset "security buffer") from an NTLM type 3 message
function get_msg_str($msg, $start, $unicode = true) {
    // security buffer: length (2 bytes), max length (2 bytes), offset (4 bytes), little-endian
    $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
    $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
    if ($unicode)
        // crude UTF-16LE to ASCII: drop the NUL bytes (breaks for non-ASCII names)
        return str_replace("\0", '', substr($msg, $off, $len));
    else
        return substr($msg, $off, $len);
}

// $auth holds the "Authorization: NTLM <base64>" request header; skip the "NTLM " prefix
$msg = base64_decode(substr($auth, 5));
$user = get_msg_str($msg, 36);        // UserName field
$domain = get_msg_str($msg, 28);      // DomainName field
$workstation = get_msg_str($msg, 44); // Workstation field

// note: these are the values the client *claims*; the NTLM challenge
// response itself has not been verified at this point
print "You are $user from $domain/$workstation";
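The same type 3 (AUTHENTICATE) message parsing as an added example, not code from the slides: it reads the full 8-byte security buffers with bounds checks, decodes UTF-16LE properly instead of stripping NUL bytes, and builds a constructed message to parse. The builder and all sample names are assumptions for the demo; the field offsets and flag value are from MS-NLMP.

```python
import base64
import struct

# Constants from MS-NLMP. The slide's offsets 28/36/44 are the DomainName,
# UserName and Workstation security buffers of the AUTHENTICATE (type 3) message.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_AUTHENTICATE = 3
FIELD_OFFSETS = {"domain": 28, "user": 36, "workstation": 44}
FLAGS_OFFSET = 60
NEGOTIATE_UNICODE = 0x00000001
HEADER_LEN = 64


def _read_field(msg: bytes, start: int) -> bytes:
    """A security buffer is Len(2) MaxLen(2) Offset(4), little-endian. The slide
    reads only two bytes of the offset; read all four and bounds-check them."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, start)
    if offset < HEADER_LEN or offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def parse_ntlm_authenticate(auth_header: str) -> dict:
    """Extract the *claimed* identity from an 'Authorization: NTLM <base64>' header.

    Nothing here proves the claim: the NT challenge response still has to be
    verified against the server's challenge (normally by the domain controller)
    before the user may be treated as logged in.
    """
    scheme, _, b64 = auth_header.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM authorization header")
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != NTLMSSP_AUTHENTICATE:
        raise ValueError(f"expected a type 3 message, got type {msg_type}")
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET)[0]
    # Unicode strings are UTF-16LE; stripping NUL bytes (the slide's trick) would
    # corrupt any non-ASCII name, so decode them properly instead.
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {name: _read_field(msg, off).decode(encoding)
            for name, off in FIELD_OFFSETS.items()}


def build_ntlm_authenticate(user: str, domain: str, workstation: str,
                            unicode: bool = True) -> str:
    """Constructed test input: a minimal type 3 message with empty responses."""
    encoding = "utf-16-le" if unicode else "ascii"
    payload, buffers = b"", {}
    for name, value in (("domain", domain), ("user", user), ("workstation", workstation)):
        data = value.encode(encoding)
        buffers[name] = struct.pack("<HHI", len(data), len(data), HEADER_LEN + len(payload))
        payload += data
    empty = struct.pack("<HHI", 0, 0, HEADER_LEN)
    header = (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTHENTICATE)
              + empty + empty                                # LM and NT responses
              + buffers["domain"] + buffers["user"] + buffers["workstation"]
              + empty                                        # session key
              + struct.pack("<I", NEGOTIATE_UNICODE if unicode else 0))
    return "NTLM " + base64.b64encode(header + payload).decode("ascii")


if __name__ == "__main__":
    print(parse_ntlm_authenticate(build_ntlm_authenticate("Müller0", "TEQNEERS", "WS01")))
```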


Central Authentication Service (CAS)

• Token/ticket-based authentication
• Developed by Yale University
• phpCAS open source implementation
• Made for the web only
• Common in education environments

include_once('CAS.php');

// initialize phpCAS (CAS protocol 2.0, server host, port, context path)
phpCAS::client(CAS_VERSION_2_0, 'sso-cas.home.com', 443, '');

// no SSL validation for the CAS server (demo only: in production point
// phpCAS::setCasServerCACert() at the CA that issued the CAS server's
// certificate, otherwise the ticket validation response can be spoofed)
phpCAS::setNoCasServerValidation();

// force CAS authentication: redirects to the CAS login page if needed
phpCAS::forceAuthentication();

// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().

// logout if desired
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}

echo "LOGIN successful...";

Public Key Infrastructure (PKI)

• X.509 certificate-based authentication
• It's about what-you-have (client certificate), not what-you-know (password)
• Often used with smart cards (e.g. employee ID)
• Made for web, SSH, OS login, ...
• Common in enterprise and government solutions

### PHP

$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);

// verify login: mod_ssl has already checked the certificate chain (SSLVerifyClient),
// so the subject CN can be matched against the list of allowed logins
if ( in_array( $cert['subject']['CN'], $allowedLogins, true ) ) {
   echo "LOGIN successful...";
} else {
   echo "LOGIN failed...";
}

### Result of openssl_x509_parse() (excerpt)

array(12) {
  ["name"]=> string(75) "/C=DE/O=TEQneers/OU=Dev/CN=Oliver/emailAddress=oliver@php.net"
  ["subject"]=> array(6) {
    ["C"]=> string(2) "DE"
    ["O"]=> string(10) "TEQneers"
    ["OU"]=> string(10) "Dev"
    ["CN"]=> string(8) "Oliver"
    ["emailAddress"]=> string(10) "foo@bar.de"
  }
  ["hash"]=> string(8) "123abc45"
  ["issuer"]=> array(7) {
    ...
  }
  ["version"]=> int(2)
  ["serialNumber"]=> string(1) "987"
  ["validFrom"]=> string(13) "110131143055Z"
  ["validTo"]=> string(13) "130130142954Z"
  ...
}

### Apache configuration or .htaccess

SSLVerifyClient required
SSLRequireSSL
SSLVerifyDepth 1
# needed so that mod_ssl exports the client certificate into SSL_CLIENT_CERT
SSLOptions +ExportCertData

SAML

• Security Assertion Markup Language
• Defined by OASIS
• Made for internet and extranet sites
• Credentials/information can be configured
• Open (based on XML, SOAP, HTTP, ...)

SAML Parties

• Client (browser)
• Web application
• Service Provider (SAML client)
• Identity Provider (enterprise federation server)

Service Provider

• self-made
• simpleSAMLphp (open source PHP solution)
• PingConnect (PHP, Perl, Java, …)
• ...

SAML flow

• user enters URL https://app.com/saml.php
  • a user without a valid SAML assertion is forwarded to the service provider
    • the browser asks the service provider for an XML assertion
    • an XML assertion request form is sent back to the browser
    • the browser forwards the assertion request form to the identity provider
    • IF NOT LOGGED IN YET
      • the identity provider asks the user to log into the enterprise network
      • the user enters his login/password and sends it back to the identity provider
    • the client receives an XML assertion and a cookie signed by the identity provider
    • the XML assertion is sent to the service provider, who validates the assertion
  • if the assertion is valid, the user is pushed back to his initial URL
  • the assertion is checked and the user is looked up in your app
  • if the user exists, the app start page appears, otherwise the app might show the standard login page

// Load simpleSAMLphp configuration and session.
$config  = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

// Check if a valid local session exists.
if (!$session->isValid('saml2')) {
  // Redirect to the IdP for authentication; RelayState brings the user
  // back to this URL once the assertion has been validated.
  SimpleSAML_Utilities::redirect(
    '/' . $config->getBaseURL() . 'saml2/sp/initSSO.php',
    array('RelayState' => SimpleSAML_Utilities::selfURL())
  );
}

// successful authentication: the attributes come from the validated assertion
$attributes = $session->getAttributes();
print_r($attributes); // might print out email or login

<saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z"
    Issuer="TransactionMinderSAMLIssuer" MajorVersion="1" MinorVersion="0"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-10-08T20:16:12.307Z"
      NotOnOrAfter="2008-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2008-10-08T20:16:12.307Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0"
          NameQualifier="Domain Name">Claire Wasser</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>http://www</saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>R1VD8fkkvlrhp</saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
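The "service provider validates the assertion" step of the flow above, applied to the assertion shown here, as an added example that is not part of the slides: issuer check, NotBefore/NotOnOrAfter window with clock skew, and an AssertionID replay cache before the subject name is trusted. It assumes the XML signature was already verified; the validator class, the embedded copy of the assertion and the trusted issuer name are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# Constructed copy of the slide's assertion (SAML 1.0, carries no Signature element).
ASSERTION_XML = """<saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z"
    Issuer="TransactionMinderSAMLIssuer" MajorVersion="1" MinorVersion="0"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-10-08T20:16:12.307Z" NotOnOrAfter="2008-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2008-10-08T20:16:12.307Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0"
          NameQualifier="Domain Name">Claire Wasser</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ('Z'), with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


class AssertionValidator:
    """The checks a service provider makes before trusting the subject name.

    Assumes the XML signature has already been verified against the IdP's key
    (an unsigned assertion proves nothing). For untrusted XML in production use
    a hardened parser such as defusedxml rather than ElementTree directly.
    """

    def __init__(self, trusted_issuer: str, clock_skew: timedelta = timedelta(seconds=60)):
        self.trusted_issuer = trusted_issuer
        self.clock_skew = clock_skew
        self.seen_ids = set()  # replay cache; in-memory only for this example

    def validate(self, xml_text: str, now: datetime) -> str:
        """Return the asserted user name, or raise ValueError if any check fails."""
        root = ET.fromstring(xml_text)
        if root.tag != SAML1 + "Assertion":
            raise ValueError("not a SAML 1.0 assertion")
        if root.get("Issuer") != self.trusted_issuer:
            raise ValueError("assertion from an untrusted issuer")
        cond = root.find(SAML1 + "Conditions")
        if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
            raise ValueError("missing Conditions / validity window")
        not_before = parse_saml_time(cond.get("NotBefore"))
        not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
        if now < not_before - self.clock_skew or now >= not_on_or_after + self.clock_skew:
            raise ValueError("assertion outside its validity window")
        assertion_id = root.get("AssertionID")
        if not assertion_id or assertion_id in self.seen_ids:
            raise ValueError("AssertionID missing or already used (replay)")
        name_id = root.find(
            f"{SAML1}AuthenticationStatement/{SAML1}Subject/{SAML1}NameIdentifier")
        if name_id is None or not name_id.text:
            raise ValueError("missing subject NameIdentifier")
        self.seen_ids.add(assertion_id)  # remember it only once every check passed
        return name_id.text


if __name__ == "__main__":
    validator = AssertionValidator("TransactionMinderSAMLIssuer")
    print(validator.validate(ASSERTION_XML, datetime(2008, 10, 8, 21, 0, tzinfo=timezone.utc)))
```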

Identity Server

• Shibboleth IdP (open source)
• PingIdentity
• Oracle Identity Server
• SAP NetWeaver
• Sun OpenSSO / ForgeRock OpenAM
• IBM
• Microsoft Geneva

One size does fit all

• Most federation solutions support many different SSO technologies
• Most are based on some kind of LDAP backend

Thanks for listening
Contact me if you have any questions.

email: oliver@php.net
email: oliver@teqneers.de
phone: +49 (711) 46 97 28-82

Have Fun!