Solving Single-Sign-On
DESCRIPTION
Today users have too many usernames and passwords. As developers it's our job to create a useful application, not to worry about authorization. Thanks to social media, OpenID and OAuth, the user truly has single sign-on. Rather than expecting users to store and remember multiple passwords, applications can leverage a user's relationship with social media sites they know and trust. In a large enterprise it might be better to keep things in house. That just means we leverage the same technologies internally and do not re-invent the wheel. In this talk we'll show you how.
TRANSCRIPT
![Page 1: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/1.jpg)
Solving Single-Sign-On
![Page 2: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/2.jpg)
Introductions
Patrick J. Poer, Founder & President
Aaron Stanley King, Director of Application Development
![Page 3: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/3.jpg)
What is Single-Sign-On?
Ability to authenticate into multiple applications
Uses one login screen across multiple applications
Uses one username / password combination across multiple applications
Logging out of one application logs out of other applications
Self-Service Account Management
![Page 4: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/4.jpg)
What Single-Sign-On is NOT?
Identity and Access Management:
User Management (Identity Management)
Central Management of Permissions across multiple applications (Federated Security)
Account Provisioning / User-Registration and Activation (Access Management)
![Page 5: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/5.jpg)
Single-Sign-On Protocols
Storage & Management vs. Communication
![Page 6: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/6.jpg)
IAM / SSO Business Case
Help Desk Password Reset Requests: Cost ~ $32 per call
Regulatory Compliance (HIPAA, Sarbanes-Oxley, etc.): Cost ~ $MM per incident
Federated Authentication: Cost ~ TBD
Enhanced Security: Cost ~ $MM per incident
"Gartner Says Through 2016, Federated Single Sign-On Will Be the Predominant SSO Technology, Needed by 80 Percent of Enterprises"
![Page 7: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/7.jpg)
SSO Protocol Decision Points
How many applications?
Underlying User Store (LDAP, SQL, other)?
Application Mix: Browser Applications, Desktop Applications, Mobile Applications
![Page 8: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/8.jpg)
Example
HealthCare Company (HIPAA data)
8 Different 3rd party providers
4 different ad hoc SSO pass-through mechanisms
Very Poorly Architected LDAP directory
3 Different manual exports and account synchronizations to 5 different 3rd party providers
No central management of user permissions
No audit trail for user activity
![Page 9: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/9.jpg)
Current SSO Environment
[Diagram: Data Store, Website and App 1 through App 8, each wired up through a different ad hoc mechanism; labels on the diagram: CAS, AD LDS, Encrypted Token, Reference Url, SAML, Form Post]
![Page 10: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/10.jpg)
Solution
Implement F648's S3 IAM / SSO Server
Integrate all 3rd party providers into one SSO server
Manage all applications' permissions and profile data from a central server
Automate account creation and management
Provide self-service account control to super users
Provide audit trail for all user permissions / activities
![Page 11: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/11.jpg)
New SSO Environment
[Diagram: Data Store, Website and App 1 through App 8 all connected through the central S3 SSO server]
![Page 12: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/12.jpg)
Current SSO Environment
[Diagram: same "Current SSO Environment" diagram as slide 9, shown again for comparison]
![Page 13: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/13.jpg)
Technical Presentation
Aaron Stanley King
![Page 14: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/14.jpg)
Protocol Standards
WS-Federation (Web Services Federation), 2006, SOAP extension
WS-Trust, 2007, commonly an STS (security token service)
CAS (Central Authentication Service), 2004
OpenID, 2005
OAuth2, 2006
![Page 15: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/15.jpg)
Token Types
SAML (Security Assertion Markup Language): XML based, uses SOAP
CAS: XML based
JWT (JSON Web Token): JavaScript Object Notation based
![Page 16: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/16.jpg)
WS-Federation and WS-Trust
Full blown SOAP web services with WSDL

```xml
<s:Envelope>
  <s:Header>
    <wsa:Action>http://contoso.com/RFP/PlaceBid</wsa:Action>
    <wsa:To>http://contoso.com/RFPService</wsa:To>
    <wsa:ReplyTo>
      <wsa:Address>http://client.fabrikam.com</wsa:Address>
    </wsa:ReplyTo>
    <!-- Other headers not shown for brevity -->
  </s:Header>
  <s:Body wsu:Id="body">
    <!-- application message -->
  </s:Body>
</s:Envelope>
```
![Page 17: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/17.jpg)
![Page 18: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/18.jpg)
CAS
/login credential requestor / acceptor
/logout destroy CAS session (logout)
/validate service ticket validation
/serviceValidate service ticket validation [CAS 2.0]
/proxyValidate service- / proxy ticket validation [CAS 2.0]
/proxy proxy ticket service [CAS 2.0]
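The ticket flow behind /login and /serviceValidate (and the CAS XML token from the Token Types slide), written out as an added Python example; this is not code from the talk or from any CAS implementation. A toy server issues a service ticket bound to one service URL, and /serviceValidate accepts that ticket exactly once, only for the service it was issued to and only within a short lifetime, answering in the CAS 2.0 XML response format. The client-side parser shows what an application checks before trusting the returned user name. The ticket lifetime, user names and service URLs are constructed values for the demo.

```python
import secrets
import xml.etree.ElementTree as ET
import time

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace used by CAS 2.0 responses
TICKET_LIFETIME = 10                    # seconds; constructed value for the demo
ET.register_namespace("cas", CAS_NS)    # so responses serialize with the cas: prefix


def _response(child):
    root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
    root.append(child)
    return ET.tostring(root, encoding="unicode")


def success(user):
    # <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
    ok = ET.Element(f"{{{CAS_NS}}}authenticationSuccess")
    ET.SubElement(ok, f"{{{CAS_NS}}}user").text = user
    return _response(ok)


def failure(code, message):
    # <cas:authenticationFailure code="INVALID_TICKET">...</cas:authenticationFailure>
    fail = ET.Element(f"{{{CAS_NS}}}authenticationFailure", code=code)
    fail.text = message
    return _response(fail)


class CasServer:
    """Toy CAS server: /login hands out service tickets, /serviceValidate checks them."""

    def __init__(self):
        self._tickets = {}  # ticket -> (user, service, issued_at)

    def login(self, user, service):
        # In the real protocol this runs after the user has authenticated at /login;
        # the ticket is opaque, unguessable and remembers which service asked for it.
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (user, service, time.time())
        return ticket

    def service_validate(self, ticket, service, now=None):
        now = time.time() if now is None else now
        # pop(): a ticket is consumed on its first validation attempt, so a replay fails.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return failure("INVALID_TICKET", "ticket not recognized")
        user, bound_service, issued_at = entry
        if now - issued_at > TICKET_LIFETIME:
            return failure("INVALID_TICKET", "ticket expired")
        if bound_service != service:
            # A ticket issued for app1 must not log the same user into app2.
            return failure("INVALID_SERVICE", "ticket was issued for a different service")
        return success(user)


def parse_validation_response(xml_text):
    """Client side: return the authenticated user name, or None on any failure."""
    root = ET.fromstring(xml_text)
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return None if user is None or not user.text else user.text


if __name__ == "__main__":
    server = CasServer()
    ticket = server.login("alice", "https://app1.example.com/")
    print(parse_validation_response(server.service_validate(ticket, "https://app1.example.com/")))
    # a second validation of the same ticket yields None
    print(parse_validation_response(server.service_validate(ticket, "https://app1.example.com/")))
```

In a deployment, the service parameter the application sends to /serviceValidate must be the same URL it sent to /login, and the application should treat anything other than an authenticationSuccess element as a failed login rather than, for example, inspecting the failure text.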
![Page 19: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/19.jpg)
![Page 20: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/20.jpg)
OAuth2
/authorize: the resource owner logs in and grants authorization to the client application
/token: the client application exchanges the authorization code, client ID and client secret for an access token
/redirect (or sometimes /callback): the client application endpoint the resource owner is redirected to after having granted authorization at the authorization endpoint
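The three endpoints above as one round trip, written as an added Python example; it is not code from the talk or from any OAuth2 library. Both sides are simulated in-process: the authorization server's /authorize issues a code only to a registered redirect URI, and /token accepts that code once, only from the client it was issued to, only with the right client secret and matching redirect URI, and only while it is fresh. The client application's /callback handler checks the state parameter (part of the OAuth2 specification, though not on the slide) before exchanging the code. Client ID, secret, redirect URI, code lifetime and user names are constructed values.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME = 60  # seconds an authorization code stays valid (constructed value)
CLIENT_ID = "app1"                                  # constructed registration
CLIENT_SECRET = "app1-secret-constructed"
REDIRECT_URI = "https://app1.example.com/callback"


def code_from_redirect(redirect_url):
    return parse_qs(urlparse(redirect_url).query).get("code", [None])[0]


class AuthorizationServer:
    """Toy authorization server: the /authorize and /token endpoints."""

    def __init__(self, clients):
        self._clients = clients   # client_id -> {"secret": str, "redirect_uris": set}
        self._codes = {}          # authorization code -> grant details
        self._tokens = {}         # access token -> resource owner

    def authorize(self, client_id, redirect_uri, state, user):
        """/authorize, after the resource owner logged in and consented."""
        client = self._clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            # Redirecting to an unregistered URI would hand the code to someone else.
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "user": user, "issued_at": time.time()}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """/token: code + client credentials -> access token."""
        now = time.time() if now is None else now
        client = self._clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        grant = self._codes.pop(code, None)  # pop: one exchange per code
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri
                or now - grant["issued_at"] > CODE_LIFETIME):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = grant["user"]
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

    def whoami(self, access_token):
        """Stand-in for a protected resource: owner of this bearer token, if any."""
        return self._tokens.get(access_token)


class ClientApp:
    """The relying application: starts the flow and serves /callback."""

    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.server = redirect_uri, server
        self.pending_state = None

    def start_login(self):
        # state is tied to the browser session and must come back unchanged.
        self.pending_state = secrets.token_urlsafe(16)
        return self.pending_state

    def handle_callback(self, redirect_url):
        """/callback: verify state, then exchange the code for a token."""
        state = parse_qs(urlparse(redirect_url).query).get("state", [None])[0]
        if state is None or self.pending_state is None \
                or not hmac.compare_digest(state, self.pending_state):
            return None  # callback not tied to a login this app started
        self.pending_state = None
        response = self.server.token(self.client_id, self.client_secret,
                                     code_from_redirect(redirect_url), self.redirect_uri)
        return response.get("access_token")


def build_demo():
    server = AuthorizationServer({CLIENT_ID: {"secret": CLIENT_SECRET,
                                              "redirect_uris": {REDIRECT_URI}}})
    return server, ClientApp(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, server)


if __name__ == "__main__":
    server, app = build_demo()
    url = server.authorize(CLIENT_ID, REDIRECT_URI, app.start_login(), "alice")
    token = app.handle_callback(url)
    print(server.whoami(token))  # alice
```

The checks in token() are the ones a relying party depends on but cannot perform itself: exact redirect URI matching, single-use codes and short code lifetime are what keep a leaked or replayed code from turning into an access token.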
![Page 21: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/21.jpg)
![Page 22: Solving Single-Sign-On](https://reader033.vdocuments.site/reader033/viewer/2022061205/5480fe7a5906b5dc6c8b45df/html5/thumbnails/22.jpg)
Demos