Single Sign-On 101: Beyond the Hype
What SSO Can and Can’t Do For Your Business
Introductions
Diana Kelley, Baroudi Group
[email protected]
Ian Poynter, Security Consultant
[email protected]
Outline
Definitions
Business Requirements
SSO Technologies
Authentication Methods
SSO Case Studies
Definition
Single Sign-On
Fantasy
One Password For Everything!
Reality
Most Systems And Applications Already Have Their Proprietary Login Functionality
Reduced Logins For Discrete Systems
Corporate Systems
Shared Intranet/Web Applications
Web Logon Aggregators
Business Requirements
Is There A Problem Here?
Mushrooming Passwords
Need For Re-use
Sticky Note Password Cache
Unencrypted Text Files On Laptops and PDAs
Business Requirements
Deceptively Intuitive
Reduce Costs
Increase Security
Increase Efficiency
Increase Convenience
My Boss Told Me I Have To
Business Requirements
Be Honest About the Cost / Benefit Analysis
Use Hard Numbers
What Does it Cost to Reset a Password?
How Much Time is Spent Logging into Multiple Systems Each Morning?
What is The Real Cost of Integration?
Will Additional Authentication Methods Need to be Purchased?
Business Requirements
Be Honest About the Cost / Benefit Analysis
Don’t Forget the Ease of Use Factor
Consider Training for Administrators and All Users
QA and Versioning Can Increase TCO
Business Requirements
Think About the Inside and the Outside
Multiple User Populations Can Increase Costs
Tiered Authentication Levels
At a Minimum Need Secure Password Selection Training for Everyone
Business Risks
Single Point of Failure
Denial of Service/Lack of Availability
Stolen Credentials via Insecure Implementations
Overly Ambitious Projects
Physical and Network
Complicated Procedures
n-factor Authentication
Square Pegs in Round Holes
Business Risks
Failure to Consider the Legacy
OS/390, AS/400, Custom Client/Server Applications, RADIUS
Failure to Consider Regulatory Requirements
Financial Services and GLBA
Health Care and HIPAA
Content Providers and COPPA
International Businesses and EU DPD
Authentication Methods
Declaring and Proving Who or What You Are
Sure, Signing on Once, but What With?
Becomes an Even Larger Question with SSO Because More Systems are Involved
Authentication Methods
Have, Know, Are
Tokens, Passwords, Fingerprints
Single vs. Multi
Authentication Methods
Passwords
One Time Passwords
Tokens and SmartCards
PKI
Digital / Machine Fingerprints
Biometrics
Authentication Protocols and Technologies
Dial-In Users and Wireless (802.1x)
RADIUS
S/390 Mainframes
RACF, ACF2, CA Top-Secret
Unix
PAMs (Pluggable Authentication Modules)
Windows
GINA, Kerberos, NTLM
SSO Technologies
Traditional Single Sign-On
Password Synchronization
Authentication Platforms
Web Logon Aggregators
NB: Convergence Between Traditional SSO and Authentication Platforms
SSO Technologies
Traditional Single Sign-On
Allows a User to Login Once, Using a Single Authentication Method to Gain Access to Multiple Hosts and / or Applications
May Also Provide Access Control / Authorization Features
Authorization policies restrict which applications or systems a user has access to
And what the user can and can’t do on these applications and systems
SSO Technologies
Traditional Single Sign-On
Not an Entirely New Concept
Kerberos and Kerberized
RADIUS and Radiized
Traditional SSO: How It Works
Authenticate Once To Access Many
Login Credentials (ID And Authentication) Usually Stored Locally
Transparently Presented to the System or Application When Needed
Traditional SSO: How It Works
Single Credential for All Systems
Kerberos Model
Multiple Credentials
Required for Most Heterogeneous Environments
Traditional SSO: How It Works
APIs And DLLs
Write the SSO Authentication into Each Application or System (compare to: Radiized)
Or Use Replacement DLLs
Scripts
Pieces of Code on the Client That Manage the Login Procedure to Multiple Systems
Cookies
For Web Applications Only
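The "authenticate once to access many" model on the preceding slides, shown as an added example (not code from the presentation or from any of the products it names). A sign-on server checks the password once and issues a signed, time-limited ticket; each application then verifies the ticket locally instead of running its own password prompt, which is the Kerberos-style single-credential model. The key, the user directory and the lifetime are constructed for the example; a real Kerberos deployment uses per-service keys rather than one key shared by every application, and that shared key is exactly the "single point of attack" the cons slide warns about.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only. A production deployment would load the
# signing key from protected storage; one key trusted by every application means a
# compromise of the sign-on server exposes every system behind it.
SSO_KEY = b"constructed-example-signing-key"
TICKET_LIFETIME_SECONDS = 8 * 60 * 60  # one working day, like a Kerberos TGT


def hash_password(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user directory: username -> (salt, password hash).
USER_DIRECTORY = {
    "agent42": (b"constructed-salt", hash_password(b"constructed-salt", "Correct-Horse-9")),
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_on(username, password, now=None):
    """Step 1: the user authenticates once to the sign-on server.
    Returns a signed, time-limited ticket, or None if the credentials are wrong."""
    record = USER_DIRECTORY.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, hash_password(salt, password)):
        return None
    now = time.time() if now is None else now
    body = json.dumps({"sub": username, "exp": now + TICKET_LIFETIME_SECONDS},
                      separators=(",", ":")).encode()
    tag = hmac.new(SSO_KEY, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(tag)


def verify_ticket(ticket, now=None):
    """Step 2: an application checks the ticket instead of asking for a password.
    Returns the username, or None for a forged, malformed or expired ticket."""
    try:
        body_b64, tag_b64 = ticket.split(".")
        body, tag = b64url_decode(body_b64), b64url_decode(tag_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(SSO_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # the tag is checked before the body is parsed or trusted
    claims = json.loads(body)
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return None
    return claims["sub"]


def access_many(ticket, applications, now=None):
    """The SSO client presents the same ticket to every application transparently;
    the result shows which applications accept it."""
    return {app: verify_ticket(ticket, now) is not None for app in applications}


if __name__ == "__main__":
    ticket = sign_on("agent42", "Correct-Horse-9")
    print(access_many(ticket, ["S/390 RACF", "Oracle", "Custom Web App"]))
```

The client-side scripting approach from the same slide differs in one important way: instead of a ticket, the script stores the user's actual ID and password on the client and replays them, which is the credential-storage risk listed under cons.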
Traditional SSO: Pros and Cons
Pros
Very Easy to Use
Reduces Support Costs
Reduces Logon Cycles
Cons
Integration of Legacy Can Be Expensive and Time Consuming
Single Point of Attack
Scripting Solutions Often Lead to Storage of Passwords And IDs on the Client
Traditional SSO: Business Fit
Good Business Fit for
Companies That Want to Simplify the User Experience
Companies That Need to Reduce the Login Cycle
Traditional SSO: Brand Examples
IBM/Tivoli Global Sign-On
Netegrity SiteMinder
RSA ClearTrust (formerly Securant)
SSO Technologies
Password Synchronization
Manage Passwords Across Platforms and Systems
Keeps Same Password So User Only Needs to Remember One
When User Changes Her Password, Synchronization Server Automatically Updates User Password on All Available Systems or in the Central Repository Server
Password Synchronization: How It Works
Distributed
Agents Automatically Reset Passwords on Applications and Systems
Centralized
All Authentication Requests Are Forwarded to a Central Server
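Both synchronization models from this slide, as an added example that is not code from the presentation or from PassGo, Courion or any other vendor named here. In the distributed model a `SyncServer` fans one password change out to an agent on each system; in the centralized model the systems keep no password at all and forward each logon to one repository. The agents, systems, policy rule and sample password are constructed; the example also shows the two cons from the following slide, since every system still runs its own `check` (no fewer logons) and the only thing being moved around is a password.

```python
import hashlib
import hmac
import os


def hash_password(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_meets_policy(password: str) -> bool:
    """The sync server is the one place a selection rule can be enforced before a
    weak password is pushed to every system. Constructed rule: at least 12
    characters drawn from at least three character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= 12 and sum(classes) >= 3


class SystemAgent:
    """Distributed model: an agent on each target system resets the password in
    that system's own store. Constructed stand-in for a RACF, Oracle or RADIUS
    connector."""

    def __init__(self, name: str, available: bool = True):
        self.name = name
        self.available = available
        self.store = {}  # user -> (salt, hash) in this system's native format

    def set_password(self, user: str, password: str) -> None:
        if not self.available:
            raise ConnectionError(f"{self.name} is unreachable")
        salt = os.urandom(16)
        self.store[user] = (salt, hash_password(salt, password))

    def check(self, user: str, password: str) -> bool:
        """Each system still performs its own logon: synchronization reduces the
        number of passwords to remember, not the number of logon prompts."""
        if user not in self.store:
            return False
        salt, digest = self.store[user]
        return hmac.compare_digest(digest, hash_password(salt, password))


class SyncServer:
    """Fans one password change out to every agent; systems that are not available
    are queued for a later retry."""

    def __init__(self, agents):
        self.agents = list(agents)
        self.pending = []  # (system name, user) changes that did not reach the system

    def change_password(self, user: str, new_password: str):
        if not password_meets_policy(new_password):
            return None  # rejected before it reaches any system
        results = {}
        for agent in self.agents:
            try:
                agent.set_password(user, new_password)
                results[agent.name] = "updated"
            except ConnectionError:
                self.pending.append((agent.name, user))
                results[agent.name] = "queued"
        return results


class ForwardingSystem:
    """Centralized model: the system keeps no password store of its own and
    forwards every logon request to the central repository."""

    def __init__(self, name: str, central: SystemAgent):
        self.name = name
        self.central = central

    def check(self, user: str, password: str) -> bool:
        return self.central.check(user, password)


if __name__ == "__main__":
    server = SyncServer([SystemAgent("S/390 RACF"), SystemAgent("Oracle"),
                         SystemAgent("RADIUS", available=False)])
    print(server.change_password("agent42", "Correct-Horse-Battery-9"))
    print("pending retries:", server.pending)
```

The queued entry is worth noticing in a design review: to retry it later, the sync server has to keep a copy of the new password until every system has accepted it, so the server's own storage becomes a target that the original per-system password stores never were.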
Password Synchronization: Pros and Cons
Pros
User Has Only One Password to Remember
Usually Fairly Easy to Implement
Help Desk Can Reset Passwords to All Systems From Single Console
Cons
Does Not Reduce the Number of Logons
Only Supports Password Authentication
Password Synchronization: Business Fit
Good Business Fit for
Companies That Only Use Password Authentication
Companies That Don’t Need to Reduce the Login Cycle
Password Synchronization: Brand Examples
PassGo, InSync (formerly Axent/Symantec)
Courion, Password Courier
SSO Technologies
Authentication Platforms
Provide a Central Point of Management for Multiple Authentication Schemes
Users Authenticate To A Gateway Using Any Combination of Authentication Methods
Smartcards, PKI, Biometrics etc.
Supports Multi-layer Authentication Policies
Authentication Platforms: How It Works
Abstracts the Authentication Layer to an Authentication Gateway
All Users Login to this Gateway
Gateway Determines Level / Type of Authentication that is Required
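The gateway model on this slide, together with the "have, know, are" and tiered-authentication points from the earlier slides, as an added example (not code from the presentation or from Bionetrix, NMAS, ActivCard or any other product it lists). Applications never see a credential; they ask the gateway, which looks up the tier the application requires, reports which factor categories the session still lacks, and verifies extra factors through pluggable back ends. The policy table, the verifiers and the sample credentials are constructed stand-ins for a password store, a token server and a biometric matcher.

```python
from dataclasses import dataclass, field
from enum import Enum
import hmac


class Factor(Enum):
    KNOW = "something you know"  # password, PIN
    HAVE = "something you have"  # token, smartcard, certificate
    ARE = "something you are"    # fingerprint or other biometric


# Constructed policy table: application -> factor categories the gateway demands.
# Tier 1 needs one category, tier 2 needs two, tier 3 needs all three.
POLICY = {
    "intranet-portal": {Factor.KNOW},
    "customer-records": {Factor.KNOW, Factor.HAVE},
    "money-transfer": {Factor.KNOW, Factor.HAVE, Factor.ARE},
}


@dataclass
class Session:
    user: str
    proven: set = field(default_factory=set)  # factor categories verified so far


class AuthenticationGateway:
    """Abstracts the authentication layer: applications ask the gateway, the
    gateway decides what is still missing and verifies it through back ends
    registered per factor category."""

    def __init__(self, policy, verifiers):
        self.policy = policy
        self.verifiers = verifiers  # Factor -> callable(user, credential) -> bool

    def missing_factors(self, session: Session, app: str) -> set:
        """Which categories the session must still prove for this application."""
        return self.policy[app] - session.proven

    def step_up(self, session: Session, factor: Factor, credential: str) -> bool:
        """Verify one more factor. Because proven factors are a set of categories,
        two credentials of the same kind (two passwords) only ever count once."""
        verifier = self.verifiers.get(factor)
        if verifier is None or not verifier(session.user, credential):
            return False
        session.proven.add(factor)
        return True

    def authorize(self, session: Session, app: str) -> bool:
        if app not in self.policy:
            return False  # default deny: an application with no tier never passes
        return not self.missing_factors(session, app)


def build_demo_gateway() -> AuthenticationGateway:
    """Constructed verifiers with fixed sample data; real back ends would check a
    salted hash, a token server and a biometric template store."""
    passwords = {"agent42": "Correct-Horse-9"}
    token_codes = {"agent42": "482913"}       # code a hardware token would display
    fingerprints = {"agent42": "template-A"}  # stand-in for a matched template
    verifiers = {
        Factor.KNOW: lambda u, c: hmac.compare_digest(passwords.get(u, ""), c),
        Factor.HAVE: lambda u, c: hmac.compare_digest(token_codes.get(u, ""), c),
        Factor.ARE: lambda u, c: fingerprints.get(u) == c,
    }
    return AuthenticationGateway(POLICY, verifiers)


if __name__ == "__main__":
    gw = build_demo_gateway()
    s = Session("agent42")
    gw.step_up(s, Factor.KNOW, "Correct-Horse-9")
    print("portal:", gw.authorize(s, "intranet-portal"))
    print("records still needs:", gw.missing_factors(s, "customer-records"))
```

The gateway is also the single point of failure the next slide lists: if `build_demo_gateway` is unreachable, every application behind it is, which is why availability and denial of service belong in the requirements for this class of product.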
Authentication Platforms: Pros and Cons
Pros
Eases Integration With Abstracted Authentication Layer
Support for Most Authentication Factors
Cons
Does Not Reduce Number of Logins, Unless SSO is Embedded in the Authentication Platform
Single Point of Attack / Failure
Denial of Service
Authentication Platforms: Business Fit
Good Business Fit for
Enterprises with Hierarchical, Complex Authentication Requirements
Companies using N-factor Authentication Solutions
Organizations with Regulated Security / Privacy Requirements
Financial Institutions, HealthCare, Government Agencies
Authentication Platforms: Brand Examples
Bionetrix Authentication Server
Novell Modular Authentication Service (NMAS)
ActivCard (formerly Ankari)
Trinity Server with SSO Functionality
SSO Technologies
Web Logon Aggregators
One Login, Access Multiple Sites
User Logs into Aggregator Software or Site at Beginning of Session
All Subsequent Logins to Web Sites Visited Are Handled Transparently
Web Logon Aggregators: How It Works
Credentials Are Cached Either
Locally via Cookies
On Server via State Mechanism
Automatically Presented to Sites as Needed
Web Logon Aggregators: Pros and Cons
Pros
Ease of Use
Streamlines Web Experience
Cons
Web Only
Sites May Need to Opt In
Outsources Trust to 3rd Party
Loss of Control
Web Logon Aggregators: Business Fit
Good Business Fit for
Companies Providing Web Interfaces to Customers or Employees
Home Users Who Want to Streamline Their Web Experience
Web Logon Aggregators: Brand Examples
.NET / Passport
Liberty Alliance (in process)
Yodlee
Account Aggregator
Case Studies
Example Architectures From the Real World
Identifying Characteristics Have Been Changed Where Needed to Protect Client Confidentiality
Case Study 1
Large US Insurance Company
Project: Reduce ‘Wake Up’ Time for Internal Personnel and External Agents by Integrating Login Function to Multiple Back and Front Ends
Case Study 1
Points for the RFP
State Business Requirements (cf. previous slide)
Provide Hard Numbers
Example: Time Goal for Reduced Wake-up Time
Time and Cost Estimates
Don’t Forget QA Before Roll Out
Include Support and Training
Case Study 1
Points for the RFP
Technical Requirements
All Internal Logins Triggered by NT Login
External Users Credentials Stored in LDAP Directory
Login Support For
S/390 with RACF
Oracle Database
RADIUS for Remote Agents
Custom DOS-Based Money Transfers with SecurID
Custom Web Applications
Case Study 1
Proposal from Selected Vendor
Hybrid Technical Solution
Internal Users
Custom GINA
LDAP Support
Link to Traditional SSO for Web Application Logins
Trigger for Users That Needed to Access SecurID Protected Solutions
External Users
Traditional SSO for Web Application Logins
Case Study 2
International Consulting Firm
Project: Link Multiple Intranets, Distributed Around the World, for Secure Access to Internal-Only Information Sharing And Project Collaboration
Case Study 2
Points for the RFP
State Business Requirements
Provide Hard Numbers
Example: Define Secure Access
Type of Authentication
Encryption Requirements
Roaming User Needs
Time and Cost Estimates
Don’t Forget QA Before Roll Out
Include Support and Training
Case Study 2
Points for the RFP
Technical Requirements
Internationally Distributed Web Servers Across Multiple Domains
Custom Web Applications
Netscape, IIS, Apache Web Servers
Mac And Windows Clients
Case Study 2
Proposal from Selected Vendor
Netegrity SiteMinder with Installation Services
Summary
Know the Business Requirements
Complete a Cost-Benefit Analysis
Set Reasonable Goals
Investigate the Available Technologies
Investigate the Vendors
Match Requirements to Technology
Plan: Create an RFP and Architecture
Prototype, Build, Test, Train, and Deploy
Throw Away Those Yellow Sticky Password Caches!