Presentation is loading. Please wait.

Presentation is loading. Please wait.

Brian Gilmore Computing Services, University of Edinburgh

Published byEmory McDowell Modified over 5 years ago

Similar presentations

Presentation on theme: "Brian Gilmore Computing Services, University of Edinburgh"— Presentation transcript:

1 Brian Gilmore Computing Services, University of Edinburgh
Single Sign-On Brian Gilmore Computing Services, University of Edinburgh 2/24/2019 EuroCAMP April 2006

2 Why is it a problem ? Shouldn’t need to tell this audience!
But, how many logins do you have? 2/24/2019 EuroCAMP April 2006

3 Other External Services
Corporate Services - Login Other External Services -Login ATHENS -Login WIZARD eFinancials etc Staffmail -Login ESP -Login WebCT/ EEMEC -Login E-Diary -Login PC Login School Web Site - Login College Intranet Login 2/24/2019 EuroCAMP April 2006

4 What is Single Sign-On (SSO) ?
LDAP Look-up Shared name/password One sign-on, One database 2/24/2019 EuroCAMP April 2006

5 LDAP Look-up A number of sites claim they have single sign-on by having a single LDAP database which a number of services access Not true SSO as the user is challenged individually by each service 2/24/2019 EuroCAMP April 2006

6 Shared Name/Password Multiple, separate name/pass stores, possibly with synchronisation User experience may be the same as true SSO But, higher risk, different security levels, compromise one equals compromise on all, possibility of unencrypted passwords in system and/or across the network 2/24/2019 EuroCAMP April 2006

7 True Single Sign-On There is a single, well protected, store of user names & passwords Interrogated by multiple services User enters (particular) credentials once, and only once Consistent, overall timeout can be applied – how long is an issue! 2/24/2019 EuroCAMP April 2006

8 Do we really want true SSO ?
If a user is compromised then all the resources open to that user are compromised Important to consider a Risk Analysis to determine the balance between useability and security 2/24/2019 EuroCAMP April 2006

9 Possible model 3 distinct levels External Network Logon
‘Normal’ Internal level ‘High Risk’ Areas Can be other models! 2/24/2019 EuroCAMP April 2006

10 External Network Logon
This is probably the most vulnerable link Users of shared machines Sniffability of wireless networks If the 1st level is broken, the 2nd level will probably still be ok BUT.. Don’t forget keyboard sniffers! 2/24/2019 EuroCAMP April 2006

11 Normal Internal Login Level used for all ‘normal’ risk applications (and people) Vulnerable to internal frauds etc But more secure to external threats 2/24/2019 EuroCAMP April 2006

12 High Risk Areas Examples: People able to: sign 1m euro cheque
Add persons to the payroll Achieve ‘root’ or administrator privilege Also, consider an additional ‘check’ for anyone to change their address etc Use of one-time passwords possible (cost!) 2/24/2019 EuroCAMP April 2006

13 What are the pre-requisites ?
You have to know who *all* your users are SSO implies automation, therefore ‘special cases’ are a problem Students Staff Alumni ‘Others’ 2/24/2019 EuroCAMP April 2006

14 Others This tends to be the problem area
Casual staff visitor to a department External Uni PhD students working in your institution Medical staff who teach Retired staff casually still working in a department 2/24/2019 EuroCAMP April 2006

15 Back to definition of SSO
Two disparate types of system Web Based Systems Others Actually a third: Commercial systems with no API 2/24/2019 EuroCAMP April 2006

16 Non Web-based Systems More of them than at first sight Library systems
Not for catalogue lookup, more Fine handling Situations where user behaviour is remembered Some portal systems Where they wish to handle Authentication by themselves and do proxy (pass on) actions Network Login/Unix systems Requires removal of login mechanism 2/24/2019 EuroCAMP April 2006

17 Web-based SSO Systems Edinburgh had a JISC project to investigate web based SSO systems Performed in 2004, so is now out of date but gives a flavour Is stored at: Or enter into google: JISC Single Sign-on Technologies 2/24/2019 EuroCAMP April 2006

18 Systems Evaluated CAS (Yale) Pubcookie (Washington) WebAuth (Stanford)
Cosign (Michigan) KX.509 (Michigan) 2/24/2019 EuroCAMP April 2006

19 Systems not fully evaluated
A-Select Shibboleth 2/24/2019 EuroCAMP April 2006

20 Results All solutions are cookie based, except for KX.509
There are issues with cookies Single Point of Failure How well is it architected to avoid SPF? Support/Documentation/Usage Quality (when we looked!) 2/24/2019 EuroCAMP April 2006

21 Feature Table (2004!) Usage Single Pt Failure Support Docum- entation
Availability of authentication modules Shibboleth enabled CAS Moderate Yes Poor V poor No Pubcookie Widely used Variable Small amount Projected Webauth Not Widely used Responsive V good Cosign Relatively new V Responsive small Good Has been demonstrated A-Select Moderate inside NL Responsive, commercially available V Good 2/24/2019 EuroCAMP April 2006

22 In Edinburgh Decided to implement Cosign
Strong links with kerberos (strong linux presence) Liked the support No single-point of failure But no IIS support (yet) 2/24/2019 EuroCAMP April 2006

23 Edinburgh 29 services now covered by SSO 23 services not covered
6 of them soon! Individual machines Departmental services Commercial Packages Takes time and significant buy-in from depts etc 2/24/2019 EuroCAMP April 2006

24 Shibboleth Shib can (and is) used as a campus SSO Advantage:
same system inside as outside Fine grained Authorisation possible Version 2 will make this easier, will do authentication rather than relying on something like Apache 2/24/2019 EuroCAMP April 2006

25 Shibboleth Disadvantages:
Considerably more complex to install on every web system Would appear to be a number of single points of failure difficult to overcome. SSO expected to be 24x7x365 2/24/2019 EuroCAMP April 2006

26 Shibboleth Other Issues
New system requires an entry in Federation (national) meta-data, or a local federation Requires a certificate (but getting easier) WAYF issues (local & federation?) 2/24/2019 EuroCAMP April 2006

27 Shibboleth and SSOs Once an institution has implemented even a partial SSO then implementing Shibboleth is mush easier You know who your users are! You have the mechanisms for automating user handling How many web servers have external, authN users ? 2/24/2019 EuroCAMP April 2006

28 Summary Implementing a SSO system is loved by the users
Which system, original SSO or Shibboleth will depend upon your circumstances You really do need to know who all your users are! 2/24/2019 EuroCAMP April 2006

Download ppt "Brian Gilmore Computing Services, University of Edinburgh"

Similar presentations

Shibboleth at Cardiff University Lindsay Roberts Project Manager – Shibboleth Implementation Phase 2.

Shibboleth at Cardiff University Lindsay Roberts Project Manager – Shibboleth Implementation Phase 2.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Joint Information Systems Committee 01/04/2014 | | Slide 1 Single Sign-On Solutions Nicole Harris Programme Manager – JISC.

Joint Information Systems Committee 01/04/2014 | | Slide 1 Single Sign-On Solutions Nicole Harris Programme Manager – JISC.
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.

KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.
ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
iRequestManager for MediMizer X3

iRequestManager for MediMizer X3
Access management for repositories: challenges and approaches for MAMS James Dalziel Professor of Learning Technology and Director, Macquarie E-Learning.

Access management for repositories: challenges and approaches for MAMS James Dalziel Professor of Learning Technology and Director, Macquarie E-Learning.
Audit Issues regarding Passwords on Elevated Privilege Accounts Gene Scheckel Global Internal Audit.

Audit Issues regarding Passwords on Elevated Privilege Accounts Gene Scheckel Global Internal Audit.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
TIES — Technologies for Information Environment Security Sandy Shaw University of Edinburgh.

TIES — Technologies for Information Environment Security Sandy Shaw University of Edinburgh.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Authentication Systems and Single Sign-On (SSO) David Orrell, Eduserv Athens 1st EuroCAMP, 2-4 March 2005, Turin, Italy.

Authentication Systems and Single Sign-On (SSO) David Orrell, Eduserv Athens 1st EuroCAMP, 2-4 March 2005, Turin, Italy.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Supporting further and higher education AA(A) – What does it mean to the service provider? Alan Robiette, JISC Development Group.

Supporting further and higher education AA(A) – What does it mean to the service provider? Alan Robiette, JISC Development Group.

Similar presentations

Ads by Google