Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication Systems and Single Sign-On (SSO) David Orrell, Eduserv Athens 1st EuroCAMP, 2-4 March 2005, Turin, Italy.

Published byNorman Patrick Modified over 8 years ago

Similar presentations

Presentation on theme: "Authentication Systems and Single Sign-On (SSO) David Orrell, Eduserv Athens 1st EuroCAMP, 2-4 March 2005, Turin, Italy."— Presentation transcript:

1 Authentication Systems and Single Sign-On (SSO) David Orrell, Eduserv Athens 1st EuroCAMP, 2-4 March 2005, Turin, Italy

2 Overview What is SSO? How SSO operates Implications of SSO SSO products and authentication systems SSO real-world examples and applications

3 Why SSO? Multiple systems typically require multiple sign-on dialogues –Eg. Desktop logon, email, VLE, library systems, external resources … –Multiple sets of credentials –Presenting credentials multiple times Headache for administration and users The more security domains, the more sign-ons required

4 Simple SSO operation Application /resource SSO Application Application /resource 1. Access application 2. Refer for authn. 3. Ask for credentials 4. Transfer to application Authentication DomainSecondary domain SSO Session (Ticket Granting Ticket) Transfer/Service ticket

5 Security implications Credentials never leave the authentication domain Secondary (affiliated) domains have to trust the authentication domain –Credentials must be asserted correctly –Protect from unauthorised use Authentication transfer has to be protected –Replay prevention –Interception/masquerade attacks

6 SSO Components Authentication server SSO Application HTTP server LDAP Kerberos RDBMS … Application Enforcement agent Sign-on (verification)App (enforcement) Authorisation

7 SSO dependencies SSO system relies on other infrastructure –Authentication system –Requires interface with web server –Identity management/registration Need to provide for authorisation –Applications often need more than just authentication information –Attribute information –Shibboleth or other architectures

8 Other considerations Most SSO systems are HTTP based –Browser cookies (restricted to the authentication domain) –HTTP redirects –Placement of tokens in querystring May require integration with application –Agent-based architecture –SSO protocol Needs to interface with authentication system Needs protocol between authentication domain and target application –Token/ticket-based –SAML POST/artifact profiles

9 Session management The SSO application maintains a session (TGT) for the user The target application usually maintains a session Logging out of the target application may not log you out of the SSO application Single Sign-On  Single Sign-Out! –Application specific

10 Single Sign-On applications Cross-institutional SSO –Athens (Eduserv/UK) –PAPI (Rediris/Spain) –Shibboleth (Internet2/USA) Commercial SSO products –Often companion products to identity managers/directories –Increasing standards compliance (SAML etc.) –Eg. Novell iChain, Sun Java System Access Manager etc…

11 WebISO products (1) “Web initial sign-on” products available for intra-institutional use –Allow authentication to web-based resources across an institution Freely available –Many released under Open Source licences Comparison study carried out for JISC, UK –Recommended reading http://www.jisc.ac.uk/uploaded_documents/CMSS-Gilmore.pdf

12 WebISO products (2) Yale Central Authentication Service (CAS) –http://www.yale.edu/tp/auth Pubcookie (Washington) –http://www.pubcookie.org WebAuth (Stanford) –http://webauthv3.stanford.edu Michigan CoSign –http://www.umich.edu/~umweb/software/cosign X.509 certificates via Kerberos (Michigan) –http://www.umich.edu/~x509 A-Select (Surfnet) –http://a-select.surfnet.nl

13 SSO methods Most SSO systems rely on cookies –Widely accepted and supported by browsers –Users who disable cookies or change browser security settings may lose SSO capability X.509 certificates provide alternative approach –Require installation on users machine –Need for revocation –Can be confusing for users

14 Supported Authentication Methods CAS –LDAP server (OpenLDAP, Active Directory) –Kerberos (MIT, Active Directory) Pubcookie –Kerberos v5 –LDAP server –/etc/shadow WebAuth –MIT Kerberos –OpenLDAP CoSign –Supports GSSAPI A-Select –Banking –SMS ‘SURFkey’ –LDAP –Radius

15 overview

16 Authentication in A-Select choose your own method (and strength) IP address Username / password –LDAP / Active Directory –RADIUS –SQL Passfaces PKI certificate OTP through SMS OTP through internet banking Tokens (SecurID, Vasco, … ) Biometrics

17 Choosing an SSO system (1) Need to evaluate systems appropriate to your environment –Apache/IIS/J2EE –OS/platform support Will the SSO product integrate with my –authentication system –applications (agent/webserver integration, legacy applications) –authorisation system (Shibboleth support?) Need to provide resilient system –Single point of failure –Performance/throughput

18 Choosing an SSO system (2) Need to be supportable –Is the product actively developed? –What is the support like? –Logging/diagnostics –Error handling Customisable –Some SSO products are specific to the organisation they originated from. Can it be customised for your needs?

19 SSO applications Applications typically require an ‘enforcement agent’ –Webserver module –Application-level integration –Usually require authorisation info Some SSO products utilise a proxy approach –SSO-enable legacy products without code change –Eg. Novell iChain

20 SSO in portals

21

22 Other SSO services

23

24

25

26 Logout

27 QUESTIONS? david.orrell@eduserv.org.uk http://www.eduserv.org.uk/athens

Download ppt "Authentication Systems and Single Sign-On (SSO) David Orrell, Eduserv Athens 1st EuroCAMP, 2-4 March 2005, Turin, Italy."

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.

Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.
Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.

Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Access management for repositories: challenges and approaches for MAMS James Dalziel Professor of Learning Technology and Director, Macquarie E-Learning.

Access management for repositories: challenges and approaches for MAMS James Dalziel Professor of Learning Technology and Director, Macquarie E-Learning.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.

JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Novell iChain ® 2.x Configuration Using the Web Server Accelerator Wizard Cary Andrews Senior Software Engineer Novell, Inc.

Novell iChain ® 2.x Configuration Using the Web Server Accelerator Wizard Cary Andrews Senior Software Engineer Novell, Inc.
Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,

Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (

Similar presentations

Ads by Google