Enterprise Single Sign-On - SSO
Dipl. Betriebswirt (BA) Oliver Müller, TEQneers GmbH & Co. KG
SSO: Single Sign-On
Saturday, 5 March 2011
Definition
• Property of access control across multiple, related but independent software systems
• One-time authentication process for multiple applications, websites, ...
Benefits
• Fewer logins and passwords to remember
• Less time spent logging in again
• Lower IT and help-desk cost
• Same level of password security everywhere
• Centralized reporting
• Usually much better passwords
Criticism
• A stolen credential opens all dungeons
• Additional infrastructure required
• Can be combined with strong authentication (e.g. smart cards)
• Many solutions need very expensive software or hardware
Issues
• Different apps use different SSO processes
• Impossible to find ONE SSO for all (?)
• Most solutions cannot cross the intranet barrier
Solutions
• Kerberos [1983]
• LDAP (slapd, Active Directory, …) [1993]
• NTLM (NT Lan Manager) [2000]
• CAS (Central Authentication Service) [2001]
• PKI (Public Key Infrastructure) [1969]
• SAML [2002]
• ...
Kerberos
• No easy setup
• Not easy for developers to set up the same environment
• Intranet barrier
• External service providers cannot use the SSO
LDAP / AD
• SAME sign-on rather than single sign-on (one set of credentials, but each app asks for them again)
• Intranet barrier (exposes too much directory information)
• External service providers cannot use the SSO
• Easy to implement
• Nice for syncing user data
// authenticate a user with an LDAP bind
$ldaprdn  = 'uname';    // LDAP RDN or DN of the user
$ldappass = 'password'; // associated password

// an empty password turns ldap_bind() into an anonymous bind, which most
// directories accept, so reject it before binding
if ($ldappass === '') {
    die("LOGIN failed...");
}

// connect to the LDAP server (use ldaps:// or ldap_start_tls() so the
// password does not travel in clear text)
$ldapconn = ldap_connect("ldap.example.com")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {
    // Active Directory and most current servers require protocol version 3
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // binding to the LDAP server with the user's credentials
    $ldapbind = @ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LOGIN successful...";
    } else {
        echo "LOGIN failed...";
    }
}
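A hardened variant of the bind login above, added here as an example; it is not code from the original slides. Instead of binding with whatever DN the client supplies, it looks the user up with a read-only service account, escapes the username so it cannot alter the search filter, refuses empty passwords (an empty password makes ldap_bind() an anonymous bind) and talks to the directory over LDAPS. The host ldaps://ldap.example.com, the service account cn=svc-lookup,ou=services,dc=example,dc=com, its password, the people subtree and the function name ldap_login are placeholders chosen for this example.

```php
<?php
// Hardened LDAP login (added example, not from the original slides).
// Assumptions: LDAPS endpoint, a low-privilege lookup account, users
// identified by the uid attribute. All names below are placeholders.

function ldap_login(string $username, string $password): bool
{
    // 1. Refuse empty passwords: ldap_bind() with an empty password performs
    //    an anonymous (unauthenticated) bind that most servers accept.
    if ($password === '') {
        return false;
    }

    // 2. Connect over TLS so the password is not sent in clear text.
    $conn = ldap_connect('ldaps://ldap.example.com');
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // 3. Resolve the user's DN with a read-only service account instead of
    //    letting the client supply a DN directly.
    if (!@ldap_bind($conn, 'cn=svc-lookup,ou=services,dc=example,dc=com', 'placeholder-secret')) {
        ldap_close($conn);
        return false;
    }

    // 4. Escape the username so filter metacharacters in the input cannot
    //    change the meaning of the search filter (LDAP filter injection).
    $filter = '(&(objectClass=person)(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $result = ldap_search($conn, 'ou=people,dc=example,dc=com', $filter, ['dn']);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_close($conn);
        return false; // unknown or ambiguous user
    }
    $userDn = $entries[0]['dn'];

    // 5. Prove possession of the password by binding as the user's own DN.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_close($conn);
    return (bool) $ok;
}

// usage: credentials from a hypothetical login form
var_dump(ldap_login($_POST['user'] ?? '', $_POST['pass'] ?? ''));
```

The two-step lookup-then-bind pattern also means a user can log in with a short name while the directory still authenticates against the full DN, which is what Active Directory and most OpenLDAP deployments expect.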
NTLM
• Intranet barrier
• External service providers cannot use the SSO
• Based on Windows logon and Kerberos
• Compatibility issues (more or less Microsoft territory: Windows, IIS, IE)
• Easy to implement for developers
// read a string field out of an NTLM Type 3 message: each field is a
// "security buffer" of length (2 bytes), max length (2 bytes) and
// offset (4 bytes), all little endian
function get_msg_str($msg, $start, $unicode = true) {
    $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
    $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
    if ($unicode)
        // crude UTF-16LE to ASCII conversion: drop the zero bytes
        return str_replace("\0", '', substr($msg, $off, $len));
    else
        return substr($msg, $off, $len);
}

// the browser sends "Authorization: NTLM <base64 Type 3 message>"
$auth = $_SERVER['HTTP_AUTHORIZATION'];
$msg  = base64_decode(substr($auth, 5)); // strip the "NTLM " prefix
// the domain, user and workstation buffers sit at fixed offsets
$user        = get_msg_str($msg, 36);
$domain      = get_msg_str($msg, 28);
$workstation = get_msg_str($msg, 44);
// NOTE: this only parses the names the client claims; the NTLM response in
// the same message still has to be verified (e.g. against the domain
// controller) before $user can be trusted
print "You are $user from $domain/$workstation";
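The parser above trusts the length and offset fields inside the message, so a malformed Type 3 message yields garbage or reads past the buffer. Below is a bounds-checked version, added here as an example and not part of the original slides. It checks the NTLMSSP signature and message type, rejects any security buffer that points outside the message, and decodes the UTF-16LE payload with mbstring (assumed to be installed). The sample message is constructed inline with pack() so the script runs without a browser; build_type3, read_buffer and parse_type3 are names chosen for this example. Like the slide's code, it parses names only; validating the NTLM response is a separate step.

```php
<?php
// Bounds-checked NTLM Type 3 (authenticate) message parser.
// Added example, not code from the original slides. Requires mbstring.

// Lay out a Type 3 message from its fields (used only to build the sample).
function build_type3(string $domain, string $user, string $workstation): string
{
    $fields  = [];
    $payload = '';
    $base    = 64; // header: signature(8) type(4) 5 buffers(40) session key(8) flags(4)
    foreach ([$domain, $user, $workstation] as $s) {
        $u = mb_convert_encoding($s, 'UTF-16LE', 'UTF-8');
        // security buffer: len (uint16), maxlen (uint16), offset (uint32), little endian
        $fields[] = pack('vvV', strlen($u), strlen($u), $base + strlen($payload));
        $payload .= $u;
    }
    $empty = pack('vvV', 0, 0, $base); // responses left empty in this constructed sample
    return "NTLMSSP\0" . pack('V', 3)
        . $empty . $empty                        // LM and NTLM response buffers
        . $fields[0] . $fields[1] . $fields[2]   // domain, user, workstation buffers
        . $empty . pack('V', 0x00000001)         // session key buffer, flags (NEGOTIATE_UNICODE)
        . $payload;
}

// Read one security buffer, rejecting anything that points outside $msg.
function read_buffer(string $msg, int $at): ?string
{
    if (strlen($msg) < $at + 8) {
        return null;
    }
    $b = unpack('vlen/vmax/Voff', substr($msg, $at, 8));
    if ($b['off'] + $b['len'] > strlen($msg)) {
        return null; // offset/length pair escapes the message
    }
    $raw = substr($msg, $b['off'], $b['len']);
    return mb_convert_encoding($raw, 'UTF-8', 'UTF-16LE');
}

// Returns [domain, user, workstation] or null for a malformed message.
function parse_type3(string $msg): ?array
{
    if (strlen($msg) < 64 || substr($msg, 0, 8) !== "NTLMSSP\0") {
        return null;
    }
    if (unpack('V', substr($msg, 8, 4))[1] !== 3) {
        return null; // not an authenticate message
    }
    $domain = read_buffer($msg, 28);
    $user   = read_buffer($msg, 36);
    $ws     = read_buffer($msg, 44);
    if ($domain === null || $user === null || $ws === null) {
        return null;
    }
    return [$domain, $user, $ws];
}

$sample = build_type3('EXAMPLE', 'oliver', 'WS01'); // constructed sample
var_dump(parse_type3($sample));                     // ["EXAMPLE", "oliver", "WS01"]
var_dump(parse_type3(substr($sample, 0, 70)));      // NULL: buffer points past the end
```

In a real handler the message comes from the Authorization header exactly as on the slide; the only change is that the fixed-offset reads go through read_buffer(), so a truncated or crafted message is rejected instead of producing a partial username.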
Central Authentication Service (CAS)
• Token/ticket based authentication
• Developed by Yale University
• phpCAS: open source implementation
• Made for the web only
• Common in education environments
include_once('CAS.php');
// initialize phpCAS
phpCAS::client(CAS_VERSION_2_0, 'sso-cas.home.com', 443, '');
// no SSL validation for the CAS server (demo only: in production validate the
// server certificate with phpCAS::setCasServerCACert('/path/to/ca.pem') instead)
phpCAS::setNoCasServerValidation();
// force CAS authentication
phpCAS::forceAuthentication();
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
// logout if desired
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}
echo "LOGIN successful...";
Public Key Infrastructure (PKI)
• X.509 certificate based authentication
• It's about what-you-have (client certificate), not what-you-know (password)
• Often used with smart cards (e.g. employee ID)
• Made for web, SSH, OS login, ...
• Common in enterprise and government solutions
### PHP
// mod_ssl passes the client certificate in SSL_CLIENT_CERT
// (requires "SSLOptions +ExportCertData" in the Apache configuration)
$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
// verify login (openssl_x509_parse() uses the short name "CN", not "cn")
if ( in_array( $cert['subject']['CN'], $allowedLogins ) ) {
    echo "LOGIN successful...";
} else {
    echo "LOGIN failed...";
}
### Apache configuration or .htaccess
SSLVerifyClient require
SSLRequireSSL
SSLVerifyDepth 1
SSLOptions +ExportCertData
### Output of var_dump($cert)
array(12) {
  ["name"]=> string(75) "/C=DE/O=TEQneers/OU=Dev/CN=Oliver/[email protected]"
  ["subject"]=> array(6) {
    ["C"]=> string(2) "DE"
    ["O"]=> string(10) "TEQneers"
    ["OU"]=> string(10) "Dev"
    ["CN"]=> string(8) "Oliver"
    ["emailAddress"]=> string(10) "[email protected]"
  }
  ["hash"]=> string(8) "123abc45"
  ["issuer"]=> array(7) { ... }
  ["version"]=> int(2)
  ["serialNumber"]=> string(1) "987"
  ["validFrom"]=> string(13) "110131143055Z"
  ["validTo"]=> string(13) "130130142954Z"
  ...
}
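The slide's check accepts any certificate whose CN appears in $allowedLogins. A stricter version, added here as an example and not from the original slides, first requires that mod_ssl reported a successful chain verification (SSL_CLIENT_VERIFY), re-checks the validity window, and identifies the user by the certificate's SHA-256 fingerprint rather than the CN alone, since any CA in the trust store could issue a second certificate with the same CN. To run without Apache it builds a throwaway self-signed certificate in memory with the openssl extension; in production $pem comes from $_SERVER['SSL_CLIENT_CERT'] and the allow list from your user store. client_cert_login and the sample subject are names chosen for this example.

```php
<?php
// Stricter client-certificate login (added example, not from the slides).
// Assumes the openssl extension; the certificate below is constructed.

// Decide whether a PEM client certificate presented by mod_ssl may log in.
// Returns the application login name, or null to reject.
function client_cert_login(string $verifyStatus, string $pem, array $allowed, int $now): ?string
{
    // 1. mod_ssl verified the chain against SSLCACertificateFile; only
    //    continue if that verification succeeded ($_SERVER['SSL_CLIENT_VERIFY']).
    if ($verifyStatus !== 'SUCCESS') {
        return null;
    }
    $cert = openssl_x509_parse($pem);
    if ($cert === false) {
        return null;
    }
    // 2. Enforce the validity window in the application as well (defence in depth).
    if ($now < $cert['validFrom_time_t'] || $now > $cert['validTo_time_t']) {
        return null;
    }
    // 3. Map the certificate to a user by fingerprint, not by CN: a CN is not
    //    unique across all CAs the server trusts.
    $fp = openssl_x509_fingerprint($pem, 'sha256');
    return $allowed[$fp] ?? null; // fingerprint => application login
}

// --- constructed sample: a self-signed certificate for "Oliver" ---
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['C' => 'DE', 'O' => 'TEQneers', 'OU' => 'Dev', 'CN' => 'Oliver'], $key);
$x509 = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
openssl_x509_export($x509, $pem);

// allow list keyed by fingerprint (in production: loaded from the user store)
$allowed = [openssl_x509_fingerprint($pem, 'sha256') => 'oliver'];

var_dump(client_cert_login('SUCCESS', $pem, $allowed, time()));               // "oliver"
var_dump(client_cert_login('NONE', $pem, $allowed, time()));                  // NULL: chain not verified
var_dump(client_cert_login('SUCCESS', $pem, $allowed, time() + 400 * 86400)); // NULL: outside validity window
```

Revocation is still missing from this check: mod_ssl can consult a CRL via SSLCARevocationFile, and if certificates are issued to leavers' smart cards the fingerprint must also be removed from the allow list.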
SAML
• Security Assertion Markup Language
• Defined by OASIS
• Made for internet and extranet sites
• Credentials/information exchanged can be configured
• Open (based on XML, SOAP, HTTP, ...)
SAML Parties
• Client (browser)
• Web application
• Service Provider (SAML client)
• Identity Provider (enterprise federation server)
Service Provider
• self-made
• simpleSAMLphp (open source PHP solution)
• PingConnect (PHP, Perl, Java, …)
• ...
• user enters the URL https://app.com/saml.php
• a user without a valid SAML assertion is forwarded to the service provider
• the browser asks the service provider for an XML assertion
• an XML assertion request form is sent back to the browser
• the browser forwards the assertion request form to the identity provider
• IF NOT LOGGED IN YET:
  • the identity provider asks the user to log into the enterprise network
  • the user enters login/password and sends them back to the identity provider
• the client receives an XML assertion and a cookie signed by the identity provider
• the XML assertion is sent to the service provider, which validates the assertion
• if the assertion is valid, the user is sent back to the initial URL
• the assertion is checked again and the user is looked up in your app
• if the user exists, the app start page appears; otherwise the app might show its standard login page
// Load simpleSAMLphp configuration and session.
$config  = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

// Check if a valid local session exists.
if (!$session->isValid('saml2')) {
    // Redirect to the IdP for authentication.
    SimpleSAML_Utilities::redirect(
        '/' . $config->getBaseURL() . 'saml2/sp/initSSO.php',
        array('RelayState' => SimpleSAML_Utilities::selfURL())
    );
}

// successful authorization
$attributes = $session->getAttributes();
print_r($attributes); // might print out email or login
<saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z" Issuer="TransactionMinderSAMLIssuer" MajorVersion="1" MinorVersion="0" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-10-08T20:16:12.307Z" NotOnOrAfter="2008-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2008-10-08T20:16:12.307Z" AuthenticationMethod="urn:oasis:names:tc:SAML">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0" NameQualifier="Domain Name">Claire Wasser</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>http://www</saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>R1VD8fkkvlrhp</saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
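The flow above ends with the service provider validating the assertion, and the simpleSAMLphp snippet hides that step behind isValid(). The following is an added example of what that validation has to cover once the XML signature has been checked; it is not code from the original slides or from simpleSAMLphp. It assumes the signature over the assertion was already verified by a library such as xmlseclibs and then checks the things a signature alone does not: the expected issuer, the NotBefore/NotOnOrAfter window (with a small clock-skew allowance), the presence of a subject, and that the same AssertionID is not accepted twice (replay). The assertion it parses is a cleaned-up copy of the slide's sample, which carries no signature; check_assertion, SAML1_NS and the $seenIds cache are names chosen for this example.

```php
<?php
// Post-signature checks on a SAML 1.0 assertion (added example, not from
// the slides). Assumes the ds:Signature was verified beforehand.

const SAML1_NS = 'urn:oasis:names:tc:SAML:1.0:assertion';

// Returns [true, subjectName] on success or [false, reason] on rejection,
// so the rejection reason can be logged by the caller.
function check_assertion(string $xml, string $expectedIssuer, int $now, array &$seenIds, int $skew = 60): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external DTDs or entities for untrusted XML
    if (!@$doc->loadXML($xml, LIBXML_NONET)) {
        return [false, 'malformed XML'];
    }
    $a = $doc->getElementsByTagNameNS(SAML1_NS, 'Assertion')->item(0);
    if ($a === null) {
        return [false, 'no Assertion element'];
    }
    if ($a->getAttribute('Issuer') !== $expectedIssuer) {
        return [false, 'unexpected issuer'];
    }
    // Validity window, allowing $skew seconds of clock difference with the IdP
    $cond = $a->getElementsByTagNameNS(SAML1_NS, 'Conditions')->item(0);
    if ($cond === null) {
        return [false, 'no Conditions'];
    }
    $notBefore    = strtotime($cond->getAttribute('NotBefore'));
    $notOnOrAfter = strtotime($cond->getAttribute('NotOnOrAfter'));
    if ($notBefore === false || $notOnOrAfter === false) {
        return [false, 'unparseable Conditions'];
    }
    if ($now + $skew < $notBefore || $now - $skew >= $notOnOrAfter) {
        return [false, 'assertion outside validity window'];
    }
    // Replay protection: an AssertionID may be consumed only once
    $id = $a->getAttribute('AssertionID');
    if ($id === '' || isset($seenIds[$id])) {
        return [false, 'replayed or missing AssertionID'];
    }
    $seenIds[$id] = $notOnOrAfter; // remember until it would have expired anyway
    $name = $a->getElementsByTagNameNS(SAML1_NS, 'NameIdentifier')->item(0);
    if ($name === null || trim($name->textContent) === '') {
        return [false, 'no subject'];
    }
    return [true, trim($name->textContent)];
}

// constructed sample: the slide's assertion, made well-formed
$assertion = <<<XML
<saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z"
    Issuer="TransactionMinderSAMLIssuer" MajorVersion="1" MinorVersion="0"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-10-08T20:16:12.307Z" NotOnOrAfter="2008-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2008-10-08T20:16:12.307Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0" NameQualifier="Domain Name">Claire Wasser</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
XML;

$seen     = [];
$inWindow = strtotime('2008-10-08T21:00:00Z');
var_dump(check_assertion($assertion, 'TransactionMinderSAMLIssuer', $inWindow, $seen)); // [true, "Claire Wasser"]
var_dump(check_assertion($assertion, 'TransactionMinderSAMLIssuer', $inWindow, $seen)); // [false, "replayed or missing AssertionID"]
var_dump(check_assertion($assertion, 'TransactionMinderSAMLIssuer', time(), $seen));    // [false, "assertion outside validity window"]
var_dump(check_assertion($assertion, 'SomeOtherIssuer', $inWindow, $seen));             // [false, "unexpected issuer"]
```

The $seenIds array stands in for whatever shared store the service provider keeps between requests; entries can be dropped once their stored NotOnOrAfter time has passed, because the window check would reject the assertion anyway.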
Identity Server
• Shibboleth IdP (open source)
• PingIdentity
• Oracle Identity Server
• SAP NetWeaver
• Sun OpenSSO / ForgeRock OpenAM
• IBM
• Microsoft Geneva
One size does fit all
• Most federation solutions support many different SSO technologies
• Most are based on some kind of LDAP backend
Thanks for listening; contact me if you have any questions
email: [email protected]: [email protected]
phone: +49 (711) 46 97 28-82
Have Fun!