@salonijshah

Single Sign On

As developers…•…wanting to implement SSO, you may have

wondered... How did it get so complicated?

Help! I have an identity crisis!

Some terminology • Identification• Authentication• Authorization

Some terminology • Identification• Authentication• Authorization

Single Sign On & Identity Federation• Single Sign On: Log in once and access multiple applications• Identity Federation: Shared identity between multiple systems

Enterprise SSO Identity federation

Enterprise SSO & Identity Federation

“Enterprise” SSO

Federated identity

Advantages of a identity federation• Standardization >> Platform Neutrality• Security• Better user experience• Loose coupling of directories• Reduced administrative costs for service providers• Risk transference

SAML

SAML• Security assertion markup language.• Created in 2002 by Security Services Technical Committee of OASIS.• XML-based framework to make assertions regarding identity,

attributes, and entitlements of a user.• Current version: SAML 2.0 (2005)

Enterprise

External services

Three roles in SAML

Three roles in SAML

Three roles in SAML

Circle of trust

SAML Concepts

SAML Assertions

SAML Assertions

SP-initiated SSO

SP-initiated SSO

(1) Access resource

SP-initiated SSO

(1) Access resource

(2) Redirect with <Authn Req>

GET using <Authn Req>

SP-initiated SSO

(1) Access resource

(2) Redirect with <Authn Req>

GET using <Authn Req> (3) Challenge

for credentials

SP-initiated SSO

(1) Access resource

(2) Redirect with <Authn Req>

GET using <Authn Req> (3) Challenge

for credentials

(4) User login

SP-initiated SSO

(1) Access resource

(2) Redirect with <Authn Req>

GET using <Authn Req> (3) Challenge

for credentials

(4) User login

(5) Signed <response>

SP-initiated SSO

(1) Access resource

(2) Redirect with <Authn Req>

GET using <Authn Req> (3) Challenge

for credentials

(4) User login

(5) Signed <response> (6) Post signed

<response>

SP-initiated SSO

(1) Access resource

(2) Redirect with <Authn Req>

GET using <Authn Req> (3) Challenge

for credentials

(4) User login

(5) Signed <response> (6) Post signed

<response>

(7) Supply resource

IdP-initiated SSO

IdP-initiated SSO

(1) Challenge for credentials

(2) User login

(3) Select remote resource

(5) Post signed <response>

(6) Supply resource

(4) Signed <response>

SAML – Security Considerations• Use TLS• Use digitally signed messages• Securely validate the digital signature• Validate the XML schema

SAML – Security Considerations• Use TLS• Use digitally signed messages• Securely validate the digital signature• Validate the XML schema

SAML Security Cheat Sheet:https://www.owasp.org/index.php/SAML_Security_Cheat_Sheet

OAuth

OAuth• Open protocol for secure authorization• “Valet key for the web”• Simple and standard method from web, mobile, and desktop apps• Original spec: 2006• Current version: OAuth 2.0• Google’s OAuth Playground:

https://developers.google.com/oauthplayground/

OAuth Roles

OAuth Roles

OAuth Client Registration

OAuth Flow

OAuth Flow

(1) Do something with my resource

OAuth Flow

(1) Do something with my resource

(2)Give me permission

(3) I’d like to grant this client certain permissions

OAuth Flow

(1) Do something with my resource

(2)Give me permission

(3) I’d like to grant this client certain permissions

(4) Authenticate resource owner and verify permission scope

OAuth Flow

(1) Do something with my resource

(2)Give me permission

(3) I’d like to grant this client certain permissions

(4) Authenticate resource owner and verify permission scope

(5) Return authorization grant

(6) Authorization grant

OAuth Flow

(1) Do something with my resource

(2)Give me permission

(3) I’d like to grant this client certain permissions

(4) Authenticate resource owner and verify permission scope

(5) Return authorization grant

(6) Authorization grant(7) Authorization grant & client credentials

(8)Access token

OAuth Flow

(1) Do something with my resource

(2)Give me permission

(3) I’d like to grant this client certain permissions

(4) Authenticate resource owner and verify permission scope

(5) Return authorization grant

(6) Authorization grant(7) Authorization grant & client credentials

(8)Access token

(9)Access token

(10) Resource

OpenId

OpenID• “Driver’s license for the web”• Authenticate with multiple sites without giving out your credentials• OpenID 1.0 - 2005• OpenID 2.0 - 2007• OpenID Connect – 2014• OpenID Connect: Authentication protocol based on OAuth 2.0

OpenId Terms

OpenId Terms

OpenId Terms

https://accounts.example.com/oauth2/auth?scope=contacts&nonce=53f2495d7b435ac571& redirect_uri=https%3A%2F%2Foauth2demo.appspot.com%2Foauthcallback& response_type=code& client_id=753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com

OpenId Terms

https://accounts.example.com/oauth2/auth?scope=openid+email&nonce=53f2495d7b435ac571& redirect_uri=https%3A%2F%2Foauth2demo.appspot.com%2Foauthcallback& response_type=id_token& client_id=753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com

OAuth and OpenId – Security considerations•Use OAuth 1.0a at least!•Preferably, use OAuth 2.0 with TLS•Properly handle TLS certificate chain validation•Avoid the “Open Redirect” attack

OAuth 2.0 Threat Model:https://tools.ietf.org/html/rfc6819

In summary• Delegate identity management to a secure IdP• Use an established standard• Beware of security vulnerabilities• What I didn’t talk about:• Vendor-specific implementations• Technology-specific implementations

StandardsSAML 2.0 Oauth 2.0 OpenId Connect

Main Purpose Single sign on for enterprise users

API authorization between

applications

Single sign on for consumers

Support Web applications Web, mobile Web, mobile

Protocols used XML, HTTP, SOAP JSON, HTTP JSON, HTTP

Thanks!Questions?Twitter: @salonijshah