SSO (Single Sign On/Off)
Uploaded by russel-mahmud (category: Technology)
Transcript of SSO (Single Sign On/Off)
![Page 2: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/2.jpg)
What is SSO?
Diagram: drive.google.com, gmail.google.com and www.youtube.com share one login at accounts.google.com
![Page 3: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/3.jpg)
SSO Foundations
• Identification
• Authentication
• Authorization
• Access Control
• SSO
![Page 4: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/4.jpg)
Why SSO?
1. End user experience enhanced
2. Single login form
3. Centralized auditing/reporting
4. Developer productivity improved
5. Multi-factor authentication support
6. Reduced IT costs due to fewer IT help desk calls about passwords
![Page 5: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/5.jpg)
Terminology
• Cookies
• Authentication
• HTTPS
• Encryption
• Authorization
![Page 6: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/6.jpg)
HTTPS
![Page 7: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/7.jpg)
HTTPS
![Page 8: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/8.jpg)
Encryption
1. Encryption algorithms transform plain text into cipher text.
2. Two main types of encryption algorithms:
   • Symmetric encryption: uses the same key for encryption and decryption
   • Asymmetric encryption: uses different keys for encryption and decryption
3. Symmetric algorithms are much faster than asymmetric encryption
![Page 9: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/9.jpg)
RSA
![Page 10: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/10.jpg)
HMAC
![Page 11: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/11.jpg)
DSA
![Page 12: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/12.jpg)
SSO Techniques
1. CAS
2. SAML
3. OpenID
4. OAuth
![Page 13: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/13.jpg)
How does CAS work?
Diagram participants: browser, Web Application, CAS server, Kerberos, LDAP
1.0 Initial request to the web application
2.0 Service ID / authentication request to CAS
2.1 Authentication against the first back end (Kerberos)
2.2 Authentication against the second back end (LDAP)
2.3 CAS sets TGT cookies
3.0 Service ticket transfer
4.0 Validate (the web application validates the service ticket with CAS)
5.0 Access web server
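The CAS exchange above, as an added example written for this transcript (it is not code from the CAS project or from the presentation): an in-memory CAS server issues a TGT cookie at login, mints one-time service tickets bound to a single service, and validates them over a back channel for the web application. The credential table, the service URLs and the CAS login URL are constructed stand-ins; the Kerberos and LDAP back ends of the slide are replaced by that table.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode


class CasServer:
    """In-memory stand-in for the CAS server (added example, not CAS code)."""

    def __init__(self, credentials):
        # Constructed username -> password table standing in for the
        # Kerberos / LDAP back ends behind CAS in the slide (steps 2.1, 2.2).
        self._credentials = credentials
        self._tgts = {}              # TGT cookie value -> username
        self._service_tickets = {}   # ST -> (username, service, issued_at)

    def login(self, username, password):
        """Steps 2.0-2.3: check the credentials and return the TGT cookie value."""
        stored = self._credentials.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self._tgts[tgt] = username
        return tgt

    def issue_service_ticket(self, tgt, service):
        """Step 3.0: with a valid TGT cookie, mint a one-time ST bound to one service."""
        username = self._tgts.get(tgt)
        if username is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self._service_tickets[st] = (username, service, time.time())
        return st

    def validate(self, st, service, max_age_seconds=10.0):
        """Step 4.0: back-channel validation. The ST is consumed on first use,
        must match the service it was issued for, and expires quickly."""
        entry = self._service_tickets.pop(st, None)
        if entry is None:
            return None
        username, bound_service, issued_at = entry
        if bound_service != service or time.time() - issued_at > max_age_seconds:
            return None
        return username


class WebApp:
    """The protected web application from the slide."""

    def __init__(self, cas, service_url):
        self.cas = cas
        self.service_url = service_url
        self.sessions = {}           # local session id -> username

    def login_redirect(self):
        """Step 2.0: where the app sends an unauthenticated browser (constructed CAS URL)."""
        return "https://cas.example.test/login?" + urlencode({"service": self.service_url})

    def handle_callback(self, st):
        """Steps 4.0-5.0: validate the ST with CAS, then open a local session."""
        username = self.cas.validate(st, self.service_url)
        if username is None:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid


if __name__ == "__main__":
    cas = CasServer({"alice": "constructed-password"})
    app = WebApp(cas, "https://app.example.test/")
    tgt = cas.login("alice", "constructed-password")
    st = cas.issue_service_ticket(tgt, app.service_url)
    print("session:", app.handle_callback(st))
    print("replayed ticket:", app.handle_callback(st))
```

The point the diagram does not spell out is in `validate`: the application never trusts the ticket it received from the browser by itself; it asks CAS, and CAS accepts each ticket once, only for the service it was issued to, and only briefly.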
![Page 14: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/14.jpg)
How does OAuth work?
![Page 15: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/15.jpg)
NewsCred Auth(MVP)
![Page 16: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/16.jpg)
Goals
1. Centralize the authentication process
2. Keep basic account data isolated
3. Allow users to stay logged in while browsing different apps
![Page 17: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/17.jpg)
NewsCred Auth Design
Slides 17 to 23 build up one diagram step by step; the completed flow is:
1. Initial request to smartgallery.newscred.com
2. No local session: redirect to https://accounts.newscred.com/login/
3.0 Login form authentication at accounts.newscred.com
3.1 Login verification against the CDB database
3.2 Sets cookies (top domain) and redirects to callback_url?token=encrypted_token
4.0 Transfer token; smartgallery.newscred.com sets local cookies
5.0 Access web application
![Page 24: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/24.jpg)
Client Application Flowchart
• Local session? Yes: serve the private resource
• Local session? No: check for auth cookies
• Auth cookies? No: send the user to the Authentication Server
• Auth cookies? Yes: verify the token (RSA / HMAC / DSA)
• Token verified? No: send the user to the Authentication Server
• Token verified? Yes: create the local session, then serve the private resource
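An added example, written for this transcript and not taken from NewsCred or the slides, that ties the Encryption/HMAC slides to the NewsCred flow and the flowchart above: the authentication server issues the token carried in callback_url?token=... (step 3.2), the client application verifies it (step 4.0, "VerifyToken") and then decides between serving the resource, creating a local session or redirecting to the Authentication Server. It assumes an HMAC-SHA256 tag over a JSON payload under a key shared between accounts.newscred.com and the client app; the slides only say the token is encrypted and verified with RSA, HMAC or DSA, so the token layout, the shared key, the 300 second lifetime and the callback URL are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. Assumption: accounts.newscred.com and each client app
# share a per-app key; the slides do not say how keys are distributed.
SHARED_KEY = b"constructed-demo-key-do-not-use-in-production"
TOKEN_TTL_SECONDS = 300


def _b64u(raw: bytes) -> str:
    """base64url without padding, so the token is safe inside a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, callback_url, key=SHARED_KEY, now=None):
    """Step 3.2 on accounts.newscred.com: build the token sent as
    callback_url?token=...  The payload is JSON; the tag is HMAC-SHA256 over it."""
    now = int(time.time()) if now is None else now
    payload = {
        "sub": user_id,
        "aud": callback_url,              # binds the token to one client app
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,   # short-lived: it travels in a URL
        "nonce": secrets.token_hex(8),    # makes every token unique
    }
    body = _b64u(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64u(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + tag


def verify_token(token, expected_callback, key=SHARED_KEY, now=None):
    """Step 4.0 on the client app ("VerifyToken" in the flowchart).
    Returns the payload dict, or None if the tag, audience or validity window is wrong."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
        expected = _b64u(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            return None
        payload = json.loads(_unb64u(body))
        if not isinstance(payload, dict) or payload["aud"] != expected_callback:
            return None                                  # token issued for another app
        if not (payload["iat"] <= now < payload["exp"]):
            return None                                  # outside its validity window
    except (ValueError, TypeError, KeyError, UnicodeError):
        return None                                      # malformed token
    return payload


def handle_request(local_session, has_auth_cookies, presented_token, callback_url, now=None):
    """Client Application Flowchart as one decision function.

    local_session:    the app's own session, or None
    has_auth_cookies: whether the browser sent the top-domain cookies set in step 3.2
    presented_token:  the token taken from callback_url?token=..., or None
    Returns ("serve", session) or ("redirect", None); "redirect" means
    send the browser to the Authentication Server."""
    if local_session is not None:
        return "serve", local_session                    # LocalSession? yes -> PrivateResource
    if not has_auth_cookies:
        return "redirect", None                          # AuthCookies? no -> Authentication Server
    payload = verify_token(presented_token, callback_url, now=now) if presented_token else None
    if payload is None:
        return "redirect", None                          # VerifyToken failed -> Authentication Server
    return "serve", {"user_id": payload["sub"]}          # Create LocalSession -> PrivateResource


if __name__ == "__main__":
    cb = "https://smartgallery.newscred.com/auth/callback"   # constructed callback URL
    tok = issue_token("user-42", cb)
    print("issued:", tok)
    print("verified:", verify_token(tok, cb))
    print("wrong app:", verify_token(tok, "https://other.newscred.com/auth/callback"))
```

The audience check is what keeps a token meant for one client application from being replayed against another, and the short `exp` limits how long a token that leaks through a URL (referrer, browser history, proxy logs) stays usable; those two checks, together with the constant-time tag comparison, are the part of "VerifyToken" a client implementer most often gets wrong.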
![Page 25: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/25.jpg)
Challenges
1. Cross-domain auto logged-in issue
2. Checking user permissions for each domain
3. Updating and deleting account information
4. Cookie theft
![Page 26: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/26.jpg)
Web Services
1. Public APIs: accessible from anywhere, no authentication
2. S2S APIs: authenticated via API keys
![Page 27: SSO (Single Sign On/Off)](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c6a50b4a7959d9228b4576/html5/thumbnails/27.jpg)
Questions?