Single sign on and security
SINGLE SIGN ON AND SECURITY

By

Mwamini Naggayi

CS 795 MW


Outline

  • Introduction

  • What is single sign on?

  • Protocols

  • Purpose

  • Benefits

  • Risk

  • Conclusion

  • Demos (Not available)

  • References

Single Sign On & Security


Introduction

  • As the number of computer systems supporting business processes grows, users and system administrators face an increasingly complicated set of interfaces to accomplish their job functions. Users typically have to sign on to multiple systems, through an equivalent number of sign-on dialogues, each of which may involve a different username and different authentication information.

  • System administrators are also faced with managing user accounts within each of the multiple systems in a coordinated manner in order to maintain the integrity of security policy enforcement. This legacy approach to user sign-on to multiple systems is illustrated below:

Legacy Approach :User Sign-on to Multiple Systems

Legacy Approach: User Sign-on to Multiple Systems

  • These components act as independent domains, in the sense that the end user has to identify and authenticate himself or herself independently to each domain s/he wishes to interact with.

  • To invoke the services of a secondary domain, the end user is required to perform a Secondary Domain Sign-on.

  • From the management perspective, the legacy approach requires independent management of each domain and the use of multiple user account management interfaces.

What is single sign on?

  • Single sign-on (SSO) is a mechanism whereby a single act of user authentication and authorization permits a user to access all computers and systems where s/he has access permission, without the need to enter multiple passwords.

  • The user needs to authenticate only once and the authenticated identity is securely carried across the network to access resources on behalf of the user.

Purpose of single sign on

  • Develop applications to provide a common, single end-user sign-on interface for an enterprise

  • The development of applications for the coordinated management of the multiple “user account management information bases” maintained by an enterprise.

  • Users only need to remember one username and password, and authentication can be provided for multiple services.

Protocols: Single sign on

  • Kerberos is a computer network authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner.

  • Kerberos single sign-on is possible because all of the services are under the same administrative control. There is a centralized database containing keys that are shared with each service, and tickets can be issued, encrypted under the keys of the target services.

Protocols: Single sign on

  • The Passport protocol makes single sign-on across web sites possible: one authentication gives the user access to multiple independent web services.

  • Passport is a protocol that enables users to sign on to many different merchants' web pages by authenticating themselves only once to a common server.

How Passport works

  • The Passport model has three entities: the client at a web browser, the merchant store, and the Passport login server.

  • The login server maintains authentication and customer profile information for the client and gives the merchant access to this information when permitted by the client.

  • Passport divides client data into profile information and the wallet, which contains credit card information.

  • Passport's protocols are designed to enable the secure transfer of profile and wallet information between the Passport server and the merchants.

How Passport works

Benefits: Single sign-on

  • Reduction in the time taken by users in sign-on operations to individual domains.

  • Improved security through the reduced need for a user to handle and remember multiple sets of authentication information.

  • Reduction in time taken, and improved response, by system administrators in adding and removing users to the system or modifying their access rights.

  • Single sign-on reduces human error, a major component of systems failure.

Benefits of single sign-on

  • Improved security through the enhanced ability of system administrators to maintain the integrity of user account configuration, including the ability to inhibit or remove an individual user’s access to all system resources in a coordinated and consistent manner.

Single User Sign-On To Multiple Services

Single User Sign-On To Multiple Services

The information supplied by the end-user as part of the Primary Domain Sign-On procedure may be used in support of secondary domain sign-on in several ways:

  • Directly: the information supplied by the user is passed to a secondary domain as part of a secondary sign-on.

  • Indirectly: the information supplied by the user is used to retrieve other user identification and credential information stored within a single sign-on management information base. The retrieved information is then used as the basis for a secondary domain sign-on operation.

  • Immediately: to establish a session with a secondary domain as part of the initial session establishment. This implies that application clients are automatically invoked and communications established at the time of the primary sign-on operation.

  • Temporarily: stored or cached and used at the time a request for the secondary domain services is made by the end-user.

Risks: Single Sign on

  • The secondary domains have to trust the primary domain to:

    • correctly assert the identity and authentication credentials of the end user;

    • protect the authentication credentials used to verify the end user's identity to the secondary domain from unauthorized use.

  • The authentication credentials have to be protected when transferred between the primary and secondary domains against interception or eavesdropping, which could otherwise lead to impersonation attacks.

  • Single sign-on is highly desirable but difficult to implement.

Risk: Single sign on

  • When security is compromised, single sign-on allows access to firewalls, systems, etc.

  • Passport uses existing web technologies to the best of their abilities. Unfortunately, the resulting protocol implementation poses several risks to the user.

  • User interface confusion: a merchant site that uses Passport displays a Passport sign-out icon which is supposed to remove the Passport cookies, but a user may end up signed out of only the merchant account and not the Passport account.

  • Passport establishes a centralized service trusted by all others to make authoritative decisions about the authenticity of a user. Compromise of this central service would be particularly disastrous, since the service maintains consumer profile information on all registered users.

Risk: Single sign on

  • The Passport system is too dependent on cookies. Passport cookies are used as proofs of authentication, and their lifetimes are determined only by the lifetime of the web browser and the (encrypted) time window in the cookie. If a user forgets to log out on a public machine, a Passport account could leave valid authentication tokens behind on the machine for any user to recover.

  • In Passport, where cookies stand in for tickets, possession of the cookie is all that is necessary to impersonate the valid user of that cookie. No further proof is required, which is dangerous on a public machine. In Kerberos, at least, the client must send an authenticator that proves knowledge of the key inside the ticket.
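To make the last two bullets concrete, here is a small added model, written for this page and not code from the deck, from MIT Kerberos or from Passport, of the two designs side by side: a Kerberos-style ticket that is only accepted together with an authenticator built from a session key the presenter must know, and a Passport-style bearer cookie that is accepted on possession alone. The toy cipher (seal/unseal: a SHA-256 keystream plus an HMAC tag), the service key and the user names are all constructed for illustration.

```python
"""Added illustration for this page: ticket + authenticator (Kerberos style)
versus bearer cookie (Passport style). Not code from the deck, MIT Kerberos
or Passport; the cipher below is a toy for illustration only."""
import hashlib
import hmac
import json
import os
from typing import Optional

SERVICE_KEY = os.urandom(32)   # constructed: shared between the KDC and the service


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter keystream (illustration only)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, json.dumps(obj).encode())
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[dict]:
    """Return the object if the tag verifies under key, else None."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(_keystream_xor(key, nonce, ct))


# --- Kerberos style: ticket sealed to the service, session key known to the client ---

def kdc_issue_ticket(user: str, now: float, lifetime: float = 300.0):
    """The KDC (the deck's centralized key database) returns (ticket, session_key).
    The ticket is sealed under SERVICE_KEY, so the client can carry it but can
    neither read nor alter it; the session key is handed to the client separately."""
    session_key = os.urandom(32)
    ticket = seal(SERVICE_KEY, {"user": user, "skey": session_key.hex(),
                                "exp": now + lifetime})
    return ticket, session_key


def client_authenticator(session_key: bytes, now: float) -> bytes:
    """Fresh proof of knowledge of the session key: a timestamp sealed under it."""
    return seal(session_key, {"ts": now})


def service_accept(ticket: bytes, authenticator: bytes, now: float,
                   skew: float = 60.0) -> Optional[str]:
    """Accept only if the ticket is genuine and unexpired AND the authenticator
    was made with the session key carried inside that ticket and is recent.
    A ticket recovered from a machine without its session key fails here."""
    t = unseal(SERVICE_KEY, ticket)
    if t is None or now >= t["exp"]:
        return None
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if a is None or abs(now - a["ts"]) > skew:
        return None
    return t["user"]


# --- Passport style: the cookie itself is the proof ---

def issue_bearer_cookie(user: str, now: float, lifetime: float = 300.0) -> bytes:
    """The login server seals the identity and a time window; nothing else is needed."""
    return seal(SERVICE_KEY, {"user": user, "exp": now + lifetime})


def bearer_accept(cookie: bytes, now: float) -> Optional[str]:
    """Possession is sufficient: whoever presents the cookie is the user until
    the time window inside it runs out, so that window is the only bound."""
    c = unseal(SERVICE_KEY, cookie)
    if c is None or now >= c["exp"]:
        return None
    return c["user"]
```

The point the model makes is the one the slide makes: for the bearer design, the cookie lifetime and an explicit sign-out are the only things limiting a token left behind on a shared machine, whereas the ticket design additionally requires fresh proof of a secret that never leaves the client's memory.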

Conclusion

  • The best way to protect your interests is to ensure that any SSO software offered by any company provides some level of guarantee to meet the organization's security needs.

  • The need for tools that help users manage authentication and personal information across a variety of sites is increasingly critical. Passport is an ambitious attempt to meet those needs and requires no changes to existing browsers and servers. However, the system carries significant risks to users.

Demo: Two Site files

Site one
  Public pages
    Default.aspx
    Web config
  Secure folder
    httpsPage.aspx
    login.aspx

Site two
  Public Pages
    default.aspx
    Web config
  Secure folder
    httpsPage.aspx

Demos: Default page on slide site 1

Demos: Web config site one

<authentication mode="Forms">
  <forms loginUrl="Secure\login.aspx" protection="All"
         requireSSL="true" timeout="10" name="FormsAuthCookie"
         path="/FormsAuth" slidingExpiration="true" />
</authentication>

<!-- For SSO Test: both sites carry the identical machineKey so that a
     forms-authentication cookie issued by one site validates on the other. -->
<machineKey
  validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
  decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
  validation="SHA1" />

<!-- The restricted folder is for authenticated and SSL access only. -->
<location path="Secure">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
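The shared machineKey is what makes the two demo sites accept each other's forms cookie. The following added model, written for this page and not ASP.NET's FormsAuthentication nor the deck's demo code, reproduces that behaviour with constructed keys, application paths and user names: a cookie minted by site one validates on site two because both compute the HMAC under the same key, a site with a different key rejects it, tampering is detected, the absolute timeout bounds a cookie left on a public machine, sliding expiration reissues the cookie only after more than half the timeout has elapsed (the rule ASP.NET applies for slidingExpiration="true"), and sign-out overwrites the cookie with a past expiry as the deck's LogoutButton_Click does.

```python
"""Added model of cross-application forms-authentication SSO for this page.
Illustration only: not ASP.NET's FormsAuthentication and not the deck's demo;
it mimics the behaviour implied by the <forms> and <machineKey> settings."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample keys (deliberately not the validationKey from the deck).
SHARED_KEY = bytes(range(32))            # configured identically on site one and site two
UNRELATED_KEY = bytes(range(32, 64))     # a site that was not given the shared machineKey


class FormsAuthSite:
    """One web application with its own <forms> settings and a machineKey."""

    def __init__(self, app_path: str, validation_key: bytes,
                 timeout_minutes: int = 10, sliding: bool = True,
                 cookie_name: str = "FormsAuthCookie",
                 cookie_domain: Optional[str] = None):
        self.app_path = app_path
        self.key = validation_key
        self.timeout = timeout_minutes * 60
        self.sliding = sliding
        self.cookie_name = cookie_name
        self.cookie_domain = cookie_domain

    def _tag(self, body: bytes) -> str:
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def issue(self, user: str, now: float) -> str:
        """Mint a cookie value: hex(ticket JSON) '.' HMAC tag under the machineKey."""
        ticket = {"user": user, "issued": now, "expires": now + self.timeout}
        body = json.dumps(ticket, sort_keys=True).encode()
        return body.hex() + "." + self._tag(body)

    def validate(self, cookie: str, now: float) -> Optional[str]:
        """Return the user name if the tag verifies under THIS site's key and the
        ticket has not expired; None for forged, tampered, foreign-key or stale cookies."""
        body_hex, _, tag = cookie.partition(".")
        try:
            body = bytes.fromhex(body_hex)
            ok = hmac.compare_digest(tag, self._tag(body))
        except (ValueError, TypeError):
            return None
        if not ok:
            return None
        ticket = json.loads(body)
        if now >= ticket["expires"]:
            return None   # the absolute timeout limits how long a left-behind cookie works
        return ticket["user"]

    def renew_if_sliding(self, cookie: str, now: float) -> str:
        """slidingExpiration="true": reissue once more than half the timeout has elapsed."""
        user = self.validate(cookie, now)
        if user is None or not self.sliding:
            return cookie
        issued = json.loads(bytes.fromhex(cookie.partition(".")[0]))["issued"]
        if now - issued > self.timeout / 2:
            return self.issue(user, now)
        return cookie

    def cookie_attributes(self, value: str) -> dict:
        """Attributes implied by name / requireSSL / path in the <forms> element."""
        attrs = {"name": self.cookie_name, "value": value,
                 "secure": True, "path": self.app_path}
        if self.cookie_domain:
            attrs["domain"] = self.cookie_domain
        return attrs

    def sign_out_cookie(self, now: float) -> dict:
        """What the deck's logout handler does: overwrite the cookie with an empty
        value and an expiry in the past so the browser discards it."""
        attrs = self.cookie_attributes("")
        attrs["expires"] = now - 86400
        return attrs
```

One caveat the model makes visible: key sharing is what lets site two accept site one's ticket, but the browser only sends the cookie to site two if the cookie's path and domain cover it, which is why the demo's login page sets the cookie Domain explicitly rather than relying on the per-application path="/FormsAuth".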

Site one: default.aspx.cs

// Requires System, System.IO and System.Web.
private void SecureButton_Click(object sender, System.EventArgs e)
{
    // Move to the HTTPS scheme on the same host before entering the secure folder.
    UriBuilder uri = new UriBuilder( Uri.UriSchemeHttps, Request.Url.Host );
    uri.Path = Path.Combine( Request.ApplicationPath, "Secure/httpsPage.aspx" );
    Response.Redirect( uri.ToString() );
}

Secure folder One: Login.aspx.cs

// Requires System, System.IO, System.Web and System.Web.Security.
private void Page_Load(object sender, System.EventArgs e)
{
    // Demo only: no password is verified; a ticket is issued for whatever
    // user name is in the UserId text box.
    // For different domains, should use the cookie domain
    HttpCookie formsCookie = FormsAuthentication.GetAuthCookie( UserId.Text, false );
    formsCookie.Domain = "localhost.com";
    Response.AppendCookie( formsCookie );
    // Response.Redirect ends the request, so the RedirectFromLoginPage call
    // that follows is never reached.
    Response.Redirect( FormsAuthentication.GetRedirectUrl( UserId.Text, false ) );
    FormsAuthentication.RedirectFromLoginPage( UserId.Text, false );
}

private void LoginButton_Click(object sender, System.EventArgs e)
{
    UriBuilder uri = new UriBuilder( Uri.UriSchemeHttp, Request.Url.Host );
    uri.Path = Path.Combine( Request.ApplicationPath, "default.aspx" );
    Response.Redirect( uri.ToString() );
}

Secure folder one: httpsPage.aspx.cs

// Requires System, System.IO, System.Web and System.Web.Security.
private void LogoutButton_Click(object sender, System.EventArgs e)
{
    System.Web.Security.FormsAuthentication.SignOut();
    // SignOut() expires the cookie as configured in web.config, which sets no
    // domain; the login page issued the cookie with Domain = "localhost.com",
    // so that copy is expired explicitly here. Guard against a missing cookie.
    HttpCookie formsCookie = Request.Cookies[ FormsAuthentication.FormsCookieName ];
    if ( formsCookie != null )
    {
        formsCookie.Domain = "localhost.com";
        formsCookie.Expires = DateTime.Now.AddDays( -1 );
        Response.Cookies.Add( formsCookie );
    }
    Response.Redirect( Request.Url.ToString() );
}

private void BackButton_Click(object sender, System.EventArgs e)
{
    UriBuilder uri = new UriBuilder( Uri.UriSchemeHttp, Request.Url.Host );
    uri.Path = Path.Combine( Request.ApplicationPath, "default.aspx" );
    Response.Redirect( uri.ToString() );
}

private void SiteTwoButton_Click(object sender, System.EventArgs e)
{
    // Site two accepts the same cookie because it shares the machineKey.
    Response.Redirect( "https://localhost/FormsAuth2/Secure/httpsPage.aspx" );
}

Demos: Web config first site

// Requires System, System.IO and System.Web.
private void LinkButton1_Click(object sender, System.EventArgs e)
{
    UriBuilder uri = new UriBuilder( Uri.UriSchemeHttps, Request.Url.Host );
    uri.Path = Path.Combine( Request.ApplicationPath, "Secure/httpsPage.aspx" );
    Response.Redirect( uri.ToString() );
}

References

  • http://www.opengroup.org/security/sso/

  • http://www.enterasys.com/solutions/secure-networks/single_sign-on/

  • http://www.scmagazine.com/us/grouptest/details/2a136ba7-b164-4346-974e-1afcc4d628e2/single+sign-on+2005/

  • http://www.imprivata.com/content3208.html

  • http://avirubin.com/passport.html

  • http://weblogs.asp.net/hernandl/archive/2004/06/09/ssoformsauth.aspx

  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/singlesignon.asp
