
Single Sign On


Presentation Transcript


  1. Single Sign On
  Glen Dorton

  2. The Problem
  • Users have to authenticate to multiple systems
  • User name and password is the most common authentication scheme
  • Users are required to remember multiple user names and passwords, one per system
  • Why is this a problem?

  3. Solution: Single Sign On
  • Single sign on still employs user name and password as the most common method
  • However, users only need to remember one user name and password to access all systems

  4. Benefits
  • One sign on grants access to all resources
  • Users will be less likely to write down passwords and hide the paper under a keyboard
  • Administration of user accounts and access control is vastly simplified
  • Improved security through ease of administration and better control of account management

  5. Problems
  • Subject to standard password attacks
  • Once a password is compromised, or an attacker can create an account, access to all resources allowed for that user is obtained
  • Central point of failure

  6. Implementations
  • Scripting
  • Kerberos
  • Secure European System for Applications in a Multi-vendor Environment (SESAME)
  • Diskless workstations
  • Directory services
  • Microsoft .NET Passport

  7. Microsoft .NET Passport
  • Developed to provide a single sign on solution for web based applications
  • Kids Passport Service

  8. Microsoft .NET Passport
  • Registration
  • Stores credentials and personal information
  • Email address is the user id
  • Human Interaction Protocol
  • Email validation

  9. Microsoft .NET Passport
  • Authentication
  • Uses an authentication ticket, the “ticket granting cookie”
  • Subsequent sites may accept the same authentication ticket depending on its age
  • Signing out of Passport is accomplished by deleting the cookies, unless “sign me in automatically” is enabled

  10. Problems with .NET Passport
  • Key management
  • Uses 3DES; keys are generated randomly and must be distributed securely
  • Persistent cookies
  • Allow the user to remain ‘logged in’ all the time
  • Theft of cookies
  • Coding vulnerabilities
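  The following is an added example, not part of the presentation and not Microsoft's Passport code: a minimal "ticket granting cookie" as slides 9 and 10 describe it. The ticket carries the user id and its issue time, is authenticated with a key shared between the identity provider and the participating sites (HMAC-SHA256 is substituted here for Passport's 3DES; the shared key, the cookie layout and the max-age values are all constructed assumptions), and each relying site decides for itself how old a ticket it will still accept. It also shows the two cookie-handling points from slide 10: a session cookie versus a persistent "sign me in automatically" cookie, and sign-out as deletion of the cookie.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. In Passport this is the 3DES key distributed to each
# participating site; any site holding it can verify (and mint) tickets.
SHARED_KEY = b"constructed-demo-key-do-not-use"


def issue_ticket(user_id: str, issued_at: int, key: bytes = SHARED_KEY) -> str:
    """Mint a ticket: urlsafe-base64(payload) '.' urlsafe-base64(HMAC-SHA256(payload))."""
    payload = json.dumps({"uid": user_id, "iat": issued_at}, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_ticket(cookie: str, now: int, max_age: int, key: bytes = SHARED_KEY):
    """Return the user id if the ticket is authentic and no older than max_age seconds.

    Returns None for a malformed, tampered, foreign-key or stale ticket. The
    age check is what lets one site accept a ticket another site already used,
    while a more sensitive site can insist on a fresher one.
    """
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:          # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None             # payload edited, or signed with a different key
    data = json.loads(payload)
    if now - data["iat"] > max_age:
        return None             # older than this site's policy allows
    return data["uid"]


def set_cookie_value(ticket: str, persistent: bool, max_age: int = 30 * 24 * 3600) -> str:
    """Value for a Set-Cookie header. Without Max-Age the browser drops the cookie
    when it closes (session cookie); with it the ticket survives, which is what
    "sign me in automatically" amounts to and why a stolen cookie stays useful."""
    attrs = ["ticket=" + ticket, "Secure", "HttpOnly", "SameSite=Lax"]
    if persistent:
        attrs.append(f"Max-Age={max_age}")
    return "; ".join(attrs)


def sign_out_cookie_value() -> str:
    """Sign-out is cookie deletion: overwrite the ticket with an expired empty value."""
    return "ticket=; Max-Age=0; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    ticket = issue_ticket("alice", issued_at=1000)
    print(verify_ticket(ticket, now=1200, max_age=300))    # alice: 200 s old, within policy
    print(verify_ticket(ticket, now=2000, max_age=300))    # None: too old for a strict site
    print(verify_ticket(ticket, now=2000, max_age=3600))   # alice: a lenient site still accepts it
    print(set_cookie_value(ticket, persistent=True))
    print(sign_out_cookie_value())
```

  The HMAC check rejects a ticket whose payload was swapped for another user's, and a site that was given a different key cannot verify tickets at all, which is the key-distribution problem slide 10 raises: every participating site must receive the same secret over a secure channel. Note that the age check does nothing against a cookie stolen within the acceptance window; only a short max-age, Secure/HttpOnly attributes and avoiding persistent cookies reduce that exposure.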

  11. Passport Attacks
  • Phishing: the attacker sets up a fake merchant site that redirects to a fake passport.com, and the user enters credentials there
  • Man in the middle: the attacker intercepts the legitimate redirect to passport.com and redirects to his own fake passport.com
  • DNS attacks: Passport relies on redirects to passport.com for authentication
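  All three attacks on slide 11 depend on the browser being sent to a host other than the real identity provider. The added example below (not from the presentation, and not Passport's own code) is the check a relying site or client library would apply before following a login redirect: an exact allowlist match on the hostname over HTTPS, rather than a substring or suffix test. The allowlisted hostname and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the exact hostnames of the real identity provider.
# For Passport this would be the genuine passport.com login hosts.
IDP_HOSTS = frozenset({"login.passport.example"})
CANONICAL_LOGIN_URL = "https://login.passport.example/login"


def is_trusted_idp_redirect(url: str) -> bool:
    """True only if url is an https URL whose hostname is exactly an allowlisted host.

    urlsplit separates userinfo, host and port, so 'host@other' and 'host:port'
    tricks do not fool the comparison; a prefix, suffix or path containing the
    real name is not the real host and is rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":          # plain http can be intercepted and rewritten
        return False
    if parts.username is not None or parts.password is not None:
        return False                     # userinfo in a login redirect is never legitimate
    host = parts.hostname or ""          # lowercased, without port or userinfo
    return host in IDP_HOSTS


def choose_login_redirect(requested_url: str) -> str:
    """Follow a requested login redirect only if trusted; otherwise fall back to the
    canonical provider URL instead of wherever the request pointed."""
    return requested_url if is_trusted_idp_redirect(requested_url) else CANONICAL_LOGIN_URL


if __name__ == "__main__":
    for candidate in [
        "https://login.passport.example/login?return=https://shop.example/cart",
        "http://login.passport.example/login",            # wrong scheme
        "https://login.passport.example.lookalike.test/",  # suffix lookalike
        "https://other.test/login.passport.example",      # real name only in the path
        "https://login.passport.example@other.test/",     # real name only in userinfo
    ]:
        print(is_trusted_idp_redirect(candidate), candidate)
```

  This does not help against the DNS attack on slide 11 by itself: if the name resolves to the attacker's address, the hostname still matches. That case is covered only by the TLS certificate check the https requirement enables, which is why the scheme test is part of the function and not optional.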

  12. Conclusion
  • Becoming more prevalent with directory services
  • Difficult to implement with systems that have proprietary authentication schemes
  • Will be more practical in the future

  13. References
  • Passport risks: http://avirubin.com/passport.html
  • Open Group: http://www.opengroup.org/security/sso/
  • Microsoft .NET Passport Review Guide: http://www.microsoft.com/net/services/passport/review_guide.asp
