page 1 (month ##, 2002, filename.ppt © 2002)
Single Sign-On Architectures
Jan De Clercq, Security Consultant
HPCI Technology Leadership Group, Hewlett-Packard
page 2
Agenda
• Trusted Security Infrastructures
• SSO: What and Why?
• SSO Architectures
• Extending SSO
page 3
Trusted Security Infrastructures (TSIs)
[Figure: layered view of the TSI. Applications (App 1, App 2, App 3, App..., Messaging, DBs, Web Services) sit on top of the Trusted Security Infrastructures, whose building blocks are Security Admin, Access Control Infra, Auditing, Identity Mgmt, Services Mgmt, Sec Pol Mgmt (security policy management) and Authent Infra (authentication infrastructure). Directories Dir A, Dir B and Dir C are joined through a Meta-Directory. Everything rests on the Core I.T. Infrastructure.]
page 4
SSO Foundations: Trust
[Figure: SSO rests on Trust, and Trust rests on the chain Identification, Authentication, Authorization, Access Control.]
page 5
Agenda
• Trusted Security Infrastructures
• SSO: What and Why?
• SSO Architectures
• Extending SSO
page 6
SSO: What and Why?
• Ease of Administration
• Ease of Use
• Enables Enforcement of a Coherent Security Policy
• Key to the Kingdom?
page 7
SSO Terminology
• Authentication Infrastructure
• Authentication Server
- “Physical” providers of authentication/SSO
• Authentication Authority
- “Logical” providers of authentication/SSO/Trust
= Domain (Windows speak)
= Cell (DCE speak)
= Realm (Kerberos speak)
• Authentication Credentials
• Digital Identity
• Credential Database
• Authentication Factors
• Authentication Token
page 8
SSO Terminology
[Figure: reference diagram reused by the architecture slides that follow. The User performs a Primary Sign-On (ID/PW) in an Authentication Exchange with the Authentication Server, which checks the Credential Database maintained by Account and Credential Management and returns a token (Tok). The User presents the token to a Resource Server in a Secondary Authentication Domain; the Resource Server relies on a Trust relationship with the Authentication Server for Token Validation.]
page 9
Agenda
• Trusted Security Infrastructures
• SSO: What and Why?
• SSO Architectures
• Extending SSO
page 10
SSO Solutions and Architectures
Simple SSO
• Single Authentication Authority and Server
• Single Authentication Authority and Multiple Servers
Complex SSO
• With a Single Set of Credentials
  – Token-based SSO
  – PKI-based SSO
• With Multiple Sets of Credentials
  – Credential Synchronization
  – Client-side Credential Caching
  – Server-side Credential Caching
page 11
Simple SSO Solutions
SSO with a single Authentication Authority and a single Authentication Server
[Figure: as in the reference diagram. The User's Primary Sign-On (ID/PW) goes through an Authentication Exchange with the one Authentication Server and its Credential Database (maintained by Account and Credential Management); the resulting token (Tok) is presented to Resource Servers in the Secondary Authentication Domains, which perform Token Validation over their Trust relationship with that server.]
Examples: OS, EAMS, Centralized RAS
page 12
Simple SSO Solutions
SSO with a single Authentication Authority and multiple Authentication Servers
[Figure: same flow as the single-server case, but the Authentication Authority runs several Authentication Servers. Account and Credential Management writes to a Master Credential Database, which is copied by Replication to a Replicated Credential Database at each additional Authentication Server; the User's Primary Sign-On (ID/PW) can be handled by any of them, and Resource Servers in the Secondary Authentication Domains validate the token (Tok) through Trust and Token Validation as before.]
Examples: OS, EAMS, Centralized RAS
page 13
Traditional Sign-On (No SSO)
[Figure: the User performs a Primary Sign-On (ID/PW) with the Primary Authentication Authority, which checks its Primary Credential Database and issues a token (Tok), and then a separate Secondary Sign-On (its own ID/PW) with each Secondary Authentication Authority, which checks its own Secondary Credential Database and issues its own token. Each authority has its own Account and Credential Management; there is no trust relationship between them.]
page 14
Complex SSO Solutions: Single Credential Set: Token-based SSO
[Figure: the User performs one Primary Sign-On (ID/PW) with the Primary Authentication Authority, which checks its Primary Credential Database and issues a Temporary Token. Transparent Secondary Sign-On(s) then use that Temporary Token with each Secondary Authentication Authority, which accepts it on the strength of its Trust relationship with the primary authority. Each authority keeps its own Account and Credential Management and credential database (Primary and Secondary Credential Database); only one set of credentials is ever typed.]
Examples: Kerberos, EAMS, Passport
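The token-based flow above, worked through as an added example (it is not code from the presentation or from Kerberos, EAMS or Passport): the primary authentication authority checks the password once and issues a short-lived token bound to one secondary authority; the secondary authority accepts the token on the strength of a key it shares with the primary (the Trust relationship in the figure) and never sees the password. The realm name CORP, the user entry, the shared key and the HMAC-based token format are assumptions made for this illustration; Kerberos tickets differ in format, but the trust, audience and lifetime checks shown are the ones a practitioner should look for in any token-based design.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// trustKey models the Trust relationship between the primary and the
// secondary authentication authority: a secret only the two of them hold.
// Constructed for this example; a real deployment uses a key per relationship.
var trustKey = []byte("example-realm-trust-key-not-for-production")

// primaryCredentialDB is the primary authority's credential database (ID -> PW).
// Plaintext sample data, constructed for the example; a real store hashes.
var primaryCredentialDB = map[string]string{"jdeclercq": "correct horse"}

// Token is the temporary token the user receives at primary sign-on and
// presents to a secondary authority instead of a password.
type Token struct {
	Subject  string // authenticated user ID
	Issuer   string // primary authentication authority (domain/realm)
	Audience string // the one secondary authority this token is valid for
	Expires  int64  // Unix seconds; tokens are temporary
	MAC      string // hex HMAC-SHA256 over the fields above, keyed with trustKey
}

func (t Token) payload() string {
	return strings.Join([]string{t.Subject, t.Issuer, t.Audience, strconv.FormatInt(t.Expires, 10)}, "|")
}

func computeMAC(payload string) string {
	m := hmac.New(sha256.New, trustKey)
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}

var (
	ErrBadPassword = errors.New("primary sign-on failed")
	ErrBadMAC      = errors.New("token MAC invalid")
	ErrAudience    = errors.New("token issued for a different authority")
	ErrExpired     = errors.New("token expired")
)

// PrimarySignOn is the only step that ever sees the password. On success it
// issues a token scoped to one secondary authority and valid for ttl.
func PrimarySignOn(id, pw, audience string, now time.Time, ttl time.Duration) (Token, error) {
	stored, ok := primaryCredentialDB[id]
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(pw)) != 1 {
		return Token{}, ErrBadPassword
	}
	if strings.ContainsAny(id+audience, "|") { // keep the MAC payload unambiguous
		return Token{}, errors.New("separator not allowed in token fields")
	}
	t := Token{Subject: id, Issuer: "CORP", Audience: audience, Expires: now.Add(ttl).Unix()}
	t.MAC = computeMAC(t.payload())
	return t, nil
}

// SecondarySignOn runs at the secondary authentication authority named me.
// It validates the token through the shared trust key only; it has no
// access to, and no need for, the user's password.
func SecondarySignOn(t Token, me string, now time.Time) error {
	if !hmac.Equal([]byte(t.MAC), []byte(computeMAC(t.payload()))) {
		return ErrBadMAC // forged or tampered token
	}
	if t.Audience != me {
		return ErrAudience // token stolen from, or meant for, another service
	}
	if !now.Before(time.Unix(t.Expires, 0)) {
		return ErrExpired // "temporary" is what limits the damage of a stolen token
	}
	return nil
}

func main() {
	now := time.Now()
	tok, err := PrimarySignOn("jdeclercq", "correct horse", "mail.corp", now, 5*time.Minute)
	if err != nil {
		fmt.Println("primary sign-on:", err)
		return
	}
	fmt.Println("mail.corp accepts token:", SecondarySignOn(tok, "mail.corp", now) == nil)
	fmt.Println("files.corp rejects token:", SecondarySignOn(tok, "files.corp", now))
	fmt.Println("an hour later:", SecondarySignOn(tok, "mail.corp", now.Add(time.Hour)))
}
```

The audience and expiry checks are what keep the "key to the kingdom" concern of slide 6 bounded: a stolen token opens only the one secondary authority it was issued for, and only until it expires.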
page 15
Complex SSO Solutions: Single Credential Set: PKI-based SSO
[Figure: the User goes through User Registration with the Primary Authentication Authority (whose Account and Credential Management and Credential Database hold the ID/PW used to identify the user); Certificate Issuance gives the user a User Cert and a User Private Key. Transparent Secondary Sign-On(s) then use these Public Key Credentials (Certificate and Private Key) with each Secondary Authentication Authority. Each secondary authority holds the CA Cert, and that copy is the Trust relationship with the primary authority.]
Examples: Entrust, Baltimore, Windows 2000, Windows.NET
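PKI-based SSO as an added example (not the presentation's code and not the code of any of the products it lists): the primary authentication authority acts as the CA, registration produces a client-authentication certificate plus private key, and a secondary authority authenticates the user by chaining that certificate to the CA certificate it holds and checking a signature over a fresh challenge it issued. The example uses only the Go standard library; the CA name, the user ID, the validity periods and the challenge are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Identity pairs a certificate with its private key. The CA's Identity is the
// primary authentication authority; a user's Identity is the public key
// credential issued at registration. Private keys never leave their holder.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newCert generates a P-256 key pair and issues tmpl for it; nil parent means self-signed.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// NewCA creates the self-signed root of the primary authentication authority.
// Its certificate (the "CA Cert" in the figure) is all a secondary authority
// needs to hold: that copy is the trust relationship.
func NewCA(name string, now time.Time) (*Identity, error) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// Register is the "User Registration / Certificate Issuance" step: the user is
// identified once and receives a 30-day client-authentication certificate.
func (ca *Identity) Register(userID string, serial int64, now time.Time) (*Identity, error) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: userID},
		NotBefore:    now,
		NotAfter:     now.Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.Cert, ca.Key)
}

// Respond is the user's half of a transparent secondary sign-on: sign the
// secondary authority's fresh challenge with the private key.
func (u *Identity) Respond(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, u.Key, h[:])
}

// VerifySignOn is the secondary authority's half: chain the presented
// certificate to the trusted CA cert (validity and client-auth usage included),
// then check the signature over the challenge it issued. It returns the
// authenticated user ID; no password is involved anywhere.
func VerifySignOn(caCert, userCert *x509.Certificate, challenge, sig []byte, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := userCert.Verify(opts); err != nil {
		return "", err // wrong CA, expired, or wrong key usage
	}
	pub, ok := userCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected public key type")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("challenge signature invalid") // replay or wrong private key
	}
	return userCert.Subject.CommonName, nil
}
```

The secondary authority stores nothing about the user beyond the CA certificate, which is what makes this a single-credential-set design: revocation and renewal are handled at the CA, and the challenge must be fresh per sign-on or a captured signature can be replayed.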
page 16
Complex SSO Solutions: Multiple Credential Set: Password Sync
[Figure: the User still performs a Primary Sign-On with the Primary Authentication Authority and separate Secondary Sign-On(s) with each Secondary Authentication Authority, each issuing its own token (Tok), but the same ID/PW works everywhere because Sync Software on both sides performs Credential Synchronization between the Primary Credential Database and the Secondary Credential Database. Each authority keeps its own Account and Credential Management; the synchronization channel is the only Trust relationship.]
Examples: PassGo, PSynch, MetaDirectories, Provisioning software
page 17
Complex SSO Solutions: Multiple Credential Set: Client-side Caching
[Figure: the User performs a Primary Sign-On (ID/PW) with the Primary Authentication Authority and its Primary Credential Database. A Secure Client-Side Credential Cache on the user's machine holds the PW for each secondary system; Transparent Secondary Sign-On(s) Using Cached Credentials replay those ID/PW pairs to each Secondary Authentication Authority, which checks its own Secondary Credential Database and issues its own token (Tok). Each authority keeps its own Account and Credential Management.]
Examples: Windows XP and Windows.NET, Identix Biologon, Entrust Entelligence
page 18
Complex SSO Solutions: Multiple Credential Set: Server-side Cache
[Figure: after the User's Primary Sign-On (ID/PW) with the Primary Authentication Authority, the SSO client sends a Request for Secondary Credentials; the Primary Credential Database holds the Credentials for each Secondary Authentication Authority and returns them. Transparent Secondary Sign-On(s) Using Credentials Returned from the Primary Authentication Authority's Database then replay those ID/PW pairs to each Secondary Authentication Authority, which checks its own Secondary Credential Database and issues its own token (Tok). Each authority keeps its own Account and Credential Management; Trust exists only between the user and the primary authority.]
Examples: Tivoli SecureWay SSO, CA eTrust SSO
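The client-side and server-side caching slides above share one mechanism: the user's secondary ID/PW pairs are stored in encrypted form and replayed to an unchanged secondary authority once the primary sign-on has succeeded. The added example below (not from the presentation or from the products it names) models that store as a CredentialCache used by both designs; in the client-side design the cache and its key live with the user, in the server-side design they live in the primary authority's database, and the code is the same. The AES-GCM construction, the mainframe target, the key handling and the sample credentials are assumptions made for the illustration. The primary sign-on itself is assumed to have already happened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"io"
	"strings"
)

// SecondaryAuthority is an unchanged legacy system: it only understands its
// own ID/PW pairs and has no trust relationship with the primary authority.
type SecondaryAuthority struct {
	Name  string
	Creds map[string]string // ID -> PW; constructed sample data, plaintext for brevity
}

func (s *SecondaryAuthority) SignOn(id, pw string) bool {
	stored, ok := s.Creds[id]
	return ok && subtle.ConstantTimeCompare([]byte(stored), []byte(pw)) == 1
}

// SecondaryCred is one secondary ID/PW pair belonging to a primary user.
type SecondaryCred struct{ ID, PW string }

// CredentialCache stores secondary credentials encrypted with AES-GCM. Each
// entry is bound to (primary user, secondary authority) through the AEAD's
// associated data, so a blob cannot be moved between users or targets.
// The same type models the Secure Client-Side Credential Cache and the
// server-side cache in the primary authority's database; what differs is
// where the key and the store live, and therefore who can decrypt everything.
type CredentialCache struct {
	aead    cipher.AEAD
	Entries map[string][]byte // CacheKey -> nonce || ciphertext || tag
}

// NewCredentialCache takes a 16-, 24- or 32-byte AES key.
func NewCredentialCache(key []byte) (*CredentialCache, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CredentialCache{aead: aead, Entries: map[string][]byte{}}, nil
}

// CacheKey names one (primary user, secondary authority) slot.
func CacheKey(primaryID, secondary string) string { return primaryID + "\x00" + secondary }

// Put is the enrolment step: the secondary credential is registered under the
// primary identity, by Account and Credential Management or by the user on first use.
func (c *CredentialCache) Put(primaryID, secondary string, cred SecondaryCred) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	k := CacheKey(primaryID, secondary)
	plain := []byte(cred.ID + "\x00" + cred.PW)
	c.Entries[k] = c.aead.Seal(nonce, nonce, plain, []byte(k))
	return nil
}

// Get decrypts one entry. Tampering with the blob, or a mismatch between the
// requested (user, target) and the one it was sealed for, fails authentication.
func (c *CredentialCache) Get(primaryID, secondary string) (SecondaryCred, error) {
	k := CacheKey(primaryID, secondary)
	blob, ok := c.Entries[k]
	if !ok {
		return SecondaryCred{}, errors.New("no cached credential for " + secondary)
	}
	ns := c.aead.NonceSize()
	if len(blob) < ns {
		return SecondaryCred{}, errors.New("corrupt cache entry")
	}
	plain, err := c.aead.Open(nil, blob[:ns], blob[ns:], []byte(k))
	if err != nil {
		return SecondaryCred{}, err
	}
	parts := strings.SplitN(string(plain), "\x00", 2)
	if len(parts) != 2 {
		return SecondaryCred{}, errors.New("corrupt cache entry")
	}
	return SecondaryCred{ID: parts[0], PW: parts[1]}, nil
}

// TransparentSecondarySignOn is what the SSO agent does once the primary
// sign-on has succeeded: fetch the cached secondary credential and replay it
// to the secondary authority on the user's behalf.
func TransparentSecondarySignOn(cache *CredentialCache, primaryID string, target *SecondaryAuthority) (bool, error) {
	cred, err := cache.Get(primaryID, target.Name)
	if err != nil {
		return false, err
	}
	return target.SignOn(cred.ID, cred.PW), nil
}
```

This is the property the token-based and PKI-based designs avoid: whoever holds the cache key holds reversible copies of every secondary password, on one workstation in the client-side case and for the whole user population in the server-side case.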
page 19
SSO Solutions: Pros and Cons (1)
page 20
SSO Solutions: Pros and Cons (2)
page 21
SSO Solutions: Pros and Cons (3)
page 22
Agenda
• Trusted Security Infrastructures
• SSO: What and Why?
• SSO Architectures
• Extending SSO
page 23
Extending SSO
• To cover different organizations
  • Scope: Extranet and Internet
  • Federation
• To cover different applications
  • Scope: Intranet
  • Authentication APIs
page 24
Defining Federation
“The use of agreements, standards, and technologies to make identity and entitlements portable across autonomous identity domains.”
page 25
Extending SSO: Federation
page 26
Extending SSO: Authentication APIs
page 27
Conclusion
• Creating an SSO Infrastructure for a heterogeneous environment is not an easy job
• The creation of SSO Infrastructures is a great opportunity to leverage directory and meta-directory investments
page 28
TSI: Conclusion
[Figure: the Trusted Security Infrastructures (Authent Infra, Access Control Infra, Security Admin) placed against the Access Methods they must serve: Wireless, Remote Access (PPP) with AAA – Radius / Tacacs+, Web (HTTP), and Office – Enterprise (SMB); and against the Apps / Resource Managers, the NOS, Sec Adm and Provisioning, with PKI and EAMS as the enabling technologies.]