
Enterprise Single Sign-On - SSO


Page 1: Enterprise Single Sign-On - SSO

Dipl. Betriebswirt (BA) Oliver Müller, TEQneers GmbH & Co. KG

SSO: Single Sign-On

Saturday, 5 March 2011

Page 2: Enterprise Single Sign-On - SSO


Definition

• Property of access control across multiple related but independent software systems

• One-time authorization process for multiple applications, websites, ...

Page 3: Enterprise Single Sign-On - SSO

Benefits

• Reducing countless logins and passwords

• Reducing the time spent re-logging in

• Reducing IT cost/help desk

• Same level of password security everywhere

• Centralized reporting

• Usually much better passwords

Page 4: Enterprise Single Sign-On - SSO

Criticism

• A stolen credential opens all dungeons

• Infrastructure

• Might be combined with strong authentication (e.g. smart cards)

• Many solutions need very expensive software or hardware

Page 5: Enterprise Single Sign-On - SSO

Issues

• Different apps use different SSO processes

• Impossible to find ONE SSO for all (?)

• Most solutions are unable to cross the intranet barrier

Page 6: Enterprise Single Sign-On - SSO

Solutions

• Kerberos [1983]

• LDAP (slapd, Active Directory, …) [1993]

• NTLM (NT Lan Manager) [2000]

• CAS (Central Authentication Service) [2001]

• PKI (Public Key Infrastructure) [1969]

• SAML [2002]

• ...

Page 7: Enterprise Single Sign-On - SSO

Kerberos

• No easy setup

• Not easy for developers to set up the same environment

• Intranet barrier

• External service provider unable to use SSO

Page 8: Enterprise Single Sign-On - SSO

LDAP / AD

• SAME sign-on

• Intranet barrier (too much information)

• External service provider unable to use SSO

• Easy to implement

• Nice to sync user data

Page 9: Enterprise Single Sign-On - SSO

```php
// using ldap bind
$ldaprdn  = 'uname';     // ldap rdn or dn
$ldappass = 'password';  // associated password

// connect to ldap server
$ldapconn = ldap_connect("ldap.example.com")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {
    // an empty password makes ldap_bind perform an anonymous bind, which
    // succeeds without checking the user at all: reject it before binding
    if ($ldappass === '') {
        die("LOGIN failed...");
    }

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LOGIN successful...";
    } else {
        echo "LOGIN failed...";
    }
}
```

Page 10: Enterprise Single Sign-On - SSO

NTLM

• Intranet barrier

• External service provider unable to use SSO

• Based on Windows logon and Kerberos

• Compatibility issues (more or less Microsoft territory: Windows, IIS, IE)

• Easy to implement for developers

Page 11: Enterprise Single Sign-On - SSO

```php
// read a security buffer (len u16, maxlen u16, offset u32) from an NTLM
// Type 3 message and return the payload bytes it points at
function get_msg_str($msg, $start, $unicode = true) {
    $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
    $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
    if ($off + $len > strlen($msg)) {
        return '';   // client-supplied offset points outside the message
    }
    $str = substr($msg, $off, $len);
    if ($unicode) {
        // strings are UTF-16LE when the client negotiated Unicode
        return mb_convert_encoding($str, 'UTF-8', 'UTF-16LE');
    }
    return $str;
}

// "NTLM <base64>" from the Authorization header (assumed source of $auth)
$auth = $_SERVER['HTTP_AUTHORIZATION'];
$msg  = base64_decode(substr($auth, 5));

// security-buffer descriptors of the Type 3 message:
// domain at 28, user name at 36, workstation at 44
$user        = get_msg_str($msg, 36);
$domain      = get_msg_str($msg, 28);
$workstation = get_msg_str($msg, 44);

// these values are what the client claims; they are only trustworthy once the
// NTLM response in the same message has been validated (e.g. by the domain controller)
print "You are $user from $domain/$workstation";
```
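As an added example (not code from the slides, and written in Python rather than the deck's PHP so the parsing logic stands on its own), here is the same Type 3 parsing with the checks the PHP helper omits: the NTLMSSP signature and message type are verified, every security buffer is bounds-checked before it is read, and the negotiated Unicode flag decides the string encoding. The field offsets are the ones the slide uses; build_type3 constructs a sample message with placeholder responses so the parser can be exercised offline, and corrupt_user_offset shows what the bounds check catches. As with the PHP, the decoded names remain a client claim until the NTLM response is validated.

```python
import base64
import struct

# Security-buffer descriptors of an NTLM Type 3 (AUTHENTICATE) message.
# Each descriptor is len (u16), maxlen (u16), offset (u32); the offsets
# are the same ones the PHP helper on the slide reads.
TYPE3_FIELDS = {
    "lm_response": 12,
    "nt_response": 20,
    "domain": 28,
    "user": 36,
    "workstation": 44,
}
FLAGS_OFFSET = 60
HEADER_LEN = 64                 # fixed part without the optional Version/MIC
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when this flag is set


def read_field(msg: bytes, start: int) -> bytes:
    """Return the bytes a descriptor points at, refusing offsets outside the message."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, start)
    if offset + length > len(msg):
        raise ValueError("descriptor at %d points outside the message" % start)
    return msg[offset:offset + length]


def parse_type3(auth_header: str) -> dict:
    """Parse an 'NTLM <base64>' Authorization header value into its named fields.

    The strings returned are what the client put in the message: a claim,
    not an authenticated identity, until nt_response has been validated.
    """
    scheme, _, b64 = auth_header.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(b64)
    if len(msg) < HEADER_LEN or msg[:8] != b"NTLMSSP\0":
        raise ValueError("too short or missing NTLMSSP signature")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type 3 message")
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET)[0]
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    fields = {}
    for name, start in TYPE3_FIELDS.items():
        raw = read_field(msg, start)
        fields[name] = raw if name.endswith("_response") else raw.decode(encoding)
    return fields


def build_type3(domain: str, user: str, workstation: str, unicode: bool = True) -> str:
    """Construct a minimal Type 3 header value (constructed sample, placeholder responses)."""
    encoding = "utf-16-le" if unicode else "ascii"
    items = [b"\0" * 24, b"\0" * 24,                 # LM / NT responses (placeholders)
             domain.encode(encoding), user.encode(encoding),
             workstation.encode(encoding), b""]       # session key absent
    header = bytearray(b"NTLMSSP\0" + struct.pack("<I", 3))
    offset = HEADER_LEN
    for item in items:
        header += struct.pack("<HHI", len(item), len(item), offset)
        offset += len(item)
    header += struct.pack("<I", NEGOTIATE_UNICODE if unicode else 0)
    return "NTLM " + base64.b64encode(bytes(header) + b"".join(items)).decode("ascii")


def corrupt_user_offset(auth_header: str) -> str:
    """Point the user descriptor past the end of the message, to exercise the bounds check."""
    raw = bytearray(base64.b64decode(auth_header[5:]))
    struct.pack_into("<HHI", raw, TYPE3_FIELDS["user"], 64, 64, len(raw) + 1000)
    return "NTLM " + base64.b64encode(bytes(raw)).decode("ascii")


def is_well_formed(auth_header: str) -> bool:
    """True when the header parses cleanly, False for anything the checks reject."""
    try:
        parse_type3(auth_header)
        return True
    except ValueError:
        return False
```

The length and offset fields come from the client, so a parser that reads them without comparing against the message length can be made to read beyond the buffer; the `read_field` check is the one line that matters there.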

Page 12: Enterprise Single Sign-On - SSO

Central Authentication Service (CAS)

• Token/ticket based authentication

• Developed by Yale University

• phpCAS open source implementation

• Made for web only

• Common in education environments

Page 13: Enterprise Single Sign-On - SSO

```php
include_once('CAS.php');

// initialize phpCAS
phpCAS::client(CAS_VERSION_2_0, 'sso-cas.home.com', 443, '');

// no SSL validation for the CAS server (demo setup only: in production point
// phpCAS::setCasServerCACert() at the CA so the CAS server's certificate is verified)
phpCAS::setNoCasServerValidation();

// force CAS authentication
phpCAS::forceAuthentication();

// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().

// logout if desired
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}

echo "LOGIN successful...";
```

Page 14: Enterprise Single Sign-On - SSO

Public Key Infrastructure (PKI)

• X.509 certificate-based authentication

• It's about what-you-have (client certificate), not what-you-know (password)

• Often used with smart cards (e.g. employee ID)

• Made for Web, SSH, OS login, ...

• Common in enterprise and government solutions

Page 15: Enterprise Single Sign-On - SSO

### PHP

```php
$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);

// allowed certificate subjects (example list)
$allowedLogins = array('Oliver');

// verify login: mod_ssl only sets SSL_CLIENT_VERIFY to SUCCESS when the
// certificate chained to a trusted CA, so check that before trusting the CN
// (openssl_x509_parse() returns the subject keys in upper case, e.g. 'CN')
if ($_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS'
    && in_array($cert['subject']['CN'], $allowedLogins, true)) {
    echo "LOGIN successful...";
} else {
    echo "LOGIN failed...";
}
```

### Apache configuration or .htaccess

```apache
SSLVerifyClient require
SSLRequireSSL
SSLVerifyDepth 1
```

var_dump($cert) output:

```
array(12) {
  ["name"]=> string(75) "/C=DE/O=TEQneers/OU=Dev/CN=Oliver/[email protected]"
  ["subject"]=> array(6) {
    ["C"]=> string(2) "DE"
    ["O"]=> string(10) "TEQneers"
    ["OU"]=> string(10) "Dev"
    ["CN"]=> string(8) "Oliver"
    ["emailAddress"]=> string(10) "[email protected]"
  }
  ["hash"]=> string(8) "123abc45"
  ["issuer"]=> array(7) { ... }
  ["version"]=> int(2)
  ["serialNumber"]=> string(1) "987"
  ["validFrom"]=> string(13) "110131143055Z"
  ["validTo"]=> string(13) "130130142954Z"
  ...
}
```
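The PHP on this slide trusts whatever CN the certificate carries. As an added example (not the slide's code, and in Python rather than PHP so the logic stands alone), here is the same allow-list check with the two guards a practitioner adds: the request is rejected unless mod_ssl reports SSL_CLIENT_VERIFY=SUCCESS, and the issuer DN is pinned to the CA that is supposed to issue login certificates, since any CA in the trust store could otherwise mint a matching CN. The SSL_* names are real mod_ssl environment variables; SAMPLE_ENV and its DN values are constructed for the example.

```python
# Constructed mod_ssl environment as PHP would see it in $_SERVER.
# The variable names are real mod_ssl names; the values are made up here.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=DE/O=TEQneers/OU=Dev/CN=Oliver",
    "SSL_CLIENT_S_DN_CN": "Oliver",
    "SSL_CLIENT_I_DN": "/C=DE/O=TEQneers/CN=TEQneers Dev CA",
}


def parse_dn(dn: str) -> dict:
    """Split a mod_ssl slash-separated DN ('/C=DE/O=...') into its attributes."""
    attrs = {}
    for comp in dn.split("/"):
        key, sep, value = comp.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def authorize_client_cert(env: dict, allowed_cns, trusted_issuer_dn: str):
    """Return the login name if the presented certificate may log in, else None."""
    # 1. the chain must have verified: with 'SSLVerifyClient optional' a request
    #    can arrive with a certificate that failed verification, or with none
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # 2. pin the issuer: the allow-list is only meaningful relative to the CA
    #    that is supposed to issue login certificates
    if env.get("SSL_CLIENT_I_DN") != trusted_issuer_dn:
        return None
    # 3. take the CN from the dedicated variable when mod_ssl provides it; the
    #    slash-split fallback is for older setups and breaks on '/' inside values
    cn = env.get("SSL_CLIENT_S_DN_CN") or parse_dn(env.get("SSL_CLIENT_S_DN", "")).get("CN")
    return cn if cn in allowed_cns else None
```

With `SSLVerifyClient require` in place the first guard is redundant, but keeping it in the application means a later relaxation of the Apache configuration to `optional` does not silently turn the CN check into a self-declared login.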

Page 16: Enterprise Single Sign-On - SSO

SAML

• Security Assertion Markup Language

• Defined by OASIS

• Made for internet and extranet sites

• Credentials/Information can be configured

• Open (based on XML, SOAP, HTTP, ...)

Page 17: Enterprise Single Sign-On - SSO

SAML Parties

• Client (browser)

• Web application

• Service Provider (SAML client)

• Identity Provider (enterprise federation server)

Page 18: Enterprise Single Sign-On - SSO

Service Provider

• self-made

• simpleSAMLphp (open source PHP solution)

• PingConnect (PHP, Perl, Java, …)

• ...

Page 19: Enterprise Single Sign-On - SSO

Page 20: Enterprise Single Sign-On - SSO

• user enters URL https://app.com/saml.php

• user without a valid SAML assertion is forwarded to the service provider

• browser asks the service provider for an XML assertion

• XML assertion request form is sent back to the browser

• browser forwards the assertion request form to the identity provider

• IF NOT LOGGED IN YET

  • identity provider asks the user to log into the enterprise network

  • user enters login/password and sends it back to the identity provider

• client receives an XML assertion and cookie signed by the identity provider

• XML assertion is sent to the service provider, which validates the assertion

• if the assertion is valid, the user is pushed back to the initial URL

• assertion is checked and the user is looked up in your app

• if the user exists, the app start page appears; otherwise the app might show the standard login page

Page 21: Enterprise Single Sign-On - SSO

```php
// Load simpleSAMLphp configuration and session.
$config  = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

// Check if a valid local session exists.
if (!$session->isValid('saml2')) {
    // Redirect to the IdP for authentication.
    SimpleSAML_Utilities::redirect(
        '/' . $config->getBaseURL() . 'saml2/sp/initSSO.php',
        array('RelayState' => SimpleSAML_Utilities::selfURL())
    );
}

// successful authentication: attributes released by the IdP
$attributes = $session->getAttributes();
print_r($attributes); // might print out email or login
```

Page 22: Enterprise Single Sign-On - SSO

```xml
<saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z"
    Issuer="TransactionMinderSAMLIssuer" MajorVersion="1" MinorVersion="0"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-10-08T20:16:12.307Z" NotOnOrAfter="2008-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2008-10-08T20:16:12.307Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0" NameQualifier="Domain Name">Claire Wasser</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>http://www</saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>R1VD8fkkvlrhp</saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
```
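The flow on page 20 ends with the service provider validating the assertion. The following Python is an added example (not from the slides, and not simpleSAMLphp's code) of the checks an SP performs on an assertion like the one above after its XML signature has been verified by the SP library: the Issuer must be the expected identity provider, the Conditions time window must contain the current time (with a small clock-skew allowance), and an AssertionID seen before is a replay. SAMPLE_ASSERTION is the slide's assertion with its attribute typos corrected; the skew value and the timestamps used to exercise it are chosen for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: the assertion from the slide, attribute typos fixed.
SAMPLE_ASSERTION = """<saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z"
    Issuer="TransactionMinderSAMLIssuer" MajorVersion="1" MinorVersion="0"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-10-08T20:16:12.307Z" NotOnOrAfter="2008-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2008-10-08T20:16:12.307Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0"
          NameQualifier="Domain Name">Claire Wasser</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_utc(ts: str) -> datetime:
    """Parse the UTC timestamps SAML uses, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable SAML timestamp: " + ts)


def validate_assertion(xml_text, expected_issuer, now, seen_ids, skew=timedelta(seconds=60)):
    """Service-provider checks on an assertion whose XML signature already verified.

    Returns (subject, reason): the NameIdentifier text and "ok" on success,
    otherwise None and the reason for rejection. seen_ids is the SP's store of
    accepted AssertionIDs and is updated on success.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return None, "not a SAML assertion"
    # only assertions from the configured IdP count, whoever signed them
    if root.get("Issuer") != expected_issuer:
        return None, "unexpected issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "missing Conditions"
    not_before = parse_utc(cond.get("NotBefore"))
    not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
    # the window is the IdP's clock; allow a little skew against the SP's
    if now + skew < not_before:
        return None, "assertion not yet valid"
    if now - skew >= not_on_or_after:
        return None, "assertion expired"
    assertion_id = root.get("AssertionID")
    if assertion_id in seen_ids:
        return None, "assertion replayed"
    name_id = root.find(".//saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not name_id.text:
        return None, "no subject"
    seen_ids.add(assertion_id)
    return name_id.text, "ok"
```

The replay store only needs to remember IDs until their NotOnOrAfter has passed, because the time-window check rejects anything older on its own; that keeps the store bounded in a real SP.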

Page 23: Enterprise Single Sign-On - SSO

Identity Server

• Shibboleth IdP (open source)

• PingIdentity

• Oracle Identity Server

• SAP NetWeaver

• Sun OpenSSO / ForgeRock OpenAM

• IBM

• Microsoft Geneva

Page 24: Enterprise Single Sign-On - SSO

One size does fit all

• Most federation solutions support many different SSO technologies

• Most are based on some kind of LDAP backend

Page 25: Enterprise Single Sign-On - SSO

Thanks for listening. Contact me if you have any questions.

email: [email protected] / [email protected]

phone: +49 (711) 46 97 28-82

Have Fun!
