
Single Sign-On 101: Beyond the Hype


Page 1: Single Sign-On 101:  Beyond the Hype

Single Sign-On 101: Beyond the Hype

What SSO Can and Can’t Do For Your Business


BlackHat Briefings Diana Kelley & Ian Poynter 2

Outline

• Definitions

• Business Requirements

• SSO Technologies

• Authentication Methods

• SSO Case Studies


Definition

• Single Sign-On
  – Fantasy
    • One Password For Everything!
  – Reality
    • Most Systems And Applications Already Have Their Proprietary Login Functionality
    • Reduced Logins For Discrete Systems
      – Corporate Systems
      – Shared Intranet/Web Applications
      – Web Logon Aggregators


Business Requirements

• Is There A Problem Here?
  – Mushrooming Passwords
  – Need For Re-use
  – “Sticky Note” Password Cache
  – Unencrypted Text Files On Laptops and PDAs


Business Requirements

• Deceptively Intuitive
  – Reduce Costs
  – Increase Security
  – Increase Efficiency
  – Increase Convenience
  – My Boss Told Me I Have To


Business Requirements

• Be Honest About the Cost / Benefit Analysis
  – Use Hard Numbers
    • What Does it Cost to Reset a Password?
    • How Much Time is Spent Logging into Multiple Systems Each Morning?
    • What is The Real Cost of Integration?
    • Will Additional Authentication Methods Need to be Purchased?


Business Requirements

• Be Honest About the Cost / Benefit Analysis
  – Don’t Forget the Ease of Use Factor
    • Consider Training for Administrators and All Users
  – QA and Versioning Can Increase TCO


Business Requirements

• Think About the Inside and the Outside
  – Multiple User Populations Can Increase Costs
  – Tiered Authentication Levels
  – At a Minimum Need Secure Password Selection Training for Everyone


Business Risks

• Single Point of Failure
  – Denial of Service/Lack of Availability

• Stolen Credentials via Insecure Implementations

• Overly Ambitious Projects
  – Physical and Network
  – Complicated Procedures

• n-factor Authentication
  – Square Pegs in Round Holes


Business Risks

• Failure to Consider the Legacy
  – OS/390, AS/400, Custom Client/Server Applications, RADIUS

• Failure to Consider Regulatory Requirements
  – Financial Services and GLBA
  – Health Care and HIPAA
  – Content Providers and COPPA
  – International Businesses and EU DPD


Authentication Methods

• Declaring and Proving Who or What You Are

• Sure, Signing on Once, but What With?

• Becomes an Even Larger Question with SSO Because More Systems are Involved


Authentication Methods

• Have, Know, Are
  – Tokens, Passwords, Fingerprints

• Single vs. Multi


Authentication Methods

• Passwords

• One Time Passwords

• Tokens and SmartCards

• PKI

• Digital / Machine Fingerprints

• Biometrics


Authentication Protocols and Technologies

• Dial-In Users and Wireless (802.1x)
  – RADIUS

• S/390 Mainframes
  – RACF, ACF2, CA Top-Secret

• Unix
  – PAMs (Pluggable Authentication Modules)

• Windows
  – GINA, Kerberos, NTLM


SSO Technologies

• Traditional Single Sign-On

• Password Synchronization

• Authentication Platforms

• Web Logon Aggregators

• NB: Convergence Between Traditional SSO and Authentication Platforms


SSO Technologies

• Traditional Single Sign-On
  – Allows a User to Login Once, Using a Single Authentication Method to Gain Access to Multiple Hosts and / or Applications
  – May Also Provide Access Control / Authorization Features
    • Authorization policies restrict which applications or systems a user has access to
    • And what the user can and can’t do on these applications and systems


SSO Technologies

• Traditional Single Sign-On

• Not an Entirely New Concept
  – Kerberos and Kerberized
  – RADIUS and Radiized


Traditional SSO: How It Works

• Authenticate Once To Access Many

• Login Credentials (ID And Authentication) Usually Stored Locally

• Transparently Presented to the System or Application When Needed


Traditional SSO: How It Works

• Single Credential for All Systems
  – Kerberos Model

• Multiple Credentials
  – Required for Most Heterogeneous Environments


Traditional SSO: How It Works

• APIs And DLLs
  – Write the SSO Authentication into Each Application or System (compare to: Radiized)
  – Or Use Replacement DLLs

• Scripts
  – Pieces of Code on the Client That Manage the Login Procedure to Multiple Systems

• Cookies
  – For Web Applications Only


Traditional SSO: Pros and Cons

• Pros
  – Very Easy to Use
  – Reduces Support Costs
  – Reduces Logon Cycles

• Cons
  – Integration of Legacy Can Be Expensive and Time Consuming
  – Single Point of Attack
  – Scripting Solutions Often Lead to Storage of Passwords And IDs on the Client


Traditional SSO: Business Fit

• Good Business Fit for
  – Companies That Want to Simplify the User Experience
  – Companies That Need to Reduce the Login Cycle


Traditional SSO: Brand Examples

• IBM/Tivoli Global Sign-On

• Netegrity SiteMinder

• RSA ClearTrust (formerly Securant)


SSO Technologies

• Password Synchronization
  – Manage Passwords Across Platforms and Systems
  – Keeps Same Password So User Only Needs to Remember One
  – When User Changes Her Password, Synchronization Server Automatically Updates User Password on All Available Systems or in the Central Repository Server


Password Synchronization: How It Works

• Distributed
  – Agents Automatically Reset Passwords on Applications and Systems

• Centralized
  – All Authentication Requests Are Forwarded to a Central Server


Password Synchronization: Pros and Cons

• Pros
  – User Has Only One Password to Remember
  – Usually Fairly Easy to Implement
  – Help Desk Can Reset Passwords to All Systems From Single Console

• Cons
  – Does Not Reduce the Number of Logons
  – Only Supports Password Authentication


Password Synchronization: Business Fit

• Good Business Fit for
  – Companies That Only Use Password Authentication
  – Companies That Don’t Need to Reduce the Login Cycle


Password Synchronization: Brand Examples

• PassGo, InSync (formerly Axent/Symantec)

• Courion, Password Courier


SSO Technologies

• Authentication Platforms
  – Provide a Central Point of Management for Multiple Authentication Schemes
  – Users Authenticate To A Gateway Using Any Combination of Authentication Methods
    • Smartcards, PKI, Biometrics etc.
  – Supports Multi-layer Authentication Policies


Authentication Platforms: How It Works

• Abstracts the Authentication Layer to an Authentication Gateway

• All Users Login to this Gateway

• Gateway Determines Level / Type of Authentication that is Required
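The gateway decision described above, as an added illustration that is not code from the deck or from any product it names: a small Python policy check that maps the deck's have / know / are categories onto a tiered policy and reports what step-up the gateway would require. Resource tiers, method names and the policy table are constructed assumptions.

```python
# Added example, not from the Black Hat deck or any product it names:
# an authentication-gateway policy check using the deck's
# have / know / are categories. Methods, tiers and policy are constructed.
from dataclasses import dataclass
from typing import Iterable, Tuple

# Category of each concrete method the deck lists (have / know / are).
FACTOR_CATEGORY = {
    "password": "know",
    "otp_token": "have",
    "smartcard": "have",
    "pki_cert": "have",
    "fingerprint": "are",
}


@dataclass(frozen=True)
class TierPolicy:
    # Distinct categories required; two methods of one category
    # (password + PIN) still count as a single factor.
    min_distinct_categories: int
    required_categories: frozenset = frozenset()


# Tiered policy table (constructed): the gateway looks up the resource
# tier and decides what level / type of authentication is required.
POLICY = {
    "intranet": TierPolicy(1),
    "hr_records": TierPolicy(2),
    "payment_system": TierPolicy(2, frozenset({"have"})),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    # Step-up the gateway would ask for; empty when access is allowed.
    missing: Tuple[str, ...] = ()


def evaluate(resource: str, presented: Iterable[str]) -> Decision:
    """Check already-verified methods against the resource tier policy."""
    policy = POLICY.get(resource)
    if policy is None:                       # fail closed on unknown tiers
        return Decision(False, ("unknown-resource",))
    # Unknown method names are ignored rather than counted as a factor.
    categories = {FACTOR_CATEGORY[m] for m in presented if m in FACTOR_CATEGORY}
    missing = sorted(policy.required_categories - categories)
    shortfall = policy.min_distinct_categories - len(categories) - len(missing)
    missing += ["any-other"] * max(shortfall, 0)
    return Decision(not missing, tuple(missing))
```

The `missing` tuple is what a gateway would turn into a step-up prompt; a deployment would also log every denial, since the gateway is the single point of attack the deck warns about.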


Authentication Platforms: Pros and Cons

• Pros
  – Eases Integration With Abstracted Authentication Layer
  – Support for Most Authentication Factors

• Cons
  – Does Not Reduce Number of Logins, Unless SSO is Embedded in the Authentication Platform
  – Single Point of Attack / Failure
    • Denial of Service


Authentication Platforms: Business Fit

• Good Business Fit for
  – Enterprises with Hierarchical, Complex Authentication Requirements
  – Companies using N-factor Authentication Solutions
  – Organizations with Regulated Security / Privacy Requirements
    • Financial Institutions, HealthCare, Government Agencies


Authentication Platforms: Brand Examples

• Bionetrix Authentication Server

• Novell Modular Authentication Service (NMAS)

• ActivCard (formerly Ankari)
  – Trinity Server with SSO Functionality


SSO Technologies

• Web Logon Aggregators
  – One Login, Access Multiple Sites
  – User Logs into Aggregator Software or Site at Beginning of Session
  – All Subsequent Logins to Web Sites Visited Are Handled Transparently


Web Logon Aggregators: How It Works

• Credentials Are Cached Either
  – Locally via Cookies
  – On Server via State Mechanism

• Automatically Presented to Sites as Needed


Web Logon Aggregators: Pros and Cons

• Pros
  – Ease of Use
  – Streamlines Web Experience

• Cons
  – Web Only
  – Sites May Need to Opt In
  – Outsources Trust to 3rd Party
  – Loss of Control


Web Logon Aggregators: Business Fit

• Good Business Fit for
  – Companies Providing Web Interfaces to Customers or Employees
  – Home Users Who Want to Streamline Their Web Experience


Web Logon Aggregators: Brand Examples

• .NET / Passport

• Liberty Alliance (in process)

• Yodlee
  – Account Aggregator