Single Sign-On


Vijay Kumar, CISSP

Agenda

- What is Single Sign-On (SSO)
- Advantages of SSO
- Types of SSO
- Examples
- Case Study
- Summary

What is SSO

Single sign-on is a user/session authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session.

Advantages

- Reduced operational cost
- Reduced time to access data, e.g. ER
- Improved user experience: no password lists to carry
- Advanced security for systems
  - Strong authentication
  - One Time Password devices
  - Smartcards
- Eases the burden on developers
- Centralized management of users and roles
- Fine-grained auditing
- Effective compliance (SOX, HIPAA)

Identity Management

Encompasses:
- directory services
- authentication and authorization services
- certificate authorities
- administration consoles
- single sign-on
- provisioning services

Types of SSO

- Password Synchronization
- Legacy SSO (Employee/Enterprise SSO)
- Web Access Management (WAM)
- Cross Domain (realm) SSO
- Federated SSO

Password Synchronization

- A process that coordinates passwords across multiple computers, devices and/or applications
- Each computer, device and application still authenticates, but behind the scenes
- Products: M-Tech's P-Synch, SecurePass, SAM Pass Synch

eSSO

- Aka Enterprise or Employee SSO
- After primary authentication, it intercepts further login prompts and fills them in for you
- Learns as you use different apps
- Screen scraping

Two Types of eSSO

- Script based
  - Write a script that takes the target application's credentials and launches the application
  - Requires modification of desktop icons
- Application wizard based
  - Runs a service on the client that continually monitors the workstation for login dialog boxes
  - Event based, cheaper, and easier to deploy

What to Look For in eSSO Products

- Cost
- Usability
- Functionality
- Application enablers
- Encryption
- Integration with OS authentication
- OS security
- Multiple directories support
- Password policy enforcement
- Backup and disaster recovery
- Maintenance and support

eSSO Products

- Citrix Password Manager
- Imprivata eSSO appliance
- PassLogix (big in Healthcare)
- Novell SecureLogin
- Microsoft Windows Server

Citrix Password Manager

- Installs on Citrix clients or Windows server
- Self-service password reset and account unlock
- Hot-swappable desktop (unlike Windows or Novell)
- Integrated with user provisioning software
- LDAP-based storage of credentials
- Multifactor authentication support

Basic Web SSO (WAM)

- Browser-based applications
- Cookie support is required
- Single sign-on to applications deployed on a single web server (domain)

Cross Domain SSO

- Multiple realms that manage user credentials
- A user authenticated in one realm gets signed on to an application using another realm, typically within the same enterprise

Novell SecureLogin

- True SSO for Web applications, Windows hosts (Windows Application Server) and legacy (client/server) applications
- Multiple identities and password policies stored in eDir in encrypted form
- Novell client is installed on each workstation; the user can access apps from any workstation
- Optionally cache credentials on the workstation
- Transparent password expirations and resets

Products

- Novell SecureLogin
- Sun Java System Access Manager
- Oblix (Oracle)

Federated SSO

- Extends SSO across enterprises
- Liberty Alliance, OASIS, IBM/Microsoft
- Advantages
  - Establishment of trusted partnerships
  - New revenue opportunities
  - New, efficient and productive business models
- Why is this hard to implement?

SAML (OASIS)

- Liberty Alliance builds federated identity on top of SAML
- Liberty model for federated SSO

ACEGI Security

- Open source
- Enterprise solution: authentication, authorization
- Instance-based access control, channel security
- Human user detection capabilities
- Seamless integration with the Spring Framework
- SSO via Central Authentication Service (CAS)

JA-SIG Central Authentication Service (CAS)

- Open source

Microsoft

- Windows Server 2003 R2 adds Active Directory Federation Services (ADFS)
  - Web services based SSO
  - Use Active Directory in non-Windows environments
  - ADFS provides federated SSO based on WS-*
- Microsoft Identity Integration Server 2003
  - SSO and account management features
  - "Agents" that handle protocol translation between Active Directory
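The Cross Domain SSO slide and the federated SSO slides (SAML, Liberty, ADFS) all reduce to one exchange: the realm that authenticated the user (the identity provider) hands the browser a signed assertion, and the receiving realm (the service provider) accepts that assertion instead of prompting for a password. The Python below is an added example, not code from this presentation or from any SAML, Liberty or ADFS implementation. It uses a JSON assertion signed with a shared HMAC key (assumption: the two realms exchanged the key out of band; SAML would instead use the identity provider's signing certificate) and shows the checks a service provider has to make before trusting an assertion: signature, issuer, audience, validity window and replay. The realm URLs, the user `alice` and the fixed clock are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption for this example: realm A and realm B share an HMAC key agreed
# out of band. In SAML the equivalent is the IdP signing certificate the SP holds.
SHARED_KEY = b"example-shared-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Realm A: has authenticated the user and vouches for that fact."""

    def __init__(self, issuer: str, key: bytes, lifetime: int = 300):
        self.issuer, self.key, self.lifetime = issuer, key, lifetime

    def issue(self, subject: str, audience: str, now: Optional[float] = None) -> str:
        """Return a signed assertion 'payload.signature' for one target realm."""
        now = int(time.time() if now is None else now)
        body = {
            "id": secrets.token_hex(16),  # unique per assertion, so replays can be spotted
            "iss": self.issuer,
            "sub": subject,
            "aud": audience,              # only this realm may accept the assertion
            "iat": now,
            "exp": now + self.lifetime,   # short-lived: it only has to survive one redirect
        }
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        return f"{payload}.{_b64(sig)}"


class ServiceProvider:
    """Realm B: accepts assertions instead of prompting for a password."""

    def __init__(self, name: str, trusted_issuer: str, key: bytes, skew: int = 60):
        self.name, self.trusted_issuer, self.key, self.skew = name, trusted_issuer, key, skew
        self.seen_ids: set = set()  # replay cache; a real SP would expire entries at 'exp'

    def validate(self, assertion: str, now: Optional[float] = None) -> tuple:
        """Return (True, subject) or (False, reason). The signature is checked
        first, so no field from an unauthenticated payload drives a later check."""
        now = time.time() if now is None else now
        try:
            payload, sig = assertion.split(".")
            expected = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return False, "bad signature"
            body = json.loads(_unb64(payload))
        except ValueError:  # wrong number of parts, bad base64 padding, or bad JSON
            return False, "malformed"
        if body.get("iss") != self.trusted_issuer:
            return False, "untrusted issuer"
        if body.get("aud") != self.name:
            return False, "wrong audience"
        if body["iat"] > now + self.skew:
            return False, "not yet valid"
        if body["exp"] < now - self.skew:
            return False, "expired"
        if body["id"] in self.seen_ids:
            return False, "replayed"
        self.seen_ids.add(body["id"])
        return True, body["sub"]


def demo() -> list:
    """One legitimate sign-on, then the misuse each check is there to stop."""
    idp = IdentityProvider("https://idp.realm-a.example", SHARED_KEY)
    sp = ServiceProvider("https://app.realm-b.example", "https://idp.realm-a.example", SHARED_KEY)
    other = ServiceProvider("https://crm.realm-c.example", "https://idp.realm-a.example", SHARED_KEY)
    t0 = 1_700_000_000  # fixed clock so the run is deterministic

    token = idp.issue("alice", sp.name, now=t0)
    results = [
        sp.validate(token, now=t0 + 5),     # fresh assertion: accepted as alice
        sp.validate(token, now=t0 + 6),     # same assertion presented again: replay
        other.validate(token, now=t0 + 5),  # issued for realm B, presented to realm C
        sp.validate(idp.issue("alice", sp.name, now=t0), now=t0 + 3600),  # stale
    ]
    # Tampering: change the subject but keep the original signature.
    payload, sig = token.split(".")
    body = json.loads(_unb64(payload))
    body["sub"] = "admin"
    forged = _b64(json.dumps(body, sort_keys=True).encode()) + "." + sig
    results.append(sp.validate(forged, now=t0 + 5))
    return results


if __name__ == "__main__":
    for ok, detail in demo():
        print("accepted" if ok else "rejected", detail)
```

In a real SAML deployment the assertion is XML signed with the identity provider's certificate, but the service provider's obligations map one to one: verify the signature before reading anything else, check the issuer against the trust list, enforce AudienceRestriction, honour NotBefore/NotOnOrAfter with a small clock skew, and refuse an assertion ID that has already been consumed. Skipping the audience check is what lets an assertion meant for one realm be replayed against another.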

Case Study: Federal Aviation Administration

- Requirements:
  - Provide SSO to ~500,000 users
  - Across 5000 airports world-wide
  - >100 web and client/server applications
  - Multiple directories, departments
  - Web services authentication

Summary

- Reduces cost
- Enhances security
- Supports compliance
  - Financial services (FFIEC directive)
  - Healthcare (HIPAA)
- But there are risks:
  - A malicious user gets hold of an unattended desktop
  - Malicious processes/services sign on as you to services that they are not supposed to

References

- Sun Java System Access Manager
- eTrust Secure Sign-On
- Oracle IDM
- IBM Tivoli Access Manager
- Novell SecureLogin
- Citrix Password Manager
- Liberty Alliance
- Yale CAS (Central Authentication Service): integrates well with Spring-based Acegi

Q&A
