SSO
Single Sign-On

TEQneers GmbH & Co. KG    Dipl. Betriebswirt (BA) Oliver Müller
Saturday, 5 March 2011

Definition

• Property of access control across multiple related, but independent, software systems
• One-time authorization process for multiple applications, websites, ...

Benefits

• Reduces countless logins and passwords
• Reduces the time spent re-logging in
• Reduces IT cost/help desk load
• Same level of password security everywhere
• Centralized reporting
• Usually much better passwords

Criticism

• Stolen credentials open all dungeons
• Infrastructure
• Might be combined with strong authentication (e.g. smart cards)
• Many solutions need very expensive software or hardware

Issues

• Different apps use different SSO processes
• Impossible to find ONE SSO for all (?)
• Most solutions are unable to cross the intranet barrier

Solutions

• Kerberos [1983]
• LDAP (slapd, Active Directory, …) [1993]
• NTLM (NT LAN Manager) [2000]
• CAS (Central Authentication Service) [2001]
• PKI (Public Key Infrastructure) [1969]
• SAML [2002]
• ...

Kerberos

• No easy setup
• Not easy for developers to set up the same environment
• Intranet barrier
• External service providers unable to use SSO

LDAP / AD

• SAME sign-on: one set of credentials reused by every app, but the user still logs in to each one
• Intranet barrier (too much information)
• External service providers unable to use SSO
• Easy to implement
• Nice for syncing user data

// using ldap bind
$ldaprdn  = 'uname';     // ldap rdn or dn
$ldappass = 'password';  // associated password

// An empty password turns ldap_bind() into an anonymous/unauthenticated bind,
// which some directories (Active Directory among them) accept, so reject it
// before binding or every username "logs in" with an empty password.
if ($ldappass === '') {
    exit("LOGIN failed...");
}

// connect to ldap server
// (use ldaps:// or ldap_start_tls() so the password is not sent in the clear)
$ldapconn = ldap_connect("ldap.example.com")
  or die("Could not connect to LDAP server.");

if ($ldapconn) {
    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LOGIN successful...";
    } else {
        echo "LOGIN failed...";
    }
}

NTLM

• Intranet barrier
• External service providers unable to use SSO
• Based on Windows logon and Kerberos
• Compatibility issues (more or less Microsoft territory: Windows, IIS, IE)
• Easy to implement for developers

function get_msg_str($msg, $start, $unicode = true) {
    // Each field is an NTLM "security buffer": 16-bit length, 16-bit max length,
    // 32-bit offset. Only the low 16 bits of the offset are read here, which is
    // enough for any real Type 3 message (far below 64 KB).
    $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
    $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
    if ($unicode)
        // Strings are UTF-16LE; dropping the NUL bytes recovers ASCII names only.
        return str_replace("\0", '', substr($msg, $off, $len));
    else
        return substr($msg, $off, $len);
}

// Assumed: the Authorization header ("NTLM <base64 Type 3 message>") is
// exposed to PHP as HTTP_AUTHORIZATION.
$auth = $_SERVER['HTTP_AUTHORIZATION'];
$msg = base64_decode(substr($auth, 5));
$user = get_msg_str($msg, 36);
$domain = get_msg_str($msg, 28);
$workstation = get_msg_str($msg, 44);

// These values are what the client claims; they are not verified until the
// NTLM response in the same message has been validated against the domain.
print "You are $user from $domain/$workstation";
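A stricter version of the Type 3 parsing above, written as an added example in Python rather than the deck's PHP: it checks the NTLMSSP signature and message type, reads each security buffer with bounds checks, and decodes strings by the negotiated Unicode flag instead of stripping NUL bytes. `build_type3` is a constructed sample generator for exercising the parser, not anything from the deck, and the parsed names remain client-asserted until the NTLM response is validated against the domain controller.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
# Security-buffer offsets in a Type 3 (AUTHENTICATE) message, the same ones the
# deck's PHP uses: LM 12, NTLM 20, domain 28, user 36, workstation 44, key 52.
FIELDS = {"domain": 28, "user": 36, "workstation": 44}
FLAGS_OFFSET = 60


def _security_buffer(msg, start):
    """Read one security buffer (u16 length, u16 max length, u32 offset), bounds-checked."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, start)
    if offset + length > len(msg):
        raise ValueError(f"security buffer at {start} points outside the message")
    return msg[offset:offset + length]


def parse_type3(authorization_header):
    """Parse an 'NTLM <base64>' Authorization header carrying a Type 3 message.

    Returns the client-asserted domain/user/workstation. These are claims, not
    proof: the NTLM response still has to be validated against the domain
    controller before the user is treated as logged in.
    """
    scheme, _, b64 = authorization_header.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(b64, validate=True)
    # 64 bytes covers the fixed header up to and including the flags; the
    # shorter pre-NT4 layout without flags is rejected rather than guessed at.
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature or message too short")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 3:
        raise ValueError(f"expected a Type 3 message, got type {msg_type}")
    # The flags say whether strings are UTF-16LE (Unicode) or OEM; the deck's
    # str_replace() trick only works for ASCII names in Unicode mode.
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET)[0]
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {name: _security_buffer(msg, start).decode(encoding)
            for name, start in FIELDS.items()}


def build_type3(domain, user, workstation, unicode=True):
    """Constructed sample: a minimal Type 3 message with empty LM/NTLM responses."""
    encoding = "utf-16-le" if unicode else "latin-1"
    values = [b"", b"", domain.encode(encoding), user.encode(encoding),
              workstation.encode(encoding), b""]
    payload, buffers = b"", b""
    for value in values:
        buffers += struct.pack("<HHI", len(value), len(value), 64 + len(payload))
        payload += value
    flags = NTLMSSP_NEGOTIATE_UNICODE if unicode else 0
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + buffers + struct.pack("<I", flags) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    who = parse_type3(build_type3("TEQNEERS", "oliver", "WS01"))
    print(f"You are {who['user']} from {who['domain']}/{who['workstation']}")
```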


Central Authentication Service (CAS)

• Token/ticket-based authentication
• Developed by Yale University
• phpCAS open source implementation
• Made for the web only
• Common in education environments

include_once('CAS.php');

// initialize phpCAS
phpCAS::client(CAS_VERSION_2_0, 'sso-cas.home.com', 443, '');

// no SSL validation for the CAS server (demo setting; in production pin the
// CA instead with phpCAS::setCasServerCACert('/path/to/ca.pem'))
phpCAS::setNoCasServerValidation();

// force CAS authentication
phpCAS::forceAuthentication();

// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().

// logout if desired
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}

echo "LOGIN successful...";

Public Key Infrastructure (PKI)

• X.509 certificate-based authentication
• It's about what-you-have (client certificate), not what-you-know (password)
• Often used with smart cards (e.g. employee ID)
• Made for web, SSH, OS login, ...
• Common in enterprise and government solutions

### PHP

$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
if ($cert === false) {
    exit("LOGIN failed...");
}

// verify login: mod_ssl has already validated the certificate chain
// (SSLVerifyClient required), so only the subject CN needs matching here
if ( in_array( $cert['subject']['CN'], $allowedLogins, true ) ) {
   echo "LOGIN successful...";
} else {
   echo "LOGIN failed...";
}

### Apache configuration or .htaccess

SSLVerifyClient required
SSLRequireSSL
SSLVerifyDepth 1
# SSL_CLIENT_CERT is only passed to PHP when SSLOptions +ExportCertData is set

### var_dump($cert) (abbreviated)

array(12) {
  ["name"]=> string(75) "/C=DE/O=TEQneers/OU=Dev/CN=Oliver/emailAddress=oliver@php.net"
  ["subject"]=> array(6) {
    ["C"]=> string(2) "DE"
    ["O"]=> string(10) "TEQneers"
    ["OU"]=> string(10) "Dev"
    ["CN"]=> string(8) "Oliver"
    ["emailAddress"]=> string(10) "foo@bar.de"
  }
  ["hash"]=> string(8) "123abc45"
  ["issuer"]=> array(7) {
    ...
  }
  ["version"]=> int(2)
  ["serialNumber"]=> string(1) "987"
  ["validFrom"]=> string(13) "110131143055Z"
  ["validTo"]=> string(13) "130130142954Z"
  ...

SAML

• Security Assertion Markup Language
• Defined by OASIS
• Made for internet and extranet sites
• Credentials/information can be configured
• Open (based on XML, SOAP, HTTP, ...)

SAML Parties

• Client (browser)
• Web application
• Service Provider (SAML client)
• Identity Provider (enterprise federation server)

Service Provider

• self-made
• simpleSAMLphp (open source PHP solution)
• PingConnect (PHP, Perl, Java, …)
• ...

• user enters URL https://app.com/saml.php
  • user without a valid SAML assertion is forwarded to the service provider
    • browser asks the service provider for an XML assertion
    • XML assertion request form is sent back to the browser
    • browser forwards the assertion request form to the identity provider
    • IF NOT LOGGED IN YET
      • identity provider asks the user to log into the enterprise network
      • user enters his login/password and sends it back to the identity provider
    • client receives an XML assertion and cookie signed by the identity provider
    • XML assertion is sent to the service provider, who validates the assertion
  • if the assertion is valid, the user is pushed back to his initial URL
  • assertion is checked and the user is looked up in your app
  • if the user exists, the app start page appears, otherwise the app might show its standard login page

// Load simpleSAMLphp configuration and session.
$config  = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

// Check if a valid local session exists.
if (!$session->isValid('saml2')) {
    // Redirect to the IdP for authentication; RelayState brings the user
    // back to this URL once the assertion has been validated.
    SimpleSAML_Utilities::redirect(
        '/' . $config->getBaseURL() . 'saml2/sp/initSSO.php',
        array('RelayState' => SimpleSAML_Utilities::selfURL())
    );
}

// successful authentication: the attributes come from the validated assertion
$attributes = $session->getAttributes();
print_r($attributes); // might print out email or login

<saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z"
    Issuer="TransactionMinderSAMLIssuer" MajorVersion="1" MinorVersion="0"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-10-08T20:16:12.307Z"
      NotOnOrAfter="2008-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2008-10-08T20:16:12.307Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0"
          NameQualifier="Domain Name">Claire Wasser</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>http://www/</saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>R1VD8fkkvlrhp</saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
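What the service provider's "validates assertion" step from the flow slide looks like on an assertion shaped like the one above, as an added example in Python (not the deck's PHP and not simpleSAMLphp's own code): issuer, validity-window and subject checks. It assumes the SAML library has already verified the XML signature; the sample assertion is constructed from the one on the slide, and `clock_skew_s` is an assumed tolerance.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Constructed sample modelled on the deck's assertion. A real assertion also
# carries an XML signature; verifying it against the IdP's certificate is the
# library's job and must happen before any of the checks below mean anything.
SAMPLE_ASSERTION = f"""<saml:Assertion AssertionID="123" IssueInstant="2008-10-08T20:16:12.377Z"
    Issuer="TransactionMinderSAMLIssuer" MajorVersion="1" MinorVersion="0"
    xmlns:saml="{SAML1}">
  <saml:Conditions NotBefore="2008-10-08T20:16:12.307Z" NotOnOrAfter="2008-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2008-10-08T20:16:12.307Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0"
          NameQualifier="Domain Name">Claire Wasser</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(value):
    """Parse the UTC xsd:dateTime form SAML uses, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, now_instant, clock_skew_s=60):
    """Return the asserted subject name, or raise ValueError naming the failed check."""
    now = parse_instant(now_instant)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1}}}Assertion":
        raise ValueError("root element is not a SAML 1.0 Assertion")
    # Only assertions from the IdP(s) this SP is federated with are acceptable.
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer {issuer!r}")
    # Conditions bound the lifetime; a replayed old assertion fails here.
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        raise ValueError("assertion has no Conditions bounding its lifetime")
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    skew = timedelta(seconds=clock_skew_s)
    if not (not_before - skew <= now < not_on_or_after + skew):
        raise ValueError("assertion is outside its validity window")
    # The NameIdentifier is what the app looks the user up by.
    name_id = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("no subject NameIdentifier to look the user up by")
    return name_id.text.strip()
```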

Identity Server

• Shibboleth IdP (open source)
• PingIdentity
• Oracle Identity Server
• SAP NetWeaver
• Sun OpenSSO / ForgeRock OpenAM
• IBM
• Microsoft Geneva

One size does fit all

• Most federation solutions support many different SSO technologies
• Most are based on some kind of LDAP backend

Thanks for listening

Contact me if you have any questions:

  email: oliver@php.net
  email: oliver@teqneers.de
  phone: +49 (711) 46 97 28-82

Have Fun!
