SINGLE SIGN ON AND SECURITY - PowerPoint PPT Presentation

Slides: 28
Provided by: mwamini
Learn more at: https://www.cs.odu.edu
Transcript and Presenter's Notes

1
SINGLE SIGN ON AND SECURITY
  • By
  • Mwamini Naggayi
  • CS 795 MW

2
Outline
  • Introduction
  • What is single sign on?
  • Protocols
  • Purpose
  • Benefits
  • Risk
  • Conclusion
  • Demos (Not available)
  • References

3
Introduction
  • As computer systems increase to support business
    processes, users and system administrators are
    faced with an increasingly complicated interface
    to accomplish their job functions. Users
    typically have to sign on to multiple systems,
    with an equivalent number of sign-on dialogues,
    each of which may involve different usernames and
    authentication information.
  • System administrators are also faced with
    managing user accounts within each of the
    multiple systems to be accessed in a
    coordinated manner in order to maintain the
    integrity of security policy enforcement. This
    legacy approach to user sign-on to multiple
    systems is illustrated below.

4
Legacy Approach User Sign-on to Multiple Systems
5
Legacy Approach User Sign-on to Multiple Systems
  • Those components act as independent domains in
    the sense that the end user has to identify and
    authenticate himself or herself independently to
    each of the domains s/he wishes to interact with.
  • To invoke the services of a secondary domain, the
    end user is required to perform a Secondary Domain
    Sign-on.
  • From the management perspective, the legacy
    approach requires independent management of each
    domain and the use of multiple user account
    management interfaces.

6
What is single sign on?
  • Single sign-on (SSO) is a mechanism whereby a
    single action of user authentication and
    authorization can permit a user to access all
    computers and systems where s/he has access
    permission, without the need to enter multiple
    passwords.
  • The user needs to authenticate only once and the
    authenticated identity is securely carried across
    the network to access resources on behalf of the
    user.

7
Purpose of single sign-on
  • Develop applications to provide a common, single
    end-user sign-on interface for an enterprise.
  • Develop applications for the coordinated
    management of the multiple user account
    management information bases maintained by an
    enterprise.
  • Users only need to remember one username and
    password, and authentication can be provided for
    multiple services.

8
Protocols: Single sign-on
  • Kerberos is a computer network authentication
    protocol which allows individuals communicating
    over an insecure network to prove their identity
    to one another in a secure manner.
  • Kerberos single sign-on is possible because all
    of the services are under the same administrative
    control. There is a centralized database
    containing keys that are shared with each
    service, and tickets can be issued, encrypted
    under the keys of the target services.

9
Protocols: Single sign-on
  • The Passport protocol makes single sign-on across
    web sites possible, giving authenticated access to
    multiple independent web services.
  • Passport is a protocol that enables users to sign
    on to many different merchants' web pages by
    authenticating themselves only once to a common
    server.

10
How Passport works
  • The Passport model has three entities: the client
    at a web browser, the merchant store, and the
    Passport login server.
  • The login server maintains authentication and
    customer profile information for the client and
    gives the merchant access to this information
    when permitted by the client.
  • Passport divides client data into profile info
    and the wallet, which contains credit card info.
  • Passport's protocols are designed to enable the
    secure transfer of the profile and wallet info
    between the Passport server and the merchants.

11
How Passport works
12
Benefits of single sign-on
  • Reduction in the time taken by users in sign-on
    operations to individual domains.
  • Improved security through the reduced need for a
    user to handle and remember multiple sets of
    authentication information.
  • Reduction in the time taken, and improved response,
    by system administrators when adding users to or
    removing them from the system, or modifying their
    access rights.
  • Single sign-on reduces human error, a major
    component of systems failure.

13
Benefits of single sign-on
  • Improved security through the enhanced ability of
    system administrators to maintain the integrity
    of user account configuration, including the
    ability to inhibit or remove an individual user's
    access to all system resources in a
    coordinated and consistent manner.

14
Single User Sign-On To Multiple Services
15
Single User Sign-On To Multiple Services
  • The information supplied by the end user as part
    of the Primary Domain Sign-On procedure may be
    used in support of secondary domain sign-on in
    several ways:
  • Directly: the information supplied by the user is
    passed to a secondary domain as part of a
    secondary sign-on.
  • Indirectly: the information supplied by the user
    is used to retrieve other user identification and
    user credential information stored within a
    single sign-on management information base. The
    retrieved information is then used as the basis
    for a secondary domain sign-on operation.
  • Immediately: to establish a session with a
    secondary domain as part of the initial session
    establishment. This implies that application
    clients are automatically invoked and
    communications established at the time of the
    primary sign-on operation.
  • Temporarily: stored or cached and used at the
    time a request for the secondary domain services
    is made by the end user.

16
Risks of single sign-on
  • The secondary domains have to trust the primary
    domain to correctly assert the identity and
    authentication credentials of the end user, and to
    protect the authentication credentials used to
    verify the end user's identity to the secondary
    domain from unauthorized use.
  • The authentication credentials have to be
    protected when transferred between the primary
    and secondary domains against threats arising
    from interception or eavesdropping, which could
    lead to impersonation attacks.
  • Single sign-on is highly desirable but difficult
    to implement.

17
Risks of single sign-on
  • When security is compromised, single sign-on
    allows access to firewalls, systems, etc.
  • Passport uses the existing web technologies to
    the best of its abilities. Unfortunately, the
    resulting protocol poses several risks to the
    user.
  • User interface confusion: a merchant site that
    uses Passport displays a Passport sign-out icon
    which is supposed to remove Passport cookies, but
    a user may sign out of only the merchant account
    and not the Passport account.
  • Passport establishes a centralized service
    trusted by all others to make authoritative
    decisions about the authenticity of a user.
    Compromise of this central service would be
    particularly disastrous since the service
    maintains consumer profile info on all registered
    users.

18
Risks of single sign-on
  • The Passport system is too dependent on cookies.
    Passport cookies are used as proofs of
    authentication, and their lifetimes are determined
    only by the lifetime of the web browser and the
    (encrypted) time window in the cookie. If a user
    forgets to log out on a public machine, a Passport
    account could leave valid authentication tokens
    behind on the machine for any user to recover.
  • In Passport, where cookies stand in for tickets,
    possession of the cookie is all that is necessary
    to impersonate the valid user of that cookie. No
    further proof is required, which is dangerous on a
    public machine. At least in Kerberos, the client
    must send an authenticator that proves knowledge
    of the key inside the ticket.
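The Kerberos slide and the two Passport risk slides above contrast a ticket that must be accompanied by proof of knowledge of the session key it carries with a cookie where possession alone is the proof. This added Python example, not part of the presentation, models both checks with a toy sealing primitive; the 300-second ticket lifetime, the 60-second clock skew and the replay cache are assumptions chosen for illustration.

```python
import hashlib, hmac, json, os, time

# Toy sealing primitive, constructed for this example (not Kerberos' real
# crypto): SHA-256 counter keystream for secrecy plus an HMAC tag for integrity.
def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, data: dict) -> bytes:
    plain, nonce = json.dumps(data).encode(), os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("tampered")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct)))))

# Passport-style: the cookie is a bearer token; possession is the whole proof.
def passport_login(server_key: bytes, user: str) -> bytes:
    return seal(server_key, {"user": user})

def passport_verify(server_key: bytes, cookie: bytes) -> str:
    return unseal(server_key, cookie)["user"]

# Kerberos-style: the ticket is sealed under the service's key and carries a
# session key; the client must prove knowledge of it with a fresh authenticator.
def kdc_issue_ticket(service_key: bytes, user: str, lifetime=300):
    skey = os.urandom(32)
    ticket = seal(service_key, {"user": user, "skey": skey.hex(), "exp": time.time() + lifetime})
    return ticket, skey  # the client holds both; only the ticket is shown to the service

def make_authenticator(skey: bytes, user: str) -> bytes:
    msg = f"{user}|{time.time()}".encode()
    return msg + hmac.new(skey, msg, hashlib.sha256).digest()

def service_verify(service_key, ticket, auth, seen: set, skew=60.0) -> str:
    t = unseal(service_key, ticket)  # only the service key opens the ticket
    if time.time() > t["exp"]:
        raise ValueError("ticket expired")
    msg, tag = auth[:-32], auth[-32:]
    if not hmac.compare_digest(tag, hmac.new(bytes.fromhex(t["skey"]), msg, hashlib.sha256).digest()):
        raise ValueError("authenticator not made with the ticket's session key")
    user, ts = msg.decode().split("|")
    if user != t["user"] or abs(time.time() - float(ts)) > skew or msg in seen:
        raise ValueError("stale, replayed or mismatched authenticator")
    seen.add(msg)  # replay cache
    return user
```

A copied Passport cookie is accepted from any presenter, whereas a copied ticket without the session key, or a reused authenticator, is rejected by the service.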

19
Conclusion
  • The best way to protect your interests is to
    ensure that any SSO software offered by any
    company provides some level of guarantee to meet
    the organization's security needs.
  • The need for tools to help users manage
    authentication and personal information across a
    variety of sites is increasingly critical.
    Passport is an ambitious attempt to meet those
    needs and requires no changes to existing
    browsers and servers. However, the system carries
    significant risks to users.

20
Demo: Two Site files
  • Site one
    • Public pages
      • Default.aspx
      • Web config
    • Secure folder
      • httpsPage.aspx
      • login.aspx
  • Site two
    • Public pages
      • default.aspx
      • Web config
    • Secure folder
      • httpsPage.aspx

21
Demos: Default page of site 1
22
Demos: Web config, site one
  <authentication mode="Forms">
    <forms loginUrl="Secure\login.aspx" protection="All"
           requireSSL="true" timeout="10" name="FormsAuthCookie"
           path="/FormsAuth" slidingExpiration="true" />
  </authentication>
  <!-- For SSO Test -->
  <machineKey
    validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
    decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
    validation="SHA1"/>
  <!-- The restricted folder is for authenticated and SSL access only. -->
  <location path="Secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
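The web.config above places the same machineKey in both demo sites, which is what lets a forms-authentication cookie minted by site one validate on site two. This added Python example, not the demo's own code, models the validation half of such a ticket with the slide's timeout="10", validation="SHA1" and slidingExpiration="true" settings; the keys are constructed placeholders, the payload layout is an assumption rather than ASP.NET's real ticket format, and the renewal rule follows ASP.NET's documented "more than half the timeout elapsed" behaviour.

```python
import hashlib, hmac, json

# Settings from the slide's <forms> element; keys are constructed placeholders,
# not the slide's machineKey values. SSO works only because both sites share one.
TIMEOUT_MIN = 10
SHARED_VALIDATION_KEY = hashlib.sha256(b"constructed shared machineKey").digest()
OTHER_SITE_KEY = hashlib.sha256(b"constructed different machineKey").digest()

def issue_ticket(validation_key: bytes, user: str, now: float) -> str:
    """Mint a forms-auth-style ticket: payload plus an HMAC-SHA1 tag (validation="SHA1").
    This models the MAC half of protection="All"; the encryption half is omitted."""
    payload = json.dumps({"user": user, "iat": now, "exp": now + TIMEOUT_MIN * 60}).encode()
    tag = hmac.new(validation_key, payload, hashlib.sha1).hexdigest()
    return payload.hex() + "." + tag

def validate_ticket(validation_key: bytes, ticket: str, now: float):
    """Return the user name if the tag was made with this site's key and the ticket
    is inside its timeout window; otherwise None."""
    try:
        body, tag = ticket.split(".")
        payload = bytes.fromhex(body)
    except ValueError:
        return None
    expected = hmac.new(validation_key, payload, hashlib.sha1).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                      # different machineKey, or tampered payload
    data = json.loads(payload)
    if now > data["exp"]:
        return None                      # past timeout: a left-behind cookie is dead
    return data["user"]

def renew_if_sliding(validation_key: bytes, ticket: str, now: float) -> str:
    """slidingExpiration="true", modelled on ASP.NET's rule: reissue the ticket once
    more than half of the timeout has elapsed since issue, so active sessions persist."""
    user = validate_ticket(validation_key, ticket, now)
    if user is None:
        return ticket
    issued = json.loads(bytes.fromhex(ticket.split(".")[0]))["iat"]
    return issue_ticket(validation_key, user, now) if now - issued > TIMEOUT_MIN * 30 else ticket
```

Because the expiry is enforced by the validating site rather than the browser, a cookie left on a public machine stops working at most timeout minutes after its last renewal, which is the exposure window the Passport risk slide warns about.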

23
Site one default.aspx.cs
  using System;
  using System.IO;
  using System.Web;

  private void SecureButton_Click(object sender, System.EventArgs e)
  {
      // Build an https URL for the same host and send the browser to the
      // Secure folder, which web.config restricts to authenticated SSL access.
      UriBuilder uri = new UriBuilder(Uri.UriSchemeHttps, Request.Url.Host);
      uri.Path = Path.Combine(Request.ApplicationPath, "Secure/httpsPage.aspx");
      Response.Redirect(uri.ToString());
  }

24
Secure folder One Login.aspx.cs
  using System;
  using System.IO;
  using System.Web;
  using System.Web.Security;

  private void Page_Load(object sender, System.EventArgs e)
  {
      try
      {
          // For different domains, should use the cookie domain
          HttpCookie formsCookie = FormsAuthentication.GetAuthCookie(UserId.Text, false);
          formsCookie.Domain = "localhost.com";   // shared domain so site two receives the cookie
          Response.AppendCookie(formsCookie);
          Response.Redirect(FormsAuthentication.GetRedirectUrl(UserId.Text, false));
          // Equivalent single call shown on the slide; never reached after Redirect:
          // FormsAuthentication.RedirectFromLoginPage(UserId.Text, false);
      }
      catch (Exception)
      {
          // The slide does not show the handler; rethrow so failures are not hidden.
          throw;
      }
  }

  private void LoginButton_Click(object sender, System.EventArgs e)
  {
      UriBuilder uri = new UriBuilder(Uri.UriSchemeHttp, Request.Url.Host);
      uri.Path = Path.Combine(Request.ApplicationPath, "default.aspx");
      Response.Redirect(uri.ToString());
  }

25
Secure folder one httpsPage.aspx.cs
  using System;
  using System.IO;
  using System.Web;
  using System.Web.Security;

  private void LogoutButton_Click(object sender, System.EventArgs e)
  {
      FormsAuthentication.SignOut();
      // SignOut clears the cookie as configured in web.config (no domain set there);
      // the SSO cookie was issued for the shared domain, so expire that one explicitly.
      HttpCookie formsCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
      if (formsCookie != null)
      {
          formsCookie.Domain = "localhost.com";
          formsCookie.Expires = DateTime.Now.AddDays(-1);
          Response.Cookies.Add(formsCookie);
      }
      Response.Redirect(Request.Url.ToString());
  }

  private void BackButton_Click(object sender, System.EventArgs e)
  {
      UriBuilder uri = new UriBuilder(Uri.UriSchemeHttp, Request.Url.Host);
      uri.Path = Path.Combine(Request.ApplicationPath, "default.aspx");
      Response.Redirect(uri.ToString());
  }

  private void SiteTwoButton_Click(object sender, System.EventArgs e)
  {
      // Cross to the second site; it trusts the same machineKey, so the cookie carries over.
      Response.Redirect("https://localhost/FormsAuth2/Secure/httpsPage.aspx");
  }

26
Demos Web config first site
  using System;
  using System.IO;
  using System.Web;

  private void LinkButton1_Click(object sender, System.EventArgs e)
  {
      // Same redirect as SecureButton_Click: switch to https for the Secure folder.
      UriBuilder uri = new UriBuilder(Uri.UriSchemeHttps, Request.Url.Host);
      uri.Path = Path.Combine(Request.ApplicationPath, "Secure/httpsPage.aspx");
      Response.Redirect(uri.ToString());
  }

27
References
  • http://www.opengroup.org/security/sso/
  • http://www.enterasys.com/solutions/secure-networks/single_sign-on/
  • http://www.scmagazine.com/us/grouptest/details/2a136ba7-b164-4346-974e-1afcc4d628e2/singlesign-on2005/
  • http://www.imprivata.com/content3208.html
  • http://avirubin.com/passport.html
  • http://weblogs.asp.net/hernandl/archive/2004/06/09/ssoformsauth.aspx
  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/singlesignon.asp