Single Sign-On: Myth vs Reality
Mark Wilcox
mark@mjwilcox.com

My Involvement
• Chief Integration Geek for WebCT
• Wrote a book on LDAP
• Became expert on authentication
• Participant in Internet 2 authentication working groups
• Lurker on many other groups

Agenda
• What is SSO
• Risks/Rewards for SSO
• Current SSO technology
• SSO vs SAML
  – WS-Security
• SSO Standards

Single Sign-On
• Initial Sign-On
  – You authenticate once, never authenticate again (well, at least for a really long time)
• Central Password Database
  – You develop carpal tunnel from entering passwords, but you’re no longer required to remember multiple username/passwords
Authentication Doesn’t Matter
• Well, it matters, but not nearly as much as authorization
• Identity matters depending upon context
  – Me speaking here (you want to know who I am)
  – Airports – it’s business security, not terror prevention
• We let people into ballparks/movie theaters with just a ticket – the airline just wants to prevent scalping of tickets
• Electronically – use an opaque token that can be used to release the proper information (i.e. Shibboleth)
Why do I want SSO
• .EDU – Improve ability to share resources
• .GOV – Improve ability to track access
• .COM – Reduce fraud

I Want SSO
• Improve security
• Improve privacy protection
• Provide better quality of service
• Use less resources

I Don’t Want SSO
• Reduce security
• Reduce privacy
• Reduce freedom
• Requires more resources
SSO Standards?
• Kerberos
  – Biggest mistake – not making Kerberos V5 a part of HTTP
  – Now waiting on Microsoft to add an “implementation” to a future version of .NET Passport
• LDAP
  – Shared password DB only
SSO Standards
• Internet 2
  – WebISO
  – Shibboleth
• .COM
  – Project Liberty
  – .NET Passport
  – WS-Security

WebISO
• Developed as part of Internet 2
• Central Login Server
• Shared Cookie
• 7 non-interoperable implementations
• Currently working on standardizing data/API
• PubCookie “leader”

Shibboleth
• Internet 2 Authorization Framework
• Authorization Service
• Attributes describe user
• Utilizes SAML
• Late Beta
• Inter-Op event in October 2002

Liberty Alliance
• Sun/Oracle leaders
• Federate Authentication
• SAML for authorization
• Shibboleth member organization

Passport
• Microsoft “standard”
• From Hotmail
• Core of .NET Services
• “Failed” to attract many external users

WS-Security
• Microsoft/IBM
• Authentication/Authorization for Web Services
• Nothing exists right now for SOAP

Federated Authentication
• Authentication flavor happens locally
  – I use LDAP
  – You use Kerberos
  – You just trust the connection
• Do I trust your authentication
  – Varies on context

SAML != SSO
• Security Assertions Markup Language
• XML schema/protocol for authorization
• Authentication happens external to SAML

SAML Process
• I go to SAML protected site
• SAML site takes token and obtains assertions about you from Assertion service
• Application can make authorization decisions on its own
• Delegate authorization to Authorization service

Conclusion
• SSO does improve:
  – Overall security exposure
  – Reduce support in long term
  – Makes customers happy
• However:
  – Need real standards
  – Need to deal with privacy issues
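The token-for-assertions exchange described in the SAML Process slide (and the opaque-token idea from the Authentication slide), as an added Python example that is not part of the original talk or of any SAML implementation: the assertion service authenticates the user outside the protocol, hands out an opaque token, and the relying site exchanges that token for a signed attribute assertion which it verifies before deciding authorization locally. An HMAC over a shared key stands in for the SAML XML signature, and the attribute policy and attribute names are constructed for the demo.

```python
import hmac
import hashlib
import json
import secrets
import time

# Constructed shared secret between assertion service and relying site (assumption;
# real SAML uses XML signatures with the assertion service's public key).
ASSERTION_KEY = b"constructed-demo-key"


class AssertionService:
    """Identity side: login happens here (external to SAML); tokens are opaque."""

    def __init__(self):
        self._sessions = {}  # opaque token -> attributes released for that user

    def login(self, user, attrs):
        token = secrets.token_urlsafe(16)  # reveals nothing about the user
        self._sessions[token] = dict(attrs, subject=user)
        return token

    def assert_for(self, token, ttl=300):
        """Exchange a token for a signed, time-limited attribute assertion."""
        attrs = self._sessions.get(token)
        if attrs is None:
            return None  # unknown token: no assertion is released
        body = json.dumps({"attrs": attrs, "exp": int(time.time()) + ttl}, sort_keys=True)
        sig = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


def verify_assertion(assertion, now=None):
    """Relying site: reject tampered or expired assertions before trusting attributes."""
    body, sig = assertion["body"], assertion["sig"]
    expected = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(body)
    if data["exp"] < (now if now is not None else time.time()):
        return None
    return data["attrs"]


def authorize(attrs, resource):
    """Local authorization from attributes (roles), not from who the user is."""
    if attrs is None:
        return False
    policy = {"journal": "member", "grades": "faculty"}  # constructed policy
    return policy.get(resource) in attrs.get("roles", [])


def sso_visit(service, token, resource):
    """Whole exchange: site presents the token, verifies the assertion, decides."""
    assertion = service.assert_for(token)
    return authorize(verify_assertion(assertion) if assertion else None, resource)
```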
Recommend
More recommend