SLIDE 1
My Involvement
- Chief Integration Geek for WebCT
- Wrote a book on LDAP
- Became expert on authentication
- Participant in Internet 2 authentication
working groups
- Lurker on many other groups
Single Sign-On: Myth vs Reality Mark Wilcox mark@mjwilcox.com My - - PowerPoint PPT Presentation
Single Sign-On: Myth vs Reality Mark Wilcox mark@mjwilcox.com My - - PowerPoint PPT Presentation
Single Sign-On: Myth vs Reality Mark Wilcox mark@mjwilcox.com My Involvement Chief Integration Geek for WebCT Wrote a book on LDAP Became expert on authentication Participant in Internet 2 authentication working groups
SLIDE 2
SLIDE 3
Agenda
- What is SSO
- Risks/Rewards for SSO
- Current SSO technology
- SSO vs SAML
– WS-Security
- SSO Standards
SLIDE 4
Single Sign-On
- Initial Sign-On
– You authenticate once, never authenticate again (well at least for a really long time)
- Central Password Database
– You develop carpal tunnel from entering passwords but you’re no longer required to remember multiple username/passwords
SLIDE 5
Authentication Doesn’t Matter
- Well it matters but not nearly as much as
authorization
- Identity matters depending upon context
– Me speaking here (You want to know who I am) – Airports – it’s a business security, not terror prevention
- We let people into ballparks/movie theaters with just a ticket –
the airline just wants to prevent scalping of tickets
- Electronically – use opaque token that can be used
to release proper information (I.e. Shiboleth)
SLIDE 6
Why do I want SSO
- .EDU
– Improve ability to share resources
- .GOV
– Improve ability to track access
- .COM
– Reduce fraud
SLIDE 7
I Want SSO
- Improve security
- Improve privacy protection
- Provide better quality of service
- Use less resources
SLIDE 8
I Don’t Want SSO
- Reduce security
- Reduce privacy
- Reduce freedom
- Requires more resources
SLIDE 9
SSO Standards?
- Kerberos
– Biggest mistake – not making Kerberos V5 a part of HTTP – Now waiting on Microsoft to add “implementation” to future version .NET Passport
- LDAP
– Shared password DB only
SLIDE 10
SSO Standards
- Internet 2
– WebISO – Shibboleth
- .COM
– Project Liberty – .NET Passport – WS-Security
SLIDE 11
WebISO
- Developed as part of Internet 2
- Central Login Server
- Shared Cookie
- 7 non-interoperable implementations
- Currently working on standardizing
data/API
- PubCookie “leader”
SLIDE 12
Shibboleth
- Internet 2 Authorization Framework
- Authorization Service
- Attributes Describe user
- Utilizes SAML
- Late Beta
- Inter-Op event in October 2002
SLIDE 13
Liberty Alliance
- Sun/Oracle leaders
- Federate Authentication
- SAML for authorization
- Shibboleth member organization
SLIDE 14
Passport
- Microsoft “standard”
- From Hotmail
- Core of .NET Services
- “Failed” to attract many external users
SLIDE 15
WS-Security
- Microsoft/IBM
- Authentication/Authorization for Web
Services
- Nothing exists right now for SOAP
SLIDE 16
Federated Authentication
- Authentication flavor happens locally
– I use LDAP – You use Kerberos – You just trust the connection
- Do I trust your authentication
– Varies on context
SLIDE 17
SAML != SSO
- Security Assertions Markup Language
- XML schema/protocol for authorization
- Authentication happens external to SAML
SLIDE 18
SAML Process
- I go to SAML protected site
- SAML site takes token and obtains
assertions about you from Assertion service
- Application can make authorization
decisions on its own
- Delegate authorization to Authorization
service
SLIDE 19
Conclusion
- SSO does improve:
– Overall security exposure – Reduce support in long term – Makes customers happy
- However: