1. Understanding Single Sign-on, Part 1 - “Single Redirect” SSO
Welcome. I am Andrew Bauserman. I have with me Scott Hayes. We work for IT at the College of William and Mary.
By way of background: Scott and I at William and Mary are coming from a Luminis campus portal. The campus has been building single sign-on using Luminis and CPIP for several years. We also have Windows Active Directory and Unix LDAP servers for authentication via Windows login, LDAP, and Kerberos protocols.
Our Web Single Sign-on discussions began in Spring 2002 with our Portal roll-out, initially including SSO to Blackboard and Webmail.
I’ve been using the CPIP SSO interface since Jan 2004, and several other forms of SSO since then.
Scott has been our Luminis Engineer for the last several years.
2. “Single Redirect” SSO
My composure was in order,
if not sufficiently intact.
(Lone Justice – “Wheels”)
Last year’s presentation was called “Putting all the eggs in one basket”.
It turns out that the title was more than just clever – it was somewhat prescient.
Single sign-on has a great deal to do with this notion of putting everything in one place – and all of the convenience and inconvenience associated with having everything in one place. The notes for that presentation are still available for those who are interested...
At last year’s Portal 2006 conference I attempted to explain the Luminis CPIP solution, a generic connector built off of that solution, and several “hacks” we had developed to provide various forms of SSO into closed/proprietary systems – all in ONE 90-minute session!
Having reflected on SSO for another year, I decided upon a different approach. This year, I have expanded upon several of the types of SSO solutions we have used at W&M, devoting a session to each.
3. Understanding Single Sign-on, Part 1 - “Single Redirect” SSO
In this, the first session, we will NOT be talking specifically about our portal (myWM, based on the Sungard SE Luminis product), its proprietary Campus Pipeline Integration Protocol (CPIP), or any other specific single sign-on solution per se.
Instead, what I hope to do is explain HOW one would go about creating a (Secure) Single Sign-On (SSO/SSSO) solution. We’ll define a few different ways one would go about creating an SSO solution, and then focus on one specific genre of SSO that I’m calling “Single Redirect”.
Before we dive in, I have one apology to make – and I’ll do my best to make amends. In writing the synopses for the “Single Redirect” and “Two-Step” SSO methods, I mistakenly listed Apple’s iTunesU protocol among the “Single Redirect” SSOs, when it actually belongs among the “Two-Step” SSOs. So let me modify my “show-of-hands” questions at this point to see what we can do to accommodate the situation.
I’d like to get a feel for who is currently using SSO, what protocols or standards (or in-house services) you may be using, and which systems you are looking to integrate using SSO...
Show of hands:
1) Are you using/investigating Apple’s iTunesU? If so, were you planning to come to session 2?
If not, I will try to save time at the end to introduce Session 2 using iTunesU as an example.
2) Are you using/investigating AlcoholEdu?
3) Do you have any other single sign-on applications at this time? Blackboard? WebMail? Other?
4) Are you using any single sign-on mechanism/protocol now? Luminis CPIP/GCF? CAS? Shibboleth/Liberty Alliance/SAML? OpenID?
5) Are you using another Portal or CMS? Which? Is that system driving SSO? Is that system itself an SSO client?
OK – let’s get started...
4. “Single Redirect” SSO
My agenda was hidden well.
Now I don't know where I left it.
(Chagall Guevara, "Escher's World")
So what’s our agenda today?
I’ve made a bit of an outline of the things we’ll be talking about today, in case you’re one of those folks who follows along better if you know where we’re planning to end up...
5. “Single Redirect” SSO Overview
Methods for Handoffs
Why should we use SSO?
What is SSO?
How do we assert identity?
General security issues...
What is (secure) “Single Redirect” SSO?
General Examples
A real-life example – something not unlike AlcoholEdu
Specific security issues...
Improving upon the “Single Redirect” SSO
The “Two-Step” SSO
Questions and Discussion
SSO Links
Brief listing of the above…
Let’s dive in…
6. “Single Redirect” SSO
For every problem, there is a solution that is simple, elegant, and wrong.
(H.L. Mencken)
Just because somebody had the brilliant idea of single sign-on doesn’t make it the right tool for every job…
So how do we know that SSO might be the right tool for a given task?
7. “Single Redirect” SSO Methods for Handoffs
Several ways of getting external services to the user.
Basic Links
No authentication
Links with simple identifiers
“Bucket” sorting – parents vs. students, etc.
(Secure) Single Sign-on (SSO)
“Single Redirect” SSO
“Two-step” SSO
Other “Hacks”
“Halfway There”
“Closed Systems”
Who are you? Does it matter?
On a web server, there are several types of content we might want to supply...
Some of them depend upon who you are – others not so much.
(Basic links vs. personalized content: when textbooks go on sale vs. how much money is left on your College ID debit card)
Some services might present things based on role if it is known, but the content is not secure info – so if you pretend to be somebody else, you just see a different set of public info...
(simple identifiers)
And then there are services where you really need to know that the person viewing and manipulating your data is *exactly* who he or she claims to be!
8. “Single Redirect” SSO
Luck is where preparation meets opportunity.
(Ansel Adams)
So let’s get some understanding of when SSO is a good idea…
9. “Single Redirect” SSO Why should we use SSO?
SSO Provides
Convenience
Central Password Store
Less need for the password to be passed around
Fewer systems accessing the password
What we’ve shown so far, of course, just demonstrates that there are systems requiring authentication before sensitive (or convenient) content can be provided. What is the specific case for using SSO for this process, as opposed to requiring a separate login to each system?
1) Convenience (but users can be forced to deal with inconvenience)
2) Fewer password stores (but we could tie each application directly to LDAP/AD if we really wanted to)
3) Less opportunity for the password to be divulged (with one login form there is only one place to get it wrong, e.g., if a login form forgets SSL)
4) Lock down the password store tighter (only the known SSO systems can query LDAP/AD)
So here’s where we dig deeper into SSO...
10. “Single Redirect” SSO
Acronyms never die, they merely RIP.
(Dan Green)
Just because somebody had the brilliant idea of single sign-on doesn’t make it the right tool for every job…
So how do we know that SSO might be the right tool for a given task?
11. “Single Redirect” SSO What is SSO?
SSO = (Secure) Single Sign-on
One campus-wide authenticating system
Campus Portal or other Identity Provider (IdP)
One password store
LDAP or Active Directory
Mechanism to authenticate remotely
From authenticating server
Secure “hand-off”
Assertion of “trust” in the authenticating system
To external system
As compared to internal systems, which have access to authentication data, e.g., via CORBA (Java)
[Summary – explain from slide]
12. “Single Redirect” SSO Who did you say you were, little fellow?
Mister, I am the Lorax. I speak for the trees.
(Dr. Seuss)
Who are you and how did you get in here?
I'm a locksmith. And, I'm a locksmith.
(Police Squad)
Who are you?
No one of consequence.
(The Princess Bride)
Who are you?
The Lorax
A Locksmith
No one of consequence
By what authority can I be sure that you are whom you claim to be?
It’s all about Trust!
13. “Single Redirect” SSO How do we assert identity?
Mechanisms for “hand-off” and “trust”:
The “hand-off”
includes all necessary parameters
Userid and possibly other data
Generally done via dynamic URL
Via user “clicking” a link or browser “redirect”
The “trust” mechanism
Trust of the referring server by the external system
Site identifier
Shared secret key
Trust of the user by the external system
Credentials
The hand-off is what we’ll be looking at in a minute as we build the actual process for the “Single Redirect” SSO. It is also the differentiating factor between this and the “Two-Step” SSO process.
But before we delve into that, let’s look at the “trust” piece first…
14. “Single Redirect” SSO
Ahh, arrogance and stupidity all in the same package. How efficient of you.
(Londo Mollari, “Babylon 5: In the Beginning”)
Those of us who are not security experts, even if we have attended security workshops and read or listened to experts on the subject, should be very careful with regard to hubris and conceit.
Let me tell you a story… The folks who created the wireless protocol that most of us use in our homes and offices (802.11b) were talented engineers, the lot of them. But what they came up with for securing over-the-air network communications (not, by the way, having consulted any true network security experts) is called WEP (Wired Equivalent Privacy).
WEP, which claimed to provide security on par with a direct wired connection, turns out to be flawed in the way it was designed: its use of the RC4 stream cipher with short, reused initialization vectors lets an attacker who captures enough traffic recover the key. Most newer wireless routers and network cards now support additional protocols, such as WPA, which provide more robust security. But the old WEP, which by the way can now be cracked in a matter of minutes, is still available on almost all wireless equipment because it is part of the original 802.11 spec and provides compatibility with older devices that only know how to do WEP.
The point I’m making is this – I’m trying to show you some protocols that some smart folks have created. And I’m pointing out generally how they work and what common characteristics they share. This doesn’t make me an expert capable of “improving” upon these standards. Nor do I suggest reinventing the process yourself, as the potential for smart folks to design flawed protocols is very real…
15. “Single Redirect” SSO General Security Issues...
Trust nothing, verify everything...
Trust Nothing
GET data (http://www.wm.edu/index.php?myvar=myval )
POST data (from HTML forms, etc.)
Cookies (Set in server code or JavaScript code)
Referrer (the HTTP “Referer” header: URL of the page where the link was “clicked”)
WebScarab
http://www.owasp.org/
Proxy client for Windows, Linux, and Mac
Allows user manipulation of all of the above data
So I want to take a few minutes to talk about general Web security issues. Some of these can be more easily controlled in the two-step process I’ll be discussing later in the day. But they are *critical* for the “Single Redirect” SSO.
Poll:
* Heard of the SANS Institute? SANSFIRE?
In DC last July I attended the Web Security seminar – highly recommended
* Heard of WebScarab? Ever used it?
Demo Time!!!
16. “Single Redirect” SSO For a successful technology, reality must take precedence over public relations,
for Nature cannot be fooled.
(Richard P. Feynman*)
* Bonus – what’s the publication/context of this quote?
Poll:
Context of this quote?
Answer:
Appendix to the Rogers Commission Report on the Challenger Space Shuttle Accident
17. “Single Redirect” SSO General Security Issues...
Trust nothing, verify everything...
Verify Everything
Filter Input
Escape Output
Test values
Whitelist vs. Blacklist
Catch Exceptions
Logout issues
Does the trusted system tell the external systems when a user logs out?
Does the user have to log out of each system independently?
Am I a security expert? No. But I listen to some who are, and try to follow what they suggest:
[SANS, Shiflett, SecurityNow]
Poll
Any PHP coders? Know Chris Shiflett? His mantra? (“Filter input, escape output.”)
Logout Issues:
If a public-access terminal is left with the browser open, then the session is still alive.
As we will see, with the “Single Redirect” SSO, the security issue is much worse – basically the browser history has a copy of everything it needs to reconnect as the previous user!
18. “Single Redirect” SSO
Inspiration is the Mother of Invention.
Desperation is its Father.
(unknown)
A one-way hand-off, what I’m calling the “Single Redirect” SSO, is not a perfect solution. There are some weaknesses that we shall discuss in a moment.
But at this point I’m actually going to describe for you how a “Single Redirect” SSO works in a generic implementation – followed by a real-life implementation that W&M has employed.
19. “Single Redirect” SSO What is (secure) “Single Redirect” SSO?
A one-way “hand-off” from a system that has authenticated me to a system that “trusts” that I have been authenticated.
The trusted system:
May be the Portal or other Identity Provider (IdP)
Verifies userid/password via LDAP, AD, or Kerberos
Provides a link to take me to some external site
The external system:
Can tell that I came from the trusted system
Can tell who I am based on information passed from the trusted system
Reiterate the above.
Regarding “provides a link”...
SSL – does it encrypt GET? POST? [y/y – both travel inside the encrypted connection; but a GET query string is also written to the web server’s access log and may be sent along to third-party sites in the Referer header, and SSL does nothing to prevent either]
Can the end user see GET? POST? [y (in URL) / y (view-source)]
Will the data be in History for GET? POST? [Generally Y / Generally N * (but form data may be cached)]
Bookmarking – GET? POST? [Generally Y / Generally N * (but the Back button can often “repost form data”)]
* Since these are browser/end-user implementation details, you can NEVER assume that a particular security measure is in place. A Firefox extension could easily change this answer.
20. “Single Redirect” SSO
In theory there is no difference between theory and practice. In practice there is.
(Yogi Berra)
The idea (theory) is that we’ll link somebody from our trusted system to an external system, and the external system will know *that* the user came from the trusted system, *and* will know *who* the user is!
In practice, we need to determine *how* the external system can know *that* the user came from the trusted system.
Can we trust the “Referrer” the browser provides? [NO!!! – it is set by the client, and can be omitted, forged, or edited in a proxy such as WebScarab]
So we need to be a bit more resourceful.
Likewise, we need to determine how the external system will know *who* the user is.
Can’t we just trust the GET or POST field called “userid”? [NO!!! – anything in the request is under the user’s control]
So how shall we proceed?
21. “Single Redirect” SSO
General Examples
Providing a “link” to the External Server
Plain link:
<a href="https://example.com/?user=joe&siteid=123&verify=A2854CEE">Go to the service now.</a>
Link through a local redirect script:
<a href="handoff.php">Go to the service now.</a>
<?php header("Location: https://example.com/?user=joe&siteid=123&verify=A2854CEE"); ?>
Button: [Go to the service now]
<form method="post" action="https://example.com/">
<input type="hidden" name="user" value="joe">
<input type="hidden" name="siteid" value="123">
<input type="hidden" name="verify" value="A2854CEE">
<input type="submit" value="Go to the service now">
</form>
We could also make the form submit to /handoff.php and do the header("Location: ...") on that as well…
There are probably other variations on this theme…
In any case… Which is more secure – to a hacker? to the casual curious user?
An “internal” hacker (the user, or anyone running WebScarab on the user’s machine) sees all of these equally well.
An “external” hacker on the wire should see nothing (due to SSL).
22. “Single Redirect” SSO
Coders try to make their code work.
Testers try to make the code break.
(Hal Helms, “OutLoud: Testing, Testing, Testing”)
AlcoholEdu doesn’t actually implement exactly the process I’m outlining here. (Like the wireless WEP security folks, I don’t think they hired an actual security expert to design this.) If you are using AlcoholEdu, or are evaluating it, and want to discuss the specific weaknesses of their methods, we can discuss that afterward, over lunch, or via email. But I’m not here to reveal in a public presentation specific vulnerabilities. Instead, I’d like to offer a best-of-breed version of the “Single Redirect” SSO, very similar to how AlcoholEdu works.
23. “Single Redirect” SSO A real-life example
Something not-unlike AlcoholEdu
Site identifier
Identifies what trusted server referred me
The referrer and the site identifier can be hacked
Shared secret key
Encoding (in practice a keyed hash, such as an HMAC) applied to the GET parameters
All parameters passed unencoded
Encoded value appended to the parameters
External system applies the same encoding to the parameters it received
Verifies that the result matches what was passed
Encryption applied for security via SSL (https)
We will, however, look at some of the general security issues intrinsic to this method if implemented as I am describing the process.
Main ideas:
1) Site ID – Can’t trust (anyone can put it in a URL)
2) Shared Secret – Can trust, but what if intercepted and copied (or hacked off-line)?
3) SSL – Can’t be “snooped” (via wire/wireless connection)
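The following is an added example, not code from the presentation or from AlcoholEdu, of the hand-off that slide 23 describes: the trusted system passes user and site ID in the clear and appends a keyed hash of them computed with the shared secret, and the external system recomputes the hash and compares. It also adds the timestamp check that slide 25 recommends, so the replay weakness of a bookmarked URL can be seen at the boundary. All names, the secret, the service URL and the 300-second window are assumptions for illustration; the forgery helper stands in for a user editing the URL in WebScarab.

```python
"""Single Redirect SSO hand-off: signed redirect URL plus verification.

Added example (not from the presentation). Hypothetical names throughout.
"""
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical: one shared secret per referring site id, known to both sides.
SITE_SECRETS = {"123": b"example-shared-secret-change-me"}
EXTERNAL_SERVICE = "https://example.com/"   # hypothetical external system
MAX_AGE_SECONDS = 300                        # how long a hand-off URL stays valid
USERID_RE = re.compile(r"^[a-z][a-z0-9]{1,15}$")  # whitelist of acceptable ids


def _signature(secret: bytes, user: str, siteid: str, ts: str) -> str:
    # Fixed field order and a separator, so "ab"+"c" and "a"+"bc" differ.
    msg = "\n".join([user, siteid, ts]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_handoff_url(user: str, siteid: str, now=None) -> str:
    """Trusted-system side: the URL placed behind 'Go to the service now'."""
    ts = str(int(now if now is not None else time.time()))
    verify = _signature(SITE_SECRETS[siteid], user, siteid, ts)
    return EXTERNAL_SERVICE + "?" + urlencode(
        {"user": user, "siteid": siteid, "ts": ts, "verify": verify})


def accept_handoff(url: str, now=None) -> str:
    """External-system side: returns the userid or raises ValueError."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        user, siteid, ts, verify = q["user"], q["siteid"], q["ts"], q["verify"]
    except KeyError as missing:
        raise ValueError("missing parameter %s" % missing)
    if not USERID_RE.match(user):
        raise ValueError("bad userid")            # filter input (whitelist)
    secret = SITE_SECRETS.get(siteid)
    if secret is None:
        raise ValueError("unknown siteid")        # the site id alone proves nothing
    expected = _signature(secret, user, siteid, ts)
    if not hmac.compare_digest(expected, verify):
        raise ValueError("bad signature")         # forged or edited parameters
    now = now if now is not None else time.time()
    if not ts.isdigit() or abs(now - int(ts)) > MAX_AGE_SECONDS:
        raise ValueError("stale handoff")         # bookmarked / replayed URL
    return user


def try_accept(url: str, now=None):
    """Convenience wrapper: ('ok', userid) or ('rejected', reason)."""
    try:
        return ("ok", accept_handoff(url, now))
    except ValueError as err:
        return ("rejected", str(err))


def forge_url(url: str, new_user: str) -> str:
    """What a curious user with WebScarab can do: swap the userid in the URL."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    q["user"] = new_user
    return EXTERNAL_SERVICE + "?" + urlencode(q)


if __name__ == "__main__":
    t0 = int(time.time())
    url = build_handoff_url("joe", "123", now=t0)
    print(url)
    print(try_accept(url, now=t0 + 10))                      # ('ok', 'joe')
    print(try_accept(forge_url(url, "alice"), now=t0 + 10))  # rejected: bad signature
    print(try_accept(url, now=t0 + 3600))                    # rejected: stale handoff
```

Within the window the same URL is accepted as many times as it is presented, which is exactly the bookmark and browser-history problem of slide 25; the timestamp only shortens that window. The secret is compared with a constant-time function, and the userid is checked against a whitelist before anything else is done with it.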
24. “Single Redirect” SSO
If I traveled to the end of the rainbow
As Dame Fortune did intend
Murphy would be there to tell me
“The pot’s at the other end.”
(Bert Whitney)
Of course, as I alluded to before, even having provided each of these things, there are still inherent weaknesses to the “Single Redirect” SSO method.
25. “Single Redirect” SSO Specific security issues...
Weaknesses in the hand-off process
Parameters visible to the user
Parameters (GET or POST) are “knowable” by the user
The site identifier and referrer are also “knowable”
Brute-force hack of the shared-secret key
Student can see the data that was encoded and the value after the encoding process, so the key can be guessed off-line at leisure; a long random key behind a proper keyed hash makes this impractical, a short or dictionary-word key does not (If 2+ users collaborate, this becomes weaker)
This is more of an internal (user-hacker) vulnerability
Redirection URL contains all data needed to connect
Bookmarking of the URL provides future login without SSO
Timestamp parameter tested on the remote system helps
Provides the user more data for hacking the encoding
NB – Physical security of the server/file with the code/algorithm in it is a security issue with any process, but not listed here. This is not an exhaustive list!
With the “Single Redirect” SSO, the security issue is much worse than some other forms – basically the browser history has a copy of everything it needs to reconnect as the previous user!
[Review slide.]
Discuss browser history, the Back button, form data caching, etc.
26. “Single Redirect” SSO
Politics is the art of looking for trouble, finding it whether it exists or not, diagnosing it incorrectly, and applying the wrong remedy.
(Ernest Benn)
So, having over-analyzed the weaknesses of the “Single Redirect” SSO method, let’s apply some remedy that will overcome the worst of these issues…
27. “Single Redirect” SSO
Improving upon the “Single Redirect” SSO?
Overview of the “Two-Step” SSO
Three-party communication
The Trusted System, the External System, and the end user’s browser all communicate with one another
The client can communicate with both systems
The Trusted System can directly pass information about the client to the External System, and receive a reply
The Trusted System provides the client a (one-time-use) token to give to the External System
The token is provided (to the client and to the External System) via SSL, is only accepted once, and generally only within a fixed time period.
Review the summary.
[For full notes, see the “Two-Step” SSO presentation.]
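As an added example (not code from the presentation, nor from iTunesU or any other product), here is the two-step hand-off summarized above with the server-to-server step simulated by a direct call. The trusted system registers a random token for the user with the external system, waits for the reply, and then redirects the browser with only the token in the URL; the external system accepts the token once, within a fixed lifetime. Class names, the service URL and the 60-second lifetime are assumptions.

```python
"""Two-Step SSO hand-off: one-time, time-limited token.

Added example (not from the presentation). Hypothetical names throughout.
"""
import secrets

TOKEN_TTL_SECONDS = 60                        # assumed token lifetime
EXTERNAL_LOGIN = "https://example.com/sso"    # hypothetical external system


class ExternalSystem:
    """Holds tokens the trusted system registered; each is redeemable once."""

    def __init__(self):
        self._pending = {}   # token -> (userid, expires_at)

    def register(self, token: str, userid: str, now: float) -> bool:
        # Step 1 (server to server, over SSL): the trusted system tells us
        # who this token is for. This is the reply the trusted system waits for.
        self._pending[token] = (userid, now + TOKEN_TTL_SECONDS)
        return True

    def redeem(self, token: str, now: float):
        # Step 2 (browser): the client presents the token in the redirect.
        # pop() consumes it, so a bookmarked or replayed URL finds nothing.
        entry = self._pending.pop(token, None)
        if entry is None:
            return None            # unknown, or already used
        userid, expires_at = entry
        if now > expires_at:
            return None            # issued too long ago
        return userid


class TrustedSystem:
    """The portal or other IdP that has already authenticated the user."""

    def __init__(self, external: ExternalSystem):
        self.external = external

    def start_handoff(self, userid: str, now: float) -> str:
        # The token is random and unguessable; the userid never appears in
        # the URL, so there is nothing for the user to edit or brute-force.
        token = secrets.token_urlsafe(32)
        if not self.external.register(token, userid, now):
            raise RuntimeError("external system did not accept the token")
        return EXTERNAL_LOGIN + "?token=" + token


def token_from_url(url: str) -> str:
    """Extract the token the browser will present (what the redirect carries)."""
    return url.split("token=", 1)[1]


if __name__ == "__main__":
    import time
    ext = ExternalSystem()
    portal = TrustedSystem(ext)
    t0 = time.time()
    url = portal.start_handoff("joe", t0)
    tok = token_from_url(url)
    print(ext.redeem(tok, t0 + 5))    # 'joe'
    print(ext.redeem(tok, t0 + 6))    # None: second use is refused
```

Compared with the single redirect, the browser history now holds only a token that has already been consumed, and the external system learns the userid from the trusted system directly rather than from anything the user can edit. What the token store needs in a real deployment is persistence across processes and a sweep of expired entries; neither changes the logic above.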
28. “Two-Step” SSO
Fact is there's nothin' out there you can't do.
Yeah, even Santa Claus believes in you.
(The Muppet Movie, "Can You Picture That?”)
Before we look at the actual “two-step” single sign-on handoff process...
Read this quote, take a deep breath, and let’s figure it out...
29. “Two-step” SSO – iTunesU SSO
This is my attempt at illustrating the iTunesU handoff...
[Quick overview of steps. See next presentation for more info…]
30. “Single Redirect” SSO
Democracy is the recurrent suspicion that more than half the people are right more than half the time.
(E.B. White)
Let’s have a bit of democracy here and see what questions we can raise, and what discussion (I can’t guarantee answers) may ensue…
31. “Single Redirect” SSO Questions and Discussion
What shall we discuss?
?
32. “Single Redirect” SSO
The scientific mind does not so much provide the right answers as ask the right questions.
(Claude Lévi-Strauss)
I’m not sure how many answers I have provided. But maybe I’ve raised enough questions that you can dig a bit deeper yourself…
33. “Single Redirect” SSO SSO Links
General Information
http://en.wikipedia.org/wiki/Single_sign-on
Proprietary Protocols:
Luminis CPIP
http://www.lumdev.net/index.php
Apple iTunesU
http://apple.com
AlcoholEdu
http://outsidetheclassroom.com
34. “Single Redirect” SSO SSO Links
Open Standards:
CAS – Central Authentication Service
http://en.wikipedia.org/wiki/Central_Authentication_Service
OpenID
http://en.wikipedia.org/wiki/Openid
SAML – Security Assertion Markup Language
http://en.wikipedia.org/wiki/SAML
35. “Single Redirect” SSO SSO Links
Open Standards (continued):
SAML 2.0 Profiles
SAML 1.1
http://en.wikipedia.org/wiki/SAML_1.1
Liberty Alliance – Liberty ID-FF 1.2
http://en.wikipedia.org/wiki/Liberty_Alliance
Shibboleth 1.3
http://en.wikipedia.org/wiki/Shibboleth_%28Internet2%29
36. “Single Redirect” SSO
http://www.wm.edu/it/portal2007/
Visit our portal2007 site to see this presentation, complete with notes and links we’ve looked at today. It will also be on the Gettysburg Portal2007 page.