Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges
Computer Systems Security 2013/2014
Single Sign-On
Bruno Maia, Pedro Borges
December 13, 2013
Contents

1 Introduction
2 Explanation of SSO systems
  2.1 OpenID
  2.2 SAML
  2.3 CAS
3 Protocol authentication process
  3.1 OpenID authentication process
  3.2 SAML authentication process
  3.3 CAS authentication process
4 Benefits and drawbacks of SSO systems
5 Security caveats of the different protocols
  5.1 OpenID caveats
  5.2 SAML caveats
6 FEUP's Single Sign-On System
  6.1 OpenID
  6.2 U.Porto AAI (shibboleth)
7 Conclusion
1 Introduction

Single Sign-On (SSO) is a mechanism whereby a single act of user authentication and authorization permits a user to access all computers and systems on which he has access permission, without having to enter multiple IDs and passwords.

There are various types of SSO architecture. Some deal with a single set of credentials, others with multiple sets of credentials. In the former case there are token-based and PKI-based systems; Kerberos-based and cookie-based systems belong to the token-based SSO family. In the latter case there are credential-synchronization-based systems, secure client-side credential caching systems and secure server-side credential caching systems.

Several SSO mechanisms are available; in this report we chose to detail the most common ones: OpenID, SAML and CAS.

2 Explanation of SSO systems

2.1 OpenID

OpenID is an open, decentralized, free framework for user-centric digital identity. It is a protocol that solves the problem of needing a separate login and password for every web site, for all sites that support OpenID. The OpenID authentication process uses some specific terminology. First, the relying party (RP) is a website that wants to verify an OpenID identity URL; it is sometimes called a consumer. If you want people to log into your site using OpenID, you are the RP. Second, the OpenID provider, also called the identity provider (IdP), is a website that makes assertions as to whether or not the user at the end of the browser owns the URL they claim to own. Last, the user is a person who wants to use a service of the RP by authenticating with OpenID. This protocol does not require prior trust between the service and the identity provider.

2.2 SAML

SAML (Security Assertion Markup Language) is a standard that uses XML to encode authentication and authorization information. Because it is based on XML, SAML is platform-independent.
SAML is also authentication-method-neutral: for example, it can be used to set up federations between PKI-based and Kerberos-based authentication infrastructures. SAML is a product of the OASIS Security Services Technical Committee and dates from 2001; the specification has since been updated. The SAML specification defines three roles: the principal (typically a user), the identity provider (IdP) and the service provider (SP). This protocol requires the SP to be known to the IdP by means of a previously shared certificate in an XML wrapper.
2.3 CAS

CAS (Central Authentication Service) is an open source protocol whose purpose is the use of the same credentials for multiple services through a single centralized identity provider. Every actor in this protocol communicates through XML in the CAS namespace. In this protocol, tickets are issued for every application that the user tries to access.

3 Protocol authentication process

3.1 OpenID authentication process

OpenID is designed for the web environment. OpenID SSO is a kind of cookie-based system. Figure 1 describes the authentication process.

Figure 1: Process of authentication in OpenID-based system (actors: User, SP 1, SP 2, IdP; steps: 1. Access, 2. Auth. Req., 3. Login Req., 4. User info. submit, 5. Response, 6. Permission).

The user contacts SP1 with a URL. SP1 asks the IdP for the user's information. The IdP redirects the user to its login page and asks the user for credentials. The user types his id and password in the login page.
The IdP authenticates the user with the submitted information and sends a certificate to SP1. SP1 verifies the validity of the certificate. If verification succeeds, SP1 responds to the user with the authenticated page.

Figure 2: Process of SSO in OpenID-based system (actors: User, SP 1, SP 2, IdP; steps: 1. Access, 2. Auth. Req., 3. Response, 4. Permission).

Figure 2 shows the SSO process using an authentication assertion. The user contacts SP2 with a URL. SP2 asks the IdP for the user's information. After the IdP receives SP2's request, it verifies the certificate against the session value and recognizes the user who was authenticated via SP1 before. The IdP returns an authentication response to SP2. After SP2 verifies that the user is validly authenticated, SP2 responds to the user with the authenticated page.
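The two flows of figures 1 and 2, as an added simulation that is not part of the report: the first visit to SP1 ends at the IdP login page, the second visit logs in and receives an assertion, and a later visit to SP2 is authenticated from the IdP session cookie alone, without the password being entered again. The class names, the HMAC-signed assertion format and the shared per-SP key are assumptions for illustration; real OpenID negotiates its MAC key and encodes messages differently.

```python
# Added example (not from the report): a minimal simulation of the OpenID-style
# flows of figures 1 and 2. IdP, ServiceProvider, Browser, the assertion layout
# and the per-SP HMAC key are assumptions for illustration, not OpenID's real API.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Assertion:
    claimed_id: str   # who the IdP says the user is
    return_to: str    # the SP endpoint the assertion is meant for
    nonce: str
    issued: float
    sig: str          # MAC over the fields above, keyed per SP


class IdP:
    def __init__(self):
        self.users = {"alice": "correct horse"}   # constructed credential store
        self.sessions = {}                         # cookie -> username
        self.keys = {}                             # SP name -> shared MAC key

    def register_sp(self, sp):
        self.keys[sp.name] = secrets.token_bytes(32)
        return self.keys[sp.name]

    def login(self, user, password):
        if self.users.get(user) != password:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def assert_identity(self, sp_name, cookie, return_to):
        user = self.sessions.get(cookie)
        if user is None:
            return None  # no IdP session: the user has to log in first (figure 1, step 3)
        nonce, issued = secrets.token_hex(8), time.time()
        body = f"{user}|{return_to}|{nonce}|{issued}".encode()
        sig = hmac.new(self.keys[sp_name], body, hashlib.sha256).hexdigest()
        return Assertion(user, return_to, nonce, issued, sig)


class ServiceProvider:
    def __init__(self, name, idp):
        self.name, self.idp = name, idp
        self.key = idp.register_sp(self)
        self.logged_in = set()

    def verify(self, a):
        """Step 5/6 (figure 1) and 3/4 (figure 2): check the assertion before granting access."""
        body = f"{a.claimed_id}|{a.return_to}|{a.nonce}|{a.issued}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if a.return_to != f"https://{self.name}/return":
            return False  # assertion was issued for some other SP
        if not hmac.compare_digest(expected, a.sig):
            return False  # tampered or forged
        self.logged_in.add(a.claimed_id)
        return True


class Browser:
    """Holds the IdP session cookie, as a real browser would."""
    def __init__(self):
        self.idp_cookie = None

    def access(self, sp, credentials=None):
        return_to = f"https://{sp.name}/return"
        a = sp.idp.assert_identity(sp.name, self.idp_cookie, return_to)  # steps 1-2
        if a is None:
            if credentials is None:
                return "login page"  # figure 1, step 3: the IdP asks for credentials
            self.idp_cookie = sp.idp.login(*credentials)  # step 4
            if self.idp_cookie is None:
                return "login failed"
            a = sp.idp.assert_identity(sp.name, self.idp_cookie, return_to)
        return "permission" if sp.verify(a) else "rejected"


def run_flow():
    idp = IdP()
    sp1, sp2 = ServiceProvider("sp1.example", idp), ServiceProvider("sp2.example", idp)
    b = Browser()
    first = b.access(sp1)                               # no IdP session yet
    second = b.access(sp1, ("alice", "correct horse"))  # figure 1: login at the IdP
    third = b.access(sp2)                               # figure 2: no password needed
    return first, second, third, sorted(sp2.logged_in)


def tamper_check():
    """A forged claimed_id with a genuine signature must be rejected by the SP."""
    idp = IdP()
    sp = ServiceProvider("sp1.example", idp)
    a = idp.assert_identity(sp.name, idp.login("alice", "correct horse"), f"https://{sp.name}/return")
    forged = Assertion("admin", a.return_to, a.nonce, a.issued, a.sig)
    return sp.verify(forged)
```

The point the SP code makes is that the assertion is only trustworthy because of two checks: the MAC under the key shared with that particular SP, and the `return_to` binding, so that an assertion issued for SP1 cannot be presented to SP2.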
3.2 SAML authentication process

The SAML authentication process is designed for the web environment. This SSO is based on SAML assertions; all communications use SOAP and proceed as shown in figure 3.

Figure 3: Process of authentication in SAML system (actors: User, SP (service provider), IdP (identity provider); A: user accesses URL in app; B: app generates an auth request and HTTP POSTs it to the IdP, where it is passed and verified; C: user is sent to the login page at the IdP and logs in; D: a SAML token is generated and the user is redirected to the app with it; E: user is logged in to the service provider).

A - A user opens their web browser and goes to mybank.ca, which stores information about all his bank accounts, but mybank.ca does not handle authentication itself.
B - To authenticate the user, mybank.ca constructs a SAML AuthnRequest, signs it, optionally encrypts it and encodes it. It then redirects the user's web browser to the Identity Provider (IdP) in order to authenticate. The IdP receives the request, decodes it, decrypts it if necessary and verifies the signature.
C - With a valid AuthnRequest, the IdP presents the user with a login form in which they enter their username and password.
D - Once the user has logged in, the IdP generates a SAML token that includes identity information about the user (such as their username, etc.). The IdP takes the SAML token and redirects the user back to the Service Provider (mybank.ca).
E - mybank.ca verifies the SAML token, decrypts it if necessary and extracts the identity information about the user, such as who they are and what their permissions might be. mybank.ca now logs the user into its system, presumably with some kind of cookie and session. At the end of the process the user can interact with mybank.ca as a logged-in user. The user's credentials never passed through mybank.ca, only through the Identity Provider.

3.3 CAS authentication process

CAS is a centralized SSO authentication system based on issued tickets. Figure 4 represents a CAS login process.

Figure 4: Process of authentication in CAS system (actors: User, Web Application / CAS client, CAS Server; messages A-H: GET protected resource, 302 to the login URL, GET login URL, 302 back to the client, GET CAS client URL, GET validation URL, 200 from the CAS server, 200 to the browser; the figure also shows the logout URL).
A - A user opens their web browser and goes to mybank.ca, which stores information about all his bank accounts, but mybank.ca does not handle authentication itself.
B - To authenticate the user, mybank.ca redirects the user's web browser to the CAS server.
C - The user sends his credentials to the CAS server, or a Ticket Granting Cookie in the case of an already authenticated user.
D - The CAS server redirects the user's web browser back to the CAS client URL and also sends a cookie with the ST (Service Ticket), which is opaque to every actor except the CAS server.
E - The user's browser sends the ST to the CAS client.
F - The CAS client sends the ST back to the CAS server.
G - The CAS server answers the CAS client's request with the validity of the Service Ticket and additional information about the user.
H - In case of a valid ST, the CAS client sends an OK to the web browser together with the information needed to maintain the session.

4 Benefits and drawbacks of SSO systems

Benefits:
- Unique accounts but several authentications, one each time users access an application.
- Security against password stealing: password transmission is protected and passwords are not transmitted to applications.
- Easy to change the password for multiple accounts.
- Fewer passwords and account details to remember.
- Easy service registration.
- Simpler applications: development can be delegated without delegating authentication.
- Abstract authentication: LDAP, NIS, database, NT, Active Directory, X509 certificates, ...

Drawbacks:
- If authentication details are lost, access to multiple services can be compromised.
- If authentication details are leaked, access to multiple services can be compromised.
- Privacy can be compromised if the identity provider logs your internet activity based on your logins.

5 Security caveats of the different protocols

In this section we describe a few caveats of the OpenID and SAML protocols, in the form of fictitious examples.

5.1 OpenID caveats

Alice signs in with the IdP and sets the domain mybank.ca as trusted, so the IdP will not ask Alice for her credentials when she accesses mybank.ca. A cross-site request forgery exploit is then possible. Take the following as an example: Alice visits a page that contains the following code snippet:

<iframe id="login" src="http://mybank.ca/login?openid_url=bob.dylan.singer" width="0" height="0"></iframe>
<iframe id="transfer" src="http://mybank.ca/transfer_green_money?amount=10000&to=notevilcorp" width="0" height="0"></iframe>

Since Alice is already signed in to the trusted domain mybank.ca, the second snippet runs successfully without Alice's interaction (or knowledge).

Suppose the SP (Service Provider) does not implement a secure communication channel such as HTTPS. In this case the user's details are subject to sniffing when the IdP (Identity Provider) sends the reply back to the user with the return URL and login parameters, information which can lead to replay attacks. This can be solved fairly easily: the server must implement a nonce, which specifies that the information will only be valid once. This protection only works if it is Alice (the user accessing the SP), and not Mallory (a user trying to impersonate Alice), whose message is processed first. If Mallory intercepts the message first and immediately resets the TCP connection, Alice never receives the return URL and Mallory ends up impersonating Alice.
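Both the CAS service-ticket validation of steps F and G (section 3.3) and the nonce recommended against replay in section 5.1 come down to the same server-side rule: a token is accepted exactly once, for the service it was issued to, inside a short validity window. The following registry, an added example that is not the report's or CAS's own code, implements that rule; `TicketServer`, its ticket format and the 30-second lifetime are assumptions for illustration.

```python
# Added example (not from the report): a single-use ticket registry of the kind a
# CAS server needs for steps F/G and that the OpenID nonce of section 5.1 requires.
# TicketServer, the "ST-" ticket format and TTL are assumptions, not CAS's real API.
import secrets
import time


class TicketServer:
    TTL = 30.0  # assumed validity window in seconds

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be tested offline
        self.pending = {}     # ticket -> (service, user, issued_at)

    def issue(self, service, user):
        """Step D: mint an opaque ticket bound to one service and one user."""
        ticket = "ST-" + secrets.token_urlsafe(24)
        self.pending[ticket] = (service, user, self.now())
        return ticket

    def validate(self, ticket, service):
        """Steps F/G: answer the client's validation request, and only once."""
        entry = self.pending.pop(ticket, None)  # pop: any second presentation fails
        if entry is None:
            return {"ok": False, "reason": "unknown or already used"}
        bound_service, user, issued_at = entry
        if bound_service != service:
            return {"ok": False, "reason": "ticket issued for another service"}
        if self.now() - issued_at > self.TTL:
            return {"ok": False, "reason": "expired"}
        return {"ok": True, "user": user}


def demo():
    clock = [1000.0]                                   # constructed fake clock
    srv = TicketServer(now=lambda: clock[0])
    service = "https://mybank.ca/return"

    st = srv.issue(service, "alice")
    first = srv.validate(st, service)                  # legitimate CAS client
    replay = srv.validate(st, service)                 # same ticket presented again

    other = srv.issue(service, "alice")
    wrong = srv.validate(other, "https://other.example/return")  # captured ticket, wrong service

    stale = srv.issue(service, "alice")
    clock[0] += 60                                     # beyond TTL
    late = srv.validate(stale, service)

    return first, replay, wrong, late
```

Note what this does and does not buy: once a ticket has been consumed, a replay is refused regardless of who replays it, which is exactly the section 5.1 observation that the nonce only helps when the legitimate party's validation reaches the server first. Binding the ticket to a service and a short TTL narrows the window further; protecting the transport (HTTPS) is what actually keeps the ticket out of a sniffer's hands.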
There is also a risk of phishing. Imagine that Alice goes to weareangels.com and tries to log in using her OpenID identity, but the relying party redirects Alice to a carbon copy of the real IdP login site instead of the real one; Alice now gives her credentials to Mallory without even realizing it. This problem can easily occur because, with OpenID, we trust the relying party to redirect users to the real IdP login page.

5.2 SAML caveats

Imagine that Alice tries to log in to a service using the SAML protocol, but her DNS was spoofed. This means that Mallory can impersonate the SAML IdP and thereby easily obtain Alice's credentials for later use. This is one example of a man-in-the-middle attack.

On another occasion, Alice again tries to log in using SAML, but this time everything is fine with the DNS provider. The problem this time is that Mallory rewrites the HTTP response and sends Alice's login artifacts to his own site instead of the correct one. Now all systems used by Alice through SAML can be accessed by Mallory.

6 FEUP's Single Sign-On System

6.1 OpenID

Since December 5th, this service is announced as deactivated from 1st January 2014 onwards. This is a step backwards regarding the openness of FEUP's services. The service can be used to authenticate any person who has credentials for FEUP's information system. The user identity is identified by the page shown in figure 5.

Figure 5: FEUP's OpenID client identifier page.

At the URL shown in figure 6, a logged-in user can see every authentication made using OpenID (date/time, URL, IP address, result (authorized/not authorized)).
Figure 6: FEUP's OpenID client history page.

The biggest advantage of this service is that anyone can use it to create an application that relies on FEUP's authentication.

6.2 U.Porto AAI (shibboleth)

This service allows a up.pt-wide sign-on. It uses Shibboleth, an open source application that implements the SAML protocol. Its biggest disadvantage is that the service provider must exchange SAML metadata XML with the identity provider beforehand. This makes the development of new applications, by students for example, harder.

Figure 7: U.Porto AAI entry point.
Figure 8: U.Porto AAI authentication by password challenge.

Figure 9: U.Porto AAI limitations.

As far as we know, the only services that use this identity provider are sigarra.up.pt and moodle.up.pt, and we do not know how open the administrators of this system are to allowing third-party apps to take advantage of it. For example, figure 9 shows a limitation of this implementation: it does not allow users to log out from services without restarting the browser. This can lead to security risks if for some reason the user does not close the browser completely on a shared computer.
7 Conclusion

There are many SSO protocols available; we chose to investigate only a few in the time available. We learned a lot about the implementation and inner workings of SAML, CAS and especially OpenID. We think that UP's and FEUP's SSO identity providers do not give developers and users the best experience, and there is much work that can be done in this area. What we regret most is that, because of the complexity and the limited time, we could not implement our own SSO identity provider, client and service to show a live demo of the communication protocol between all the participants.
More informationStep-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x
Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Sverview Trust between SharePoint 2010 and ADFS 2.0 Use article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies
More informationAAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle lukas.haemmerle@switch.ch
AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes Lukas Hämmerle lukas.haemmerle@switch.ch Berne, 13. August 2014 Introduction App by University of St. Gallen Universities
More informationWhy Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)
Why Identity Management Identity Management Claudiu Duma Identity crisis Privacy concerns Identity theft Terrorist threat Department of Computer and Information Science cladu@ida.liu.se What We Cover Digital
More informationINUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE
INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE SAML 2.0 CONFIGURATION GUIDE Roy Heaton David Pham-Van Version 1.1 Published March 23, 2015 This document describes how to configure OVD to use SAML 2.0 for user
More informationOnly LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.
This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and
More informationLeveraging SAML for Federated Single Sign-on:
Leveraging SAML for Federated Single Sign-on: Seamless Integration with Web-based Applications whether cloudbased, private, on-premise, or behind a firewall Single Sign-on Layer v.3.2-006 PistolStar, Inc.
More informationHow To Use Saml 2.0 Single Sign On With Qualysguard
QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,
More informationSalesforce1 Mobile Security Guide
Salesforce1 Mobile Security Guide Version 1, 1 @salesforcedocs Last updated: December 8, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationWeb Access Management and Single Sign-On
Web Access Management and Single Sign-On Ronnie Dale Huggins In the old days of computing, a user would sit down at his or her workstation, login to the desktop, login to their email system, perhaps pull
More informationHP Software as a Service. Federated SSO Guide
HP Software as a Service Federated SSO Guide Document Release Date: July 2014 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying
More informationHow to create a SP and a IDP which are visible across tenant space via Config files in IS
How to create a SP and a IDP which are visible across tenant space via Config files in IS This Documentation is explaining the way to create a SP and IDP which works are visible to all the tenant domains.
More informationA Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most
More informationFrom centralized to single sign on
The LemonLDAP::NG project Abstract LemonLDAP::NG is a modular WebSSO (Web Single Sign On) software based on Apache::Session modules. It simplifies the build of a protected area with a few changes in the
More informationWHITE PAPER Usher Mobile Identity Platform
WHITE PAPER Usher Mobile Identity Platform Security Architecture For more information, visit Usher.com info@usher.com Toll Free (US ONLY): 1 888.656.4464 Direct Dial: 703.848.8710 Table of contents Introduction
More informationWeb Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict 2010. All rights reserved
Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010 Fedict 2010. All rights reserved What is Entity Authentication? Entity authentication is the process whereby one party
More informationUsing WS-Security and SAML for Internet Single Sign On Darren Miller
Using WS-Security and SAML for Internet Single Sign On Darren Miller Abstract Single Sign On solutions are desirable to reduce the number of usernames and passwords that each user has to manage. Managing
More informationWebNow Single Sign-On Solutions
WebNow Single Sign-On Solutions Technical Guide ImageNow Version: 6.7. x Written by: Product Documentation, R&D Date: June 2015 2012 Perceptive Software. All rights reserved CaptureNow, ImageNow, Interact,
More informationWeb Applications Access Control Single Sign On
Web Applications Access Control Single Sign On Anitha Chepuru, Assocaite Professor IT Dept, G.Narayanamma Institute of Technology and Science (for women), Shaikpet, Hyderabad - 500008, Andhra Pradesh,
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationIntegrating Apex into Federated Environment using SAML 2.0. Jon Tupman Portalsoft Solutions Ltd
Integrating Apex into Federated Environment using SAML 2.0 Jon Tupman Portalsoft Solutions Ltd Introduction Migration challenge Federated vs Single sign-on SAML process flow Integrating Apex and Weblogic
More informationImplementation Guide SAP NetWeaver Identity Management Identity Provider
Implementation Guide SAP NetWeaver Identity Management Identity Provider Target Audience Technology Consultants System Administrators PUBLIC Document version: 1.10 2011-07-18 Document History CAUTION Before
More informationOpen-source Single Sign-On with CAS (Central Authentication Service)
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright 2004 ESUP-Portail consortium Open-source Single Sign-On with CAS Single Sign-On
More informationLiberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009
CSRF Review Liberty Alliance CPSC 328 Spring 2009 Quite similar, yet different from XSS Malicious script or link involved Exploits trust XSS - exploit user s trust in the site CSRF - exploit site s trust
More informationSetup Guide Access Manager 3.2 SP3
Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE
More informationSingle Sign on Using SAML
Single Sign on Using SAML Priyank Rajvanshi, Subhash Chand Gupta Abstract- With the proliferation of SaaS and other web-based applications, identity management is becoming a major concern for businesses.
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is
More informationJVA-122. Secure Java Web Development
JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard
More informationArchitecture of Enterprise Applications III Single Sign-On
Architecture of Enterprise Applications III Single Sign-On Haopeng Chen REliable, INtelligent and Scalable Systems Group (REINS) Shanghai Jiao Tong University Shanghai, China e-mail: chen-hp@sjtu.edu.cn
More informationSingle Sign-On for the UQ Web
Single Sign-On for the UQ Web David Gwynne Infrastructure Architect, ITIG, EAIT Taxonomy Authentication - Verification that someone is who they claim to be - ie, only the relevant user
More informationAlfresco Share SAML. 2. Assert user is an IDP user (solution for the Security concern mentioned in v1.0)
Alfresco Share SAML Version 1.1 Revisions 1.1 1.1.1 IDP & Alfresco user logs in using saml login page (Added info about saving the username and IDP login date as a solution for the Security concern mentioned
More informationSingle Sign-On Implementation Guide
Single Sign-On Implementation Guide Salesforce, Winter 16 @salesforcedocs Last updated: November 4, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark
More informationShibboleth Identity Provider (IdP) Sebastian Rieger sebastian.rieger@gwdg.de
Shibboleth Identity Provider (IdP) Sebastian Rieger sebastian.rieger@gwdg.de Gesellschaft für wissenschaftliche Datenverarbeitung mbh Göttingen, Germany CLARIN AAI Hands On Workshop, 25.02.2009, Oxford
More informationOpenSSO: Cross Domain Single Sign On
OpenSSO: Cross Domain Single Sign On Version 0.1 History of versions Version Date Author(s) Changes 0.1 11/30/2006 Dennis Seah Contents Initial Draft. 1 Introduction 1 2 Single Domain Single Sign-On 2
More informationDell One Identity Cloud Access Manager 8.0.1 - How to Develop OpenID Connect Apps
Dell One Identity Cloud Access Manager 8.0.1 - How to Develop OpenID Connect Apps May 2015 This guide includes: What is OAuth v2.0? What is OpenID Connect? Example: Providing OpenID Connect SSO to a Salesforce.com
More informationCA Nimsoft Service Desk
CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More information