Serge Vereecke, Security Architect, IBM Security Services, serge_vereecke@be.ibm.com
The Challenges of Web single sign-on
GSE Event, September 7, 2012
Agenda: Single sign-on technology; Why single sign-on; Challenges of single sign-on; Technology journey of SSO; SSO use case; Lessons learned; Summary
Single sign-on technologies: Single sign-on; Goal of SSO; Technology failed to live up to consumer expectations
Single sign-on technologies: Terminology & synonyms; Definition & properties
Single sign-on: user perspective. BEFORE vs. AFTER Access Manager Security Services: unified policy, single user registry, centralized audit and other services (J2EE). Figure 1. Unified, Policy-Based Security for the Web
Single sign-on: IT perspective
Single sign-on technologies: Classes of SSO
Technology shifts: Technology shift impact on SSO
SSO Technology journey: Kerberos technology
SSO Technology journey: Web access management technology
SSO Technology journey: Federated Identity technology
Scenario: Provide Federated SSO to employees and customers, using internal and partner applications. Parties in the diagram: Customers and the Customer Portal; the existing Web Access Management solution; the Employee Portal and Portal Server; Federated Identity Management (e.g. TAMeb); Billing Processing; partner services such as a Travel Services Provider (travel bookings), a 401K provider (financial/401K/benefits), regional insurance providers, tax/salary information and education. We all use this every day!
SSO Technology journey: Web services technology
SSO Technology journey: web services token exchange. A Requestor, a Security Token Service (STS) and a Provider each hold a Policy; the STS issues a Security Token carrying Claims. 1. Get Token: the requestor obtains a security token from the STS. 2. Send Message (including token): the requestor sends its message, with the token attached, to the provider. 3. Validate Token: the provider validates the token and its claims.
Identity Federation and Web Services require trust. This trust is based on agreements between partners and is expressed as policies. Trust can be enabled by technology: trust requirements are expressed as infrastructure policies and requirements; security tokens include identity information; cryptographic keys are used to sign security tokens. The technology needs to be standards based: standard ways to express and exchange policies that reflect trust relationships, and an agreed token format, information content, signing and encryption methods.
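The three-step exchange on this slide (get token, send message with token, validate token) as an added Python example; it is not from the presentation or from any IBM product. It assumes a shared HMAC key between the STS and the provider as a stand-in for the signing keys the slide mentions, and constructed issuer and audience names.

```python
import base64, hashlib, hmac, json

# Constructed values: a shared HMAC key stands in for the signing keys the partners' trust policy would establish.
STS_KEY = b"constructed-shared-key-between-sts-and-provider"
STS_ISSUER = "urn:example:sts"
PROVIDER_AUDIENCE = "urn:example:provider"
TOKEN_LIFETIME = 300  # seconds a token stays valid

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, audience: str, now: int) -> str:
    """Step 1 (Get Token): the STS signs a token carrying the requestor's claims."""
    body = {"iss": STS_ISSUER, "aud": audience, "iat": now, "exp": now + TOKEN_LIFETIME, "claims": claims}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(STS_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig)

def send_message(token: str, body: dict) -> dict:
    """Step 2 (Send Message): the requestor attaches the token to its message."""
    return {"security_token": token, "body": body}

def validate_token(token: str, now: int) -> dict:
    """Step 3 (Validate Token): check signature, issuer, audience and lifetime, then return the claims."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(STS_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("token signature invalid")
    body = json.loads(_unb64(payload))
    if body["iss"] != STS_ISSUER:
        raise ValueError("token not issued by the trusted STS")
    if body["aud"] != PROVIDER_AUDIENCE:
        raise ValueError("token not issued for this provider")
    if not body["iat"] <= now < body["exp"]:
        raise ValueError("token expired or not yet valid")
    return body["claims"]

def token_is_valid(token: str, now: int) -> bool:
    try:
        validate_token(token, now)
        return True
    except ValueError:
        return False

def handle_message(message: dict, now: int) -> dict:
    """Provider entry point: the message is accepted only if its token validates."""
    claims = validate_token(message["security_token"], now)
    return {"accepted": True, "user": claims["sub"], "body": message["body"]}
```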
SSO Technology journey: User centric identity technology
OAuth: What is it? Resource Owner: the user who wants to share information. OAuth Service Provider: provides access based on the Resource Owner's authorization. Consumer (or Client): the user or application that wants to access the information. OAuth is delegated authorization for enabling the sharing of information.
SSO Technology journey
Customer example: Securing access and SSO to banking applications
Customer example: Securing access and SSO to banking applications. Credential flow from the TAMeB WebSEAL server to WebSphere Application Server: WebSEAL forwards the request together with proof of server identity, the user identity and the credential; on WebSphere, the Web Authenticator (ETAI) validates the origin using the proof of server identity and returns the identity; the credential is built and placed in a Java Subject as a PDPrincipal with its credential.
Customer example: Securing access and SSO to banking applications. Local Response Redirect (LRR) flow between the Browser, the WebSEAL instance and the LRR application (SharePoint 2010): the browser sends a request; WebSEAL determines that it needs a local response and redirects the browser to the Local Response Redirect URL, Http://websealhostname/lrr/handler.aspx?tam_op=value?macro=value; the browser sends a request to that URL; the LRR application generates the page and returns the response.
SSO Architecture - TAI++. Components shown: Browser; TAM WebSEAL; EAI; TFIM STS; SharePoint 2010; Web Application with TAI++; TMRP++ STS; User management system; HTTP(S) connections between them.
SSO use case: lessons learned
Scenario: Securing access to SaaS and Services in Cloud. In the diagram, SMB A and Enterprise B each run a FIM BG that exchanges SAML with Google Apps; other parties are Partners/Consumers, Merged Companies and Application Providers. With Tivoli Federated Identity Manager: Single Sign On to Salesforce.com CRM resources based on authentication to the enterprise directory only; access to Salesforce.com CRM resources in context and based on web & email launch points (providing the user with seamless navigation across applications).
Summary
Questions?