Ubilogin SSO Product Description Copyright Ubisecure Solutions, Inc., All rights reserved.
Contents

1. Introduction
2. Ubilogin SSO components
   2.1. Ubilogin Authentication Server
        Management
        Identity repository integration
        Identity Broker Engine (IBE)
        External Authorization
   2.2. Ubilogin Security Proxy
   2.3. Ubilogin Web Agents
   2.4. Ubilogin SAML Service Providers
   2.5. Ubilogin Authentication Providers
        Windows Authentication Provider
        Certificate Authentication Provider
        ETSI MSS Provider
   2.6. Ubilogin Web Services IDP
   2.7. Ubilogin Attribute Authority
   2.8. Ubipass
3. Supported standards
   3.1. OASIS SAML 2.0 specification
   3.2. WS-Federation
   3.3. Liberty ID-WSF 2.0 specification
   3.4. ETSI TS 102-204 Mobile Signature Service
4. Ubilogin SSO use cases
   4.1. Protecting applications extending information availability
        Authentication
        Authorization
        Ubilogin eidm and iidm solutions
   4.2. Regulatory compliance
        Internal regulations in organizations, security policy
        SOX, HIPAA etc.
        Centralized Audit Trails of application access
   4.3. egovernment authentication
   4.4. SSO across the enterprise landscape
        Web-SSO
        Cross Domain Windows SSO
   4.5. Web Services authentication for SOA
   4.6. Federation across multiple domains
   4.7. Preventing phishing
5. Conclusions of the advantages provided by Ubilogin SSO
6. Contact Information

22.09.2008 Copyright Ubisecure Solutions, Inc., All rights reserved.
1. Introduction

For business entities, on-line services mean 24/7 availability for customer and partner services. Partners can get updated information when needed, view inventories, order products and services on-line, etc. Customers can conduct business with the provider around the clock, and with integration to backend systems the performance and effectiveness of the organization can reach new levels.

On-line egovernment services are multiplying rapidly. It's not just businesses that go on-line to improve their services to their partners and customers; governments, too, are offering services to citizens. The benefits are quite obvious. Instead of physical interaction at a fixed and limited number of points of service, citizens can conduct their affairs with the government agencies on-line. The cost savings are enormous: a visit costing 50 becomes an electronic transaction costing 0,50, or even less.

But there are some things to consider carefully before creating these services. What are the services required for? What is the nature of the information or service that I'm giving people access to? Am I at risk of disclosing confidential information to the wrong people? Extending the information availability has many upsides, but it can also have downsides if the most vital information of an organization is not protected prudently. The identity of the person accessing these services and information must be carefully verified. In this day of constant threat of identity theft, confidential resources should be protected by using stronger authentication methods than just a username and a password.

For internal services it is beneficial to consolidate the access control to a single place. This normally yields Single Sign-On to the services as well as rapid responses to internal or external changes and emerging threats. Single Sign-On alone has proved its value through several studies and can provide quick ROI.
Thanks to new standards such as Liberty ID-WSF, even legacy applications can be integrated to the centralized authentication and authorization platform. The Ubilogin SSO product family provides the tools for identity consolidation, authentication and authorization for organizations from small to the largest ones. This document outlines the major features of the Ubilogin family and gives you a couple of use case scenarios. For a more in-depth view of Ubilogin SSO, please take a look at the Ubilogin Technical Reference document.
Figure 1: Overview of Ubilogin SSO's key functional areas: Authentication, Access Management, Identity Federation, Identity Management Integration, and User & Group Management. Functions listed in the figure: 20+ authentication methods, external authentication, Role-Based Access Control, authorization policies, standards-based federation, identity attribute queries, Windows SSO, identity information consolidation, user management, site management, groups management, application agents management, mappings, logging and reporting.
2. Ubilogin SSO components

The Ubilogin SSO solution consists of different components, each of which has a specific function. Together these components form a flexible and easy to deploy solution for user authentication and authorization as well as identity management integration.

Figure 2: Overview of Ubilogin SSO's main functions and modules. Modules shown: Ubilogin Authentication, Ubilogin Access Management, Ubilogin Federation, Ubilogin IBE (Identity Broker Engine) and Ubilogin Server Management, surrounded by external repositories such as Active Directory, Ubilogin Web Agents, Ubilogin Web Services IDP and Ubipass.

2.1. Ubilogin Authentication Server

The Ubilogin Authentication Server is the heart of the Ubilogin SSO software product. The authentication server handles all the authentication events, integrates to existing user repositories and creates the identities used to authenticate and authorize the user.

The authentication server is a collection of Java applications. As the solution is based on Java technology, the requirements for deployment rely on application server support only. Basically any standards-based Java application server can be used. Officially Ubilogin SSO supports the following application servers for hosting the Ubilogin Authentication Server itself:

- Apache Foundation Tomcat application server
- BEA WebLogic application server
- Resin application server

For other application servers, please contact Ubisecure.

Management

Ubilogin management and day-to-day administration is handled with a web browser. Through the management application, changes in the configuration are easy to make, and these changes can be deployed to the application servers in a few seconds. For security professionals this gives the opportunity to adapt to external changes. External changes could be new threats that can be minimized by changing the way people are authenticated. Internal requirements may change also, which means that e.g. a new group of users needs to access certain services. Through Ubilogin management this permission can be given to the group quickly and securely.

Figure 3: The Ubilogin management application.

Ubilogin Management is the application where, firstly, Sites are created and managed; secondly, where Ubilogin Web Agents protecting applications and services are managed; and thirdly, where SAML 2.0 Service Providers are integrated to Ubilogin SSO. The administrator has quite free hands in creating the Site hierarchy, which makes it easier to implement a system that follows the real world, that is, the organizational structure, the actual business processes or geographical locations. Each Site can have a dedicated administrator. A Site administrator neither has access to nor sees other Sites. This makes it possible to create a level of separation of duties within the organization.

Identity repository integration

Identities can be stored in the Ubilogin Directory, but in most cases companies already have an identity repository or repositories for their users, such as Microsoft Active Directory. Ubilogin SSO can integrate to the existing repositories where the users are maintained. If the organization has several user repositories, then Ubilogin SSO can provide identity consolidation through central management of identities and their usage in authorization.
Identity Broker Engine (IBE)

Figure 4: The Ubilogin Identity Broker Engine.

In real life we tend to have several different credentials. Our bank may have issued a One-Time-Password list to us or given us a smart card; our identity as a citizen may be stored on a smart card or on the SIM card of a mobile phone. We have several accounts in various services that we use, and most of them use password authentication. In the office we usually log on to the network using Windows Domain authentication. Within a large organization there may be a couple of different methods available for user authentication. Service providers may need to offer several different ways to authenticate a user. We have to keep track of all these credentials, and they need to be managed accordingly. Eventually this becomes very stressful for any person, and that may lead to actions that compromise security, as individuals might become too inventive in finding practical ways to handle the hassle.

Another issue regarding consolidation has to do with the authentication services. Different authentication methods give information on the user in different ways. A password-based authentication does not tell much about the user; we may only get some user-id. For application servers that need to control the access of users in much finer-grained detail, this is not enough.

From the organization's point of view, authentication methods can be divided into two categories, external and internal. Internal authentication methods are those controlled by the organization itself, and external authentication methods are controlled by a third party. This third party can be a partner or perhaps an external identity provider. When the company controls the internal authentication methods, it usually also commands the attributes related to this type of authentication. This can be achieved using Ubilogin SSO and its directory integration features.
Companies need to grant access to their resources for external users. An external user may be an employee of the company who is accessing the resources remotely, a partner that needs to access services provided by the company, or, for egovernment, the citizen who uses the egovernment services provided 24/7 over the network. A common denominator is that when using external authentication methods, the information available about the user is limited.

The Ubilogin Identity Broker collects the information from the authentication event and integrates that information with information from other external or internal data sources. Through IBE companies can use e.g. government-issued certificates to authenticate their remote workers. IBE ties the information from the certificate to the person's company-internal identity and can deliver this information from the internal data sources to the application server, so that it becomes available also on the application level. IBE gives the flexibility to choose an appropriate authentication mechanism from all the available methods and still deliver the necessary complete identity information to the application servers. The identity information may include attributes such as roles, groups etc. that can be used to implement policy-based access control in Ubilogin SSO and fine-grained access control in the application servers.

External Authorization

Sometimes authorization information already exists in the company. Ubilogin SSO supports integration to external authorization sources through an API, with which companies can easily integrate their current authorization information to the Ubilogin SSO authentication and authorization solution.

2.2. Ubilogin Security Proxy

Figure 1: Ubilogin Security Proxy, simple setup.

Sometimes the IT department is used to working with proxies. A very typical situation is that applications are published through a proxy that resides in the DMZ.
Ubilogin Security Proxy can be used to publish sensitive applications securely to the Internet. Ubilogin Security Proxy protects the published applications by verifying the user's identity and authorization to use that particular application. The integration between the Ubilogin Security Proxy and the back-end applications can happen in different ways. In a typical situation the integration options could be:

- HTTP Header: SAP, IBM WebSphere etc.
- Kerberos: Microsoft SharePoint Services, Microsoft Outlook Web Access etc.

The Ubilogin Security Proxy also supports other back-end integration options such as Basic Authentication, so that almost every application can be published and protected using the Ubilogin Security Proxy.

2.3. Ubilogin Web Agents

The Ubilogin Web Agents are the components that are installed to protect the resources that need authentication and authorization. The Ubilogin Web Agents' job is to protect a resource, offer a proper and strong enough authentication of users and relay authorization attributes to the protected application. As Ubilogin SSO supports around 20 different methods of authentication, it is very easy to match the required authentication method to the level of confidentiality that should be preserved in the resource. There are Ubilogin Web Agents covering all major web servers, application servers and business applications.

Ubilogin Web Agents can be deployed in a number of ways. The most common way is to integrate the Web Agent into the server where the actual application is running. The Web Agent can protect all applications, or the protection can be deployed selectively, leaving other applications as public applications. Some situations require SSL accelerators or load balancing solutions before the actual application can be reached; or the Ubilogin Web Agent can act as a front-end server protecting the applications behind it.

Figure 5: Protecting all of the applications in the application server using a Ubilogin Web Agent.
Figure 6: Protecting some of the applications in the application server, leaving others as public applications.

Figure 7: Ubilogin Web Agent installed into a front-end server.

Each user that tries to connect to an application protected by Ubilogin Web Agents is authenticated. If they haven't authenticated themselves already, they are redirected to the authentication page, where credentials are submitted and verified. If the verification is successful, the user gets an SSO ticket (SSO, Single Sign-On) from the authentication server. This SSO ticket is then used in all other applications as well, as long as it is valid: when a Web Agent verifies that the ticket is valid, and hence also that the user is authorized to access the second resource, the user is granted access to the resource without any additional authentication interaction. Of course, if the resource that the user is trying to access requires stronger authentication than the previous resource, the user is redirected to the authentication server for additional authentication.

2.4. Ubilogin SAML Service Providers

The world of authentication today is full of different standards. Standards are excellent things, but when they lack truly productized implementations, they can be troublesome to take into actual use. This is very true of SAML 2.0 on the service provider side. While there are several SAML 2.0 capable Identity Providers, such as Ubilogin SSO, there have been only half-decent SAML Service Provider implementations available at best. Ubilogin SAML Service Provider products are intended for quick service provider integration to the authentication and authorization infrastructure. Ubilogin SAML Service Provider products are, as their name says, real products and not just libraries or source code collections for building your own SAML 2.0 support for the service provider. With Ubilogin SAML Service Provider products the SAML 2.0 integration can happen in mere hours or in a day's work.

Another challenge has been the inclusion of authorization for the service providers. In the world of RBAC (Role Based Access Control), applications and services are utilizing roles more and more every day. Roles are used to associate the user's privileges with a certain set of permissions in the applications. Ubilogin SAML Service Providers can deliver this information to the applications during authentication, in SAML assertions, as a collection of attributes about the user. These attributes can then be used to determine the actual privileges of the user in the application. You can use Ubilogin Web Agents to achieve the same thing, but with Ubilogin SAML Service Providers you have an extra asset that you can use: Ubilogin SAML Service Provider products have built-in support for SAML 2.0 AttributeQuery.
Through the AttributeQuery the service or the application can ask the Identity Provider directly for the user's attributes. There are some benefits to this type of functionality:

- User attributes do not go through the user's browser, which may improve privacy.
- Attributes can be queried at run-time during a session. This is highly useful when large or valuable transactions are signed or committed. A run-time AttributeQuery gives the most recent and up-to-date information on the user's privileges, and it can be recorded to the application audit trails for compliance or other purposes.

Ubilogin SAML Service Providers are available for different platforms. Please check our web site for up-to-date information on our standard support.

2.5. Ubilogin Authentication Providers

Ubilogin Authentication Providers are components that integrate to an existing authentication infrastructure such as a Windows Domain or a PKI. Hence, Ubilogin Authentication Providers are something else and functionally very different from Ubilogin Web Agents, as Ubilogin Web Agents are Ubilogin SSO components that are designed to protect a resource or asset. Ubilogin Authentication Providers, on the other hand, do not protect resources. Instead, they are used for integration. The functionality of the Ubilogin Authentication Providers could quite correctly also be interpreted as identity federation, where e.g. a Windows Domain identity can be used to achieve Single Sign-On to all the services that are protected by Ubilogin Web Agents. But for clarity, in this document the federation term is used only for cross-domain identity transfer. After the installation of a Ubilogin Authentication Provider, it can be selected as an authentication method for services that use Ubilogin Web Agents, SAML SPs or WS-Federation for site protection.
Windows Authentication Provider

The Ubilogin Windows Authentication Provider provides SSO functionality for Windows Domain users to Ubilogin Web Agent, SAML SP or WS-Federation protected sites. The Ubilogin Windows Provider is installed to the domain where the users are located. Once the Ubilogin Windows Provider has been installed and configured, users that belong to that particular domain can have SSO access to the services, even if these services are not located in the same domain. The Ubilogin Windows Provider is installed to the Microsoft IIS server and requires access to the Active Directory of the domain where the users are maintained. The Authentication Server and Web Agents can be installed into a different domain.

Certificate Authentication Provider

One of the strongest methods of authentication is PKI-based authentication. X.509 certificates stored in a tamper-resistant device provide a high level of security for the end user and the organization. The Ubilogin Certificate Authentication Provider provides the necessary link between the PKI and the Ubilogin Authentication Server, as well as the Ubilogin Web Agents, SAML SPs or sites protected by WS-Federation components. The Ubilogin Certificate Authentication Provider integrates the PKI to the Ubilogin Authentication Server and makes it possible to authenticate users to Ubilogin Web Agent protected services using X.509 certificates. The component is usually installed to the same application server where the Ubilogin Authentication Server is installed. The main functionality of the Ubilogin Certificate Authentication Agent is to verify that the certificate is valid, by checking that the signature is valid and that the certificate is not revoked (CRL, Certificate Revocation List).
ETSI MSS Provider

The ETSI MSS Provider provides a standards-based way to integrate mobile authentication based on certificates (commonly referred to as Wireless-PKI) for the authentication service provider using Ubilogin Authentication Server. The main advantage of the ETSI MSS implementation, compared to other Wireless-PKI implementations, is that the authentication service provider needs to integrate to only one mobile operator network. Other operators are reached through roaming, where the operator connected to the authentication service provider handles the delivery of the authentication request to the correct operator, the one with which the user has the subscription (that is, the SIM card in GSM networks). Traditionally mobile authentication based on certificates has lacked flexibility due to insufficient standardization, but ETSI has standardized how these mobile signature requests should be transferred from the service provider to the operator, and how they should interoperate between different operators. Interoperable interfaces between operators make it possible to offer roaming of digital signatures to the service providers, while the end users can authenticate through a single authentication service.

2.6. Ubilogin Web Services IDP

The Ubilogin Web Services IDP component provides standards-based authentication mechanisms for Web Services applications. Ubilogin Web Services IDP relies on Liberty standards, namely the Liberty ID-WSF 2.0 specification. Ubilogin Web Services IDP is an optional component for all Ubilogin SSO installations. The component opens up the possibility to integrate SOA (Service Oriented Applications) services to the centralized identity, authentication and authorization platform.
2.7. Ubilogin Attribute Authority

As a part of the support for the SAML 2.0 specification, Ubilogin SSO provides an interface for applications to implement attribute queries. The attribute query makes it possible to relay information in the backend, between the identity provider (Ubilogin SSO) and the application.

2.8. Ubipass

Most remote workers that can't use browser-based applications connect to the corporate network using VPN client software. Ubipass provides integration to the VPN gateway through a RADIUS interface. If the VPN gateway supports external authentication through RADIUS, a set of the strong authentication methods that Ubilogin SSO supports become available, most notably SMS-based Ubikey SMS authentication as well as WPKI-based authentication. For remote workers the combination of VPN client software with SMS-based authentication means flexible and secure ways of working from the field. For the corporation the SMS authentication improves security by providing an additional layer of risk management, as the authentication is not based on username and password only.
3. Supported standards

Ubisecure is committed to developing standards-based products and solutions. Ubisecure products support open standards for interoperability and easy connectivity to third-party products. Standards-based solutions can be integrated to Ubilogin SSO easily, reducing the time-to-market and ensuring that the developed solutions will work flawlessly in the future. With the release of Ubilogin SSO 4.0, Ubisecure expanded the support for open standards to WS-Federation. This means that the Ubilogin Authentication Server is one of the few IDPs in the world to support such a wide palette of open standards for user authentication and authorization.

3.1. OASIS SAML 2.0 specification

Security Assertion Markup Language (SAML) is a collection of specifications aimed at standardizing how identities are transferred between different entities on the Internet. Federation is a commonly used term that can be related to SAML, which more accurately is much more than just federation. Previously Project Liberty, another standardization organization, maintained its own specification for identity federation, Liberty ID-FF, but delivered the results of its work as input to SAML 2.0 and has now adopted SAML 2.0 as its new federation standard. This is a welcome adoption, as now there is only one common standard instead of two competing standards. There's also an additional specification available, called WS-Federation, which uses parts of the SAML specification, namely the assertions.

At its core, SAML is about assertions. These assertions can be interpreted as containers of identity information. Assertions are exchanged by identity providers and service providers in order to authenticate the user. Assertions can include attribute information as well. Ubilogin supports the SAML 2.0 specifications that provide authentication and attribute information exchange between the identity provider (Ubilogin SSO) and the service provider.
The Ubilogin SAML Agents are implementations of web agents that utilize the SAML 2.0 standard.

3.2. WS-Federation

The Ubilogin Authentication Server supports the WS-Federation standard, passive requestor profile, for user authentication. WS-Federation is widely used and supported by companies such as BEA, Microsoft, IBM etc. With WS-Federation, companies can federate their users between Ubilogin SSO and other WS-Federation interoperable products and services. Although WS-Federation makes use of SAML tokens, it is a completely different protocol compared to SAML. Readers of this document should also note that the lingo of the WS-Federation world differs from that of the SAML world. But basically they both perform the same tasks and can accomplish the same end results; only the technology under the hood is somewhat different.

3.3. Liberty ID-WSF 2.0 specification

Project Liberty has created a standard that can be used to integrate SOA applications as well as other legacy client-server applications to the standards-based authentication and authorization infrastructure. Liberty ID-WSF (WSF, Web Services Framework) provides the framework to implement the necessary components into the client and server applications for integration. Ubilogin SSO supports the Liberty ID-WSF 2.0 specification.
3.4. ETSI TS 102-204 Mobile Signature Service

As mentioned earlier in this document, roaming mobile authentication has previously been quite difficult to implement due to the lack of standards. ETSI has created standards for roaming mobile signatures, which are rapidly being deployed by the mobile operators. Ubilogin SSO supports the 204 section of the mobile signature service standard. Support for ETSI 102-204 makes it extremely easy for organizations to implement mobile and strong authentication based on certificates stored on the SIM card of the mobile terminal.
4. Ubilogin SSO use cases

Ubilogin SSO can be used in various ways in an organization. This section of the document describes a few use cases that can be implemented with Ubilogin SSO.

4.1. Protecting applications extending information availability

One of the most important capabilities that the Ubilogin SSO solution offers for organizations is the ability to protect their information in a flexible way. The information that a company possesses is its strongest and most important asset. Within an organization there are several types of information that are categorized differently in terms of security. There is information or data with varying degrees of confidentiality requirements, ranging from public information to top secret levels. Some of the information has stronger requirements for integrity than confidentiality; and some of the data should always be available for the users, perhaps even when confidentiality or integrity can be compromised.

Authentication

The company security policy outlines how information should be protected and distributed. The rules and guides that are derived from the security policy define how these goals can, or should, be achieved. As the information that the company possesses is its most valuable asset, a decision to share it always requires definitions on how it is protected. One of the first things in managing risk in information sharing is to ensure that the user that can access or change information (confidentiality, integrity) is really a valid entity. Depending on the confidentiality level of the information, different authentication mechanisms are required. Availability requirements can also have an impact on the authentication method chosen to protect the resource. The wide application platform support and over a dozen different supported authentication mechanisms make it very easy for organizations to select appropriate risk management practices and implement them using Ubilogin SSO.
Authorization

When a user is accessing a particular resource, he or she goes through a process that verifies that the user actually has the right to use the desired resource. The process begins when the user tries to access the resource. If the user is not authenticated, he or she must present credentials that are then verified. If the credentials that the user provided are correct and accepted by the service providing the resource, the user is authenticated. In the process, authentication is the first step implemented by the service. After authentication the service may require further decisions on how the user can act in the service.

Upon authentication, Ubilogin SSO can deliver a variety of information about the user, stored in the data repositories that are integrated to Ubilogin SSO. These attributes are then transferred to the application, and the application can make decisions based on this information. A user can be authorized to perform certain tasks, while other tasks are out of his or her reach, based on the attributes delivered by Ubilogin SSO and used as a basis for authorization.

From a Ubilogin SSO point of view, the authorization can take place even earlier. As Ubilogin SSO integrates to external identity repositories, authorization decisions can be made before the user is redirected to the service. Once Ubilogin SSO receives the authentication information from the user input and ties this information to identity information that resides in the internal or external repository, this information can be used to determine whether the user is a member of a group that has the authorization to use the service in question, or has a role that is allowed to access the information provided by the service.
Authorization may thus take place at two points when using Ubilogin SSO. The first authorization decision is made when the information (credentials) is received from the user and the available information is mapped to groups and roles that are used to make the first authorization decision. The second authorization decision is made by the application or resource which the user tries to access. This decision is made based on the information that Ubilogin SSO relays from the external databases to the application in question.

Figure 8: Creating an authorization policy that determines the attributes, and their names, that are relayed to the application.

Ubilogin eidm and iidm solutions

The reader of this document should note that Ubisecure has solutions available for very advanced authorization. The Ubilogin eidm and iidm products are targeted at companies that are planning to harmonize their identity and authorization management into a single solution. Several references are available for the Ubilogin Identity Management products. Please become familiar with the documents Ubilogin_Extranet_IDM_Product_Description.pdf and Katso - a Nation Wide Outsourced Identity Management System.pdf.
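The SSO ticket check of section 2.3 and the two authorization points of section 4.1 can be put together in a short model, given here as an added example and not as Ubilogin's own code: the ticket fields, the strength ordering of the three authentication methods, the identity repository contents, the policy format and the relayed attribute names (X-Role, X-Department) are all constructed for the illustration.

```python
"""Two-stage authorization around an SSO ticket (added illustration).

Example code written for this page, not Ubilogin's implementation: ticket
fields, method ordering, policy format and attribute names are constructed.
Stage one is the web agent's decision from the ticket and the identity
repository; stage two is the application's decision from relayed attributes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed ranking of authentication methods by strength; the product
# supports around 20 methods, three stand in for them here.
AUTH_LEVEL = {"password": 1, "sms_otp": 2, "x509": 3}


@dataclass
class SsoTicket:
    """What the authentication server issued after a successful login."""
    subject: str      # user identifier established at authentication
    method: str       # authentication method that was used
    issued_at: int    # seconds since epoch
    lifetime: int     # seconds the ticket stays valid

    def valid_at(self, now: int) -> bool:
        return self.issued_at <= now < self.issued_at + self.lifetime


@dataclass
class Resource:
    """A protected resource together with its authorization policy."""
    name: str
    min_method: str                 # weakest acceptable authentication method
    allowed_groups: List[str]       # groups admitted by the first decision
    # authorization policy: repository attribute -> name relayed to the app
    relayed_attributes: Dict[str, str] = field(default_factory=dict)


# Constructed identity repository standing in for a directory such as AD.
IDENTITY_REPOSITORY = {
    "alice": {"groups": ["finance", "staff"], "role": "approver", "dept": "FIN"},
    "bob":   {"groups": ["staff"],            "role": "viewer",   "dept": "OPS"},
}


def agent_decision(ticket: Optional[SsoTicket], resource: Resource,
                   now: int) -> Tuple[str, Dict[str, str]]:
    """Stage one: the web agent's decision for one request.

    Returns (decision, attributes); decision is one of
      'authenticate' - no valid ticket: redirect to the authentication page
      'step_up'      - ticket valid, but the method is too weak for this resource
      'deny'         - authenticated user is in none of the admitted groups
      'allow'        - access granted; attributes are relayed to the application
    """
    if ticket is None or not ticket.valid_at(now):
        return "authenticate", {}
    if AUTH_LEVEL[ticket.method] < AUTH_LEVEL[resource.min_method]:
        return "step_up", {}
    identity = IDENTITY_REPOSITORY.get(ticket.subject)
    if identity is None or not set(identity["groups"]) & set(resource.allowed_groups):
        return "deny", {}
    # Relay only the attributes the policy names, under the names it assigns,
    # so the application never sees repository data the policy did not select.
    relayed = {relayed_name: str(identity[attr])
               for attr, relayed_name in resource.relayed_attributes.items()
               if attr in identity}
    relayed["subject"] = ticket.subject
    return "allow", relayed


def application_may_approve(relayed: Dict[str, str]) -> bool:
    """Stage two: the application's own check on the relayed attributes.

    Constructed rule: only a user relayed with role 'approver' may approve.
    """
    return relayed.get("X-Role") == "approver"


# Constructed resource: payments need at least an SMS one-time password and
# membership of the finance group; role and department are relayed.
PAYMENTS = Resource(
    name="payments",
    min_method="sms_otp",
    allowed_groups=["finance"],
    relayed_attributes={"role": "X-Role", "dept": "X-Department"},
)

if __name__ == "__main__":
    now = 1_000_000
    for ticket in (None,
                   SsoTicket("alice", "password", now - 60, 3600),
                   SsoTicket("bob", "x509", now - 60, 3600),
                   SsoTicket("alice", "sms_otp", now - 60, 3600)):
        decision, attrs = agent_decision(ticket, PAYMENTS, now)
        print(decision, attrs, application_may_approve(attrs))
```

The four sample requests exercise each outcome in turn: no ticket, a ticket too weak for the resource, a strongly authenticated user outside the admitted group, and a successful access whose relayed attributes then pass the application's own role check.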
4.2. Regulatory compliance

The ICT world has become an integral part of the regulatory and legislative rules and acts governing the way companies and public authorities may run their operations. Depending on the user's geographical location and nature of operation, several different national and international regulations will have implications on how business transactions should be handled. Verticals may have their own regulations that extend the national and international frameworks. In Europe, EU directives are implemented and followed. The Ubilogin product family helps organizations meet those aspects of regulations and laws that deal with user identities in the electronic world.

Internal regulations in organizations, security policy

Ubilogin also helps organizations to follow company regulations and security policies centrally. When Ubilogin authentication and authorization is extended to the whole organization, changes in the security policy and company rules can be deployed rapidly to the applications protected by Ubilogin Web Agents.

SOX, HIPAA etc.

For industry-specific regulations and laws, the Ubilogin solution offers the correct ways to implement user authentication in applications with minimum effort. Industry regulations normally have sections that mandate a certain level of authentication when accessing resources. As Ubilogin SSO supports almost 20 different authentication methods, it is easy to pick a suitable method from the list and protect the resources so that the regulatory requirements are fulfilled. For more fine-grained management of risk, Ubilogin SSO provides flexible authorization, where the application receives attribute information about the user from the Ubilogin Authentication Server. This information can be used to determine what the user can or cannot do within an application.
So although the user is authenticated properly, there might be additional levels of access control in the application infrastructure, and Ubilogin can provide the necessary information from the integrated user repositories to the application.

Centralized Audit Trails of application access

In a large organization with multiple application servers and thousands of users, a centralized access log can prove very valuable. When resources are protected by Ubilogin components, each time a user accesses a resource a log entry is created in Ubilogin. This centralized log helps internal audits and provides an excellent tool for discovering problems in the authentication and authorization policies. Not only does the log show who has accessed which resource and when, it also records in what role the service was accessed.

4.3. egovernment authentication

One of the many successful Ubilogin installations to date is the centralized authentication service for all citizens and organizations (companies, public authorities) for several ministries and government agencies in Finland. Ubilogin provides a service that is used to authenticate any Finnish citizen who has an electronic identity. Similarly, the service is used to authenticate and authorize any person who has an electronic identity and a registered role in an organization. The roles may, for example, concern authorization for reporting or signing in governmental matters or processes.

Ubilogin scales well and can provide a robust authentication platform for a very large user base, such as in egovernment use cases. Integration with several different external authentication resources and support for more than a dozen authentication methods make it possible to provide almost any imaginable means of authentication to citizens. The Ubilogin Web Agent technology provides a fast track to deployment for the developers of egovernment services and applications, as it typically takes merely a few hours to integrate authentication and authorization into the services. This has helped egovernment developers to offer on-line services to citizens faster and more securely.

4.4. SSO across the enterprise landscape

Single Sign-On (SSO) is a term that describes a situation where a user can access several different resources without any additional logins after the initial authentication. Once the user has successfully authenticated himself or herself to the authentication service, all resources and assets protected by the authentication solution can be provided through SSO, which as part of the process includes authorization to each resource and asset.

In large organizations with multiple services that use different technologies, consolidating the password or other credential management into a single solution can provide huge cost savings in a short period of time. A centralized authentication solution also improves security, as the user does not have to remember several different passwords, so the temptation to choose a bad or weak password is less prominent. As presented earlier, Ubilogin SSO supports a variety of authentication methods, so SSO can even lower the threshold for implementing stronger authentication schemes in organizations, as the credentials have to be presented only once. Also, deploying a stronger authentication scheme later is a straightforward configuration task once the Ubilogin Web Agent has been deployed in conjunction with the application or service to be protected.

Web-SSO

Single Sign-On between different web-based applications has proved to be very cost efficient, e.g. in large organizations.
Traditionally each portal or web-based application has its own user database for simple authentication. When the number of services grows, the maintenance burden for lost passwords, new users and terminated user accounts may grow rapidly and may even lead to vulnerabilities. When the web applications or services are protected by Ubilogin Web Agents, user management can be outsourced to a single directory or repository. Or, if identity management consolidation is necessary, Ubilogin SSO can integrate with several existing user repositories, and group mappings and authorization can be managed logically from a single location and user interface, provided by the Ubilogin Server Management.

Ubilogin Web Agents are installed on the application servers or web servers, as described in the section Ubilogin Web Agents. Single Sign-On can hence be achieved in a short amount of time, as it typically takes only a few hours to integrate the Ubilogin Web Agent with the existing services. The cost savings can therefore be considerable when multiple web-based services are protected using the Ubilogin Web Agent. In addition, from a user perspective, there is only one credential the user has to remember and possess. As users are required to present their credentials only once, it is easier for them to accept the sometimes slightly more complex authentication methods that typically come along with the stronger mechanisms.
Cross Domain Windows SSO

Figure 9 Cross Domain Windows SSO for several companies

Cross-Domain Windows Single Sign-On provides the tools and technologies for companies to offer SSO to their customers and partners from their respective Windows domains. This is especially useful for application service providers or companies that have a large customer base that needs to access their extranet services. This way the identities are maintained in each customer's own Active Directory, and there is no maintenance overhead for the service provider in identity management.

4.5. Web Services authentication for SOA

Service Oriented Architecture (SOA) and Web Services technologies are gaining widespread acceptance, particularly in large organizations. Ubilogin Web Services IDP offers standards-based authentication for SOA. Ubilogin Web Services IDP supports the Liberty ID-WSF 2.0 specification, which is geared toward Web Services authentication for client-server applications.
When legacy applications are integrated into the Service Oriented Architecture, it becomes possible to harmonize user authentication in these applications as well. Ubilogin Web Services IDP provides the necessary interfaces for client-server applications to integrate with the identity provider (Ubilogin SSO). Through this integration the legacy client-server applications can utilize the centrally managed identity repositories, and users do not have to remember separate credentials (usually passwords) for the legacy applications.

4.6. Federation across multiple domains

When a user identity needs to travel outside its own domain to a second domain, we call it federation. A typical scenario would be a corporate user who needs to access services provided by another organization, that is, a typical extranet use case. Here, if federation is used, the Identity Providers of both organizations have the capability to implement federation. The federation relationship, that is, the so-called trust relationship, can be one-way or two-way.

When an IDP in an organization provides federation, the end user can access resources as an authenticated user from his or her own domain and is authorized before accessing the service. The authentication and authorization usually happens as a Single Sign-On operation, where the user does not have to log in separately to the second domain. Technically speaking, the SSO session is transferred from the other domain.

Federated identities can provide tangible cost savings in organizations that have a large partner or customer base. When the user identities are maintained by the partner, the organization bears no extra administrative burden for user identity management of partners or customers. Ubilogin SSO can provide federation for Windows domains and for SAML 2.0 or WS-Federation capable Identity Providers and Service Providers.

4.7. Preventing phishing

Identity theft is one of the most troublesome phenomena on the Internet today. As the attacks against corporate networks or confidential data have moved from the company firewall to the user, the success rate of criminal actions in cyber-crime has risen rapidly. The problem is that the criminals are now targeting the weakest and most vulnerable link in the chain: the user.
Figure 10 The development of the attack vectors, from cracking to phishing

The biggest technical problem in identity theft is the fact that the authentication information travels through the same channel as the data. Normally this means that everything from user authentication to the approval of transactions is handled through the same interface, typically a web browser. This creates opportunities for criminals, who exploit our benevolence and perhaps ignorance by creating elaborate email attacks combined with rogue sites that look exactly like the real thing but are created for the sole purpose of stealing the user's identity.

When user authentication is separated into a different channel, phishing becomes much more difficult, in practice so difficult that there is no incentive for the criminals to continue identity theft attempts. Mobile authentication provides the best way to separate user authentication into a different channel, between the service provider, the mobile operator and the end user. This link is static and very hard to crack and thus a great way to thwart phishing attempts. Ubilogin SSO supports standards-based WPKI authentication as well as SMS-based one-time passwords and one-time-password generators installed on the mobile terminal. One-time passwords (OTP) provide far better security to the user compared to traditional static passwords. The strongest mobile authentication scheme supported by Ubilogin SSO relies on the international ETSI standard for roaming WPKI authentication and signing, which is based on X.509 certificates.
Figure 11 Separating the authentication channel and preventing identity theft. Credentials are verified in the operator's authentication server network.

But please bear in mind that no technological solution is the silver bullet against phishing. Good technical choices and solutions can mitigate the risk of phishing, never completely prevent it. While this is true of all information security, it is important to realize that the best prevention of phishing is a combination of excellent choices in technology, applicable processes and safeguards, and the acknowledgement of responsibility. Ultimately the service provider is responsible for the customer information.
5. Conclusions of the advantages provided by Ubilogin SSO

There are many use cases where Ubilogin SSO provides security and enables secure information availability. One of the most obvious advantages comes from the variety of authentication methods, which range from traditional passwords to roaming mobile signatures and SMS authentication methods. There is an appropriate authentication method available for every level of confidentiality.

Another key benefit is the identity consolidation enabled by the Identity Broker Engine of Ubilogin SSO. This provides both technical and administrative advantages. When these two are combined, that is, the appropriate authentication methods together with advanced integration with the existing user repositories through directory integration and the Identity Broker Engine, the authentication and authorization policies reach a new level of flexibility and usability in an organization.

Standards-based interfaces provide assurance of interoperability with third-party solutions and guarantee that the solution will work flawlessly in the future as well. Advanced implementations such as SAML 2.0, WS-Federation, ID-WSF 2.0 and ETSI TS 102-204 provide new means of integrating the most advanced mobile authentication solutions with legacy applications.

Through previous Ubilogin SSO deployments and development of the product, the product family has grown to be one of the most flexible and scalable identity consolidation, authentication and authorization solutions available today. Hence, it has already been the choice of many companies and public authorities with demanding requirements.
6. Contact Information

Ubisecure Solutions, Inc.
<firstname.lastname>@ubisecure.com
Tekniikantie 14
FIN-02150 Espoo, FINLAND
tel. +358-9-2517 7250
fax +358-9-2517 7070
Registered in Espoo, Finland, reg. nr. FI17487214

About Ubisecure

Ubisecure Solutions, Inc. is a leading partner in providing advanced authentication, access control, federation and identity management solutions for Internet, Intranet and Extranet services and mobile applications. Ubisecure provides application developers, integrators, solution providers, OEMs and end-user organizations with IT security software solutions that maximize the competitive advantage of its customers. The Ubisecure product line consists of Ubilogin SSO solutions for authentication, access control, Web Single Sign-On and federated access to Internet, Intranet and Extranet services and Web Services applications, and Ubilogin eidm solutions for extranet identity management. Ubisecure has offices in Finland and Sweden. For more information, visit Ubisecure's web site at www.ubisecure.com

Ubisecure, Ubilogin, Ubilogin SSO, Ubilogin eidm, Ubipass, Ubikey and Ubisignature are trademarks and/or registered trademarks of Ubisecure Solutions, Inc. All other companies and products listed herein are trademarks or registered trademarks of their respective holders.