SSO-Report 2007: Key Players, Status, Trends
Martin Kuppinger, KCP, mk@kuppingercole.de

Slide 2: What will I talk about?
SSO (Single Sign-On) defined:
- User perspective: the ability to use multiple applications with one sign-on
- System perspective: the use of one sign-on to access multiple applications, e.g. a technically integrated sign-on across applications
Slide 3: Identity Management Market: Single Sign-On segment increases
[Chart: bar chart per market segment, y-axis 0% to 100%. Segments: directory services, meta directory services, identity provisioning, virtual directories, identity federation, web access management, single sign-on, strong authentication, PKI, mainframe access management, auditing, role management, delegated administration. Legend: no investments, optimizations in ongoing operation, major extensions, product change, introduction. Source: Kuppinger Cole + Partner Identity Management Survey 2006]
Slide 4: Business drivers for IT = business drivers for SSO
[Diagram: Identity Management in the centre, surrounded by the business drivers below, each marked "SSO!" or "SSO?" for its SSO relevance]
- Process optimization: get closer to the market
- Automation: cut out the fat
- User productivity: more bang for the buck
- Internal auditing: keep the boss out of jail
Slide 5: Single Sign-On: concrete needs
- Users have too many combinations of user names and passwords (credentials) to keep in mind
- Security risks through insecure storage
- Users don't like new apps ("just another application with just another user name and password")
- High help desk costs for password resets
- Need for strong authentication:
  - unique, safe approaches across apps
  - securing sensitive apps
  - optimizing the costs of strong authentication
Slide 6: Business value: SSO delivers
Quantitative:
1. Administrative costs of the help desk
2. Integration costs of apps (short term)
Qualitative:
1. Ease of use for the user
2. Acceptance of new (and old) apps
3. Fast implementation of tactical solutions
SSO is not only tactical!
- tactical: even mid-term there won't be real SSO across all apps
- strategic: real SSO with integration on the application level
Slide 7: Identity Management Market: Single Sign-On approaches
[Chart: bar chart per approach, y-axis 0% to 30%. Approaches: server-based solutions, client-based solutions, Kerberos, X.509, Web Single Sign-On, Federation. Legend: strategic solution, used in some areas, deployment planned. Source: Kuppinger Cole + Partner Identity Management Survey 2006]
Slide 8: SSO: six approaches for the enterprise
- Server-based SSO (E-SSO)
- Client-based SSO
- Kerberos
- X.509
- Web-SSO
- Federation
Slide 9: SSO approaches: server-based ("E-SSO")
- Stores credentials in a server store: central control; a decentral client accesses the credentials and sometimes caches them (more or less securely) locally
- Usually called E-SSO or Enterprise Single Sign-On
- No real Single Sign-On
- Key players: ActivIdentity, CA, Citrix, Evidian, Imprivata, Passlogix, Tesis; multiple OEMs like IBM, Novell, Oracle
Slide 10: E-SSO: how does it work?
[Diagram: credential storage; user with E-SSO client; directory; authentication; applications]
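The E-SSO architecture of slides 9 and 10 modelled as an added example (not code from the report or from any vendor's product): the user authenticates once against a directory, a central credential server releases only that user's per-application credentials, and the decentral client caches them locally for a short time. All names, the vault contents, the static salt and the in-memory cache are constructed assumptions; the point it shows is that the apps still receive their own user name and password (no real Single Sign-On) and that cache hits bypass central auditing.

```python
import hashlib, hmac, os, time

def hash_primary_password(password, salt=b"constructed-static-salt"):  # constructed salt; real directories salt per user
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class CredentialServer:  # central store: releases a user's own app credentials only against a live session
    def __init__(self, directory, vault):
        self.directory, self.vault = directory, vault  # vault: {(user, app): (app login, app password)}
        self.sessions, self.audit = {}, []
    def login(self, user, password):
        stored = self.directory.get(user)
        if stored is None or not hmac.compare_digest(stored, hash_primary_password(password)):
            self.audit.append(("login-failed", user))
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = user
        self.audit.append(("login", user))
        return token
    def get_credential(self, token, app):
        user = self.sessions.get(token)
        if user is None:
            return None
        cred = self.vault.get((user, app))  # scoped to the authenticated user: no cross-user lookups
        self.audit.append(("credential-released" if cred else "credential-missing", user, app))
        return cred

class EssoClient:  # decentral client: fetches credentials per app and caches them in memory for a short TTL
    def __init__(self, server, cache_ttl=60):
        self.server, self.ttl, self.token, self.cache = server, cache_ttl, None, {}
    def sign_on(self, user, password):
        self.token = self.server.login(user, password)
        return self.token is not None
    def credential_for(self, app, now=None):
        now = now if now is not None else time.time()
        hit = self.cache.get(app)
        if hit is not None and hit[1] > now:
            return hit[0]  # cache hit: the server is not contacted, so central auditing does not see this use
        cred = self.server.get_credential(self.token, app)
        if cred is not None:
            self.cache[app] = (cred, now + self.ttl)
        return cred

def demo():
    directory = {"bob": hash_primary_password("primary-secret")}
    vault = {("bob", "erp"): ("bob_erp", "erp-pw-1"), ("bob", "mail"): ("bob@example.org", "mail-pw-2")}
    client = EssoClient(CredentialServer(directory, vault))
    failed = client.sign_on("bob", "wrong-password")
    ok = client.sign_on("bob", "primary-secret")
    erp, mail = client.credential_for("erp"), client.credential_for("mail")
    cached = client.credential_for("erp")  # served from the local cache: no server request, no audit entry
    expired = client.credential_for("erp", now=time.time() + 120)  # past the TTL: fetched again and audited
    return {"failed": failed, "ok": ok, "erp": erp, "mail": mail, "cached": cached,
            "expired": expired, "audit": client.server.audit}
```

The audit list returned by demo() shows the gap slide 23 warns about: the cached use of the ERP credential leaves no central trace, while a persistent on-disk cache would need its own encryption on top of this.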
Slide 11: SSO approaches: client-based, local SSO
- Stores credentials on the client; in most cases no central control; local storage might be a potential security risk
- Special approach: browser-integrated
- Some vendors support external storage devices like USB keys or smartcards, which are commonly more secure
- Specific: in the context of smartcard infrastructures
- No real Single Sign-On
- Key players: very segmented market, dozens of smaller offerings: ActivIdentity, Aladdin, G&D, PassGo, Secude, Siemens, Symantec, Tesis
Slide 12: SSO approaches: Kerberos
- Authentication standard for distributed systems; supports SSO via service tokens for specific applications
- Usage practically restricted to closed environments
- Supported on all major operating system platforms, but with significant interoperability issues
- Real Single Sign-On; requires so-called "kerberized" applications
- Key players: KDCs: Heimdal, Microsoft, MIT and various adaptors; integration: Centeris, Centrify, Quest
Slide 13: SSO approaches: X.509
- At first a standard for digital certificates, but with broad interoperability
- Certificates need to be mapped to existing accounts, i.e. some existing base of identities is required
- Requires PKI and card management infrastructure on top
- Has existed for a long time, but still isn't supported in any standard application and is missing in most custom applications
- Mainly used in web apps; can be used externally
- Might work fine with a smartcard infrastructure
- Somewhat "semi-real" Single Sign-On due to different identity providers (e.g. directories)
- Key players: multiple external certificate providers: S-Trust, Thawte, Verisign; card infrastructure providers: ActivIdentity, G&D, Secude, Siemens
Slide 14: SSO approaches: Web-SSO
- Web Single Sign-On, also called Web Access Management or Extranet Access Management
- Central authentication for web-based apps, policy-based authorization
- Limited to web applications, sometimes with support for J2EE and other apps (but seldom used)
- Quick-win approach
- Somewhat "semi-real" Single Sign-On
- Key players: BMC, CA, Entrust, HP, IBM, Microsoft, Novell, RSA, Siemens, Sun, Symlabs
Slide 15: SSO approaches: Identity Federation
- Standards-based approach for distributed authentication and authorization
- Becoming increasingly important and mature
- Based on web services, very flexible
- But: multiple standards; key players usually support several of them
- Real Single Sign-On
- Key players: BMC, CA, HP, IBM, Maxware, Microsoft, Novell, Oracle, Ping Identity, RSA, Siemens, Sun, Symlabs
Slide 16: Identity Federation: how it works
- Federation is based on trust: the Service Provider trusts the Identity Provider
- The user authenticates once for multiple service providers
- Flexible attribute exchange
[Diagram: User; Session; Identity Provider with its Directory; Service Provider with its Resource; Trust relationship between Identity Provider and Service Provider]
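The three points above, as an added example that is not part of the report and does not use any particular federation standard: an Identity Provider authenticates the user once and then issues a signed assertion per Service Provider, carrying only the attributes that SP asked for; each SP accepts assertions only from an IdP it trusts, only when addressed to itself, and only while unexpired. An HMAC shared secret stands in for the IdP's signing certificate, and all names, the directory and the user are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

def _b64e(b): return base64.urlsafe_b64encode(b).decode().rstrip("=")
def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
class IdentityProvider:
    def __init__(self, name, signing_key, directory):
        self.name, self.key, self.directory, self.sessions = name, signing_key, directory, set()
    def authenticate(self, user, password):
        rec = self.directory.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return False
        self.sessions.add(user)  # the one sign-on: an authenticated IdP session
        return True
    def issue_assertion(self, user, audience, attrs, ttl=300):
        if user not in self.sessions:
            raise PermissionError("user has no IdP session")
        body = {"iss": self.name, "sub": user, "aud": audience, "exp": time.time() + ttl,
                "attrs": {a: self.directory[user][a] for a in attrs}}  # attribute exchange, per SP
        payload = json.dumps(body, sort_keys=True).encode()
        return _b64e(payload) + "." + _b64e(hmac.new(self.key, payload, hashlib.sha256).digest())

class ServiceProvider:
    def __init__(self, name, trusted_idps):
        self.name, self.trusted = name, trusted_idps  # the trust relationship: {issuer: verification key}
    def consume(self, assertion, now=None):
        payload_b64, sig_b64 = assertion.split(".")
        payload = _b64d(payload_b64)
        body = json.loads(payload)
        key = self.trusted.get(body.get("iss"))
        if key is None:
            return None  # issuer is not a trusted IdP
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), _b64d(sig_b64)):
            return None  # signature mismatch: tampered or forged
        if body["aud"] != self.name or body["exp"] < (now or time.time()):
            return None  # issued for another SP, or expired
        return body["sub"], body["attrs"]

def demo():
    key = b"constructed-idp-signing-key"  # assumption: shared secret stands in for the IdP's signing certificate
    directory = {"alice": {"password": "correct-horse", "mail": "alice@example.org", "dept": "finance"}}
    idp = IdentityProvider("idp.example", key, directory)
    crm, hr = ServiceProvider("crm.example", {"idp.example": key}), ServiceProvider("hr.example", {"idp.example": key})
    rogue = ServiceProvider("rogue.example", {})  # no trust relationship with idp.example
    signed_on = idp.authenticate("alice", "correct-horse")  # authenticates once ...
    a_crm = idp.issue_assertion("alice", "crm.example", ["mail"])  # ... then receives one assertion per SP
    a_hr = idp.issue_assertion("alice", "hr.example", ["mail", "dept"])
    tampered = _b64e(b'{"iss": "idp.example", "sub": "mallory"}') + "." + a_crm.split(".")[1]
    return {"signed_on": signed_on, "crm": crm.consume(a_crm), "hr": hr.consume(a_hr),
            "replayed_at_hr": hr.consume(a_crm), "untrusted": rogue.consume(a_crm), "tampered": crm.consume(tampered)}
```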
Slide 17: Single Sign-On approaches compared: E-SSO as the ripe approach
[Chart: approaches positioned by maturity (x-axis) against integration requirements for apps (y-axis, low to high); in the order they appear on the slide: Local SSO, Enterprise SSO, Web-SSO, Federation, X.509, Kerberos]
Slide 18: SSO trend observed: OpenID, CardSpace
- OpenID: focus on one identity and a single sign-on for this identity
- CardSpace: different InfoCards, different identity providers, not necessarily a single sign-on
- Trend: users from the internet will expect that these technologies are supported; they like to have one sign-on
- Thus, we expect a strong influence on client-based approaches for single sign-on
Slide 19: SSO trend observed: smartcards and SSO
- Smartcards gain momentum as a means for strong authentication
- But: smartcards can as well (depending on card and client technology) store additional information or shield credential stores
- Result: SSO is a valid approach when applied with a smartcard infrastructure, including the related processes
Slide 20: SSO trend observed: entry point for IAM?
Yes, because
- you could start at the client and collect information on who has which digital identity for which application (something which is often unknown)
- there might be a fast success
- at least some approaches are easy to implement (non-intrusive)
No, because
- for all strategic approaches an integrated, trustworthy identity is mandatory (and even for most tactical approaches a central directory)
- the effort for application integration is high in many cases
- sometimes a complex infrastructure is required
Slide 21: SSO: tactics versus strategy
SSO tactics:
- Frontend-oriented SSO
- User experience: SSO
- Fast-to-implement solutions
- Internal: E-SSO or smartcard infrastructure with local SSO
- External, intranet apps: Web-SSO
SSO strategy:
- Backend SSO: applications are SSO-integrated
- One defined strategy: Identity Federation
- Kerberos is restricted (but might be important as an internal point solution, e.g. Windows + Linux/UNIX)
- X.509 is a necessary, complementary base technology, but not the complete solution
Slide 22: SSO strategy: the components
[Diagram: layered stack of Integrated Identity, Strong Authentication, Application Security Infrastructure, Identity Federation and Single Sign-On]
- Integrated identity: meta directories, provisioning
- Strong authentication: at least two-factor authentication
- Application Security Infrastructure: mandatory requirements for authentication and authorization in applications
- Federation: basis for Single Sign-On
Slide 23: SSO as risk or chance? Identity Risk Management
- Authentication: trustworthy identity provider; SSO = trust
- Risk: non-integrated auditing of authentication and authorization; "golden password"?
- Authorization: still in most cases decentral; central: Web-SSO
- Requires a defined configuration of identity providers and services/applications
- IT risks tend to be reduced through SSO
Slide 24: Availability of the SSO-Report 2007
- Slides: KCP website right after the conference
- Text version: end of May 2007