Single Sign-On (SSO) – Second part

Date : June 09, 2010

While the first part gave a theoretical approach of SSO, this one is more practical.

1.    SSO Features

This section will describe the SSO features.  Some of the features mentioned below might already exist in one or more applications. Implementation of SSO product can be helpful to bring standardized authentication policy across all applications in the organization.

1.1    Basic features

1.1.1    Authentication

  • Authentication method
o    Password

Passwords are the most widely used authentication means. They should be changed regularly, and based on an effective policy to make them less vulnerable.

o    One Time Password (OTP)

OTP is a password that is only valid for a single login session or transaction. There are two types of one-time passwords, a challenge-response password (responds with a challenge value after receiving a user identifier) and a password list (use lists of passwords which are sequentially used by the person wanting to access a system).
 
o    Public Key cryptography
 
Public-key cryptography is a cryptographic approach that uses asymmetric key algorithms instead of, or in addition to, symmetric key algorithms. It makes use of two keys, one private and one public. The private key is used to decrypt and to sign messages exchanged between the communicating machines; encryption and signature verification are done with the public key.
 
o    Digital Certificate
 
A digital certificate is an electronic document which uses a digital signature to bind together a public key with an identity.
 
o    Security Token
 
Security tokens are used to prove one's identity electronically. The token is used in addition to or in place of a password to prove that the customer is who he claims to be.
 
o    Smart card
 
A smart card is any pocket-sized card with embedded integrated circuits which can process data. Additional software applications also use the smart card, without prompting the user to re-enter credentials. Smart card-based single sign-on can either use certificates or passwords stored on the smart card.
 
o    Biometrics
 
Users may authenticate biometrically via their fingerprint, voiceprint, or iris scan using the provided hardware.

  • Authentication protocols
o    Kerberos

Kerberos is a network authentication protocol that relies on secret keys (symmetric encryption) and on the use of tickets. No passwords flow in the clear through the network, which avoids the risk of users' passwords being intercepted.
 
o    Lightweight Third-Party Authentication (LTPA)
 
Lightweight Third Party Authentication (LTPA) is an authentication process whose principle is that all servers involved in the SSO process share encryption / decryption keys. When a client makes an authentication request to a server, the server returns a cookie containing an LTPA token encrypted with the shared key. If the user then makes a request to another server, the cookie is sent along with it, and that server decrypts the LTPA token with the shared key. No additional authentication request is then needed by that server.
 
o    Simple and Protected GSSAPI NEGOtiation mechanism (SPNEGO)
 
SPNEGO authentication provides single sign-on (SSO) to Windows users who want to access a secure Web server using Internet Explorer. A plug-in runs on the server side and Internet Explorer on the client side.
 
o    Remote Authentication Dial In User Service (RADIUS)
 
RADIUS is a client / server protocol that allows centralized management of authentication. The user station sends an access request to a RADIUS client in order to enter the network, and the client asks for information identifying the user. The RADIUS client then generates an Access-Request packet, as defined by the protocol, containing the credentials. The RADIUS server processes the request and validates or rejects the identification by returning a packet of type Access-Accept or Access-Reject. Several servers can be cascaded (the Access-Request is forwarded to each in turn), and it is the last one that generates the Access-Accept or Access-Reject.
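As an added illustration of the exchange just described (not code from the original article), the following Python builds an Access-Request with the User-Password attribute hidden as RFC 2865 specifies, lets a server answer Access-Accept or Access-Reject, and has the client check the Response Authenticator before trusting the verdict. The shared secret, user table and request authenticator are constructed values for the example.

```python
import hashlib, hmac, os, struct

SECRET = b"example-shared-secret"   # constructed for the example; each client/server pair has its own
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes, RFC 2865
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types, RFC 2865

def _pw_transform(data, secret, req_auth, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous *cipher* block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], pad))
        out += block
        prev = block if hiding else data[i:i + 16]   # chain on the ciphertext either way
    return out

def hide_password(password, secret, req_auth):
    return _pw_transform(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)

def reveal_password(hidden, secret, req_auth):
    return _pw_transform(hidden, secret, req_auth, False).rstrip(b"\x00")

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value   # Type, Length (incl. this header), Value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs[kind] = data[i + 2:i + length]; i += length
    return attrs

def build_access_request(ident, user, password, secret=SECRET, req_auth=None):
    req_auth = req_auth or os.urandom(16)   # 16-byte random Request Authenticator
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_respond(packet, users, secret=SECRET):
    """RADIUS server: recover the password, decide, sign the reply with the Response Authenticator."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    ok = users.get(attrs.get(USER_NAME)) == reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()   # no reply attributes here

def client_check_response(resp, req_auth, secret=SECRET):
    """Client: accept the verdict only if MD5(Code+ID+Length+RequestAuth+Attrs+Secret) matches."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return resp[0] if hmac.compare_digest(expected, resp[4:20]) else None
```

The Response Authenticator check is what stops a forged Access-Accept from a third party being taken as the server's verdict.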
 
o    NT Lan Manager (NTLM)
 
When a user tries to access a protected application, the unauthenticated requests are redirected to a URL that requires NTLM authentication. NTLM credentials are requested from the browser and then verified against a configured NTLM Domain Controller. Once the credentials have been verified, a session cookie is sent to the browser and the user is redirected back to the page that he originally attempted to access.
 
o    Authentication persistence
 
When the SSO agent is installed on the user's workstation, the agent can send the user's credentials on the user's behalf with every request. But there are other mechanisms that allow a session to be maintained. Cookies are the most widely used mechanism in web-based applications. Once the browser holds a cookie, if the user browses to a different application that is part of the SSO, the browser presents the cookie to that application and the user is logged in directly.
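As an added example (neither the article's code nor IBM's LTPA implementation) covering both the shared-key LTPA description above and the cookie-based persistence just described: server A issues a token under the key that every SSO server holds, and server B accepts it from the browser's cookie without prompting again. It simplifies LTPA by protecting the token with an HMAC under the shared key instead of encrypting it; the key, cookie name, lifetime and user table are assumptions.

```python
import base64, hashlib, hmac, json, time

SHARED_KEY = b"constructed-shared-key-replace-in-production"   # held by every server in the SSO domain
TTL_SECONDS = 3600                                             # assumed token lifetime

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, key=SHARED_KEY, now=None):
    """Server A builds the token only after it has checked the user's password itself."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"sub": user, "iat": now, "exp": now + TTL_SECONDS}, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)

def verify_token(token, key=SHARED_KEY, now=None):
    """Server B trusts the user in the token only if the MAC under the shared key checks and it is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        body_part, mac_part = token.split(".")
        body, mac = _unb64(body_part), _unb64(mac_part)
    except ValueError:          # malformed cookie value: treat as unauthenticated
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
        return None             # forged or issued under a different key
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None             # expired: the user must authenticate again
    return claims["sub"]

def login_on_server_a(user, password, users, now=None):
    """Returns the Set-Cookie header value, or None if the password check fails."""
    if users.get(user) != password:   # constructed plain-text table; a real server hashes passwords
        return None
    return "LtpaToken=" + issue_token(user, now=now) + "; Secure; HttpOnly; Domain=.example.com"

def request_on_server_b(cookie_header, now=None):
    """Server B parses the Cookie header the browser sends and authenticates without a login page."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "LtpaToken":
            return verify_token(value, now=now)
    return None
```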

1.1.2    Credential Database

To store the authentication and authorization policies, SSO can use a local (its own) database or a centralized database. To integrate with the existing infrastructure, the SSO product can be interfaced with the existing corporate directory. Most modern single sign-on systems therefore use LDAP (Lightweight Directory Access Protocol) directories, because LDAP directories and LDAP authentication have become one of the cornerstones of enterprise infrastructure.

1.1.3    Password management

SSO allows defining a password policy, that is, a set of rules ensuring that users select strong passwords.
Some SSO products offer self-service password reset, which allows a user to reset the password after correctly answering a few predefined questions.

1.1.4    Applications

SSO can be configured to authenticate a user for almost any application, even highly customized or in-house developed applications.

1.1.5    Product flexibility

This feature allows customizing the login pages to match the look and feel of the application's login page. When a user requests a partner application, he is redirected to the single sign-on server. If this server successfully verifies the user name and password, it redirects the user to the URL of the application. If authentication fails, the server redirects the user back to the login page and displays an error message.

1.1.6    Reverse Proxy function

A reverse proxy is a proxy server that does not let users access the Internet directly.

It serves as a conduit for Internet users wishing to access an internal website by relaying their requests. Using a reverse proxy, the web server is protected from direct attacks from the outside, thereby enhancing internal network security. In addition, the cache function of the reverse proxy can help relieve the load on the server it fronts.

1.1.7    Network Security

SSO reduces the need for users to remember many logins and passwords.

All authorisation and authentication messages and decisions must be secured when transmitted on the network from the SSO infrastructure. The communication uses HTTPS connections.

1.1.8    Audit and traceability

SSO should audit all operations performed in the credential database.
The audit function allows the enterprise to comply with regulations such as SOX.

1.1.9    Management and monitoring functions

SSO offers advanced monitoring and reporting capabilities through a console (web interface or admin console).
SNMP enables monitoring of component activity on the network that hosts the SSO system.
Some SSO products allow you to manage and monitor SSO agents based on the Java Management Extensions (JMX) standard.
Administration and management operations on the administration console can be protected by means of SSL encryption. For operating-system administration and operations, standard OS-level protection mechanisms such as Secure Shell (SSH), prohibition of root logins, restricted access, and access monitoring should be used.

1.2    Architecture features

The SSO architecture should be the first feature considered when choosing the SSO solution to implement. The integration depends on the different zones in which the components of the SSO product will be located. In the case of federated SSO, different SSO servers can be distributed over different sites of the enterprise.
SSO should be able to integrate easily with related IT solutions, for example existing identity management solutions, security event management solutions, application management solutions, or desktop software distribution solutions.
SSO can be implemented either as software modules or as a hardware appliance. Software modules have to be customized and deployed on servers. Hardware appliances, while also customizable, are not as flexible.
A downside of SSO is that it is a single point of security failure. So SSO products should be both secure themselves and secure on the network. SSO hardware and software should be on dedicated, hardened servers.
Redundancy is required in order to minimize the risk of security failure.
Some SSO solutions need load balancing, and using multiple load-balanced components instead of a single component may increase reliability through redundancy.
 
2.  SSO products

This section lists products on the SSO market. The first part is based on the 2009 Gartner study called "Magic Quadrant for Web Access Management".

The products in the Gartner study:
  • Tivoli Federated Identity Manager (TFIM) and Tivoli Access Manager for e-business (TAMeb) - IBM
  • Oracle Access Manager - Oracle
  • SiteMinder - CA
  • Novell Access Manager - Novell
  • Sun OpenSSO Enterprise - Sun Microsystems
  • Web Access Manager - Evidian
  • RSA Access Manager - EMC (RSA)
  • GetAccess - Entrust
  • DirX Access - Siemens
  • maXecurity - P2 Security
  • Cams - Cafesoft

Other products:
  • SecureLogin SSO - ActivIdentity
  • Remedy Access Request System - BMC Software
  • SSOX - Avencis
  • OneSign - Imprivata
  • USO - i-sprint Innovations
  • v-Go SSO - PassLogix
  • expreSSO - Sentillion
  • ProtectTools Security Manager: SSO - HP
  • Quest Software
  • PingFederate - PingIdentity
  • Vulture - open-source product
  • Sign&Go - Ilex
  • i-Suite, i-Trust - Bee Ware
  • CAS - protocol developed by Yale University