This document discusses single sign-on (SSO), which allows users to access multiple protected resources with one set of credentials. It describes different SSO approaches like smart card-based and Kerberos-based SSO. Legacy SSO uses scripts or services to automatically fill login prompts. Password synchronization keeps passwords synced across devices. Software token-based SSO issues tokens for access instead of credentials. The document also covers web SSO using cookies and PC login session-based SSO. It concludes with a brief discussion of potential future uses of SSO on mobile devices.
2. Contents
● What is SSO
● Not to be Confused with
● Pros & Cons
● SSO Approaches – By Configuration
● Types of SSO
– Legacy SSO
– Password Synchronization
– Software Token Based Authentication
● Browser Session
● PC Login session
– Mobile SSO
● Q&A
3. What is SSO
● Single sign-on gives users the ability to access more than one protected resource (web pages and applications) with one authentication.
4. Not to be Confused with...
● Authentication vs Authorization
● Shared authentication schemes (federated login, not the same thing as SSO inside one organisation)
– OAuth (an authorization/delegation framework; on its own it does not authenticate the user)
– OpenID / OpenID Connect (authentication, the latter layered on OAuth 2.0)
– Facebook Connect
● Single Sign Out (ending every session that the one sign-on created is a separate problem, and much harder)
5. Pros & Cons
● Pros
– Reduced operational cost (fewer password resets and help-desk calls)
– Reduced time to access data
– Improved user experience
– Eases the burden on developers (applications delegate authentication)
– Centralized management of users
– Fine-grained auditing
– Effective compliance
– Advanced security for systems
● Smart cards and one-time password tokens need to be deployed only once, at the SSO point
● Cons
– Impractical where resources need different levels of secure access: one sign-on has to satisfy both low- and high-sensitivity resources unless step-up authentication is added
– Increases the negative impact if credentials are exposed: one compromised credential opens every connected resource
– Makes the authentication system highly critical: a single point of failure and a high-value target
– Complex logic with many implementation pitfalls
– Should be combined with strong authentication methods
● Smart cards, one-time password tokens
6. SSO Approaches – By Configuration
● Smart card based
● Kerberos based
● SAML (Security Assertion Markup Language)
● Integrated Windows Authentication
– An umbrella term for SPNEGO, Kerberos, and NTLMSSP
7. Types of SSO
● Legacy SSO
● Password synchronization
● Software Token Based Authentication
8. Legacy SSO
● aka Enterprise or Employee SSO (eSSO)
● After primary authentication, it intercepts further login prompts and fills them in for you
● Accomplished using
– A script that launches the real application and supplies the stored credentials
– A background service that monitors for login prompts and passes the credentials
● The store holding the secondary passwords is as sensitive as the passwords themselves: it must be encrypted at rest and unlocked only by the primary authentication
● Products/Implementations
– Citrix Password Manager, Imprivata eSSO appliance, PassLogix, Novell's Secure Login
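The prompt-filling agent described on this slide, as an added example that is not code from the slides or from any of the products named above. A constructed console application prompts for a username and password; the agent launches it, watches its output for the login prompts and answers them from a credential store that a real eSSO product would unlock after the user's primary authentication. The application, the store contents and the prompt strings are all assumptions made for the demonstration.

```python
"""Legacy (enterprise) SSO agent: launch an application and fill its login prompts."""
import subprocess
import sys

# Constructed target application: prompts like a legacy console login.
FAKE_APP = r'''
import sys
sys.stdout.write("Username: "); sys.stdout.flush()
user = sys.stdin.readline().rstrip("\n")
sys.stdout.write("Password: "); sys.stdout.flush()
password = sys.stdin.readline().rstrip("\n")
ok = (user, password) == ("alice", "s3cret")
print("Welcome alice" if ok else "Access denied")
sys.exit(0 if ok else 1)
'''

# Constructed credential store: per application, prompt text -> reply.
# A real eSSO product keeps this encrypted per user; it is plaintext only here.
CREDENTIAL_STORE = {
    "payroll": {"Username: ": "alice", "Password: ": "s3cret"},
}


def run_with_sso(app_name, argv):
    """Launch argv and fill its login prompts from the store entry for app_name.

    Output is read one byte at a time because prompts end without a newline.
    Returns (exit_code, transcript, prompts_filled_in_order).
    """
    answers = CREDENTIAL_STORE.get(app_name)
    if answers is None:
        # never answer an unknown application with some other application's password
        raise LookupError("no stored credentials for " + app_name)
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, bufsize=0)
    transcript = b""
    filled = []
    while True:
        byte = proc.stdout.read(1)      # blocks until the application writes or exits
        if not byte:
            break
        transcript += byte
        for prompt, reply in answers.items():
            if transcript.endswith(prompt.encode()):
                proc.stdin.write(reply.encode() + b"\n")   # answer the prompt
                filled.append(prompt)
    proc.stdin.close()
    return proc.wait(), transcript.decode(), filled


def demo():
    """Run the constructed application through the agent."""
    return run_with_sso("payroll", [sys.executable, "-c", FAKE_APP])


if __name__ == "__main__":
    code, transcript, filled = demo()
    print(transcript)
    print("filled:", filled, "exit:", code)
```

The agent matches prompts by exact text, which is also the weakness of this class of product: a changed prompt, a localised application or a dialog it does not recognise and the script fails or, worse, types the password into the wrong field. The store lookup is keyed by application so that a prompt from an unknown program is never answered.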
9. Password Synchronization
● A process that coordinates passwords across multiple computers, devices and/or applications
● Each computer, device or application still authenticates on its own, but with the same password behind the scenes
– The shared password is then only as safe as the weakest system that stores it
● Products/Implementations
– MTech's P-Synch, Proginet's SecurPass, Systor's SAM Password Synchronization
10. Software Token Based Authentication
● Users enter their username and password once in order to obtain a token
● Once the token has been obtained, the user presents the token, which grants access to a specific resource for a limited time period, to the remote site instead of credentials
● Implementations differ in the cryptography and the logic used to protect, bind and validate the token
● Usually associated with a session
– Web SSO - browser session
– Other SSO - PC login session
11. Web SSO
● Works for browser-based applications
● Cookie support is required
– Because the token is kept in a cookie
● Usually single sign-on to applications deployed on a single web server (domain)
– A cookie is only sent back to the domain that set it, so cookie-only SSO covers one domain; crossing domains needs a redirect that carries a ticket or assertion (CAS, SAML)
● Implementations
– Jasig CAS
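The token flow of slides 10 and 11 in working form, as an added example modelled on the CAS-style redirect (this is not CAS code or any vendor's). The SSO server checks the primary password once and sets a ticket-granting cookie (TGC) on its own domain; each application never sees the password, only a short-lived, single-use service ticket bound to that application's URL, which it validates on the back channel. The signing key, the user record, the host names and the controllable clock are constructed for the demonstration.

```python
"""Software-token web SSO: ticket-granting cookie plus per-service tickets."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SSOServer:
    def __init__(self, host, key, tgc_ttl=8 * 3600, st_ttl=60, now=time.time):
        self.host, self.key, self.now = host, key, now
        self.tgc_ttl, self.st_ttl = tgc_ttl, st_ttl
        # constructed user store: PBKDF2 hashes, never the password itself
        self._users = {"alice": self._hash("alice", "correct horse battery")}
        self._tickets = {}  # outstanding service tickets: st -> (user, service, expiry)

    @staticmethod
    def _hash(user, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)

    def _sign(self, claims):
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        mac = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return body + "." + mac

    def _verify(self, token):
        """Return the claims if the MAC is valid and the token is unexpired, else None."""
        body, _, mac = token.partition(".")
        expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not mac or not hmac.compare_digest(mac, expected):
            return None
        claims = json.loads(_unb64(body))
        return claims if claims["exp"] > self.now() else None

    def login(self, user, password):
        """Primary authentication; returns Set-Cookie parameters for the TGC, or None."""
        stored = self._users.get(user)
        if stored is None or not hmac.compare_digest(stored, self._hash(user, password)):
            return None
        tgc = self._sign({"sub": user, "exp": self.now() + self.tgc_ttl,
                          "nonce": secrets.token_hex(8)})
        return {"name": "TGC", "value": tgc, "Domain": self.host, "Path": "/",
                "Secure": True, "HttpOnly": True, "SameSite": "Lax"}

    def service_ticket(self, tgc, service):
        """Exchange a valid TGC for a single-use ticket bound to one service URL."""
        claims = self._verify(tgc) if tgc else None
        if claims is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self._tickets[st] = (claims["sub"], service, self.now() + self.st_ttl)
        return st

    def validate(self, st, service):
        """Back-channel validation by the application; the ticket is consumed."""
        user, bound_service, expiry = self._tickets.pop(st, (None, None, 0))
        if user is None or bound_service != service or expiry <= self.now():
            return None
        return user


def cookies_for(jar, host):
    """Cookies a browser sends to host: the Domain attribute must be host or a parent."""
    return {name: value for (domain, name), value in jar.items()
            if host == domain or host.endswith("." + domain)}


def visit_app(sso, jar, app_host):
    """One browser visit to an SSO-protected application.

    With no app session, the app bounces the browser to the SSO server with its
    own URL as 'service'. The server sees the TGC only if the jar holds a cookie
    for the SSO host, issues a service ticket, and the app validates it.
    Returns (user, ticket); user is None when the user must log in again.
    """
    service = "https://" + app_host + "/"
    tgc = cookies_for(jar, sso.host).get("TGC")
    st = sso.service_ticket(tgc, service)
    if st is None:
        return None, None
    return sso.validate(st, service), st
```

Three properties carry the security of the scheme: the TGC is MAC-protected and expires, so a tampered or stale cookie yields no tickets; a service ticket is bound to one service URL and consumed on first validation, so a ticket captured from one application's redirect cannot be replayed there or used at another; and the cookie is set with Domain, Secure and HttpOnly, so it is sent only to the SSO host, only over TLS, and is not readable by page scripts. The browser's cookie scoping is also why the slide says cookie-based SSO covers a single domain: the applications never receive the TGC, only tickets.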
12. PC Login session based SSO
● Works for all kinds of applications
– Mail clients
– Web applications
● Token is kept in the user's login session
● The client application must implement this feature: it has to obtain the session token and present it to the server
● Implementations
– Some Kerberos implementations
– NTLM
13. Mobile SSO
● Since a mobile phone or tablet is a strictly personal device, SSO has not played a very significant role there so far
● The device can store the individual passwords, as in legacy SSO
● As mobile applications grow more complex, SSO is expected to be introduced there in the near future