Single sign-on
Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords, or in some configurations seamlessly sign on at each system. This is typically accomplished using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases on servers also called directory servers.[1] A simple version of single sign-on can be achieved over IP networks using cookies but only if the sites share a common DNS parent domain.[2] For clarity it is best to refer to systems requiring authentication for each application but using the same credentials from a directory server as Directory Server Authentication and systems where a single authentication provides access to multiple applications by passing the authentication token seamlessly to configured applications as SSO.
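The cookie-based variant mentioned above only works across hosts that share a parent domain, and the reason is the browser's cookie scoping rules rather than anything in the SSO server. The following is an added example, not part of the article: it models the RFC 6265 domain-match rule in Python, with a constructed public-suffix list and made-up hostnames, and shows which sites receive a session cookie set by a login server on `sso.example.com`.

```python
"""Cookie-scoped single sign-on model.

Added example (not from the article): shows why a cookie-based SSO works
only when the sites share a common parent domain. A browser sends a
cookie only to hosts that "domain-match" its Domain attribute
(RFC 6265, section 5.1.3), and a site may set a Domain attribute only
for a domain covering its own host. The public-suffix list is a
constructed stand-in for the real one.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the public suffix list: a login server must
# never be allowed to scope a cookie to one of these.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # Domain attribute (or the setting host, if host-only)
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def set_cookie(origin_host: str, name: str, value: str,
               domain: Optional[str] = None) -> Cookie:
    """Apply the browser's acceptance rules to a Set-Cookie from origin_host."""
    if domain is None:
        return Cookie(name, value, origin_host.lower(), host_only=True)
    domain = domain.lstrip(".").lower()
    if domain in PUBLIC_SUFFIXES:
        raise ValueError(f"refusing cookie scoped to public suffix {domain!r}")
    if not domain_matches(origin_host, domain):
        raise ValueError(f"{origin_host} may not set a cookie for {domain}")
    return Cookie(name, value, domain, host_only=False)


def cookies_sent_to(host: str, jar: List[Cookie]) -> Dict[str, str]:
    """Return the cookies a browser would attach to a request for host."""
    sent: Dict[str, str] = {}
    for c in jar:
        if c.host_only:
            if host.lower() == c.domain:
                sent[c.name] = c.value
        elif domain_matches(host, c.domain):
            sent[c.name] = c.value
    return sent


def demo() -> Dict[str, Dict[str, str]]:
    """Log in once at sso.example.com, then visit three sites."""
    jar = [set_cookie("sso.example.com", "sso_session", "tok123",
                      domain="example.com")]
    return {h: cookies_sent_to(h, jar)
            for h in ("mail.example.com", "wiki.example.com",
                      "partner.example.org")}


if __name__ == "__main__":
    for host, cookies in demo().items():
        print(f"{host:22s} -> {cookies or 'no SSO cookie'}")
```

Both `example.com` applications receive the session cookie; `partner.example.org` does not, and the login server cannot widen the scope to `.com` or to a domain it does not sit under. That is the limit the article refers to: anything outside the shared parent domain needs a token-passing protocol rather than a shared cookie.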
Conversely, single sign-off is the property whereby a single action of signing out terminates access to multiple software systems.
As different applications and resources support different authentication mechanisms, single sign-on must internally translate and store credentials for the different mechanisms, from the credential used for initial authentication.
Other shared authentication schemes not to be confused with SSO include OAuth, OpenID, OpenID Connect and Facebook Connect, which require the user to enter their login credentials each time they access a different site or application.
Benefits
Benefits of using single sign-on include:
- Reducing password fatigue from different user name and password combinations
- Reducing time spent re-entering passwords for the same identity
- Reducing IT costs due to lower number of IT help desk calls about passwords[3]
SSO shares centralized authentication servers that all other applications and systems use for authentication purposes and combines this with techniques to ensure that users do not have to actively enter their credentials more than once.
Criticisms
The term reduced sign-on (RSO) has been used by some to reflect the fact that single sign-on is impractical in addressing the need for different levels of secure access in the enterprise, and as such more than one authentication server may be necessary.[4]
As single sign-on provides access to many resources once the user is initially authenticated ("keys to the castle") it increases the negative impact in case the credentials are available to other persons and misused. Therefore, single sign-on requires an increased focus on the protection of the user credentials, and should ideally be combined with strong authentication methods like smart cards and one-time password tokens.[4]
Single sign-on also makes the authentication systems highly critical; a loss of their availability can result in denial of access to all systems unified under the SSO. SSO can be configured with session failover capabilities in order to maintain the system operation.[5] Nonetheless, the risk of system failure may make single sign-on undesirable for systems to which access must be guaranteed at all times, such as security or plant-floor systems.
The use of single sign-on techniques utilizing social networking services such as Facebook may unintentionally render third party websites useless within certain libraries, schools, or workplaces which block social media sites for productivity reasons. It can also cause difficulties in countries with active censorship regimes, such as China and its "Golden Shield Project," where the third party website may not be actively censored, but is effectively blocked if a user's social login is blocked.[6][7]
Security
In March, 2012, a research paper[8] reported an extensive study on the security of social login mechanisms. The authors found 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, Janrain, Freelancer, FarmVille, and Sears.com. Because the researchers informed ID providers and relying party websites prior to public announcement of the discovery of the flaws, the vulnerabilities were corrected, and there have been no security breaches reported.[9]
In May 2014, a vulnerability named Covert Redirect was disclosed.[10] It was first reported as "Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID" by its discoverer Wang Jing, a mathematics PhD student at Nanyang Technological University, Singapore.[11][12][13] Almost all single sign-on protocols are affected. Covert Redirect takes advantage of third-party clients susceptible to an XSS or open redirect.[14]
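The usual mitigation on the identity-provider side is to validate the `redirect_uri` parameter by exact string comparison against the URIs a client registered, rather than by checking only that it sits on a registered domain, which is what lets an open redirect on the client forward the response elsewhere. The code below is an added example in Python, not from the article or any named provider: the client registry and the candidate URIs are constructed, and the two checks are compared side by side.

```python
"""redirect_uri validation at an OAuth 2.0 / OpenID Connect authorization
server.

Added example (not from the article). Covert Redirect works when an
authorization server accepts any redirect_uri that merely shares a
registered client's origin, so an open redirect on that client can pass
the code or token onward. The defence is exact-string matching against
the pre-registered URIs, as RFC 6819 and the OAuth 2.0 Security Best
Current Practice recommend. The client registry below is constructed.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed registry: each client registers its full callback URIs
# out of band.
REGISTERED: Dict[str, List[str]] = {
    "photo-app": ["https://photo.example.com/oauth/callback"],
}


def prefix_match(client_id: str, redirect_uri: str) -> bool:
    """Loose check: any URI on a registered scheme+host passes. Do not use."""
    r = urlsplit(redirect_uri)
    for allowed in REGISTERED.get(client_id, []):
        a = urlsplit(allowed)
        if (a.scheme, a.netloc) == (r.scheme, r.netloc):
            return True
    return False


def exact_match(client_id: str, redirect_uri: str) -> bool:
    """Strict check: the supplied URI must equal a registered one byte for byte."""
    return redirect_uri in REGISTERED.get(client_id, [])


def compare(client_id: str, candidates: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each candidate to (prefix_match result, exact_match result)."""
    return {c: (prefix_match(client_id, c), exact_match(client_id, c))
            for c in candidates}


# Constructed candidates: the registered URI, two URIs that reuse the
# client's origin but carry a forwarding parameter, and two that change
# scheme or host.
CANDIDATES = [
    "https://photo.example.com/oauth/callback",
    "https://photo.example.com/oauth/callback?next=https://other.example/",
    "https://photo.example.com/go?to=https://other.example/",
    "http://photo.example.com/oauth/callback",
    "https://other.example/oauth/callback",
]


if __name__ == "__main__":
    for uri, (loose, strict) in compare("photo-app", CANDIDATES).items():
        print(f"prefix={loose!s:5} exact={strict!s:5}  {uri}")
```

The loose check accepts the second and third candidates because they share the registered origin, even though the user would be forwarded away from the callback; the exact check accepts only the registered string. Query strings and path variations therefore have to be registered explicitly if a client needs them.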
Common configurations
Kerberos based
- Initial sign-on prompts the user for credentials, and gets a Kerberos ticket-granting ticket (TGT).
- Additional software applications requiring authentication, such as email clients, wikis, revision control systems, etc., use the ticket-granting ticket to acquire service tickets, proving the user's identity to the mailserver / wiki server / etc. without prompting the user to re-enter credentials.
Windows environment - Windows login fetches TGT. Active Directory-aware applications fetch service tickets, so user is not prompted to re-authenticate.
Unix/Linux environment - Login via Kerberos PAM modules fetches TGT. Kerberized client applications such as Evolution, Firefox, and SVN use service tickets, so user is not prompted to re-authenticate.
Smart card based
Initial sign-on prompts the user for the smart card. Additional software applications also use the smart card, without prompting the user to re-enter credentials. Smart card-based single sign-on can either use certificates or passwords stored on the smart card.
Integrated Windows Authentication
Integrated Windows Authentication is a term associated with Microsoft products and refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is most commonly used to refer to the automatically authenticated connections between Microsoft Internet Information Services and Internet Explorer. Cross-platform Active Directory integration vendors have extended the Integrated Windows Authentication paradigm to Unix, Linux and Mac systems.
Security Assertion Markup Language
Security Assertion Markup Language (SAML) is an XML-based solution for exchanging user security information between an enterprise and a service provider. It supports W3C XML encryption and service provider initiated web browser single sign-on exchanges. A user wielding a user agent (usually a web browser) is called the subject in SAML-based single sign-on. The user requests a web resource protected by a SAML service provider. The service provider, wishing to know the identity of the requesting user, issues an authentication request to a SAML identity provider through the user agent. The identity provider is the party that provides the user's credentials. The service provider trusts the identity provider's user information and, on that basis, provides access to its services or resources.
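"Trusting the identity provider" in practice means the service provider checks, before accepting an assertion, that it was addressed to this provider, answers a request it actually sent, and is still within its validity window. The following is an added Python example, not from the article or from any SAML implementation: it parses a constructed SAML 2.0 Response with the standard library and applies those checks. XML signature verification, which a real service provider must perform first, is left to a SAML library and is not shown; all entity IDs and URLs are invented.

```python
"""Service-provider checks on a SAML 2.0 Response.

Added example (not from the article). Signature verification, which
must precede these checks, is omitted: the standard library has no
XML-DSig support, so a real SP delegates it to a SAML library. The
Response below is a constructed sample with invented entity IDs.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    InResponseTo="_req42" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42"
            Recipient="https://sp.example.com/acs"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z"
                     NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses (e.g. 2024-01-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, *, sp_entity_id: str, acs_url: str,
                      idp_entity_id: str, outstanding_ids: set,
                      now: datetime) -> str:
    """Return the asserted NameID, or raise ValueError naming the failed check.

    outstanding_ids holds IDs of AuthnRequests this SP issued and has not
    yet seen answered; the matching ID is consumed so a captured Response
    cannot be replayed.
    """
    resp = ET.fromstring(xml_text)
    in_response_to = resp.get("InResponseTo")
    if resp.get("Destination") != acs_url:
        raise ValueError("Destination is not our Assertion Consumer Service URL")
    if in_response_to not in outstanding_ids:
        raise ValueError("InResponseTo matches no outstanding AuthnRequest")
    for issuer in resp.iterfind(".//saml:Issuer", NS):
        if issuer.text != idp_entity_id:
            raise ValueError("Issuer is not the trusted identity provider")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    not_before = cond.get("NotBefore")  # optional in SAML
    if (not_before is not None and now < _ts(not_before)) \
            or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion is outside its validity window")
    audiences = [a.text for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("Assertion is not addressed to this service provider")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != acs_url
            or scd.get("InResponseTo") != in_response_to
            or now >= _ts(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer SubjectConfirmationData does not match")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("Assertion has no NameID")
    outstanding_ids.discard(in_response_to)  # one-time use
    return name_id.text


if __name__ == "__main__":
    pending = {"_req42"}
    user = validate_response(
        SAMPLE_RESPONSE, sp_entity_id="https://sp.example.com/metadata",
        acs_url="https://sp.example.com/acs",
        idp_entity_id="https://idp.example.org/metadata",
        outstanding_ids=pending, now=_ts("2024-01-01T12:01:00Z"))
    print("authenticated subject:", user)
```

Each rejection names the check that failed, which is what an operator wants in the SP's logs: a wrong `Audience` means an assertion minted for another service provider is being presented here, and an unknown `InResponseTo` means a Response arrived that this provider never asked for.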
Enterprise SSO (ESSO)
This is an alternative to the "true SSO" approach. Enterprise SSO (ESSO) uses agents that are installed on every workstation. The agent watches for a login window to be displayed and enters the username and password before the user notices anything. It is similar to the "remember password" feature in browsers, but much faster. It does not require modification of the applications, so deployment is much cheaper than for true SSO.[15]
Emerging configurations
Mobile devices as access controllers
A newer variation of single sign-on authentication has been developed using mobile devices as access controllers. Users' mobile devices can be used to automatically log them onto multiple systems, such as building access control systems and computer systems, through the use of authentication methods which include OpenID Connect and SAML,[16] in conjunction with an ITU-T X.509 certificate used to identify the mobile device to an access server.
See also
- Central Authentication Service
- Identity management
- Identity management systems
- List of single sign-on implementations
- Security Assertion Markup Language
- Usability of web authentication systems
References
- ↑ "SSO and LDAP Authentication". Authenticationworld.com. Retrieved 2014-05-23.
- ↑ "OpenID versus Single-Sign-On Server". alleged.org.uk. 2007-08-13. Retrieved 2014-05-23.
- ↑ "Benefits of SSO". University of Guelph. Retrieved 2014-05-23.
- ↑ "Single Sign On Authentication". Authenticationworld.com. Retrieved 2013-05-28.
- ↑ "Sun GlassFish Enterprise Server v2.1.1 High Availability Administration Guide". Oracle.com. Retrieved 2013-05-28.
- ↑ Laurenson, Lydia (3 May 2014). "The Censorship Effect". TechCrunch. Retrieved 27 February 2015.
- ↑ Chester, Ken (12 August 2013). "Censorship, external authentication, and other social media lessons from China’s Great Firewall". Tech in Asia. Retrieved 9 March 2016.
- ↑ Rui Wang, Shuo Chen, and XiaoFeng Wang. "Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services".
- ↑ "OpenID: Vulnerability report, Data confusion" - OpenID Foundation, March 14, 2012
- ↑ "Facebook, Google Users Threatened by New Security Flaw". Tom's Guide. 2 May 2014. Retrieved 11 November 2014.
- ↑ "Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID". Tetraph. 1 May 2014. Retrieved 10 November 2014.
- ↑ "Math student detects OAuth, OpenID security vulnerability". Tech Xplore. 3 May 2014. Retrieved 10 November 2014.
- ↑ "Facebook, Google Users Threatened by New Security Flaw". Yahoo. 2 May 2014. Retrieved 10 November 2014.
- ↑ "Covert Redirect Flaw in OAuth is Not the Next Heartbleed". Symantec. 3 May 2014. Retrieved 10 November 2014.
- ↑ "Single Sign-On First". Evolveum. 3 July 2012. Retrieved 2 January 2016.
- ↑ "MicroStrategy’s office of the future includes mobile identity and cybersecurity". Washington Post. 2014-04-14. Retrieved 2014-03-30.