Secure Internet Single Sign-On 101
white paper
Overview
With the success of single sign-on (SSO) inside the enterprise, users are calling for
interoperability outside of the enterprise’s security domain to outsourced services, including
business process outsourcing (BPO) and software as a service (SaaS) providers, and trading
partners, as well as within the enterprise to affiliates and subsidiaries.
While the business demands that employees are able to traverse the Internet with highly-
sensitive data, the connection has to be secure to protect the user, enterprise and service
provider—enter secure Internet SSO. Written for anyone interested in understanding
how secure Internet SSO works, this white paper explores the limitations of current
SSO implementations outside of a single security domain (including identity and access
management systems and open source development) and introduces standalone secure
Internet SSO as a solution.
Table of Contents
Background
Proprietary SSO (Web Agents)
How Secure Internet SSO Works
Secure Internet SSO with PingFederate
Getting Started
Additional Resources
Glossary of Terms
Background
Connecting organizations with their external services over the Internet is critical in today’s age
of real-time information sharing and collaboration. Organizations are no longer isolated: key
services outside of the organization’s domain (including outsourced employee services and
electronic exchanges with trading partners) have to be easily accessible and interoperable.
Collaboration is blurring the lines between enterprises and their service providers. With
employees traversing the Internet with highly-sensitive data, the connection has to be secure
to protect the user, enterprise and service provider. Users are also demanding direct access to
external resources and improved ease of use with single sign-on (SSO). As a result, organizations
are faced with a myriad of challenges when providing SSO for many different use cases
including:
• Outbound SSO for users to access software as a service (SaaS) and business process
outsourcing (BPO) providers, and to connect with trading partners
• Inbound SSO for service providers, such as BPOs and managed services, to access the
enterprise’s resources
• Internal SSO for the enterprise and its acquisitions, affiliates, subsidiaries and joint ventures
• SSO to a third party, hosted hub for users to share information among industry organizations
With many options to consider for delivering SSO that works over the Internet, making
the right technology decision is crucial to successfully implementing federated identity
management and mitigating long deployment times.
Proprietary SSO (Web Agents)
With the success of Web SSO inside the enterprise, many IT organizations looking to provide
SSO over the Internet tried to reuse their existing proprietary Web SSO. In order for employees
to access external Web sites and for external partners to access internal Web sites, organizations
provided a proprietary Web agent to their external partners. Each time access was needed for a
different partner, a different proprietary Web agent was implemented, thus for each connection
organizations needed to support different software for each of their business partners. Over
time, the growing number of different Web agents became difficult to manage due to their lack
of reusability, and the ability to scale new connections was limited.
As one IT staffer at a Fortune 50 company said, “We need to do single sign-on with fifty
external partners. We have fifty different ways of doing it.” With each partner connection taking
over two months to implement with proprietary SSO methods, IT organizations needed a better
way to implement SSO over the Internet; otherwise, it would take years to connect all their
partners.
Standards-Based SSO: Federated Identity
To overcome the limitations of proprietary implementations, organizations wanting to implement
SSO over the Internet turned to federated identity standards such as Security Assertion
Markup Language (SAML) and WS-Federation. These standards allow organizations to share
credentials and attributes for authentication and authorization, reducing the need to maintain
user credentials in multiple systems and eliminating the re-authentication of users to external
resources. By utilizing standards, organizations can deliver secure Internet SSO, which reduces
security gaps by creating trusted connections between enterprises providing identities (called
identity providers or IdPs) and organizations providing the target applications or resources (called
service providers or SPs).
Some IT organizations looked to their incumbent identity management (IdM) stack vendors
to provide federated identity management. However, these products have failed to meet their
scalability requirements, often requiring six to nine months to implement the first partner
connection. Many such products only work with the newest releases of the software suite,
forcing users into massive upgrade cycles just to add Internet SSO. Furthermore, implementing
federated identity management with the suite products requires the entire identity and
access management suite of applications—implying millions of dollars and a two-year
implementation—just for SSO that works over the Internet.
With pressure to reduce implementation costs, some IT organizations turned to open source
to develop their own Internet SSO solutions. However, open source is fraught with failed
implementations: toolkits provide a limited set of functions to specifications such as SAML.
Development of each external connection and integrated application requires expensive custom
code, often taking up to 74 days to build a single partner connection. Developing SSO securely
is also the domain of specialists—often not the expertise of a typical development staff. Base
technologies used to implement Internet SSO such as XML digital signatures are highly complex
and have been found to have significant security vulnerabilities when not implemented using
best practices.
Secure Internet SSO allows organizations to provide users safe access to applications across
the Internet without the need to re-login.
Standalone solutions for identity federation provide a centralized point for secure Internet SSO
configuration that meets the needs of all organizations including inbound SSO, outbound SSO
and internal SSO. Most standalone solutions offer support for a myriad of standard federated
identity protocols such as SAML and WS-Federation. Also, they are able to integrate with
existing identity and access management infrastructure and existing application environments.
By utilizing standalone federated identity software that implements standards-based SSO,
IT organizations can reduce operational costs by providing centralized management of all partner
connections, leveraging reusable connection configurations, and integrating easily with existing
identity infrastructure and target application environments.
How Secure Internet SSO Works
With secure Internet SSO, once a user has logged into their enterprise’s network, they can
directly access applications at outsourced services, trading partners and affiliates over the
Internet. Hidden from the user, their home enterprise validates their login credential and
assembles a specially formatted software message called a SAML assertion that contains
information about the user. The identity providing organization then transmits the assertion to
the external service provider over the Internet via a trusted connection that has previously been
established between the two organizations. The service provider then reads the information in
the assertion and uses it to give the user access to their resources and pertinent information over
the Internet without requiring additional usernames, passwords or any other login mechanism.
The key to secure Internet SSO is the browser—there are no agents required on the end user’s
machine. Browsers such as Internet Explorer, Mozilla Firefox and Apple Safari provide the ability
to interoperate unbeknownst to the user with federated identity software that validates the user
credentials, creates the SAML assertion and sends the assertion to the service provider.
In order to securely transfer information about the user, the IdP and SP must first agree what
details about the user will be passed. This is known as the attribute contract, which may include
username, email address, domain and role group. For example:
Username: Andrea Smith
Email address: [email protected]
Domain: pingidentity.com
Role group: HR

The enterprise, or IdP, manages the users’ credentials and provides information to the service
providers, or SPs, for them to establish user sessions.
Once both parties have agreed on the attribute contract, each party knows what information
will be passed. The user logs into his enterprise domain and is authenticated internally. When
a user requests access to the external site, their browser automatically redirects to their
enterprise’s SSO server, which then builds an assertion that includes the credentials agreed upon
in the attribute contract.
This information is put into the browser header and their browser is directed back to the service
provider’s SSO server, along with the address of the target application; this process is known as
a POST profile, using http or https. The service provider’s SSO server retrieves the assertion from
the browser header and maps the credentials to the target application. The user is given access
to the target application without the need to re-login. The entire process happens so quickly
that the user does not even notice the extra redirects have occurred.
The browser is automatically redirected between the servers for the SSO request. Secure Internet
SSO’s browser-based method provides a simple approach to identity federation that requires
minimal configuration by the enterprise and service provider.
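The exchange just described, as an added example that is not part of this paper and is not PingFederate code: an identity provider assembles a SAML-style assertion carrying the agreed attribute contract, and the service provider's SSO server performs the checks it must make before trusting what the browser POSTed (signature, issuer, validity window with a tolerance for IdP/SP clock drift, audience, replay) and then maps the attributes to a local account either 1:1 or role-based. An HMAC over the serialized assertion stands in for the XML digital signature a real deployment uses; that substitution, the `ServiceProvider` and `idp_build_assertion` names, and all partner names, URLs, key and clock values are assumptions constructed for illustration.

```python
# Added example (not from the paper): stdlib-only model of the browser-POST SSO
# exchange. An HMAC stands in for the XML digital signature (assumption, so the
# code needs no third-party library); names, URLs and clock values are constructed.
import base64, hashlib, hmac, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
NS = {"saml": SAML_NS}
SHARED_KEY = b"constructed-example-key"  # stand-in for the IdP signing key (constructed)
ATTRIBUTE_CONTRACT = ("username", "email", "domain", "rolegroup")  # agreed by IdP and SP


def _q(tag):  # namespace-qualified tag
    return f"{{{SAML_NS}}}{tag}"


def _sign(payload):
    return base64.b64encode(hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()).decode()


def idp_build_assertion(user, issuer, audience, now, lifetime_seconds=300):
    """IdP side: build and sign an assertion carrying only the contract attributes.
    Returns the token the browser carries in the POST: base64(xml) + "." + signature."""
    root = ET.Element(_q("Assertion"), {"ID": "_" + uuid.uuid4().hex, "IssueInstant": now.isoformat()})
    ET.SubElement(root, _q("Issuer")).text = issuer
    cond = ET.SubElement(root, _q("Conditions"), {
        "NotBefore": now.isoformat(),
        "NotOnOrAfter": (now + timedelta(seconds=lifetime_seconds)).isoformat()})
    ET.SubElement(ET.SubElement(cond, _q("AudienceRestriction")), _q("Audience")).text = audience
    stmt = ET.SubElement(root, _q("AttributeStatement"))
    for name in ATTRIBUTE_CONTRACT:
        attr = ET.SubElement(stmt, _q("Attribute"), {"Name": name})
        ET.SubElement(attr, _q("AttributeValue")).text = user[name]
    xml_bytes = ET.tostring(root, encoding="utf-8")
    return base64.b64encode(xml_bytes).decode() + "." + _sign(xml_bytes)


class ServiceProvider:
    """SP side: the checks an SSO server makes before trusting a POSTed assertion."""

    def __init__(self, entity_id, trusted_issuer, clock_skew_seconds=120):
        self.entity_id, self.trusted_issuer = entity_id, trusted_issuer
        self.skew = timedelta(seconds=clock_skew_seconds)  # tolerated IdP/SP clock drift
        self.seen_ids = set()  # replay cache of accepted assertion IDs

    def consume(self, token, now):
        """Validate the token and return the contract attributes, or raise ValueError."""
        b64, sig = token.rsplit(".", 1)
        xml_bytes = base64.b64decode(b64)
        if not hmac.compare_digest(_sign(xml_bytes), sig):  # verify before trusting content
            raise ValueError("signature check failed")
        root = ET.fromstring(xml_bytes)
        if root.findtext("saml:Issuer", namespaces=NS) != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        cond = root.find("saml:Conditions", NS)
        not_before = datetime.fromisoformat(cond.get("NotBefore"))
        not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
        if now + self.skew < not_before or now - self.skew >= not_on_or_after:
            raise ValueError("assertion outside its validity window")
        audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:
            raise ValueError("assertion not addressed to this SP")
        if root.get("ID") in self.seen_ids:
            raise ValueError("assertion replayed")
        self.seen_ids.add(root.get("ID"))
        attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                 for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
        missing = [n for n in ATTRIBUTE_CONTRACT if n not in attrs]
        if missing:
            raise ValueError(f"attribute contract not met, missing {missing}")
        return attrs


def map_identity(attrs, mode="one_to_one"):
    """Identity mapping at the SP: 1:1 account keyed by e-mail, or a shared role-based account."""
    return "user:" + attrs["email"] if mode == "one_to_one" else f"role:{attrs['domain']}/{attrs['rolegroup']}"


def run_demo():
    """One accepted exchange, then the rejections an SP must produce."""
    now = datetime(2010, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    idp_id, sp_id = "https://idp.example.com", "https://sp.example.net"  # constructed
    user = {"username": "Andrea Smith", "email": "andrea.smith@example.com",
            "domain": "example.com", "rolegroup": "HR"}  # constructed record
    sp = ServiceProvider(sp_id, idp_id)
    token = idp_build_assertion(user, idp_id, sp_id, now)
    attrs = sp.consume(token, now + timedelta(seconds=90))  # SP clock 90 s ahead: within skew
    out = {"account": map_identity(attrs), "role_account": map_identity(attrs, "role_based")}
    b64, sig = token.rsplit(".", 1)  # alter an attribute value without re-signing
    tampered = base64.b64encode(base64.b64decode(b64).replace(b">HR<", b">Admin<")).decode() + "." + sig
    cases = {"replay": (token, now), "tampered": (tampered, now),
             "expired": (idp_build_assertion(user, idp_id, sp_id, now), now + timedelta(minutes=10)),
             "wrong_audience": (idp_build_assertion(user, idp_id, "https://other.example.org", now), now)}
    for label, (tok, when) in cases.items():
        try:
            sp.consume(tok, when)
            out[label] = "accepted"
        except ValueError as err:
            out[label] = str(err)
    return out
```

The order of checks matters: the signature is verified over the raw bytes before any of the content is parsed or acted on, the validity window allows a bounded clock difference (the clock synchronization item in the Getting Started checklist) rather than none, and the assertion ID is remembered so that a captured POST cannot be presented twice. The same token therefore succeeds once and is then rejected as a replay, a token whose attribute value was changed fails the signature check, and an assertion addressed to a different SP is refused even though its signature is valid.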
Secure Internet SSO with PingFederate
PingFederate is the only standalone federated identity management software to deliver secure
Internet single sign-on to all external partner connections including Software as a Service
(SaaS) and Business Process Outsourcing (BPO) providers, trading partners, managed services,
acquisitions, affiliates, subsidiaries and joint ventures. Through standards based identity
federation, PingFederate drastically reduces repeated user provisioning and time-consuming
proprietary SSO implementations that previously burdened organizations tasked with supporting
external applications.
Secure Internet SSO utilizes the browser to provide direct access to resources over the Internet. The
transfer of identity information between IdP and SP occurs completely behind the scenes.
Getting Started
By using secure Internet SSO, IT organizations can quickly enable secure connections for a
multitude of parties. The complexity, excessive time and cost to implement federated identity
between enterprises and services providers are drastically reduced with standalone Internet SSO.
Start your trial today and learn why implementing standalone identity federation software is
faster and easier—be one of the IT organizations to overcome the common misperception that
federation takes months to deploy.
When starting your trial it is important to identify the various options for your project including:
• Signing and Validation – Decide which SAML messages — assertions, responses, requests
— will be digitally signed and how the messages will be verified by your federation partner.
• Back Channel Security – Determine what type of SOAP channel authentication will be used.
• Trusted Certificate Management – Determine whether both partners are using SSL and/or
signing certificates that have been signed by a major certificate authority.
• Deployment – Decide how identity federation fits into your existing network.
• Server Clock Synchronization – Ensure that both the SP and IdP server clocks are
synchronized.
• User Data Stores – Identify the type of data store that contains user data when needed.
• Web Application and Session Integration – Decide how the IdP side receives subject
identity information to look up the session.
• Transaction Logging – Decide whether transaction logging should be integrated with a
systems management application and whether you have regulatory compliance requirements
that affect your logging processes.
• Identity Mapping – Decide whether you need a 1:1 relationship between user accounts at
the IdP and SP or whether you want to implement role-based accounts at the SP.
• Attribute Contract Agreement – Decide on a set of attributes that the IdP will send in an
assertion.
• Metadata Exchange – Decide whether you will use the metadata standard to exchange XML
files containing configuration information.
• Configuration Data Exchange – Decide how connected partners will exchange data.
• Timeline – Determine the project timeline.
Additional Resources
You can find additional information on the topics addressed in this paper at
www.pingfederate.com. Relevant resources that may be of interest include:
• Solution Brief: PingEnable Methodologies Overview
• White Paper: The Primer: Nuts and Bolts of Federated Identity Management
• White Paper: Internet-Scale Identity Systems: An Overview and Comparison
• Solution Brief: Secure Internet SSO for Enterprises
• Solution Brief: Secure Internet SSO for Service Providers
Glossary of Terms
Business Process Outsourcing (BPO) – contracted services through a third-party vendor or
service provider
Enterprise Single Sign-On (E-SSO) – single sign-on provided to internal applications within a
single security domain, or enterprise
Federated Identity – the ability to use a single set of credentials across multiple security
domains
Security Assertion Markup Language (SAML) – an XML-based standard utilized by
enterprises, identity providers and service providers to exchange identity attributes
Secure Internet Single Sign-On – standards-based methods used to provide users safe access
to applications across the Internet without the need to re-login
Software as a Service (SaaS) – a hosted application accessed over the Internet by an
enterprise
Web Single Sign-On (Web SSO) – single sign-on within a single security domain, or
enterprise, provided strictly to applications and resources accessed with a Web browser
WS-Federation – a standard federated identity specification that defines a mechanism for
separate security domains to broker credentials for authentication
About Ping Identity Corporation
Ping Identity is the market leader in Internet Identity Security, delivering on-premise software and on-demand
services to hundreds of customers worldwide. For more information, dial U.S. toll-free 877.898.2905 or
+1.303.468.2882, email [email protected] or visit www.pingidentity.com.
© 2010 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingFederate
Express, PingConnect, PingEnable, the Ping Identity logo, SignOn.com, Auto-Connect and Single
Sign-On Summit are registered trademarks, trademarks or servicemarks of Ping Identity Corporation.
All other product and service names mentioned are the trademarks of their respective companies.