
Secure Internet Single Sign-On 101

white paper

Overview

With the success of single sign-on (SSO) inside the enterprise, users are calling for interoperability outside of the enterprise’s security domain to outsourced services, including business process outsourcing (BPO) and software as a service (SaaS) providers, and trading partners, as well as within the enterprise to affiliates and subsidiaries.

While the business demands that employees are able to traverse the Internet with highly sensitive data, the connection has to be secure to protect the user, enterprise and service provider—enter secure Internet SSO. Written for anyone interested in understanding how secure Internet SSO works, this white paper explores the limitations of current SSO implementations outside of a single security domain (including identity and access management systems and open source development) and introduces standalone secure Internet SSO as a solution.


Table of Contents

• Background (page 3)
• Proprietary SSO (Web Agents) (page 3)
• How Secure Internet SSO Works (page 5)
• Secure Internet SSO with PingFederate (page 6)
• Getting Started (page 7)
• Additional Resources (page 8)
• Glossary of Terms (page 8)


Background

Connecting organizations with their external services over the Internet is critical in today’s age of real-time information sharing and collaboration. Organizations are no longer isolated: key services outside of the organization’s domain (including outsourced employee services and electronic exchanges with trading partners) have to be easily accessible and interoperable.

Collaboration is blurring the lines between enterprises and their service providers. With employees traversing the Internet with highly sensitive data, the connection has to be secure to protect the user, enterprise and service provider. Users are also demanding direct access to external resources and improved ease of use with single sign-on (SSO). As a result, organizations are faced with a myriad of challenges when providing SSO for many different use cases, including:

• Outbound SSO for users to access software as a service (SaaS) and business process outsourcing (BPO) providers, and to connect with trading partners
• Inbound SSO for service providers, such as BPOs and managed services, to access the enterprise’s resources
• Internal SSO for the enterprise and its acquisitions, affiliates, subsidiaries and joint ventures
• SSO to a third-party, hosted hub for users to share information among industry organizations

With many options to consider for delivering SSO that works over the Internet, making the right technology decision is crucial to successfully implementing federated identity management and mitigating long deployment times.

Proprietary SSO (Web Agents)

With the success of Web SSO inside the enterprise, many IT organizations looking to provide SSO over the Internet tried to reuse their existing proprietary Web SSO. In order for employees to access external Web sites and for external partners to access internal Web sites, organizations provided a proprietary Web agent to their external partners. Each time access was needed for a different partner, a different proprietary Web agent was implemented, so organizations had to support different software for each business partner connection. Over time, the growing number of different Web agents became difficult to manage due to their lack of reusability, and the ability to scale to new connections was limited.

As one IT staffer at a Fortune 50 company said, “We need to do single sign-on with fifty external partners. We have fifty different ways of doing it.” With each partner connection taking over two months to implement with proprietary SSO methods, IT organizations needed a better way to implement SSO over the Internet; otherwise, it would take years to connect all their partners.


Standards-Based SSO: Federated Identity

To overcome the limitations of proprietary implementations, organizations wanting to implement SSO over the Internet turned to federated identity standards such as Security Assertion Markup Language (SAML) and WS-Federation. These standards allow organizations to share credentials and attributes for authentication and authorization, reducing the need to maintain user credentials in multiple systems and eliminating the re-authentication of users to external resources. By utilizing standards, organizations can deliver secure Internet SSO, which reduces security gaps by creating trusted connections between enterprises providing identities (called identity providers or IdPs) and organizations providing the target applications or resources (called service providers or SPs).

Some IT organizations looked to their incumbent identity management (IdM) stack vendors to provide federated identity management. However, these products have failed to meet their scalability requirements, often requiring six to nine months to implement the first partner connection. Many such products only work with the newest releases of the software suite, forcing users into massive upgrade cycles just to add Internet SSO. Furthermore, implementing federated identity management with the suite products requires the entire identity and access management suite of applications—implying millions of dollars and a two-year implementation—just for SSO that works over the Internet.

With pressure to reduce implementation costs, some IT organizations turned to open source to develop their own Internet SSO solutions. However, open source is fraught with failed implementations: toolkits provide a limited set of functions for specifications such as SAML. Development of each external connection and integrated application requires expensive custom code, often taking up to 74 days to build a single partner connection. Developing SSO securely is also the domain of specialists—often not the expertise of a typical development staff. Base technologies used to implement Internet SSO, such as XML digital signatures, are highly complex and have been found to have significant security vulnerabilities when not implemented using best practices.


Secure Internet SSO allows organizations to provide users safe access to applications across the Internet without the need to re-login.


Standalone solutions for identity federation provide a centralized point for secure Internet SSO configuration that meets the needs of all organizations, including inbound SSO, outbound SSO and internal SSO. Most standalone solutions offer support for a myriad of standard federated identity protocols such as SAML and WS-Federation. Also, they are able to integrate with existing identity and access management infrastructure and existing application environments. By utilizing standalone federated identity software that implements standards-based SSO, IT organizations can reduce operational costs by providing centralized management of all partner connections, leveraging reusable connection configurations, and integrating easily with existing identity infrastructure and target application environments.

How Secure Internet SSO Works

With secure Internet SSO, once a user has logged into their enterprise’s network, they can directly access applications at outsourced services, trading partners and affiliates over the Internet. Hidden from the user, their home enterprise validates their login credential and assembles a specially formatted software message called a SAML assertion that contains information about the user. The identity-providing organization then transmits the assertion to the external service provider over the Internet via a trusted connection that has previously been established between the two organizations. The service provider then reads the information in the assertion and uses it to give the user access to their resources and pertinent information over the Internet without requiring additional usernames, passwords or any other login mechanism.

The key to secure Internet SSO is the browser—there are no agents required on the end user’s machine. Browsers such as Internet Explorer, Mozilla Firefox and Apple Safari provide the ability to interoperate, unbeknownst to the user, with federated identity software that validates the user credentials, creates the SAML assertion and sends the assertion to the service provider.

In order to securely transfer information about the user, the IdP and SP must first agree what details about the user will be passed. This is known as the attribute contract, which may include username, email address, domain and role group. For example:


First name | Last name | Email address | Domain | Role group
Andrea | Smith | [email protected] | pingidentity.com | HR

The enterprise, or IdP, manages the users’ credentials and provides information to the service providers, or SPs, for them to establish user sessions.

Once both parties have agreed on the attribute contract, each party knows what information will be passed. The user logs into their enterprise domain and is authenticated internally. When the user requests access to the external site, their browser automatically redirects to their enterprise’s SSO server, which then builds an assertion that includes the credentials agreed upon in the attribute contract.

This information is put into the browser header and the browser is directed back to the service provider’s SSO server, along with the address of the target application; this process is known as a POST profile, using HTTP or HTTPS. The service provider’s SSO server retrieves the assertion from the browser header and maps the credentials to the target application. The user is given access to the target application without the need to re-login. The entire process happens so quickly that the user does not even notice that the extra redirects have occurred.

The browser is automatically redirected between the servers for the SSO request. Secure Internet SSO’s browser-based method provides a simple approach to identity federation that requires minimal configuration by the enterprise and service provider.
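The POST profile exchange described above, as an added example that is not part of this white paper or of PingFederate: a constructed IdP builds an assertion for the agreed attribute contract, signs it and hands it to the browser as a SAMLResponse form field (the SAML POST binding carries the assertion base64-encoded in the form the browser posts), and the SP verifies the signature, issuer, audience and validity window (with a tolerance for the clock drift the Getting Started checklist warns about) before mapping the role group to a local account. The entity IDs, shared key, attribute names, role mapping and the HMAC stand-in for XML Signature are all assumptions.

```python
import base64, hashlib, hmac, re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Constructed trust configuration agreed out of band. Real deployments exchange X.509 signing
# certificates (often via SAML metadata) and use XML Signature; the HMAC is a stdlib stand-in.
IDP_ENTITY_ID = "https://idp.example-enterprise.test"
SP_ENTITY_ID = "https://sp.example-saas.test"
SHARED_SIGNING_KEY = b"constructed-demo-key"
CLOCK_SKEW = timedelta(minutes=2)   # tolerance for imperfectly synchronized server clocks
ATTRIBUTE_CONTRACT = ("firstName", "lastName", "email", "domain", "roleGroup")
ROLE_MAP = {"HR": "hr-portal-user"}  # role-based accounts at the SP rather than 1:1 accounts

def build_assertion(attrs, issued_at):
    """IdP side: build a minimal SAML-style assertion carrying the agreed attribute contract."""
    missing = [n for n in ATTRIBUTE_CONTRACT if n not in attrs]
    if missing:
        raise ValueError(f"attribute contract not satisfied, missing {missing}")
    nb, noa = issued_at.isoformat(), (issued_at + timedelta(minutes=5)).isoformat()
    attr_xml = "".join(
        f'<Attribute Name="{n}"><AttributeValue>{escape(attrs[n])}</AttributeValue></Attribute>'
        for n in ATTRIBUTE_CONTRACT)
    return (f"<Assertion><Issuer>{IDP_ENTITY_ID}</Issuer>"
            f'<Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
            f"<AudienceRestriction><Audience>{SP_ENTITY_ID}</Audience></AudienceRestriction>"
            f"</Conditions><AttributeStatement>{attr_xml}</AttributeStatement></Assertion>")

def idp_post_form(assertion, target_path):
    """IdP side: sign the assertion and build the form the browser auto-POSTs to the SP."""
    sig = hmac.new(SHARED_SIGNING_KEY, assertion.encode(), hashlib.sha256).hexdigest()
    signed = assertion.replace("</Assertion>", f"<Signature>{sig}</Signature></Assertion>")
    return {"SAMLResponse": base64.b64encode(signed.encode()).decode(), "RelayState": target_path}

def sp_consume(form, now):
    """SP side: verify signature, issuer, audience and validity window, then map the user."""
    doc = base64.b64decode(form["SAMLResponse"]).decode()
    m = re.search(r"<Signature>([0-9a-f]+)</Signature>", doc)
    if not m:
        raise PermissionError("unsigned assertion rejected")
    unsigned = doc.replace(m.group(0), "", 1)
    expected = hmac.new(SHARED_SIGNING_KEY, unsigned.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, m.group(1)):
        raise PermissionError("signature verification failed")
    root = ET.fromstring(unsigned)
    if root.findtext("Issuer") != IDP_ENTITY_ID:
        raise PermissionError("assertion from an untrusted issuer")
    cond = root.find("Conditions")
    if cond.findtext("AudienceRestriction/Audience") != SP_ENTITY_ID:
        raise PermissionError("assertion not intended for this SP")
    nb, noa = (datetime.fromisoformat(cond.get(k)) for k in ("NotBefore", "NotOnOrAfter"))
    if now < nb - CLOCK_SKEW or now >= noa + CLOCK_SKEW:
        raise PermissionError("assertion outside its validity window")
    attrs = {a.get("Name"): a.findtext("AttributeValue") for a in root.iter("Attribute")}
    if attrs.get("roleGroup") not in ROLE_MAP:
        raise PermissionError("role group has no mapping at this SP")
    return {"user": attrs["email"], "local_role": ROLE_MAP[attrs["roleGroup"]],
            "target": form["RelayState"]}

def run_demo(skew_minutes=0, tamper=False):
    """Full exchange for the paper's sample user (the email local part is constructed)."""
    andrea = {"firstName": "Andrea", "lastName": "Smith", "email": "asmith@pingidentity.com",
              "domain": "pingidentity.com", "roleGroup": "HR"}
    issued = datetime(2010, 5, 1, 9, 0, tzinfo=timezone.utc)
    form = idp_post_form(build_assertion(andrea, issued), "/hr/dashboard")
    if tamper:  # attribute edited in transit after signing; the SP must reject it
        doc = base64.b64decode(form["SAMLResponse"]).replace(b">HR<", b">Admin<")
        form["SAMLResponse"] = base64.b64encode(doc).decode()
    try:
        return sp_consume(form, issued + timedelta(minutes=skew_minutes))
    except PermissionError as err:
        return {"rejected": str(err)}
```

Positive skew in `run_demo` simulates an SP clock running ahead of the IdP; a few minutes of drift within the tolerance still succeeds, while an edited attribute fails the signature check before any other validation runs.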

Secure Internet SSO with PingFederate

PingFederate is the only standalone federated identity management software to deliver secure Internet single sign-on to all external partner connections including Software as a Service (SaaS) and Business Process Outsourcing (BPO) providers, trading partners, managed services, acquisitions, affiliates, subsidiaries and joint ventures. Through standards-based identity federation, PingFederate drastically reduces repeated user provisioning and time-consuming proprietary SSO implementations that previously burdened organizations tasked with supporting external applications.


Secure Internet SSO utilizes the browser to provide direct access to resources over the Internet. The transfer of identity information between IdP and SP occurs completely behind the scenes.


Getting Started

By using secure Internet SSO, IT organizations can quickly enable secure connections for a multitude of parties. The complexity, excessive time and cost to implement federated identity between enterprises and service providers are drastically reduced with standalone Internet SSO. Start your trial today and learn why implementing standalone identity federation software is faster and easier—be one of the IT organizations to overcome the common misperception that federation takes months to deploy.

When starting your trial it is important to identify the various options for your project, including:

• Signing and Validation – Decide which SAML messages — assertions, responses, requests — will be digitally signed and how the messages will be verified by your federation partner.
• Back Channel Security – Determine what type of SOAP channel authentication will be used.
• Trusted Certificate Management – Determine whether both partners are using SSL and/or signing certificates that have been signed by a major certificate authority.
• Deployment – Decide how identity federation fits into your existing network.
• Server Clock Synchronization – Ensure that both the SP and IdP server clocks are synchronized.
• User Data Stores – Identify the type of data store that contains user data when needed.
• Web Application and Session Integration – Decide how the IdP side receives subject identity information to look up the session.
• Transaction Logging – Decide whether transaction logging should be integrated with a systems management application and whether you have regulatory compliance requirements that affect your logging processes.
• Identity Mapping – Decide whether you need a 1:1 relationship between user accounts at the IdP and SP or whether you want to implement role-based accounts at the SP.
• Attribute Contract Agreement – Decide on a set of attributes that the IdP will send in an assertion.
• Metadata Exchange – Decide whether you will use the metadata standard to exchange XML files containing configuration information.
• Configuration Data Exchange – Decide how connected partners will exchange data.
• Timeline – Determine the project timeline.


Additional Resources

You can find additional information on the topics addressed in this paper at www.pingfederate.com. Relevant resources that may be of interest include:

• Solution Brief: PingEnable Methodologies Overview
• White Paper: The Primer: Nuts and Bolts of Federated Identity Management
• White Paper: Internet-Scale Identity Systems: An Overview and Comparison
• Solution Brief: Secure Internet SSO for Enterprises
• Solution Brief: Secure Internet SSO for Service Providers

Glossary of Terms

Business Process Outsourcing (BPO) – contracted services through a third-party vendor or service provider

Enterprise Single Sign-On (E-SSO) – single sign-on provided to internal applications within a single security domain, or enterprise

Federated Identity – the ability to use a single set of credentials across multiple security domains

Security Assertion Markup Language (SAML) – an XML-based standard utilized by enterprises, identity providers and service providers to exchange identity attributes

Secure Internet Single Sign-On – standards-based methods used to provide users safe access to applications across the Internet without the need to re-login

Software as a Service (SaaS) – a hosted application accessed over the Internet by an enterprise

Web Single Sign-On (Web SSO) – single sign-on within a single security domain, or enterprise, provided strictly to applications and resources accessed with a Web browser

WS-Federation – a standard federated identity specification that defines a mechanism for separate security domains to broker credentials for authentication

About Ping Identity Corporation

Ping Identity is the market leader in Internet Identity Security, delivering on-premise software and on-demand services to hundreds of customers worldwide. For more information, dial U.S. toll-free 877.898.2905 or +1.303.468.2882, email [email protected] or visit www.pingidentity.com.

© 2010 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingFederate Express, PingConnect, PingEnable, the Ping Identity logo, SignOn.com, Auto-Connect and Single Sign-On Summit are registered trademarks, trademarks or servicemarks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies.