What will I talk about? SSO
• Single Sign-On defined:
  • User perspective: the ability to use multiple applications with one sign-on
  • System perspective: the use of one sign-on to access multiple applications, e.g. a technically integrated sign-on across applications
© Kuppinger Cole + Partner 2007, page 2
Identity Management Market: Single Sign-On segment increases
[Chart: planned investment per identity management segment, share of survey responses from 0% to 100%. Segments: directory services, meta directory services, identity provisioning, virtual directories, identity federation, web access management, single sign-on, strong authentication, PKI, mainframe access management, auditing, role management, delegated administration. Legend: no investments, optimization in ongoing operation, major extensions, product change, introduction.]
Base: Kuppinger Cole + Partner Identity Management Survey 2006
Business drivers for IT = Business drivers for SSO
Identity Management
• process optimization: „get closer to the market“ (SSO!)
• user productivity: “more bang for bucks” (SSO!)
• automation: “cut out the fat” (SSO!)
• internal auditing: “keep the boss out of jail” (SSO?)
Single Sign-On: Concrete needs
• Users have too many combinations of user names and passwords (credentials) to keep in mind
• Security risks through insecure „storage“
• Users don't like new apps („just another application with just another user name and password“)
• High help desk costs for password resets
• Need for strong authentication
  • Unique, safe approaches across apps
  • Securing sensitive apps
  • Optimizing the costs of strong authentication
Business Value: SSO delivers
Quantitative
1 Administrative costs of helpdesk
2 Integration costs of apps (short term)
3 Fast implementation of tactical solutions
Qualitative
1 Ease of use for the user
2 Acceptance for new (and old) apps
SSO is not only tactical!
- tactical: even mid-term there won't be „real“ SSO across all apps
- strategic: „real“ SSO with integration on the application level
Identity Management Market: Single Sign-On approaches
[Chart: share of survey responses from 0% to 30% per SSO approach: server-based solutions, client-based solutions, Kerberos, X.509, Web Single Sign-On, Federation. Legend: strategic solution, used in some areas, deployment planned.]
Base: Kuppinger Cole + Partner Identity Management Survey 2006
SSO: Six approaches for the enterprise
• Server-based SSO (E-SSO)
• Client-based SSO
• Kerberos
• X.509
• Web-SSO
• Federation
SSO approaches: Server-based („E-SSO“)
• Stores credentials on a server store: central control, decentral client which accesses the credentials and sometimes caches them (more or less securely) locally
• Usually called „E-SSO“ or „Enterprise Single Sign-On“
• No „real“ Single Sign-On
Key players:
ActivIdentity, CA, Citrix, Evidian, Imprivata, Passlogix, Tesis
Multiple OEMs like IBM, Novell, Oracle
E-SSO: How does it work?
[Diagram: a user with an E-SSO client; the E-SSO client retrieves the stored credentials from the directory (credential storage) and performs the authentication against the applications on the user's behalf.]
SSO approaches: Client-based, local SSO
• Stores credentials on the client; in most cases no central control; local storage might be a potential security risk
• Special approach: browser-integrated
• Some vendors support external storage devices like USB keys or smartcards, which are commonly more secure
• Specific: context of integrated smartcard infrastructures
• No „real“ Single Sign-On
Key players:
Very segmented market, dozens of smaller offerings
ActivIdentity, Aladdin, G&D, PassGo, Secude, Siemens, Symantec, Tesis
SSO approaches: Kerberos
• Authentication standard for distributed systems, supports SSO via service tokens for specific applications
• Usage practically restricted to closed environments
• Supported on all major operating system platforms, but with significant interoperability issues
• Real Single Sign-On, requires so-called „kerberized“ applications
Key players:
KDCs: Heimdal, Microsoft, MIT and various adaptors
Integration: Centeris, Centrify, Quest
SSO approaches: X.509
• At first a standard for digital certificates, but with broad interoperability
• Certificates need to be mapped to existing accounts, i.e. some existing base of identities is required
• Requires PKI and card management infrastructure on top
• Exists for a long time, but still isn't supported in any standard application and is missing in most custom applications
• Mainly used in web apps, can be used externally
• Might work fine with a smartcard infrastructure on top
• Somewhat „semi-real“ Single Sign-On due to different „identity providers“ (e.g. directories)
Key players:
Multiple external certificate providers: S-Trust, Thawte, Verisign
Card infrastructure providers: ActivIdentity, G&D, Secude, Siemens
SSO approaches: Web-SSO
• Web Single Sign-On, also called Web Access Management or Extranet Access Management
• Central authentication for web-based apps, policy-based authorization
• Limited to web applications, sometimes with support for J2EE and other apps (but seldom used)
• Quick-win approach
• Somewhat „semi-real“ Single Sign-On
Key players:
BMC, CA, Entrust, HP, IBM, Microsoft, Novell, RSA, Siemens, Sun, Symlabs
SSO approaches: Identity Federation
• Standard-based approach for distributed authentication and authorization
• Becomes increasingly important and mature
• Based on web services, very flexible
• But: multiple standards; key players usually support multiple of them
• Real Single Sign-On
Key players:
BMC, CA, HP, IBM, Maxware, Microsoft, Novell, Oracle, Ping Identity, RSA, Siemens, Sun, Symlabs
Identity Federation: How it works…
• Federation is based on trust
  • Service Provider trusts Identity Provider
• User authenticates once for multiple service providers
• Flexible attribute exchange
[Diagram: the user holds a session with the Identity Provider, which is backed by a directory; a trust relationship links the Identity Provider to the Service Provider, which guards the resource.]
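The trust relationship described above, as an added Python example (not code from the original deck or from Kuppinger Cole): a hypothetical identity provider authenticates the user once and issues signed, audience-bound assertions, and each service provider trusts that IdP only by holding its key, rejecting assertions from unknown issuers, for other audiences, or with a bad signature. A symmetric HMAC key stands in for the IdP's signing certificate, and the user store is constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed user store of the hypothetical IdP (not from the original deck).
USERS = {"alice": {"password": "correct horse", "dept": "finance"}}

class IdentityProvider:
    """Authenticates the user once, then issues signed assertions to any SP."""
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.sessions = {}  # user -> attributes, filled by one successful login

    def login(self, user, password):
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return False
        self.sessions[user] = {k: v for k, v in rec.items() if k != "password"}
        return True

    def assertion_for(self, user, audience):
        """Signed, audience-bound, short-lived assertion; no second password prompt."""
        if user not in self.sessions:
            return None
        body = {"iss": self.name, "sub": user, "aud": audience,
                "exp": int(time.time()) + 300, "attrs": self.sessions[user]}
        payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}"

class ServiceProvider:
    """Trust means holding the key of each accepted IdP; nothing else is believed."""
    def __init__(self, name, trusted_idps):
        self.name, self.trusted_idps = name, trusted_idps  # IdP name -> key

    def consume(self, token):
        # Returns the asserted attributes, or None if the assertion is not acceptable.
        payload, sig = token.rsplit(".", 1)
        body = json.loads(base64.urlsafe_b64decode(payload))
        key = self.trusted_idps.get(body.get("iss"))
        if key is None:  # issuer is not a trusted IdP
            return None
        expect = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, sig):  # forged or tampered assertion
            return None
        if body.get("aud") != self.name or body["exp"] < time.time():
            return None  # meant for another SP (replay across SPs) or expired
        return body["attrs"]
```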
Single Sign-On approaches compared: E-SSO as mature approach
[Chart: approaches plotted by integration requirements for apps (low to high) against maturity. Low integration requirements: Enterprise SSO, Local SSO; in between: Web-SSO, Federation; high integration requirements: Kerberos, X.509.]
SSO trend observed: OpenID, CardSpace, …
• OpenID: focus on one identity and a single sign-on for this identity
• CardSpace: different Infocards, different identity providers, not necessarily a single sign-on
• Trend:
  • Users from the internet will expect that these technologies are supported
  • They like to have one sign-on
  • Thus, we expect a strong influence on client-based approaches for single sign-on
SSO trend observed: Smartcards and SSO
• Smartcards gain momentum as a means for strong authentication
• But: smartcards can as well (depending on card and client technology) store additional information or shield credential stores
• Result: SSO
• Valid approach when applied with a smartcard infrastructure, containing related processes
SSO trend observed: Entry point for IAM
Yes, because…
• …you could start at the client and collect information on who has which digital identity for which application (something which is often unknown)
• …there might be a fast success
• …at least some approaches are easy to implement (non-intrusive)
No, because…
• …for all strategic approaches an integrated, trustworthy identity is mandatory (and even for most tactical approaches a central directory)
• …the effort for application integration is high in many cases
• …sometimes a complex infrastructure is required
SSO: Tactics versus strategy
SSO tactics
• Frontend-oriented SSO
• User experience: SSO
• Fast-to-implement solutions
• Internal: E-SSO or smartcard infrastructure with local SSO
• External, Intranet apps: Web-SSO
SSO strategy
• Backend-SSO
• Applications are SSO-integrated
• One defined strategy
• Identity Federation
• Kerberos is restricted (but might be important as an internal point solution, e.g. Windows + Linux/UNIX)
• X.509 is a necessary, complementary base technology, but not the complete solution
SSO strategy: The components
[Diagram: Single Sign-On in the centre, surrounded by Integrated Identity, Strong Authentication, Application Security Infrastructure and Identity Federation.]
• Integrated identity: Meta Directories, Provisioning
• Strong authentication: at least two-factor authentication
• Application Security Infrastructure: mandatory requirements for authentication and authorization in applications
• Federation: basis for Single Sign-On
SSO as risk or chance? Identity Risk Management
• Authentication:
  • Trustworthy Identity Provider: SSO = Trust
  • Risk: non-integrated auditing of authentication and authorization
  • Golden password?
• Authorization:
  • Still in most cases decentral
  • Central: Web-SSO
  • Requires a defined configuration of Identity Providers and services/applications
IT risks tend to be reduced through SSO
Availability of the SSO Report 2007
• Slides: KCP website right after the conference
• Text version: end of May 2007