ArchitecturesSingle Sign-On › 6f77 › 0c307093b4ac... · Sign-On Authentication Exchange Master...

month ##, 2002filename.ppt © 2002

Single Sign-On Architectures

Jan De ClercqSecurity Consultant

HPCI Technology Leadership GroupHewlett-Packard


Agenda

• Trusted Security Infrastructures

• SSO: What and Why?

• SSO Architectures

• Extending SSO


Trusted Security Infrastructures (TSIs)

Dir CDir B

Applications

Dir A

Meta-Directory

App 1

Security Admin AccessControl

Infra

Auditing

Identity Mgmt

MsgDBs WebServices

App 2 App 3 App...

Trusted Security

Infrastructures

Core I.T Infrastructure

ServicesMgmt

Sec PolMgmt

AuthentInfra


SSO Foundations: Trust

SSO

Trust

Identification

Authentication

Authorization

Access Control


Agenda•Trusted Security Infrastructures

•SSO: What and Why?•SSO Architectures

•Extending SSO


SSOWhat and Why?

•Ease of Administration

•Ease of Use

•Enables Enforcement of Coherent Security Policy

•Key to the Kingdom?


SSOTerminology

• Authentication Infrastructure

• Authentication Server

- “Physical” providers of authentication/SSO

• Authentication Authority

- “Logical” providers of authentication/SSO/Trust

= Domain (Windows speak)

= Cell (DCE speak)

= Realm (Kerberos speak)

• Authentication Credentials

• Digital Identity

• Credential Database

• Authentication Factors

• Authentication Token


SSO Terminology

AuthenticationServer

SecondaryAuthentication

DomainSecondary

AuthenticationDomain

User

PrimarySign-On

AuthenticationExchange

CredentialDatabase

Resource Server

Account andCredential

Management

ID PW

ID PW Trust TokenValidation

ID PW

ID PW

Tok



•SSO: What and Why?

•SSO Architectures•Extending SSO


SSO Solution

andArchitectures

Simple SSO• Single Authentication

Authority and Server

• Single Authentication Authority and Multiple Servers

Complex SSO• With Single Set of Credentials

– Token-based SSO

– PKI-based SSO

• With Multiple Sets of Credentials

– Credential Synchronization

– Client-side Credential Caching

– Server-side Credential Caching


Simple SSO Solutions



DomainSecondary

AuthenticationDomain

User

PrimarySign-On


CredentialDatabase

Resource Server


Management

SSO with a single Authentication Authority anda single Authentication Server

Examples: OS, EAMS, Centralized RAS

ID PW

ID PW Trust TokenValidation

ID PW

ID PW

Tok


Simple SSO Solutions


Domain

User

PrimarySign-On


MasterCredentialDatabase


Management

SSO with a single Authentication Authority andmultiple Authentication Servers

Examples: OS, EAMS, Centralized RAS

ID PW

ID PW TrustToken

Validation

ID PW

ID PW

Tok

ReplicatedCredentialDatabase

ID PWID PW



Domain

Replication

Resource Server



Traditional Sign-On (No SSO)

Primary Authentication

Authority

User

PrimarySign-On

SecondarySign-On(s)

PrimaryCredentialDatabase

SecondaryCredentialDatabase


Authority


Management


Management

ID PW

ID PW

ID PWID PW

Tok

Tok


Complex SSO Solutions: Single Credential Set: Token-based SSO


Management



Authority

User

PrimarySign-On

TransparantSecondarySign-On(s)

using Temporary

Token


Authority


ManagementTemporaryToken

Trust

Examples: Kerberos, EAMS, Passport


ID PW

ID PW

Tok

ID PW

ID PW


Complex SSO Solutions: Single Credential Set: PKI-based SSO


Authority

User

User Registration


usingPublic Key Credentials

(Certificate and Private Key)


Authority


ManagementCertificate Issuance

Trust

Examples: Entrust, Baltimore, Windows 2000, Windows.NET

CredentialDatabase

ID PW

ID PW

UserCert

CACert

CACert

CACert

UserPrivate

Key


Complex SSO Solutions: Multiple Credential Set: Password Sync


Authority

User

PrimarySign-On

SecondarySign-On(s)


Authority


Management


Management

Examples: PassGo, PSynch, MetaDirectories, Provisioning software

CredentialSynchronization



ID PW

ID PW

ID PWID PW Trust

Tok

Tok

Sync Software

Sync Software


Complex SSO Solutions: Multiple Credential Set: Client-side Caching

SecureClient-SideCredential

Cache

PrimaryAuthentication

Authority

User

PrimarySign-On


UsingCached

Credentials


Authority


Management


Management

Examples: Windows XP and Windows.NET, Identix Biologon, Entrust Entelligence



ID PW

ID PW

ID PWID PW

Trust

PW

PW

Tok

Tok


Complex SSO Solutions: Multiple Credential Set: Server-side Cache


AuthorityUser

Primary Sign-On


Authority


Management


Management

Examples: Tivoli SecureWay SSO, CA ETrust SSO



ID PW

ID PW

ID PW

ID PW

Tok

Tok


UsingCredentials

Returned fromPrimary Authentication Authority’s

Database

Credentials for SecondaryAutentication Authority

Request for Secondary Credentials

ID PWTrust


SSO Solutions: Pros and Cons (1)



•SSO: What and Why?

•SSO Architectures

•Extending SSO


Extending SSO

•To cover Different Organizations

• Scope: Extranet and Internet

• Federation

•To cover Different Applications

• Scope: Intranet

• Authentication APIs


Defining Federation

“ The Use of agreements, standards, and technologies to make identity and entitlements portable across autonomous identity domains.”


Extending SSO: Federation


Extending SSO: Authentication APIs


Conclusion

• Creating an SSO Infrastructure for a heterogeneous environment is not an easy job

• The creation of SSO Infrastructures is a great opportunity to leverage directory and meta-directory investments


TSI: Conclusion

AccessControl

Infra

Security Admin

Trusted Security InfrastructuresAuthent

Infra

Wireless

Remote Access

(PPP)AAA – Radius / Tacacs+

Web(HTTP)

Office –Enterprise

(SMB)Provisioning

AppsResourceManagers

NOSSec Adm

Access Method

PKI

EAMS


Questions?

[email protected]

ArchitecturesSingle Sign-On › 6f77 › 0c307093b4ac... · Sign-On Authentication Exchange Master...

Documents

Transcript of ArchitecturesSingle Sign-On › 6f77 › 0c307093b4ac... · Sign-On Authentication Exchange Master...