© 2012 IBM Corporation
IBM Security Services
The Challenges of Web single sign-on
GSE Event
September 7, 2012
Serge Vereecke, Security Architect, IBM Security Services
Agenda
Single sign-on technology
Why single sign-on
Challenges of single sign-on
Technology journey of SSO
SSO use case
Lessons learned
Summary
Single sign-on technologies
Single sign-on
Goal of SSO
Technology failed to live up to consumer expectations
Single sign-on technologies
Terminology & synonyms
Definition & properties
Single sign-on: user perspective
Figure 1. Unified, Policy-Based Security for the Web (diagram contrasting BEFORE, where each application, including J2EE applications, carries its own security, with AFTER, where Access Manager Security Services provide a single user registry, unified policy and centralized audit)
Single sign-on: IT perspective
Single sign-on technologies
Classes of SSO
Technology shifts
Technology shift impact on SSO
SSO Technology journey
Kerberos technology
SSO Technology journey
Web access management technology
SSO Technology journey
Federated Identity technology
Scenario: Provide Federated SSO to employees and customers, using internal and partner applications
Diagram: an Employee Portal and a Customer Portal (Portal Server) sit behind the customer's existing Web Access Management solution (e.g. TAMeb) and a Federated Identity Management component. Internal applications reached through it: Tax/Salary information, Education, Financial/401K/Benefits, Travel Bookings. Partner applications reached through federation: Travel Services Provider, 401K, Regional Insurance Providers, Billing Processing. Users are employees and customers.
We all use this every day!
SSO Technology journey
Web services technology
SSO Technology journey
Diagram: Requestor, Security Token Service (STS) and Provider, each governed by its own policy; security tokens carry claims. 1. The requestor gets a token from the STS. 2. The requestor sends the message (including the token) to the provider. 3. The provider validates the token.
Identity federation and web services require trust:
• This trust is based on agreements between partners and is expressed as policies.
• Trust can be enabled by technology: trust requirements are expressed as infrastructure policies and requirements; security tokens include identity information; cryptographic keys are used to sign security tokens.
• Technology needs to be standards based: standard ways to express and exchange policies that reflect trust relationships; an agreed token format, information content, and signing and encryption methods.
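The three-step exchange above, as an added example that is not part of the original slides and not any IBM product's code. It models the trust agreement as a shared policy (issuer name, audience name, signing key, lifetime) and uses a simple JSON-claims-plus-HMAC token in place of a standards-based token such as SAML; the issuer and audience URNs, the key and the claim names are assumptions made for the example. The point it shows is that the provider checks signature, issuer, audience and expiry before believing any claim in the token.

```python
"""Added example: security token issuance and validation between a requestor,
an STS and a provider. Not code from the original slides; token format,
policy names and key are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import time

# Assumed trust policy agreed between the STS and the provider. In a real
# deployment the key would be an X.509 certificate pair, not a shared secret.
POLICY = {
    "issuer": "urn:example:sts",                            # assumed name
    "audience": "urn:example:provider",                     # assumed name
    "signing_key": b"shared-secret-from-trust-agreement",   # assumed key
    "lifetime_seconds": 300,
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue_token(subject: str, roles, policy=POLICY, now=None) -> str:
    """Step 1 (Get Token): the STS builds identity claims and signs them."""
    now = time.time() if now is None else now
    claims = {
        "iss": policy["issuer"], "aud": policy["audience"], "sub": subject,
        "roles": list(roles), "iat": int(now),
        "exp": int(now) + policy["lifetime_seconds"],
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(policy["signing_key"], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def requestor_send(token: str, payload: dict) -> dict:
    """Step 2 (Send Message): the requestor attaches the token to the message."""
    return {"security_token": token, "body": payload}


def provider_validate(message: dict, policy=POLICY, now=None):
    """Step 3 (Validate Token): check signature, issuer, audience and expiry.
    Returns (True, claims) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = message["security_token"].split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (KeyError, ValueError):
        return False, "malformed token"
    expected = hmac.new(policy["signing_key"], body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return False, "bad signature"
    claims = json.loads(body)
    if claims.get("iss") != policy["issuer"]:
        return False, "untrusted issuer"
    if claims.get("aud") != policy["audience"]:
        return False, "token not intended for this provider"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    return True, claims


if __name__ == "__main__":
    token = sts_issue_token("alice", ["teller"])
    print(provider_validate(requestor_send(token, {"op": "balance"})))
```

The audience check matters as much as the signature: a token the STS legitimately issued for one provider must not be replayable against another partner that trusts the same STS.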
SSO Technology journey
User centric identity technology
OAuth – What is it?
User wants to share information (Resource Owner)
User wants to access information (Consumer or Client)
OAuth Service Provider
Provides Access based on Resource Owner’s authorization
Delegated Authorization for enabling the sharing of information
Customer example: Securing access and SSO to banking applications
Customer example: Securing access and SSO to banking applications
Diagram: the TAMeB WebSEAL server forwards the request to WebSphere Application Server together with the user identity and a proof of server identity. The Web Authenticator (ETAI) validates the origin of the forwarded request, returns the identity, and builds the credential: a Java Subject holding a PDPrincipal.
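An added illustration of the "validate origin, return identity, build credential" steps in the diagram above. This is example code, not IBM's ETAI or TAI++ implementation: it models the proof of server identity as a Basic Authentication header carrying a service account that WebSEAL is configured to present, plus a source-address allowlist, and the user identity as the forwarded iv-user and iv-groups headers. The account name, password, address and group format are assumptions. The security point is the ordering: the asserted user identity is read only after the origin has been verified, so a client that reaches the application server directly cannot log in simply by setting iv-user.

```python
"""Added example: a trust-association style authenticator that verifies the
forwarding proxy before trusting the identity it asserts. Not product code;
configuration values and header conventions are assumptions."""
import base64
import hmac
from dataclasses import dataclass, field

# Assumed authenticator configuration (hypothetical values).
TRUSTED_PROXIES = {"10.0.0.5"}                                   # WebSEAL addresses
WEBSEAL_SERVICE_ACCOUNT = ("webseal-svc", "s3cret-from-config")  # BA proof of identity


@dataclass
class Subject:
    """Stand-in for the Java Subject built by the authenticator."""
    principal: str                      # PDPrincipal equivalent
    groups: list = field(default_factory=list)
    asserted_by: str = ""               # which proxy vouched for the identity


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a proxy would send as proof of identity."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _basic_auth_credentials(header):
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except Exception:
        return None
    return user, pw


def validate_origin(source_ip: str, headers: dict) -> bool:
    """'Validate origin': is this really a request forwarded by WebSEAL?"""
    if source_ip not in TRUSTED_PROXIES:
        return False
    creds = _basic_auth_credentials(headers.get("authorization"))
    if creds is None:
        return False
    user_ok = hmac.compare_digest(creds[0].encode(), WEBSEAL_SERVICE_ACCOUNT[0].encode())
    pw_ok = hmac.compare_digest(creds[1].encode(), WEBSEAL_SERVICE_ACCOUNT[1].encode())
    return user_ok and pw_ok


def authenticate_forwarded_request(source_ip: str, headers: dict):
    """'Return identity' and 'Build credential'. Returns a Subject, or None
    when the origin cannot be verified or no identity was asserted."""
    if not validate_origin(source_ip, headers):
        return None                 # never read iv-user from an unverified origin
    user = headers.get("iv-user")
    if not user:
        return None
    # Assumed group header format: comma-separated, each name quoted.
    raw = headers.get("iv-groups", "")
    groups = [g.strip().strip('"') for g in raw.split(",") if g.strip()]
    return Subject(principal=user, groups=groups, asserted_by=WEBSEAL_SERVICE_ACCOUNT[0])


if __name__ == "__main__":
    hdrs = {"authorization": basic_auth_header(*WEBSEAL_SERVICE_ACCOUNT),
            "iv-user": "alice", "iv-groups": '"tellers","staff"'}
    print(authenticate_forwarded_request("10.0.0.5", hdrs))
    print(authenticate_forwarded_request("192.0.2.9", {"iv-user": "admin"}))
```

In production the proof of server identity is usually mutual TLS between WebSEAL and the application server rather than a password, but the check has the same shape: authenticate the proxy first, then accept the identity it forwards.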
Customer example: Securing access and SSO to banking applications
Diagram: Browser, WebSEAL instance and LRR application (SharePoint 2010). When WebSEAL needs to return a local response (such as a login or error page) for a browser request, it redirects the browser to the Local Response Redirect URL
http://websealhostname/lrr/handler.aspx?TAM_OP=value&MACRO=value
The browser requests that URL, the LRR application generates the page, and the response is returned to the browser.
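An added example of what the LRR application at that URL has to do, written in Python rather than as the ASP.NET handler the customer used; it is not the customer's or IBM's code. It assumes TAM_OP carries the operation name, that the operation names listed in KNOWN_OPERATIONS are the ones the handler supports, and that URL and ERROR_TEXT are the macros of interest; the form field names are assumptions too. The two checks a practitioner wants are here: the operation is matched against an allowlist, and macro values, which arrive in a query string the end user can edit, are never used as a redirect target unless they are a same-origin path and are HTML-escaped before being rendered.

```python
"""Added example: handling a WebSEAL local response redirect request.
Not the original LRR application; operation names, macro names and the
generated markup are assumptions for illustration."""
import html
from urllib.parse import parse_qs, urlsplit

# Operations this example handler renders; anything else is refused.
KNOWN_OPERATIONS = {
    "login", "login_success", "error", "logout", "passwd", "passwd_exp",
    "acct_locked", "stepup", "help",
}


def parse_lrr_request(url: str):
    """Split the redirect URL into the TAM_OP value and the macro values."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    op = query.get("TAM_OP", [""])[0]
    macros = {k: v[0] for k, v in query.items() if k != "TAM_OP"}
    return op, macros


def safe_return_url(value: str) -> str:
    """Accept only a same-origin absolute path; anything with a scheme or
    host (including protocol-relative '//host') falls back to '/'."""
    if not value.startswith("/") or value.startswith("//") or value.startswith("/\\"):
        return "/"
    return value


def render_lrr_page(url: str):
    """Generate the page WebSEAL asked for. Returns (status, html_body)."""
    op, macros = parse_lrr_request(url)
    if op not in KNOWN_OPERATIONS:
        return 400, "<h1>Unsupported operation</h1>"
    if op == "login":
        # URL macro: where the user wanted to go; validated, then escaped.
        target = html.escape(safe_return_url(macros.get("URL", "/")))
        return 200, (
            '<form method="post" action="/pkmslogin.form">'
            '<input name="username"><input name="password" type="password">'
            '<input type="hidden" name="login-form-type" value="pwd">'
            f'<input type="hidden" name="return_to" value="{target}">'  # assumed field
            '<button>Sign in</button></form>'
        )
    if op == "error":
        text = html.escape(macros.get("ERROR_TEXT", "Request failed"))
        return 200, f"<h1>Error</h1><p>{text}</p>"
    return 200, f"<h1>{html.escape(op)}</h1>"


if __name__ == "__main__":
    print(render_lrr_page(
        "http://websealhostname/lrr/handler.aspx?TAM_OP=login&URL=%2Fbanking%2Faccounts"))
    print(render_lrr_page(
        "http://websealhostname/lrr/handler.aspx?TAM_OP=error&ERROR_TEXT=%3Cb%3Ex"))
```

Because the LRR page is served from the WebSEAL host name, a reflected macro value would execute in the SSO origin itself, which is why escaping every macro is not optional here.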
SSO Architecture
Diagram: Browser → TAM WebSEAL (authenticating via EAI) → HTTP(S) → Web Application SharePoint 2010 with TMRP++ STS (TAI++), and → HTTP(S) → Web Application with TFIM STS (TAI++); both backed by a User management system.
SSO use case: lessons learned
Scenario: Securing access to SaaS and Services in Cloud
Diagram: SMB A and Enterprise B, each running a FIM BG (Tivoli Federated Identity Manager), exchange SAML assertions with Google Apps and other Application Providers; the same federation serves Partners/Consumers and Merged Companies.
• Single Sign On to Salesforce.com CRM resources based on authentication to the enterprise directory only
• Access Salesforce.com CRM resources in context and based on web & email launch points (providing the user with seamless navigation across applications)
Summary
Questions?