Single sign-on (SSO) is an access control property of multiple related but independent software systems. With this property, a user logs in once with a single ID and password to gain access to any of the connected systems without being prompted for different usernames or passwords, or, in some configurations, is seamlessly signed on to each system. This is typically accomplished using the Lightweight Directory Access Protocol (LDAP) with the LDAP database held on (directory) servers. A simple version of single sign-on can be achieved over IP networks using cookies, but only if the sites share a common parent DNS domain.
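The cookie-based variant mentioned above only works because a cookie scoped to the parent domain is sent to every sibling host, and each host can check the same signed ticket. The following is an added example, not code from the original article, showing a login app minting an HMAC-signed SSO cookie for the constructed parent domain `example.com` and a sibling app verifying domain scope, signature and expiry; the shared key and all host names are assumptions.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie
from typing import Optional

SHARED_KEY = b"constructed-demo-key-do-not-use"  # assumption: both apps hold this out of band
COOKIE_DOMAIN = "example.com"                    # parent DNS domain shared by the apps

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_ticket(user: str, ttl: int = 600, now: Optional[float] = None) -> str:
    """Login app: sign a short-lived claim set as '<payload>.<tag>'."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": user, "exp": int(now + ttl)}).encode())
    tag = _b64(hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"

def set_cookie_header(ticket: str) -> str:
    """Scope the ticket to the parent domain so the browser sends it to *.example.com."""
    cookie = SimpleCookie()
    cookie["sso"] = ticket
    morsel = cookie["sso"]
    morsel["domain"], morsel["secure"] = COOKIE_DOMAIN, True
    morsel["httponly"], morsel["samesite"] = True, "Lax"
    return cookie.output(header="").strip()        # value of the Set-Cookie header

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the domain or ends with '.' + domain."""
    host, dom = request_host.lower(), cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def verify_sso_cookie(ticket: str, request_host: str, now: Optional[float] = None) -> Optional[str]:
    """Sibling app: return the user if the ticket is in scope, authentic and unexpired."""
    if not domain_matches(request_host, COOKIE_DOMAIN):
        return None                                # cookie would never reach this host
    try:
        payload, tag = ticket.split(".", 1)
        expected = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None                            # forged or tampered ticket
        claims = json.loads(_unb64(payload))
    except ValueError:
        return None                                # malformed encoding or JSON
    now = time.time() if now is None else now
    return claims["sub"] if claims["exp"] > now else None
```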
For clarity, it is best to distinguish between a system that requires authentication for each application but uses the same credentials from a directory server, which is better described as directory server authentication, and a system in which a single authentication provides access to multiple applications by passing the authentication token seamlessly to the configured applications, which is single sign-on proper.
Conversely, single sign-off is the property whereby a single action of signing out terminates access to multiple software systems.
Because different applications and resources support different authentication mechanisms, a single sign-on system must internally store the credentials used for the initial authentication and translate them into the credentials required by each of those mechanisms.
Other shared authentication schemes include OAuth, OpenID, OpenID Connect, and Facebook Connect. However, these schemes still require users to enter their login credentials each time they access a different site or application, so they should not be confused with SSO.
Strictly speaking, OAuth is not an authentication scheme at all but an authorization protocol: OAuth provides a way for users to grant access on their own behalf to websites or other applications using multiple access keys. The main purpose of the protocol is to exchange the access credentials required for authorization, not to perform authentication itself.
Benefits
The benefits of using a single sign-on include:
- Mitigating the risk of access to third-party sites (user passwords are not stored or managed externally)
- Reducing password fatigue from different username and password combinations
- Reducing the time spent re-entering passwords for the same identity
- Reducing IT costs through fewer help desk calls about passwords
SSO relies on a centralized authentication server that all other applications and systems use for authentication, combined with techniques that ensure users do not have to actively enter their credentials more than once.
Criticism
The term reduced sign-on (RSO) has been used by some to reflect the fact that single sign-on is impractical for addressing the need for different levels of secure access within an enterprise, and that, as a result, more than one authentication server may be required.
Because a single sign-on system provides access to many resources once the user has authenticated (it holds the "keys to the castle"), it increases the negative impact should the credentials become available to others and be misused. Therefore, a single sign-on system requires an increased focus on the protection of user credentials, and should ideally be combined with strong authentication methods such as smart cards and one-time password tokens.
Single sign-on also makes the authentication system highly critical: a loss of its availability can result in denial of access to every system united under the SSO. SSO can be configured with session failover capabilities to maintain operation, yet the risk of system failure may still make single sign-on undesirable for systems whose access must be guaranteed at all times, such as security or factory floor systems.
In addition, single sign-on techniques that rely on social networking services such as Facebook can render third-party websites unusable in libraries, schools, or workplaces that block social media sites for productivity reasons. They can also cause difficulties in countries with an active censorship regime, such as China and its "Golden Shield Project", where a third-party website may not itself be censored but is effectively blocked if the user's social login is blocked.
Security
In March 2012, a research paper reported an extensive study of the security of social login mechanisms. The authors found 8 serious logic flaws in high-profile ID providers and relying-party websites, such as OpenID (including Google ID and PayPal Access), Facebook, Janrain, Freelancer, FarmVille, and Sears.com. Because the researchers informed the ID providers and relying-party websites before publicly announcing the flaws, the vulnerabilities were corrected and no security breaches were reported.
In May 2014, a vulnerability named Covert Redirect was disclosed. It was first reported as "Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID" by its discoverer Wang Jing, a PhD student in mathematics at Nanyang Technological University, Singapore. In fact, almost all single sign-on protocols are affected. Covert Redirect takes advantage of third-party clients that are vulnerable to XSS or open redirects.
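Because Covert Redirect rides on an open redirector at a client whose redirect URI is only loosely checked, the authorization server's defence is to match `redirect_uri` exactly against what the client registered. This added example (not from the original article) contrasts an exact-match policy with a domain-only policy; the client registration and URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed client registration (assumption): the exact redirect URIs a client
# registered with the authorization server when it was onboarded.
REGISTERED = {
    "demo-client": {"https://app.example.com/oauth/callback"},
}

def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Accept a redirect_uri only if it is byte-for-byte one of the registered URIs.
    Fragments are rejected outright, and only https absolute URIs are considered."""
    if "#" in redirect_uri:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return redirect_uri in REGISTERED.get(client_id, set())

def domain_only_allowed(client_id: str, redirect_uri: str) -> bool:
    """Weak policy shown for contrast: any path on a registered host passes, so a
    redirecting endpoint on that host would be accepted as a landing point."""
    host = urlsplit(redirect_uri).hostname
    return any(urlsplit(r).hostname == host for r in REGISTERED.get(client_id, ()))

def authorize_request(client_id: str, redirect_uri: str, state: str) -> dict:
    """Decide whether the authorization server may send the user back to redirect_uri.
    A non-empty state value is required so the client can bind the response to its session."""
    if not state:
        return {"ok": False, "reason": "missing state"}
    if not redirect_uri_allowed(client_id, redirect_uri):
        return {"ok": False, "reason": "redirect_uri not registered"}
    return {"ok": True, "redirect_to": redirect_uri}
```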
Common configurations
Kerberos-based
- The initial sign-on prompts the user for credentials and obtains a Kerberos ticket-granting ticket (TGT).
- Additional software applications that require authentication, such as email clients, wikis, and revision-control systems, use the ticket-granting ticket to acquire service tickets, proving the user's identity to the mail server, wiki server, etc. without prompting the user to re-enter credentials.
Windows environment: the Windows login fetches the TGT. Active Directory-aware applications fetch service tickets, so the user is not prompted to re-authenticate.
Unix/Linux environment: login through the Kerberos PAM module fetches the TGT. Kerberized client applications such as Evolution, Firefox, and SVN use service tickets, so the user is not prompted to re-authenticate.
Smart card-based
The initial sign-on prompts the user for the smart card. Additional software applications also use the smart card, without prompting the user to re-enter credentials. Smart card-based single sign-on can use either certificates or passwords stored on the smart card.
Integrated Windows Authentication
Integrated Windows Authentication is a term associated with Microsoft products and refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols used with the SSPI functionality introduced with Microsoft Windows 2000 and included in later Windows NT-based operating systems. The term is most commonly used to refer to the automatically authenticated connections between Microsoft Internet Information Services and Internet Explorer. Cross-platform Active Directory integration vendors have extended the Integrated Windows Authentication paradigm to Unix (including Mac) and GNU/Linux systems.
Security Assertion Markup Language
Security Assertion Markup Language (SAML) is an XML-based solution for exchanging user security information between a SAML identity provider and a SAML service provider. SAML 2.0 supports W3C XML encryption and service-provider-initiated web browser single sign-on exchanges. The user, acting through a user agent (usually a web browser), is called the subject in SAML-based single sign-on. The user requests a web resource protected by the SAML service provider. The service provider, wishing to know the identity of the user, issues an authentication request to the SAML identity provider through the user agent. The identity provider is the one that provides the user's credentials. The service provider trusts the user information from the identity provider to grant access to its services or resources.
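The service-provider-initiated exchange just described, as an added example that is not part of the original article: the SP mints an AuthnRequest, the IdP answers with a Response carrying an assertion, and the SP's assertion consumer endpoint checks that the response is bound to its own request, endpoint, audience and validity window. Entity IDs and the ACS URL are constructed assumptions, and XML signature verification (XML-DSig against the IdP's metadata key) is assumed to have already happened before `sp_consume_response` runs.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed entity IDs and ACS URL for a demo SP and IdP (assumptions).
SP_ENTITY, IDP_ENTITY = "https://sp.example.com/metadata", "https://idp.example.com/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
P, A = "{urn:oasis:names:tc:SAML:2.0:protocol}", "{urn:oasis:names:tc:SAML:2.0:assertion}"
_pending = {}                      # AuthnRequest IDs the SP issued and has not yet consumed

def _ts(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sp_build_authn_request(now):
    """SP: mint an AuthnRequest that the user agent relays to the IdP."""
    req_id = "_" + uuid.uuid4().hex
    _pending[req_id] = now
    root = ET.Element(P + "AuthnRequest", ID=req_id, Version="2.0",
                      IssueInstant=_ts(now), AssertionConsumerServiceURL=ACS_URL)
    ET.SubElement(root, A + "Issuer").text = SP_ENTITY
    return ET.tostring(root, encoding="unicode")

def idp_build_response(authn_request_xml, user, now, lifetime=timedelta(minutes=5)):
    """IdP: having authenticated `user`, answer the specific request it was handed."""
    req = ET.fromstring(authn_request_xml)
    root = ET.Element(P + "Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                      InResponseTo=req.get("ID"),
                      Destination=req.get("AssertionConsumerServiceURL"))
    ET.SubElement(root, A + "Issuer").text = IDP_ENTITY
    assertion = ET.SubElement(root, A + "Assertion")
    ET.SubElement(ET.SubElement(assertion, A + "Subject"), A + "NameID").text = user
    cond = ET.SubElement(assertion, A + "Conditions",
                         NotBefore=_ts(now), NotOnOrAfter=_ts(now + lifetime))
    ET.SubElement(ET.SubElement(cond, A + "AudienceRestriction"), A + "Audience").text = SP_ENTITY
    return ET.tostring(root, encoding="unicode")     # a real IdP signs this (XML-DSig)

def sp_consume_response(response_xml, now):
    """SP (ACS endpoint): bind the response to our request, endpoint, audience and time window.
    Assumes the XML signature was already verified; returns the NameID or None."""
    resp = ET.fromstring(response_xml)
    if resp.findtext(A + "Issuer") != IDP_ENTITY or resp.get("Destination") != ACS_URL:
        return None                                   # wrong IdP or wrong endpoint
    if _pending.pop(resp.get("InResponseTo"), None) is None:
        return None                                   # unsolicited or replayed response
    assertion = resp.find(A + "Assertion")
    cond = assertion.find(A + "Conditions")
    if not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        return None                                   # outside the assertion's validity window
    if cond.findtext(A + "AudienceRestriction/" + A + "Audience") != SP_ENTITY:
        return None                                   # assertion was issued for another SP
    return assertion.findtext(A + "Subject/" + A + "NameID")
```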
Emerging configurations
Mobile device as access controller
Newer variations of single sign-on authentication have been developed using mobile devices as access controllers. The user's mobile device can be used to automatically sign them on to multiple systems, such as building access control systems and computer systems, through authentication methods that include OpenID Connect and SAML, in conjunction with X.509 ITU-T cryptographic certificates used to identify the mobile device to the access server.
See also
- Central Authentication Service
- Identity management
- Identity management system
- List of single sign-on applications
- Security Assertion Markup Language
- Usability of web authentication systems
External links
- Introduction to single sign-on, with diagram
Source of the article: Wikipedia