SSOSingle Sign On/Off

Russel Mahmud

hossain@newscred.com

drive.google.com

gmail.google.com

drive.google.com

www.youtube.com

accounts.google.com

What is SSO?

SSO Foundations

Authorization

Access Control

Identification

Authentication

SSO

Why SSO?

1. End User Experience Enhanced2. Single Login Form3. Centralized Auditing/Reporting4. Developer Productivity Improved5. Multi-factor Authentication Support6. Reduce IT costs due to lower number of IT help desk calls

about passwords

Terminology

Cookies

Authentication

HTTPS

Encryption

Authorization

HTTPS

HTTPS

Encryption

1. Encryption algorithms transfer plain text into cipher text.2. Two main types of encryption algorithms:

• Symmetric encryption• Use same key for encryption and decryption

• Asymmetric encryption• Use different keys for encryption and decryption

3. Symmetric algorithms are much faster than Asymmetric encryption

RSA

HMAC

DSA

SSO Techniques

1. CAS2. SAML3. OpenID4. oAuth

How Does CAS work?

Web Application

CAS

Kerberos

1.0 Initial Request3.0 Service ticket transfer

4.0 Validate

2.1 Authentication2.3 Sets TGT Cookies

2.0 Service IDAuthentication

5.0 Access Web Server

LDAP

2.2 Authentication

How Does oAuth work?

NewsCred Auth(MVP)

Goals

1. Centralize authentication process2. Keep basic account data isolated3. Allow users to stay logged in while browsing different apps

NewsCred Auth Design

smartgallery.newscred.com1. Initial request

NewsCred Auth Design

smartgallery.newscred.com1. Initial request

redirect to https://accounts.newscred.com/login/

2. No local session

NewsCred Auth Design

smartgallery.newscred.com

1. Initial request

2. No local session(redirect)

accounts.newscred.com

2.0 Login form authentication

NewsCred Auth Design

smartgallery.newscred.com1. Initial request

2. No local session(redirect)

accounts.newscred.com

3.0 Login form Authentication

CDBDatabase

3.1 Login verification

NewsCred Auth Design

smartgallery.newscred.com1. Initial request

2. No local session(redirect)

accounts.newscred.com

3.0 Login form Authentication

CDBDatabase

3.1 Login verification

3.2 Sets Cookies (top domain)Redirect callback_url?token=encrypted_token

NewsCred Auth Design

smartgallery.newscred.com

1. Initial request

2. No local session(redirect)

accounts.newscred.com

3.0 Login form Authentication

CDBDatabase

3.1 Login verification

3.2 Sets Cookies (top domain)Redirect callback_url?token=encrypted_token

4.0 Transfer token

Set local cookies

NewsCred Auth Design

smartgallery.newscred.com

1. Initial request

2. No local session(redirect)

accounts.newscred.com

3.0 Login form Authentication

CDBDatabase

3.1 Login verification

3.2 Sets Cookies (top domain)Redirect callback_url?token=encrypted_token

4.0 Transfer token

Set local cookies

5.0 Access Web Application

Client Application Flowchart

LocalSession

?

AuthCookies

?

Yes

PrivateResource

Yes

NO

NO

Authentication Server

Create LocalSession

VerifyToken

NO

Toke

nRSA

HMACDSA

Challenges

1. Cross domain auto logged in issue2. Checking user permission of each domain3. Updating and deleting account information4. Cookies theft

Web Services

1. Public APIs : from anywhere, no authentication2. S2S APIs : authenticated via API keys

Questions ?