So you want to SSO … – Scott Tomilson, John DaSilva
Aug 12, 2015
You’ve waited long enough …
Copyright © 2015 Cloud Identity Summit. All rights reserved. 2
Diagram: Mobile Apps, Web Apps and SaaS Apps, each prompting for its own username and password
It’s time for SSO … what do you mean by SSO?
App Enablement? Session Management? Access Control? Auditing? Authentication Policy?
“One Username & Password (or some other form of authentication) just One Time”
It’s time for SSO … and how will we get SSO?
Open Standards? On-Premise? IdaaS? Agents vs Gateway? App Changes?
“Eliminate Unnecessary Passwords” (yes, some work will be needed – but you want to do this the right way)
Enterprise Access Management / Federated Identity Management: “First Mile” / “Last Mile” Integration
Diagram: Identity Store → Federation Server (Identity Provider, IdP) → Federation Server (Service Provider, SP) → Target App; the IdP side is the “First Mile”, the SP side is the “Last Mile”
“First Mile” Integration
• If you’re using a Federation Server – hopefully this is just a configuration exercise:
  • ADconnect (Active Directory)
  • PingFederate (Complex AD, LDAP, WAM, etc.)
  • PingOne Cloud Directory (IdaaS user/group dir.)
• Worst case – there are Libraries & APIs to help you integrate a custom portal or user store
“Last Mile” Integration
Here’s where things get interesting …
“Last Mile” Integration
Question #1: Does your application support Web (federated) SSO standards? (i.e.: SAML, WS-Federation, OpenID Connect)
“Last Mile” Integration – with Standards
Diagram: Identity Store → Federation Server (Identity Provider, IdP) —SAML→ Federation Server (Service Provider, SP) → Target App
“Last Mile” Integration – with Standards
Diagram: Your Apps (Acme, Beta, Com) connect over SAML to a Federation Hub, which in turn connects over SAML to Your Identity Stores / Partners
“Last Mile” Integration – with Standards
Decision flow: Does your app support Web SSO standards? (SAML/WS-Fed/OIDC) → Yes / No. Do you prefer IdaaS? → Yes / No.
“Last Mile” Integration
Question #2: Does your application support HTTP header-based SSO?
“Last Mile” Integration – with HTTP Headers
Diagram: Identity Store → Federation Server (Identity Provider, IdP) —SAML→ Federation Server / SAML Agent or Gateway (Service Provider, SP) → Target App, which receives HTTP Headers such as User: joe, Email: [email protected], Group: Sales
“Last Mile” Integration – with HTTP Headers
• Federated SSO
  • PingFederate Integration Kits: Apache & IIS
• WAM Features (Session Management, URL Authorization & Auditing)
  • Gateway (Reverse Proxy)
  • Agents: Apache & IIS
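In header-based SSO the target app trusts whatever arrives in User/Email/Group, so the agent or gateway must set those headers only from its own validated session and discard any copies the client sent, and the app should accept them only on the channel the gateway uses. The following is an added illustration (not code from the slides or from any Ping product) of both halves; the session store, cookie name and the X-Gateway-Auth shared-secret header are assumptions made for the example.

```python
import hmac
from typing import Dict, Optional

# Header names as drawn in the slide's HTTP Headers diagram.
IDENTITY_HEADERS = ("User", "Email", "Group")

# Constructed sample session store standing in for the gateway's server-side
# session, populated after a SAML assertion from the IdP was validated.
SESSIONS: Dict[str, Dict[str, str]] = {
    "sess-123": {"User": "joe", "Email": "joe@example.com", "Group": "Sales"},
}

# Hypothetical header the gateway adds so the app can distinguish gateway
# traffic from a direct connection (an assumption, not on the slides).
GATEWAY_SECRET_HEADER = "X-Gateway-Auth"


def build_upstream_headers(client_headers: Dict[str, str],
                           cookies: Dict[str, str],
                           gateway_secret: str) -> Optional[Dict[str, str]]:
    """Gateway side: headers to forward to the target app, or None when
    there is no valid session (the gateway would then redirect the browser
    to the federation server to authenticate)."""
    session = SESSIONS.get(cookies.get("GW_SESSION", ""))
    if session is None:
        return None
    # Strip every client-supplied identity header (case-insensitively) so the
    # app only ever sees values derived from the validated session.
    blocked = {h.lower() for h in IDENTITY_HEADERS} | {GATEWAY_SECRET_HEADER.lower()}
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    forwarded.update(session)
    forwarded[GATEWAY_SECRET_HEADER] = gateway_secret
    return forwarded


def app_resolve_user(headers: Dict[str, str],
                     expected_secret: str) -> Optional[Dict[str, str]]:
    """Target app side: honour identity headers only when the request carries
    the gateway secret; anything else is treated as anonymous."""
    presented = headers.get(GATEWAY_SECRET_HEADER, "")
    if not hmac.compare_digest(presented, expected_secret):
        return None
    return {h: headers[h] for h in IDENTITY_HEADERS if h in headers}
```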
“Last Mile” Integration – with Standards
Decision flow: Does your app support HTTP header-based SSO? → Yes / No. Do you want WAM features? → Yes / No.
“Last Mile” Integration
Question #3: Can you modify the application?
“Last Mile” Integration – with App Changes
Features                                   Approach                                       Effort Level   Product(s)
Federated SSO                              Implement SAML                                 L              n/a
                                           Implement OpenID Connect                       S              n/a
                                           HTTP Headers                                   XS             PingFederate
                                           REST API                                       S              PingFederate, PingOne
                                           SSO Integration Kit SDK Library (Java, .NET)   S              PingFederate
WAM Features (Session Management,          HTTP Headers                                   XS             PingAccess
URL Authorization & Auditing)
“Last Mile” Integration
Question #4: Did you reach here with 3 NO’s?
“Last Mile” Integration – “I’m out of options…”
• PingFederate Integration Kits
• Basic SSO (Password Vaulting)
… still lost?
Talk to us!
SSO for Mobile Applications
• Are multiple logins (with the same creds) OK?
• User experience could be mitigated with long-lived refresh tokens
• Shared refresh tokens? (Multiple apps – same dev. signer)
• Shared browser session?
• Centralized broker of OAuth Access Tokens
  • Napps – http://openid.net/wg/napps/
  • PingOne Mobile – Early Napps draft support, compatible with both PingFederate and PingOne