Making Sign-on Simple and Secure - Bitpipedocs.media.bitpipe.com/io_12x/io_122457/item_1111347/03-0615_H… · ENTERPRISE SSO IS TOUGH, BUT WORTH ANOTHER TRY Making Sign-on Simple

EDITOR’S NOTE OPENID OR SAML? SIZE AND OTHER FACTORS DRIVE THE ANSWER

IS OPENID GETTING GREAT AGAIN?

ENTERPRISE SSO IS TOUGH, BUT WORTH ANOTHER TRY

Making Sign-on Simple and SecureSSO isn’t the impossible dream, but it’s not a quick and easy project either. Here’s how to make your next SSO implementation a success.

HOME

EDITOR’S NOTE

OPENID OR SAML?

SIZE AND OTHER FACTORS

DRIVE THE ANSWER

IS OPENID

GETTING GREAT AGAIN?

ENTERPRISE SSO

IS TOUGH, BUT WORTH

ANOTHER TRY

MAKING SIGN-ON SIMPLE AND SECURE2

EDITOR’SNOTE

No Impossible Dream: How To Make SSO Work For You

Single sign-on. The term trips off the tongue, and invites visions of happy end users who log on once to access all they need on the enterprise network, with nary a blip or a bleep. An admirable goal—or is it a fantasy?

Indeed, if you’ve ever been part of the team attempting to implement single sign-on (SSO) in an enterprise, you may well have asked: How did such a seemingly simple idea get so complicated?

One complicating factor is the rise of two main SSO protocols: OpenID and Secu-rity Assertion Markup Language (SAML). In Chapter 1 of this guide, David Strom carefully examines each and explains how they differ, their respective strengths and drawbacks, and in what circumstances you should choose one over the other.

It seems at present SAML is becoming the dominant SSO protocol, but don’t rule out OpenID yet, writes Robert Lemos in Chapter 2.

There have been efforts to save it from obliv-ion, and Lemos looks in-depth at when and where employing the revitalized OpenID makes sense.

But what do all these developments mean for your enterprise? What if you’ve tried and failed to implement SSO before, does that mean it’s not for you? The answer is no, says Michele Chiburka. But there are some key consider-ations to make and some preliminary prepara-tion to do. She outlines all this in this guide’s closing chapter.

In short, this guide lays out the state of the single sign-on landscape today and how to navigate it. Do you want to enable an easier, but still secure, logon experience for end users in your enterprise? This guide will help you turn that goal into reality. n

Brenda L. Horrigan, Ph.D.Associate Managing Editor

HOME

EDITOR’S NOTE

OPENID OR SAML?

SIZE AND OTHER FACTORS

DRIVE THE ANSWER

IS OPENID

GETTING GREAT AGAIN?

ENTERPRISE SSO

IS TOUGH, BUT WORTH

ANOTHER TRY

MAKING SIGN-ON SIMPLE AND SECURE3

SIZE MATTERS

OpenID or SAML? Size and Other Factors Drive the Answer

Single sign-on has a complicated hist- ory. If you look at it from a protocol point of view—OpenID, Security Assertion Markup Language (SAML), OAUTH, YAML and Shib-boleth, among others—the technology seems complex and maddening. The history is simpler if you look at it by instead using Active Direc-tory as the logical single sign-on (SSO) hub.

But the SSO market has grown beyond these origins and evolved as identity providers have moved toward cloud-based identity systems and as more software as a service (SaaS) application vendors support a variety of SSO tools.

Let’s look at where SSO has been and where it stands today in order to help enterprises deter-mine the best ways to deploy SSO in the future.

WHAT IS SSO, AND HOW DOES IT WORK?

SSO works its magic by using a variety of mechanisms to automate the sign-on process.

It is still used for automating logins to local network resources, such as databases, via secure scripts or using one of the identity protocols.

This automation is just one part of the story: You also want to be able to quickly provision all of your users on these various servers and

services. And there are now SSO tools that can operate either in the cloud or on-premises, and some that put pieces of their technology in both places.

That’s the good news. The bad news is that there are almost too many choices in how to implement them. In particular, the field of protocols is split between OpenID and SAML

The SSO market has grown as providers offer more cloud-based systems and SaaS app vendors support more SSO tools.

HOME

EDITOR’S NOTE

OPENID OR SAML?

SIZE AND OTHER FACTORS

DRIVE THE ANSWER

IS OPENID

GETTING GREAT AGAIN?

ENTERPRISE SSO

IS TOUGH, BUT WORTH

ANOTHER TRY

MAKING SIGN-ON SIMPLE AND SECURE4

SIZE MATTERS

as the most popular ways to connect to various applications.

OPENID VS. SAML: WHICH DOES WHAT?

The two protocols differ in terms of how they can be used for just-in-time user provision- ing, how they interact with service and iden-tity providers in the SSO connection dialogs, their relative performance, how they are posi-tioned in terms of consumer or enterprise software plays and the number of known secu-rity vulnerabilities. Not surprisingly, organiza-tions need some guidance when choosing the appropriate protocol for an SSO implementa-tion. With that in mind, let’s look closer at each.

SAML was created in 2002 as a way to exchange XML information among various websites. It has since grown into its role of providing common logins among trusted sites. OpenID came out in 2006 and was designed to enable consumers to use a single login among numerous websites. But the sites don’t have to necessarily have this “circle of trust,” or a way to establish secure communications among

your SaaS app and your user directory and SSO application. A number of popular Internet application providers now support it, including Google, Twitter and Yahoo.

An SSO request can be initiated in one of two ways, either by the service provider (such as the application site itself) or by the iden-tity provider (the SSO vendor). SAML sup-ports both methods, but OpenID only supports the former. This means that if you choose to implement SAML, you can create a Web-based portal page that has icons and links to the vari-ous apps that you want to sign on to. Most of the popular SSO tools have this feature, which appeals to many enterprise users. With Open-ID, you have to bring up the target app on your own.

When it comes to performance, SAML is usually cited as a better option, because it makes use of browser redirects and is consid-ered a smoother process. However, OpenID is generally thought of as easier to implement, and has tools in most of the popular Web pro-gramming languages to make it easier to incor-porate into your own apps. Some of the SSO vendors have their own SAML toolkits, such as

HOME

EDITOR’S NOTE

OPENID OR SAML?

SIZE AND OTHER FACTORS

DRIVE THE ANSWER

IS OPENID

GETTING GREAT AGAIN?

ENTERPRISE SSO

IS TOUGH, BUT WORTH

ANOTHER TRY

MAKING SIGN-ON SIMPLE AND SECURE5

SIZE MATTERS

OneLogin for Ruby and PHP or Okta for Java, to make integration easier with that method.

HOW TO CHOOSE

Neither protocol is perfect. SAML has been the subject of a number of vulnerabilities, while OpenID has seen phishing attacks and can be compromised if the originating email addresses aren’t validated. You should proceed with cau-tion on both approaches, and understand these exploits before deploying either of them.

Finally, there is the matter of user provision-ing. With OpenID, every user of a particular

app has to have his or her OpenID credentials registered for that app. That can get tedious if you have to turn on OpenID for hundreds or even thousands of users. With SAML it is much easier, since it works with X.509 certifi-cates and you can enable an entire user popula-tion at once.

So if you have just a few users or SaaS-based apps, OpenID will be fine; for larger implemen-tations, stick with SAML. SAML will be best for assembling a user portal to all your apps and a better performer over the long run. And if you can employ one of the SAML toolkits, all the better. —David Strom

HOME

EDITOR’S NOTE

OPENID OR SAML?

SIZE AND OTHER FACTORS

DRIVE THE ANSWER

IS OPENID

GETTING GREAT AGAIN?

ENTERPRISE SSO

IS TOUGH, BUT WORTH

ANOTHER TRY

MAKING SIGN-ON SIMPLE AND SECURE6

REJUVENATING OPENID

Is OpenID Getting Great Again?

Three years ago, OpenID seemed to be headed toward oblivion—or at least irrelevance.

Since its creation in 2005, the open specifi-cation for authentication and SSO for the Web has been adopted by a number of cloud provid-ers, including Google, but SAML has become the primary way that websites and authentica-tion services exchange security information. The promise of OpenID’s motto, “Make simple things simple and make complicated things possible,” remained unfulfilled; authentication architects often implemented OpenID in their own non-standardized ways.

Many early adopters stopped supporting the nascent standard. Agile-services provider 37Signals—best known for its Basecamp col-laboration service—dumped support for OpenID two years ago, saying less than 1% of customers used the option to log in.

“What we’ve learned over the past three years is that it didn’t actually make anything

any simpler for the vast majority of our cus-tomers,” the company stated in a 2011 blog post announcing the move. “Instead, it just made things harder.”

Yet, times have changed. In February 2014, the OpenID Foundation—created in 2005 to foster the standard—launched OpenID Con-nect. The new version of the protocol builds on the OAuth 2.0 authentication framework to add identity, mobile support and better interoperability. A number of large cloud ser-vice providers—such as Google, Microsoft and Yahoo—are supporting the framework, while companies such as Deutsche Telecom and Salesforce.com have implemented the tech-nology as the basis of their own identity and access infrastructures.

While the long-preferred alternative, SAML, dominates among APIs and Web-based authentication, some identity and access man-agement (IAM) experts believe that OpenID

HOME

EDITOR’S NOTE

OPENID OR SAML?

SIZE AND OTHER FACTORS

DRIVE THE ANSWER

IS OPENID

GETTING GREAT AGAIN?

ENTERPRISE SSO

IS TOUGH, BUT WORTH

ANOTHER TRY

MAKING SIGN-ON SIMPLE AND SECURE7

REJUVENATING OPENID

Connect’s simplicity, openness and roots in the cloud and mobile sectors will help it quickly gain market share in the enterprise and even pave the way for companies to replace their on-premises IAM systems with cloud offerings.

“OpenID Connect is very developer friendly—as such we will see much greater adoption of OpenID Connect among develop-ers,” said Patrick Harding, CTO of Ping Identity. “Eventually, it will become the standard-ized framework for all [Internet-connected] applications.”

IDENTITY PROBLEMS: HISTORY OF OPENID

The seemingly complex world of enterprise authentication boils down to two simple desires: Users want to log in once and access many services, and companies want to man-age a single store of user identities that enable employees, partners and others to access their applications and resources.

In most organizations, the central part of an authentication system is the identity provider. Also known as an asserting party, it facilitates a

process known as federation to provide authen-tication services to the relying parties, such as companies offering cloud services. Many con-sumers use, for example, Facebook as an iden-tity provider to log into the Web services of relying parties, such as Feedly and Hulu.

Solving the problem of allowing a user to log in once and access multiple, disparate resources on and off the Web in a standardized, interop-erable way, however, proved difficult. OpenID was created in 2005 by LiveJournal creator Brad Fitzpatrick to fill the void and soon became popular as a Web authentication paradigm among bloggers.

SAML though came to dominate the Web services landscape. Introduced in 2002, the specification became much more popular after the release of SAML 2.0 in 2005, because the standard emphasized security and could be used in high-assurance applications, which—as security became more important for Web ser-vices—expanded to include most offerings.

SAML was created during a time when Web architects tried to make all communications on the Web look like the hypertext markup

HOME

EDITOR’S NOTE

OPENID OR SAML?

SIZE AND OTHER FACTORS

DRIVE THE ANSWER

IS OPENID

GETTING GREAT AGAIN?

ENTERPRISE SSO

IS TOUGH, BUT WORTH

ANOTHER TRY

MAKING SIGN-ON SIMPLE AND SECURE8

REJUVENATING OPENID

language, or HTML, and is based on the meta-markup language XML. That adds complex-ity, said Mike Jones, standards architect for Microsoft and one of the inventors—and now the primary editor—of the OpenID Connect specification.

“While it was once believed that most pro-tocols and message formats were going to be based on XML,” said Jones, “in practice most Web developers did not have a taste for it.”

Instead, developers have increasingly used data structures based on JavaScript Object Notation (JSON). While OpenID Connect is a federation protocol like SAML, it uses JSON data structures to pass information between the various parties.

ONE PROTOCOL TO RULE THEM ALL?

Today, that ease in development could turn OpenID Connect into the reigning authentica-tion standard among enterprises. Google, for example, has already deprecated many of the previous OpenID-based login systems in favor of OpenID Connect, a process that will be com-plete in the next year. Yet many companies

with established infrastructures will continue supporting SAML, so the Internet giant will also support that standard, because they are less able to quickly switch to new technologies, said Clayton Jones, manager for Google’s iden-tity and device management products.

“Some of the larger, more established enter-prise players have a connection to SAML, while some of the young startups are more vested in OpenID Connect,” said Google’s Jones, adding that “rumors of SAML’s demise are overstated.”

SAML’s momentum as an established pro-tocol may prove difficult for OpenID Con-nect to overcome. Most cloud developers continue to focus on implementing SAML in their products. More than two-thirds of soft-ware as a service firms currently use SAML for their login infrastructure, with another 30%

“ People say SAML is dead, but we see it exponentially increa-sing in adoption every year. Literally, exponentially.”

—DAVID MEYER, VP of product, OneLogin

HOME

EDITOR’S NOTE

OPENID OR SAML?

SIZE AND OTHER FACTORS

DRIVE THE ANSWER

IS OPENID

GETTING GREAT AGAIN?

ENTERPRISE SSO

IS TOUGH, BUT WORTH

ANOTHER TRY

MAKING SIGN-ON SIMPLE AND SECURE9

REJUVENATING OPENID

intending to implement the technology in the next two years, according to a survey of 100 cloud service providers conducted by San Fran-cisco-based IAM vendor OneLogin. Only 3% of providers had no plans for SAML.

“SAML is still our preferred approach and I think the best approach, when a user is trying to get to a resource in a browser,” said David Meyer, vice president of product for OneLogin. “It is super-efficient and super secure. People say SAML is dead, but we see it exponentially increasing in adoption every year. Literally, exponentially.”

OPENID SUPPORT FOR CLOUD

AND MOBILE ARE KEY

Yet, OpenID Connect could become not only the most popular way to exchange identity informa-tion between Web services, but could also lead to the replacement of much of the IAM infra-structure within enterprises with cloud-based identity and access management services.

In addition to its ease of use for developers, OpenID Connect benefits from two other major trends.

The growing demand for mobile device authentication and the need to authenticate to a variety of emerging and cloud-based ser-vices and data sources, experts say, will likely foster OpenID Connect’s future growth. The GSM Association, an industry group represent-ing more than 800 mobile carriers, announced in February 2014 that the industry would pursue a GSMA Mobile Connect authentica-tion initiative based on the OpenID Connect protocol.

Additionally, increasing enterprise adop-tion of cloud services will mean that the abil-ity to log in once via a Web-based service and gain access to numerous additional services will have a greater importance—not only for consumers accessing Web services, but also for companies looking for simpler user access management.

“There is a realization that authentication is a full-time job,” said Allan Foster, vice presi-dent of technology and standards with San Francisco-based ForgeRock, an authentication provider. “Enterprises need to know who the user is, but they don’t need to own an entire infrastructure.”

HOME

EDITOR’S NOTE

OPENID OR SAML?

SIZE AND OTHER FACTORS

DRIVE THE ANSWER

IS OPENID

GETTING GREAT AGAIN?

ENTERPRISE SSO

IS TOUGH, BUT WORTH

ANOTHER TRY

MAKING SIGN-ON SIMPLE AND SECURE10

REJUVENATING OPENID

No matter which technology service pro-viders adopt, authentication frameworks like OpenID Connect and SAML could simplify authentication and access management infra-structure, likely leading to increased outsourc-ing to the cloud. Netflix, a company whose genetics are firmly rooted in the cloud, has moved its identity and access management functions from an on-premises appliance-based system to OneLogin’s SAML-based cloud service. Google, meanwhile, has used its clout to push the use of OpenID Connect across its services, making many small business users of

Google Apps default users of OpenID Connect.In the end, SAML and OpenID Connect will

coexist, said Don Thibeau, executive director of the OpenID Foundation, but that future growth and innovation will come from openness and ease of development that are core to OpenID.

“When you have the world of mobility and the world of identity bumping into each other, that is the space to watch,” Thibeau said. “In the next year or so, we are going to see some interesting innovations coming out and a truly global conversation on, not just identity, but on enterprise applications.” —Robert Lemos

HOME

EDITOR’S NOTE

OPENID OR SAML?

SIZE AND OTHER FACTORS

DRIVE THE ANSWER

IS OPENID

GETTING GREAT AGAIN?

ENTERPRISE SSO

IS TOUGH, BUT WORTH

ANOTHER TRY

MAKING SIGN-ON SIMPLE AND SECURE11

SSO DO-OVER

Enterprise SSO Is Tough, But Worth Another Try

The implementation of single sign-on has proven difficult for some enterprise infor-mation security pros. Unified access to the company network and applications is clearly a desirable goal, but sometimes existing authen-tication technology, costs or other factors makes it unattainable—at least at first. But IT teams shouldn’t give up; instead it’s important that they carefully consider potential obstacles and make sure their expectations are realistic before they make another attempt at an SSO implementation.

SSO was one of the hottest security industry buzzwords a few years ago, hitting many orga-nizations like a tornado, sucking up resources indiscriminately and leaving systems engineers and project managers disoriented. However, many attempts to deploy SSO failed. Was this because of bad technology or unrealistic expectations?

SSO seems to offer many benefits. It can

ensure consistent control across the enterprise and external providers, potentially reducing support costs related to authentication. How-ever, implementing it is a complex effort. SSO is only successful when an organization has comprehensive documentation of its business and service technical catalogs. Unsurprisingly, many deployment attempts fail because the projects are initiated without a strong under-standing of existing application flows and dependencies across the business. In addition, if there is a lack of knowledge regarding the current types of authentication protocols used by these applications, it can require expensive middleware products acting as translators or glue to make everything use a common inter-face, such as SAML.

Many underestimate the level of effort the endeavor entails, dooming the project before it even begins. To be successful, a proposed SSO rollout should include a discovery phase that

HOME

EDITOR’S NOTE

OPENID OR SAML?

SIZE AND OTHER FACTORS

DRIVE THE ANSWER

IS OPENID

GETTING GREAT AGAIN?

ENTERPRISE SSO

IS TOUGH, BUT WORTH

ANOTHER TRY

MAKING SIGN-ON SIMPLE AND SECURE12

SSO DO-OVER

inventories applications, their dependencies, and authentication protocols. The project team should include non-IT stakeholders who can provide constructive feedback on the user experience during the life of the proj-ect. Otherwise, the attempted implementa-tion results in senior management apoplectic over missed deadlines and an ever-extending timeline.

Ironically, the security issues that SSO is supposed to address can worsen with its imple-mentation. If the password policy is weak or the protocols are insecure, then all your eggs are in one flimsy basket. Connections to the

authentication system should be encrypted and standardized on a limited number of protocols. Using passwords should entail a strong policy with regular expirations, but one-time pass-words are preferable.

Finally, it’s important to remember that identity access management is the intersec-tion of user and data classification. Without proper classification, attempts to implement SSO, or even identity management systems, will be problematic and likely collapse. SSO is a worthy goal, but it requires preparation prior to buying and implementing a product in order to be effective. —Michele Chubirka

HOME

EDITOR’S NOTE

OPENID OR SAML?

SIZE AND OTHER FACTORS

DRIVE THE ANSWER

IS OPENID

GETTING GREAT AGAIN?

ENTERPRISE SSO

IS TOUGH, BUT WORTH

ANOTHER TRY

MAKING SIGN-ON SIMPLE AND SECURE13

ABOUT THE

AUTHORS

DAVID STROM is one of the leading experts on network and Internet technologies and has written and spoken exten-sively on topics such as Voice over Internet Protocol, con-vergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. He was founding editor in chief of Network Computing magazine and has run various print and online publications. His work can be found at strominator .com and on Twitter: @dstrom.

ROBERT LEMOS is an award-winning technology journalist, who has reported on computer security and cybercrime for 15 years. He currently writes for several publications fo-cused on information security issues.

MICHELE CHUBIRKA, aka “Mrs. Y,” writes, speaks and teaches on enterprise security architecture best practices with an emphasis on network security. Chubirka has more than 15 years of information security experience, with an emphasis on the design, implementation and support of enterprise application and network security products, in-cluding the maintenance and administration of multiple vendor technologies. You can find her blogs and podcasts at healthyparanoia.net or packetpushers.net/author/securityprincess.

Making Sign-on Simple and Secure is a SearchSecurity.com e-publication.

Robert Richardson | Editorial Director

Eric Parizo | Executive Editor

Kara Gattine | Executive Managing Editor

Brenda L. Horrigan | Associate Managing Editor

Sharon Shea | Assistant Editor

Linda Koury | Director of Online Design

Neva Maniscalco | Graphic Designer

Doug Olender | Senior Vice President/Group Publisher [email protected]

TechTarget 275 Grove Street, Newton, MA 02466

www.techtarget.com

© 2015 TechTarget Inc. No part of this publication may be transmitted or re-produced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and pro-cesses crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER ART: THINKSTOCK