A Survey on Single Sign-On Techniques
V. Radha, D. Hitha Reddy
2012

Table of contents
1 Introduction
2 Types of SSO
2.1 Where they are deployed
2.1.1 Intranet or Enterprise SSO (ESSO)
2.1.2 Extranet or Multi-domain SSO
2.1.3 Internet or Web SSO
2.2 How they are deployed
2.2.1 Simple SSO architecture
2.2.2 Complex SSO architecture
2.3 Types of Credentials Used
2.3.1 Complex SSO with a single set of credentials
2.3.1.1 Token-based SSO system
2.3.1.2 Token-based SSO in HTTP environment
2.3.1.3 PKI-based SSO system
2.3.2 Complex SSO with multiple sets of credentials
2.3.2.1 Credential Synchronization
2.3.2.2 Client-side credential caching
2.3.2.3 Server-side credential caching
2.4 Single sign-on Protocols
2.4.1 Kerberos authentication Protocol
2.4.2 Security Assertion Markup Language
2.4.3 OpenID
2.4.4 BrowserID
Conclusion

2212-0173 © 2012 Published by Elsevier Ltd

1 Introduction

In the present digital world, users have to access multiple systems to carry out their business activities. As the number of systems increases, the number of credentials for each user increases, and thereby the possibility of losing or forgetting them also increases. Single Sign-On can be used to solve many problems related to multiple credentials for different applications. A single sign-on to the main authentication centre enables users to get access to all the other resources available. SSO helps to improve user and developer productivity by sparing the user from remembering multiple passwords, and it also reduces the amount of time users spend typing various passwords to log in. SSO also simplifies administration by managing a single credential per user instead of multiple credentials. It makes it easy to manage the rights of users arriving at, changing function in, or leaving the company, to quickly integrate newly added applications, and to delegate access rights during holidays without increasing the helpdesk's workload.
2 Types of SSO

The various types of SSO shown in Fig. 1 fall under different categories, based on where they are deployed (Intranet, Extranet, Internet); how they are deployed (architecture: Simple, Complex); the credentials they use (token, certificate); and the protocols they use (Kerberos, SAML, OpenID). The following figure shows the types of SSO and their classification:

Figure 1: Classification of Single Sign-On

2.1 Where they are deployed

2.1.1 Intranet or Enterprise SSO (ESSO)

Enterprise single sign-on (ESSO) allows connecting to multiple systems within the same enterprise. ESSO is designed to minimize the number of times that a user must type their ID and password to sign into multiple applications. It automatically logs users in, and acts as a password filler where automatic login is not possible. Each desktop/laptop is given a token that handles the authentication.

2.1.2 Extranet or Multi-domain SSO

Multi-domain SSO allows connecting to multiple systems within the same enterprise and all the business partners' applications. The user can log in to one enterprise and access the resources of the other; the users need not log in again using different credentials.

2.1.3 Internet or Web SSO

Web SSO is a browser-based mechanism, providing access to web servers with a single login.

2.2 How they are deployed

SSO architectures are divided, based on their deployment, into Simple SSO and Complex SSO as follows:

2.2.1 Simple SSO architecture

Simple SSO makes use of a single authentication authority and a single set of credentials for each user. This architecture could be easily implemented in homogeneous LAN (Local Area Network) and intranet environments.

2.2.2 Complex SSO architecture

Complex SSO uses multiple authentication authorities with single or multiple sets of credentials for each user.

2.3 Types of Credentials Used

Complex SSO can further be classified into two basic schemes: Complex SSO with a single set of credentials and Complex SSO with multiple sets of credentials.
2.3.1 Complex SSO with a single set of credentials

Complex SSO using a single set of credentials can be accomplished in two ways, i.e. token-based and public key-based, as follows:

2.3.1.1 Token-based SSO system

In this SSO system, a user submits the credentials to the token-based authentication authority, which checks them against its credential database. If the user credentials match, the user is returned a token. When the user wants to access an application server governed by a second authentication authority, the same token is delivered to obtain a ticket to access that application server. The success of this process relies on the trust the authentication authorities have among themselves.

2.3.1.2 Token-based SSO in HTTP environment

Token-based SSO can be implemented using cookies in an HTTP environment. A cookie is a set of information given to the web browser by the web server and stored on the client machine. Cookies used for authentication can be encrypted to keep them secret. The server can then retrieve the cookie and provide a customized service to the client. The Kerberos system provides a basis for constructing secure SSO in a network environment; however, it needs client-side infrastructure and configuration. In an HTTP-enabled environment, cookies can be used to construct an SSO system and no extra installation or configuration is necessary. The biggest difference between the Kerberos system and a cookie-enabled SSO system is that the former uses Remote Procedure Calls to transport authentication tickets, while the latter uses cookies to play the role of tokens.

2.3.1.3 PKI-based SSO system

In PKI-based SSO, the servers/resources and users authenticate each other by using their respective key pairs. Users can authenticate the servers by challenging them to decrypt any message they send which is encrypted with the public key of the server. In the same way, servers can authenticate the user by challenging him to decrypt a message they send which is encrypted with the public key of the user. As only the real owner of the private key can decrypt, mutual authentication, i.e. the server authenticating the user and vice versa, takes place. The certifying authorities of users and servers can be different, and if they are different there has to be trust among the certifying authorities.

2.3.2 Complex SSO with multiple sets of credentials

2.3.2.1 Credential Synchronization

The multiple sets of credentials needed to access multiple systems are masked by a single set of credentials, giving the illusion that users need to remember only the single set. The synchronization software relieves the user from changing the credentials in all systems as and when the policy forces it, by automatically forwarding the change request to all the authentication servers concerned. e.g. PassGo

2.3.2.2 Client-side credential caching

It allows users to store sensitive credentials like logon information (e.g. user IDs and passwords) required for the websites or resources they access in a network. These credentials are stored in special folders called vaults. With this stored information, the user's system can automatically and securely log on to the websites and the computers on their network without requiring them to remember the credentials all the time. Vaults can store all sorts of credentials like passwords, certificates, tokens etc. (e.g. Windows Credential Manager).

2.3.2.3 Server-side credential caching

The server-side credential caching mechanism is the same as client-side credential caching, with the only difference being that the credentials are stored on a server instead of the client. It uses a central server to take on the task of administering all the different passwords and providing the needed information directly to the application asking for them. e.g. CA eTrust SSO

2.4 Single sign-on Protocols

In this section we discuss the different protocols that are used in simple and complex SSO architectures.

2.4.1 Kerberos authentication Protocol

Kerberos is a classical implementation of a token-based distributed authentication protocol. The whole process is divided into three parts among four entities. The four entities are:
1) Client: the one who wants to access a resource;
2) Authentication Server (AS): the one who can authenticate the clients and resources;
3) Ticket Granting Server (TGS): the one who gives tickets to access resources; and
4) Application Server (S): a resource to which access is requested.
The three processes are:
1) Authentication Request and Response, in which the client, using its credentials, gets authenticated with the AS and obtains a key to communicate securely with the TGS;
2) Ticket Granting Request and Response, in which the client, using the key previously secured from the AS, requests the TGS for a ticket to access S; and
3) Application Request and Response, in which the client uses the ticket it got from the TGS to communicate securely with S.
The first process, where the credentials are required, is completed by the client only once; thereafter the 2nd and 3rd processes are repeated as and when the client has to access other resources.

2.4.2 Security Assertion Markup Language

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between security domains, i.e. between an identity provider and a service provider. Using SAML, an online service provider contacts an online identity provider which authenticates users who are trying to access secure content. SAML doesn't specify how to authenticate a user; rather, it defines a way to exchange the authentication and authorization data once the user is authenticated. SAML is nothing more than a series of XML-based messages called Assertions that detail whether users are authenticated (Authentication Assertion), what kind of rights, roles and access they have (Attribute Assertion), and how they can use data and resources (Authorization Assertion) based on those rights and roles. It uses HTTP, SMTP, FTP and SOAP, among other protocols and technologies, to transmit these assertions.

2.4.3 OpenID

OpenID is a decentralized authentication protocol. OpenID consists of three main entities:
1) The OpenID Identifier: a string of text or an e-mail address that uniquely identifies the user;
2) The OpenID Relying Party (RP): a web application or service provider that wants proof that the end user owns the said Identifier; and
3) The OpenID Provider (OP): a central server that issues, stores and manages the OpenID identifiers of users. Relying Parties rely on this provider for an assertion that the end user owns the said Identifier.
There are mainly four methods used in the OpenID protocol: 1. Discovery, 2. Authentication, 3. Association, 4. Verification.

Discovery: The end user initiates authentication by presenting a User-Supplied Identifier to the Relying Party via their browser. The RP performs discovery on it and establishes the OP Endpoint URL which is used by the user for authentication.

Authentication: The RP redirects the end user's browser to the OP with an OpenID Authentication request. The OP establishes whether the end user is authorized. The OP then redirects the end user's browser back to the RP with either an assertion that authentication is approved or a message that authentication failed.

Association: The RP and OP establish an association with a shared secret established using Diffie-Hellman Key Exchange. The OP uses this association to sign subsequent messages and the RP to verify those messages; this removes the need for subsequent direct requests to verify the signature after each authentication request/response.

Verification: The RP verifies the information received from the OP, including checking the Return URL, verifying the discovered information, checking the nonce, and verifying the signature, using either the shared key established during the association or a direct verification request to the OP.

2.4.4 BrowserID

BrowserID is a decentralized identity system through which users can prove the claim to their email addresses, allowing users to log in to any website on the Internet using a single password. It avoids site-specific usernames and passwords, as an alternative to ad-hoc application-level authentication. It implements the Verified Email Protocol built by Mozilla, which offers a streamlined experience. BrowserID consists of three main parties: Primary Identity Authorities, Secondary Authorities and the User Agent, i.e. the user's browser.
+ Primary Identity Authorities (Primary): A service which provides the user with an identity in the form of an email address. It is an email provider like Yahoo! Mail or Gmail with BrowserID support.
+ Relying Parties (RPs): Sites that use BrowserID for authentication.
+ The Implementation Provider (IP): This is the user's web browser with native support for BrowserID, or else browserid.org serves web resources that implement the client portion of the system. It implements key management and the required algorithms, and serves as a Secondary Identity Authority.
BrowserID can be implemented by these steps:
Certificate Provisioning: the process in which a Primary verifies the user's email address and issues a signed certificate that proves the user's ownership of that email.
Assertion Generation: the process in which a user's browser produces an assertion that proves that the user owns a given email address.
Assertion Verification: the process in which a Relying Party can verify that an assertion of a user's ownership of a certain email is valid.

Conclusion

Single sign-on undoubtedly makes things easier and safer by reducing each user to only one account for all services, reducing the number of passwords, and centralising the management of the roles that define resource access control. It can be very beneficial to end users, administrators and help desks. Single sign-on can gain much more importance with the emerging Cloud computing technology providing ICT services, and it also reduces the chances of phishing attacks; but as single sign-on gives access with one login, it should be implemented in a secure way. Single sign-on has its strengths and weaknesses, and one must carefully estimate the use of the system and the resources available for its deployment and management before choosing an SSO solution, or else it can create a huge vulnerability in an organization's security if it is not implemented properly.
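The three Kerberos exchanges of section 2.4.1, as an added example that is not from the paper: the AS, TGS and application server S are modelled as functions sharing constructed long-term keys (the client's derived from a password, as in Kerberos), and a toy HMAC-based seal/unseal stands in for Kerberos' real cipher so the block runs on the standard library alone. The function and key names are this example's assumptions.

```python
import hmac, hashlib, json, secrets, time

def _ks(key, nonce, n):  # HMAC-SHA256 keystream in counter mode (toy cipher, not Kerberos' AES)
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]
def seal(key, obj):      # encrypt-then-MAC: nonce | ct | tag
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator failed its integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

# Constructed long-term keys: the client's is derived from its password, as in Kerberos.
# The AS and TGS know all of them; the application server S only needs K_S.
K_CLIENT = hashlib.sha256(b"alice:correct horse battery staple").digest()
K_TGS, K_S = secrets.token_bytes(32), secrets.token_bytes(32)

def as_exchange(client):  # 1) Authentication Request/Response, run by the AS
    k_c_tgs = secrets.token_bytes(32)
    tgt = seal(K_TGS, {"client": client, "key": k_c_tgs.hex(), "exp": time.time() + 600})
    return seal(K_CLIENT, {"key": k_c_tgs.hex()}), tgt  # only the password holder opens part 1

def tgs_exchange(tgt, authenticator, service):  # 2) Ticket Granting Request/Response, run by the TGS
    t = unseal(K_TGS, tgt)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or time.time() > t["exp"]:
        raise ValueError("authenticator does not match the TGT, or the TGT has expired")
    k_c_s = secrets.token_bytes(32)
    ticket = seal(K_S, {"client": t["client"], "key": k_c_s.hex(), "svc": service})
    return seal(bytes.fromhex(t["key"]), {"key": k_c_s.hex()}), ticket

def ap_exchange(ticket, authenticator):  # 3) Application Request/Response, run by S
    t = unseal(K_S, ticket)
    if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match the service ticket")
    return f"access to {t['svc']} granted to {t['client']}"

def login_and_access(client, service):  # the client's side of all three exchanges
    enc_key, tgt = as_exchange(client)
    k_c_tgs = bytes.fromhex(unseal(K_CLIENT, enc_key)["key"])  # needs the password-derived key
    enc_key2, ticket = tgs_exchange(tgt, seal(k_c_tgs, {"client": client, "ts": time.time()}), service)
    k_c_s = bytes.fromhex(unseal(k_c_tgs, enc_key2)["key"])
    return ap_exchange(ticket, seal(k_c_s, {"client": client, "ts": time.time()}))
```

Once a client holds a TGT it can repeat the second and third exchanges for further services without touching the password again, which is the "only once" property the section describes.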
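The OpenID Association and Verification steps of section 2.4.3, as an added example not taken from the paper: RP and OP derive a shared MAC key by Diffie-Hellman (the RFC 2409 group 2 prime is assumed here; OpenID 2.0 defines its own default modulus), the OP signs its positive assertion with it, and the RP checks the return URL, the discovered endpoint, nonce replay and the signature before accepting. The class and field names are this example's assumptions, not the OpenID wire format.

```python
import hashlib, hmac, secrets, time

# DH group assumed for this example: RFC 2409 "group 2" (1024-bit MODP prime, generator 2).
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22"
        "514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6"
        "F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
        "FFFFFFFFFFFFFFFF", 16)

def dh_keypair():                         # private exponent x in [1, P-2], public value 2^x mod P
    x = secrets.randbelow(P - 2) + 1
    return x, pow(2, x, P)
def mac_key_from(peer_public, private):   # DH shared secret -> association MAC key
    return hashlib.sha256(pow(peer_public, private, P).to_bytes(128, "big")).digest()
def sign(mac_key, fields):                # HMAC over every field except the signature itself
    msg = "".join(f"{k}:{fields[k]}\n" for k in sorted(fields) if k != "sig").encode()
    return hmac.new(mac_key, msg, hashlib.sha256).hexdigest()

class OpenIDProvider:
    def __init__(self, endpoint): self.endpoint, self.assocs = endpoint, {}  # handle -> MAC key
    def associate(self, rp_public):       # Association, OP side
        x, y = dh_keypair()
        handle = secrets.token_hex(8)
        self.assocs[handle] = mac_key_from(rp_public, x)
        return handle, y
    def authenticate(self, handle, claimed_id, return_to, user_authorized):
        if not user_authorized:           # OP could not authenticate or authorize the end user
            return {"mode": "cancel"}
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)
        resp = {"mode": "id_res", "op_endpoint": self.endpoint, "claimed_id": claimed_id,
                "return_to": return_to, "assoc_handle": handle, "response_nonce": nonce}
        resp["sig"] = sign(self.assocs[handle], resp)
        return resp

class RelyingParty:
    def __init__(self, return_to, discovered_endpoint):
        self.return_to, self.endpoint = return_to, discovered_endpoint
        self.mac_keys, self.seen_nonces = {}, set()
    def associate(self, op):              # Association, RP side
        x, y = dh_keypair()
        handle, op_public = op.associate(y)
        self.mac_keys[handle] = mac_key_from(op_public, x)
        return handle
    def verify(self, resp):               # Verification: return URL, discovered endpoint, nonce, signature
        key = self.mac_keys.get(resp.get("assoc_handle"))
        ok = (resp.get("mode") == "id_res" and resp["return_to"] == self.return_to
              and resp["op_endpoint"] == self.endpoint
              and resp["response_nonce"] not in self.seen_nonces   # reject replayed assertions
              and key is not None and hmac.compare_digest(resp["sig"], sign(key, resp)))
        if ok: self.seen_nonces.add(resp["response_nonce"])
        return ok
```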