Single Sign-On Architectures
Jan De Clercq, Senior Member of Technical Staff, Technology Leadership Group, Hewlett-Packard

Agenda
- Trusted Security Infrastructures
- SSO: What and Why?
- SSO Architectures
- Extending SSO
- Conclusion
HP World 2003 Solutions and Technology Conference & Expo
Trusted Security Infrastructures (TSIs)
[Diagram: layered architecture. Top layer: Applications (App 1, App 2, ...) and Web Services. Middle layer, the Trusted Security Infrastructure: Security Admin, Identity Mgmt, Security Policy Mgmt, Authentication Infrastructure, Auditing, Authorization Infrastructure. Bottom layer, Core IT Infrastructure Services: Meta-Directory, Dir A, Dir B, Dir C, DBs, Msg Mgmt.]

SSO Foundations: Trust
[Diagram: Trust as the foundation, with Identification, SSO and Authorization built on it.]
SSO: What and Why?
- Ease of Administration
- Ease of Use
- Enables Enforcement of a Coherent Security Policy
- Key to the Kingdom?

SSO Terminology
Infrastructure:
- Server: physical providers of authentication/SSO
- Authority: logical providers of authentication/SSO/trust = Domain (Windows speak) = Cell (DCE speak) = Realm (Kerberos speak)
Credentials:
- Digital Identity
- Factors
- Token

SSO Terminology
[Diagram: the user signs on with credentials to the Sign-On Domain server, which performs Account and Credential Management and issues a Token. A Trust relationship links the Sign-On Domain to the Resource Domain; the Resource Domain server performs Token Validation/Exchange.]
SSO Solutions and Architectures
Simple SSO:
- Single Authority and Server
- Single Authority and Multiple Servers
Complex SSO:
- With a Single Set of Credentials: Token-based SSO; PKI-based SSO
- With Multiple Sets of Credentials: Synchronization; Client-side Caching; Server-side Caching

Simple SSO Solutions: Single Authority and Server
[Diagram: the user signs on with credentials to the Sign-On Domain server (Account and Credential Management) and receives a Token. Trust between the Sign-On Domain and the Resource Domain; the Resource Domain server performs Token Validation/Exchange.]

Simple SSO Solutions: Single Authority and Multiple Servers
[Diagram: as above, but the Sign-On Domain has a Master server and Replicated servers; Account and Credential Management data is replicated from the master. Trust between the Sign-On Domain and the Resource Domain; Token Validation/Exchange at the Resource Domain server.]

Traditional Sign-On (No SSO)
[Diagram: the user performs a separate Sign-On to each Authority; each Authority keeps its own Account and Credential Management and issues its own Token.]

Complex SSO Solutions: Single Credential Set: Token-based SSO
[Diagram: the user signs on once to the first Authority (Account and Credential Management) and receives a Temporary Token. Trust between the Authorities; Transparent Sign-On(s) to the other Authorities using the Temporary Token.]
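The token-based flow on this slide, as an added example that is not part of the presentation: a sign-on authority mints a short-lived token after the user's one real sign-on, and a resource authority accepts it only because of a trust relationship with the issuer. Here that trust is a constructed shared HMAC key and the token format is an ad-hoc signed JSON claim set (both assumptions of this example; real deployments use Kerberos tickets or similar standard tokens). The resource side checks the signature before it parses anything, then issuer, audience and lifetime, so a tampered, replayed-to-the-wrong-domain or stale token is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed trust relationship: the sign-on authority and the resource
# authority share this secret, established out of band (hypothetical value).
TRUST_KEY = b"constructed-shared-trust-key"
CLOCK_SKEW = 30  # seconds of clock drift tolerated between authorities


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, issuer, audience, key, lifetime=300, now=None):
    """Sign-on authority: mint a temporary token after the user authenticated once."""
    now = time.time() if now is None else now
    claims = {"sub": user, "iss": issuer, "aud": audience,
              "iat": int(now), "exp": int(now) + lifetime,
              "jti": secrets.token_hex(8)}          # unique id, usable for revocation lists
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def validate_token(token, trusted_issuer, my_authority, key, now=None):
    """Resource authority: accept the token only if it is authentic, addressed to
    this authority, and within its lifetime. Returns (ok, reason, claims)."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Authenticate first; never parse claims from an unverified token.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return False, "bad signature", None
        claims = json.loads(_unb64(body))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token", None
    if claims.get("iss") != trusted_issuer:
        return False, "untrusted issuer", None
    if claims.get("aud") != my_authority:
        return False, "wrong audience", None
    if now > claims.get("exp", 0) + CLOCK_SKEW:
        return False, "expired", None
    if claims.get("iat", 0) > now + CLOCK_SKEW:
        return False, "issued in the future", None
    return True, "ok", claims


def _tamper(token):
    """Constructed test helper: change the subject but keep the original tag."""
    body, tag = token.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = "mallory"
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{tag}"


def demo():
    """Walk the transparent sign-on through the cases a resource authority must handle."""
    t0 = 1_700_000_000                      # constructed fixed clock for reproducibility
    sso, app = "sso.example", "app.example"  # constructed authority names
    tok = issue_token("alice", sso, app, TRUST_KEY, now=t0)
    return {
        "valid": validate_token(tok, sso, app, TRUST_KEY, now=t0 + 10)[1],
        "expired": validate_token(tok, sso, app, TRUST_KEY, now=t0 + 400)[1],
        "wrong audience": validate_token(tok, sso, "other.example", TRUST_KEY, now=t0 + 10)[1],
        "tampered": validate_token(_tamper(tok), sso, app, TRUST_KEY, now=t0 + 10)[1],
        "wrong key": validate_token(tok, sso, app, b"not-the-trust-key", now=t0 + 10)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

The audience check is what keeps a temporary token scoped to one resource authority even though every authority in the trust relationship could verify the signature; the lifetime check is what makes the token "temporary" in practice rather than just in name.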
Complex SSO Solutions: Single Credential Set: PKI-based SSO
[Diagram: the user registers with a CA, which issues a User Certificate; the user holds the User Private Key and User Cert. Each Authority holds the CA Cert and trusts the CA (Account and Credential Management). Transparent Sign-On(s) using Public Key Credentials (Certificate and Private Key).]

Complex SSO Solutions: Multiple Credential Sets: Password Sync
[Diagram: the user signs on to each Authority and receives a Token from each. Sync Software on each Authority synchronizes the credentials between the Account and Credential Management stores; Trust between the Authorities.]

Complex SSO Solutions: Multiple Credential Sets: Client-side Caching
[Diagram: the user signs on to the first Authority (Account and Credential Management) and receives a Token. A Secure Client-Side Cache holds the credentials for the other Authorities; Trust between the Authorities; Transparent Sign-On(s) using the cached credentials.]

Complex SSO Solutions: Multiple Credential Sets: Server-side Cache
[Diagram: the user signs on to the first Authority and receives a Token, then sends a Request for Credentials for the other Authority to the Credentials Authority (Account and Credential Management). Trust between the Authorities; Transparent Sign-On(s) using the credentials returned from the Credentials Authority.]
Extending SSO
- To cover different organizations
- Scope: extranet and Internet
- Federation

Defining Federation
The use of agreements, standards, and technologies to make identity and entitlements portable across autonomous identity domains.

Extending SSO: Federation
Conclusion
- Creating an SSO infrastructure for a heterogeneous environment is not an easy job
- The creation of SSO infrastructures is a great opportunity to leverage directory and meta-directory investment
- Prefer open standards over proprietary solutions
- Keep it simple
Questions? Jan.DeClercq@HP.com