Single Sign-On Best Practices



AUGUST 2018 WHITE PAPER
Single Sign-On Best Practices: Protecting Access in the Cloud

Table of Contents
Executive Summary
Objectives
Security Challenges
Standards
Conclusion
Additional Resources
Figures

iseatz 2018

Executive Summary

Driven by promises of faster pursuit of business goals, the shift to the cloud is changing how companies think about their IT infrastructure and what they must do to manage it. Gone are the days when business applications and data were protected within the confines of a local area network (LAN). Cloud services power a federated collection of on-demand services, provided by a variety of vendors to a set of highly distributed users. The motivations to leverage cloud architectures are worthwhile, since they can allow organizations to be more agile, provide a higher quality of service at a lower cost, and reduce capital investment and staffing costs. However, there can be unanticipated challenges around securing and controlling access, complying with local laws and regulations, unifying the overall user experience and budgeting for support costs. To meet these challenges, IT leaders are looking for secure access control solutions that embrace the cloud while managing the associated risks.

This paper:
1. Describes how single sign-on (SSO) provides a convenient and simple user interface to all cloud services and Web applications
2. Explains how a well-architected SSO and access control solution allows IT to maintain oversight
3. Describes how an enterprise can maintain the appropriate compliance posture

Objectives
- Leverage open, established protocols and standards
- Utilize existing, secure libraries for encryption and for handling sensitive user information
- Use a verified solution (self-hosted or managed) to implement the SSO standard
- When possible, use a standardized channel to share user profile information

Enterprise Cloud Security Challenges

For any cloud application, IT organizations must secure access to the application and its sensitive data. Access controls are particularly important because they must be strong without impeding the user experience. In addition, using multiple cloud technology suppliers may present new operational challenges, which can complicate the compliance requirements for safeguarding sensitive data. To address these security challenges, many enterprises consider SSO a fundamental requirement that addresses both security and usability.

In seeking a solution to these challenges, IT departments should look for a single authentication and control point for executing and enforcing enterprise security policy across all cloud applications. To fully capitalize on the cloud opportunity, the solution should satisfy all users with a simple, consistent experience while allowing the enterprise to retain the oversight and visibility needed to ensure policy compliance.

A Best Practices Approach for Enterprise Cloud Security

The market provides a few options for implementing SSO for the enterprise, including Security Assertion Markup Language (SAML) and OpenID Connect.

Standards

Security Assertion Markup Language (SAML)

With specification version 2.0 published in 2005, SAML remains a mainstay for enterprises looking to support federated authentication. SAML facilitates an XML-based exchange between a central Identity Provider and one or more Service Providers on their users' behalf. It has traditionally focused on browser-based authentication, delegating authorization to the eXtensible Access Control Markup Language (XACML) standard. SAML now offers an Enhanced Client or Proxy (ECP) profile designed to support non-browser workflows, but shipped implementations are not yet widely available.

OpenID Connect

Published in 2014, OpenID Connect (OIDC) adds an authentication layer on top of OAuth 2.0 and standardizes the type of SSO login flow offered by Google, Facebook, and others. In addition to authentication and authorization, it allows fine-grained delegation of access rights. Also in contrast to SAML, OIDC combines JavaScript Object Notation (JSON) request/response formats with Representational State Transfer (REST) API interactions. It is built to support browsers, embedded devices, and native applications.

Assumptions
- Browser-based SSO
- Consumer-facing
- SAML 2.0, OpenID Connect 1.0
- User profile information via SAML attribute query or the OpenID Connect UserInfo endpoint

Conclusion

A single sign-on experience for authentication brings smoother collaboration, but it also involves new user flows and more software, which add complexity and a larger attack surface to secure. In light of this, we would advise sticking close to well-known solutions and providers that implement open standards. This also eases finding compatible, well-maintained client libraries for all collaborating development teams.

Additional Resources

- What the Heck is OAuth? (overview of OAuth, SAML, OIDC)
- OWASP: Threats and Vulnerabilities in Federation Protocols and Products [slides]
- Why not just use OAuth alone for authentication?

SAML
- Shibboleth - Open-Source SSO Solution
- Testing Shibboleth / SAML
- OWASP SAML Security Cheat Sheet
- SAML protocol bug let hackers log in as other users
- ECP Profile

OpenID Connect
- Frequently Asked Questions
- Certified OpenID Connect Implementations
- Security Considerations [OpenID Connect spec]
- Preventing Mix-Up Attacks with OpenID Connect

Solution Providers
- Amazon Cognito
- Auth0
- Centrify
- Okta
- Ping Identity
- Shibboleth Commercial Support

Figures

Figure 1. SAML (High-Level Flow)
Participants: Client (browser), Service Provider, Identity Provider
1. Client -> Service Provider: Access protected resource
2. Service Provider -> Client: Redirect to SSO endpoint
3. Client -> Identity Provider: Request login
4. Identity Provider -> Client: Login form
5. Client -> Identity Provider: User authenticates
6. Identity Provider -> Client: Return SAML Response, etc.
7. Client -> Service Provider: Provide SAML assertion
8. Service Provider -> Client: Redirect to target resource
9. Client -> Service Provider: Request target resource
10. Service Provider -> Client: Respond with resource

Figure 2. OpenID Connect (High-Level Flow)
Participants: Client (browser), Relying Party (web app), Identity Provider
1. Client -> Relying Party: Access protected resource
2. Relying Party -> Client: Redirect for authorization
3. Client -> Identity Provider: Request login
4. Identity Provider -> Client: Login form
5. Client -> Identity Provider: User authenticates
6. Identity Provider -> Client: Redirect to web app with authorization code
7. Client -> Relying Party: Request for web app (carrying the authorization code)
8. Relying Party -> Identity Provider: Call access token endpoint
9. Identity Provider -> Relying Party: ID and access tokens
10. Relying Party -> Identity Provider: Call to UserInfo endpoint
11. Identity Provider -> Relying Party: Response to UserInfo request
12. Relying Party -> Client: Respond with resource
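As an added example (not code from the white paper or from iseatz), the following Python simulates the OpenID Connect authorization code flow of Figure 2 offline, with both sides in one process: a toy identity provider that mints a one-time authorization code and an HS256-signed ID token, and a relying party that checks the state parameter on its callback and then validates the token's signature, issuer, audience, expiry and nonce before trusting the login. The issuer URL, client id, shared key and user name are constructed values.

```python
# Added example, not code from the white paper: an offline simulation of the
# OpenID Connect authorization-code flow in Figure 2 with the relying-party checks.
import base64, hashlib, hmac, json, secrets, time

ISSUER, CLIENT_ID = "https://idp.example", "rp-app"   # constructed identifiers
IDP_KEY = b"constructed-shared-secret"                 # HS256 key of the toy IdP
_codes: dict = {}                                      # IdP store: code -> claims

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def idp_authorize(nonce: str, subject: str) -> str:
    """IdP, step 6: user has authenticated; mint a one-time code bound to the nonce."""
    code = secrets.token_urlsafe(16)
    _codes[code] = {"sub": subject, "nonce": nonce}
    return code

def idp_token(code: str, client_id: str) -> dict:
    """IdP, step 9: redeem the code once and return ID + access tokens."""
    claims = _codes.pop(code)                          # replaying a code raises KeyError
    now = int(time.time())
    payload = {"iss": ISSUER, "aud": client_id, "iat": now, "exp": now + 300, **claims}
    signing = b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(IDP_KEY, signing.encode(), hashlib.sha256).digest()
    return {"id_token": signing + "." + b64url(sig), "access_token": secrets.token_urlsafe(16)}

def rp_validate_id_token(id_token: str, expected_nonce: str) -> dict:
    """RP, after step 9: check signature, issuer, audience, expiry and nonce."""
    head, body, sig = id_token.split(".")
    expected = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID:
        raise ValueError("token not issued by the expected IdP for this RP")
    if claims["exp"] <= time.time():
        raise ValueError("token expired")
    if claims["nonce"] != expected_nonce:
        raise ValueError("nonce mismatch: token is not bound to this login")
    return claims

def rp_login(subject: str) -> dict:
    """RP, steps 2-9 end to end: state guards the callback, nonce binds the ID token."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    code = idp_authorize(session["nonce"], subject)    # steps 3-6 happen at the IdP
    callback = {"code": code, "state": session["state"]}   # step 7: browser hits RP callback
    if not hmac.compare_digest(callback["state"], session["state"]):
        raise ValueError("state mismatch: callback was not started by this session")
    tokens = idp_token(callback["code"], CLIENT_ID)    # steps 8-9: back-channel token call
    return rp_validate_id_token(tokens["id_token"], session["nonce"])
```

A production relying party would verify an RS256 signature against the provider's published JWKS instead of a shared secret, but the claim checks are the same.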

Single Sign-On Best Practices: Protecting Access in the Cloud (White Paper)

Author: John Guidry, Software Architect

John Guidry is a software architect at iseatz. His current technical interests include distributed systems, contributing to open source and seeking patterns for more reliable software. John earned a Bachelor of Science in Computer Science from Tulane University and has more than ten years of experience. When not at work, John enjoys cooking and taking apart anything that is not nailed down.

Founded in 1999 and based in New Orleans, iseatz is a leading travel commerce and ancillary merchandising technology company for travel, financial services and entertainment brands. The iseatz team of designers, developers, artists, engineers, inventors, analysts and project managers are the backbone of our proven reliability and uncontested vision.

www.iseatz.com
Headquarters: 643 Magazine Street, Suite 100, New Orleans, LA 70130