AUGUST 2018 WHITE PAPER

Single Sign-On Best Practices
Protecting Access in the Cloud
Table of Contents

Executive Summary ... 3
Objectives ... 3
Security Challenges ... 4
Standards ... 5
Conclusion ... 6
Additional Resources ... 7
Figures ... 8

iseatz 2018
Executive Summary

Driven by the promise of pursuing business goals faster, the shift to the cloud is changing how companies think about their IT infrastructure and what they must do to manage it. Gone are the days when business applications and data were protected within the confines of a local area network (LAN). Cloud services power a federated collection of on-demand services, provided by a variety of vendors to a set of highly distributed users.

The motivations to leverage cloud architectures are worthwhile, since they can allow organizations to be more agile, provide a higher quality of service at a lower cost, and reduce capital investment and staffing costs. However, there can be unanticipated challenges around securing and controlling access, complying with local laws and regulations, unifying the overall user experience and budgeting for support costs. To meet these challenges, IT leaders are looking for secure access control solutions that let them embrace the cloud while managing the associated risks.

This paper:
1. Describes how single sign-on (SSO) provides a convenient and simple user interface to all cloud services and Web applications
2. Explains how a well-architected SSO and access control solution allows IT to maintain oversight
3. Describes how an enterprise can maintain the appropriate compliance posture

Objectives

- Leverage open, established protocols and standards
- Utilize existing, secure libraries for encryption and for handling sensitive user information
- Use a verified solution (self-hosted or managed) to implement the SSO standard
- When possible, use a standardized channel to share user profile information
Enterprise Cloud Security Challenges

For any cloud application, IT organizations must secure access to the application and its sensitive data. Access controls are particularly important because they must be strong without impeding the user experience. In addition, using multiple cloud technology suppliers may present new operational challenges and may complicate the compliance requirements for safeguarding sensitive data. To address these security challenges, many enterprises consider SSO a fundamental requirement, addressing both security and usability.

In seeking a solution to these challenges, IT departments should look for a single authentication and control point for executing and enforcing enterprise security policy across all cloud applications. To fully capitalize on the cloud opportunity, the solution should satisfy all users with a simple, consistent experience while allowing the enterprise to retain the oversight and visibility needed to ensure policy compliance.

A Best Practices Approach for Enterprise Cloud Security

The market provides a few options for implementing SSO in the enterprise, including Security Assertion Markup Language (SAML) and OpenID Connect.
Standards

Security Assertion Markup Language (SAML)

With specification version 2.0 published in 2005, SAML remains a mainstay for enterprises looking to support federated authentication. SAML facilitates an XML-based exchange between a central Identity Provider and one or more Service Providers on their users' behalf. It has traditionally focused on browser-based authentication, delegating authorization to the eXtensible Access Control Markup Language (XACML) standard. SAML now offers an Enhanced Client or Proxy (ECP) profile standard designed to support non-browser workflows, but shipped implementations are not yet widely available.

OpenID Connect

Published in 2014, OpenID Connect (OIDC) adds an identity layer on top of OAuth 2.0 and standardizes the type of SSO login flow offered by Google, Facebook, and others. In addition to authentication and authorization, it allows fine-grained delegation of access rights. In contrast to SAML, OIDC combines JavaScript Object Notation (JSON) request/response formats with Representational State Transfer (REST) API interactions. It is built to support browsers, embedded devices, and native applications.
Assumptions

- Browser-based SSO
- Consumer-facing
- SAML 2.0, OpenID Connect 1.0
- User profile information via SAML attribute query or OpenID UserInfo endpoint

Conclusion

A single sign-on experience for authentication brings smoother collaboration, but it also involves new user flows and more software, which adds complexity and a larger attack surface to secure. In light of this, we advise sticking close to well-known solutions and providers that implement open standards. This also makes it easier to find compatible, well-maintained client libraries for all collaborating development teams.
Additional Resources

- What the Heck is OAuth? (overview of OAuth, SAML, OIDC)
- OWASP Threats and Vulnerabilities in Federation Protocols and Products [slides]
- Why not just use OAuth alone for authentication?

SAML
- Shibboleth - Open-Source SSO Solution
- Testing Shibboleth / SAML
- OWASP SAML Security Cheat Sheet
- SAML protocol bug let hackers log in as other users
- ECP Profile

OpenID Connect
- Frequently Asked Questions
- Certified OpenID Connect Implementations
- Security Considerations [OpenID Connect spec]
- Preventing Mix-Up Attacks with OpenID Connect

Solution Providers
- Amazon Cognito
- Auth0
- Centrify
- Okta
- Ping Identity
- Shibboleth Commercial Support
Figures

Figure 1. SAML (High-Level Flow)
Participants: Client, Service Provider, Identity Provider
Messages, in order:
1. Access Protected Resource
2. Redirect to SSO Endpoint
3. Request Login
4. Login Form
5. User Authenticates
6. Return SAML Response, etc.
7. Provide SAML Assertion
8. Redirect to Target Resource
9. Request Target Resource
10. Respond with Resource
Figures Continued

Figure 2. OpenID Connect (High-Level Flow)
Participants: Client, Relying Party, Identity Provider
Messages, in order:
1. Access Protected Resource
2. Redirect for Authorization
3. Request Login
4. Login Form
5. User Authenticates
6. Redirect to Web App with Authorization Code
7. Request for Web App
8. Call Access Token Endpoint
9. ID and Access Tokens
10. Call to UserInfo Endpoint
11. Response to UserInfo Request
12. Respond with Resource
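Figure 2 shows the message order but not what the Relying Party has to verify at each step. The following is an added example (not from the white paper or from any listed provider) that walks both sides of the authorization code flow in one process: the Relying Party builds the authorization request with a per-session state and nonce, a simulated Identity Provider authenticates the user and redirects back with a code, the Relying Party redeems the code at the token endpoint, validates the ID token (signature, issuer, audience, expiry, nonce), and finally calls the UserInfo endpoint for the profile, which is the standardized profile channel the Objectives section asks for. The issuer URL, client id, client secret, redirect URI and user profile are constructed placeholders. The ID token is signed with HS256 over the client secret, one of the signing options the OIDC Core specification allows; the check logic is the same for RS256 tokens, which a real deployment would verify with keys from the provider's JWKS endpoint through a vetted library.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER, CLIENT_ID = "https://idp.example.com", "web-app-client"   # constructed placeholders
CLIENT_SECRET = b"constructed-client-secret"                        # constructed placeholder
REDIRECT_URI = "https://app.example.com/callback"                   # constructed placeholder

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

# --- simulated Identity Provider (stands in for the IdP of Figure 2) ---------
class FakeIdP:
    def __init__(self):
        self.codes = {}    # authorization code -> (subject, nonce, client_id)
        self.tokens = {}   # access token -> subject

    def authorize(self, url):
        # "Redirect for Authorization" / "User Authenticates" /
        # "Redirect to Web App with Authorization Code"
        q = query_params(url)
        if q.get("response_type") != "code" or q.get("client_id") != CLIENT_ID:
            raise ValueError("unsupported authorization request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = ("user-1234", q["nonce"], q["client_id"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, client_id, client_secret):
        # "Call Access Token Endpoint" -> "ID and Access Tokens"; the code is single use
        sub, nonce, issued_to = self.codes.pop(code)
        if client_id != issued_to or client_secret != CLIENT_SECRET:
            raise ValueError("client authentication failed")
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": sub, "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        header, body = b64url(b'{"alg":"HS256"}'), b64url(json.dumps(claims).encode())
        sig = hmac.new(client_secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        access_token = secrets.token_urlsafe(16)
        self.tokens[access_token] = sub
        return {"id_token": f"{header}.{body}.{b64url(sig)}", "access_token": access_token}

    def userinfo(self, access_token):
        # "Call to UserInfo Endpoint" -> "Response to UserInfo Request"
        return {"sub": self.tokens[access_token], "name": "Alice Example",
                "email": "alice@example.com"}   # constructed profile

# --- Relying Party -------------------------------------------------------------
def start_login(session):
    """Build the authorization request and bind state and nonce to this browser session."""
    session["state"] = secrets.token_urlsafe(16)   # the callback must carry it back
    session["nonce"] = secrets.token_urlsafe(16)   # the ID token must carry it back
    return ISSUER + "/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email", "state": session["state"], "nonce": session["nonce"]})

def verify_id_token(token, expected_nonce, now=None):
    """Check signature, issuer, audience, expiry and nonce; return the claims."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # the token must not choose its own algorithm
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or foreign ID token)")
    return claims

def handle_callback(session, callback_url, idp):
    """Check state, redeem the code, validate the ID token, then fetch the profile."""
    q = query_params(callback_url)
    if not hmac.compare_digest(q.get("state", ""), session.pop("state", "")):
        raise ValueError("state mismatch (login was not started by this session)")
    tokens = idp.token(q["code"], CLIENT_ID, CLIENT_SECRET)
    claims = verify_id_token(tokens["id_token"], session.pop("nonce", None))
    profile = idp.userinfo(tokens["access_token"])
    if profile["sub"] != claims["sub"]:   # UserInfo must describe the authenticated subject
        raise ValueError("UserInfo subject does not match the ID token")
    return profile

def run_flow(idp=None):
    idp, session = idp or FakeIdP(), {}
    return handle_callback(session, idp.authorize(start_login(session)), idp)

if __name__ == "__main__":
    print("logged in:", run_flow())
```

The state value ties the callback to the browser session that started the login, and the nonce ties the ID token to that same login; both are popped from the session on first use so neither can be presented twice. The algorithm in the token header is compared against the one the Relying Party expects rather than used to select a verifier, and the UserInfo `sub` is cross-checked against the ID token before the profile is trusted.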
Author

John Guidry, Software Architect

John Guidry is a software architect at iseatz. His current technical interests include distributed systems, contributing to open source and seeking patterns for more reliable software. John earned a Bachelor of Science in Computer Science from Tulane University and has more than ten years of experience. When not at work, John enjoys cooking and taking apart anything that is not nailed down.

About iseatz

Founded in 1999 and based in New Orleans, iseatz is a leading travel commerce and ancillary merchandising technology company for travel, financial services and entertainment brands. The iseatz team of designers, developers, artists, engineers, inventors, analysts and project managers are the backbone of our proven reliability and uncontested vision.

www.iseatz.com
Headquarters: 643 Magazine Street, Suite 100, New Orleans, LA 70130