What is SSO?
You should note that SSO is not limited to web applications.
Types of SSO
- Kerberos based: The initial sign-on prompts the user for credentials and obtains a Kerberos ticket-granting ticket (TGT). Software applications then use the TGT to prove the user’s identity.
- Smart card based: The initial sign-on prompts the user for the smart card. Additional software applications also authenticate using the same smart card.
- OTP token: Two-factor authentication. A one-time code is generated on a device and combined with the user’s password during authentication.
- Integrated Windows Authentication: Originally designed for IIS and IE. Though it has since moved cross-platform, this authentication method has lost ground in internet-based solutions.
- Security Assertion Markup Language: XML-based solution for exchanging user security information between an enterprise and a service.
Security Assertion Markup Language (SAML) Defined
To understand SAML you should have an understanding of the pieces that make up SAML, as well as common SSO terminology listed at the bottom of this article.
- Principal (User) - End user looking to get access to an application.
- Identity provider (IdP) - where the user authenticates via user name and password or two-factor authentication.
- Service provider (SP) - relies on the IdP’s identity assertion before providing a service.
SAML versus LDAP
- LDAP is used for identifying, querying AND modifying directory data. Using it for web SSO requires an open port to the directory service, which exposes a company’s user data to the web.
- SAML is used only for identifying.
- Note: SAML is a less intrusive, more broadly accepted standard for SSO across the web. SAML can be used with AD and other directory services.
Common SSO Terminology
- Active Directory (AD): Database-based system that provides authentication, directory, policy, and other services in a Windows environment.
- Active Directory Federation Services (AD FS): Software installed in conjunction with AD that allows AD to provide SSO via SAML to external service providers.
- Lightweight Directory Access Protocol (LDAP): Application protocol for querying and modifying items in directory service providers such as Active Directory, which supports a form of LDAP.
- LDAP Server: A directory service that utilizes LDAP to access and maintain a directory of users. AD is a form of LDAP server.
- OAuth: Allows access to outside services on behalf of another user. Similar in concept to su in Linux.
- OpenID: Standard allowing users to be authenticated by cooperating sites using a third-party service. Generally, users are authenticated via a URI. It allows for a framework of communication between sites. Some concerns remain around spoofing.