Authentication
- It is a process of an Entity (Source or Principal) providing its identity to another Entity (Destination or System)
- Principal could be a computer program, an end user, a computer system, a piece of hardware, mobile device ets. and System will be on server that provides a service.
- The principal provides Credentials that must be authenticated by the System using some type of Identity systems ( (User Repos like LDAP or AD, Federation Server etc.). Supplied credentials can be a UserId and Password, Digital Signature, Client Certificate or a Randomly generated Pin.
Single Sign-On
- It is a characteristic of an authentication mechanism that uses the user’s identity and provides access across multiple Service Providers.
- It uses single authentication process to be used across multiple Service Providers.
- Applications still require password to login, but the software handles storing it and automatically retrieving it for the user and passing it across the application request.
- There are many SSO solutions in the market. Active Directory (AD) is an example of a SSO because all domain resources joined to AD can be accessed without the need for additional authentication. SAP, Oracle, IBM and others offer SSO solutions for enterprise use. Okta, OneLogin and others specialize in single sign on for web applications.
- Since single authentication is used across multiple Service Providers it is suggested to have multi-factor authentication to ensure added security which depends on the capabilities of the Service Provider.
- User has to remember multiple login parameters.
- IT teams have to manage all the individual SAAS logins and in some scenarios deported employees may continue having access to the resources after leaving the company that may lead to security breaches.
- As an analogy, you can get into an amusement park but still need a ticket for each ride.
- Advantages
- Access logs – an SSO portal provides detail reporting on who accessed what
- Session time – by eliminating credential re-authentication users spend less time on the authentication process leading to improved productivity.
- Centralized database – one database that includes logs for authentication and authorization to support compliance and administration.
- Fewer credentials means a lower chance of phishing – phishing emails and social engineering are nearly impossible
- Reduce help desk costs – reducing the amount of credentials (passwords) translates to fewer help desk calls which are estimated at 20 – 50% of all help desk calls.
- Disadvantages
- The main disadvantage of SSO is in its use of one set of credentials, if those credentials are not protected correctly and are stolen the thief has access to your entire kingdom.
- The second less talked about disadvantage to SSO is the fact that while it provides single sign on it does not provide single sign off, the logoff process varies from application to application and depends on the settings of the application, user sessions usually stay active long after the user has completed his/hers use which can easily lead to session hijacking.
Federated Single sign-0n OR FEDERATED IDENTITY MANAGEMENT (FIM)
- As per WS-Federation Specification “The goal of federation is to allow security principal identities and attributes to be shared across trust boundaries according to established policies.”
- Federation is a relationship which is maintained between organizations. User from each organization gets access across each other’s web properties. Hence, federated SSO provides an authentication token to the user which is trusted across organizations. So, user does not need to create a different account for every organization in federation to access web properties and applications.
- The federation server (Identity Provider) recognizes user with his username and password. Hence, it passes the message of authentication with a related token to other organizations in federation to authorize the user. Hence, the user is free from creating a new account or resubmitting credentials to log into any application or website in federation. The target website or application acknowledges the token due to trust between systems.
- Federated Identity Management (FIM) refers to a way to connect identity management systems together. With FIM, a user’s credentials are always stored with a home organization (Identity Provider). When the user logs into a service provider instead of providing credentials to the SP , the SP trusts the IdP to validate the credentials. So the user never provides credentials to anyone but to IdP.
- FIM gives SSO but SSO does not necessarily give FIM.
- Authorization messages among partners in an FIM system can be transmitted using security assertion markup language (SAML) or a similar XML standard that allows a user to log on once for affiliated but separate websites or networks.
- Federated SSO uses standard identity protocols like OAuth, WS-Federation, WS-Trust, OPenID and SAML to pass tokens. Federation provides authentication and security features on both cloud and on premise applications.
- Federation allows single sign-on (SSO) without passwords. The federation server knows the username for a Person in each application and presents that application with a token.‘
- As an analogy, you get into an amusement park but have a wrist band that every ride operator recognizes and lets you in.
- Advantages
- All the advantages that SSO provides (listed under SSO Section) plus
- Your users only require to learn a single password for all organizations. No more resetting of passwords. It saves money by avoiding password reset calls. According to META group every password reset request costs 25USD.
- Federated SSO scores eleven in a scale from one to ten when it comes to user experience. You will definitely skyrocket your user experience.
- Employers using federated SSO will benefit from it as your employees will not sit unproductive resetting their passwords for their applications.
- Identity federation offers economic advantages, as well as convenience, to enterprises and their subscribers. For example, multiple corporations can share a single application (B2B federation), with resultant cost savings and consolidation of resources.
- FIM is cheaper and much more secure in the long run because
- It doesn’t need to manage individual SaaS accounts. It happens automatically.
- Licenses for said SaaS applications are assigned or removed automatically.
- Access to ALL SaaS applications is removed at once.
- The user only needs to remember ONE username and password combination.
- FIM allows IT to protect critical apps with Multi Factor Authentication.
- The User has a single user interface to access ALL his SaaS applications.
- When you have a single place that can control access to all applications, not only can you audit and control every access, but you even have the ability to disable access to every application in your inventory with a single click.