Wednesday, December 21, 2011

Single Sign-On (SSO) and Federated Identity Management

If you're studying for one of the security certifications such as CISSP, SSCP, or Security+ it's important to understand single sign-on (SSO) concepts and federated access.

SSO refers to the ability of a user to log on or access multiple systems by providing credentials only once. It enhances security by requiring users to use and remember only one set of credentials for authentication. Once signed on using SSO, this one set of credentials is used throughout a user’s entire session.

Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide


Kerberos is an authentication protocol commonly used to help support SSO in many networks. When users authenticate, a Key Distribution Center (KDC) issues the user an encrypted time-stamped ticket-granting ticket (TGT). The TGT is cached on the user's system and normally has a lifetime of 10 hours but can be renewed. Kerberos uses symmetric cryptography to encrypt tickets and in most current implementations it uses Advanced Encryption Standard (AES). The KDC is also referred to as an authentication server (AS) or sometimes as a Kerberos authentication server (KAS).

When the user later wants to access a resource such as a file on a server, the user's system submits the TGT with a request to access the resource. The KDC validates the TGT and sends the user a ticket (sometimes called a service ticket) for the resource. The user's system then submits this ticket to the host of the resource (in this case the file server) with a request to access the resource. The host checks with the KDC to ensure that the ticket is valid and if so, allows access as long as the user is authorized.

Kerberos requires all systems to be time synchronized and the default in version 5 is for all systems to be within five minutes of each other. If a system is more than five minutes off, the KDC won't issue a TGT or any other tickets, effectively blocking all non-anonymous access on a network. It uses a database of credentials to authenticate users and uses port 88 by default.
A drawback with Kerberos is that it represents a single point of failure. If the KDC fails, all authentication stops. Additionally, if the KDC is compromised, all credentials are compromised.

Studying SSCP?
This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide

Federated Identity Management

Identity management refers to the management of user identities and their credentials. For example, usernames and passwords are stored in a database that can be accessed by Kerberos to authenticate users. Users claim an identity and prove their identity by authenticating, such as with a password. In federated identity management, organizations join a group of organizations called a federation. All the organizations within the federation agree on a method to share identities between the organizations.
Once the federation is configured, users are able to log on one time within their organization and then access resources in other organizations without logging on again. This is usually transparent to the user.

As an example, I have worked in an organization where we logged on with smart cards. We had access to training sites hosted by other organizations but part of a federated identity management system. All we had to do was access the web site using a web browser, and our credentials were automatically recognized without requiring us to take any additional steps.

In summary, SSO methods can increase security by reducing the number of passwords users must remember. Federated access allows an organization to share identities between different organizations in a common group, or federation of organizations.