CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
2. You’ve waited long enough …
Copyright © 2015 Cloud Identity Summit. All rights reserved. 2
[Figure: Mobile Apps, Web Apps and SaaS Apps, each with its own username and password prompt]
4. Integration Kits
5. It’s time for SSO …
… what do you mean by SSO?
App Enablement? Session Management? Access Control?
Auditing? Authentication Policy?
“One Username & Password
(or some other form of authentication)
just One Time”
6. It’s time for SSO …
… and how will we get SSO?
Open Standards? On-Premise? IdaaS?
Agents vs Gateway? App Changes?
“Eliminate Unnecessary Passwords”
(yes, some work will be needed –
but you want to do this the right way)
7. [Figure: Enterprise – Access Management / Federated Identity Management]
9. “First Mile” / “Last Mile” Integration
[Figure: Identity Provider (IdP): Identity Store ↔ Federation Server (“First Mile”); Service Provider (SP): Federation Server ↔ Target App (“Last Mile”)]
10. “First Mile” Integration
• If you’re using a Federation Server – hopefully this is just a configuration exercise:
  • ADconnect (Active Directory)
  • PingFederate (Complex AD, LDAP, WAM, etc.)
  • PingOne Cloud Directory (IdaaS user/group dir.)
• Worst case – there are Libraries & APIs to help you integrate a custom portal or user store
12. “Last Mile” Integration
Question #1: Does your application support Web (federated) SSO standards? (i.e.: SAML, WS-Federation, OpenID Connect)
13. “Last Mile” Integration – with Standards
[Figure: Identity Provider (IdP): Identity Store ↔ Federation Server; SAML to the Service Provider (SP) Target App]
14. “Last Mile” Integration – with Standards
[Figure: Your Identity Stores / Partners (Acme, Beta, Com) each connect over SAML to a Federation Hub, which fronts Your Apps]
15. “Last Mile” Integration – with Standards
[Decision flow: Does your app support Web SSO standards (SAML/WS-Fed/OIDC)? Yes / No → Do you prefer IdaaS? Yes / No]
17. “Last Mile” Integration – with HTTP Headers
[Figure: Identity Provider (IdP): Identity Store ↔ Federation Server; SAML to the Service Provider (SP) Federation Server; an Agent / Gateway then passes identity to the Target App as HTTP Headers, e.g. User: joe, Email: joe@co.co, Group: Sales]
18. “Last Mile” Integration – with HTTP Headers
• Federated SSO
  • PingFederate Integration Kits: Apache & IIS
• WAM Features (Session Management, URL Authorization & Auditing)
  • Gateway (Reverse Proxy)
  • Agents: Apache & IIS
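The header-based “last mile” pattern on the two slides above, as an added example that is not from the deck and not from PingFederate or its integration kits: one function stands in for the agent / reverse proxy that has already completed the SAML login, another for the target app that reads identity from the forwarded headers. The X-SSO-* header names, the HMAC signature that lets the app tell gateway-set headers from client-supplied ones, the shared secret and the sample session values are all assumptions constructed for the illustration (real agents and gateways use their own mechanisms to protect the header channel).

```python
import hashlib
import hmac

# Identity headers the gateway injects (modelled on the deck's User / Email / Group example;
# the X-SSO-* names are an assumption, not a product convention).
IDENTITY_HEADERS = ("X-SSO-User", "X-SSO-Email", "X-SSO-Group")
SIGNATURE_HEADER = "X-SSO-Signature"
# Constructed shared secret known only to the gateway and the target app.
GATEWAY_SECRET = b"constructed-example-secret"


def sign_identity(headers, secret=GATEWAY_SECRET):
    """HMAC over the identity headers so the app can tell gateway-set values from anything else."""
    canonical = "\n".join(f"{name}:{headers[name]}" for name in IDENTITY_HEADERS).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def gateway_forward(client_headers, session):
    """Stand-in for the agent / reverse proxy.

    client_headers: headers as received from the browser (dict).
    session: the federated session established after SAML login (dict with user/email/group),
             or None when the user has not authenticated yet.
    Returns the headers forwarded to the target app, or None when the gateway would instead
    redirect the user to the Identity Provider.
    """
    if session is None:
        return None
    reserved = {h.lower() for h in IDENTITY_HEADERS} | {SIGNATURE_HEADER.lower()}
    # Drop anything the client sent under a reserved name so only gateway values reach the app.
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    forwarded["X-SSO-User"] = session["user"]
    forwarded["X-SSO-Email"] = session["email"]
    forwarded["X-SSO-Group"] = session["group"]
    forwarded[SIGNATURE_HEADER] = sign_identity(forwarded)
    return forwarded


def target_app(headers, allowed_group="Sales"):
    """The 'last mile' application: consumes identity from headers, but only when they carry
    a valid gateway signature.  Returns (status, body) like a minimal HTTP handler."""
    signature = headers.get(SIGNATURE_HEADER)
    if signature is None or any(h not in headers for h in IDENTITY_HEADERS):
        return 401, "no gateway identity"
    if not hmac.compare_digest(signature, sign_identity(headers)):
        return 401, "gateway signature mismatch"
    if headers["X-SSO-Group"] != allowed_group:
        return 403, "group not authorized"
    return 200, f"hello {headers['X-SSO-User']}"


if __name__ == "__main__":
    # Constructed sample: a browser request passing through the gateway with a valid session.
    session = {"user": "joe", "email": "joe@co.co", "group": "Sales"}
    browser = {"Host": "app.example", "X-SSO-User": "someone-else"}
    print(target_app(gateway_forward(browser, session)))  # (200, 'hello joe')
    # The same identity headers sent straight to the app, without the gateway: rejected.
    print(target_app({"Host": "app.example", "X-SSO-User": "joe",
                      "X-SSO-Email": "joe@co.co", "X-SSO-Group": "Sales"}))  # (401, 'no gateway identity')
```

The two details worth keeping when an app is integrated this way are both visible in the block: the gateway overwrites every identity header rather than merging with what the browser sent, and the app treats the headers as authoritative only when it can verify they were set by the gateway (here an HMAC; in a deployment that might instead be network isolation so the app is reachable only through the gateway, or a signed token from the product).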
19. “Last Mile” Integration – with Standards
[Decision flow: Does your app support HTTP header based SSO? Yes / No → Do you want WAM features? Yes / No]
21. “Last Mile” Integration – with App Changes
Features                                                        | Approach                                      | Effort Level | Product(s)
----------------------------------------------------------------|-----------------------------------------------|--------------|-----------------------
Federated SSO                                                   | Implement SAML                                | L            | n/a
Federated SSO                                                   | Implement OpenID Connect                      | S            | n/a
Federated SSO                                                   | HTTP Headers                                  | XS           | PingFederate
Federated SSO                                                   | REST API                                      | S            | PingFederate, PingOne
Federated SSO                                                   | SSO Integration Kit SDK Library (Java, .NET)  | S            | PingFederate
WAM Features (Session Management, URL Authorization & Auditing) | HTTP Headers                                  | XS           | PingAccess
23. “Last Mile” Integration – “I’m out of options…”
• PingFederate Integration Kits
• Basic SSO (Password Vaulting)
… still lost?
Talk to us!
25. Get Your Time Machines Ready …
26. SSO for Mobile Applications
• Are multiple logins (with the same creds) OK?
  • User experience could be mitigated with long lived refresh tokens
• Shared refresh tokens? (Multiple apps – same dev. signer)
• Shared browser session?
• Centralized broker of OAuth Access Tokens
  • Napps – http://openid.net/wg/napps/
  • PingOne Mobile – Early Napps draft support, compatible with both PingFederate and PingOne