Preventing password fatigue with single sign-on (SSO) authentication


Michael Cobb, Contributor
02.01.2010


Have you ever thought about how many usernames and passwords your employees have to remember and enter during the course of a regular day? There are too many offsite applications and resources, such as data centres, cloud applications and social networking sites, to expect employees to use a unique, truly strong password for each one. Most will use the same password for every service, particularly if you enforce a password expiry policy. Multiple usernames and passwords not only cause frustration, but are a serious security weakness.

Finding an alternative to multiple passwords will help manage users' identities and their access to resources that reside beyond the corporate firewall. However, throughout the process you will also need to control not only your own employees accessing external resources, but also customers and trading partners that access your resources via the Internet.

The time has come to look into implementing single sign-on (SSO) authentication, which allows users to sign into the system only once and still access services controlled by third parties. Federation is probably the most cost-effective and safest method of providing customers, suppliers and employees access to data and application functionality distributed across the Internet.

So what is a federated environment and how will it prevent password fatigue? A federated environment is a collection of security domains that have established relationships for sharing resources securely. There are two main standards for implementing federation and enabling SSO connections: SAML (Security Assertion Markup Language) and Liberty Alliance ID-FF.

Both specifications define mechanisms for organisations to share and manage identity information between autonomous domains, enabling access to cross-boundary information. So instead of having to remember separate logins and passwords for each application, users authenticate once using their organisation's identity management system and then have access to all of their SSO-enabled applications without the need to sign in again.

SAML is emerging as the most popular standard and is part of several single sign-on (SSO) authentication solutions, such as the Shibboleth Project, an open source software package used for Web single sign-on. In addition, the Liberty Alliance's ID-WSF 2.0 actually includes support for SAML 2.0.

There are two main roles in a SAML SSO transaction:

  • The identity provider (IdP): This is likely to be an enterprise which maintains a directory of users and some mechanism for authenticating them.
  • The service provider (SP): This could be a Software as a Service (SaaS) or any outsourced service that needs to provide authorised access to its services or resources.

Identity federation allows a trust relationship to be defined so the SP can control user access based on authentication carried out by the IdP. An example would be an enterprise using Google Apps such as Google Docs, Calendar and Groups. The organisation acts as the IdP and Google Apps as the SP. IdPs can support multiple service provider connections, and SPs can use the same SAML solution to support multiple customers.

All of the identifying information about a person, company, application or system that an application needs in order to make access decisions, such as the user's name and application access level, is contained in an XML document called a SAML assertion or token. The SAML assertion is encrypted and signed by the issuing organisation, ensuring secure transmission across the Internet. SAML 2.0 overcomes a drawback of earlier versions by providing the means to directly establish, through SAML message exchanges, the identifiers used to represent a federated identity.
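To make the IdP/SP split and the contents of an assertion concrete, here is an added example (not code from the article or from any of the products it names): a toy SAML-style exchange in Python using only the standard library. The IdP checks the user's password against its own directory and issues an assertion carrying the subject, the issuer, the intended audience (the SP), a validity window and an access-level attribute; the SP verifies the signature, issuer, audience and validity window before it grants access, and the password never leaves the IdP. The entity IDs, the user directory and the signing key are constructed for the demo; real SAML uses XML Signature with RSA or ECDSA keys and ISO 8601 timestamps, so the HMAC over the assertion bytes and the epoch-second timestamps here are simplifications standing in for those.

```python
"""Toy SAML-style SSO: an IdP issues a signed assertion, an SP validates it.
Added example; all identifiers and secrets below are constructed for the demo."""
import base64
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET
from typing import Optional

# --- constructed demo data (assumptions, not values from the article) ---
IDP_ENTITY_ID = "https://idp.example.org"
SP_ENTITY_ID = "https://sp.example.com"
# Stands in for the IdP signing key and the SP's trust anchor; real deployments
# use the IdP's signing certificate exchanged in metadata, not a shared secret.
SHARED_SECRET = b"constructed-demo-secret"
# The IdP's own user directory: username -> (sha256(password) hex, access level)
_DIRECTORY = {"alice": (hashlib.sha256(b"correct horse").hexdigest(), "editor")}
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)


def _tag(name: str) -> str:
    return f"{{{SAML_NS}}}{name}"


def idp_authenticate(username: str, password: str) -> bool:
    """IdP side: local password check. The SP never sees this password."""
    rec = _DIRECTORY.get(username)
    if rec is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(rec[0], digest)


def idp_issue_token(username: str, password: str, audience: str,
                    now: Optional[float] = None, lifetime: int = 300) -> Optional[str]:
    """IdP side: authenticate, then issue a signed assertion restricted to `audience`.
    Returns base64(assertion XML) + "." + hex(HMAC-SHA256 over the XML bytes)."""
    if not idp_authenticate(username, password):
        return None
    issued = int(time.time() if now is None else now)
    a = ET.Element(_tag("Assertion"), {"Version": "2.0", "IssueInstant": str(issued)})
    ET.SubElement(a, _tag("Issuer")).text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(a, _tag("Subject")), _tag("NameID")).text = username
    cond = ET.SubElement(a, _tag("Conditions"),
                         {"NotBefore": str(issued), "NotOnOrAfter": str(issued + lifetime)})
    ET.SubElement(ET.SubElement(cond, _tag("AudienceRestriction")), _tag("Audience")).text = audience
    attr = ET.SubElement(ET.SubElement(a, _tag("AttributeStatement")), _tag("Attribute"),
                         {"Name": "accessLevel"})
    ET.SubElement(attr, _tag("AttributeValue")).text = _DIRECTORY[username][1]
    xml_bytes = ET.tostring(a, encoding="utf-8")
    sig = hmac.new(SHARED_SECRET, xml_bytes, hashlib.sha256).hexdigest()
    return base64.b64encode(xml_bytes).decode() + "." + sig


def sp_validate_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """SP side: accept the assertion only if signature, issuer, audience and
    validity window all check out. Returns the subject and attributes, else None."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        xml_bytes = base64.b64decode(b64)
    except ValueError:
        return None
    expected = hmac.new(SHARED_SECRET, xml_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered, or not issued by the IdP we trust
    root = ET.fromstring(xml_bytes)  # verify before parse: never trust unsigned content
    ns = {"saml": SAML_NS}
    if root.findtext("saml:Issuer", namespaces=ns) != IDP_ENTITY_ID:
        return None
    cond = root.find("saml:Conditions", ns)
    if cond is None or not (int(cond.get("NotBefore")) <= now < int(cond.get("NotOnOrAfter"))):
        return None  # not yet valid, or expired
    audiences = [e.text for e in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", ns)]
    if SP_ENTITY_ID not in audiences:
        return None  # assertion was issued for some other SP
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    attrs = {e.get("Name"): e.findtext("saml:AttributeValue", namespaces=ns)
             for e in root.findall("saml:AttributeStatement/saml:Attribute", ns)}
    return {"subject": subject, "attributes": attrs}


def tamper(token: str, old: str, new: str) -> str:
    """Modify the assertion body while keeping the original signature (for the demo)."""
    b64, sig = token.split(".", 1)
    body = base64.b64decode(b64).replace(old.encode(), new.encode())
    return base64.b64encode(body).decode() + "." + sig


if __name__ == "__main__":
    tok = idp_issue_token("alice", "correct horse", SP_ENTITY_ID)
    print("valid:", sp_validate_token(tok))
    print("tampered:", sp_validate_token(tamper(tok, "editor", "admin")))
```

The four checks in `sp_validate_token` are the ones that matter in a real SP: signature first (so nothing unsigned is ever parsed for content), then issuer, then audience (an assertion minted for one SP must not be replayable at another), then the validity window. The `tamper` helper shows why the signature check has to cover the whole assertion: changing `accessLevel` without the IdP's key is rejected outright.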

Choosing a single sign-on (SSO) solution
SSO is an ideal cure for password fatigue. Because the user is authenticated by his or her own organisation's identity system, no additional passwords are required and the user's password never needs to cross the corporate firewall. However, building your own SSO solution is a significant undertaking. Even Google's implementation of SSO for its Google Apps Premier Edition was found to contain a security flaw. On no account should you consider building or using a proprietary solution, as it's very unlikely to scale to connect with multiple partners.

When choosing an SSO solution, you should choose one that supports all versions of SAML, as they are all still in use, plus an additional standard known as WS-Federation. Many Microsoft-based houses will be using WS-Federation as it is the protocol supported by the Active Directory Federation Service (ADFS).

WS-Federation is a component of the suite of Web service specifications spearheaded by Microsoft and IBM. WS-Federation provides comparable functionality to SAML, but many consider it overly complex, adding little to SAML 2.0 and ID-WSF. A SaaS-based SSO service that supports various federation protocols is myOneLogin. Its identity services can be used by developers as a federation hub or gateway service, or simply to provide secure single sign-on to all of the major social media sites such as Facebook, Twitter, LinkedIn and Google Apps.

Another option is deploying a standalone federation server such as Ping Identity Corp.'s PingFederate, which can work with an identity management system you already have in place. PingFederate uses a WS-Trust Security Token Service (STS), which converts the user's local identity into a standard SAML assertion token so that it can be easily shared with SPs and their applications. The Open Web Single Sign-On project (OpenSSO) also provides core identity services, access management, and federation functionality that can be incorporated into Web and J2EE-based applications or services. It is based on the source code for the Sun Federated Access Manager developed by Sun Microsystems Inc.

Added benefits
Single sign-on (SSO) authentication isn't just about curing password fatigue, though. It helps eliminate password resets and help desk calls. Single sign-on has also been shown to increase outsourced application adoption rates as users can more easily sign in and access new services. From a security standpoint, it enables you to give users access to accounts, such as corporate Facebook or Twitter accounts, without having to give them the account and password. This removal of passwords from Internet applications can be a key advantage in terms of regulatory compliance. When an employee leaves, you can remove their access in a few mouse clicks, a great help in protecting your online brand.

Organisations can no longer operate in isolation. Having a clear strategy for distributed identity management is fundamental to ensuring a secure workplace and remaining competitive. Any enterprise trying to manage access to external services by internal users -- and access to its internal systems by external users -- should see that there is a strong case for a federated identity solution. It provides secure access to heterogeneous applications, centralises the management, monitoring and auditing of security credentials and greatly reduces the administrative overhead.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
