
Single Sign-on Authentication for Web Applications

ISM 6211









Instructor: Ryan Labrie
By Pooja Gandhi





ABSTRACT
Initially, an enterprise with multiple websites used to have a different authentication for each
website. Because of this, users tended to forget their passwords or set low-complexity
passwords. This kind of user behavior leads to a security risk. To overcome this problem a
solution called single sign-on was developed. By using this solution security can be improved, as
users don't have to remember many usernames and passwords. Single sign-on provides users
the convenience of authenticating once to access applications hosted on multiple machines. In
addition, SSO provides the enterprise the ability to centralize authentication administration and
management. However, the implementation of SSO requires many new applications,
devices and authentication methods. In this way, though the general issue gets clarified and
simple, SSO's integration in the IT environment can become complicated. Although there are
some downsides to this system, the benefits overcome them.


KEY WORDS

Web Single Sign-On, Web Identity Management, Authentication, OpenID, InfoCard








INTRODUCTION

In the beginning computers were standalone machines with physical access control to decide
who may access the data stored within the computing environment. It became a necessity to
develop the multi-user environment with the arrival of terminal connections to mainframes.
Then simple access control solutions were developed to access various resources. This
worked well with a plain user ID/password pair in order to log in to systems, because there were
only a limited number of computers and users. In time, local area networks began to connect
the computers to each other, resulting in multiple systems that require authentication. Today,
with the internet and global connectivity to various computing systems, together with the
abundance of computers in a typical corporate network, the number of different user IDs and
passwords has grown tremendously. Most organizations experience a major security problem:
an abundance of applications and systems that require individual user authentication. Also,
every user has to change their passwords at least twice a year, and the passwords are made
long and difficult to remember because well-administered computer systems enforce strict password
quality requirements, so they can be easily misplaced or forgotten. It also consumes precious
working time when one has to log in to multiple systems manually, because it requires some
seconds to remember and type in the user ID/password combination on each system when
access is needed. Another problem with multiple computer systems is that of management.
When the number of systems and users grows, the task of keeping track of authorized users and
the termination of no-longer-authorized persons becomes unbearable without good tools to
automate the process of adding users to and deleting users from all of these systems. A single
sign-on infrastructure provides a solution to these two problems. Single sign-on is an enabling
technology for reducing the number of passwords one has to use daily when using
heterogeneous computing platforms and services. One may think of single sign-on as a safe that
holds the keys to all other resources that one needs to access. In this paper single sign-on
authentication, common single sign-on architectures with examples, and benefits and critics of
single sign-on authentication are described (Todorov, 2007).

BACKGROUND INFORMATION


Figure: Multi-system, multi-device, multi-identity proliferation (Cohen, 2010)


As per the introduction above, users are increasing day by day. Up to the 1990s there were a limited number of
users and limited computers, but now it is a typical corporate network. People can access a
myriad of system applications via devices such as computers, laptops, mobile phones and PDAs on a daily
basis and from anywhere. Also, technology is growing at such a tremendous speed that these devices are
increasing day by day. Competition between companies plays a vital role in the invention of new things.
People can get better and better services and advanced technology. From the above graph the new
trend of technology can be easily imagined: the number of applications makes users deal with a number
of accounts and passwords nowadays. With the increasing number of passwords their effectiveness is
decreased. Single sign-on authentication is the best way to overcome this problem (Cohen, 2010).
SINGLE SIGN-ON
Single Sign-On Authentication is the process by which a computer system confirms the identity
of an individual, usually based on a name and password. Single sign-on (SSO) is a specialized
form of authentication that allows a user to authenticate once in a particular system and then
gain access to multiple systems and services. Single sign-on relieves the burden on the
user of having to enter authentication information multiple times (e.g. once for every service
accessed). In addition, single sign-on facilitates the application of a consistent authentication
policy across a domain based on centralized management of authentication (The Open Group,
2010).
Authentication types available for SSO (Todorov, 2007)
The use of plain username and password combinations has been the most common method of
authentication. It is an outdated, insecure method but easy to implement, with minimal
requirements on the user terminals with regard to equipment and software.

1. Basic authentication means a plaintext username/password pair which is entered into
a dialogue box or a form, or prompted for. Then the textual information is
checked against a database of correct answers, which one stores in plaintext or in some
hashed form in a text file or in a database within the authorization system. If the
password matches the one stored in its internal password database, the user is granted
access to the server.
2. Digest access authentication verifies that both communicating parties share a password.
Unlike basic authentication, this verification can be done without sending the
password unscrambled, which is the biggest drawback of basic authentication. In digest
authentication only hashes of the password are transported over the internet instead of
a plaintext password.
3. OTP (One Time Password) authentication is a special case of basic authentication where
the password changes every time one authenticates to a service and none of the
passwords are reusable. This OTP token method is more secure and effective at
prohibiting unauthorized access than other authentication methods.
4. Public-key Certificate (PKC) based authentication is a cryptographically augmented
process of exchanging data encrypted with a person's public key, which can only be
decrypted by the corresponding private key of the said person.
5. The next method to provide Single Sign On is using the Kerberos Protocol. This is where
a user authenticates to an authentication server that creates a token (or ticket). This
token is then sent to the application, which can recognize (or trust) the token, and the
user is granted access.
6. In Smart card based authentication the user's credentials are re-entered without
prompting the user. Smart card-based single sign-on can either use certificates or passwords
stored on the smart card.
7. Integrated Windows Authentication (IWA) is used in all Microsoft products for
authentication purposes since Windows 2000. IWA uses the Kerberos and NTLM protocols to
authenticate with SSPI.
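The three password-based methods above (basic, digest and OTP) differ mainly in what actually crosses the network and what the server has to store. The following Python example is added here to make that concrete; it is not code from the paper or from any product it mentions. The realm name, user names, passwords and nonce are constructed values. The basic check compares the received plaintext password against a salted PBKDF2 hash, the digest check follows the RFC 2617 MD5 construction (HA1/HA2/response) so that only hashes are transmitted, and the OTP check implements RFC 4226 HOTP with a counter that advances so a code can never be accepted twice.

```python
"""Added example (not from the paper): server-side checks for the three
password-based schemes described above. REALM, users, passwords, salts and
the nonce are constructed for illustration."""
import hashlib
import hmac
import os
from typing import Optional

REALM = "example-sso"  # constructed realm for the Digest example


def _md5(s: str) -> str:
    # MD5 is used only because HTTP Digest (RFC 2617) is defined with it.
    return hashlib.md5(s.encode()).hexdigest()


# --- 1. Basic authentication: the password itself arrives, so store only a hash ---
def make_password_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a salted PBKDF2-SHA256 hash, never the plaintext password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "hash": digest}


def check_basic(record: dict, password: str) -> bool:
    """Basic auth: recompute the hash of the received password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    return hmac.compare_digest(candidate, record["hash"])


# --- 2. Digest authentication: only hashes cross the network ---
def ha1(username: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server may store HA1 instead of the password."""
    return _md5(f"{username}:{REALM}:{password}")


def digest_response(username: str, password: str, method: str, uri: str, nonce: str) -> str:
    """What the client sends: MD5(HA1:nonce:HA2) where HA2 = MD5(method:uri)."""
    h2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1(username, password)}:{nonce}:{h2}")


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str, response: str) -> bool:
    """Server side: recompute the expected response from the stored HA1 and the server's nonce."""
    h2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{h2}")
    return hmac.compare_digest(expected, response)


# --- 3. One-time passwords: RFC 4226 HOTP, each code usable only once ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(state: dict, secret: bytes, code: str, window: int = 3) -> bool:
    """Accept a code within a small look-ahead window of the stored counter, then
    advance the counter past it so the same code is never accepted again."""
    for c in range(state["counter"], state["counter"] + window):
        if hmac.compare_digest(hotp(secret, c), code):
            state["counter"] = c + 1
            return True
    return False


if __name__ == "__main__":
    rec = make_password_record("s3cret")
    print("basic ok:", check_basic(rec, "s3cret"), "wrong:", check_basic(rec, "wrong"))
    nonce = "constructed-nonce-1"
    resp = digest_response("alice", "s3cret", "GET", "/app", nonce)
    print("digest ok:", verify_digest(ha1("alice", "s3cret"), "GET", "/app", nonce, resp))
    st = {"counter": 0}
    print("otp first use:", verify_otp(st, b"12345678901234567890", "755224"),
          "replay:", verify_otp(st, b"12345678901234567890", "755224"))
```

The digest example shows why the paper calls the cleartext password the biggest drawback of basic authentication: the response is bound to the method, URI and server nonce, so capturing it yields neither the password nor a reusable credential for another request. The OTP verifier's counter update is what delivers the "none of the passwords are reusable" property.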
Single Sign-on Architecture
The most common single sign-on architecture is token-based SSO. In token-based SSO the user
provides their username and password to the authentication server the first time, for
authentication and to obtain a token which will allow them to access a specific resource on the
server. Once the token has been obtained from the server, the user can offer this token to the
server in subsequent requests (without passing username and password), which grants access
to a specific resource for a time period, i.e. until the token expires. Token-based SSO is quite nicely
described in the following figure (Hui & Ting, 2003).
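The token exchange just described has two halves: the authentication server checks the credential once and issues a time-limited token, and a resource server later accepts that token instead of a password. The Python example below is added to show both halves end to end; it is not code from the paper or from the Hui and Ting protocol it cites. The shared signing key, the user store and the fixed timestamps are constructed for the example, and the token format (base64 JSON claims plus an HMAC-SHA256 tag) is an illustrative design, not a standard.

```python
"""Added example (not from the paper): a minimal token-based SSO flow.
SIGNING_KEY, USERS, _SALT and the timestamps are constructed values."""
import base64
import binascii
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-shared-secret-for-the-example"  # known to auth and resource servers
TOKEN_LIFETIME = 300  # seconds until an issued token expires

# Constructed user store: username -> salted PBKDF2 hash (the password itself is never stored).
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(payload: bytes) -> str:
    """HMAC-SHA256 tag over the serialized claims."""
    return _b64(hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest())


def authenticate(username: str, password: str, now=None):
    """Step 1 (authentication server): check the password once and issue a token, or None."""
    now = time.time() if now is None else now
    stored = USERS.get(username)
    # Always run the hash so unknown and known usernames take the same time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    claims = {"sub": username, "aud": "app", "exp": int(now) + TOKEN_LIFETIME}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(payload)}.{sign(payload)}"


def verify_token(token: str, audience: str = "app", now=None):
    """Step 2 (resource server): validate signature, audience and expiry on a later request.
    Returns the authenticated subject, or None. The password is never seen here."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = _unb64(body)
    except (ValueError, binascii.Error):
        return None  # malformed token
    if not hmac.compare_digest(sign(payload), sig):
        return None  # forged or tampered claims
    claims = json.loads(payload)
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None  # meant for another service, or expired
    return claims["sub"]


if __name__ == "__main__":
    t0 = int(time.time())
    token = authenticate("alice", "correct horse", now=t0)
    print("issued:", token)
    print("subject on request 1:", verify_token(token, now=t0 + 10))
    print("after expiry:", verify_token(token, now=t0 + TOKEN_LIFETIME + 1))
```

Two points a practitioner would check in any real token-based SSO deployment are visible here: the resource server rejects tokens whose signature, audience or expiry does not match, and the expiry is what bounds the "time period" the text mentions, so a token captured from one request stops working on its own without any revocation step.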


Figure: SSO Token-based Architecture (Clercq, 2002)

Examples of Token-based SSO

The best examples of token-based SSO are Google Account and Live ID. Google Account is being
used by all Google apps and other third-party applications. When the user provides their username and
password to the Google server, it authenticates against the Google authentication server and then
returns a token and redirects the user to the web application based on their permission. Google's web
application authentication system is visually described in the following figure (Google Apps
Authentication system). Windows Live ID (previously known as Passport Account) also works on the
same principle. Live ID is also described in a figure (Live ID Authentication) (Google Inc, 2008)
(Oppliger, 2004).


Figure: Google Apps Authentication system (Google, 2011)






Figure: Live ID Authentication System (Microsoft, 2011)



BENEFITS

1. Cost Reduction for the User Help Desk: If users have to maintain different accounts for
each application they access, it can be difficult to keep track of passwords. This can
result in system lockouts and lost productivity, and it can generate unnecessary help desk
calls, which tend to be password reset service requests (FinallySecure, 2009).
2. Greater user productivity and experience: Because of SSO, users can access business
systems faster. Users who can sign in once feel better about their transaction
experience than users who must log in multiple times with many different IDs and
passwords (FinallySecure, 2009).
3. Mitigate the risk around password handling: Users that are required to keep track of
numerous passwords tend to write down the passwords, which can create an additional
security problem. In the worst case users have been known to write their passwords on
post-it notes and paste them to their displays. To mitigate this security risk, the number of
passwords that a user is required to remember should be reduced (Liou, 2007)
(FinallySecure, 2009).
4. Centralized access control and centralized audit log management: Centralized access
control and logging functions are useful to the overall organization for the purpose of
adhering to regulatory compliance initiatives. Without these functions more workload
is required to maintain the appropriate levels of security and compliance control (Liou,
2007).
5. Keep confidentiality and integrity on the communication channel between client and
server: Typical Web single sign-on products use a reverse proxy which is placed
between the browser client and the Web application server. Even if the Web application
server has no SSL capability, a reverse proxy component can provide SSL capability
between the client and the reverse proxy. This function provides secure communication
between the client and the data center (Todorov, 2007).
6. Faster application deployment: With the deployment of a superior SSO and security
system, developers are allowed to call out to external security services. Security no
longer has to be coded into each application. As a result a company can get new
applications to market quickly and can later update application business logic and
enhance security much more efficiently (Liou, 2007).
CRITICS

1. Single sign-on helps reduce administrative tasks, but on the other hand it also makes it
difficult for security administrators to protect corporate assets (Herzberg & Jbara, 2008).
2. Since SSO requires only a single username and password, a hacker or disgruntled employee
needs only a single ID/password pair to access all of a user's data and all of the
corporate data to which that user has access (Herzberg & Jbara, 2008).
3. Weak Passwords: In this type people choose weak, "guessable" passwords, which makes
their accounts susceptible to relatively simple guessing attacks; this kind of attack
is called a "dictionary attack" (Jung & Jung, 2006).
4. Embedded Login Forms: SSO sometimes uses embedded login forms, which actually
take the username and password in clear text and then pass them to the SSO service provider. This
kind of implementation has huge vulnerabilities (Jung & Jung, 2006).

CONCLUSION

In conclusion, the benefits of Single Sign-On Authentication are abundant. Organizations can
easily share identity information, and security is improved by eliminating the possibility of
shared accounts. User experience is enhanced by eliminating additional usernames and
passwords, which allows fewer help desk calls and lower administrative costs.
LIMITATION OF THIS RESEARCH AND AVENUE FOR FUTURE RESEARCH

Single Sign-On Authentication is not easy. It has advanced from a simple automation tool to one
that contains a variety of management and security disciplines. Therefore enterprises have to
find out the better single sign-on authentication which meets their requirements. Since single
sign-on uses a single username/password, there are some enhancements/research required
which can eliminate frequent use of the username/password (Dhamija, Tygar & Hearst, 2006).
Designing an identity-enabled web browser could be an answer, but it is hard to implement. It must
not require that any special software be installed on end-user computers or require users to
manage public/secret keys or X.509 certificates for performing cryptographic operations. There
are currently over a billion copies of "OpenID key" available, so the solution should be backward
compatible. How to design a usable login UI and login interaction flow for web users is still an
open problem that ongoing single sign-on research is attempting to address ((OpenID, 2009)
(Sachs, 2008)). There is always a compromise between ease of use, security and complexity of
administration; no product will give all the things together!!


REFERENCES

1. Clercq, J. D. (2002). Single sign-on architecture. Retrieved from
www.esat.kuleuven.be/cosic/seminars/slides/sso.pdf
2. Cohen, E. B. (2010). Information in motion (Vol. 7, p. 162). Santa Rosa, CA:
Informing Science Press.
3. Dhamija, R., Tygar, J., & Hearst, M. (2006). Why phishing works (pp. 581-590). New
York, NY: ACM. Retrieved from http://dl.acm.org/citation.cfm?id=1124861
4. FinallySecure (2009). Already working or still authenticating again, again and
again? Retrieved from
http://www.finallysecure.com/html/fileadmin/files/pdfs/WPs/FinallySecure_Whitepaperr_SecureSignOn_En.pdf
5. Google Inc. (2008). AuthSub for web applications. Retrieved from
http://code.google.com/apis/accounts/docs/AuthSub.html
6. Google (2011). OpenID federated login service for Google Apps. Retrieved from
http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html
7. Herzberg, A., & Jbara, A. (2008). Security and identification indicators for browsers
against spoofing and phishing attacks. ACM Transactions on Internet
Technology, 8(4).
8. Hui, L., & Ting, S. (2003). A token-based single sign-on protocol. Computational
Intelligence and Security, 2(3802), 180-183.
9. Jung, S. W., & Jung, S. (2006). Secure password authentication for distributed
computing. Computational Intelligence and Security, (4436), 491-501.
10. Liou, M. (2007, August). Enterprise single sign-on best practice considerations.
Retrieved from
http://www.ca.com/files/whitepapers/enterprise_sso_best_practice_wp.pdf
11. Microsoft (2011). Architectural overview of Windows Live ID for client applications.
Retrieved from http://msdn.microsoft.com/en-us/library/bb404797.aspx
12. OpenID, W. (2009). User experience loose ends. Retrieved from
http://wiki.openid.net/w/page/12993244/User Experience loose ends
13. Oppliger, R. (2004). Microsoft .NET Passport and identity management. Information
Security Technical Report, 9(1), 26-34.
14. Sachs, E. (2008, September 18). Google's internet identity research. Retrieved from
https://sites.google.com/site/oauthgoog/UXFedLogin
15. The Open Group (2010). Introduction to single sign-on. Retrieved from
http://www.opengroup.org/security/sso/sso_intro.htm
16. Todorov, D. (2007). Mechanics of user identification and authentication (pp. 001-
064). New York, NY: Auerbach Publications.
