
This paper describes the Single Sign-On (SSO) mechanism: how it works and how different protocols are used within it. SSO is a mechanism in which a single authentication action permits an authorized user to access related content.

It allows independent software applications or systems to be accessed without prompting the user to log in again during a session. It also reduces the risk system administrators face in managing users and increases productivity, among other benefits.

Once a user has logged in, the SSO system generates authentication information that is accepted by various systems and applications. SSO can operate within an intranet, an extranet or the Internet. This report focuses on the different methods of SSO and the advantages of adopting the mechanism. It also discusses the implementation of the various forms of SSO and the protocols that are used.

What is Single Sign-On (SSO)?

Definition of Single Sign-On

In today's digital world, users access multiple systems to carry out their daily activities [1]. The Single Sign-On (SSO) mechanism helps solve the problems that come with holding multiple credentials for different applications.

SSO is a mechanism that allows users to authenticate to mobile or web applications with a single username and password, which gives access to multiple applications that use the same authentication provider. The mechanism is used for both authorization and authentication [2]. Authorization is the process of gaining access to a particular resource. Authentication is the process of verifying the user concerned. This deals with the concepts of integrity, confidentiality, availability and non-repudiation. SSO improves user and developer productivity because the user does not have to remember multiple passwords. It also allows easy management of user rights, changes of function and quick integration of applications.

The primary advantage of SSO is that the user does not have to remember separate credentials for each application. The disadvantage is that if a third party gains access to any website integrated with the protocol, the entire system becomes insecure.

In this mechanism, the user registers with the identity provider (IDP) to receive OpenID credentials. When the user wants to access Application A, the application redirects the user to the IDP. If the user then wants to access Web Application B, a request is sent to Web Application B [3]. On receiving the request, Web Application B goes to the identity provider and checks whether the user is active. If the user is found to be active, Web Application B allows access automatically. Other web applications follow the same process. Web Application A does not know what happens in Web Application B, and vice versa.

There are two types of Single Sign-On systems: Simple SSO and Complex SSO.
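The flow described above, as an added sketch that is not part of the original paper: one login at the IDP, then a separate signed assertion for each application. The class names, the token layout and the per-application HMAC key are assumptions made for illustration; deployed protocols such as SAML use asymmetric signatures instead.

```python
import base64, hashlib, hmac, json, secrets, time

class IdentityProvider:
    """Hypothetical IdP: the only party that sees passwords or holds the login session."""
    def __init__(self, users):
        self._users = users      # constructed accounts; plaintext only to keep the sketch short
        self._sessions = {}      # IdP session id -> username
        self._keys = {}          # application name -> key shared with that application only

    def register_app(self, audience):
        self._keys[audience] = secrets.token_bytes(32)
        return self._keys[audience]

    def login(self, user, password):
        stored = self._users.get(user, "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = user
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def issue(self, sid, audience, ttl=60):
        """Signed assertion for one application, or None if the user has no active session."""
        user = self._sessions.get(sid)
        if user is None or audience not in self._keys:
            return None
        body = json.dumps({"sub": user, "aud": audience, "exp": time.time() + ttl}).encode()
        tag = hmac.new(self._keys[audience], body, hashlib.sha256).digest()
        return ".".join(base64.urlsafe_b64encode(p).decode() for p in (body, tag))

class Application:
    def __init__(self, audience, key):
        self.audience, self._key = audience, key

    def accept(self, token):
        """Username if the assertion is authentic, unexpired and addressed to this application."""
        try:
            body, tag = (base64.urlsafe_b64decode(p) for p in token.split("."))
        except ValueError:
            return None
        if not hmac.compare_digest(tag, hmac.new(self._key, body, hashlib.sha256).digest()):
            return None
        claims = json.loads(body)
        if claims["aud"] != self.audience or claims["exp"] < time.time():
            return None
        return claims["sub"]
```

Because each assertion names its audience and is keyed per application, an assertion captured at Application A is useless at Application B, and ending the IDP session stops any further assertions from being issued.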

Advantages and Disadvantages of SSO

Simple SSO – This covers a single authentication authority. It can be implemented within a homogeneous LAN or intranet in which the machines run the same OS and trust the same authentication authority.

Complex SSO – This covers multiple authentication authorities [4]. It is implemented across different platforms governed by different organisations, on either an extranet or the Internet.

Several protocols are used in the SSO mechanism, such as OpenID, BrowserID, Kerberos and SAML.

OpenID is a decentralized authentication scheme for SSO. Users choose a trusted OpenID server with which to register. Three parties are involved in the OpenID mechanism [5]: the Service Provider (SP), the OpenID provider (OP) and the user.

SAML is an XML message format that defines a protocol by which two servers share authentication information [6]. The protocol uses web infrastructure: the XML data moves over HTTP on TCP/IP networks. In SAML, the SP and IDP exchange messages through the user's browser. The IDP validates the user's username and password [7]. If the credentials are found to be correct, it sends back a SAML authentication response.

BrowserID offers a one-time log-in to different websites and services, tied to an e-mail address. The idea is that the user remembers only a single e-mail address instead of different e-mail addresses [8]. Its primary advantages are ease of use, cross-browser implementation, decentralization, security and an improved experience in future browsers. It also respects the privacy of the user. Because BrowserID relies on e-mail addresses, a site can use it without any additional information. BrowserID is an experimental Mozilla Labs project that is new and not yet fully defined [9]. It was developed primarily for the Mozilla browser.
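An added example, not from the original paper, of the checks an SP can apply to the SAML authentication response it receives through the browser, once the XML signature has been verified (signature verification and hardened XML parsing are out of scope here). The function name, result labels and the sample message are assumptions; the element names and namespace URNs are those of SAML 2.0.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample response; every ID, URL and name is made up for this example.
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" ID="_r1"
    InResponseTo="_req42" Destination="https://sp.example/acs">
  <p:Status><p:StatusCode Value="{SUCCESS}"/></p:Status>
  <a:Assertion ID="_a1"><a:Issuer>https://idp.example</a:Issuer>
    <a:Subject><a:NameID>alice@example.org</a:NameID></a:Subject>
    <a:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <a:AudienceRestriction><a:Audience>https://sp.example</a:Audience></a:AudienceRestriction>
    </a:Conditions></a:Assertion></p:Response>"""

def _ts(value):
    # Assumes whole-second UTC timestamps, as in the sample.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, sp_entity_id, acs_url, pending_ids, now):
    """Return (name_id, []) when every check passes, else (None, [reasons]).
    Signature verification must already have succeeded; it is not done here."""
    root = ET.fromstring(xml_text)
    problems = []
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status")             # IDP did not report success
    if root.get("Destination") != acs_url:
        problems.append("destination")        # sent to some other endpoint
    if root.get("InResponseTo") not in pending_ids:
        problems.append("in_response_to")     # unsolicited or replayed
    cond = root.find("a:Assertion/a:Conditions", NS)
    audiences = [] if cond is None else [
        e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience")           # assertion issued for another SP
    try:
        if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
            problems.append("validity_window")
    except (AttributeError, TypeError, ValueError):
        problems.append("validity_window")    # missing or malformed timestamps
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    if name_id is None:
        problems.append("name_id")
    if problems:
        return None, problems
    pending_ids.discard(root.get("InResponseTo"))   # one response per request
    return name_id.text, []
```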

Types of Single Sign-On Systems

Kerberos is an authentication system that was primarily designed by Clifford Neuman and Steve Miller for Project Athena at MIT [10]. Kerberos employs a trusted third party, a middle-man server that is used for authentication. The system is based on the Needham-Schroeder protocol [11]. Kerberos authenticates service requests between trusted hosts across an untrusted network.

The security issues involved in SAML and OpenID are man-in-the-middle attacks, phishing and session-related attacks. Two common forms of phishing attack are Phishing OP Page and Realm Spoofing.

Kerberos faces other forms of attack. In an infrastructure supported by Kerberos, user login credentials are stored on a central server, so each login credential is migrated from the local machines to that server. If an attacker gains access to the central server, the entire infrastructure is put under serious threat.

Conclusion

From the discussion above, it can be concluded that Single Sign-On is an easy and secure process: it reduces each user to one account for different kinds of services, centralizes the management of roles, and reduces the number of passwords by defining access control over resources. The mechanism benefits end users, the help desk and administrators. SSO will gain importance with the emerging need for cloud computing technology to provide different forms of ICT-based services. It also reduces the chances of phishing attacks. Because SSO provides access with a single login, it should be implemented in a highly secure manner. SSO mechanisms have their own strengths and limitations, so each user should carefully evaluate their use within the system, along with the resources available for deployment and management, before choosing an SSO solution; SSO can create a huge vulnerability in the security of an organisation if it is not implemented properly. OpenID in Single Sign-On is used only for authentication. This is used for connecting both authorization and authentication. Additionally, as the number of credentials increases, the chance of losing them also increases. Although there are many kinds of attack on the system, such as man-in-the-middle attacks, session attacks and phishing attacks, improved security within the mechanism can mitigate the impact of such attacks.

References

  • Wang, Guilin, Jiangshan Yu, and Qi Xie. "Security analysis of a single sign-on mechanism for distributed computer networks." IEEE Transactions on Industrial Informatics 9, no. 1 (2013): 294-302.
  • Carbone, Luca Compagna, Jorge Cuéllar, Giancarlo Pellegrino, and Alessandro Sorniotti. "An authentication flaw in browser-based single sign-on protocols: Impact and remediations." Computers & Security 33 (2013): 41-58.
  • Wang, Guilin, Jiangshan Yu, and Qi Xie. "Security analysis of a single sign-on mechanism for distributed computer networks." IEEE Transactions on Industrial Informatics 9, no. 1 (2013): 294-302.
  • Urueña, Manuel, Alfonso Muñoz, and David Larrabeiti. "Analysis of privacy vulnerabilities in single sign-on mechanisms for multimedia websites." Multimedia Tools and Applications 68, no. 1 (2014): 159-176.
  • Tormo, Ginés Dólera, Félix Gómez Mármol, and Gregorio Martínez Pérez. "Towards the integration of reputation management in OpenID." Computer Standards & Interfaces 36, no. 3 (2014): 438-453.
  • Indu, I., PM Rubesh Anand, and Vidhyacharan Bhaskar. "Encrypted Token based Authentication with Adapted Security Assertions Mark-up Language Technology for Cloud Web Services." Journal of Network and Computer Applications (2017).
  • Leitão, Paulo, José Barbosa, Maria-Eleftheria Ch Papadopoulou, and Iakovos S. Venieris. "Standardization in cyber-physical systems: The ARUM case." In Industrial Technology (ICIT), 2015 IEEE International Conference on, pp. 2988-2993. IEEE, 2015.
  • Fett, Daniel, Ralf Küsters, and Guido Schmitz. "An expressive model for the Web infrastructure: Definition and application to the Browser ID SSO system." In Security and Privacy (SP), 2014 IEEE Symposium on, pp. 673-688. IEEE, 2014.
  • Xu, Ya, Nanyu Chen, Addrian Fernandez, Omar Sinno, and Anmol Bhasin. "From infrastructure to culture: A/b testing challenges in large scale social networks." In Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 2227-2236. ACM, 2015.
  • Hidar, Ahmad M. Saeed. "Authentication and Authorization in Cloud Computing Using Kerberos." PhD diss., Universiti Teknologi Malaysia, 2014.
  • Dowdeswell, Roland, and Nicolas Williams. "Negotiation of Extra Security Context Tokens for Kerberos V5 Generic Security Services Mechanism." (2014).
  • Armando, A., Carbone, R., Compagna, L., Cuéllar, J., Pellegrino, G., & Sorniotti, A. (2013). An authentication flaw in browser-based single sign-on protocols: Impact and remediations. Computers & Security, 33, 41-58.
Cite This Work

My Assignment Help. (2021). Single Sign-On (SSO) Mechanism: An Introduction. Retrieved from https://myassignmenthelp.com/free-samples/co4510-advanced-topics-in-it-security/mechanism-of-single-sign-on.html.

"Single Sign-On (SSO) Mechanism: An Introduction." My Assignment Help, 2021, https://myassignmenthelp.com/free-samples/co4510-advanced-topics-in-it-security/mechanism-of-single-sign-on.html.

My Assignment Help (2021) Single Sign-On (SSO) Mechanism: An Introduction [Online]. Available from: https://myassignmenthelp.com/free-samples/co4510-advanced-topics-in-it-security/mechanism-of-single-sign-on.html
[Accessed 24 April 2024].

My Assignment Help. 'Single Sign-On (SSO) Mechanism: An Introduction' (My Assignment Help, 2021) <https://myassignmenthelp.com/free-samples/co4510-advanced-topics-in-it-security/mechanism-of-single-sign-on.html> accessed 24 April 2024.

My Assignment Help. Single Sign-On (SSO) Mechanism: An Introduction [Internet]. My Assignment Help. 2021 [cited 24 April 2024]. Available from: https://myassignmenthelp.com/free-samples/co4510-advanced-topics-in-it-security/mechanism-of-single-sign-on.html.

Get instant help from 5000+ experts for
question

Writing: Get your essay and assignment written from scratch by PhD expert

Rewriting: Paraphrase or rewrite your friend's essay with similar meaning at reduced cost

Editing: Proofread your work by experts and improve grade at Lowest cost

loader
250 words
Phone no. Missing!

Enter phone no. to receive critical updates and urgent messages !

Attach file

Error goes here

Files Missing!

Please upload all relevant files for quick & complete assistance.

Plagiarism checker
Verify originality of an essay
essay
Generate unique essays in a jiffy
Plagiarism checker
Cite sources with ease
support
Whatsapp
callback
sales
sales chat
Whatsapp
callback
sales chat
close