Single Sign-On Mechanism: Working, Types of Protocols and Security Issues
VerifiedAdded on 2023/05/27
|3
|2266
|349
AI Summary
This paper discusses about the description based on the topic of Single Sign-On (SSO) mechanism. The paper discusses about the working mechanism of SSO and the ways in which different protocols would be used within the SSO mechanism. SSO could be defined as a form of mechanism that would make use of single kind of action based on authentication in order to permit any authorized user for gaining access to related content.
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
Single Sign-on Mechanism
2nd Author
2nd author's affiliation
1st line of address
2nd line of address
Telephone number, incl. country code
2nd E-mail
ABSTRACT
This paper discusses about the description based on the topic of
Single Sign-On (SSO) mechanism. The paper discusses about
the working mechanism of SSO and the ways in which different
protocols would be used within the SSO mechanism. SSO could
be defined as a form of mechanism that would make use of
single kind of action based on authentication in order to permit
any authorized user for gaining access to related content. This
kind of mechanism helps the independent software applications
or systems to be accessed without prompting the user to log in
during any particular session. This kind of mechanism helps in
reducing the risk for system administrators for managing the
users, increase their productivity and many others. Once,
particular user would have logged in, the SSO system would
generate an information based on authentication that would be
accepted by various systems and applications. The main concept
of SSO would be based within an Intranet, Internet or Extranet.
This report mainly focuses on the different methods of SSO and
the different advantages based on the adoption of such
mechanism. The report also discusses about the implementation
of the various forms of SSO and the different protocols, which
have been used.
Keywords
Single Sign-On, Open ID Provider, Relying Party, BrowserID,
Kerberos
1. INTRODUCTION
1.1 Definition of Single Sign-On
In the present active digital world, different users would have
access to multiple systems in order to conduct their daily
activities [1]. Single Sign-On (SSO) mechanism could help in
solving different problems in relation with multiple credentials
based on different applications.
The SSO could be defined as a mechanism, which would allow
the users for authenticating mobile or web applications with a
single username and password. This would be helpful for
permitting access to multiple applications that would employ the
same authentication provider. This mechanism is used for the
purpose of authorization and authentication [2]. Authorization is
defined as a process based on gaining access to a particular
resource. Authentication helps in defining the process based on
verification of the concerned user. This deals with the concept
of integrity, confidentiality, availability and non-repudiation.
SSO helps in improving the user and developer productivity
based on avoiding the user in order to remember multiple
passwords. SSO would allow the easy form of management of
the user rights, changing of function and quick integration of
applications.
The primary advantage of SSO is that the concerned user would
not have to remember based on the credentials of the entire set
of applications in a separate manner. The disadvantage of using
SSO mechanism is that is the third party user would gain access
to any website that would be integrated with some kind of
protocols, then the entire systems would become insecure for
use.
1.2 Mechanism of Single Sign-On
In this kind of mechanism, the user would register themselves
within the IDP in order to receive the Open ID credentials. At
this point, the user would want to access the Application A. This
application would thus redirect the user to the IDP. If the user
would want the access to the Web Application B, then it would
send a request to the Web Application B [3]. Based on the
receiving the request, the user would go to the identity provider
and would check whether the user is active or not. If the user
would be found to be active, then the Web Application B would
allow the user to access it in an automatic manner. In a similar
process, the different other web applications would also follow
the similar process. The Web Application A would not know
about the processes that would happen in Web Application B
and vice-versa.
1.3 Types of Single Sign-On
There are two types of Single Sign-On systems. These include
Simple SSO and Complex SSO.
Single SSO – This would cover the aspect of single authority of
authentication. This kind of mechanism could be implemented
within the homogeneous LAN and intranet in which the
machines would be running on the same OS and would be
trusting the same authority of authentication.
Complex SSO – This kind of mechanism would be able to cover
the different authorities of authentication [4]. This would be
implemented within different platforms and thus would entirely
be governed based on different organisations. This could be
implemented on either Extranet or Internet.
2. Different Types of Protocols
There are different kinds of protocols that are used in SSO
mechanism such as OpenID, BrowserID, Kerberos and SAML.
2.1 OpenID
The mechanism of OpenID could be defined as a decentralized
scheme of authentication for the SSO mechanism. These type of
users would be able to choose a trusted form of OpenID server
in order to register themselves. Three kind of parties are
involved within the OpenID mechanism [5]. These include the
Service Provider (SP), the OpenID provider (OP) and the user.
2nd Author
2nd author's affiliation
1st line of address
2nd line of address
Telephone number, incl. country code
2nd E-mail
ABSTRACT
This paper discusses about the description based on the topic of
Single Sign-On (SSO) mechanism. The paper discusses about
the working mechanism of SSO and the ways in which different
protocols would be used within the SSO mechanism. SSO could
be defined as a form of mechanism that would make use of
single kind of action based on authentication in order to permit
any authorized user for gaining access to related content. This
kind of mechanism helps the independent software applications
or systems to be accessed without prompting the user to log in
during any particular session. This kind of mechanism helps in
reducing the risk for system administrators for managing the
users, increase their productivity and many others. Once,
particular user would have logged in, the SSO system would
generate an information based on authentication that would be
accepted by various systems and applications. The main concept
of SSO would be based within an Intranet, Internet or Extranet.
This report mainly focuses on the different methods of SSO and
the different advantages based on the adoption of such
mechanism. The report also discusses about the implementation
of the various forms of SSO and the different protocols, which
have been used.
Keywords
Single Sign-On, Open ID Provider, Relying Party, BrowserID,
Kerberos
1. INTRODUCTION
1.1 Definition of Single Sign-On
In the present active digital world, different users would have
access to multiple systems in order to conduct their daily
activities [1]. Single Sign-On (SSO) mechanism could help in
solving different problems in relation with multiple credentials
based on different applications.
The SSO could be defined as a mechanism, which would allow
the users for authenticating mobile or web applications with a
single username and password. This would be helpful for
permitting access to multiple applications that would employ the
same authentication provider. This mechanism is used for the
purpose of authorization and authentication [2]. Authorization is
defined as a process based on gaining access to a particular
resource. Authentication helps in defining the process based on
verification of the concerned user. This deals with the concept
of integrity, confidentiality, availability and non-repudiation.
SSO helps in improving the user and developer productivity
based on avoiding the user in order to remember multiple
passwords. SSO would allow the easy form of management of
the user rights, changing of function and quick integration of
applications.
The primary advantage of SSO is that the concerned user would
not have to remember based on the credentials of the entire set
of applications in a separate manner. The disadvantage of using
SSO mechanism is that is the third party user would gain access
to any website that would be integrated with some kind of
protocols, then the entire systems would become insecure for
use.
1.2 Mechanism of Single Sign-On
In this kind of mechanism, the user would register themselves
within the IDP in order to receive the Open ID credentials. At
this point, the user would want to access the Application A. This
application would thus redirect the user to the IDP. If the user
would want the access to the Web Application B, then it would
send a request to the Web Application B [3]. Based on the
receiving the request, the user would go to the identity provider
and would check whether the user is active or not. If the user
would be found to be active, then the Web Application B would
allow the user to access it in an automatic manner. In a similar
process, the different other web applications would also follow
the similar process. The Web Application A would not know
about the processes that would happen in Web Application B
and vice-versa.
1.3 Types of Single Sign-On
There are two types of Single Sign-On systems. These include
Simple SSO and Complex SSO.
Single SSO – This would cover the aspect of single authority of
authentication. This kind of mechanism could be implemented
within the homogeneous LAN and intranet in which the
machines would be running on the same OS and would be
trusting the same authority of authentication.
Complex SSO – This kind of mechanism would be able to cover
the different authorities of authentication [4]. This would be
implemented within different platforms and thus would entirely
be governed based on different organisations. This could be
implemented on either Extranet or Internet.
2. Different Types of Protocols
There are different kinds of protocols that are used in SSO
mechanism such as OpenID, BrowserID, Kerberos and SAML.
2.1 OpenID
The mechanism of OpenID could be defined as a decentralized
scheme of authentication for the SSO mechanism. These type of
users would be able to choose a trusted form of OpenID server
in order to register themselves. Three kind of parties are
involved within the OpenID mechanism [5]. These include the
Service Provider (SP), the OpenID provider (OP) and the user.
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
2.2 SAML (Security Assertion Mark-Up
Language)
SAML is defined as a XML message format that would be able
to define a form of protocol specification in which two servers
would need to share the information about authentication [6].
The protocol makes use of web infrastructure in which the XML
data would move over HTTP protocols on the TCP/IP networks.
IN SAML, the SP and IDP would be able to exchange messages
with the help of the browser of the user. The IDP would validate
the username and password of the particular user [7]. If the
credentials would found to be correct, then it would send back a
response of SAML authentication.
2.3 BrowserID
The BrowserID would be able to offer a one-time log-in to
different websites and services based on the connection by an e-
mail address. The primary idea is that the user would only
remember only a single e-mail address instead of different e-
mail addresses [8]. The primary advantages of BrowserID is
based on the ease of use, cross-browser implementation,
decentralized, secure and an improved form of experience based
on future browsers. This would also respect the privacy of the
concerned user. BrowserID would employ the email addresses
that would allow a site to make use of BrowserID without the
help of any kind of additional information. BrowserID is one of
the experimental version of Mozilla Labs, which is a new and
not fully-defined and incompletely defined service [9]. This is
primarily developed for Mozilla browser.
2.4 Kerberos
This is defined as an authentication system that was primarily
designed by Clifford Neuman and Steve Miller. The project was
targeted for Project Athena in MIT [10]. Kerberos employs a
trusted third party or would call for a middle-man server that
would be employed for the purpose of authentication. This form
of authentication system would be entirely based on Needham-
Schroeder protocol [11]. Kerberos is a kind of protocol that
would be based between trusted hosts within the untrusted
network based on different kinds of authenticating service
requests.
3. Issues of Security based on Protocols
used within Single Sign-On
The different kind of security issues that would be involved in
SAML and Open ID are Man-in-the-Middle attack, Phishing and
Session-related attacks. Two common forms of phishing attacks
are: Phishing OP Pagewhere and Realm Spoofing.
The other forms of phishing attacks within Kerberos are: In the
infrastructure supported by Kerberos, the credentials of the user
login would be stored within the central server. Hence, it would
be able to migrate each of the login credentials from local
machines into the centrally located server. If an attacker would
gain access to the centrally located server then the entire
infrastructure would be put under serious threat.
4. Conclusion
Based on the discussion from the above research paper, it could
be concluded that Single Sign-On would be an easy and secure
process based on the reduction of one account per user for
different kinds of services, centrally management of roles,
number of passwords based on defining of resources in order to
access control. This mechanism would prove to be beneficial for
the end-users, help-desk and administrators. SSO would be able
to gain much form of importance with the emerging need of
cloud computing technology based on providing different forms
of ICT based services. It would also reduce the chances of
attacks based on phishing. As SSO provides access only with a
single login, hence it should be implemented in a highly secure
manner. The mechanism of SSO possesses their own strengths
and limitations. Hence, each user should be able to carefully
estimate the use within the system. The resources available for
the deployment and management before the choice of SSO
solution would be able to create a huge kind of vulnerability
within the security of an organisation but it would not be
implemented properly. OpenID in Single Sign-On would only be
used for the purpose of authentication. This is used for the
purpose of connecting for both of authorization and
authentication. Additionally, if the amount of credentials
increase, the amount of losing them would also be increased.
Although there many kinds of attacks within the system such as
man-in-the-middle attacks, session attacks and phishing attacks
still the improved form of security within the mechanism would
be able to mitigate the impact of such kind of attacks.
5. REFERENCES
[1] Wang, Guilin, Jiangshan Yu, and Qi Xie. "Security analysis
of a single sign-on mechanism for distributed computer
networks." IEEE Transactions on Industrial Informatics 9,
no. 1 (2013): 294-302.
[2] Carbone, Luca Compagna, Jorge Cuéllar, Giancarlo
Pellegrino, and Alessandro Sorniotti. "An authentication
flaw in browser-based single sign-on protocols: Impact and
remediations." Computers & Security 33 (2013): 41-58.
[3] Wang, Guilin, Jiangshan Yu, and Qi Xie. "Security analysis
of a single sign-on mechanism for distributed computer
networks." IEEE Transactions on Industrial Informatics 9,
no. 1 (2013): 294-302.
[4] Urueña, Manuel, Alfonso Muñoz, and David Larrabeiti.
"Analysis of privacy vulnerabilities in single sign-on
mechanisms for multimedia websites." Multimedia Tools
and Applications 68, no. 1 (2014): 159-176.
[5] Tormo, Ginés Dólera, Félix Gómez Mármol, and Gregorio
Martínez Pérez. "Towards the integration of reputation
management in OpenID." Computer Standards &
Interfaces36, no. 3 (2014): 438-453.
[6] Indu, I., PM Rubesh Anand, and Vidhyacharan Bhaskar.
"Encrypted Token based Authentication with Adapted
Security Assertions Mark-up Language Technology for
Cloud Web Services." Journal of Network and Computer
Applications(2017).
[7] Leitão, Paulo, José Barbosa, Maria-Eleftheria Ch
Papadopoulou, and Iakovos S. Venieris. "Standardization in
cyber-physical systems: The ARUM case." In Industrial
Technology (ICIT), 2015 IEEE International Conference
on, pp. 2988-2993. IEEE, 2015.
[8] Fett, Daniel, Ralf Küsters, and Guido Schmitz. "An
expressive model for the Web infrastructure: Definition and
application to the Browser ID SSO system." In Security and
Privacy (SP), 2014 IEEE Symposium on, pp. 673-688.
IEEE, 2014.
Language)
SAML is defined as a XML message format that would be able
to define a form of protocol specification in which two servers
would need to share the information about authentication [6].
The protocol makes use of web infrastructure in which the XML
data would move over HTTP protocols on the TCP/IP networks.
IN SAML, the SP and IDP would be able to exchange messages
with the help of the browser of the user. The IDP would validate
the username and password of the particular user [7]. If the
credentials would found to be correct, then it would send back a
response of SAML authentication.
2.3 BrowserID
The BrowserID would be able to offer a one-time log-in to
different websites and services based on the connection by an e-
mail address. The primary idea is that the user would only
remember only a single e-mail address instead of different e-
mail addresses [8]. The primary advantages of BrowserID is
based on the ease of use, cross-browser implementation,
decentralized, secure and an improved form of experience based
on future browsers. This would also respect the privacy of the
concerned user. BrowserID would employ the email addresses
that would allow a site to make use of BrowserID without the
help of any kind of additional information. BrowserID is one of
the experimental version of Mozilla Labs, which is a new and
not fully-defined and incompletely defined service [9]. This is
primarily developed for Mozilla browser.
2.4 Kerberos
This is defined as an authentication system that was primarily
designed by Clifford Neuman and Steve Miller. The project was
targeted for Project Athena in MIT [10]. Kerberos employs a
trusted third party or would call for a middle-man server that
would be employed for the purpose of authentication. This form
of authentication system would be entirely based on Needham-
Schroeder protocol [11]. Kerberos is a kind of protocol that
would be based between trusted hosts within the untrusted
network based on different kinds of authenticating service
requests.
3. Issues of Security based on Protocols
used within Single Sign-On
The different kind of security issues that would be involved in
SAML and Open ID are Man-in-the-Middle attack, Phishing and
Session-related attacks. Two common forms of phishing attacks
are: Phishing OP Pagewhere and Realm Spoofing.
The other forms of phishing attacks within Kerberos are: In the
infrastructure supported by Kerberos, the credentials of the user
login would be stored within the central server. Hence, it would
be able to migrate each of the login credentials from local
machines into the centrally located server. If an attacker would
gain access to the centrally located server then the entire
infrastructure would be put under serious threat.
4. Conclusion
Based on the discussion from the above research paper, it could
be concluded that Single Sign-On would be an easy and secure
process based on the reduction of one account per user for
different kinds of services, centrally management of roles,
number of passwords based on defining of resources in order to
access control. This mechanism would prove to be beneficial for
the end-users, help-desk and administrators. SSO would be able
to gain much form of importance with the emerging need of
cloud computing technology based on providing different forms
of ICT based services. It would also reduce the chances of
attacks based on phishing. As SSO provides access only with a
single login, hence it should be implemented in a highly secure
manner. The mechanism of SSO possesses their own strengths
and limitations. Hence, each user should be able to carefully
estimate the use within the system. The resources available for
the deployment and management before the choice of SSO
solution would be able to create a huge kind of vulnerability
within the security of an organisation but it would not be
implemented properly. OpenID in Single Sign-On would only be
used for the purpose of authentication. This is used for the
purpose of connecting for both of authorization and
authentication. Additionally, if the amount of credentials
increase, the amount of losing them would also be increased.
Although there many kinds of attacks within the system such as
man-in-the-middle attacks, session attacks and phishing attacks
still the improved form of security within the mechanism would
be able to mitigate the impact of such kind of attacks.
5. REFERENCES
[1] Wang, Guilin, Jiangshan Yu, and Qi Xie. "Security analysis
of a single sign-on mechanism for distributed computer
networks." IEEE Transactions on Industrial Informatics 9,
no. 1 (2013): 294-302.
[2] Carbone, Luca Compagna, Jorge Cuéllar, Giancarlo
Pellegrino, and Alessandro Sorniotti. "An authentication
flaw in browser-based single sign-on protocols: Impact and
remediations." Computers & Security 33 (2013): 41-58.
[3] Wang, Guilin, Jiangshan Yu, and Qi Xie. "Security analysis
of a single sign-on mechanism for distributed computer
networks." IEEE Transactions on Industrial Informatics 9,
no. 1 (2013): 294-302.
[4] Urueña, Manuel, Alfonso Muñoz, and David Larrabeiti.
"Analysis of privacy vulnerabilities in single sign-on
mechanisms for multimedia websites." Multimedia Tools
and Applications 68, no. 1 (2014): 159-176.
[5] Tormo, Ginés Dólera, Félix Gómez Mármol, and Gregorio
Martínez Pérez. "Towards the integration of reputation
management in OpenID." Computer Standards &
Interfaces36, no. 3 (2014): 438-453.
[6] Indu, I., PM Rubesh Anand, and Vidhyacharan Bhaskar.
"Encrypted Token based Authentication with Adapted
Security Assertions Mark-up Language Technology for
Cloud Web Services." Journal of Network and Computer
Applications(2017).
[7] Leitão, Paulo, José Barbosa, Maria-Eleftheria Ch
Papadopoulou, and Iakovos S. Venieris. "Standardization in
cyber-physical systems: The ARUM case." In Industrial
Technology (ICIT), 2015 IEEE International Conference
on, pp. 2988-2993. IEEE, 2015.
[8] Fett, Daniel, Ralf Küsters, and Guido Schmitz. "An
expressive model for the Web infrastructure: Definition and
application to the Browser ID SSO system." In Security and
Privacy (SP), 2014 IEEE Symposium on, pp. 673-688.
IEEE, 2014.
[9] Xu, Ya, Nanyu Chen, Addrian Fernandez, Omar Sinno, and
Anmol Bhasin. "From infrastructure to culture: A/b testing
challenges in large scale social networks." In Proceedings
of the 21th ACM SIGKDD International Conference on
Knowledge Discovery and Data Mining, pp. 2227-2236.
ACM, 2015.
[10] Hidar, Ahmad M. Saeed. "Authentication and
Authorization in Cloud Computing Using Kerberos." PhD
diss., Universiti Teknologi Malaysia, 2014.
[11] Dowdeswell, Roland, and Nicolas Williams. "Negotiation
of Extra Security Context Tokens for Kerberos V5 Generic
Security Services Mechanism." (2014).
[12] Armando, A., Carbone, R., Compagna, L., Cuéllar, J.,
Pellegrino, G., & Sorniotti, A. (2013). An authentication
flaw in browser-based single sign-on protocols: Impact and
remediations. Computers & Security, 33, 41-58.
Columns on Last Page Should Be Made As Close As
Possible to Equal Length
Anmol Bhasin. "From infrastructure to culture: A/b testing
challenges in large scale social networks." In Proceedings
of the 21th ACM SIGKDD International Conference on
Knowledge Discovery and Data Mining, pp. 2227-2236.
ACM, 2015.
[10] Hidar, Ahmad M. Saeed. "Authentication and
Authorization in Cloud Computing Using Kerberos." PhD
diss., Universiti Teknologi Malaysia, 2014.
[11] Dowdeswell, Roland, and Nicolas Williams. "Negotiation
of Extra Security Context Tokens for Kerberos V5 Generic
Security Services Mechanism." (2014).
[12] Armando, A., Carbone, R., Compagna, L., Cuéllar, J.,
Pellegrino, G., & Sorniotti, A. (2013). An authentication
flaw in browser-based single sign-on protocols: Impact and
remediations. Computers & Security, 33, 41-58.
Columns on Last Page Should Be Made As Close As
Possible to Equal Length
1 out of 3
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.