In 250 – 350 words, and using the Jamsa textbook as your source:
- Define SSO
- List FIVE advantages of SSO
- If you were an IT manager, explain IN YOUR OWN WORDS how using THREE of the five advantages you listed would benefit your organization.
Chapter 5
Identity as a Service (IDaaS)
Today, within most companies, users must log in to a variety
of different systems in order to perform various tasks. Some of the systems
may be cloud based, some may be based on local servers, and some may be
accessible through different devices. The challenge of having multiple
servers to access is that users must remember and manage multiple
username and password combinations. Further, if an employee leaves the
company, the IT staff must coordinate with the human resources
department to ensure that each of the user’s accounts has been disabled.
User identity management (ID management) is difficult, time-consuming,
and expensive. Over the past few years, companies have begun to emerge to
provide identity (or identification) as a service (IDaaS), or cloud-based ID management.
Learning Objectives
This chapter examines cloud-based ID management in detail. By the time you
finish this chapter, you will be able to do the following:
• Describe challenges related to ID management.
• Describe and discuss single sign-on (SSO) capabilities.
• List the advantages of IDaaS solutions.
• Discuss IDaaS solutions offered by various companies.
Understanding Single Sign-On (SSO)
As discussed, business users today must log in to a variety of applications,
which may reside on many different servers. The users, therefore, must
manage numerous username and password combinations. To simplify user
access to multiple systems, many companies now use single sign-on
(SSO) software, which, as shown in FIGURE 5-1, requires the user to sign
on only one time. Behind the scenes, the SSO software manages the user’s
access to other systems.
The advantages of SSO software include the following:
• Fewer username and password combinations for users to remember and
manage
• Less password fatigue caused by the stress of managing multiple
passwords
• Less user time consumed by having to log in to individual systems
• Fewer calls to help desks for forgotten passwords
• A centralized location for IT staff to manage password compliance and
reporting
The primary disadvantage of SSO systems is the potential for a single
point of failure. If the authentication server fails, users will not be able to
log in to other servers. Thus, having a cloud-based authentication server
with system redundancy reduces the risk of system unavailability.
Understanding How SSO Works
Although different implementations of SSO exist, many solutions employ a
secure ticket. When a user logs in to the authentication server, he or she is
given a secure ticket. Later, when the user accesses a server, that server, in
turn, validates the ticket with the authentication server. The authentication
server, as shown in FIGURE 5-2, not only confirms that the user is
authorized to use the server, but may also provide the user’s access rights
that are specific to that server.
FIGURE 5-1 An SSO system lets a user log in to a system one time and then move freely
among related servers and applications without having to authenticate him- or herself each
time.
Step 1: User logs into the authentication server using a username and
password
Step 2: The authentication server returns the user’s ticket
Step 3: User sends the ticket to the intranet server
Step 4: Intranet server sends the ticket to the authentication server
Step 5: Authentication server sends the user’s security credentials for that
server back to the intranet server
FIGURE 5-2 SSO systems often assign authenticated users a ticket, which the software
presents behind the scenes to the servers that the user accesses. Each server can use the
ticket to determine the user’s access rights on that particular server.
If an employee leaves the company, the IT staff need only disable the user
at the authentication server in order to disable the user’s access to all
systems.
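As an added example (not code from the textbook), the following Python script models the five steps of Figure 5-2: an assumed AuthServer issues an HMAC-signed ticket at login, a ResourceServer hands the ticket back for validation and receives the user's rights for that specific server, every successful validation is audit-logged, and disabling the user at the authentication server revokes access everywhere at once. The class names, the user "alice", the sample rights table and the 10-minute ticket lifetime are constructed assumptions.

```python
import hashlib, hmac, secrets, time


class AuthServer:
    """Central authentication server that issues and validates SSO tickets (assumed design)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # signs tickets so servers can spot tampering
        # Toy user store; a real deployment uses a slow, salted password hash.
        self._users = {"alice": {"pw": hashlib.sha256(b"correct horse").hexdigest(), "enabled": True}}
        self._rights = {"alice": {"intranet": {"read", "write"}, "payroll": {"read"}}}  # Step 5 data
        self._tickets = {}   # ticket id -> (user, expiry)
        self.audit_log = []  # (user, server, time): who accessed what, and when

    def login(self, user, password):
        """Steps 1-2: check username/password and return a signed ticket, or None."""
        rec = self._users.get(user)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not rec or not rec["enabled"] or not hmac.compare_digest(rec["pw"], digest):
            return None
        tid = secrets.token_hex(16)
        self._tickets[tid] = (user, time.time() + 600)  # ticket valid for 10 minutes
        sig = hmac.new(self._key, tid.encode(), hashlib.sha256).hexdigest()
        return f"{tid}.{sig}"

    def validate(self, ticket, server):
        """Steps 4-5: verify a ticket for a server and return the user's rights there."""
        tid, _, sig = ticket.partition(".")
        expected = hmac.new(self._key, tid.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None  # forged or tampered ticket
        entry = self._tickets.get(tid)
        if entry is None or entry[1] < time.time():
            return None  # unknown or expired ticket
        user, _ = entry
        if not self._users[user]["enabled"]:
            return None  # user was disabled after the ticket was issued
        self.audit_log.append((user, server, time.time()))
        return frozenset(self._rights.get(user, {}).get(server, set()))

    def disable_user(self, user):
        self._users[user]["enabled"] = False  # deprovisioning: one change cuts off every server


class ResourceServer:
    """An intranet or payroll server that trusts the AuthServer's answer (assumed design)."""
    def __init__(self, name, auth):
        self.name, self.auth = name, auth

    def request(self, ticket, action):
        """Step 3: client presents the ticket; the server checks it with the auth server."""
        rights = self.auth.validate(ticket, self.name)
        return rights is not None and action in rights
```

Note that the resource servers never see the password: they only learn whether the ticket is valid and what the user may do on their own server, which is why disabling the account in one place is enough.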
Understanding Federated Identity Management
As you examine SSO solutions, you may encounter the term federated
identity management (FIDM). In short, FIDM describes the
technologies and protocols that combine to enable a user to bring security
credentials across different security domains (different servers running
potentially different operating systems). Behind the scenes, many FIDM
systems use the Security Assertion Markup Language (SAML) to
package a user’s security credentials, as shown in FIGURE 5-3. For
specifics on SAML, visit the SAML website at www.saml.xml.org.
FIGURE 5-3 SAML allows software to package user security credentials.
Understanding Account Provisioning
In many companies, when an employee is hired the human resources
department sends an e-mail to the IT staff, who creates a user account for
the employee. Sometime during the employee’s first week, his or her
manager will decide that the employee needs to access other systems. The
manager will send additional e-mails to the IT staff requesting various
account access. The process of creating a user account on a system is called
account provisioning. As you might guess, because different employees
may need different capabilities on each system, the provisioning process
can be complex.
When an employee leaves the company, a deprovisioning process must
occur to remove the user’s accounts. Unfortunately, the IT staff is not
always immediately informed that an employee no longer works for the
company, or the IT staff misses a server account and the user may still have
access to one or more systems.
CASE 5-1 PING IDENTITY IDAAS
Ping Identity provides cloud-based ID management software that supports
FIDM and user account provisioning. The company’s website provides an
excellent article called “The 4 A’s of Cloud Identity,” which are as follows:
• Authentication: The process of determining and validating a user for on-site as well as cloud-based solutions.
• Authorization: The process of determining and specifying what the user is
allowed to do on each server.
• Account management: The process of synchronizing user accounts by
provisioning and deprovisioning access.
• Audit logging: The process of tracking which applications users access and
when.
To perform its ID management, Ping Identity makes extensive use of
SAML.
Exercise Discuss the importance of the audit logging process within an IDaaS
solution.
Web Resources For additional information on Ping Identity and SAML,
see www.CloudBookContent.com/Chapter05/index.html.
CASE 5-2 PASSWORDBANK IDAAS
PasswordBank provides an IDaaS solution that supports on-site and
cloud-based system access. Its FIDM service supports enterprise-wide SSO (E-SSO)
and SSO for web-based applications (WebSSO). The PasswordBank solutions
perform the FIDM without the use of SAML. PasswordBank solutions support
a myriad of devices, including the iPhone.
Exercise Within the cloud, some IDaaS providers use SAML to package a
user’s security credentials, and some do not. Discuss the arguments for and
against using SAML.
Web Resources For additional information on PasswordBank,
see www.CloudBookContent.com/Chapter05/index.html.
Understanding OpenID
For companies to support FIDM across autonomous systems, the security
policies and protocols must be open. OpenID allows users to use an existing
account to log in to multiple websites. Today, more than 1 billion OpenID
accounts exist and are accepted by thousands of websites. Companies that
support OpenID include Google, Yahoo!, Flickr, Myspace, WordPress.com,
and more. For companies, the advantages of using OpenID include the
following:
• Increased site conversion rates (rates at which customers choose to join
websites) because users do not need to register
• Access to greater user profile content
• Fewer problems with lost passwords
• Ease of content integration into social networking sites
FIGURE 5-4 From the OpenID website, you can create your own OpenID username and
password, which you can then use to access thousands of websites.
For more information on OpenID, or to get your own OpenID username
and password, visit the OpenID website at www.openid.net, as shown
in FIGURE 5-4.
Mobile ID Management
Every day employees access e-mail and other business applications through
handheld devices. More and more business applications support mobile
device interfaces. The challenge for developers today is not only getting
content to the mobile device, but also securing the device. Threats to mobile
devices include the following:
• Identity theft if a device is lost or stolen
• Eavesdropping on data communications
• Surveillance of confidential screen content
• Phishing of content from rogue sites
• Man-in-the-middle attacks through intercepted signals
• Inadequate device resources to provide a strong security implementation
• Social attacks on unaware users that yield identity information
CASE 5-3 SYMPLIFIED IDAAS
Symplified provides ID management solutions for on-site and cloud-based
applications. The solutions support a variety of device types, such as mobile
devices. Symplified solutions support SAML and non-SAML-based
applications, which significantly extends the company’s product reach.
Symplified’s key products include:
• Symplified Access Manager: This compliance tool provides on-demand
web access management for access control and audit of software as a service
(SaaS), private cloud, and public cloud applications.
• Symplified Identity Manager: This account management tool provides
user account support for on-site and SaaS solutions.
• SinglePoint: This platform as a service (PaaS) solution provides a cloud-based platform for deploying ID management, with the following capabilities:
  • Access control
  • Authentication
  • Auditing
  • Federation
  • Provisioning and user management
  • Support for portals
Exercise Symplified provides IDaaS solutions for on-site and cloud
operations. Discuss the additional requirements and challenges of
implementing a solution for cloud-based applications over on-ground
applications.
Web Resources For additional information on Symplified and the company’s
IDaaS solutions, see www.CloudBookContent.com/Chapter05/index.html.
CHAPTER SUMMARY
To accomplish a wide range of tasks, users must often log in to a variety of
different systems. Today some of the systems may be cloud based and some
may reside on local servers. Further, users often access servers (and their
services) through different devices. Requiring users to access multiple
servers means that users must often remember and manage multiple
username and password combinations. To reduce this burden on users as
well as the IT staff who must help retrieve forgotten passwords, many
companies now use a technique called SSO. Users log in to a central
authorization server that, in turn, uses a ticket that grants users access to
other specific servers without requiring them to log in again. In this way,
users must remember only one username and password.
If an employee leaves the company, the IT staff need only disable the user’s
account on the centralized authorization server in order to shut down the
user’s access to all other servers.
User ID management is difficult, time-consuming, and expensive. To
address the challenges and cost of user management, many companies are
turning to IDaaS solutions that reside in the cloud.
KEY TERMS
Federated identity management (FIDM)
Identity (or identification) as a service (IDaaS)
Provisioning
Security Assertion Markup Language (SAML)
Single sign-on (SSO)
CHAPTER REVIEW
1. Define and describe SSO.
2. Define and describe IDaaS.
3. Define SAML and describe its purpose.
4. Define and describe provisioning.
5. Define and describe FIDM.
6. List factors that make mobile ID management difficult.