Joint Information Systems Committee 05/25/22 | | Slide 1 Single Sign-On Solutions Nicole Harris Programme Manager – JISC


Slide 1

Single Sign-On Solutions

Nicole Harris, Programme Manager – JISC

Slide 2

Thanks

To Brian Gilmore, who provided much of the material for these slides!

JISC report can be found at:

– http://www.jisc.ac.uk/uploaded_documents/CMSS-Gilmore.pdf.

Disclaimer: speaker has no direct experience of implementing SSO solutions!

Questions via the WIKI please:

– federation.pbwiki.com

– Login: shibboleth

Slide 3

Roadmap for Institutions

Slide 4

The Problem

Diagram: one user, many separate logins.

– PC Login

– School Web Site – Login

– College Intranet – Login

– Staffmail – Login

– Corporate Services – Login

– ATHENS – Login

– WIZARD eFinancials – Login

– Other External Services – Login

– ESP – Login

– WebCT/EEMEC – Login

– E-Diary – Login

– etc.

Slide 5

What is Single Sign-On?

Used to refer to many different approaches, such as:

– LDAP look-up;

– Shared name / password;

– One sign-on, one database.

Slide 6

Approaches to Single Sign-On

LDAP Look-Up:

– A number of sites claim they have single sign-on by having a single LDAP database which a number of services access.

– Not true SSO as the user is challenged individually by each service.

Shared Name / Password:

– Multiple, separate name/pass stores, possibly with synchronisation;

– User experience may be the same as true SSO;

– But higher risk: different security levels across stores, compromise of one store equals compromise of all, and the possibility of unencrypted passwords held in a system and/or sent across the network.

True Single Sign-On:

– There is a single, well protected, store of user names & passwords

– Interrogated by multiple services

– User enters (particular) credentials once, and only once

– Consistent, overall timeout can be applied – how long is an issue!
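As an added illustration (not part of the slides), a minimal Python model of the "true SSO" pattern just described: the password is checked once by a single store, each service validates an opaque session token against that store instead of prompting for a password, and one overall timeout governs every service at once. The user name, service names and timeout value are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Overall session lifetime in seconds (constructed value; how long is a policy choice)
SSO_TIMEOUT = 8 * 3600

@dataclass
class SsoServer:
    """Single, well-protected store of credentials; issues opaque session tokens."""
    _hashed: dict = field(default_factory=dict)    # user -> (salt, pbkdf2 digest)
    _sessions: dict = field(default_factory=dict)  # token -> (user, issued_at)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._hashed[user] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, user: str, password: str, now: float):
        """The only place the password is ever entered; services never see it."""
        rec = self._hashed.get(user)
        if rec is None:
            return None
        salt, digest = rec
        if not hmac.compare_digest(digest, self._derive(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now)
        return token

    def validate(self, token: str, now: float):
        """Every service asks here, so one overall timeout applies consistently."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        user, issued = rec
        if now - issued > SSO_TIMEOUT:
            del self._sessions[token]  # expires for all services at once
            return None
        return user

def access(service: str, sso: SsoServer, token: str, now: float) -> str:
    """A relying service: no password prompt of its own, only token validation."""
    user = sso.validate(token, now)
    return f"{service}: welcome {user}" if user else f"{service}: redirect to SSO login"
```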

Slide 7

Do We Want SSO?

If a user is compromised then all the resources open to that user are compromised.

Important to consider a Risk Analysis to determine the balance between usability and security.

Slide 8

Potential Sign-On Model

Sign-on at 3 distinct levels:

– External Network Logon

– ‘Normal’ Internal level

– ‘High Risk’ Areas

Can be other models!

Federated Access Management concentrates on web-based resources, although there have been successful trials with network-level access.

Slide 9

Pre-requisites for SSO

You have to know who *all* your users are.

SSO implies automation, therefore ‘special cases’ are a problem:

– Students

– Staff

– Alumni

– ‘Others’

‘Others’ problem area:

– Casual staff visitor to a department

– External Uni PhD students working in your institution

– Medical staff who teach

– Retired staff casually still working in a department

Refers to ‘stage two’ in the JISC Roadmap document!

Slide 10

JISC Web-Based SSO Study - 2004

Note that the study was carried out in 2004; JISC is looking to update it.

Systems evaluated:

– CAS (Yale)

– Pubcookie (Washington)

– WebAuth (Stanford)

– Cosign (Michigan)

– KX.509 (Michigan)

Systems not fully evaluated:

– A-Select (not fully)

– Shibboleth as an SSO (not at all)

Slide 11

Overview of Results

| System | Usage | Single point of failure | Support | Documentation | Availability of authentication modules | Shibboleth enabled |
|---|---|---|---|---|---|---|
| CAS | Moderate | Yes | Poor | Poor | V poor | No at time; yes now! |
| Pubcookie | Widely used | Yes | Variable | Small amount | Variable | Yes now! |
| Webauth | Not widely used | No | Responsive | V good | Poor | No |
| Cosign | Relatively new | No | V responsive | Small | Good | Has been demonstrated |
| A-Select | Moderate inside NL | Yes | Responsive, commercially available | Good | V good | Yes |

Slide 12

JISC Project Experience

CAS: LSIP at Liverpool

– http://www.liv.ac.uk/LSIP/Documentation/ImplementationofYaleCASSSO.html

Pubcookie: IAMSECT at Newcastle

– http://iamsect.ncl.ac.uk/deliverables/docs/shib_install/

Webauth: SPIE at Oxford

– http://spie.oucs.ox.ac.uk/Wiki.jsp?page=Outputs

Cosign: AMIE at Edinburgh

– www.ucs.ed.ac.uk/projects/amie

A-Select:

– No existing UK experience (to the knowledge of JISC and Google)

Slide 13

Edinburgh in Focus

Decided to implement Cosign

– Strong links with Kerberos (strong Linux presence)

– Liked the support

– No single point of failure

– But no IIS support (yet)

29 services now covered by SSO

23 services not covered

• 6 of them soon!

• Individual machines

• Departmental services

• Commercial Packages

Takes time and significant buy-in from departments, etc.

Slide 14

Reflections from Edinburgh

Implementing an SSO system is loved by the users.

Which system you choose, a classic SSO or Shibboleth, will depend upon your circumstances.

You really do need to know who all your users are!