Single Sign-on and the OBSSOCookie

The Oracle Access System implements single-domain and multi-domain single sign-on
through an encrypted cookie called the ObSSOCookie. The WebGate sends the
ObSSOCookie to the user’s browser upon successful authentication. This cookie can
then act as an authentication mechanism for other protected resources that require the same or a lower level of authentication.


When the user requests access to a browser or another resource, the request flows to
the Access Server. The user is logged in, and the ObSSOCookie is set. The Access
Server generates a session token with a URL that contains the ObSSOCookie. Single
sign-on works when the cookie is used for subsequent authorizations in lieu of
prompting the user to supply authorization credentials.


When the cookie is generated, part of the cookie is used as an encrypted session token.


The encrypted session token contains the following information:
- The distinguished name (DN) of the authenticated user.
- The level of the authentication scheme that authenticated the user.
- The IP address of the client to which the cookie was issued.
- The time the cookie was originally issued.
- The time the cookie was last updated.

If the user has not been idle, the cookie is updated at a fixed interval to prevent the session from timing out. The update interval is one-fourth of the length of the idle session timeout parameter.


Unencrypted ObSSOCookie data includes:
- Cookie expiry time.
- The domain in which the cookie is valid.
- An optional flag that determines if the cookie can only be sent using SSL.
Security of the ObSSOCookie


The ObSSOCookie is a secure mechanism for user authentication. When the Access
System generates the cookie, an MD-5 hash is taken of the session token. When the
ObSSOCookie is used to authenticate a user, the MD-5 hash is compared with the
original cookie contents to be sure no one has tampered with the cookie. MD-5 is a
one-way hash, so it cannot be unencrypted. The Access Server does the comparison by
hashing the session token again and comparing the output with the hash of the token
already present in the cookie. If the two hashes do not match, the cookie is corrupt.
The system relies on the fact that if someone tampers with the session token, the
hashes will not match.

More Here

Courtesy:http://securidm.wordpress.com/2009/07/13/single-sign-on-and-the-obssocookie/

SSO in Web Services Using SAML

Introduction:


Web Services provides a standard mean of interoperating between different software
applications running on a variety of platforms. The simplest web service
consists of a SOAP message for communication and a WSDL for web service
description. Web services use XML extensively which are very well understood
technology. WSDL document defines services as collection of network endpoints
or ports.


One of the main problems in distributed Web Services is security standards. Due to
different platforms the interpretation of security information has different
meaning in different security context. For instance if a J2EE application try
to exchange security information with a COM+ application, the data sent by J2EE
application will not be recognizable to COM+.
The other problem in distributed Web Services application is the
capability for single-sign on. Security Assertion Markup Language (SAML) is a
standard proposed by OASIS to solve problem like security information exchange
and how Single Sign on capabilities be provided within distributed web services
application.


Exploring SAML:


SAML is a set of specifications used for transferring information like user
authentication, entitlement, and attributes to identity provider (IP) which can
authenticate the user and allow access to resources on a server provider. In SAML a third party which is identity provider will assert the authentication information provided by the consumer and will return SAML assertion which can be passed with any incoming request to
the target or resource provider which will identify the assertion and allow
access to the corresponding activity.

By
obtaining the assertion from identity provider consumer can pass it with any
request. The same assertion can be used universally and by any part of
application which is a step forward to interoperability in security context.


All
the security services which implemented SAML are able to interpret security
information transferred by one service to another which makes SAML one of the
most accepted solutions for Web Services Security. The Assertion generated by identity provider
can be used by consumer as long as it is trusted by target or service provider.
The Service Provider can accept the principal an allow authentication.


SAML
provides three types of assertions:


1.
Authentication assertion


2.
Authorization decision assertion


3.
Attribute assertion.


Authentication
Assertion


The
authentication information is received by identity providers which process this
information and authorization assertion is made along with authorization
decision and attributes assertion.
Authentication Assertion is composed of the identity of issuer and the
principal, the period for which the assertion will be valid and some creation
time information. It also input some information about the provider system and
validation time etc.


The
following is the Authentication Statement Schema









































Attribute
Assertion

More Here

Courtesy:http://asadroshan.wordpress.com/2011/01/12/sso-in-web-services-using-saml/

A Closer Look at Centrify DirectControl's Web SSO Solution

Core Features


At a high-level, the DirectControl for web/Java agent provides the following five key features:


* SPNEGO Support for Application Servers: the DirectControl for web/Java agent natively extends the security layer of each application server to implement the SPNEGO protocol for Kerberos and NTLM authentication and single sign-on. Per Wikipedia: "SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports...SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory."


In effect DirectControl is extending the "secret handshake" that Microsoft provides between IE and IIS. Which means that now with DirectControl you can use IE or any other browser that supports SPNEGO and have that SSO experience to not only IIS but to non-Microsoft web servers such as Apache, JBoss, WebLogic and WebSphere (running on either the Windows or UNIX/Linux platforms).
* Kerberos Support for web/Java Applications: Kerberos is the mature approach that Microsoft uses for single sign-on in an all-Microsoft environment. While Kerberos is available for non-Microsoft platforms, like UNIX and Linux, it can be difficult for a non-expert to deploy and manage a Kerberos stack for use in single sign-on. DirectControl for web/Java, in cooperation with DirectControl for Systems, automatically deploys, configures and manages the entire Kerberos stack for the application server and OS that your custom application is installed on.


Optionally, NTLM can also be used for authentication in an environment or system where Kerberos is not functional or appropriate. NTLM is an older technology provided by Microsoft for authentication.
* Authorization based on Active Directory Groups: Using J2EE standards, DirectControl for web/Java can populate the proper J2EE roles based on Active Directory Groups. Additionally, custom user attribute can be passed to the application from Active Directory. This allows a custom web application to provide role-based access and personalization based on a centrally managed identity in Active Directory, regardless of the platform the application server runs on.
* Active Directory Federation Services (ADFS) Support: ADFS, based on industry standards such as the WS-* web services specifications, provides a platform for single sign-on across multiple applications during a single browsing session. Additionally, ADFS provides services that allow authentication and authorization to happen across security, organizational and domain boundaries. These services are included in Windows Server 2003 R2 and 2008. Follow this link for more information on our ADFS web SSO agents for non-Microsoft web servers.
* Support for SSO to the underlying operating systems: Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating your UNIX, Linux, Mac, web and database platforms with Microsoft Active Directory. DirectControl effectively turns a non-Microsoft system into an Active Directory client, enabling you to secure that system using the same operating system-level authentication, authorization and Group Policy services currently deployed for your Windows systems.

This means by packaging the DirectControl agent for the operating system and application server, along with installation and configuration documentation and support and services of the DirectControl for web/Java products into a single comprehensive solution, Centrify can help provide a true single sign-on solution at both the OS and application layer that better interoperates with your enterprise.

More Here

Courtesy:http://www.centrify.com/blogs/tomkemp/centrify_active_directory_integration_with_web_java.asp

Sharepoint 2007 : Configure and start the Microsoft Single Sign-On service

To use single sign-on, the Microsoft Single Sign-On service (SSOSrv) must be installed on all Microsoft Windows front-end Web servers in the farm. SSOSrv must also be installed on all servers running Excel Services. If the Business Data Catalog search is used, SSOSrv must also be installed on the index server.
SSOSrv is configured by using the Services console. When configuring the service, a logon account is required. The logon account must meet all of the following criteria:

• Must be a domain user account. It cannot be a group account.
• Must be an Office SharePoint Server farm account.
• Must be a member of the local Administrators group on the encryption-key server. (The encryption-key server is the first server on which you start SSOSrv.)
• Must be a member of the Security Administrators role and db_creator role on the computer running Microsoft SQL Server.
• Must be either the same as the single sign-on administrator account, or a member of the group account that is the single sign-on administrator account.

Configure and start the Microsoft Single Sign-On service

1. On the server, click Start, Control Panel, Administrative Tools, and then click Computer Management.
3. In the Computer Management console, expand Services and Applications, and then click Services.
4. Right-click Microsoft Single Sign-On Service, and then choose Properties.
5. On the General tab, change the Startup type to Automatic.
6. On the General tab, under Service Status, click Start.
7. Click OK to save your changes and close the Properties window.
8. Repeat steps 1 through 6 for each applicable server in the farm.Source : http://technet.microsoft.com/en-us/library/cc262932.aspx#Section1

More Here

Courtesy:http://panca.wordpress.com/2009/04/07/sharepoint-2007-configure-and-start-the-microsoft-single-sign-on-service/

Configuring Tomcat for Single Sign On Support

Introduction

In many large web sites, it is desireable to recognize an authenticated user the first time that he or she tries to access a protected area in any web application, and then recognize that authenticated user across other web applications in the same environment without requiring the user to log in again. Tomcat supports that capability if it is configured as described in this document.

Configuration Requirements

To successfully configure Tomcat for "single sign on" support, the following requirements must be taken into account:

• All clients that intend to utilize "single sign on" support must provide support for cookies, which are used to maintain the user identity across web applications.
• As implemented in Tomcat, the scope of "single sign on" support is the entire set of web applications registered with a single virtual host.

The system administrator must configure the $CATALINA_HOME/conf/server.xml file as follows to enable "single sign on" support:

• At the or level, configure a element that defines the database of valid users and their corresponding roles. In the default configuration shipped with Tomcat, this is done at the Engine level.
• You MUST NOT configure a element inside one of the elements describing the web applications associated with this virtual host.
• Nested inside the element, you must include the following element:

• Each web application that wishes to operate under the "single signon support" environment should define appropriate and elements. The former elements are used to identify portions of the application's URI space that are to require user authentication, and the latter element is used if this application is the first one accessed by the user that requires the user to log in.
• There are no restrictions on different web applications utilizing different authentication methods.

Security Considerations

Because the "single signon support" implementation utilizes cookies to maintain use identity across applications, the same risks of information exposure apply here as when cookies are used to maintain session identity within a single web application. If you are concerned that attackers may try to impersonate an ongoing session, you should run across a secure network connection (such as an SSL connection using the https protocol).

More Here

Courtesy:http://www.jajakarta.org/tomcat/tomcat3.2-4.0/tomcat-4.0b5/src/catalina/docs/singlesignon.html

Single Sign-On to Remote Desktop Services

Single sign-on is an authentication method that allows users with a domain account to log on once to a client computer by using a password, and then gain access to remote servers without being asked for their credentials again. See more details here for Windows Server 2008 and here for Windows Server 2008 R2.

On the client-side SSO are currently available for Windows XP with SP3, Windows Vista and Windows 7.

Configure SSO on the server-side

To configure SSO on the server-side (Windows Server 2008 Terminal Services or Windows Server 2008 R2 Remote Desktop Services), set the option “Security layer” to either “Negotiate” or “SSL (TLS 1.0)”:

Best practice would be to configure this in a common GPO for all Remote Desktop Services servers in the domain:

This setting resides under Computer Configuration->Policies->Administrative templates->Windows Components->Terminal Services->Terminal Server->Security.

Configure SSO on the client-side

Using a common GPO would also be the best practice to deploy the client settings needed for SSO to work.
The “Allow Delegating Default Credentials” resides under Computer Configuration->Policies->System->Credentials Delegation:

Enable “Allow Delegating Default Credentials”, press the “Show”-button and either specify the domain pre-fixed with * to allow delegation to all servers in the domain, or specify specific servers:

 

Next, create a RDP-file and deploy this file to the client computers.
Before deploying the file, open it in a text editor, e.g. Notepad, and add the following line: enablecredsspsupport:i:1
This will enable SSO for the RDP-file.

I would also recommend to sign the RDP-file with a Code Signing certificate. This can be accomplished using the utilityrdpsign.exe:

Sample signing:

When a RDP-file are signed, the following will be added to the bottom of the file:

signature:s:AQABAAEAAADBCgAAMIIKvQ……..

More Here

Courtesy:http://blog.powershell.no/2009/12/25/single-sign-on-to-remote-desktop-services/

What is Single Sign On in SharePoint? (Non Technical)

Single Sign On in SharePoint is a Service. It is really just something that holds credentials (login’s/passwords) for different applications. These other applications can be CRM systems, ERP systems, whatever. It does not automatically integrate or pass through credentials to these systems. This may sound obvious to some people, but it’s important to point out because this is what I always hear people think it does.





What it really does is allows developers and administrators to connect other systems in webpart code and as an example an administrator could use it in the BDC application definition xml’s authentication for connecting to say a SQL database. It is wonderful in that it gives a great starting point and service for configuration and development to pull data from other systems into SharePoint (typically).

More Here

Courtesy:http://sharepointkb.wordpress.com/2008/11/25/what-is-single-sign-on-in-sharepoint-non-technical/

Single Sign On with Pubcookie

A couple of months ago I had to find a solution to offer a single sign on service in a environment with PHP applications and Plone. I decided to use Pubcookie which is a good solution and has a good documentation although due to its small niche market its community is not very big.

According to SLOCCount most of the code is C and it has almost 50 thousand lines of code

Totals grouped by language (dominant language first):
ansic: 40864 (85.89%)
cpp: 4215 (8.86%)
sh: 2500 (5.25%)

Total Physical Source Lines of Code (SLOC) = 47,579

The documentation is available here, it is clear but from my point of view it lacks of a set of examples. The first time I installed pubcookie I was a bit confused, my first error was trying to install it without understand completely how it worked so my first advice is that you must understand how it works before. The key concept is to realize that the authentication and creation/validation of cookies is going to be performed by the pubcookie service. Your web applications won’t have to deal with this issues anymore.

Have a look at the diagram in the section How Pubcookie Works. In our example with Plone, PHP applications 

and Apache our agents would be:

• User-Agent, your browser
• Application Server, an apache module installed in the server which offers the web application. In our example we would have one for each web application
• Login Server, the service in charge of creating and delivering the important cookies and dealing with the user login form
• AuthN Server, in our example it could be offered by an LDAP server. The Login Server would deal with this authentication server. We only need one

Every time the user visits a protected url (by the apache module / application server) in one of the server applications, the application server finds out whether the users’ cookie is valid or not. Depending on the type of cookie the user provide, it (the application server) can forward the user to the login server or give him access as logged in. Once the application server ensures the user is a valid user with a valid cookie it passes the user to the web application using an apache header, this last step is very important from the security point of view. The web applications will blindly accept the user passed in that HTTP header so it must come only from localhost and only when the apache module checks the request comes from a valid user.

Hands on. Download it and install all the components (keyserver, keyclient, apache module ..), you will need to generate some keys used to sign and encrypt the cookies which are exchanged between the login server and the application server.

Once the daemons are running and the apache module is built, we can start setting up our Plone. The most important part is the configuration of the apache module, there is a Plone plugin (product) calledWebServerAuth that will do the rest of the job.

This is the important part of the apache configuration for our traffic over SSL:


ServerName www.example.com
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/example.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.key
# Prompt for authentication:

AuthType EXAMPLEAuth
PubcookieAppID zope
Require valid-user

# once we know the user is a valid user, we set the HTTP header with the username
RewriteEngine On
RewriteRule .* - [E=RU:%{REMOTE_USER}]
RequestHeader set X_REMOTE_USER %{RU}e

....


As I remarked before, the application (Plone in this case) will accept any user in the HTTP_X_REMOTE_USER header so we must avoid that header when our apache module for pubcookie is not checking it is sent by a valid user. That is, we remove this header unless it goes to the URL protected by the apache module (our application server).


...
RequestHeader unset X_REMOTE_USER
...

At this point, you would be able of using the single sign on service with Plone. The next step would be to add more web applications. If you don’t find a pubcookie plugin for your PHP application, you would have to edit the code to bypass the user and session verification in order to accept the user included in the HTTP_X_REMOTE_USER header.

Last but not least, thanks to cewing and erikrose in #plone IRC channel at freenode.net, they were very helpful 

More Here

Courtesy:http://sanacl.wordpress.com/2010/02/24/single-sign-on-with-pubcookie/

Single Sign-On between Portal and Webtop

How we can configure Single Sign-On between a Portal server and a Webtop is what i am trying to bring in today. This Post does not recommend any specific solution, however it provides insight into implementing the Single Sign-on by customizing the Documentum components.

Before we discuss about the Configuration Steps involved ,lets first see What is Single Sign-On :

Single Sign-on is a concept that enables users to be authenticated once and gain access to the resources of multiple software systems. The requirement is to provide the portal user access to Webtop without being asked to submit the credentials.

Approaches to achieve Single Sign-on

1. Using third party vendor softwares like Tivoli Access Manager(TAM) & WebSEAL, Netegrity SiteMinder or RSA ClearTrust (from RSA Security)
2. Customize Documentum components

Approach A was evaluated, however with requirements conflicting with the version support, approach B was preferred.

In order to achieve the Single Sign-On, user credentials are passed as URL parameters by encrypting the userid & password. The same is decrypted before establishing documentum session. The following steps provide the details in accomplishing the same.

Note: A standard algorithm is used for the encryption/decryption purposes, which however is out of scope.

Steps

A. Documentum Configurations

1. Create a property file named DocbaseInfo.properties and add properties “Docbase” & “TargetDomain”. Docbase refers to the docbase to which the user will access through Webtop & TargetDomain is the authentication domain. Add this file to the appropriate folder. (We have used the path as com\\DocbaseInfo.properties)
2. Extend the basic behavior of documentum login component.
   1. Create SSOLogin.java by extending com\documentum\web\formext\session\Login.java
   2. Override the onInit() method to retrieve the user credentials from the URL and establish documentum session for the user
   3. call setStartPoint() method after a session is established

Compile the java class and update the classpath.

Figure 1: Pictorial representation of the directory structure used.

1. Create custom\login & custom\config folders under webtop\webtop folder. Copy the login_component.xml to custom\config folder. Edit the login_component.xml to include the path for SSOLogin.class & add the following tags:

/custom/login/login.jsp

Copy the login.jsp page available wdk\system\login to webtop\webtop\custom\login folder and customize as per the requirement. Add the path information in the login_component.xml.

The code snippet of login_component.xml after the changes is as follows:

/custom/login/login.jsp

com..SSOLogin

com.documentum.webtop.session.LoginNlsProp

B. Portal Configurations

1.    Append the encryption/decryption class to the classpath

2.    Create a portlet, retrieve the user-id/password from the form and add the same to session or a cookie

3.    Use the encryption algorithm to encrypt the user-id and password and append the same to the URL link calling Webtop. The URL format to be used is as follows:

http:///webtop/component/main?userID=< a=""> user-id>&pwd=

Testing the Single Sign-on Configuration

1.    Create a portal application and provide a link to Webtop

2.    Login to the portal and access the Webtop link

3.    If the user is a valid documentum user, user is allowed to access the documentum repository without being asked to enter the credentials. If the authentication fails, user will be provided with the standard Webtop login page.

More Here

Courtesy:http://hkishan.wordpress.com/2010/10/24/single-sign-on-between-portal-and-webtop/

Making the case for Single Sign On (SSO) and Biometric authentication

Definitions:


Enterprise Single Sign On (ESSO) – ESSO is simple since it is a non-programmed way to handle SSO, thus making it much easier and less complex.


Single Sign On (SSO) - SSO is a programmed method of performing SSO with the key difference of having the added functionality to handle forced role-based authentication directly into applications themselves from the network. This is the Holy Grail – for the big boys and serious budgets!


I look at ESSO as “the poor man’s single sign on”, however don’t be fooled into thinking ESSO is of lesser quality to SSO. ESSO is incredibly powerful and quite a compelling approach to what I would call “Reduced Sign On” versus “Single Sign On”. Credit Unions should consider ESSO/SSO options when experiencing the following problems or increased needs:
1) The help desk is having to handle too many password reset requests. I once worked with a credit union that justified costs due to this issue alone.
2) IT (believe it or not) is handling an extraordinary number of passwords.
3) The desire exists to integrate physical and network security (very cool and doable these days).
4) Compliance Drivers, meaning you have a desire to monitor, track and perform forensics on network and application access.



5) A need for increased security due to IT being unable to enforce a demanding password policy.
6) A need for increased security that will not see employees leaving passwords lying around their office on notepads.
In summary there is the coolness factor to SSO and ESSO, but for me the credit union winning punch here is the compliance win and the ability to integrate biometric authentication with the solution. I am not sure I believe entirely in the concept of SSO and this is why I like ESSO since the application still drives the final layer of security.


ESSO has the ability to layer biometrics on top of the authentication, making it an appealing solution since one gains the compliance uplift, plus the added “I know who you are” factor from the biometric stand point. Ultimately, my vision has always been to concentrate on the directory security needs in an organization. For my credit union clients this is usually accomplished via Microsoft’s Active Directory. From a de-provisioning perspective, it is quite appealing that once a user account is killed in AD then they are in effect “locked out” of the network. It is very nice indeed to have all devices on the network just as directory-aware. Furthermore, if you are allowing Citrix or another remote access, this centralized AD security approach works well since once an employee or contractor is terminated then all IT must do is terminate the account in AD and the remote access is terminated as well. For credit unions with overburdened IT personnel this makes for simple, effective and clean security.

More Here

Courtesy:http://mdrawbaugh.wordpress.com/2008/05/15/making-the-case-for-single-sign-on-sso-and-biometric-authentication/

Single Sign-On – Choosing Practical over Paranoid Security

As various business processes are automated in enterprises, a complex IT landscape is created. Multiple applications and platforms require different authentication checks before granting user access. Users need to sign on to multiple systems, each involving a different set of credentials. As a result, accessing systems gets increasingly complicated and frustrating for users and hampers their daily tasks.

Implementing a single sign-on (SSO) security functionality can significantly simplify systems access. SSO provides a unified mechanism to manage user authentication and implement business rules determining user access. As only one set of credentials are needed to access multiple systems, SSO improves usability, increases productivity and reduces helpdesk expenses, without compromising system security.

SSO also reduces human error, because the user logs in once and gains access to all systems without being prompted to log in again for each, a major component of systems failure.

Why is SSO relevant?

The need for SSO is accentuated by several issues enterprises face including:

• Enforcing strong security and password policies at a central level
• Multiple helpdesks
• Need for helpdesks to engage in more value-adding tasks rather than be consumed by resetting passwords for users
• Management of multiple platforms and application models
• Risk of unsecured, unauthorized administrative and user accounts

SSO types you need to know

Two of the most important types of SSO are:

Enterprise SSO

Enterprise single sign-on (ESSO) systems are designed to minimize the number of times that a user must type their ID and password to sign into multiple applications. The ESSO automatically logs users in, and acts as a password filler where automatic login is not possible. Each desktop/laptop is given a token that handles the authentication.

Web SSO

Single sign-on for web-based applications and few supported proprietary closed source web applications. It is a browser-based mechanism, with single sign-on to applications deployed on web servers (domain).

The main differences between ESSO and Web SSO approaches are given in the table below.

ESSO can provide tangible benefits to an enterprise through:

• Enhanced user productivity - users are no longer bogged down by multiple logins and they are not required to remember multiple IDs and passwords
• Improved developer productivity - developers get a common authentication framework – developers don’t have to worry about authentication at all
• Simplified IT administration – the administrative burden of managing user accounts is simplified. The degree of simplification depends on the applications since SSO only deals with authentication
• Reduced password fatigue from different user name and password combinations
• Reduced IT costs due to fewer help desk calls about passwords
• Improved security through reduced need for a user to handle and remember multiple sets of authentication information
• Reduced time spent re-entering passwords for the same identity.
• Integration with conventional authentication such as Windows username/password.
• Centralized reporting for compliance adherence like ISO 27001, etc.

Clearly, SSO functionality is a practical approach to security management in an enterprise. Its detractors highlight that once a password is breached through SSO, then other systems become highly vulnerable. However, while weighing the pros and cons of the SSO approach, its benefits in the form of lesser maintenance and increased usability far outweigh the disadvantages. It can even ensure a better protection of the single password, with stronger policies in place, which may not be practically possible if there were multiple passwords to remember. SSO can be a suitable choice for most enterprises which are struggling with the burden of managing multiple accesses.

More Here

Courtesy:http://aujasus.com/2010/12/07/single-sign-on/

Java Web Apps and Single Sign-On

 

Single Sign-On:

Essentially, single sign-on (SSO) is the process where the user is required to authenticate himself only once in order to gain access to multiple related but ultimately independent software systems. The most common case is when the user belongs to a domain (internal network) and is able to login using his account credentials where he subsequently gains access to network drives etc. without the need to re-authenticate himself.
I will be looking at possible ways to achieve SSO with a Java web app where users belong to a Windows domain and where the users (and their credentials) gets stored in a Windows Active Directory (against which authentication gets performed).

SSO Advantages:

• Improved user productivity. Users are no longer bogged down by multiple logins and they are not required to remember multiple IDs and passwords. This also improves security as users find it easier to remember their credentials and do not have to write them down etc., allowing for a more efficient user login process
• It improves an administrator’s ability to manage users and user configurations to all associated systems
• It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications
• It improves the effectiveness/timeliness of disabling all network/computer accounts for terminated users

SSO Disadvantages:

• Unattended desktop. Implementing SSO reduces some security risks, but increases others. For example, a malicious user could gain access to a user’s resources if the user walks away from his machine and leaves it logged in. Although this is a problem with security in general, it is worse with SSO because all authorized resources are compromised. At least with multiple logins, the user may only be logged into one system at the time and so only one resource is compromised
• It requires continuous availability of a central server. When the AD server is down, no one can log in
• Since all authentication is controlled by a centralized AD server, compromise of this authentication infrastructure will allow an attacker to impersonate any user across all SSO supported systems
• Hence the SSO server and other host security must be hardened

In order to gain access to network resources, authentication needs to happen in the background where authentication information ultimately has to be sent over to the Active Directory (AD) server. Thus  authentication protocols had to be developed to do this securely.

Authentication Protocols:

Kerberos Protocol:
Kerberos is a standardized network authentication protocol (developed by MIT), which is designed to provide strong authentication (by using secret-key cryptography) for client/server applications, such as web applications where the browser is the client. Essentially Kerberos is an authentication protocol for trusted hosts on untrusted networks.
Kerberos is an integral part of Windows Active Directory implementations and is the preferred authentication protocol when operating in a domain environment. Essentially every Windows Active Directory domain controller is also a Kerberos Key Distribution Center or “KDC”.
The protocol is currently sitting on version 5.
NT LAN Manage (NTLM) Protocol:
NTLM is a challenge-response based protocol. In a challenge-response protocol, the client generates a response using the server challenge and a secret value that the client and server both know (like a password) and sends it back for validation. Security features were added to the protocol in version 2 to provide for stronger protection of encryption keys and challenges.
Simple and Protected GSS-API Negotiation (SPNEGO) Protocol:
The Generic Security Service Application Program Interface (GSS-API) was developed on top of the Kerberos and the NTLM authentication protocols, where its development goal was to provide security developers with a consistent high-level programming interface for authentication and security without needing to know the details of a particular security protocol.
The wiring of GSS-API authentication to a web browser occurs through the use of a message exchange standard known as Simple and Protected GSS-API Negotiation Mechanism (SPNEGO). SPNEGO is an algorithm specifying the behaviour of two GSS-API implementations in determining whether they can communicate with each other over a common security protocol.
Quick Protocol Conclusion:
As it’s a very technical manner to weigh up the advantages and disadvantages of the Kerberos and NTLM authentication protocols against each other and because Kerberos is the industry standard, there is no need to further explain that Kerberos is indeed the preferred protocol to use. At the end of the day they will both achieve SSO but Kerberos will do so in a more secure manner. One thing to note though is that neither Kerberos or NTLM protocols send the user’s password over the wire, which is obviously a good thing as the no amount of network packet sniffing would result in the malicious user being able to impersonate an authenticated user.

Other Means to Authenticate Against Active Directory:

Lightweight Directory Access Protocol (LDAP):
LDAP is an application protocol for querying and modifying items in directory service providers such as Active Directory. Thus it can’t be considered as a solution to achieve SSO as the client/browser plays a large role in SSO and LDAP is simply a way for the application to talk to the AD server. That being said LDAP can be configured to securely communicate to the AD server so theoretically it can play a part in the SPNEGO Kerberos authentication process.

Implementing SSO in a Java Web App:

As all major browsers support the SPNEGO a.k.a. Negotiate protocol to achieve SSO and because the protocol is integrated by Windows Active Directory as part of their product – it became clear that this is the way to achieve SSO in a web app.

SPNEGO/Kerberos Libraries:

Windows Authentication Functional Framework Light Edition (WAFFLE):
Provides various ways to achieve SSO (via the Negotiate protocol) in a web application but is restricted to web applications sitting on web servers running on a Windows machine. Thus a no go as our web server runs on a Linux machine.
spnego.sourceforge.net:
The library is aimed at Java based web servers looking to handle SPNEGO/“Negotiate” (with preference to Kerberos over NTLM) as the authentication protocol, where SSO is ultimately achieved by configuring a Java Servlet Filter with all the necessary information to perform the authentication against the Active Directory (Key Distribution Centre).
Advantages:
Once the Kerberos environment has been correctly setup on the AD server with regards to the web server in question – SSO is relatively straightforward to achieve. It is also pretty lightweight as we’re essentially dealing with one filter. The project has got an active community/forum where the developer of the project is very actively taking part in discussions and troubleshooting.
Disadvantages:
It is not very configurable. For example in the Spring Security framework you can declare various “intercept-urls” which specifies what level of authentication the user needs to access the URL in question. It gives precedence to the top-most declaration thus if you specify that the “/login.jsp” URL requires no authentication to access and then specify that “/*” (all permutations of URLs) needs full authentication to access, it effectively excludes “/login.jsp” URL from the list of URLs that need full authentication. This behaviour is crucial as we obviously can’t expect a user to be authenticated before he had a chance to authenticate himself. Effort would be required to place this library (which is designed to sit on the web server) in the application as the web app also needs to confirm that the user exists in the web app (it’s not enough to know that the user merely exists on the domain). The web app also needs to know when negotiation/authentication fails as to provide a fallback method to authenticate the user, which this library doesn’t quite support (it provides basic authentication as a fallback but this protocol is unsecure).
Spring Security Kerberos/SPNEGO Extension:
The Spring team brought out an extension to their latest version of the Spring Security framework (version 3) that provides the security developer with a solution to achieve SSO via the SPNEGO/Kerberos protocol. The solution has been implemented in alignment with their existing security framework, thus a developer that is familiar with Spring Security would have no trouble in understanding the flow of the solution and would effectively be able to use it out of the box. To use this solution the web app would need to upgrade it’s core Spring framework to version 3 and it’s Spring Security framework to version 3. Version 3 of the Spring Security framework has significantly changed its package structure from version 2 which has enabled them to make the functionality that the framework provides much more modular.
Advantages:
The solution sits in the application and thus can easily confirm if the user exists in the web app upon successful authentication. As with the spnego.sourcefourge.net solution – SSO is relatively straightforward to achieve once the Kerberos environment has been correctly setup on the AD server with regards to the web server in question. As it is in alignment with the existing security framework – the solution is highly configurable. The extension to the Spring Security framework also provides a way to combine form-based authentication with the Kerberos protocol to securely authenticate the user against the Active Directory. Furthermore as the framework is so highly configurable, it is possible to use this as the fallback. Thus upon SSO authentication failure (ex if the user tries to access the web app from outside of the domain), the user can effectively be redirected to the login screen to enter his domain account credentials. Which is first prize.
Lastly the Spring Security framework has been widely adopted and has a very active community.
Disadvantages:
This extension library needs the latest Spring libraries, thus if an upgrade is necessary, then the package structure changes (and inevitable deprecations) would need to be catered for in existing security classes. Furthermore, a fair amount of systems testing would be required which is obviously not ideal.

Integrating a “Kerbeized” Web Application With an Openfire Chat Server:

Built in (Home Made) Java Chat Client:
Integration can be achieved once the user has been authenticated in the web app. All that would be required is an authenticated request from the web app to the Openfire server to login the user in question.  The whole concept of SSO is around the web app not storing the domain user’s password as the Kerberos/SPNEGO protocol doesn’t send the password across the wire when authenticating against the AD server.
My proposed solution to send the authenticated login request is as follows:

• The web app and the Openfire server shares a private key and salt
• The Openfire server stores a timestamp (upon server startup the timestamp gets created)
• The web app upon making the login request (which requires a username and password), creates a timestamp (which would effectively be later on than the one stored by the Openfire server)
• The web app then encrypts the timestamp with the private key and subsequently encrypts it again with the salt (thus double encrypted) and uses this result as the password (RSA encryption is probably a good bet)
• The Openfire server then receives the request with the username and the double encrypted timestamp which it then decrypts as it knows the key and salt used to encrypt it
• The Openfire server then compares the decrypted timestamp with its stored timestamp
• Only if the decrypted timestamp is later on than the stored timestamp does the user get logged in
• If successful, the stored timestamp subsequently gets set to the decrypted timestamp

This solution would effectively be secure against replay attacks (where a malicious user sniffs the request and uses it again to try and login) and relatively secure against brute force attacks (due to the double encryption). Note that the timestamp is accurate to the closest millisecond where it would be sent as a long. This solution assumes that the machines which host the web app and Openfire, to be closely synchronised in time.
External Chat Clients:
At this stage there isn’t a clear solution to achieve SSO with external chat clients as the SPNEGO/Kerberos authentication protocol essentially requires the client (in this case the external chat client) to speak this language/implement the protocol. It is also not recommended to let the external chat client send the user’s domain password over the wire as we don’t have any control over how the credentials gets sent, making it a high security risk. A potential work around could be to have the user specify a chat password in the web app (which would effectively be stored in the database) which the user could use to authenticate himself. At least if these credentials are obtained by a malicious user, it can’t be used to login to the web app or any system other than Openfire.

Conclusion:

In my opinion the Spring Security solution is the clear winner for achieving SSO in a Java web app. Its drawbacks are in actual fact a bit irrelevant as you would need to upgrade the Spring framework at some stage. At the time of writing I am unable to setup a Kerberos environment in the domain to test this SSO solution, thus at this stage the POC is riding on some assumptions:

• That the main SSO solution does in fact work as expected (i.e. the user gets authenticated securely without the need to enter credentials). This assumption is quite solid as Spring has been widely adopted and the active Spring forum suggest that this functionality works as expected
• That the fallback configuration works (upon authentication failure). This assumption is not really solid at this stage as it wasn’t provided by a recognised Spring developer, thus I will only be happy once I have confirmed it. This fallback solution was posted on the Spring forums: http://forum.springsource.org/showthread.php?p=326151#post326151

More Here

Courtesy:http://bsgdev.wordpress.com/2011/01/04/java-web-apps-and-single-sign-on/