Page 245
Session Management of Single Sign-On
With great power comes responsibility: Single Sign-On enables users to access a wealth of information with a single authentication. The risk of malicious access to those resources can increase with SSO, and this risk must be mitigated. See the “Unattended desktop” section of the quote from “Build and Implement a Single Sign-On Solution” shown in the previous section.
SSO should always be combined with MFA (multifactor authentication), but that still leaves the potential risk of malicious use of an existing session. For that reason, session timeouts and screensavers that automatically lock the workstation should be used. Users should also be trained to lock their workstations when they leave their desks.
Federated Identity Management
Federated Identity Management (FIM) applies Single Sign-On at a much wider scale, ranging from cross-organization to Internet scale.
According to EDUCAUSE, “Identity management refers to the policies, processes, and technologies that establish user identities and enforce rules about access to digital resources. In a campus setting, many information systems—such as e-mail, learning management systems, library databases, and grid computing applications—require users to authenticate themselves (typically with a username and password). An authorization process then determines which systems an authenticated user is permitted to access. With an enterprise identity management system, rather than having separate credentials for each system, a user can employ a single digital identity to access all resources to which the user is entitled. Federated identity management permits extending this approach above the enterprise level, creating a trusted authority for digital identities across multiple organizations. In a federated system, participating institutions share identity attributes based on agreed-upon standards, facilitating authentication from other members of the federation and granting appropriate access to online resources. This approach streamlines access to digital assets while protecting restricted resources” [10].
SAML
SAML (Security Assertion Markup Language) 2.0 is the current version and provides a standardized way of communicating identity data between systems. SAML transmits this data via XML-formatted assertions, which can communicate details regarding identification, authentication, and possibly also authorization. One goal of SAML is to enable web-based SSO at an Internet scale.
SAML considers three roles: the Identity Provider (IdP), the Service Provider (SP), and the principal/user. The principal, via a user agent (typically a Web browser), requests resources from the SP. The SP offers applications/resources that can be leveraged by trusted principals but depends upon the IdP to verify and vouch for the principal. The IdP serves as the trusted source of identities and is responsible for authenticating users/principals and communicating the result of that authentication to the SP. At a high level, SAML operates via XML-formatted assertions created by the IdP to communicate the status of identification and authentication of a principal/user to the SP.
SAML natively focuses primarily on authentication. While basic SAML can be used for simple authorization in some use cases, it can be extended to communicate more robust authorization details. To integrate complex authorization details, SAML can leverage either the XML-based eXtensible Access Control Markup Language (XACML) protocol or JSON-formatted OAuth, which is discussed next.
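The SP side of the flow above, as an added example that is not from the book: before trusting the IdP's assertion, the SP checks that it came from the expected IdP, is within its validity window, and is addressed to this SP. The assertion, issuer URL and audience URL are constructed for illustration, and the example assumes the XML signature has already been verified by the SAML library in use.

```python
# Added example (not from the book): SP-side checks on a SAML 2.0 assertion.
# Assumes the <ds:Signature> was already verified by a SAML library; this
# covers only the Issuer, Conditions and Subject checks that follow it.
# In production parse untrusted XML with defusedxml rather than xml.etree.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned) using placeholder IdP/SP URLs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.edu</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/sso</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:30Z"/>
</saml:Assertion>"""


def _parse_time(value):
    """Parse the UTC 'Z' timestamps SAML uses into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now_utc):
    """Return (ok, reason, name_id); now_utc is an ISO 'Z' timestamp string."""
    now = _parse_time(now_utc)
    root = ET.fromstring(xml_text)
    # Only the IdP we federate with may vouch for principals.
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer", None
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing Conditions validity window", None
    # Reject stale (replayed) or not-yet-valid assertions.
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window", None
    # An assertion issued for another SP must not be accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch", None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing Subject NameID", None
    return True, "ok", name_id
```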