Single Sign-On (SSO) Systems
Unit II: Account & Data Security
Lecture 11: Seamless Authentication Across Applications
Course: Cyber Security (4353204) | Semester V | Diploma ICT | Author: Milav Dabgar
What is Single Sign-On (SSO)?
SSO Definition
Single Sign-On (SSO) is an authentication process that allows users to access multiple applications with one set of login credentials.
Key Characteristics
- One authentication for multiple services
- Centralized identity management
- Seamless user experience
- Reduced password fatigue
- Enhanced security through centralization
SSO Workflow

```mermaid
graph LR
    A[User] --> B[SSO Provider]
    B --> C[Authentication]
    C --> D[Token Generation]
    D --> E[App 1]
    D --> F[App 2]
    D --> G[App 3]
    style B fill:#e3f2fd
    style D fill:#f3e5f5
```
Benefits of SSO
User Benefits
- Single password to remember
- Faster access to applications
- Reduced login friction
- Better user experience
- Less password-related help desk calls
Organization Benefits
- Centralized access control
- Enhanced security monitoring
- Reduced IT overhead
- Improved compliance
- Better audit capabilities
Security Advantages
- Stronger password policies
- Multi-factor authentication integration
- Centralized logout
- Session management
- Reduced credential exposure
SSO Architecture and Components
SSO Architecture
Core Components
- Identity Provider (IdP) - Authentication service
- Service Provider (SP) - Applications/services
- User Agent - Browser or client application
- Security Token - Authentication proof
SSO Flow Diagram

```mermaid
graph TB
    A[User] --> B[Service Provider]
    B --> C[Identity Provider]
    C --> D[Authentication]
    D --> E[Token Generation]
    E --> F[Token Validation]
    F --> B
    B --> G[Access Granted]
    style C fill:#e3f2fd
    style E fill:#f3e5f5
    style G fill:#e8f5e8
```
SSO Participants
- Principal - User seeking access
- Identity Provider - Authenticates users
- Service Provider - Provides services
- Token - Proof of authentication
SSO Process Flow
Step-by-Step Process
1. User requests access to application
2. Application redirects to SSO provider
3. User authenticates with SSO provider
4. SSO provider generates security token
5. Token sent back to application
6. Application validates token
7. Access granted to user
Token Types
Security Tokens:
  SAML Token:
    - XML-based
    - Enterprise focused
    - Rich attribute support
  OAuth Token:
    - JSON-based
    - Web/mobile friendly
    - Limited scope
  JWT Token:
    - Self-contained
    - Stateless
    - Compact format
Session Management
- Session establishment
- Session tracking
- Session timeout
- Global logout
SAML-Based SSO
SAML Overview
SAML Characteristics
- XML-based standard
- Enterprise-grade SSO solution
- Cross-domain authentication
- Rich metadata support
- Strong security features
SAML Components
- Assertions - Authentication statements
- Protocols - Request/response messages
- Bindings - Transport mechanisms
- Profiles - Use case specifications
SAML Assertion Structure

```xml
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>user@company.com</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:Password
      </saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="Department">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
```
SAML SSO Flow
SP-Initiated Flow

```mermaid
graph TB
    A[User] --> B[Service Provider]
    B --> C[SAML Request]
    C --> D[Identity Provider]
    D --> E[Authentication]
    E --> F[SAML Response]
    F --> G[Token Validation]
    G --> H[Access Granted]
    style D fill:#e3f2fd
    style F fill:#f3e5f5
```
IdP-Initiated Flow
- User logs into IdP portal
- User selects target application
- IdP generates SAML assertion
- Assertion posted to service provider
- SP validates assertion
- Access granted to user
SAML Security Features
- Digital signatures for integrity
- Encryption for confidentiality
- Time stamps for replay protection
- Audience restrictions
- Certificate-based trust
SAML Configuration Example

```yaml
SAML Configuration:
  Entity ID: https://company.com/sso
  SSO URL: https://idp.company.com/sso
  Certificate: -----BEGIN CERTIFICATE-----
  Attribute Mapping:
    - Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    - Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    - Role: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
```
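Added example (not from the lecture or any SAML library): how a service provider applies the security features listed above, namely the time-stamp validity window, the audience restriction and replay protection, to an assertion shaped like the one on the earlier slide. The sample assertion, its ID, the issuer/entity IDs and the replay cache are constructed for this example; XML signature verification is assumed to have been done first by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from a real IdP): the slide's assertion plus the Conditions
# element that carries the validity window and the audience restriction.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee01" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.company.com/sso</saml:Issuer>
  <saml:Subject><saml:NameID>user@company.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://company.com/sso</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, expected_issuer, expected_audience, now, seen_ids,
                    skew=timedelta(seconds=60)):
    """Return (ok, reason). Runs after the XML signature has been verified by an
    XML-DSig library; seen_ids is the SP's replay cache of accepted assertion IDs."""
    root = ET.fromstring(xml_text)
    # Exactly one Assertion element: the signed one must be the one we act on,
    # so any extra or nested Assertion is rejected (defence against wrapping).
    if root.tag != "{%s}Assertion" % SAML_NS["saml"] or root.findall(".//saml:Assertion", SAML_NS):
        return False, "unexpected assertion structure"
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != expected_issuer:
        return False, "issuer mismatch"
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing validity window"
    not_before, not_after = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    # Time stamps limit replay: accept only inside the window, allowing small clock skew.
    if now < not_before - skew or now >= not_after + skew:
        return False, "outside validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        return False, "replayed assertion"
    seen_ids[assertion_id] = not_after + skew  # cache entry can be dropped after this time
    return True, "ok"
```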
OAuth and OpenID Connect
OAuth 2.0 Framework
OAuth Purpose
- Authorization framework (not authentication)
- Third-party access delegation
- API access control
- Token-based authorization
OAuth Roles
- Resource Owner - User who owns data
- Client - Application requesting access
- Authorization Server - Issues tokens
- Resource Server - Hosts protected resources
OAuth Flow Types
Grant Types:
  Authorization Code:
    - Most secure
    - For web applications
    - Requires client secret
  Implicit:
    - For public clients
    - Browser-based apps
    - No client secret
  Client Credentials:
    - Service-to-service
    - No user involvement
    - Backend applications
  Resource Owner Password:
    - Legacy applications
    - Direct username/password
    - Not recommended
OpenID Connect (OIDC)
OIDC Features
- Built on OAuth 2.0
- Authentication layer added
- ID tokens for identity
- Standardized user info
- JWT-based tokens
OIDC Tokens
Decoded view of an ID token (on the wire it is the compact form header.payload.signature, three base64url segments):

```javascript
// ID Token (JWT)
{
  "header": {
    "alg": "RS256",
    "typ": "JWT"
  },
  "payload": {
    "iss": "https://accounts.company.com",
    "sub": "1234567890",
    "aud": "client_id_123",
    "exp": 1234567890,
    "iat": 1234567890,
    "email": "user@company.com",
    "name": "John Doe"
  }
}
```
OIDC Endpoints
- Authorization Endpoint - User consent
- Token Endpoint - Token exchange
- UserInfo Endpoint - User profile data
- JWKS Endpoint - Key verification
OIDC Configuration

```json
{
  "client_id": "your-client-id",
  "client_secret": "your-client-secret",
  "issuer": "https://accounts.company.com",
  "authorization_endpoint": "https://accounts.company.com/auth",
  "token_endpoint": "https://accounts.company.com/token",
  "userinfo_endpoint": "https://accounts.company.com/userinfo"
}
```
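Added example (not part of the lecture or of any OIDC library): the claim checks a relying party performs on an ID token like the one shown above once its RS256 signature has been verified with the key from the JWKS endpoint: algorithm allow-list, iss, aud/azp, exp and iat with clock skew, and nonce. The token fixture, its claim values and the client ID are constructed for the test; the placeholder signature segment exists only because this code checks claims, not signatures.

```python
import base64, json

def b64url_decode(segment):
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_sample_token(header, payload):
    """Constructed fixture: header.payload plus a placeholder signature segment.
    It exists only to exercise the claim checks below; it is not a signed token."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"signature-placeholder")])

def decode_jwt(token):
    """Split a compact JWS into (header, claims) without trusting either."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def check_id_token_claims(token, issuer, client_id, now, nonce=None, skew=60,
                          allowed_algs=("RS256",)):
    """Return (ok, reason) for an ID token whose signature was already verified with
    the key from the JWKS endpoint. Applies the iss/aud/exp/iat checks of OIDC Core."""
    header, claims = decode_jwt(token)
    if header.get("alg") not in allowed_algs:  # also rejects alg "none"
        return False, "unexpected alg"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        return False, "audience mismatch"
    if len(aud) > 1 and claims.get("azp") != client_id:
        return False, "azp mismatch"  # multi-audience tokens must name this client
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + skew:
        return False, "token expired"
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + skew:
        return False, "iat in the future"
    if nonce is not None and claims.get("nonce") != nonce:
        return False, "nonce mismatch"
    return True, "ok"
```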
Enterprise SSO Solutions
Active Directory Federation Services (ADFS)
ADFS Overview
- Microsoft’s SSO solution
- Active Directory integration
- Claims-based authentication
- On-premises or hybrid deployment
ADFS Components
- Federation Service - Core authentication
- Federation Proxy - External access
- Claims Provider - Identity source
- Relying Party - Target application
ADFS Configuration

```powershell
# Add relying party trust
Add-ADFSRelyingPartyTrust `
  -Name "Company App" `
  -MetadataUrl "https://app.company.com/metadata" `
  -IssuanceTransformRules @'
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = c.Value);
'@
```
ADFS Architecture

```mermaid
graph TB
    A[User] --> B[ADFS Proxy]
    B --> C[ADFS Server]
    C --> D[Active Directory]
    C --> E[Relying Party]
    E --> F[Application]
    style C fill:#e3f2fd
    style D fill:#f3e5f5
```
Cloud SSO Providers
Azure Active Directory
Azure AD Features:
- Conditional Access
- Multi-Factor Authentication
- Device Compliance
- Risk-Based Authentication
- Application Gallery (5000+ apps)
Okta Platform
Okta Capabilities:
- Universal Directory
- Adaptive MFA
- Lifecycle Management
- API Access Management
- Advanced Server Access
Google Workspace SSO
Google Identity:
- G Suite Integration
- Cloud Identity
- Context Aware Access
- Security Keys
- Mobile Device Management
Ping Identity
PingIdentity Features:
- PingOne Cloud Platform
- PingFederate
- PingAccess
- PingDirectory
- API Intelligence
Comparison Matrix

| Feature | Azure AD | Okta | Ping | Google |
|---|---|---|---|---|
| Apps | 5000+ | 7000+ | 1000+ | 3000+ |
| MFA | ✅ | ✅ | ✅ | ✅ |
| Risk | ✅ | ✅ | ✅ | ✅ |
| API | ✅ | ✅ | ✅ | ✅ |
SSO Security Considerations
Security Benefits
Enhanced Security
- Stronger password policies
- Centralized MFA implementation
- Better audit trails
- Consistent security policies
- Reduced attack surface
Risk Mitigation
- Password reuse elimination
- Credential theft reduction
- Phishing attack protection
- Insider threat monitoring
- Compliance improvements
Security Monitoring
SSO Security Metrics:
- Failed authentication attempts
- Unusual login patterns
- Device compliance status
- Geographic access patterns
- Application usage patterns
Security Risks
Single Point of Failure
- SSO provider compromise affects all apps
- Identity provider availability issues
- Token theft gives broad access
- Session hijacking risks
Mitigation Strategies
Risk Mitigation:
  High Availability:
    - Redundant SSO infrastructure
    - Load balancing
    - Disaster recovery plans
  Token Security:
    - Short token lifetimes
    - Token encryption
    - Secure transmission (HTTPS)
  Session Protection:
    - Session timeout policies
    - Concurrent session limits
    - Device binding
  Monitoring:
    - Real-time threat detection
    - Anomaly detection
    - Incident response procedures
Common Attacks
- Token replay attacks
- Man-in-the-middle attacks
- Cross-site request forgery
- Session fixation
- XML signature wrapping (SAML)
SSO Implementation Best Practices
Planning and Design
Implementation Steps
- Assess current authentication landscape
- Choose appropriate SSO technology
- Design integration architecture
- Plan phased rollout
- Prepare user training
Technical Requirements
- Certificate management
- Network connectivity
- Application integration
- User directory synchronization
- Backup and recovery
Configuration Standards
SSO Configuration:
  Certificate Management:
    - Key rotation schedule
    - Certificate validation
    - Trust store management
  Network Security:
    - HTTPS enforcement
    - Network segmentation
    - Firewall rules
  Application Integration:
    - Standard protocols (SAML/OIDC)
    - Attribute mapping
    - Error handling
Operational Excellence
Monitoring and Metrics
SSO Monitoring:
  Performance Metrics:
    - Authentication response time
    - Token validation latency
    - System availability
  Security Metrics:
    - Failed authentication rate
    - Anomalous login patterns
    - Token compromise indicators
  User Experience:
    - Login success rate
    - Help desk tickets
    - User satisfaction scores
Maintenance Procedures
- Regular security assessments
- Certificate renewal automation
- Configuration backup
- Disaster recovery testing
- Performance optimization
User Onboarding
- Identity provisioning automation
- Application access assignment
- User training delivery
- Support documentation
- Feedback collection
Success Metrics
- Reduced password reset requests
- Improved user productivity
- Enhanced security posture
- Compliance achievement
- Cost savings
SSO Integration Examples
Web Application Integration
SAML Integration Code

```javascript
// Express.js with Passport SAML
const express = require('express');
const passport = require('passport');
const SamlStrategy = require('passport-saml').Strategy;

const app = express();
app.use(express.urlencoded({ extended: false })); // the IdP posts SAMLResponse form-encoded
app.use(passport.initialize());

passport.use(new SamlStrategy({
  path: '/login/callback',
  entryPoint: 'https://idp.company.com/sso',
  issuer: 'https://app.company.com',
  cert: process.env.SAML_CERT,              // IdP signing certificate used to validate responses
  privateCert: process.env.SAML_PRIVATE_KEY // SP private key used to sign AuthnRequests
},
function(profile, done) {
  // User profile processing: map assertion attributes to the application's user object
  const user = {
    id: profile.nameID,
    email: profile.email,
    name: profile.displayName,
    role: profile.role
  };
  return done(null, user);
}
));

// Routes
app.get('/login', passport.authenticate('saml'));
// session: false because no session store is configured here; persist req.user yourself
app.post('/login/callback', passport.authenticate('saml', { session: false }),
  (req, res) => {
    res.redirect('/dashboard');
  }
);

app.listen(3000);
```
OAuth Integration

```python
# Flask with OAuth (Authlib)
from flask import Flask, redirect, session, url_for
from authlib.integrations.flask_client import OAuth

app = Flask(__name__)
app.secret_key = 'change-me'  # signs the session cookie that holds the OAuth state and nonce

oauth = OAuth(app)
oauth.register(
    name='company_sso',
    client_id='your-client-id',
    client_secret='your-client-secret',
    # OIDC discovery document; the well-known path is spelled with a hyphen
    server_metadata_url='https://sso.company.com/.well-known/openid-configuration',
    client_kwargs={
        'scope': 'openid email profile'
    }
)

@app.route('/login')
def login():
    return oauth.company_sso.authorize_redirect(
        redirect_uri=url_for('callback', _external=True)
    )

@app.route('/callback')
def callback():
    # Exchanges the authorization code and validates the ID token (issuer, audience, expiry, nonce)
    token = oauth.company_sso.authorize_access_token()
    user = token['userinfo']  # claims parsed from the verified ID token
    session['user'] = user
    return redirect('/dashboard')
```
Mobile Application Integration
iOS OIDC Implementation

```swift
import AuthenticationServices
import UIKit

class SSOManager: NSObject, ASWebAuthenticationPresentationContextProviding {
    // Keep a strong reference: the session is cancelled if it is deallocated mid-flow
    private var session: ASWebAuthenticationSession?

    func authenticateWithSSO() {
        let authURL = URL(string: "https://sso.company.com/auth")!
        // The IdP redirects back to companyapp://callback, matched by the scheme below
        let session = ASWebAuthenticationSession(
            url: authURL,
            callbackURLScheme: "companyapp"
        ) { callbackURL, error in
            if let callbackURL = callbackURL {
                self.handleCallback(url: callbackURL)
            }
        }
        session.presentationContextProvider = self
        self.session = session
        session.start()
    }

    private func handleCallback(url: URL) {
        // Extract authorization code from companyapp://callback?code=...
        let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems
        guard let code = items?.first(where: { $0.name == "code" })?.value else { return }
        // Exchange for tokens (POST code to the token endpoint)
        // Store securely in Keychain
        _ = code
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        return ASPresentationAnchor()
    }
}
```
Android OIDC Integration

```java
// Using AppAuth library
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;
import net.openid.appauth.AuthorizationRequest;
import net.openid.appauth.AuthorizationService;
import net.openid.appauth.AuthorizationServiceConfiguration;
import net.openid.appauth.ResponseTypeValues;

public class SSOActivity extends AppCompatActivity {
    private static final int AUTH_REQUEST_CODE = 100;
    private AuthorizationService authService;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        authService = new AuthorizationService(this);
    }

    private void performSSO() {
        AuthorizationServiceConfiguration config =
            new AuthorizationServiceConfiguration(
                Uri.parse("https://sso.company.com/auth"),
                Uri.parse("https://sso.company.com/token")
            );
        // Authorization Code flow; the response is delivered to the app's redirect URI
        AuthorizationRequest request =
            new AuthorizationRequest.Builder(
                config,
                "client-id",
                ResponseTypeValues.CODE,
                Uri.parse("com.company.app://callback")
            )
            .setScope("openid email profile")
            .build();
        Intent intent = authService.getAuthorizationRequestIntent(request);
        startActivityForResult(intent, AUTH_REQUEST_CODE);
    }

    @Override
    protected void onDestroy() {
        authService.dispose(); // AppAuth requires the service to be disposed
        super.onDestroy();
    }
}
```
Practical Exercise: SSO Implementation Planning
Group Activity (30 minutes)
Scenario: Multi-Application SSO Design
Your organization needs to implement SSO for:
Applications to Integrate:
- Email System (Microsoft Exchange Online)
- CRM Platform (Salesforce)
- Custom Web Application (Internal development)
- File Sharing (SharePoint Online)
- Project Management (Jira/Confluence)
- HR System (Workday)
Organization Requirements:
- 500 employees across 3 locations
- Mixed Windows/Mac/Mobile environment
- Compliance requirements (SOX, GDPR)
- High availability needed (99.9% uptime)
- Budget constraints (cost-effective solution)
Task: Complete SSO Implementation Plan
Phase 1: Analysis and Design (10 minutes)
Technology Selection:
- Which SSO protocol(s) would you recommend?
- Cloud vs. on-premises vs. hybrid approach?
- Identity provider selection criteria
Architecture Design:
- Draw high-level SSO architecture
- Identify integration points
- Plan network requirements
Phase 2: Security and Risk Assessment (10 minutes)
Security Requirements:
- Multi-factor authentication strategy
- Session management policies
- Certificate and key management
Risk Mitigation:
- Single point of failure mitigation
- Disaster recovery planning
- Security monitoring approach
Phase 3: Implementation Planning (10 minutes)
Rollout Strategy:
- Phased implementation plan
- User training approach
- Pilot group selection
Success Metrics:
- How will you measure success?
- Monitoring and alerting setup
- Compliance verification
Deliverables:
- SSO architecture diagram
- Technology selection rationale
- Implementation timeline
- Risk assessment matrix
- Success criteria definition
Questions & Discussion
Discussion Points:
- What are the biggest challenges in SSO implementation?
- How do you balance security with user experience?
- What would you prioritize: SAML or OIDC for enterprise SSO?
Exercise Review
Share your SSO implementation plans and discuss different approaches
Thank You!
Next Lecture: Malware Analysis and Detection
Understanding and Combating Malicious Software
Cyber Security (4353204) - Lecture 11 Complete
SSO: One login to rule them all!

