Single sign-on mechanism

Although, I've materially changed the question to protect copyright, I ran across a question worded similarly to the following:

SSO uses the following mechanism:

A. Private key
B. Public key
C. Certificates
D. Account name & password

I chose D (but the answer is C). From Wikipedia the only implementation that sometimes uses certificates is smart cards; but all use username/password. Source: http://en.wikipedia.org/wiki/Single_sign-on
Why is C the best answer?

Find more posts tagged with

Comments

paul78

A lot of SSO implementations use a standard called SAML ( Security Assertion Markup Language) version 2. SAML uses TLS for transport security which uses certificates.

Darril

I'd suggest that the question is flawed.

Single sign-on (SSO) is used for authentication. More specifically, it allows a user to authenticate once and then access multiple resources without authenticating again.

There are multiple ways that people can authenticate including certificates and with account names and passwords.

paul78

Darril - that was my initial interpretation as well. But after thinking a bit more and assuming that teancum144 edited the question, I belief the author wasn't asking about mechanism used by end-users to authenticate against the SSO solution. Instead, the question is about how SSO solutions interact between different applications. Since most SSO solutions use SAML, certificates is the best response.

teancum144

After re-reading the original question, as paul78 suggests, the question does not refer to the end user. The question might be re-worded as follows: "Which tactics are used by SSO systems?" The explanation suggests that digital certificates are stronger and therefore used instead of username/password pairs.

teancum144

To restate what I’ve learned from helpful feedback and further analysis of the original question, it seems the question is not asking how users authenticate to SSO, but how SSO authenticates to multiple related, but independent, software systems. According to Wikipedia (and other sources), Here are some common SSO configurations:

LAN (Intranet) Based

Kerberos: after user provides credentials, Kerberos-based SSO uses ticket-granting tickets and service tickets to authenticate to applications.
Integrated Windows Authentication: most commonly uses Kerberos tickets.

Note: Wikipedia also mentions Smart Cards and OTP Tokens. However, these configurations appear to just add a second factor of initial SSO authentication.

WAN (Internet) Based

SAML (Security Association Markup Language): is an XML-based open standard data format for exchanging authentication and authorization data between parties. A SAML client authenticates to a security token service (STS) to request a SAML security token. The STS is trusted by both client and service provider to provide the authentication. STS creates SAML assertions needed for the transaction, signs the SAML token with its private key, includes its own X.509 certificate in the token, and sends it to the client. The client sends the SAML security token to the service provider, who verifies it.
OpenID: an open standard that describes how users can be authenticated in a decentralized manner. OpenID uses OAuth (an open standard/framework) for authorization. After authentication (via username/password) to an OpenID identity provider, the identity provider uses an OAuth token for authorization to a 3^rd party website.

Of the four methods above, only SAML uses certificates (as far as I can tell). Of the four, OpenID appears to have the widest adoption. Based on this information, I agree with Darril that the question is poorly worded. Instead of “certificates”, a better answer would be “tokens” or “tokens/tickets”.

Thoughts?

lsud00d

I agree that "token" would be a more PC/blanket answer, since SSO (a subset of federation) deals with authentication to typically dissimilar systems.

-or-

It's a reference to the necessary exchange of certificates between these systems to allow SSO with implied security.

teancum144

lsud00d wrote: »

-or-

It's a reference to the necessary exchange of certificates between these systems to allow SSO with implied security.

I thought about that. Specifically, do you mean - in the case of WAN SSO - the SSL/TLS connections (which requires certificates) between the SSO entities?

lsud00d

I was thinking of it from an application/systems POV. To federate (and SSO), self-signed certificates are exchanged so the applications/systems form a trust. When a user is authenticated, the authenticating mechanism creates a token which is then trusted by the devices that share certs in their trust stores.

Anders4711

SAML does not use SSL unless you want to, and SSL is not built into the standard. The SAML standard recommends SSL when integrity and confidentiality is required. SAML and other standards, such as OpenID, Liberty, etc have bindings that requires certificates, such as PKI authentication, but that is only one part of the standard. Still most SSO implementations use username/password.

The system I'm in charge of use both username/password and PKI authentication.

I have to side with Darren on this, the question needs to be reworded.