SSO Overview and Examples

Overview

This lecture covers the concept of Single Sign-On (SSO), its advantages, security concerns, and examples like Kerberos and OpenID.

SSO allows users to authenticate once to access multiple services and applications.
Users do not need multiple sets of usernames and passwords for various services.
SSO uses a central authentication server to issue a cookie or token for access.

Kerberos is an SSO authentication system where users authenticate once to receive a ticket granting ticket.
The ticket granting ticket can be presented to access multiple services without re-entering credentials.

A compromised SSO account gives attackers access to all permitted services.
Multi-factor authentication (MFA) should be used with SSO for added security.
Attackers may try to steal SSO session cookies or tokens, bypassing MFA protections.
Stolen session tokens can provide access until expired, even without actual credentials.

OpenID allows users to authenticate using a third-party identity provider at participating sites (relying parties).
Relying parties do not need their own authentication infrastructure.
Users can access sites with their existing identity provider accounts.
The process involves establishing a shared secret, user authentication through the identity provider, and token-based credential relay.

Single Sign-On (SSO) — authentication method allowing one login for multiple services.
Kerberos — SSO protocol using tickets for authentication across services.
Multi-factor Authentication (MFA) — security process requiring additional verification besides a password.
OpenID — open standard for decentralized authentication using third-party identity providers.
Relying Party — a site that delegates authentication to an identity provider.
Identity Provider — a service authenticating users on behalf of relying parties.