Implementation of Single Sign On (SSO) Technology Using SAML Standards At UNIKOM Information Systems
1 like826 views
The document discusses the implementation of Single Sign-On (SSO) technology using SAML standards at Unikom, highlighting its benefits for both users and administrators in accessing multiple applications with a single set of credentials. It details the system architecture, emphasizing security measures such as encryption and the use of digital passport protocols for user management. Additionally, it addresses potential security risks associated with SSO and the importance of identity governance and multi-factor authentication to mitigate these risks.
Implementation of Single Sign On (SSO) Technology Using SAML Standards At UNIKOM Information Systems
- 1. Implementation of Single Sign On (SSO) Technology Using SAML Standards At UNIKOM Information Systems International Conference on Interdisciplinary Academic Research And Innovation (IARI-2016) November 23-24, 2016 Taryana Suryana, Irawan Afrianto, Andri Heryandi Teknik Informatika – Fakultas Teknik dan Ilmu Komputer Universitas Komputer Indonesia
- 2. Backgrounds • Many Applications that require login • Many Accounts To Remember • Different username and Password • Admin Create Many Users dan Passwords • Complicate password management Lecturer Student Thrusty Online Value (NilaiOnline) E-Learning Autodebet Social Media Campus Asset Management Evaluation of Lecture Finance Academic scholarship UNIKOM'SINFORMATIONSYSTEMS Admin
- 3. Definitions • Single Sign On (SSO) Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session. On the back end, SSO is helpful for logging user activities as well as monitoring user accounts. (http://searchsecurity.techtarget.com/definition/single-sign-on)
- 4. Definitions • Security Assertion Markup Language (SAML) SAML is an XML standard that facilitates the exchange of user authentication and authorization data across secure domains. SAML-based SSO services involve communications between the user, an identity provider that maintains a user directory, and a service provider. When a user attempts to access an application from the service provider, the service provider will send a request to the identity provider for authentication. The service provider will then verify the authentication and log the user in. The user will not have to log in again for the rest of his session. (http://searchsecurity.techtarget.com/definition/single-sign-on)
- 5. Definitions • Google Apps For Education (GAFE) Google Apps for Education core services are the heart of Google's educational offering to schools. The core services are Gmail (including Inbox by Gmail), Calendar, Classroom, Contacts, Drive, Docs, Forms, Groups, Sheets, Sites, Slides, Talk/Hangouts and Vault. SSO is available for G Suite Basic, G Suite Business, and G Suite for Education. It enables users to access all of their enterprise cloud applications—including administrators signing in to the Admin console—by signing in one time for all services. GAFE also provide a Security Assertion Markup Language (SAML)-based SSO API that you can use to integrate into your Lightweight Directory Access Protocol (LDAP), or other SSO system. LDAP is a networking protocol for querying and modifying directory services running over TCP/IP (https://support.google.com/a/answer/60224?hl=en)
- 6. Analysis and Design System System Architecture Of Unikom SSO
- 7. Analysis and Design System System Architecture Of Unikom SSO
- 8. Analysis and Design System Unikom Password - Single Sign On Backbone Unikom Transfer Client encrypted with SSL / TLS on the HTTPS protocol. Sensitive data such as Username and Password should be a second-tier encryption (Second Layer Encryption) Using ASecure Library (developed by Digital Center using the RSA algorithm) with the Public and Private Key are different for each session ** minimal 1024bit. Key to the delivery of data generated on the server (PHP), Key to the reception of data generated in the Browser (Javascript). The connection between the Client Apps (Score online, Trusts, Online Lecture, etc.) with the Digital Passport done on the Digital Passport Protocol and is always in a state encrypted with OpenSSL, where each client has a Public Key that is different and access permissions that vary in accordance with the needs. Apps Web-based client must include the Digital Passport Dashboard on file HTML / PHP so that users can skip and perform activities related to the account. Client Apps need not (should not) create a form to Login / Register to User Management Alone. Client Apps can directly determine the status of users who access the Web page to communicate on the Digital Passport Protocol (Or use the Digital Passport API for PHP).
- 9. Analysis and Design System Unikom Password - Single Sign On Backbone Unikom
- 10. Analysis and Design System Unikom Password - Single Sign On Backbone Unikom
- 11. Analysis and Design System Unikom Password - Single Sign On Backbone Unikom
- 14. Results • User (Lecturers and Students ) more convenience to access Unikom Information System • Administrators more easily manage user and password • And More Secure in Transactions
- 15. Further Research • Although single sign-on is a convenience to users, it present risks to enterprise security. An attacker who gains control over a user's SSO credentials will be granted access to every application the user has rights to, increasing the amount of potential damage. In order to avoid malicious access, it's essential that every aspect of SSO implementation be coupled with identity governance. Organizations can also use two factor authentication (2FA) or multifactor authentication (MFA) with SSO to improve security.
- 16. Terima Kasih - Thank You - Hatur Nuhun