Monday, August 26, 2013

SSO vs CAS


  • For example, a user logs on to her workstation, then decides to access a company database

Typically, the database would require another username and password for authentication. But in an SSO environment, the application simply determines whether it can authenticate the user based on information the network's authentication server provides

With centralized authentication, this authentication process is different. Using the example above, logging on to the database isn't transparent; the user would have to enter her authentication information again. However, the required credentials would be identical to the credentials she used to log on to her workstation. Centralized authentication effectively solves only one problem: users having to remember multiple sets of authentication credentials.

http://windowsitpro.com/networking/sso-vs-centralized-authentication


  • The Central Authentication Service (CAS) is a single sign-on protocol for the web

Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once
It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password.
http://en.wikipedia.org/wiki/Central_Authentication_Service


  • Central Authentication Service project, more commonly referred to as CAS.  

CAS is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user. CAS became a Jasig project in December 2004.
CAS provides enterprise single sign-on service:
http://www.jasig.org/cas

  • FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.
FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about user, groups, hosts and other objects necessary to manage the security aspects of a network of computers.
https://www.freeipa.org/page/About

  • cookie-based SSO

share the user logged in across multiple applications using only a cookie on the browser

cookies can be shared if domains have a master domain in common. foo.example.com and bar.example.com can share a .example.com cookie
When the user authenticates on site-a.com, you set a cookie on site-a.com domain. Then on site-b.com, you link a dynamic javascript from site-a.com, generated by server side script (php, etc) who has access to the created cookie, and then copy the same cookie on site-b.com on the client-side using js. Now both sites have the same cookie, without the need of asking the user to re-login
I have seen custom SSO solutions that transmit the payload using XML over HTTPS.
https://stackoverflow.com/questions/1784219/cookie-based-sso

No comments:

Post a Comment