Thursday, June 9, 2011

One to Rule them All!


Single sign-on (SSO) as a concept is the idea that once you have logged in through GINA (the Windows logon component) on a Microsoft platform, or into your session on a Linux/Unix platform, any other application or system you interface with during that session can verify your identity by checking the credential you already hold, instead of challenging you to authenticate again.

Identity management is one of the largest problems in IT security, if not the largest, because the computer only has a user ID and some kind of token on which to base the assumption that a given individual is logging in. Whether or not the password for a given account has been compromised is a debate for another conversation altogether.

SSO as an idea is rooted in DAP. The Directory Access Protocol was developed jointly by the International Telecommunication Union and the International Organization for Standardization in 1988 for accessing the X.500 directory service[ITU-T]i. Although it was not popular at the time, because implementing a fully OSI-compliant network stack was complex, it acted as the foundation for the Lightweight Directory Access Protocol (LDAP), which became the standard against which the entire industry developed products.

One of the first prominent and popular directory services was Novell Directory Services (NDS for short). Netscape had its own directory server with a full LDAP implementation, Sun had and still has Sun ONE Directory Server, IBM has and still has Tivoli Directory Server, and eventually Microsoft developed Active Directory. All of these products met the same operational specification, that is, they were all LDAP compliant; however the naming of organizational units, canonical names and trees, and the schema extensions behind them, were proprietary so as to facilitate vendor lock-in.

LDAP is an open standard protocol for querying and updating a directory, which acts as a database of identities, and for authenticating against those identities through its bind operation. LDAP is based upon X.500; as a standard it is designed to identify a user so that the user may modify objects within a network or directory[VK]ii.
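To make the bind operation concrete, here is an added example (not code from the original post, and not any vendor's library) that encodes an LDAPv3 simple BindRequest and decodes the server's BindResponse with a minimal BER codec following RFC 4511 and X.690. The DN cn=admin,dc=example,dc=com, the password and the diagnostic text are constructed sample values. The point a practitioner should take from it is visible in the bytes: a simple bind carries the password verbatim, so it is only safe over TLS.

```python
"""Added example: an LDAPv3 simple bind on the wire.

Minimal BER codec (ITU-T X.690) for the RFC 4511 BindRequest and
BindResponse messages. No network I/O: every packet is built in memory.
"""

# Tag bytes from RFC 4511 section 4.2 and X.690.
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0], primitive

# LDAPResult resultCode values (RFC 4511 appendix A).
RESULT_SUCCESS = 0
RESULT_INVALID_CREDENTIALS = 49


def ber_length(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(tag, n):
    """Minimal two's-complement body for INTEGER or ENUMERATED."""
    size = max(1, (n.bit_length() + 8) // 8)
    return tlv(tag, n.to_bytes(size, "big", signed=True))


def bind_request(message_id, dn, password, version=3):
    """Client side: LDAPMessage { messageID, BindRequest { version, name, simple } }."""
    op = (ber_integer(TAG_INTEGER, version)
          + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
          + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return tlv(TAG_SEQUENCE,
               ber_integer(TAG_INTEGER, message_id) + tlv(TAG_BIND_REQUEST, op))


def bind_response(message_id, result_code, matched_dn="", diagnostic=""):
    """Server side: LDAPMessage { messageID, BindResponse { code, matchedDN, diag } }."""
    op = (ber_integer(TAG_ENUMERATED, result_code)
          + tlv(TAG_OCTET_STRING, matched_dn.encode("utf-8"))
          + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))
    return tlv(TAG_SEQUENCE,
               ber_integer(TAG_INTEGER, message_id) + tlv(TAG_BIND_RESPONSE, op))


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def parse_bind_response(packet):
    """Decode a BindResponse into its fields; raise on anything else."""
    tag, message, _ = read_tlv(packet)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(message)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(message, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": int.from_bytes(code, "big", signed=True),
        "matched_dn": matched.decode("utf-8"),
        "diagnostic": diag.decode("utf-8"),
    }


def simple_bind_exposes_password(packet, password):
    """A simple bind carries the password verbatim; only TLS (or SASL) hides it."""
    return password.encode("utf-8") in packet


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    req = bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    print("BindRequest:", req.hex())
    print("password readable on the wire:", simple_bind_exposes_password(req, "secret"))
    ok = bind_response(1, RESULT_SUCCESS)
    bad = bind_response(1, RESULT_INVALID_CREDENTIALS, diagnostic="invalid credentials")
    print("success:", parse_bind_response(ok))
    print("failure:", parse_bind_response(bad))
```

The request for the sample DN is 46 bytes and starts 30 2c 02 01 01 60 27: the outer SEQUENCE, message ID 1, then the [APPLICATION 0] BindRequest whose last element is the [0] simple credential with the password in clear. A server answers resultCode 0 on success and 49 (invalidCredentials) on a bad password, which is why a directory exposed without TLS (or without the server refusing cleartext binds) hands every password to anyone on the path.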

Within the world of Microsoft there is Active Directory, whose LDAP schema is proprietary to Microsoft's view of LDAP. Active Directory combines Kerberos, LDAP, Distributed COM and Remote Procedure Calls (DCOM and RPC) into one authentication and access framework. The practical consequence is that an Active Directory server cannot natively replicate its directory with, say, a Sun ONE or Tivoli server, even though all of them answer standard LDAP queries. The idea behind this is to facilitate repeat business during the software life cycle within an organization: by locking clients into your directory service you also lock in their entire application stack, including middleware and communications suites on both the client and server sides of the authentication coin. IBM has Lotus Notes and Domino, Sun has OpenOffice, and Microsoft has MS Office with Outlook and Exchange. Although all of these suites may be classified as middleware, their servers must also provide methods to authenticate clients for access; the most widespread model is a network file server that must enforce some kind of discretionary or group-based access control.

So what are Liberty and Shibboleth? These are open frameworks for federated identity, built on SAML (Liberty's ID-FF work was folded into SAML 2.0), designed to meet the same authentication needs as the products above, but they aim to be "open", so that no organization is locked into a specific vendor for any given software product while still achieving the same functionality and operation of a single point of sign-on. Another way to get the same effect would be to implement a local directory with OpenLDAP on an open source platform, with Samba for file and print access, Kerberos for ticket-based authentication and PostgreSQL as a storage back end, as the back-end and front-end interfaces through which the network grants access. Liberty's work has recently been adopted and re-branded as Kantara.iii
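As an added example of what that open-source alternative looks like in practice (not a configuration from the original post), here is an OpenLDAP 2.4 slapd.conf fragment that holds POSIX and Samba accounts under an assumed suffix dc=example,dc=com and restricts who may read the password hashes. The suffix, DNs, service account and file paths are placeholders; the PostgreSQL back-sql storage option and the Kerberos KDC's own schema are left out.

```
# slapd.conf fragment (OpenLDAP 2.4); paths and DNs are placeholders
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema        # posixAccount, posixGroup
include         /etc/openldap/schema/samba.schema      # sambaSamAccount (shipped with Samba)

# Simple binds send the password verbatim, so require TLS with a
# 128-bit security strength factor before accepting one.
TLSCACertificateFile    /etc/openldap/ca.pem
TLSCertificateFile      /etc/openldap/slapd.pem
TLSCertificateKeyFile   /etc/openldap/slapd.key
security                ssf=128 simple_bind=128

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# rootpw: set to the output of slappasswd, never a cleartext value
directory       /var/lib/ldap

# Password hashes: the account may change its own, the Samba service
# account may write them, anonymous clients may only use them to bind,
# and nobody may read them back.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by self write
        by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
        by anonymous auth
        by * none

# Everything else is readable by authenticated users only.
access to *
        by self write
        by users read
        by * none
```

The order of the access rules matters: OpenLDAP applies the first `access to` clause whose target matches, so the password attributes must be listed before the catch-all, and `by anonymous auth` is what still lets a client bind with them. The sambaLMPassword attribute is included only because Samba's schema defines it; LM hashes are trivially cracked, so set `lanman auth = no` in smb.conf so that Samba never stores them.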

Single sign-on acts as a way to authenticate a single user once to a network of systems. This includes file access across NFS or CIFS or other network shares and systems, as well as authenticating that user for e-mail, potentially against a totally different server or product suite. These SSO suites are aimed at complete identity management; that's a lofty goal for any organization, and only time will tell if industry adopts these standards of digital identity management and frees itself of the locks that bind it to commercial behemoths.

i [ITU-T] ITU-T (2008). Information technology – Open Systems Interconnection – The Directory: Abstract service definition (Recommendation X.511) [Online] PDF document. Available from: http://www.itu.int/itu-t/recommendations/rec.aspx?rec=X.511 (accessed June 9th 2010)
ii [VK] Vassiliki Koutsonikola and Athena Vakali (Aristotle University) (2004). LDAP: Framework, Practices, and Trends. IEEE Internet Computing, vol. 8, no. 5, pp. 66-72, Sep./Oct. 2004, doi:10.1109/MIC.2004.44 [Online] PDF document. Available from: http://www.computer.org/portal/web/csdl/doi?doc=doi/10.1109/MIC.2004.44 (accessed June 9th 2010)
iii [KT] Kantara Initiative (2011). About Kantara [Online] World Wide Web. Available from: http://kantarainitiative.org/wordpress/about/ (accessed June 9th 2010)
