Single Sign-On for User Authentication
In today's corporate world, most businesses have adopted Single Sign-On (SSO) for user authentication and authorization. It is a newer technique that replaces the old practice of logging in and out repeatedly whenever access is required, regardless of the system in use. The introduction of SSO has largely improved operations in the organizations that apply it. Building on this, the paper answers a set of questions about the components of SSO, comparing a Kerberos-based SSO configuration with a smart card based configuration (Gaskell et al., 2012).
Problems experienced by employees in an enterprise where Single Sign-On (SSO) has not been implemented
Employees of a business that has not yet implemented SSO for authentication and authorization face an array of problems. The first is an increased load on the help desk. Without SSO, users fall back on the old practice of logging in and out repeatedly, which burdens them with memorizing a sequence of long passwords and raises the likelihood that they forget the password of a particular application. This in turn slows the operations of the entire organization whenever a single application comes to a halt. The absence of SSO means slower operations (Dawson et al., 2014), which leads to customer dissatisfaction, because logging in and out of each system is slow overall. Employees also risk losing their passwords, which exposes the company to a third party gaining access to its applications; in the long run, an array of applications becomes vulnerable to such third-party threats.
Active Directory (AD) in Provision of SSO access to the enterprise
Advantages: An AD-centric approach has several benefits, both for employees and for the organization at large. The first is its established administrative footprint: staff skilled in managing AD are already available, so the cost of identity and access management (IAM) is absorbed into the overall budget of the IT department, and implementation is therefore less costly. Active Directory also delivers a robust, integrated authentication mechanism; through native Windows or Kerberos authentication, it extends that mechanism to on-premise applications. Finally, most corporate applications support AD authentication, which makes integrating Active Directory effective (Gallo et al., 2011).
Disadvantages: The foremost shortcoming of Active Directory is its inability to meet the future demands of mobile computing and the cloud. The explosion of cloud applications requires solutions for brokering access and managing identities, and exposing Kerberos or LDAP over the internet raises security concerns.
Lightweight Directory Access Protocol (LDAP)
Advantages: According to recent research, using LDAP to provide SSO access to the enterprise has several benefits for the business. The greatest merit of LDAP is its ability to consolidate specific data within an organization's structure; for example, LDAP gathers the profile of every user in the organization into a single directory. Every LDAP-enabled application can then query the directory for whatever data it needs, and any individual who needs information from the directory can use the same mechanism. LDAP is also relatively simple to implement, which corresponds to its flexible application programming model. Because of this, the number of LDAP gateways and applications is likely to rise in the coming years.
Disadvantage: The chief drawback of LDAP applications is that LDAP gateways are required in order to operate LDAP. In addition, the use of LDAP applications has declined sharply, mostly on Linux.
Kerberos-based SSO configuration compared with a smart card based configuration
Kerberos is an authentication technique whose configuration is designed to provide strong authentication to end users. It achieves this through secret-key cryptography. Kerberos defines the mechanism by which a principal proves its identity to the Kerberos server and then proves that established identity to other servers for the duration of the session. Another important feature is its ability to authenticate over networks that are substantially insecure.
Smart card configuration, on the other hand, validates identity by presenting a certificate, whose purpose is to identify the entity that presents it. The authentication process uses credentials held on a 'smart card', also known as a token, which is a small hardware device. When a user operates the smart card, by swiping or inserting it, the system prompts for user identification once the credentials have been presented, and authentication then takes place (Gaskell et al., 2012).
Kerberos is the basis of user authentication in Windows 2000 security. A consistent authentication procedure for network log-on is also required for centralized account administration. Based on RFC 1510, Kerberos version 5 provides strengthened authentication for its defined structures and can therefore interoperate with other operating systems (Garman, 2013). Authentication in this setup also includes NT LAN Manager, which is used in Active Directory domain environments that need to authenticate Windows NT systems. Kerberos version 5 is the standard in every Windows 2000 system, which assures strong protection of network resources. The Kerberos process is based on three parties, reflected in the 'three-headed dog' figure, a name borrowed from the Kerberos of Greek mythology. The three heads of Kerberos are the client user, the server whose access the client seeks to authenticate, and the Key Distribution Center (KDC). The KDC is installed as part of the domain controller and performs two roles: the Authentication Service (AS) and the Ticket-Granting Service (TGS).
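The three-headed exchange just described, scripted in Python as an added example that is not from this paper or from any of its cited sources: the KDC's AS and TGS roles, the client, and the target server, with a wrong password and a tampered ticket both rejected. It assumes a constructed realm (principal names, passwords, a 600-second ticket lifetime) and substitutes a toy stdlib-only seal (SHA-256 keystream plus HMAC tag) for Kerberos' real encrypted tickets; the point is the flow, not the cipher.

```python
import hashlib, hmac, json, os, time
LIFETIME = 600   # ticket lifetime in seconds (constructed value)

# Toy stdlib-only "seal" (SHA-256 keystream + HMAC tag) standing in for Kerberos' encrypted tickets.
def _xor(key, nonce, data):
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):   # raises if the key is wrong or the blob was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("rejected: wrong key or tampered ticket")
    return json.loads(_xor(key, nonce, ct))

def new_kdc(users, services):   # constructed realm: user long-term keys derived from passwords
    keys = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}
    keys.update({s: os.urandom(32) for s in services})
    return {"keys": keys, "tgs": os.urandom(32)}

def as_exchange(kdc, user):   # AS head: session key (under the user key) and TGT (under the TGS key)
    sk = os.urandom(32).hex()
    tgt = seal(kdc["tgs"], {"user": user, "sk": sk, "exp": time.time() + LIFETIME})
    return seal(kdc["keys"][user], {"sk": sk}), tgt

def tgs_exchange(kdc, tgt, auth, service):   # TGS head: TGT + authenticator -> service ticket
    t = open_sealed(kdc["tgs"], tgt)
    a = open_sealed(bytes.fromhex(t["sk"]), auth)   # client proved it holds the session key
    if a["user"] != t["user"] or time.time() > t["exp"]:
        raise ValueError("TGT expired or principal mismatch")
    ssk = os.urandom(32).hex()
    ticket = seal(kdc["keys"][service], {"user": t["user"], "sk": ssk, "exp": time.time() + LIFETIME})
    return seal(bytes.fromhex(t["sk"]), {"sk": ssk}), ticket

def client_login(kdc, user, password, service):   # client head: the password is used only locally
    enc_sk, tgt = as_exchange(kdc, user)
    sk = bytes.fromhex(open_sealed(hashlib.sha256(password.encode()).digest(), enc_sk)["sk"])  # wrong password fails here
    enc_ssk, ticket = tgs_exchange(kdc, tgt, seal(sk, {"user": user, "ts": time.time()}), service)
    ssk = bytes.fromhex(open_sealed(sk, enc_ssk)["sk"])
    return ticket, seal(ssk, {"user": user, "ts": time.time()})   # ticket plus a fresh authenticator

def service_accept(service_key, ticket, auth):   # target server: checks the ticket without asking the KDC
    t = open_sealed(service_key, ticket)
    a = open_sealed(bytes.fromhex(t["sk"]), auth)
    return a["user"] == t["user"] and time.time() <= t["exp"]
```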
A smart card, on the other hand, is solely responsible for holding its own credentials and is bound to its sole owner. For communication with the card, a subset of Microsoft CAPI is exposed once the smart card has been validated at the given interface. The CSP can then validate the smart card's PIN, and it also supports a silent mode of operation that does not prompt for PIN entry, card insertion, or certificate selection. There is also a defined standard for describing and validating smart card credentials. The smart card also performs RSA cryptographic operations. In general, smart card authentication relies on an X.509 certificate together with a matching RSA key pair. From this, it follows that the certificate must permit the key pair to be used for both user authentication and digital signatures. The smart card is further protected by a PIN, the 'user' PIN, whose main purpose is to protect the private keys (Garman, 2013).
The main challenge of implementing Kerberos is that not every host or protocol can support it. A secure system also requires consistent resolution across the environment.
Smart card processing brings several challenges. First, physically issuing cards to many owners is difficult. It also requires frequent modification of legacy applications so that they accept certificate credentials. Consistent establishment and management of the premises where the card is used is also required, including web-access management systems and portals.
Kerberos involves high costs to obtain a commercial license to operate it, followed by unforeseen costs that depend on how the costs are structured. Relatively high costs also arise for the POS systems capable of reading smart cards. Likewise, banks and financial organizations spend millions to upgrade their general networks. Smart cards, like any physical asset of a business, must be purchased and continuously maintained, and a substantial amount of money is required for a viable configuration process. The general costs of implementing and running smart cards are therefore high.
References
Dawson, E., Golić, J., & International Conference Cryptography: Policy and Algorithms. (2014). Cryptography: Policy and algorithms: International conference, Brisbane, Queensland, Australia, July 3-5, 1995: Proceedings. Berlin: Springer.
Gallo, M., & Hancock, W. M. (2011). Networking explained. Burlington: Elsevier.
Garman, J. (2013). Kerberos: The definitive guide (cross-platform authentication & single-sign-on; covers Unix and Windows). Beijing: O'Reilly.
Gaskell, G. I., & Queensland University of Technology. (2012). Integrating smart cards into Kerberos.