How does Kerberos SSO work

Security

Single Sign-On (SSO) is a centralized service for user authentication in which a single set of login data can be used to access multiple applications. So the obvious benefit is in its simplicity. Authentication takes place once over a single platform in order to gain access to a large number of services without having to log in and out each time.

In everyday private life, the sign-in variants via social networks such as Google, Facebook or Twitter are already known as prominent SSO platforms, with each platform providing access to various third-party services. In the corporate environment, SSO is used, for example, to give users access to their own web applications hosted on internal servers or ERP systems in the cloud.

SSO is either offered as a stand-alone solution, such as from Evidian, Onelogin and Okta, or is included in access management solutions such as IBM Security Verify Access (formerly Security Access Manager, ISAM) or Oracle Access Management (OAM). The latter usually already contain advanced authentication mechanisms or additional security components such as a web application firewall.

Used correctly, SSO has advantages for productivity, IT monitoring and management as well as security control. With a single security token (e.g. username and password), users can be granted and revoked access to multiple systems, platforms, applications and other resources. The reduction to one set of access data also reduces the risk of weak, easy-to-decrypt passwords being used or of forgetting the access data.

A well-planned and executed SSO strategy can minimize costs and downtime associated with password resets and risks from insider threats. In addition, the ease of use for the user as well as the authentication process itself can be improved and ultimately gives the company absolute control over the access privileges of the users.

Arguments for single sign-on

In particular, the rapidly growing use of cloud applications, which entails an increasing number of passwords, is leading to an increased use of SSO.

That means both an opportunity and a hurdle. According to the results of the annual "Cloud Monitor" survey by Bitkom and KPMG, 76 percent of German companies used cloud applications in 2019. The greatest concerns in this context are data protection and security, especially with regard to access management. 70 percent of the non-users among the respondents fear unauthorized access to sensitive company data in the public cloud.

Identity and Access Management (IAM), which includes the cloud applications, is one way of closing this gap. However, usability plays a major role here. According to a 2019 survey conducted by LastPass and market researchers from Vanson Bourne, almost half of the 700 IT security executives surveyed consider the balance between user friendliness and security to be the greatest challenge with IAM. Single sign-on can serve both aspects.

For Barry Scott, CTO at Centrify EMEA, provider of identity services for data centers, cloud and mobile devices, there are two reasons for SSO: "The first is that it improves the ease of use for users, as it stops the proliferation of different usernames and passwords caused by the explosion in cloud-based software-as-a-service (SaaS) applications. "

The second reason is improved security. One of the main causes of security breaches is compromised access data and the more usernames and passwords employees have, the worse password hygiene becomes. "We're starting to use the same passwords everywhere, and they're often getting less complex, making them easier to crack," summarizes Scott.

Joe Diamond, Director of Security Product at Okta, provider of cloud-based identity management, agrees that cloud applications pose challenges for IT teams. IT departments would have to deal with issues related to creating and managing user accounts, ensuring accurate permissions (no unnecessary authority), and proper offboarding processes when an employee leaves the company. If different identity stores or silos exist across multiple solutions, it would be impossible to manage this wild growth well.

"Just because a company uses Office 365, Box and Slack doesn't mean they want three different logins and passwords for these services," says Diamond and predicts that SSO will become a basic requirement for companies that use the cloud. Want to use solutions. He also cites bring your own device (ByoD) guidelines and an increasing "always-on," "work from anywhere" culture as drivers behind SSO.

More and more people are working on devices that IT cannot control and in networks where IT has no visibility whatsoever. This makes authentication a crucial point of control, independent of device and location, to enable security controls such as continuous authentication, multi-factor authentication (MFA), contextual access controls, analysis of user behavior and so on.

Benefits of SSO

The biggest advantage of SSO is the scalability it offers. Thanks to automated access data management, the system administrator no longer has to manually take care of all the different accesses that employees have for the individual services that they want to use. This in turn reduces the risk of errors in the management of authentication data and gives IT more time to focus on more important tasks.

Further added value lies in the rapid provisioning for cloud applications. If SSO supports open standards such as Security Assertion Markup Language (SAML) 2.0, the application, provided the SSO solution has an interface for it, can be quickly provisioned by an SSO admin and rolled out to employees. SSO can also improve security, increase productivity and reduce the number of help desk tickets for password resets.

Centrify EMEA CTO Scott sees the benefits primarily for the IT team and employees. The big plus point of SSO lies in the ease of use for the user, which in turn leads to fewer help desk calls due to password resets. It improves security as fewer access data are exposed to risks, but it is essential to have multi-factor authentication (MFA) as a backup for passwords in the event that they are stolen or guessed.

In addition, SSO would also enable customers to make the onboarding process of employees for new SaaS applications faster and easier. "Because IT can more easily grant access, the likelihood of 'shadow IT' developing is less," says Scott, adding that good SSO (or Identity-as-a-Service, IDaaS) solutions do Allowing users to request access to new applications and enabling a streamlined workflow for approval.

Francois Lasnier, SVP Identity and Access Management at Gemalto, says SSO can "ease the pressure by giving IT teams more control and employees more convenience." Successful SSO implementation gives IT the authority to decide who can access which applications, when and where. It promotes flexibility and allows a company to let employees access all applications when they are in the office, but only a few selected ones when they work outside.

Corresponding solutions protect the business while the workforce can work at the same time as it is most comfortable for them. All in all, if SSO is combined with risk management mechanisms, such as a detailed, systematic risk analysis of all groups and individuals before rights are assigned, it improves access security and reduces the threat of data leaks.

The downside

However, the arguments in favor of SSO are offset by some problematic aspects that companies should be aware of when considering introducing such a central authentication method.

An important point here is that the bundling of all accesses under one password makes this a kind of single point of failure. If this password is cracked, the damage can potentially be enormous, as the attacker gains access to numerous services and accounts. IT can lock the password relatively quickly and easily via the SSO system. To do this, however, the incident must first be known, which can take a long time under certain circumstances.

In order to prevent this - as already mentioned above - complex, multi-level security measures are necessary. Simple passwords without additional security levels are simply no longer sufficient.

Prominent incidents like the Equifax hack make this abundantly clear. In this cyber attack, the hackers gained unnoticed access to the system of the US financial services provider via a website exploit and stole data records from over 143 million customers - including social security numbers, addresses and credit card data - from the IT was discovered and closed.

In order to increase the level of security, a multi-level authentication is necessary, which includes not only the password but also other identification features. This is often the notorious control question about the "mother's maiden name" or something similar. Such information can, however, be found out relatively easily through research in social networks, social engineering or phishing or whaling attacks.

Verification via SMS code or SIM card is also prone to errors, as the SS7 protocol, which serves as the basis for exchanging messages via the telephone network, has known weaknesses. It was precisely through this vulnerability that the two-factor authentication (2FA) of the social news site Reddit was overcome and an old but very extensive backup was stolen, which also contained cryptographically protected user passwords.

The most secure variant among the "simple" 2FA methods is currently verification via a token in the form of a physical device or a smartphone app that displays the code. Here the attacker has to take the actual item in addition to the password in order to gain access. Due to the relatively high effort and selective attack vector with low scaling potential, the risk of successful theft is low here.

If another security question is added in the form of risk-based authentication, behavior analysis, location data or biometric information, one speaks of multi-factor authentication (MFA).

What all these methods have in common is that additional levels are added to the authentication process, which make the system more complex for IT and users, which ultimately goes against the original idea of ​​SSO for more simplicity.

theory and practice

According to Centrify manager Scott, if a company decides to introduce SSO, it should roughly adhere to the following process:

  • Define a list of relevant applications and decide which ones are suitable.

  • If applications are not SSO-capable, for example because they do not support the information exchange standards used by the solution, assess their future. Ask your software vendors to support SSO.

  • Determine the primary source of identity for your users. (Usually it is Microsoft Active Directory, but it could also include LDAP, Google Directory, or others.)

  • Define the required applications and policies in the SSO solution.

  • Find out who needs access to which applications.

  • Grant users access to applications - ideally on a group basis rather than individually for each person. This should allow existing group management processes to regulate access to applications in the future.

So much for theory. In the practical implementation, however, there are still a few things to consider. Gemalto's Lasnier adds that companies need to consider their current authentication schemes. For some, this could mean using several different schemes, usually separated by department or use case. However, all of this is irrelevant if the solutions implemented by the companies cannot support all of the applications they use, or if the implementation costs are too high. Completely replacing existing solutions can be very costly, so companies would have to try to combine these solutions into a single management solution so that they could expand the possibilities for use cases.

In addition, Diamond advises caution with legacy applications: "The key is to be flexible without compromise." For many, Active Directory (AD) is the authentication mechanism of choice, but one should still be careful: Legacy applications are everywhere. For example, users would also have to be able to support RADIUS, an older authentication protocol for clients in a physical or virtual network, in order to cover critical use cases, for example.

Conclusion

To call SSO a miracle weapon would not do justice to reality. The challenges in implementing SSO include costs, control, standardization (for example, authentication via a web application with SAML versus token-based authorization with OAuth) and vulnerabilities.

For example, at the beginning of 2018, a validation error in the open SAML protocol gave an attacker the opportunity to trick systems into transferring an authentication issued for a specific user to another user - without knowing their password.

Centrify CTO Scott also sees compatibility issues in the form of applications that do not support SSO. Users would have to require their app providers to offer real SSO functionalities via SAML or Kerberos, and not simply a user name and another password that they would have to take care of. In addition, MFA and SSO should be used together and in parallel.

Despite the challenges, Scott is confident that SSO has a bright future. By employing a 'zero trust' model of security, SSO will find widespread use so that users can always work the same way no matter where they are or what device they are using. More and more providers would include SSO in their applications and MFA would find greater acceptance due to the potential danger of only a single set of access data.