If you’re planning to take the Security+ exam, you should have a good understanding of authentication services. This includes services that use an XML-based standard to exchange authentication and authorization information between different parties.
For example, can you answer this question?
Q. Your organization recently made an agreement with third parties for the exchange of authentication and authorization information. The solution uses an XML-based open standard. Which of the following is the MOST likely solution being implemented?
A. RADIUS
B. Diameter
C. TACACS+
D. SAML
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Single Sign-On
Single sign-on (SSO) refers to the ability of a user to log on or access multiple systems by providing credentials only once. SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down. It’s also much more convenient for users to access network resources if they only have to log on one time.
As an example, consider a user who needs to access multiple servers within a network to perform normal work. Without SSO, the user would need to know one set of credentials to log on locally, and additional credentials for each of the servers. Many users would write these credentials down to remember them.
Alternatively, in a network with SSO capabilities, the user only needs to log on to the network once. The SSO system typically creates some type of SSO token used during the entire logon session. Each time the user accesses a network resource, the SSO system uses this token for authentication. Kerberos and LDAP both include SSO capabilities.
Remember this
Single sign-on enhances security by requiring users to use and remember only one set of credentials for authentication. Once signed on using SSO, this one set of credentials is used throughout a user’s entire session. SSO can provide central authentication against a federated database for different operating systems.
SSO and SAML
Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)–based data format used for SSO on web browsers. Imagine two web sites hosted by two different organizations. Normally a user would have to provide different credentials to access either web site. However, if the organizations trust each other, they can use SAML as a federated identity management system. Users authenticate with one web site and are not required to authenticate again when accessing the second web site.
Many web-based portals use SAML for SSO. The user logs on to the portal once, and the portal then passes proof of the user’s authentication to back-end systems. Once one organization has authenticated a user, that user is not required to authenticate again to access other sites within the portal.
SAML defines three roles:
- Principal. This is typically a user. The user logs on once. If necessary, the principal requests an identity from the identity provider.
- Identity provider. An identity provider creates, maintains, and manages identity information for principals.
- Service provider. A service provider is an entity that provides services to principals. For example, a service provider could host one or more web sites accessible through a web-based portal. When a principal tries to access a resource, the service provider redirects the principal to obtain an identity first.
This process sends several XML-based messages between the systems. However, it is transparent to the user.
SAML and Authorization
It’s important to realize that the primary purpose of SSO is identification and authentication of users. Users claim an identity and prove that identity with credentials. SSO does not provide authorization. For example, if a nuclear power plant and a school system create a federation using SAML, this doesn’t automatically grant everyone in the school system full access to the power plant’s resources. Authorization is completely separate.
However, many federation SSO systems, including SAML, include the ability to transfer authorization data between their systems. In other words, it’s possible to use SAML for single sign-on authentication and for authorization.
Remember this
SAML is an XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.
Q. Your organization recently made an agreement with third parties for the exchange of authentication and authorization information. The solution uses an XML-based open standard. Which of the following is the MOST likely solution being implemented?
A. RADIUS
B. Diameter
C. TACACS+
D. SAML
Answer is D. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)–based data format used for single sign-on (SSO) solutions.
Remote Authentication Dial-In User Service (RADIUS) is a remote access authentication service.
Diameter is an alternative to RADIUS.
Terminal Access Controller Access-Control System Plus (TACACS+) is an authentication service that replaces the older TACACS protocol. RADIUS, Diameter, and TACACS+ do not use XML.