Bootstrapping a global SSO from network access control mechanisms

Abstract

This paper presents the details of a Single Sign On proposal which takes advantage of previously deployed authentication mechanisms. The main goal is to establish a link between authentication methods at different levels in order to provide a seamless global SSO. Specifically, the users will be authenticated once, during the network access control phase. Next, having authenticated to get on to the network using 802. 1X, that authentication will automatically fetch the necessary signed tokens so that there would be no need to repeat the login at the application layer. Therefore, the application level authentication would be boot-strapped from the network access. As we will see, this involves the generation of SAML signed tokens that will be obtained by the users using a PEAP channel able to deliver the appropriate authentication credentials. Then, users will contact a federation-level validation service and there will no need to re-authenticate the user, only a query of the related user attributes will be necessary in some cases. © Springer-Verlag Berlin Heidelberg 2007.