SINGLE SIGN-ON (SSO)

Single sign-on (SSO) authentication is needed now more than ever. Almost every website requires some form of authentication to access its features and content, and as the number of websites and services grows, a centralized login system has become a necessity. This article explains what SSO is and how SSO authentication works.

What is SSO

Single sign-on (SSO) occurs when a user logs in to one client's system and is then signed in to the other clients' systems automatically, regardless of the platform, technology, or domain the user is using.

Google's login for its products, such as Gmail, YouTube, and Google Analytics, is one of the best-known examples of SSO. A user who is logged in to one Google product is automatically logged in to the others as well.

Single sign-on usually relies on a central service that coordinates the sign-on between multiple clients. In Google's case, this central service is Google Accounts. When a user first logs in, Google Accounts sets a cookie that persists as the user navigates to other Google-owned services. The flow is as follows:

  • The user accesses the first Google product.
  • The user receives a generated cookie.
  • The user navigates to another Google product.
  • The user is redirected again to Google Accounts.
  • Google Accounts sees that the user already has an authentication-related cookie, so it redirects the user to the requested product.

How it works

In a basic web SSO service, an agent module on the application server retrieves the authentication credentials for an individual user from a dedicated SSO policy server, while authenticating the user against a user repository such as a Lightweight Directory Access Protocol (LDAP) directory.

Some SSO services use protocols such as Kerberos and the Security Assertion Markup Language (SAML). SAML is an XML standard for exchanging user authentication and authorization data across security domains. SAML-based SSO involves three parties: the user, an identity provider (IdP) that maintains the user directory, and a service provider (SP). When a user tries to access an application at the service provider, the service provider redirects the user to the identity provider with an authentication request. The identity provider authenticates the user and returns a signed SAML assertion; the service provider verifies the assertion's signature, issuer, audience and validity period, and only then logs the user in. The user does not have to log in again for the rest of the session. In a Kerberos-based setup, once the user's credentials have been verified, the Key Distribution Center issues a ticket-granting ticket (TGT). The client presents the TGT to obtain service tickets for the other applications the user wants to access, without the user re-entering credentials.
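The SAML exchange above, reduced to its security-relevant steps, as an added example that is not part of the original article and not the code of any SAML product: the identity provider issues a signed assertion after authenticating the user, and the service provider must verify the signature, issuer, audience, validity window and assertion ID before it creates a session. An HMAC over a JSON body stands in for the XML signature of a real SAML assertion, and the key, entity IDs and user names are constructed for the example.

```python
"""Added example: an IdP issuing a signed assertion and an SP consuming it.
HMAC-signed JSON stands in for a SAML assertion; all identifiers are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

IDP_KEY = b"constructed-idp-signing-key"     # shared out of band (assumption)
IDP_ID = "https://idp.example.test"          # constructed entity IDs
SP_ID = "https://app.example.test"
CLOCK_SKEW = 60                               # seconds of tolerated clock drift


def b64encode_url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64decode_url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(user, audience, now=None, ttl=300):
    """IdP side: called after the user has authenticated at the IdP."""
    now = int(time.time() if now is None else now)
    claims = {
        "iss": IDP_ID,
        "sub": user,
        "aud": audience,               # the SP this assertion is meant for
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_hex(8),   # unique ID so the SP can detect replays
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return b64encode_url(body) + "." + b64encode_url(tag)


class ServiceProvider:
    """SP side: consume an assertion and, if every check passes, start a session."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.seen_ids = set()      # assertion IDs already consumed
        self.sessions = {}         # session ID -> user

    def consume(self, assertion, now=None):
        now = time.time() if now is None else now
        try:
            body_b64, tag_b64 = assertion.split(".")
            body, tag = b64decode_url(body_b64), b64decode_url(tag_b64)
        except ValueError as exc:
            raise PermissionError("malformed assertion") from exc
        # 1. Signature first: nothing inside an unverified assertion is trusted.
        expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("bad signature")
        claims = json.loads(body)
        # 2. Issuer and audience: a valid assertion for another SP is invalid here.
        if claims.get("iss") != IDP_ID:
            raise PermissionError("unknown issuer")
        if claims.get("aud") != self.entity_id:
            raise PermissionError("wrong audience")
        # 3. Validity window, with a small skew allowance.
        if not (claims["iat"] - CLOCK_SKEW <= now <= claims["exp"] + CLOCK_SKEW):
            raise PermissionError("expired or not yet valid")
        # 4. One-time use: the same assertion must not log a user in twice.
        if claims["jti"] in self.seen_ids:
            raise PermissionError("replayed assertion")
        self.seen_ids.add(claims["jti"])
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = claims["sub"]
        return session_id


def try_login(sp, assertion, now=None):
    """Return ("ok", user) or ("rejected", reason) for one login attempt."""
    try:
        session_id = sp.consume(assertion, now)
        return ("ok", sp.sessions[session_id])
    except PermissionError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    sp = ServiceProvider(SP_ID)
    good = idp_issue_assertion("alice", SP_ID)
    print(try_login(sp, good))   # ('ok', 'alice')
    print(try_login(sp, good))   # ('rejected', 'replayed assertion')
```

The order of checks matters: the signature is verified before any claim is read, so issuer, audience and timestamps are only trusted once they are known to come from the IdP. The audience check is what stops an assertion issued for one service provider from being presented to another, and the consumed-ID set is what stops a captured assertion from being presented twice.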

Although single sign-on is a convenience for users, it also concentrates risk for the enterprise. An attacker who gains control of a user's SSO credentials gets access to every application that user has rights to, increasing the potential damage. To limit malicious access, every part of the SSO implementation should be coupled with identity governance, and organizations can combine SSO with two-factor authentication (2FA) or multi-factor authentication (MFA) to improve security.

Conclusion

SSO authentication is here to stay: decentralized systems are becoming more and more common, and authentication is an essential part of all of them. SSO solves a big problem, namely how to manage a growing number of users across a whole ecosystem of applications and services. If you are implementing authentication for a new application or service, consider integrating SSO from the start.

WHAT IS PYTHON? WHAT ARE THE BENEFITS OF USING PYTHON? WHAT DO YOU UNDERSTAND OF PEP 8?

Python is one of the most successful interpreted languages. A Python script does not need to be compiled before execution; the interpreter compiles it to bytecode on the fly. Other interpreted languages include PHP and JavaScript.

Benefits Of Python Programming:

Python is dynamically typed, which means you do not declare the data type of a variable. You can write var1 = 101 and var2 = "You are an engineer." without any error, and the same name can later be bound to a value of a different type.

Python supports object-oriented programming: you can define classes with composition and inheritance. It has no access specifiers such as public or private; a leading underscore is only a naming convention, and double-underscore names are mangled rather than hidden.

Functions in Python are first-class objects: you can assign them to variables, return them from other functions, and pass them as arguments.

Developing in Python is quick, but running it is often slower than compiled languages. Python lets you write extensions in C so that you can optimize the hot paths of your scripts.

Python has many uses, such as web applications, test automation, data modeling, big-data analytics, and more. You can also use it as a "glue" layer between other languages.
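The dynamic typing, class and first-class-function points above, shown together in one added example that is not from the original article. The class, decorator and role names are constructed for illustration; the point a security reviewer should take from it is that Python's "private" attributes are reachable from outside the class, so any access policy has to be enforced by code you write, such as the decorator here.

```python
"""Added example: no enforced access specifiers, plus a first-class-function
policy wrapper. All names are constructed for illustration."""
import functools


class Vault:
    def __init__(self, key):
        self._key = key            # one underscore: "internal" by convention only
        self.__token = "t0k3n"     # two underscores: name-mangled to _Vault__token, not hidden

    def reveal(self):
        return self.__token


def require_role(role):
    """Decorator: because functions are first-class objects, a policy check
    can wrap any callable and be applied with the @ syntax."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(caller_role, *args, **kwargs):
            if caller_role != role:
                raise PermissionError(f"{func.__name__} requires role {role!r}")
            return func(*args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def rotate_key(vault, new_key):
    vault._key = new_key           # dynamic typing: any object could be assigned here
    return vault._key


def access_demo():
    """Return what an outside caller can see and do with a Vault:
    (leaked attributes, result of an allowed call, whether a denied call raised, final key)."""
    v = Vault("k1")
    # Both "private" attributes are reachable from outside the class.
    leaked = (v._key, getattr(v, "_Vault__token"))
    # The policy holds only because every call goes through the wrapper.
    rotated = rotate_key("admin", v, "k2")
    try:
        rotate_key("user", v, "k3")
        denied = False
    except PermissionError:
        denied = True
    return leaked, rotated, denied, v._key


if __name__ == "__main__":
    print(access_demo())   # (('k1', 't0k3n'), 'k2', True, 'k2')
```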

PEP 8:

PEP 8 is the official style guide for Python code, a set of coding recommendations that help you deliver more readable Python code.

EXPLAIN THE ANDROID APPLICATION ARCHITECTURE?

The following are components of the Android application architecture:

Services: used to perform background work.

Intents: used to connect activities and to pass data between components.

Notifications: light, sound, icon, status-bar notification, dialog box and toast.

Content providers: share data between applications.

CI/CD CASE STUDY

INTRODUCTION

Continuous delivery is closely associated with the DevOps movement and the practice of continuous deployment, and many case studies fall into this sweet spot. If you want to hear more companies talk about their journey, check out the videos from the DevOps Enterprise Summit. Although continuous delivery has been most widely adopted by web companies, the techniques described in this article can be used in all sorts of domains, essentially anywhere your software development capability is considered a strategic asset.

CASE STUDY

Like many companies, "Company A" has used the cloud since day one, as a flexible way to spin up servers and store data. Company leadership set a target of improving developer productivity by a factor of 10, so as to get it off the critical path for product development and reduce expenses. The company had three high-level goals:

  • Creating a single platform to support all the devices.
  • Increasing quality and reducing the amount of stabilization required prior to release.
  • Reducing the amount of time spent on planning.

The key element in achieving these goals was implementing continuous delivery, with a particular focus on:

  • The practice of continuous integration.
  • Significant investment in test automation.
  • Creating a hardware simulator so that tests could be run on a virtual platform.

THE BENEFITS

Developers now have consistent environments in which to deploy code for the company's applications. By using Amazon's cloud, the team has saved money and improved the end-user experience. The company has better access to data, is more agile, and can get feedback on product performance in days.

SECURITY: NEW METASPLOIT EXTENSION

Enterprise security teams and penetration testers now have a new tool for evaluating the risks posed to their networks by Internet of Things (IoT) devices that operate on radio frequencies outside the standard 802.11 bands. This article covers the Metasploit extension for testing IoT device security.

Rapid7, which maintains the Metasploit Project, has released an extension to its recently introduced Hardware Bridge API for conducting pen tests on network-connected hardware.

The new RFTransceiver extension for the Metasploit Hardware Bridge is designed to let companies detect and evaluate the security state of multi-frequency wireless devices on their networks more effectively than current tools permit.

RFTransceiver gives security pros the ability to craft and monitor RF packets in order to identify and access an organization's wireless systems beyond Ethernet-accessible technologies. It also lets pen testers send "short bursts of interference" at devices to see how they respond from a security standpoint.

Many organizations already have devices and systems operating on radio frequencies outside 802.11 on their networks; examples include RFID readers, smart lighting that uses the Zigbee protocol, and network-enabled alarm, surveillance and door-control systems.

The RFTransceiver extension is designed to help organizations with such devices answer vital questions: what the operating range of the devices is, whether their traffic is encrypted, how they respond to outside interference, and how they fail.

Many RF-enabled devices do not serialize their commands (there is no sequence counter or rolling code), which leaves them open to replay attacks, where an attacker records a command sent over RF and plays it back later. With organizations expected to connect an ever-growing range of wireless IoT devices to the network over the next few years, RF testing capabilities have become vital.
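The replay problem described above, as an added example that is not part of the article and not Metasploit or RfCat code: a receiver that accepts the same fixed bytes for every command is replayable with nothing more than a recording, while a receiver that requires a counter and a MAC over each command (a rolling code) rejects the recorded frame. This is a pure simulation of the frames, with no radio involved, and the key and command values are constructed.

```python
"""Added example: fixed-code receiver (replayable) beside a rolling-code
receiver (counter + MAC). Frames are bytes; no radio is involved."""
import hashlib
import hmac

DEVICE_KEY = b"constructed-device-key"   # shared by remote and receiver (assumption)
OPEN_CMD = b"\x55\xaa\x01"               # constructed "open" command
TAG_LEN = 8                              # truncated HMAC, to keep frames short


class FixedCodeReceiver:
    """Accepts any frame equal to its static command: no state, no freshness."""

    def __init__(self, command):
        self.command = command

    def handle(self, frame):
        return frame == self.command


class RollingCodeRemote:
    """Serializes each press: counter || command || HMAC(counter || command)."""

    def __init__(self, key, command):
        self.key, self.command, self.counter = key, command, 0

    def press(self):
        self.counter += 1
        header = self.counter.to_bytes(4, "big") + self.command
        return header + hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]


class RollingCodeReceiver:
    """Accepts a frame only if the MAC verifies and the counter is strictly
    ahead of the last accepted one, within a resync window."""

    def __init__(self, key, command, window=16):
        self.key, self.command, self.window = key, command, window
        self.last_counter = 0

    def handle(self, frame):
        if len(frame) != 4 + len(self.command) + TAG_LEN:
            return False
        header, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                       # forged or bit-flipped frame
        counter = int.from_bytes(header[:4], "big")
        if header[4:] != self.command:
            return False
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False                       # replayed, stale, or too far ahead
        self.last_counter = counter
        return True


def replay_attack(receiver, captured_frame):
    """Attacker records one legitimate transmission and sends the same bytes again.
    Returns (accepted the first time, accepted on replay)."""
    return receiver.handle(captured_frame), receiver.handle(captured_frame)


if __name__ == "__main__":
    print("fixed code  :", replay_attack(FixedCodeReceiver(OPEN_CMD), OPEN_CMD))   # (True, True)
    remote = RollingCodeRemote(DEVICE_KEY, OPEN_CMD)
    receiver = RollingCodeReceiver(DEVICE_KEY, OPEN_CMD)
    print("rolling code:", replay_attack(receiver, remote.press()))               # (True, False)
```

The MAC is checked before the counter is read so that an attacker cannot advance the receiver's counter with an unauthenticated frame, and the window bounds how far the remote may run ahead (lost presses) before a resync is needed. Real rolling-code schemes differ in the details, but a device whose "open" frame never changes is exactly the fixed-code case, and that is what the replay test in an RF assessment is looking for.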

HOW TO USE RFTRANSCEIVER

Using the new RFTransceiver extension requires an RfCat-compatible device such as the Yard Stick One. Download the latest RfCat drivers; they include rfcat_msfrelay, the Metasploit Framework relay server for RfCat. Run it on the system with the RfCat-compatible device attached.

Then you can connect with the hardware bridge:

RFTransceiver usage
$ ./msfconsole -q
msf > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > run
[*] Attempting to connect to 127.0.0.1…
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-02-16 20:04:57 -0600
[+] HWBridge session established
[*] HW Specialty: {"rftransceiver"=>true} Capabilities: {"cc11xx"=>true}
[!] NOTICE: You are about to leave the matrix. All actions performed on this hardware bridge
[!] could have real world consequences. Use this module in a controlled testing
[!] environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions

Active sessions

  Id  Type                   Information    Connection
  --  ----                   -----------    ----------
  1   hwbridge cmd/hardware  rftransceiver  127.0.0.1 -> 127.0.0.1 (127.0.0.1)

msf auxiliary(connect) > sessions -i 1
[*] Starting interaction with 1…

hwbridge > status
[*] Operational: Yes
[*] Device: YARDSTICKONE
[*] FW Version: 450
[*] HW Version: 0348