11.3 How CloudAccess Stores Credentials Securely with Basic SSO

Basic SSO describes a level of authentication that CloudAccess supports. Basic SSO records and stores users’ login credentials to be replayed when users authenticate to the destination site. Users must enter their credentials once, and then CloudAccess is able to capture and store them for replay. Only the user who stores the credentials can access the various user names and passwords for Basic SSO websites that are stored for that user’s account in the credential store. No other users can access the information in its unencrypted format, including administrators.

CloudAccess protects user credentials through an SSL connection and AES-256 encryption on the appliance. Figure 11-1 depicts how CloudAccess stores the credentials securely.

Figure 11-1 Basic SSO Security

Basic SSO connectors work with the Basic SSO extension running on the user’s computer to securely collect, store, retrieve, and replay the user credentials for a destination website. Users must log in to the website once in order for the extension to capture and store the credentials in the CloudAccess credential store. The user can choose whether to store the credentials for each destination website. If the user does not allow credentials to be saved for a website, the user must enter the site’s credentials for each session.

Figure 11-2 depicts the user experience when the user clicks the appmark for a Basic SSO application.

Figure 11-2 User’s First-Time Login to the Website with Basic SSO

The following describes the experience for Basic SSO the first time the user accesses the application:

  1. In a supported browser, the user logs in to the CloudAccess login page using their corporate credentials.

  2. The user sees the available applications on the landing page.

  3. The user clicks the appropriate application icon.

    If the Basic SSO extension is not installed on the computer:

    1. The connector prompts the user to install the Basic SSO extension.

    2. The user accepts the prompt, and follows the onscreen instructions to install the extension.

    3. The user returns to the landing page and clicks the appropriate application icon again.

  4. A new tab opens for the login page of the application.

  5. The user enters their user name and password for the destination website.

    The user must enter this separate user name and password once.

  6. The extension asks if the user wants the credentials to be saved by CloudAccess, and the user allows the credentials to be saved.

    1. The extension captures the user name and password, and sends them to CloudAccess over an SSL connection.

      The extension obfuscates the user name and password with Base64 encoding before transmission. Base64 is an encoding, not encryption; confidentiality in transit comes from the SSL connection, and confidentiality at rest comes from the AES-256 encryption on the appliance.

    2. CloudAccess encrypts the site-specific credentials with AES-256 encryption, and then stores the encrypted data in the credential store that is part of the appliance.

      The appliance encrypts the user name and password with an encryption key that is unique per user.

  7. The website returns a success or failure indicator for the login.

    If the login succeeds, the browser opens to the application's website over an SSL connection.

    If the login fails, the browser returns the user to the website's login page to try again.

After the user allows the password to be stored securely, the user experiences single sign-on access to the application in subsequent sessions. Figure 11-3 depicts the user experience when the user clicks the appmark for a Basic SSO application and the user’s credentials are available in the credentials store.

Figure 11-3 User’s Single Sign-On Access to a Website with Basic SSO

The following describes the experience for Basic SSO after the user stores credentials:

  1. The user logs in to the CloudAccess login page using their corporate credentials.

  2. The user sees the available applications on the landing page.

  3. The user clicks the appropriate application icon.

  4. A new tab opens for the login page of the application.

  5. The Basic SSO extension requests that CloudAccess retrieve the user’s user name and password for the site from the credential store.

  6. CloudAccess retrieves the site-specific encrypted credentials from the credential store, decrypts them, and then sends the user name and password over an SSL connection, and replays their entry in the browser.

    CloudAccess obfuscates the user name and password with Base64 encoding before transmission. As with capture, Base64 is an encoding, not encryption; the SSL connection provides confidentiality in transit.

  7. If the replayed user name and password are valid, the browser opens to the application's website over an SSL connection. To the user, the retrieval and replay give a single sign-on experience.

    If the user’s login credentials are invalid, the browser displays the login page with the failed login error, prompting the user to log in again. The new credentials are stored using the same process as for the initial setup.

  8. The website returns a success indicator for the login, and the browser opens to the application's website over an SSL connection.