SSO with YubiKey two-factor authentication


Many systems are moving away from independent logins to Single Sign-On (SSO) solutions, where a single authentication unlocks access to multiple applications or services. With each additional system tied to that single authentication event, it becomes more and more crucial that the authentication itself is secure. Two-factor authentication adds the necessary security by pairing a physical token with other credentials, such as a username and password. The security and ease of use of the YubiKey make it an ideal solution for Single Sign-On authentication, allowing users to carry the key to their virtual office on their keychain.

Background


Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (the producer of assertions) and a service provider (the consumer of assertions). Yubico partners with third-party online SAML identity services to offer several YubiKey-enabled SAML providers to our customers. We also encourage free software projects to implement YubiKey support in their SAML packages.

Required


YubiKey Hardware
SAML server/implementation

Third party SAML providers


Enterprise-class SAML servers and services that support the YubiKey include:

• OneLogin
• Clavid
• ForgeRock
• Svensk e-identitet

simpleSAMLphp


simpleSAMLphp is a PHP application for authentication that supports several federation protocols, including SAML.

• simpleSAMLphp
• Yubico’s SAML administration tool

Shibboleth


Shibboleth is a widely deployed SAML implementation used in higher-education federations around the world. YubiKey authentication is possible with the Yubico JAAS module found in the Yubico Java client:

• Java Client

Multifactor authentication with Shibboleth is possible with the multifactor login handler contributed to the community by Yubico:

• Multifactor login handler

How to implement OpenID support for your site


Join the global OpenID initiative and turn your online service, web mail, blog, etc. into a safe and easy place to visit. Download an implementation to get started:

Openid.net
Openidenabled.com

Required


YubiKey Hardware
OpenID support

How to use YubiKey + OpenID as a user


1. Insert the YubiKey into your computer's USB port.
2. Enter your OpenID URL into the OpenID prompt on any website that supports OpenID.
3. You are redirected to the OpenID server you have chosen, where you authenticate yourself with the YubiKey.
4. You are then redirected back to the website, authenticated.
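The four steps above, as an added example that is not part of the original page and not the code of Yubico's OpenID server: a Python model of the OpenID 2.0 exchange between the website (the relying party, RP) and the OpenID server (the OpenID provider, OP). The OP only issues a signed id_res assertion when the public ID of the presented YubiKey OTP matches the one enrolled for the identity and a validation service accepts the OTP; the RP then verifies the assertion and guards against replay. The association between RP and OP (assoc_handle plus MAC key) is assumed to have been established beforehand, the URLs and the OTP are constructed, and FakeValidationServer is a stand-in for a real OTP validation server.

```python
# Added example (not the page's or Yubico's code): OpenID 2.0 checkid_setup/id_res
# exchange in which the OP asserts an identity only after a YubiKey OTP check.
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
MODHEX = frozenset("cbdefghijklnrtuv")          # alphabet of a YubiKey OTP
SIGNED_FIELDS = ("op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle")

# Constructed sample values: hypothetical URLs and a made-up OTP, not a real key.
OP_ENDPOINT = "https://op.example.org/openid"
RP_RETURN_TO = "https://site.example.com/openid/return"
USER = "https://op.example.org/alice"
OTP = "ccccccclhvjk" + "ubtjctdegbgrtrveuuhudnhvgdtiirfr"


def yubikey_public_id(otp: str) -> str:
    """Return the 12-character public ID prefix of a 44-character modhex OTP."""
    if len(otp) != 44 or not set(otp) <= MODHEX:
        raise ValueError("not a YubiKey OTP")
    return otp[:12]


def kv_form(params: dict, fields) -> bytes:
    """OpenID key-value form of the listed fields: one 'name:value\\n' line each."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields).encode()


def sign(params: dict, fields, mac_key: bytes) -> str:
    """openid.sig = base64(HMAC-SHA256(mac_key, key-value form of the signed fields))."""
    mac = hmac.new(mac_key, kv_form(params, fields), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class FakeValidationServer:
    """Stand-in for an OTP validation service: accepts the constructed OTP once (assumption)."""

    def __init__(self):
        self.used = set()

    def __call__(self, otp: str) -> bool:
        ok = otp == OTP and otp not in self.used
        self.used.add(otp)
        return ok


class OpenIDProvider:
    """The OpenID server of step 3: asserts an identity only after the YubiKey check."""

    def __init__(self, endpoint, assoc_handle, mac_key, registered, validate_otp):
        self.endpoint, self.assoc_handle, self.mac_key = endpoint, assoc_handle, mac_key
        self.registered = registered      # identity URL -> enrolled YubiKey public ID
        self.validate_otp = validate_otp  # callable(otp) -> bool

    def authenticate(self, redirect_url: str, otp: str) -> dict:
        req = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        identity = req["openid.identity"]
        try:  # the key presented must be the one enrolled for this identity
            key_matches = yubikey_public_id(otp) == self.registered.get(identity)
        except ValueError:
            key_matches = False
        if not key_matches or not self.validate_otp(otp):
            return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}  # nothing asserted
        resp = {
            "openid.ns": OPENID_NS,
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": req["openid.claimed_id"],
            "openid.identity": identity,
            "openid.return_to": req["openid.return_to"],
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
            + secrets.token_hex(4),
            "openid.assoc_handle": self.assoc_handle,
            "openid.signed": ",".join(SIGNED_FIELDS),
        }
        resp["openid.sig"] = sign(resp, SIGNED_FIELDS, self.mac_key)
        return resp


class RelyingParty:
    """The website of steps 2 and 4: builds the redirect and verifies the assertion."""

    def __init__(self, return_to, op_endpoint, assoc_handle, mac_key, max_nonce_age=300):
        self.return_to, self.op_endpoint = return_to, op_endpoint
        self.assoc_handle, self.mac_key = assoc_handle, mac_key
        self.max_nonce_age = max_nonce_age
        self.seen_nonces = set()  # replay protection for response_nonce

    def auth_request(self, claimed_id: str) -> str:
        """URL the browser is redirected to (checkid_setup) after entering the OpenID URL."""
        params = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
                  "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
                  "openid.return_to": self.return_to, "openid.realm": self.return_to,
                  "openid.assoc_handle": self.assoc_handle}
        return self.op_endpoint + "?" + urlencode(params)

    def verify_response(self, params: dict) -> str:
        """Validate an id_res response and return the asserted identity, or raise."""
        if params.get("openid.mode") != "id_res":
            raise ValueError("authentication was cancelled or failed")
        if params["openid.op_endpoint"] != self.op_endpoint:
            raise ValueError("response from unexpected OP")
        if params["openid.return_to"] != self.return_to:
            raise ValueError("return_to mismatch")
        if params["openid.assoc_handle"] != self.assoc_handle:
            raise ValueError("unknown association")
        signed = tuple(params["openid.signed"].split(","))
        if not set(SIGNED_FIELDS) <= set(signed):
            raise ValueError("a required field is not covered by the signature")
        if not hmac.compare_digest(sign(params, signed, self.mac_key), params["openid.sig"]):
            raise ValueError("bad signature")
        nonce = params["openid.response_nonce"]
        stamp = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        if abs(time.time() - stamp) > self.max_nonce_age or nonce in self.seen_nonces:
            raise ValueError("stale or replayed response")
        self.seen_nonces.add(nonce)
        return params["openid.identity"]


def build_demo():
    """One RP and one OP sharing an association assumed to be established earlier over TLS."""
    handle, mac_key = "assoc-1", secrets.token_bytes(32)
    rp = RelyingParty(RP_RETURN_TO, OP_ENDPOINT, handle, mac_key)
    op = OpenIDProvider(OP_ENDPOINT, handle, mac_key,
                        {USER: yubikey_public_id(OTP)}, FakeValidationServer())
    return rp, op


def run_flow(rp, op, claimed_id, otp):
    """Steps 2-4: RP redirects to the OP, OP checks the YubiKey, RP verifies the result."""
    return rp.verify_response(op.authenticate(rp.auth_request(claimed_id), otp))


if __name__ == "__main__":
    rp, op = build_demo()
    print("logged in as", run_flow(rp, op, USER, OTP))
```

In a real deployment the OP delivers the id_res parameters as a browser redirect to return_to rather than as a dict, and the association is negotiated with an associate request instead of being shared in build_demo; the checks the RP performs are the ones that matter: the response must come from the expected OP endpoint, name the RP's own return_to, be signed with the negotiated key over every required field, and carry a fresh, never-before-seen nonce. Reusing the same OTP a second time makes the validation service refuse it, so the OP cancels and the RP rejects the login.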

Yubico OpenID Server 


For demonstration purposes, Yubico provides an OpenID server that is easy to use if you have a YubiKey. Go to our OpenID server, log in, and follow the instructions there on how to use it.

• openid.yubico.com

Our OpenID server is open source; it is based on JanRain's example OpenID server.

• Google Code “yubico-openid-server” Project

Partners


Clavid.com provides YubiKey-enabled OpenID:

• clavid.com
