SSO with YubiKey two-factor authentication
Many systems are moving away from independent logins to single sign-on (SSO) solutions, where a single authentication unlocks access to multiple applications or services. With each additional system tied to a single authentication event, it becomes more and more crucial that the authentication is secure. Two-factor authentication adds the necessary security by pairing a physical token with other credentials, such as a username and password. The security and ease of use of the YubiKey make it an ideal solution for single sign-on authentication, allowing users to carry the key to their virtual office on their keychain.
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). Yubico partners with third-party online SAML identity services to offer several YubiKey-enabled SAML providers for our customers. We also encourage various free software projects to implement support for YubiKey in their SAML packages.
Third-party SAML providers
Enterprise-class SAML servers and services supporting the YubiKey include:
simpleSAMLphp is a simple PHP application to perform authentication which supports several federation protocols, including SAML.
Shibboleth is the leading SAML implementation used in higher education federations around the world. YubiKey authentication is possible with the Yubico JAAS module found in the Yubico Java client:
Multifactor authentication with Shibboleth is possible with the multifactor login handler contributed to the community by Yubico:
How to implement support for OpenID for your site
Join the global OpenID initiative and turn your online service, web mail, blog, etc. into a safe and easy place to visit. Download implementations to get started:
How to use YubiKey + OpenID as a user
1. Insert the YubiKey in your computer’s USB port.
2. Enter your OpenID URL into the OpenID URL prompt on any website that supports OpenID.
3. You will be redirected to the OpenID server you have chosen, where you will need to authenticate yourself using the YubiKey.
4. Next, you are redirected back to the website, properly authenticated.
Yubico OpenID Server
For demonstration purposes, Yubico provides an OpenID server that is easy to use if you have a YubiKey. Go to our OpenID server, log in, and follow the instructions there on how to use it.
The source code for our OpenID server is open source. It is based on JanRain’s example OpenID server.
Clavid.com provides YubiKey-enabled OpenID: