Single sign-on
From Wikipedia, the free encyclopedia
Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.
Many free and commercial SSO or reduced sign-on solutions are currently available. A partial list follows:
- Clickshare Service Corp. has developed, starting in 1994, a federated-authentication single sign-on service that also facilitates transactions.
- The JA-SIG Central Authentication Service (CAS) is an open single sign-on service (originally developed by Yale University) that allows web applications to defer all authentication to a trusted central server or servers. Numerous clients are freely available, including clients for Java, .Net, PHP, Perl, Apache, uPortal, Liferay and others.
- A-Select is the Dutch authentication system for higher education that was co-developed by SURFnet (the Dutch NREN). A-Select has now become open source and is used by the Dutch Government, for instance, for DigiD, their authentication system. A-Select allows staff and students to gain access to several web services through a single online authentication. Institutions can use A-Select to secure their web applications in a simple fashion. They can use different means of authentication ranging from username/password to stronger (more secure) methods such as a one-time password sent to a mobile phone or Internet banking authentication.
- CoSign, an open-source project originally designed to provide the University of Michigan with a secure single sign-on web authentication system. CoSign authenticates users on the web server and then provides an environment variable for the user's name. When the user accesses a part of the site that requires authentication, the presence of that variable allows access without having to sign on again. CoSign is part of the National Science Foundation Middleware Initiative (NMI) software release.
- Enterprise single sign-on (E-SSO), also called legacy single sign-on, intercepts, after primary user authentication, the login prompts presented by secondary applications and automatically fills in fields such as a login ID or password. E-SSO systems allow for interoperability with applications that are unable to externalize user authentication, essentially through "screen scraping."
- Web single sign-on (Web-SSO), also called Web access management (Web-AM), works strictly with applications and resources accessed with a web browser. Access to web resources is intercepted, either using a web proxy server or by installing a component on each targeted web server. Unauthenticated users who attempt to access a resource are diverted to an authentication service, and returned only after a successful sign-on. Cookies are most often used to track user authentication state, and the Web-SSO infrastructure extracts user identification information from these cookies, passing it into each web resource.
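The cookie-tracked authentication state described above, as an added example that is not part of the original article: the authentication service issues an HMAC-signed cookie after sign-on, and the Web-SSO interceptor on each protected server either verifies it and passes the extracted identity to the resource, or diverts the unauthenticated request to the authentication service. The signing key, cookie name and authentication-service URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple
from urllib.parse import quote

# Constructed placeholders: a real deployment loads the key from a secret store
# and the URL from configuration shared by every protected web server.
SSO_KEY = b"demo-sso-signing-key-not-for-production"
AUTH_SERVICE_URL = "https://sso.example.test/login"
COOKIE_NAME = "sso_session"
TTL_SECONDS = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(payload: str) -> str:
    # HMAC-SHA256 over the encoded payload: a protected server needs only the
    # shared key to check the cookie, no database round trip.
    return _b64url(hmac.new(SSO_KEY, payload.encode(), hashlib.sha256).digest())


def issue_sso_cookie(user_id: str, now: Optional[int] = None) -> str:
    """Cookie value set by the authentication service after a successful sign-on.

    Format: base64url(JSON claims) + "." + base64url(HMAC). Any protected server
    holding SSO_KEY can verify the cookie and read the identity from it.
    """
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "iat": now, "exp": now + TTL_SECONDS}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{payload}.{_sign(payload)}"


def verify_sso_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user identity carried by an authentic, unexpired cookie, else None."""
    now = int(time.time()) if now is None else now
    payload, sep, sig = cookie.partition(".")
    if not sep:
        return None
    # Check the MAC before decoding anything; constant-time compare resists timing leaks.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None  # expired, or malformed expiry
    sub = claims.get("sub")
    return sub if isinstance(sub, str) else None


def handle_request(cookies: dict, requested_url: str, now: Optional[int] = None) -> Tuple[str, object]:
    """Decision the Web-SSO interceptor (proxy or web-server module) makes for one request."""
    user = verify_sso_cookie(cookies.get(COOKIE_NAME, ""), now)
    if user is None:
        # Unauthenticated: divert to the authentication service, remembering where to return.
        return ("redirect", f"{AUTH_SERVICE_URL}?return_to={quote(requested_url, safe='')}")
    # Authenticated: hand the identity to the protected resource, here as a request header.
    return ("allow", {"X-Remote-User": user})


if __name__ == "__main__":
    cookie = issue_sso_cookie("alice", now=1_700_000_000)
    print(handle_request({}, "https://app.example.test/report", now=1_700_000_000))
    print(handle_request({COOKIE_NAME: cookie}, "https://app.example.test/report", now=1_700_000_100))
```

The expiry claim inside the signed payload is what keeps a stolen cookie from being useful indefinitely; the `X-Remote-User` header must be set only by the interceptor and stripped from incoming client requests, otherwise a client could supply its own identity.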
- Kerberos is a popular mechanism for applications to externalize authentication entirely. Users sign in to the Kerberos server and are issued a ticket, which their client software presents to servers that they attempt to access. Kerberos is available on Unix, Windows and mainframe platforms, but requires extensive modification of client/server application code, and is consequently not used by many legacy applications.
- Federation is a new approach, also for web applications, which uses standards-based protocols to enable one application to assert the identity of a user to another, thereby avoiding the need for redundant authentication. Standards to support federation include SAML and WS-Federation [1].
- Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains, that is, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee.
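An added example, not part of the original article, of the checks a service provider makes on a SAML 2.0 assertion received from an identity provider: the issuer must be the trusted IdP, the `Conditions` validity window must contain the current time, the `AudienceRestriction` must name this service provider, and only then is the `Subject/NameID` handed to the application. The issuer and audience URLs and the sample assertion are constructed. Verification of the assertion's XML signature is assumed to have been done already by an XMLDSig library; it is not implemented here.

```python
from datetime import datetime
from typing import Optional
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders for the hypothetical identity and service providers.
EXPECTED_ISSUER = "https://idp.example.test/saml"
EXPECTED_AUDIENCE = "https://sp.example.test/saml/metadata"

# Constructed sample assertion. The ds:Signature element is omitted because this
# example does not implement XMLDSig verification (see validate_assertion).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def validate_assertion(xml_text: str, now: datetime) -> Optional[str]:
    """Return the asserted NameID if the assertion is for this service provider and
    currently valid, else None.

    Assumes the enveloped XML signature has already been verified against the
    identity provider's certificate; these are the checks that must still follow.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return None
    # 1. The assertion must come from the identity provider we trust.
    if (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip() != EXPECTED_ISSUER:
        return None
    # 2. Conditions: validity window and audience restriction.
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return None
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        return None
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        return None
    audiences = {
        a.text.strip()
        for a in conditions.iterfind("saml:AudienceRestriction/saml:Audience", SAML_NS)
        if a.text
    }
    # An assertion issued for a different service provider must not be accepted here.
    if EXPECTED_AUDIENCE not in audiences:
        return None
    # 3. The subject is the identity handed to the application.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    return name_id.strip() if name_id and name_id.strip() else None


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, parse_saml_time("2024-05-01T12:03:00Z")))
```

The audience check is the one most often skipped in hand-rolled service providers: without it, a valid assertion issued by the same IdP for a different application is accepted as a login here. In production, parse with a hardened XML parser (for example `defusedxml`) and verify the signature before any of these checks run.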
- Light-Weight Identity and OpenID, under the YADIS umbrella, offer distributed and decentralized SSO, where identity is tied to an easily processed URL which can be verified by any server using one of the participating protocols.
- JOSSO, or Java Open Single Sign-On, is an open source J2EE-based SSO infrastructure aimed at providing centralized, platform-neutral user authentication. It uses web services for asserting user identity, allowing non-Java applications (e.g. PHP, Microsoft ASP) to be integrated with the single sign-on service using SOAP over HTTP.
The term enterprise reduced sign-on is preferred by some authors because they believe single sign-on to be a misnomer: "no one can achieve it without an homogeneous IT infrastructure"[2].
In a homogeneous IT infrastructure, or at least one where a single user-authentication scheme exists or the user database is centralized, single sign-on is a visible benefit: every user in that infrastructure holds a single set of authentication credentials. For example, if an organization stores its user database in an LDAP directory, all of its information-processing systems can use that directory for user authentication and authorization, which in turn means single sign-on has been achieved organization-wide.
See also
- Acegi security framework (Java)
- Identity management
- JAAS
- Lightweight Directory Access Protocol (LDAP)
- NTLM
- OpenSSO
- password fatigue
- SAML