Single sign-on
From Wikipedia, the free encyclopedia
Single sign-on (SSO) is a method of access control that enables a user to authenticate once and gain access to the resources of multiple software systems. Single sign-off is the reverse process whereby a single action of signing out terminates access to multiple software systems.
The term enterprise reduced sign-on is preferred by some authors because they believe single sign-on to be a misnomer: "no one can achieve it without a homogeneous IT infrastructure".[1]
In a homogeneous IT infrastructure, or at least where a single user entity authentication scheme exists or where the user database is centralized, single sign-on is a visible benefit. All users in this infrastructure would have a single set of authentication credentials; e.g. in an organization which stores its user database in an LDAP directory. All information processing systems can use that LDAP directory for user authentication and authorization, which in turn means single sign-on has been achieved organization-wide.
Benefits of single sign-on include reducing the amount of internal fraud by malicious employees, the convenience of a single password, consistent security at every point of entry to, exit from and access to systems, and centralized reporting for compliance adherence.
Script-Based Single Sign-On
There are different ways that SSO can be implemented. An older method that is not very much used today is the script-based method of doing single sign-on. This is where you log into a primary network operating system (NOS) and the NOS stores your passwords and authentication mechanism for other systems. When you log on, the network operating system passes your authentication credentials to all other systems. The major drawback to the method is the lack of encryption of sensitive information, user IDs, and passwords. Any attacker running a network sniffer can uncover the authentication credentials and bypass the access control system in place.
Host-Based Single Sign-On
The SSO method that is more commonly used currently is host-based single sign-on. Host-based SSO uses a centralized authentication server that all other applications and systems utilize for authentication purposes. One of the major problems with any type of host-based single sign-on is that you create a single point of failure (SPF). If that authentication server goes down, your network becomes nonfunctional: because no authentication can take place, it is as if all systems on the network were lost. A second security concern is what happens if that user ID and password get compromised by an attacker. Does the attacker get access to only one system? No, the attacker gets access to everything. It is the keys to the access control kingdom.
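The two sections above describe the contrast between forwarding raw credentials to every system and deferring to one authentication host. The following toy model, added here as an illustration and not taken from the article or from any real SSO product, shows the host-based design: an authentication server checks the password once, hands back a signed session assertion, and each application accepts that assertion without ever handling the password. It also shows single sign-off (one logout revokes the session everywhere) and the single-point-of-failure property (when the server is down, every application stops working). The class names, the HMAC-signed token format and the sample user "alice" are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000  # illustrative work factor for the password store


class AuthServer:
    """The single authentication host that every application defers to."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # key used to sign session assertions
        self._users = {}                      # username -> (salt, pbkdf2 hash)
        self._revoked = set()                 # session ids terminated by single sign-off
        self.online = True                    # set False to model the server going down

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def login(self, username, password, ttl=3600):
        """Verify the password once; return a signed assertion, or None on failure."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        payload = {"sub": username, "sid": secrets.token_hex(8),
                   "exp": int(time.time()) + ttl}
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(sig)

    def verify(self, token):
        """Return the payload if the assertion is authentic, unexpired and not signed off."""
        if not self.online:
            raise ConnectionError("authentication server unavailable")
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
            expected = hmac.new(self._key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(sig, expected):
                return None               # tampered body or signature
            payload = json.loads(body)
        except ValueError:                # malformed base64, JSON, or wrong number of parts
            return None
        if payload["exp"] < time.time() or payload["sid"] in self._revoked:
            return None
        return payload

    def logout(self, token):
        """Single sign-off: one action invalidates the session for every application."""
        payload = self.verify(token)
        if payload is not None:
            self._revoked.add(payload["sid"])


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


class Application:
    """An application that never sees a password; it only asks the auth host about tokens."""

    def __init__(self, name, auth):
        self.name, self.auth = name, auth

    def access(self, token):
        try:
            payload = self.auth.verify(token)
        except ConnectionError:
            return f"{self.name}: authentication server unavailable"
        if payload is None:
            return f"{self.name}: denied"
        return f"{self.name}: hello {payload['sub']}"


def demo():
    auth = AuthServer()
    auth.register("alice", "correct horse battery staple")   # constructed sample credential
    apps = [Application(n, auth) for n in ("mail", "wiki", "payroll")]
    token = auth.login("alice", "correct horse battery staple")
    granted = [a.access(token) for a in apps]   # one login, three systems
    auth.logout(token)                           # single sign-off
    revoked = [a.access(token) for a in apps]
    auth.online = False                          # the single point of failure
    outage = [a.access(token) for a in apps]
    return granted, revoked, outage


if __name__ == "__main__":
    for line in sum(demo(), []):
        print(line)
```

Because every application calls back to the server on each request, the model makes the availability dependence visible. A deployment could instead verify signatures locally with a shared or public key, which survives a server outage for existing sessions, but revocation and single sign-off still require a reachable authority.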
See also
- Identity Management
- Password Fatigue
- Lightweight Directory Access Protocol (LDAP)
- Java Authentication and Authorization Service (JAAS)
- Central Authentication Service (CAS)
- CoSign
- OpenID
- OpenSSO
- Shibboleth
- Windows Live ID
- NTLM
- SAML
- Kerberos