The answer is yes, and modern Access Management systems do exactly this.
Delegating the challenge for user credentials is done as follows. The
application needs to redirect the browser, on initial access, to a centralised
component (the SSO server), which performs the challenge and validation
steps before redirecting the browser back (transparently) to the application.
If the user credentials are not valid, the SSO server will essentially block this
access. The application now trusts the identity of the user that is passed in,
because this has been vetted by a trusted system.
Fig 12: Basic Single Sign-On (SSO)
This delegation provides true “Single Sign-On”, and we will shortly explain
why a second login is not required for subsequent accesses to other
applications. However, enforcement of access control is still left to the
application, and the delegation of this function is typically addressed using a
dedicated security “interceptor”.
The interceptor is a component that sits in front of an application and
redirects access to the SSO server. It may also perform the access control
(authorisation) function based on the user identity and any other user
attributes sent back by the SSO server. The application is then completely
agnostic to the presence of the authentication and authorisation functions
that are being performed.¹⁴ A specialised interceptor component not only
¹⁴ In practice, the application will still perform fine-grained authorisation
(i.e., “Can the user perform this function?”) based on the user attributes
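The redirect-and-vet flow and the interceptor described above, as an added example that is not from the book: a minimal interceptor that redirects to the SSO server when no trusted identity is present, otherwise verifies the identity assertion the SSO server handed back and applies a coarse-grained role check before forwarding. The shared HMAC secret, the `sso_assertion` cookie name, the claim names and the URLs are assumptions constructed for this example; the security-relevant point is that the application's trust rests on verifying the assertion's signature and expiry, not merely on its presence.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed for this example: secret shared between the SSO server and the interceptor.
SSO_SHARED_SECRET = b"example-shared-secret-do-not-use"
SSO_LOGIN_URL = "https://sso.example.test/login"  # assumed SSO server endpoint


def sign_assertion(claims: dict, secret: bytes = SSO_SHARED_SECRET) -> str:
    """What the SSO server does after validating credentials: emit a signed identity assertion."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_assertion(token: str, secret: bytes = SSO_SHARED_SECRET,
                     now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the assertion is authentic and unexpired; otherwise None."""
    try:
        body, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time check of the SSO server's MAC
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return claims


def intercept(request: dict, required_role: str, now: Optional[float] = None) -> dict:
    """Interceptor decision for one request. `request` is {"url": ..., "cookies": {...}} (constructed shape)."""
    token = request.get("cookies", {}).get("sso_assertion")
    claims = verify_assertion(token, now=now) if token else None
    if claims is None:
        # No vetted identity: send the browser to the SSO server, which redirects it back afterwards.
        return {"action": "redirect",
                "location": SSO_LOGIN_URL + "?" + urlencode({"return_to": request["url"]})}
    if required_role not in claims.get("roles", []):
        # Coarse-grained authorisation on attributes returned by the SSO server.
        return {"action": "deny", "status": 403, "user": claims["sub"]}
    # Identity vetted by the trusted system: hand the request and attributes to the application.
    return {"action": "forward", "user": claims["sub"], "attributes": claims}
```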