Single Sign-On
Single sign-on (SSO) refers to a single authentication that provides access across all network resources and is sometimes considered the "holy grail of networking." In an SSO solution, a central authentication source provides authentication to each element within the extended enterprise. By using a central authentication solution, each element of the network must address only authorization, and the access limitations that follow from it, within its own resources.
Central Authentication Services
Central authentication solutions can be implemented using a range of technologies, including the Central Authentication Service (CAS) standard, Microsoft's Windows Live ID (formerly known as .NET Passport), or Security Assertion Markup Language (SAML) implementations provided through the Liberty Alliance or the Internet2 Middleware project known as Shibboleth. Central authentication systems rely on an identity provider for authentication, returning validation responses to the requesting CAS-enabled application. While legacy solutions may be coupled to a specific authentication mechanism, this type of authentication can provide access to a wide range of resources, provided they all share the same central authentication mechanism.
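The division of labour described above (the identity provider authenticates once and issues a validation response; each application only checks that response and then handles its own authorization) can be shown with a small simulation. This is an added example, not code from the book and not the CAS or SAML wire format; it assumes a constructed shared HMAC key and a constructed user store where a real deployment would use the identity provider's signing key and directory.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the identity provider and the applications
# that trust it. A real deployment signs assertions with an asymmetric key.
IDP_KEY = b"constructed-demo-idp-key"

def _sign(payload: bytes) -> str:
    return hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()

def idp_authenticate(username, password, audience, now=None, ttl=300):
    """Identity provider: the one place the password is checked. On success it
    returns a signed assertion bound to one application (audience) and a lifetime."""
    users = {"alice": "correct horse battery staple"}  # constructed user store
    if users.get(username) != password:
        return None
    now = now if now is not None else int(time.time())
    body = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    return payload + "." + _sign(payload.encode())

def sp_validate(assertion, expected_audience, now=None):
    """Application side: never sees the password. Accepts the assertion only if the
    signature, audience and expiry all check out; authorization stays local."""
    try:
        payload, sig = assertion.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None  # tampered or forged assertion
    body = json.loads(base64.urlsafe_b64decode(payload))
    now = now if now is not None else int(time.time())
    if body["aud"] != expected_audience:
        return None  # assertion issued for another application; reject it
    if now >= body["exp"]:
        return None  # expired; the user must authenticate centrally again
    return body["sub"]
```

The audience and expiry checks are what keep one central login from becoming a token that any application accepts forever.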
Federated Authentication
A federated identity management solution can also be used for single sign-on authentication. These solutions are populated with authentication credentials, coupled to a single authentication against the identity management system. When a user or service requests resources from within an authentication boundary, the identity management system provides the appropriate set of credentials from its encrypted store on behalf of the already-authenticated identity. Because of this caching of credentials, the user has to enter log-on credentials only once for each authentication boundary. After the initial entry, the identity management system asserts credentials on behalf of the authenticated identity.
This solution is very effective when coordinating a single log-on with resources from a wide range of authentication locales. Legacy systems can be provided with credentials automatically, so a user needs to log on only once to a central authority or information aggregation site to gain access