Single sign-on (SSO) is a method of access control that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again. Single sign-off is the reverse process whereby a single action of signing out terminates access to multiple software systems.

As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication.

Benefits of Single Sign-On

Benefits of single sign-on include:

• Reducing password fatigue from different user name and password combinations ¹
• Reducing time spent re-entering passwords for the same identity ²
• Can support conventional authentication such as Windows Credentials (i.e., username/password)
• Reducing IT costs due to lower number of IT help desk calls about passwords ³
• Security on all levels of entry/exit/access to systems without the inconvenience of re-prompting users
• Centralized reporting for compliance adherence.

SSO uses centralized authentication servers that all other applications and systems utilize for authentication purposes, and combines this with techniques to ensure that users do not actively have to enter their credentials more than once.

Criticisms

The term enterprise reduced sign-on is preferred by some authors who believe single sign-on to be impossible in real use cases.

As single sign-on provides access to many resources once the user is initially authenticated ("keys to the castle"), it increases the negative impact in case the credentials are available to other persons and misused. Therefore, single sign-on requires an increased focus on the protection of the user credentials, and should ideally be combined with strong authentication methods, e.g., smart cards⁴

Common Single Sign-On Configurations

Kerberos based

• Initial sign on prompts the user for credentials, and gets a Kerberos ticket-granting ticket (TGT.)
• Additional software applications requiring authentication, such as email clients, wikis, revision control systems, etc, use the Ticket Granting Ticket to acquire Service Tickets, proving the user's identity to the mailserver / wiki server / etc. without prompting the user to re-enter credentials.

Windows environment - Windows login fetches TGT. Active directory-aware apps fetch service tickets, so user is not prompted to re-authenticate.

UNIX/Linux environment - Login via Kerberos PAM modules fetches TGT. Kerberized client applications such as Evolution, Firefox, and SVN use service tickets, so user is not prompted to re-authenticate.

Smart card based

• Initial sign on prompts the user for smart card.
• Additional software applications also use the smart card, without prompting the user to re-enter credentials.
• Smart card based single sign-on can either use certificates or passwords stored on the smart card

OTP Token

Also referred to as One-time password Token. Two factor authentication with OTP tokens ⁵ follows industry best practices for authenticating users⁶. This OTP token method is more secure and effective at prohibiting unauthorized access than other authentication methods. ⁷

Integrated Windows Authentication

Integrated Windows Authentication is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services and Internet Explorer.

Client Certificate Based

Shared Authentication Schemes which are not Single Sign-On

Single sign on requires that users literally sign in once to establish their credentials. Systems which require the user to log in multiple times to the same identity are inherently not single sign on. For example, an environment where users are prompted to log in to their desktop, then log in to their email using the same credentials, is not single sign on. Shared authentication schemes like OpenID, which require additional sign-on for each web site, are also not single sign on.

Enterprise Single Sign-On

Enterprise single sign-on (E-SSO) systems are designed to minimize the number of times that a user must type their ID and password to sign into multiple applications. The E-SSO solution automatically logs users in, and acts as a password filler where automatic login is not possible. Each client is typically given a token that handles the authentication, on other E-SSO solutions each client has E-SSO software stored on their computer to handle the authentication. On the server side is usually an E-SSO authentication server that is implemented into the enterprise network.

General Requirements for E-SSO

• The solution needs to be highly available.
• The solution needs to provide interfaces for backup, 24x7 monitoring and operations, etc.
• The solution needs to be able to scale to many thousands of users accessing enterprise software.
• The solution should be able to support the company-internal standards defined for efficient operations and integration without problems (e.g., directory server standards, authentication standards, etc.).
• The solution should be able to easily integrate in related IT solutions, for example existing identity management solutions, security event management solutions, application management solutions, or desktop software distribution solutions.⁸

See also

• Central Authentication Service (CAS)
• CoSign
• Enterprise Sign On Engine
• Global Login System
• identity management
• Java Authentication and Authorization Service (JAAS)
• Lightweight Directory Access Protocol (LDAP)
• OpenSSO
• JBoss SSO
• password fatigue
• Athens access and identity management
• SAML
• Shibboleth
• smart card
• Secure Network Communications

References

External links

• Single Sign-on Intro with Diagrams