Definition of Single Sign-On

A Single Sign-On system is a set of software components, usually distributed over a network, which allow a User to log into his workstation once, and thereafter start applications and network Login Session's without any further Authentication. The initial Login may be carried out using Credentials, such as a User ID and Password, or another technology, such as a Public Key Infrastructure or a Smart Card.

A Single Sign-On system normally works as follows:

The User logs into his workstation.
A component of the Single Sign-On system installed on the workstation intercepts and stores the User's Credentials.
The Single Sign-On software displays a menu listing applications that the User may access.
The User selects a menu option or icon to start an application.
The Single Sign-On software retrieves the User's Credentials for the application from a central database. The Credentials used by this user to log into the workstation in the first place are normally used to access the central database.
A script is used to launch the application, and type the User's User ID and Password into it automatically.

This technology addresses some common support problems:

Users tend to forget their passwords. With Single Sign-On, they only actively use one password, so are less likely to forget it.
Users don't like to enter their Credentials multiple times.

Unfortunately, this technology also has some deployment and security problems:

The Password server is an attractive target for Intruder's, since it contains Plaintext or decryptable Credentials for many users and systems.
If the Password server is damaged, then many applications become unavailable. This constitutes a major Denial of Service problem.
Scripts used to launch applications are quite fragile.
The entire system is complex and difficult to install.
The software tends to be quite expensive.

An alternative technology, which resolves some of the same issues, but is not subject to the same problems, is Password Synchronization.