Hitachi

Definition of Single Sign-On

Definition of computer security terms: Single Sign-On


A Single Sign-On system is a set of software components, usually distributed over a network, which allows a User to log into his workstation once and thereafter start applications and network Login Sessions without any further Authentication. The initial Login may be carried out using Credentials, such as a User ID and Password, or another technology, such as a Public Key Infrastructure or a Smart Card.

A Single Sign-On system normally works as follows:

  • The User logs into his workstation.
  • A component of the Single Sign-On system installed on the workstation intercepts and stores the User's Credentials.
  • The Single Sign-On software displays a menu listing applications that the User may access.
  • The User selects a menu option or icon to start an application.
  • The Single Sign-On software retrieves the User's Credentials for the application from a central database. The Credentials used by this user to log into the workstation in the first place are normally used to access the central database.
  • A script is used to launch the application, and type the User's User ID and Password into it automatically.
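The sequence above, as an added simulation that is not part of this definition page or of any Hitachi product: a central credential store holds each user's per-application Credentials sealed under a key derived from the workstation login password, the SSO agent derives that key at login, and "launching" an application means fetching the record, unsealing it and handing back the User ID and Password that a script would type in. All names, the HMAC-based sealing scheme and the sample users and passwords are constructed for illustration; the `available` flag models the outage case, and the integrity tag models a tampered store record.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # constructed value for the demo


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from the workstation login password (the only password the user types)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demonstration CTR-style keystream from HMAC-SHA256; a real product would use a vetted AEAD."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC a credential record so it can sit in the central store."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(key: bytes, rec: dict) -> bytes:
    """Check the tag first, then decrypt; a modified store record is rejected rather than typed into an app."""
    expected = hmac.new(key, rec["nonce"] + rec["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("credential record failed integrity check")
    return bytes(c ^ k for c, k in zip(rec["ct"], _keystream(key, rec["nonce"], len(rec["ct"]))))


class CentralStore:
    """The central Password database. Everything in `records` is decryptable with the user's derived key,
    which is why the store is the high-value target named in the risk list."""

    def __init__(self):
        self.salts = {}       # user -> salt for key derivation
        self.verifiers = {}   # user -> value used to check the workstation login
        self.records = {}     # (user, app) -> sealed application credential
        self.available = True  # flip to False to model the store being down

    def enrol_user(self, user: str, master_password: str) -> None:
        salt = secrets.token_bytes(16)
        key = derive_key(master_password, salt)
        self.salts[user] = salt
        # Store a one-way derivative of the key, never the key or password itself.
        self.verifiers[user] = hashlib.sha256(b"verify|" + key).digest()

    def check_available(self) -> None:
        if not self.available:
            raise ConnectionError("central credential store unreachable")


def workstation_login(store: CentralStore, user: str, master_password: str) -> bytes:
    """Steps 1-2: the user logs in once; the SSO agent derives and keeps the session key."""
    store.check_available()
    key = derive_key(master_password, store.salts[user])
    if not hmac.compare_digest(hashlib.sha256(b"verify|" + key).digest(), store.verifiers[user]):
        raise PermissionError("workstation login failed")
    return key


def register_app_credential(store, user, session_key, app, app_user_id, app_password) -> None:
    """Populate the store with an application's User ID and Password, sealed under the session key."""
    store.check_available()
    store.records[(user, app)] = seal(session_key, f"{app_user_id}\n{app_password}".encode())


def launch_app(store: CentralStore, user: str, session_key: bytes, app: str) -> dict:
    """Steps 4-6: fetch the application's Credentials and return what the launch script would type in."""
    store.check_available()  # if the store is down, no application can be started: the Denial of Service case
    app_user_id, app_password = open_sealed(session_key, store.records[(user, app)]).decode().split("\n", 1)
    return {"app": app, "user_id": app_user_id, "password": app_password}
```

Running it end to end with a constructed user shows the two properties the risk list below is about: a single compromised store record yields nothing without the derived key, but anyone who obtains both the store and a user's workstation password recovers every application Password for that user in one step, and making the store unreachable blocks every launch at once.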

This technology addresses some common support problems:

  • Users tend to forget their passwords. With Single Sign-On, they only actively use one password, so are less likely to forget it.
  • Users don't like to enter their Credentials multiple times.

Unfortunately, this technology also has some deployment and security problems:

  • The Password server is an attractive target for Intruders, since it contains Plaintext or decryptable Credentials for many users and systems.
  • If the Password server is damaged, then many applications become unavailable. This constitutes a major Denial of Service problem.
  • Scripts used to launch applications are quite fragile.
  • The entire system is complex and difficult to install.
  • The software tends to be quite expensive.

An alternative technology, which resolves some of the same issues, but is not subject to the same problems, is Password Synchronization.