Reduced Sign On
Many organizations are interested in reducing the burden of repeated login prompts for users. Eliminating some or all of these login prompts is referred to as "single sign-on" though more accurately it is "reduced sign-on."
There are several classes of reduced sign-on technology:
- Kerberos / Integrated Windows Authentication:
Users sign into a Kerberos realm -- typically from a Windows client joined to an Active Directory domain. The client obtains a ticket-granting ticket from the domain's key distribution center at logon and uses it to request service tickets, which are presented to other servers on the network whenever the user needs to authenticate to those systems. The user's password is never sent to the application servers themselves.
Microsoft's adoption (and extension) of this technology has led many to refer to it as Integrated Windows Authentication (IWA), but the protocol was originally developed at MIT and is defined in public standards (Kerberos V5, RFC 4120).
- Enterprise Single Sign-on:
Client software is deployed to user PCs (typically Windows). The client detects login prompts displayed by various applications and automatically populates login IDs and passwords in those dialogs and screens. Application credentials are stored in some sort of secure "wallet" -- on the filesystem, in a database or in a directory. Because the wallet holds every application password the user has, it must be encrypted with a key that is unlocked by the user's primary (Windows) credential rather than one stored alongside the wallet.
Enterprise single sign-on (E-SSO) systems are attractive to many organizations because they provide a single mechanism for both legacy applications (client/server, terminal based) and applications with a web user interface.
- Web Single Sign-on / Access Management:
Web single sign-on (WebSSO) systems intercept user attempts to access web applications. A cookie in the user's web browser is checked to see if the user has already been authenticated. If the user has not yet signed on, the web browser is redirected to a login application where the user signs in. The user is then redirected back to the application page originally requested and automatically signed into the web application. The SSO cookie is a bearer credential: it should be an opaque reference to a server-side session (or a signed, expiring token), scoped to the SSO domain and marked Secure and HttpOnly, and the return URL carried through the login redirect should be restricted to the protected applications so the login page cannot be used as an open redirector.
Two common architectures of WebSSO systems are available, often in the same product.
In one approach, a web proxy server signs users into applications by retrieving each user's login credentials for each application from a secure directory or database. These credentials are injected into the HTTP traffic between the WebSSO system and the application the user wishes to access (for example as a submitted login form or an Authorization header). In this scenario nothing is installed on the target application ("agentless architecture"), but the application must be reachable only through the proxy -- a user who can reach the application URL directly bypasses the WebSSO layer entirely -- and a database of per-user, per-application credentials must be maintained and protected.
In a second approach, an agent is installed on each web application server. This requires a variety of agents to be developed -- one for each type of supported application or web server. Using this architecture, the agent intercepts user access attempts and notifies the application where it is installed of the authenticated user's identity, typically through a request header or server variable. In this architecture there is no database of user credentials, but the application must accept the identity only from the agent: any copy of the identity header that arrives from the client has to be stripped, or an attacker can simply assert another user's name.
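The WebSSO request flow described above, written out as an added example (this is not code from the original page or from any WebSSO product). It plays the role of an agent in front of a protected application: it looks the SSO cookie up in a server-side session store, redirects unauthenticated users to the login application with a return URL that is only accepted for protected hosts, and, for authenticated users, sets the identity header after stripping any client-supplied copy. The cookie name, header name, hostnames and session entries are all hypothetical, constructed for the example.

```python
import time
from urllib.parse import urlencode, urlparse

# Hypothetical names for the example; a real product has its own.
SSO_COOKIE = "WEBSSO_SESSION"
IDENTITY_HEADER = "X-Authenticated-User"
LOGIN_URL = "https://login.example.com/login"
ALLOWED_HOSTS = {"app.example.com", "hr.example.com"}
DEFAULT_LANDING = "https://app.example.com/"

# Constructed sample session store: the browser only holds the opaque cookie
# value; the WebSSO system keeps who it belongs to and when it expires.
SESSION_STORE = {
    "c6f1b9e2a4d84f0f": {"user": "alice", "expires": 1_900_000_000},
    "deadbeef00000000": {"user": "bob", "expires": 1_000_000_000},  # expired
}


def lookup_session(cookies, now):
    """Return the session for the SSO cookie, or None if absent, unknown or expired."""
    token = cookies.get(SSO_COOKIE)
    if token is None:
        return None
    session = SESSION_STORE.get(token)
    if session is None or session["expires"] <= now:
        return None
    return session


def safe_return_url(url):
    """Only pass the login application a return URL on a protected host over https,
    so the post-login redirect cannot be turned into an open redirect."""
    parts = urlparse(url)
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return url
    return DEFAULT_LANDING


def websso_agent(request, now=None):
    """Decide what the agent does with one request to a protected application.

    request is {"url": str, "cookies": dict, "headers": dict}. Returns
    {"status": 302, "location": ...} when the user must sign in, otherwise
    {"status": 200, "headers": ...} with the headers forwarded to the application.
    """
    now = time.time() if now is None else now
    session = lookup_session(request.get("cookies", {}), now)
    if session is None:
        query = urlencode({"return": safe_return_url(request["url"])})
        return {"status": 302, "location": LOGIN_URL + "?" + query}
    # Never trust a copy of the identity header supplied by the client: drop it
    # (header names are case-insensitive) before setting the agent's own value.
    headers = {k: v for k, v in request.get("headers", {}).items()
               if k.lower() != IDENTITY_HEADER.lower()}
    headers[IDENTITY_HEADER] = session["user"]
    return {"status": 200, "headers": headers}
```

The session store stands in for whatever the WebSSO product uses (database, directory or in-memory cache); the point is that the browser never holds anything but an opaque reference, and the application only ever sees an identity header that the agent itself wrote.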
- Federated Authentication:
Federated access management means that users sign into a web site in one domain -- say the Intranet of their own corporation -- and are able to follow a URL link to a web site on another domain -- say a SaaS-hosted application. A trust relationship is defined between the two servers, such that the first server (in the user's domain of origin) vouches for the identity, authentication status and authorizations of the user to the second server. The most common mechanism for vouching for user data is to issue a signed assertion, using a standard protocol such as the Security Assertion Markup Language (SAML). The receiving server checks the signature against the issuer it trusts, that the assertion was addressed to it, and that it is within its validity window before accepting the user.
Federated access management is also only applicable (in practice) to web applications. Its main advantage is that authentication and authorization information about users can be exchanged between systems under the control of different organizations, eliminating both redundant login prompts and user administration.
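The trust relationship described above, reduced to an added example of the two sides of a federated exchange (not code from the page, not SAML, and not any vendor's implementation). The identity provider in the user's home domain issues an assertion naming the user, its own identity, the intended recipient and a validity window; the service provider in the other domain accepts it only after checking the issuer, the signature, the audience, the time window and that the assertion has not been presented before. Real SAML assertions are XML signed with the identity provider's certificate; here an HMAC over a JSON body with a shared key is used as a stand-in so the example runs on the standard library alone. All names, the key and the clock values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical trust relationship: the identity provider (user's home domain)
# and this service provider (the SaaS application) share this key out of band.
TRUSTED_ISSUERS = {"https://idp.corp.example": b"shared-secret-for-demo-only"}
SP_ENTITY_ID = "https://saas.example.net"   # the audience this SP accepts
CLOCK_SKEW = 30                              # seconds of tolerance between domains


class FederationError(Exception):
    """Raised when an assertion fails any trust check."""


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, key, subject, audience, roles, now, lifetime=300):
    """Identity provider side: vouch for an authenticated user to one audience."""
    body = {"id": secrets.token_hex(16), "issuer": issuer, "subject": subject,
            "audience": audience, "iat": now, "exp": now + lifetime, "roles": roles}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_assertion(token, now, seen):
    """Service provider side: accept the assertion only if every check passes.

    seen is the set of assertion ids already consumed (replay protection);
    returns the vouched-for subject and roles.
    """
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        body = json.loads(payload)
    except ValueError:
        raise FederationError("malformed assertion")
    if not isinstance(body, dict):
        raise FederationError("malformed assertion")
    key = TRUSTED_ISSUERS.get(body.get("issuer"))
    if key is None:
        raise FederationError("untrusted issuer")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise FederationError("bad signature")
    # Everything below is signed by a trusted issuer, so the fields can be read.
    if body["audience"] != SP_ENTITY_ID:
        raise FederationError("assertion not intended for this service")
    if not (body["iat"] - CLOCK_SKEW <= now < body["exp"] + CLOCK_SKEW):
        raise FederationError("assertion outside its validity window")
    if body["id"] in seen:
        raise FederationError("replayed assertion")
    seen.add(body["id"])
    return {"subject": body["subject"], "roles": body["roles"]}


def rejection_reason(token, now, seen=None):
    """The reason an assertion is rejected, or None if it is accepted."""
    try:
        verify_assertion(token, now, set() if seen is None else seen)
        return None
    except FederationError as err:
        return str(err)
```

The order of the checks matters: the issuer lookup and signature come first, so nothing inside the assertion is acted on until it is known to have come from a party the service provider trusts. The audience check is what stops an assertion issued for one SaaS application from being replayed against another that trusts the same identity provider.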
Hitachi ID Login Manager, a module included with Hitachi ID Password Manager, is an enterprise single sign-on solution. It automatically signs users into applications where the login ID and password are the same ones users type to sign into Windows on their PC.
Login Manager leverages password synchronization instead of stored passwords. This means that it does not require a wallet and that users can continue to sign into their applications from devices other than their corporate PC -- such as a smart phone or tablet -- for which a single sign-on client may not be available.
Login Manager does not require scripting or a credential vault, so has a much lower total cost of ownership (TCO) than alternative single sign-on tools.