A Single Sign-On system is a set of software components, usually distributed over a network, which allow a User to log into his workstation once, and thereafter start applications and network Login Sessions without any further Authentication. The initial Login may be carried out using Credentials, such as a User ID and Password, or another technology, such as a Public Key Infrastructure or a Smart Card.
A Single Sign-On system normally works as follows:
- The User logs into his workstation.
- A component of the Single Sign-On system installed on the workstation intercepts and stores the User's Credentials.
- The Single Sign-On software displays a menu listing applications that the User may access.
- The User selects a menu option or icon to start an application.
- The Single Sign-On software retrieves the User's Credentials for the application from a central database. The Credentials the User originally entered to log into the workstation are normally what authenticate this retrieval from the central database.
- A script is used to launch the application, and type the User's User ID and Password into it automatically.
This technology addresses some common support problems:
- Users tend to forget their passwords. With Single Sign-On, they only actively use one password, and so are less likely to forget it.
- Users don't like to enter their Credentials multiple times.
Unfortunately, this technology also has some deployment and security problems:
- The Password server is an attractive target for Intruders, since it contains Plaintext or decryptable Credentials for many users and systems.
- If the Password server is damaged, then many applications become unavailable. This constitutes a major Denial of Service problem.
- Scripts used to launch applications are quite fragile.
- The entire system is complex and difficult to install.
- The software tends to be quite expensive.
An alternative technology, which resolves some of the same issues, but is not subject to the same problems, is Password Synchronization.
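The following is an added, constructed model of the central credential database described above; it is not code from any Single Sign-On product. Each application credential is sealed under a key derived from the User's primary (workstation) password, which is what makes the records "decryptable" rather than hashed: the store on its own reveals nothing, but a single primary password unlocks every application credential for that User. The SHA-256 keystream and HMAC tag stand in for a real authenticated cipher purely to keep the model self-contained.

```python
import hashlib
import hmac
import json
import os


def derive_key(primary_password: str, salt: bytes) -> bytes:
    """Vault key derived from the User's workstation (primary) password."""
    return hashlib.scrypt(primary_password.encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: an illustrative stand-in for a real AEAD.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


class CredentialServer:
    """Central database of decryptable application credentials (model)."""

    def __init__(self):
        self.records = {}   # (user, app) -> (nonce, ciphertext, tag)
        self.salts = {}     # user -> scrypt salt

    def _key(self, user, primary_password):
        salt = self.salts.setdefault(user, os.urandom(16))
        return derive_key(primary_password, salt)

    def store(self, user, primary_password, app, app_user, app_password):
        key = self._key(user, primary_password)
        nonce = os.urandom(16)
        pt = json.dumps({"user": app_user, "password": app_password}).encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
        tag = hmac.new(key, nonce + ct, "sha256").digest()
        self.records[(user, app)] = (nonce, ct, tag)

    def retrieve(self, user, primary_password, app):
        """What the launch script fetches before typing the login into `app`."""
        key = self._key(user, primary_password)
        nonce, ct, tag = self.records[(user, app)]
        expected = hmac.new(key, nonce + ct, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("primary password does not unlock this record")
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
        return json.loads(pt)

    def blast_radius(self, user, primary_password):
        """Every application whose stored login this one primary password exposes."""
        exposed = []
        for (u, app) in self.records:
            if u != user:
                continue
            try:
                self.retrieve(user, primary_password, app)
                exposed.append(app)
            except PermissionError:
                pass
        return sorted(exposed)
```

`blast_radius` makes the Password-server risk concrete: a dump of `records` alone contains no plaintext, yet compromise of one workstation password yields every application credential that User has registered.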