Single sign-on (SSO) is a method of access control that enables a user to authenticate once and gain access to the resources of multiple software systems without being prompted to log in again at each of them.
Many free and commercial SSO or reduced sign-on solutions are currently available. A partial list follows:
- The JA-SIG Central Authentication Service (CAS) is an open single sign-on service (originally developed by Yale University) that allows web applications to defer all authentication to a trusted central server or servers. Numerous clients are freely available, including clients for Java, .Net, PHP, Perl, Apache, uPortal, Liferay and others.
- A-Select is the Dutch authentication system for higher education, co-developed by SURFnet (the Dutch NREN). A-Select has since become open source and is used by the Dutch government, for instance for DigiD, its citizen authentication system. A-Select allows staff and students to gain access to several web services through a single online authentication, and institutions can use it to secure their web applications in a simple fashion. They can choose between different means of authentication, ranging from username/password to stronger methods such as a one-time password sent to a mobile phone or Internet banking authentication.
- CoSign, an open-source project originally designed to provide the University of Michigan with a secure single sign-on web authentication system. CoSign authenticates users on the web server and then exposes the user's name in an environment variable. When the user accesses a part of the site that requires authentication, the presence of that variable allows access without a further sign-on. CoSign is part of the National Science Foundation Middleware Initiative (NMI) software release.
- Enterprise single sign-on (E-SSO), also called legacy single sign-on, intercepts, after primary user authentication, the login prompts presented by secondary applications and automatically fills in fields such as the login ID or password. E-SSO systems allow interoperability with applications that cannot externalize user authentication, essentially through screen scraping. Because the E-SSO agent must hold every secondary credential in order to replay it, the credential store it relies on becomes a high-value target and has to be protected accordingly.
- Web single sign-on (Web-SSO), also called Web access management (Web-AM), works strictly with applications and resources accessed through a web browser. Access to web resources is intercepted, either by a web proxy server or by a component installed on each targeted web server. Unauthenticated users who attempt to access a resource are diverted to an authentication service and returned only after a successful sign-on. Cookies are most often used to track user authentication state; the Web-SSO infrastructure extracts user identification information from these cookies and passes it into each web resource. Because each web resource ends up trusting identity information it did not verify itself, it must accept that information only from the Web-SSO component and never directly from the client.
- Kerberos is a popular mechanism for applications to externalize authentication entirely. Users sign into the Kerberos server and are issued a ticket, which their client software presents to the servers they attempt to access.
Kerberos is available on Unix, Windows and mainframe platforms, but requires extensive modification of client/server application code and is consequently not used by many legacy applications.
- Federation is a newer approach, also for web applications, which uses standards-based protocols to enable one application to assert the identity of a user to another, thereby avoiding the need for redundant authentication. Standards to support federation include SAML and WS-Federation.
- '''Security Assertion Markup Language''' ('''SAML''') is an XML standard for exchanging authentication and authorization data between security domains, that is, between an ''identity provider'' and a ''service provider''. SAML is a product of the OASIS Security Services Technical Committee.
- A standards-based, open source middleware package that provides Web single sign-on (SSO) across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner.
- '''OpenID''' and the other protocols under the '''YADIS''' umbrella offer distributed and decentralized SSO, where identity is tied to an easily processed URL which can be verified by any server using one of the participating protocols.
- JOSSO, or Java Open Single Sign-On, is an open source J2EE-based SSO infrastructure aimed at providing centralized, platform-neutral user authentication. It uses web services for asserting user identity, allowing non-Java applications (PHP, Microsoft ASP, etc.) to integrate with the single sign-on service using SOAP over HTTP.
- A signature-based Web single sign-on (SSO) system can work across any boundaries. It does not require any common infrastructure but relies on a trust relationship from the SSO client applications to the SSO server (typically a web portal, but it could also be a reverse proxy or similar). In such a design each client application must verify the server's signature against a key it already trusts, since that signature is the only thing binding the asserted identity to the SSO server.
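The Web-SSO mechanism described in the list above (intercept the request, divert unauthenticated users to the authentication service, keep state in a cookie and pass the user's identity into each web resource), as an added example in Python; it is not code from any product listed on this page. The cookie layout, the `X-Remote-User` header, the login URL and the signing secret are assumptions made for illustration, and `gateway()` models the interception step for a single request as a pure function so it can be run offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import quote

# Gateway-side secret that signs the SSO cookie (assumed value; rotate it in
# practice).  Backend applications never see it: they accept the identity
# header only because the gateway is the sole path to them.
SSO_COOKIE_SECRET = b"example-only-secret"
SSO_COOKIE_NAME = "SSO_SESSION"
LOGIN_URL = "https://sso.example.test/login"   # assumed authentication service
IDENTITY_HEADER = "X-Remote-User"             # assumed header name
SESSION_TTL = 8 * 3600                        # seconds


def _sign(payload: str) -> str:
    return hmac.new(SSO_COOKIE_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, now: Optional[float] = None) -> str:
    """Mint the cookie the authentication service sets after a successful sign-on."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": user, "iat": issued, "exp": issued + SESSION_TTL}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{payload}.{_sign(payload)}"


def verify_cookie(cookie: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired, else None."""
    if not cookie or cookie.count(".") != 1:
        return None
    payload, sig = cookie.split(".")
    # Constant-time comparison so a forged cookie reveals nothing about how
    # many signature bytes happened to match.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str):
        return None
    current = time.time() if now is None else now
    if current >= claims.get("exp", 0):
        return None
    return claims["sub"]


def gateway(request: dict, now: Optional[float] = None) -> dict:
    """Model of the interception step for one request.

    `request` is {"url": str, "headers": dict, "cookies": dict}.  Returns a
    redirect to the authentication service for unauthenticated users, or the
    request as it would be forwarded to the protected web resource.
    """
    user = verify_cookie(request.get("cookies", {}).get(SSO_COOKIE_NAME), now)
    if user is None:
        # Divert to the sign-on service, carrying the original URL so the
        # user can be returned to it after authenticating.
        return {"status": 302,
                "location": f"{LOGIN_URL}?return_to={quote(request['url'], safe='')}"}
    # Drop any client-supplied copy of the identity header before setting it,
    # otherwise a user could impersonate someone else by sending it directly.
    headers = {k: v for k, v in request.get("headers", {}).items()
               if k.lower() != IDENTITY_HEADER.lower()}
    headers[IDENTITY_HEADER] = user
    return {"status": 200, "forward": {"url": request["url"], "headers": headers}}


if __name__ == "__main__":
    session = issue_cookie("alice")
    print(gateway({"url": "https://app.example.test/reports", "headers": {}, "cookies": {}}))
    print(gateway({"url": "https://app.example.test/reports", "headers": {},
                   "cookies": {SSO_COOKIE_NAME: session}}))
```

Two details carry the security weight here. The cookie is an HMAC-signed payload, so a client cannot mint a session for another user by editing it, and the gateway strips any client-supplied identity header before setting its own. The backend must in turn accept that header only from the gateway; if it can be reached directly, anyone who can do so can claim any identity.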
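The service-provider side of the SAML exchange described in the list above (checking that an assertion comes from the trusted identity provider, is addressed to this service provider and lies inside its validity window), as an added example in Python; it is not code from any SAML implementation on this page. The sample assertion, the entity IDs, the clock value and the 60-second skew allowance are constructed for illustration. XML signature verification is deliberately left out: a real service provider must first verify the identity provider's XML-DSig signature over this exact element with an XML-security library, and only then run the checks below.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion, the kind of payload an IdP returns inside a
# <samlp:Response>; entity IDs and times are illustrative.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

CLOCK_SKEW = timedelta(seconds=60)   # assumed tolerance between IdP and SP clocks


def _parse_time(value: str) -> datetime:
    """Parse the UTC xsd:dateTime form SAML uses, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, trusted_issuer: str, my_entity_id: str,
                       now: datetime) -> dict:
    """Return the accepted identity, or raise ValueError naming the failed check.

    Assumes the XML signature over this exact element has ALREADY been
    verified by an XML-DSig library; these are the checks that come after.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < _parse_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now - CLOCK_SKEW >= _parse_time(not_on_or_after):
        raise ValueError("assertion expired")
    # Audience restriction: a genuine assertion minted for a different SP must
    # still be rejected here, or one compromised SP could replay it against us.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no subject NameID")
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {"subject": name_id, "issuer": issuer, "attributes": attributes}


def rejection_reason(xml_text: str, trusted_issuer: str, my_entity_id: str,
                     now: datetime) -> Optional[str]:
    """Convenience wrapper: the failed check's message, or None when accepted."""
    try:
        validate_assertion(xml_text, trusted_issuer, my_entity_id, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.test/metadata",
                             "https://sp.example.test/metadata",
                             datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)))
```

The order matters: signature verification has to cover the very element whose Issuer, Conditions and Subject are read here, otherwise an attacker can wrap a signed assertion around an unsigned one that these checks then accept (XML signature wrapping). For untrusted input in production, parse with a hardened XML parser such as `defusedxml` rather than the standard library module used above.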
The term ''enterprise reduced sign-on'' is preferred by some authors because they believe ''single sign-on'' to be a misnomer: "no one can achieve it without a homogeneous IT infrastructure".
In a homogeneous IT infrastructure, or at least one where a single user-entity authentication scheme exists or the user database is centralized, single sign-on is a visible benefit: every user in such an infrastructure has one set of authentication credentials. For example, an organization may store its user database in an LDAP directory; all of its information processing systems can then use that directory for user authentication and authorization, which in effect achieves single sign-on organization-wide. Strictly, sharing one directory gives every system the same credential; whether the user is also spared the repeated prompt depends on the systems sharing a session as well, which is the distinction the term ''reduced sign-on'' captures.