Since your SSO deployment will probably span multiple and diverse systems and platforms, you should first determine which systems to enroll. The choice should be based on the systems your employees use most, like email or the corporate Intranet--if it requires a logon. Second, decide the type of product that best fits your organization's IT architecture and infrastructure.
The biggest obstacle is planning which systems to include in the installation and how to simultaneously synch them up with the SSO technology. SSO is rarely a simple deployment that can be done quickly. It should be carefully planned and implemented in stages with different groups of enterprise users.
It's also important to ensure that the SSO system meshes with your organization's existing IT infrastructure. SSO can be implemented in hardware or software; in either case, a gateway authenticates to the member applications. In other words, the user authenticates to the SSO gateway, which turns around and then authenticates on behalf of the user, employing the stored credentials for each member application. The SSO system is the master store for the applications' log-on credentials.
Software SSO systems consist of modules, which usually sit on a dedicated server. The modules require quite a bit of configuration and tuning, and there may be additional development effort when connecting them to home-grown applications. Products in this space include IBM's Tivoli Access Manager, Citrix Password Manager and Entrust GetAccess. Because of the requirement for dedicated hardware and the configuration involved, these systems are geared toward larger enterprises.
On the hardware side, a product that requires fewer configurations is Imprivata's OneSign Single Sign On. The appliance has a Web-based front end for easy enrollment of member applications. Imprivata is geared toward mid-market companies and organizations that may not have the staff or expertise for extensive software configurations. And, since it's self-contained in its own server, a smaller company doesn't have to make the investment in a dedicated one, as might be required for a software SSO module.
For a Web-based SSO product, the Microsoft Passport Network allows a user to register once for multiple Web site access. In this case, Passport acts as an online SSO gateway.
Since SSO can be a single point of authentication failure, all components of the SSO system need to be secured within the enterprise. If a malicious user gets hold of the SSO log-on credentials, all applications registered with the system will be at risk.
Since SSO provides a centralized point of access, it can be used to more closely monitor user access; regulations like the Sarbanes-Oxley Act require such careful observation. In addition, because SSO installations are complex, they call for extensive documentation about authentication. That's something else that your auditors and regulators may want to look at.
For more information:
This was first published in October 2007