Manage Learn to apply best practices and optimize your operations.

Best practices for deploying enterprise single sign-on (SSO)

In this expert response, Joel Dubin discusses some enterprise single sign-on (SSO) best practices and common obstacles.

I am trying to deploy single sign-on within our bank. What are some common obstacles to such deployments? What...

are some best practices for deploying SSO in an enterprise, on the Web, or in a federated or transactional system?

The most important part of single sign-on (SSO) deployments is planning. There are a number of options available, depending on the size of your company and the scope of your implementation. Banks should also consider compliance with regulations, such as SOX and the FFIEC.

Since your SSO deployment will probably span multiple and diverse systems and platforms, you should first determine which systems to enroll. The choice should be based on the systems your employees use most, like email or the corporate Intranet--if it requires a logon. Second, decide the type of product that best fits your organization's IT architecture and infrastructure.

The biggest obstacle is planning which systems to include in the installation and how to simultaneously synch them up with the SSO technology. SSO is rarely a simple deployment that can be done quickly. It should be carefully planned and implemented in stages with different groups of enterprise users.

It's also important to ensure that the SSO system meshes with your organization's existing IT infrastructure. SSO can be implemented in hardware or software; in either case, a gateway authenticates to the member applications. In other words, the user authenticates to the SSO gateway, which turns around and then authenticates on behalf of the user, employing the stored credentials for each member application. The SSO system is the master store for the applications' log-on credentials.

Software SSO systems consist of modules, which usually sit on a dedicated server. The modules require quite a bit of configuration and tuning, and there may be additional development effort when connecting them to home-grown applications. Products in this space include IBM's Tivoli Access Manager, Citrix Password Manager and Entrust GetAccess. Because of the requirement for dedicated hardware and the configuration involved, these systems are geared toward larger enterprises.

On the hardware side, a product that requires fewer configurations is Imprivata's OneSign Single Sign On. The appliance has a Web-based front end for easy enrollment of member applications. Imprivata is geared toward mid-market companies and organizations that may not have the staff or expertise for extensive software configurations. And, since it's self-contained in its own server, a smaller company doesn't have to make the investment in a dedicated one, as might be required for a software SSO module.

For a Web-based SSO product, the Microsoft Passport Network allows a user to register once for multiple Web site access. In this case, Passport acts as an online SSO gateway.

Since SSO can be a single point of authentication failure, all components of the SSO system need to be secured within the enterprise. If a malicious user gets hold of the SSO log-on credentials, all applications registered with the system will be at risk.

Since SSO provides a centralized point of access, it can be used to more closely monitor user access; regulations like the Sarbanes-Oxley Act require such careful observation. In addition, because SSO installations are complex, they call for extensive documentation about authentication. That's something else that your auditors and regulators may want to look at.


This was last published in October 2007

Dig Deeper on Single-sign on (SSO) and federated identity



Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.