We are getting pressure from management to find an enterprise solution. We are not all Web-based. We have OS390, Lotus Notes, PeopleSoft, etc.
Without all the vendor sell, we need an expert opinion on the viability of SSO. Does everyone have it? Does infrastructure work or will it be a scripting nightmare? Which do you recommend? Thank you.
Cutting to the chase, no, everyone does not have Single Sign-On. In fact, almost no one does. Single Sign-On is the holy grail that every CIO and sysadmin wants, which is one reason why you're getting pressure from management to "implement" it, as if you could just go out and sign a check and poof there it would be.
Let's step back for a moment and look at what the problem is. Anytime you deal with security, it's good to do this, because it's too easy to get sucked into solutions rather than problems.
Ideally, as users, we would like to walk into the office and poof, all the stuff we need to use is there for us to use. Failing that, we should type *a* password or use *a* smartcard or whatever. If we leave the office for a cup of coffee, a meeting, lunch or -- shock horror -- going home for the evening, things should automatically turn themselves off.
As systems people, we want to have a central place where we can authorize users for systems, resources like printers, building access and so on.
Unfortunately, there are many things that make gestures towards it. There are standards for doing it -- RADIUS and Kerberos are both ways to do it. NIS is there for Unix systems. Microsoft has incorporated Kerberos into their domains, but alas enhanced it so that you can only use it with their stuff.
CA has an SSO system. So does Entrust. So do lots of other people. And guess what -- none of them let you do what I described above. Various vendors have also tried to turn SSO on its head by saying essentially, "Buy everything from us, and then you won't need SSO."
So what do you do when management pressures you to "implement" it?
List the resources that are important. You mentioned PeopleSoft, Lotus Notes and OS390. Talk to people who use those or the vendors themselves. Talk to your own users. See if you can find something that's most important. For example, I'll just suggest that maybe it's PeopleSoft and Lotus. Find an SSO system that works for those -- better yet, find more than one. See which ones work with OS390. If you find one, you've succeeded. If not than you're just stuck. I can assure you, too, that you're going to get stuck before you support all the things you would like to.
Let's face it, everyone wants SSO, and if there were a solution, we'd all just go buy that. It is a hard problem for which there's no broad-based solution.
This was first published in July 2002