Ask the Expert

How single sign-on works

How does single sign-on work? Do I have to create the privileges and roles for each application, or do I create the roles and privileges only once?

    Requires Free Membership to View

The definition for single sign-on from The Open Group is, "Single sign-on (SSO) is a mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where he has access permission, without the need to enter multiple passwords. Single sign-on reduces human error, a major component of systems failure, and is therefore highly desirable but difficult to implement."

How single sign-on systems work is implementation dependent. For example, in a Windows NT (or 2000) network, applications can use integrated Windows NT authentication mechanisms. If set up to require particular users or groups of users, anyone who is allowed access that has already been authenticated to that domain will be granted access. They do not need to sign on again.

Novell takes a different approach. All applications still have their own usernames and passwords, but they are stored in what they call SecretStore. According to their Web site, "Once you authenticate to NDS, SecretStore automatically collects and encrypts your application passwords the first time you use them. When you next attempt to use an application, the application's client will try to verify that you are authenticated to NDS. If NDS responds that you are authenticated, the client requests your application password from the SecretStore. NDS retrieves your encrypted password from the SecretStore and sends it to your workstation, where it is decrypted and used to give you access to the desired application. This entire process takes only seconds and is completely transparent: Once you authenticate to NDS, Single Sign-on manages the rest of your logon processes."

There are other methods of implementing single sign-on as well.

What this means in any case, is that you need to define who has access to each application and to what level, on a per application basis. However, if you define standard groups or roles, it should be easy use the same definitions from application to application.

Implementing single sign-on in a secure way is not trivial and needs to be well thought out before beginning implementation.

This was first published in May 2001

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: