Ask the Expert

Traditional single sign-on (SSO) products versus federated identities

My company's employees need to access their employee benefit information on an external Web site. What are the advantages and disadvantages of using traditional single sign-on products, like RSA ClearTrust or SiteMinder, versus federated identities?

    Requires Free Membership to View

Single sign-on (SSO) and federated identity management seem very similar on the surface. And, in fact, a federated identity management system may use SSO for logon. But the similarity ends there.

SSO allows a single authentication credential--user ID and password, smart card, one-time password token or a biometric device--to access multiple or different systems within a single organization. A federated identity management system provides single access to multiple systems across different enterprises.

While SSO deployments can be involved and tricky, they are within a single company, which may already have a common IT architecture throughout the enterprise. Federated identity management deployment across organizations with different IT architectures, however, requires more work. A third party must then set a neutral standard that is accepted by all participants.

Because it requires agreement across various companies with disparate systems, federated identity management hasn't been widely accepted. The technology calls for member companies to agree, among other things, on a unified directory structure for housing authentication credentials--not an easy task, especially for competing companies in the same industry that might need to share a federated system.

There have been initiatives by Microsoft and IBM, as well as Liberty Alliance, OASIS and others, in developing federated identity management standards. But such systems are still tricky, at best, partly because the standards are still evolving, due to shifting alliances among the various players, and partly because the technology isn't mature enough for enterprise use.

Unless your company and the company hosting the external Web site are both part of the same federated identity management system, it would be best to stick with traditional SSO, which has an excellent track record and a long history of successful implementation.

It's also important, particularly with SSO, to make sure that there are adequate safeguards for authentication credentials, especially if employees will be accessing high risk data, such as employee benefit information. Remember, SSO is a great convenience, but it's also a single key to the store. If it's compromised, then everything it allows access to is also compromised.

Consider adding two-factor authentication, or some other strong authentication, to your SSO mix. This is another reason to implement SSO over federated identity management. Today's SSO systems are flexible and work well with two-factor authentication.

For more information:

  • In this expert Q&A, Joel Dubin discusses the federated identity managment basics.
  • Discover the dangers associated with turning off pre-boot authentication (PBA).
  • This was first published in October 2007

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: