My company's employees need to access their employee benefit information on an external Web site. What are the
advantages and disadvantages of using traditional single sign-on products, like RSA ClearTrust or SiteMinder, versus federated identities?
Single sign-on (SSO) and federated identity management seem very similar on the surface. And, in fact, a federated identity management system may use SSO for logon. But the similarity ends there.
SSO allows a single authentication credential--user ID and password, smart card, one-time password token or a biometric device--to access multiple or different systems within a single organization. A federated identity management system provides single access to multiple systems across different enterprises.
While SSO deployments can be involved and tricky, they are within a single company, which may already have a common IT architecture throughout the enterprise. Federated identity management deployment across organizations with different IT architectures, however, requires more work. A third party must then set a neutral standard that is accepted by all participants.
Because it requires agreement across various companies with disparate systems, federated identity management hasn't been widely accepted. The technology calls for member companies to agree, among other things, on a unified directory structure for housing authentication credentials--not an easy task, especially for competing companies in the same industry that might need to share a federated system.
There have been initiatives by Microsoft and IBM, as well as Liberty Alliance, OASIS and others, in developing federated identity management standards. But such systems are still tricky, at best, partly because the standards are still evolving, due to shifting alliances among the various players, and partly because the technology isn't mature enough for enterprise use.
Unless your company and the company hosting the external Web site are both part of the same federated identity management system, it would be best to stick with traditional SSO, which has an excellent track record and a long history of successful implementation.
It's also important, particularly with SSO, to make sure that there are adequate safeguards for authentication credentials, especially if employees will be accessing high risk data, such as employee benefit information. Remember, SSO is a great convenience, but it's also a single key to the store. If it's compromised, then everything it allows access to is also compromised.
Consider adding two-factor authentication, or some other strong authentication, to your SSO mix. This is another reason to implement SSO over federated identity management. Today's SSO systems are flexible and work well with two-factor authentication.
For more information:
- In this expert Q&A, Joel Dubin discusses the federated identity managment basics.
- Discover the dangers associated with turning off pre-boot authentication (PBA).
Dig deeper on Enterprise Single Sign-On (SSO)
Related Q&A from Joel Dubin, past SearchSecurity.com expert
The security of RFID chips and smart cards may not be fully mature, but there are best practices to keep facilities safe. Identity and access ...continue reading
Picture passwords for mobile device security aren't a new idea, but they have been recently improved. Identity and access management expert Joel ...continue reading
Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.