My company would like to integrate a training website with an external business partner's training site. We've already agreed on the data that we will need to share, and we would like to have all users authenticate once, possibly using certificates. What would be the best way to authenticate our employees on their system?
In this situation, a single sign-on (SSO) system that covers both websites would be the best option. The hitch is that, unlike setting up SSO for two applications or websites within one corporation, this arrangement means implementing SSO across two organizations.
The stock answer in that case would be to use federated identity management. Federated identity management is similar to SSO -- both allow the use of a single set of logon credentials for access to multiple systems. But the difference is that SSO is within a single organization, while federated identity management is between two or more different organizations.
Although federated identity management is the obvious way to provide single access to the two websites, there are some reasons why certain organizations shouldn't implement it. Federated identity management might be overkill for an organization with a simple setup. In this case, all the organization needs is a single logon for two websites, one inside the organization and the other outside it.
Also, federated identity management, which has become more sophisticated in recent years, is still in a state of evolution. SSO is set up within a single organization, which controls its own authentication architecture. Federated identity management, by contrast, requires the participating organizations to agree on standards for the transmission, encryption and handling of authentication credentials between them. This requires neutral third parties to agree on mutual standards, which is not an easy task.
In this case, since only single access is needed to access two websites, a simple SSO product might suffice. There are several options to consider, many of which offer SSO access to websites only, rather than for traditional distributed, client-server or mainframe applications. They include CA Inc.'s SiteMinder, RSA Security's Access Manager (formerly ClearTrust) or Microsoft Passport. These products can be deployed both for SSO use internally or across partners, as in an extranet.
Digital certificates would also be an adequate, lightweight option. Organizations can set up self-signed digital certificates for use only within and between the two networks. But a true Web-based SSO product is stronger and only slightly more difficult to implement and deploy.
The main risk of linking two websites with a single set of authentication credentials is a single point of security failure. Malicious access to one system would allow access to both systems.
Regardless of the authentication option, before beginning any such project an organization should conduct a thorough risk analysis of its partner's website to check for security vulnerabilities. The level of authentication, SSO or otherwise, should be commensurate with the risk level of the systems involved.
This was first published in February 2008