My company would like to integrate a training website with an external business partner's training site. We've...
already agreed on the data that we will need to share, and we would like to have all users authenticate once, possibly using certificates. What would be the best way to authenticate our employees on their system?
In this situation, using a single sign-on (SSO) system that covers the two websites would be the best option. The hitch here is that unlike setting SSO for two applications or websites within a corporation, the arrangement will mean implementing SSO across two organizations.
The stock answer in that case would be to use federated identity management. Federated identity management is similar to SSO -- both allow the use of a single set of logon credentials for access to multiple systems. But the difference is that SSO is within a single organization, while federated identity management is between two or more different organizations.
Although federated identity management is the obvious way to provide single access to the two websites, there are some reason why certain organizations shouldn't implement it. Federated identity management might be overkill for an organization with simple set up. In this case, all an organization needs is a single logon for two websites, one within your organization and the other outside of it.
Also, federated identity management, which has become more sophisticated in recent years, is still in a state of evolution. SSO is setup within a single organization, which controls its own authentication architecture. But federated identity management requires agreements between different organizations on standards for transmission, encryption and handling of authentication credentials between themselves. This requires the agreement of neutral third parties to set up mutual standards, which is not an easy task.
In this case, since only single access is needed to access two websites, a simple SSO product might suffice. There are several options to consider, many of which offer SSO access to websites only, rather than for traditional distributed, client-server or mainframe applications. They include CA Inc.'s SiteMinder, RSA Security's Access Manager (formerly ClearTrust) or Microsoft Passport. These products can be deployed both for SSO use internally or across partners, as in an extranet.
Digital certificates would also be an adequate, lightweight technology option. Organizations can set up self-signed DCs for use only within and between two networks. But a true Web-based SSO product is stronger and only slightly more difficult to implement and deploy.
The main risk of linking two websites with a single set of authentication credentials is a single point of security failure. Malicious access to one system would allow access to both systems.
Regardless of the authentication option, before beginning any project an organizations should conduct a thorough risk analysis of its partner's website to check for security vulnerabilities. The level of authentication, SSO or otherwise, should be commensurate with the risk level of the systems.
Related Q&A from Joel Dubin, past SearchSecurity.com expert
The security of RFID chips and smart cards may not be fully mature, but there are best practices to keep facilities safe. Identity and access ...continue reading
Picture passwords for mobile device security aren't a new idea, but they have been recently improved. Identity and access management expert Joel ...continue reading
Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.