Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > How to test an enterprise single sign-on login
Ask The Security Expert: Questions & Answers
EMAIL THIS

How to test an enterprise single sign-on login

Joel Dubin, past SearchSecurity.com expert EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 23 April 2007
How can we test whether our enterprise single sign-on (SSO) login is working properly?


BROWSE BY TAG
Identity Management and Access Control,   Enterprise Single Sign-On (SSO),   Enterprise Identity and Access Management,   User Authentication Services,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
Identity Management and Access Control
Is Identity Management as a Service (IDaaS) a good idea?
How to log in to multiple servers with federated single sign-on (SSO)
How to confirm the receipt of an email with security protocols
Learn about enterprise strategy for server virtualization single sign-on
Employee information security awareness training for new IAM systems
Can you combine RFID tag technology with GPS to track stolen goods?
Is there a free enterprise-caliber password-management tool?
Cryptosystem attacks that do not involve obtaining the decryption key
Can any firm or organization get a digital signature certificate?
Should the CTO have domain administrator access?

Enterprise Single Sign-On (SSO)
How to log in to multiple servers with federated single sign-on (SSO)
Security on a budget: How to make the most of authentication tools
Best Identity and Access Management Products
Changing times for identity management
Kerberos configuration as an authentication system for single sign-on
How to use single sign-on for Web access control to prevent malware
Learn about enterprise strategy for server virtualization single sign-on
Enterprise single sign-on: Easing the authentication process
Exploring authentication methods: How to develop secure systems
User provisioning and SSO for PeopleSoft- and Unix-based products
Enterprise Single Sign-On (SSO) Research

Expert Archive: Identity Management and Access Control
Enterprise password management policy: Finding the balance
How to conduct a periodic user access review for account privileges
Options for a mechanical door security system on a server room door
Comparing access control mechanisms and identity management techniques
User provisioning and SSO for PeopleSoft- and Unix-based products
Could someone place a rootkit on an internal network through a router?
Should a new user have to confirm an email address to gain access?
Can home PCs provide a way for viruses and spyware to enter a corporate LAN?
What should an enterprise look for in a password token and a vendor?
Using batch files for temporary user access to the local admin group

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
onboarding and offboarding  (SearchSecurity.com)
single sign-on  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary


In short, testing an enterprise single sign-on (SSO) implementation is done by logging in using the SSO system and then trying to log on to separate applications accessed by the system.

Enterprise SSO implementations use either a hardware or software module to authenticate individual applications. When using a software module, the SSO application may sit on a dedicated server. In that case, the software module resembles a hardware device. Either way, the SSO system sits between the user and the applications. Before SSO, there was nothing between the user and the applications; the user logged directly on to each application separately.

The difference with SSO is that this module completes the authentication done previously by the user. The module establishes a trust relationship with each application after the user logs in. The module must create and maintain an authenticated session as long as the user is logged on. That session must be active and able to log on to each application registered with the SSO system.

To test the SSO system, the user logs into their desktop per usual, but this time, he or she is actually logging into the SSO module. After login, the user should be able to access each application registered with the system separately without providing a username and password.

The same goes for testing enterprise single sign-on for a Web application. The user should be able to log on to the Web application acting as the SSO gateway, and then log on to any other registered Web application without being prompted for credentials.

Conversely, the SSO system should extinguish credentials when the user logs out. This is testing in reverse. If the user logs out of the system, he or she shouldn't have immediate or unauthenticated access to member applications.

This is a very high-level overview of testing an SSO system. In reality, you should have a set of test user IDs and passwords, or other log-in credentials, and set up a series of scripts with different log-on scenarios. The scenarios should test for logon, logoff and logging into the registered applications within the system.

If access to each application can be done without being prompted, or without an error, then your SSO system is working properly.

For more information:

  • Read about your options when accessing multiple applications through a remote Citrix server.
  • Learn how single sign-on can improve productivity, save money and protect corporate information.




    • Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts