I'm interested in deploying enterprise single sign-on (SSO) in my organization. What is the state of SSO technology today in terms of features and functionality? What must-have capabilities have evolved or matured in the past few years?
Single sign-on (SSO) is the process of authenticating once and then accessing other applications without additional authentication events, based on trust relationships between the applications. There are two types of SSO: enterprise SSO (eSSO) and federation. For this particular use case, let's focus on eSSO.
Enterprise SSO has been around for many years and, unfortunately, its functions haven't changed much. On the user workstation side, eSSO products require that a small password vault be placed on the workstation to store the credentials used by the eSSO software. On the enterprise side, application profiles are created, either on an eSSO hardware server or within a group policy identity repository. These profiles are where the magic happens.
For each system that will utilize eSSO, the eSSO administrator must work with the application owner to determine which application pages require credentials and which fields are required to authenticate. This sometimes involves "screen scraping" the application pages to determine where the authentication fields are located. Once collected, the application information is loaded into the eSSO application. When the user opens one of these pages, the workstation password vault is accessed and the credentials are automatically entered in the right place on the user's behalf, along with any additional required information, which then grants the user access to the protected areas of the application.
The real maturity has been in moving from server-based eSSO to group policy-based eSSO. Since identity repositories are typically replicated throughout the organization, throughput isn't a problem. Older server-based eSSO stored the profiles for the applications, so workstations had to periodically sync this information or directly access the eSSO service. This could cause bottlenecks and synchronization issues.
With the multitude of Web browsers and operating systems available for end users today, organizations should look for an eSSO product that has the widest support for these applications and workstations.
Enterprise SSO is still a very viable process, but keep in mind that, with the expansion and increased functionality of federation technologies, the walls between internal enterprise access and external provider access are rapidly coming down, and this could eliminate the need for any eSSO.
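
The profile-and-vault mechanism described above, sketched as an added example that is not part of the original answer or any eSSO product's code. `AppProfile`, `fill_plan`, the host name and the vault contents are hypothetical and constructed; the point is that credentials are released only when the page matches the profile exactly and still carries every profiled field.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class AppProfile:
    """Hypothetical eSSO application profile: one login page and its fields."""
    name: str
    scheme: str
    host: str
    path: str
    fields: dict  # form field name -> vault attribute ("username"/"password")

# Constructed sample data: the profile store and the workstation vault.
PROFILES = [
    AppProfile("hr-portal", "https", "hr.example.internal", "/login",
               {"user_id": "username", "passwd": "password"}),
]
VAULT = {"hr-portal": {"username": "jdoe", "password": "constructed-secret"}}

def fill_plan(page_url, form_fields, profiles=PROFILES, vault=VAULT):
    """Return {field: value} to inject, or None if no profile matches exactly."""
    u = urlsplit(page_url)
    for p in profiles:
        # Exact match on scheme, host and path: no substring or suffix matching,
        # so a lookalike host or a downgraded http:// page gets nothing.
        if (u.scheme, u.hostname, u.path) != (p.scheme, p.host, p.path):
            continue
        # Every profiled field must be present on the page; otherwise the
        # application has changed and the profile needs to be re-collected.
        if not set(p.fields) <= set(form_fields):
            return None
        creds = vault.get(p.name)
        if creds is None:
            return None
        return {field: creds[attr] for field, attr in p.fields.items()}
    return None
```
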