
How to enable SSO for several different systems

Expert Joel Dubin covers how to enable SSO integration to do away with multiple usernames and passwords.

Our company has several systems to access information for our staff on the Internet. Some are internal (for example webmail) and some are external. Assuming we're starting from scratch, what's the best way to set up security for all systems and give each user a single username and password? What are the potential ramifications of doing this?

What you are describing, in a nutshell, is a single sign-on (SSO) system for a set of Web applications, some inside your company, and others outside.

There are a number of well-known products on the market for Web-based SSO. CA Inc.'s SiteMinder and RSA Security's Access Manager, formerly called ClearTrust (RSA is now owned by EMC Corp.), are just two of many products available. Other SSO products can be adapted for Web access, such as IBM Tivoli Access Manager, OpenConnect Systems Inc.'s WebConnect and the eToken from Aladdin Knowledge Systems Inc. Depending on the size of the organization, a hardware-based SSO solution, like the one offered by Imprivata Inc., might also be an option.

There are two main ramifications to consider when deploying SSO for Web access. First, SSO is a single point of security failure. In other words, if a malicious user gains access to a single user ID and password or other authentication credential, he or she basically will have full run of corporate systems. On the other hand, SSO implementations involve a lot of planning and integration of diverse systems. As a result, they tend to have more built-in security features than standard user ID and password systems do.

Another thing to consider with Web SSO is the different risk levels of the Web applications being joined together. Webmail, for example, can both bring in malware and send out confidential data. Other websites and applications that merely require a login aren't as risky as webmail. Security professionals might want to consider implementing data loss prevention (DLP) and content-filtering products to protect their sites from malware and data leakage.

Once corporate systems are linked via a single authentication system, security pros should make sure that all Web servers are hardened with up-to-date patches and antimalware software. As for the external websites, do a thorough risk analysis of partners before connecting to their systems, to eliminate any serious security vulnerabilities.

Two other security considerations with any SSO implementation are to make sure all users have unique user IDs and passwords -- no sharing of credentials should be allowed -- and to log and monitor all access via the SSO system. These features are not only required for compliance, but are also security best practices. If corporate systems are attacked through the SSO system, the logs will help track down the source of the breach.
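As an added illustration of the last two points (unique credentials and monitoring of SSO access), not part of the original answer or of any product named above, the following script scans SSO audit-log lines and flags accounts that logged in successfully from several source addresses within a short window, a common symptom of shared credentials. The log format and the sample lines are constructed for this example; real SSO products have their own formats.

```python
# Added example (not from the original article): a minimal monitor over SSO
# audit-log lines that flags accounts used from several source addresses
# inside a short window, a symptom of shared or stolen credentials.
# The log format and the sample lines below are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <result> user=<id> src=<ip> app=<name>"
SAMPLE_LOG = """\
2008-02-11T08:00:05 LOGIN_OK user=jsmith src=10.1.4.22 app=webmail
2008-02-11T08:02:41 LOGIN_OK user=jsmith src=203.0.113.9 app=partner-portal
2008-02-11T08:03:10 LOGIN_OK user=jsmith src=198.51.100.77 app=intranet
2008-02-11T08:05:00 LOGIN_OK user=alee src=10.1.4.31 app=webmail
2008-02-11T09:30:00 LOGIN_OK user=alee src=10.1.4.31 app=intranet
2008-02-11T08:06:12 LOGIN_FAIL user=bkim src=192.0.2.5 app=webmail
"""

def parse_line(line):
    """Split one log line into a dict with ts, result and the key=value fields."""
    ts, result, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "result": result, **kv}

def find_shared_accounts(log_text, window=timedelta(minutes=10), max_sources=1):
    """Return {user: sorted source IPs} for every account with successful logins
    from more than max_sources distinct addresses within any `window`."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] == "LOGIN_OK":          # only successful logins count
            by_user[ev["user"]].append((ev["ts"], ev["src"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()                           # lines may arrive out of order
        for i, (t0, _) in enumerate(events):    # sliding window from each login
            srcs = {src for t, src in events[i:] if t - t0 <= window}
            if len(srcs) > max_sources:
                flagged[user] = sorted(srcs)
                break
    return flagged

if __name__ == "__main__":
    for user, srcs in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{user}: {len(srcs)} source addresses within 10 min: {', '.join(srcs)}")
```

In the sample data only jsmith is flagged; alee logs in twice from the same address and bkim never authenticates successfully.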

This was last published in February 2008
