How to log in to multiple servers with federated single sign-on (SSO)

Single sign-on is a rapidly evolving technology that, when partnered with federation tools, can offer a greater and greater level of granularity for access control. Learn how from expert Randall Gamby.

I'm looking for a technology that allows a user to securely log in to multiple servers (with different domains and possibly even different LANs) simultaneously. Do you have any suggestions?

There are two technologies that come to mind. The first consists of commercially available enterprise single sign-on (eSSO) proprietary products. These are readily available, and many of the major identity and access management vendors have these products in their respective portfolios. However, since you mentioned different domains and LANs, you may have to supplement these tools with a standards-based technology, such as a federation tool.

Federation tools (such as IBM's Tivoli Identity Federation, Oracle Corp.'s Oracle Identity Federation, Ping Identity Corp.'s PingFederate, Courion Corp.'s Access Assurance, etc.) work by predefining the access rights that you or your partner's users will have. This is done first through legal negotiations to establish the constituent classes and rights that the constituents will have on the remote systems. Then, within each federation tool, the token, or assertion, data is defined to express these rights that will be passed during the authorization communications between the clients and end points. Once the federation technologies are installed on both sites, the tools pass along tokens based on these predefined access rights, rather than just passing user authentication data.

While federation is still evolving, the feasibility of using federation technologies within an organization, or even between business partners, is growing daily and has already been in use for several years.

For more information:

This was last published in September 2009

Dig Deeper on Single-sign on (SSO) and federated identity