My company's employees need to access their employee benefit information on an external Web site. What are the...
advantages and disadvantages of using traditional single sign-on products, like RSA ClearTrust or SiteMinder, versus federated identities?
Single sign-on (SSO) and federated identity management seem very similar on the surface. And, in fact, a federated identity management system may use SSO for logon. But the similarity ends there.
SSO allows a single authentication credential--user ID and password, smart card, one-time password token or a biometric device--to access multiple or different systems within a single organization. A federated identity management system provides single access to multiple systems across different enterprises.
While SSO deployments can be involved and tricky, they are within a single company, which may already have a common IT architecture throughout the enterprise. Federated identity management deployment across organizations with different IT architectures, however, requires more work. A third party must then set a neutral standard that is accepted by all participants.
Because it requires agreement across various companies with disparate systems, federated identity management hasn't been widely accepted. The technology calls for member companies to agree, among other things, on a unified directory structure for housing authentication credentials--not an easy task, especially for competing companies in the same industry that might need to share a federated system.
There have been initiatives by Microsoft and IBM, as well as Liberty Alliance, OASIS and others, in developing federated identity management standards. But such systems are still tricky, at best, partly because the standards are still evolving, due to shifting alliances among the various players, and partly because the technology isn't mature enough for enterprise use.
Unless your company and the company hosting the external Web site are both part of the same federated identity management system, it would be best to stick with traditional SSO, which has an excellent track record and a long history of successful implementation.
It's also important, particularly with SSO, to make sure that there are adequate safeguards for authentication credentials, especially if employees will be accessing high risk data, such as employee benefit information. Remember, SSO is a great convenience, but it's also a single key to the store. If it's compromised, then everything it allows access to is also compromised.
Consider adding two-factor authentication, or some other strong authentication, to your SSO mix. This is another reason to implement SSO over federated identity management. Today's SSO systems are flexible and work well with two-factor authentication.
For more information:
- In this expert Q&A, Joel Dubin discusses the federated identity managment basics.
- Discover the dangers associated with turning off pre-boot authentication (PBA).
Dig Deeper on Single-sign on (SSO) and federated identity
Related Q&A from Joel Dubin
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading