My company would like to integrate a training website with an external business partner's training site. We've already agreed on the data that we will need to share, and we would like to have all users authenticate once, possibly using certificates. What would be the best way to authenticate our employees on their system?
In this situation, using a single sign-on (SSO) system that covers the two websites would be the best option. The hitch here is that unlike setting SSO for two applications or websites within a corporation, the arrangement will mean implementing SSO across two organizations.
The stock answer in that case would be to use federated identity management. Federated identity management is similar to SSO -- both allow the use of a single set of logon credentials for access to multiple systems. But the difference is that SSO is within a single organization, while federated identity management is between two or more different organizations.
Although federated identity management is the obvious way to provide single access to the two websites, there are some reason why certain organizations shouldn't implement it. Federated identity management might be overkill for an organization with simple set up. In this case, all an organization needs is a single logon for two websites, one within your organization and the other outside of it.
Also, federated identity management, which has become more sophisticated in recent years, is still in a state of evolution. SSO is setup within a single organization, which controls its own authentication architecture. But federated identity management requires agreements between different organizations on standards for transmission, encryption and handling of authentication credentials between themselves. This requires the agreement of neutral third parties to set up mutual standards, which is not an easy task.
In this case, since only single access is needed to access two websites, a simple SSO product might suffice. There are several options to consider, many of which offer SSO access to websites only, rather than for traditional distributed, client-server or mainframe applications. They include CA Inc.'s SiteMinder, RSA Security's Access Manager (formerly ClearTrust) or Microsoft Passport. These products can be deployed both for SSO use internally or across partners, as in an extranet.
Digital certificates would also be an adequate, lightweight technology option. Organizations can set up self-signed DCs for use only within and between two networks. But a true Web-based SSO product is stronger and only slightly more difficult to implement and deploy.
The main risk of linking two websites with a single set of authentication credentials is a single point of security failure. Malicious access to one system would allow access to both systems.
Regardless of the authentication option, before beginning any project an organizations should conduct a thorough risk analysis of its partner's website to check for security vulnerabilities. The level of authentication, SSO or otherwise, should be commensurate with the risk level of the systems.
Dig Deeper on Single-sign on (SSO) and federated identity
Related Q&A from Joel Dubin
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.