Single sign-on
Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.
There are at least five major types of SSO or reduced sign-on systems in common use at the time of this writing (2005):
- CoSign, an open-source project originally designed to provide the University of Michigan with a secure single sign-on web authentication system. CoSign authenticates users on the web server and then provides an environment variable holding the user's name. When the user accesses a part of the site that requires authentication, the presence of that variable allows access without having to sign on again. CoSign is part of the National Science Foundation Middleware Initiative (NMI) software release.
- Enterprise single sign-on (E-SSO), also called legacy single sign-on, after primary user authentication, intercepts login prompts presented by secondary applications, and automatically fills in fields such as a login ID or password. E-SSO systems allow for interoperability with applications that are unable to externalize user authentication, essentially through "screen scraping."
- Web single sign-on (Web-SSO), also called Web access management (Web-AM), works strictly with applications and resources accessed with a web browser. Access to web resources is intercepted, either using a web proxy server or by installing a component on each targeted web server. Unauthenticated users who attempt to access a resource are diverted to an authentication service, and returned only after a successful sign-on. Cookies are most often used to track user authentication state, and the Web-SSO infrastructure extracts user identification information from these cookies, passing it into each web resource.
- Kerberos is a popular mechanism for applications to externalize authentication entirely. Users sign into the Kerberos server, and are issued a ticket, which their client software presents to servers that they attempt to access. Kerberos is available on Unix, Windows and mainframe platforms, but requires extensive modification of client/server application code, and is consequently not used by many legacy applications.
- Federation is a new approach, also for web applications, which uses standards-based protocols to enable one application to assert the identity of a user to another, thereby avoiding the need for redundant authentication. Standards to support federation include SAML and WS-Federation.
- Light-Weight Identity and OpenID, under the YADIS umbrella, offer distributed and decentralized SSO, where identity is tied to an easily-processed URL which can be verified by any server using one of the participating protocols.
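The Web-SSO flow described above (intercept, divert to a sign-on service, return, then read identity from a cookie) as an added example that is not from the original article: a minimal gateway that issues an HMAC-protected sign-on cookie, rejects tampered or expired cookies, and passes the verified user name to the protected resource. The secret, cookie name, login URL and header name are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import quote

# Constructed demo values; a real gateway loads its key from a protected store.
SECRET = b"constructed-demo-secret-do-not-reuse"
COOKIE_NAME = "websso"
LOGIN_URL = "https://login.example.org/sso"  # assumed sign-on service
TTL = 3600  # seconds a sign-on cookie remains valid

def issue_cookie(user: str, now: float) -> str:
    """Issued by the sign-on service after successful authentication.
    The HMAC tag lets the gateway detect a cookie altered or forged by
    the client, since the identity inside it is trusted downstream."""
    expires = int(now) + TTL
    payload = f"{user}|{expires}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def verify_cookie(cookie: str, now: float):
    """Return the user name if the cookie is intact and unexpired, else None."""
    try:
        user, expires, tag = cookie.split("|")
        expires = int(expires)
    except ValueError:  # malformed cookie
        return None
    expected = hmac.new(SECRET, f"{user}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag through timing.
    if not hmac.compare_digest(tag, expected):
        return None
    if expires <= now:
        return None
    return user

def handle_request(url: str, cookies: dict, now: float):
    """Web-SSO interception: divert unauthenticated users to the sign-on
    service with a return URL; otherwise forward the identity in a header
    that the web resource trusts because only the gateway sets it."""
    user = verify_cookie(cookies.get(COOKIE_NAME, ""), now)
    if user is None:
        return ("redirect", f"{LOGIN_URL}?return={quote(url, safe='')}")
    return ("allow", {"X-Remote-User": user})
```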
See also
- Central Authentication Service
- Enterprise single sign-on
- Global Login System
- Identity management
- Kerberos
- Liberty Alliance
- Microsoft Passport
- NTLM
- SAML
- Shibboleth (Internet2)
- Light-Weight Identity
External links
- SSO for PHP
- E-SSO, pw reset, pw synchronization
- ActivIdentity's SecureLogin Single Sign-On
- i-Sprint's AccessMatrix Universal Sign On
- CoSign project page
- Cafésoft Cams Web Single Sign-On
- Passlogix v-GO Sign-On Platform
From Wikipedia, the Free Encyclopedia.
All text is available under the terms of the GNU Free Documentation License. See Wikipedia Copyrights for details.
