Single sign-on
Single sign-on is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property whereby a single action of signing out terminates access to multiple software systems.
As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication.
Benefits
Benefits include:
- Reduces phishing success, because users are not trained to enter passwords everywhere without thinking.
- Reduces password fatigue from different user name and password combinations.
- Reduces time spent re-entering passwords for the same identity.
- Can support conventional authentication such as Windows credentials (i.e., username/password).
- Reduces IT costs due to lower number of IT help desk calls about passwords.
- Security on all levels of entry/exit/access to systems without the inconvenience of re-prompting users.
- Centralized reporting for compliance adherence.
SSO uses centralized authentication servers that all other applications and systems utilize for authentication purposes, and combines this with techniques to ensure that users do not actively have to enter their credentials more than once.
SSO users need not remember so many passwords to log in to different systems or applications.
Criticisms
The term enterprise reduced sign-on is preferred by some authors who believe single sign-on to be impossible in real use cases.
As single sign-on provides access to many resources once the user is initially authenticated ("keys to the castle"), it increases the negative impact in case the credentials are available to other persons and misused. Therefore, single sign-on requires an increased focus on the protection of the user credentials, and should ideally be combined with strong authentication methods like smart cards and one-time password tokens.
Single sign-on also makes the authentication systems highly critical; a loss of their availability can result in denial of access to all systems unified under the SSO. SSO can thus be undesirable for systems to which access must be guaranteed at all times, such as security or plant-floor systems.
Kerberos based
- Initial sign-on prompts the user for credentials, and gets a Kerberos ticket-granting ticket (TGT).
- Additional software applications requiring authentication, such as email clients, wikis, revision control systems, etc., use the ticket-granting ticket to acquire service tickets, proving the user's identity to the mailserver / wiki server / etc. without prompting the user to re-enter credentials.
- Windows environment - Windows login fetches TGT. Active Directory-aware applications fetch service tickets, so user is not prompted to re-authenticate.
- UNIX/Linux environment - Login via Kerberos PAM modules fetches TGT. Kerberized client applications such as Evolution, Firefox, and SVN use service tickets, so user is not prompted to re-authenticate.
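The ticket flow described above, as an added illustration that is not part of this article and not real Kerberos code: a user's password is used exactly once (the AS exchange) to obtain a ticket-granting ticket, and every later service ticket is obtained by presenting the TGT, so the mail server or wiki never sees a password. Tickets here are JSON records sealed with an HMAC under the recipient's long-term key, an assumed stand-in for Kerberos encryption; the realm, user, service names and keys are constructed for the walkthrough. The end of the demo also shows the three checks a ticket-accepting party relies on: the integrity tag, the target service name, and the expiry time.

```python
"""Toy model of Kerberos-style single sign-on (added illustration, not the
page's own material). Assumption: tickets are JSON records sealed with an
HMAC under the recipient's long-term key, standing in for real Kerberos
encryption; the flow and trust boundaries are shown, not the wire format."""
import hashlib
import hmac
import json
import time


def derive_key(password: str, realm: str, principal: str) -> bytes:
    # Long-term key derived from the password ("string-to-key"); the password
    # itself never leaves the client.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               f"{realm}/{principal}".encode(), 10_000)


def seal(key: bytes, claims: dict) -> dict:
    # A "ticket": claims plus an integrity tag only the key holder can produce.
    body = json.dumps(claims, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(key: bytes, ticket: dict) -> dict:
    expected = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise PermissionError("ticket integrity check failed")
    claims = json.loads(ticket["body"])
    if claims["expires"] < time.time():
        raise PermissionError("ticket expired")
    return claims


class KDC:
    """Authentication server (AS) and ticket-granting server (TGS) in one."""

    def __init__(self, realm: str, users: dict, services: dict):
        self.realm = realm
        self.user_keys = {u: derive_key(pw, realm, u) for u, pw in users.items()}
        self.service_keys = services          # service principal -> long-term key
        self.tgs_key = hashlib.sha256(b"constructed krbtgt key").digest()

    def authenticate(self, user: str, password: str, lifetime: float = 8 * 3600) -> dict:
        # AS exchange: the only step in which the user's credentials take part.
        if user not in self.user_keys or not hmac.compare_digest(
                self.user_keys[user], derive_key(password, self.realm, user)):
            raise PermissionError("bad credentials")
        return seal(self.tgs_key, {"client": user, "service": f"krbtgt/{self.realm}",
                                   "expires": time.time() + lifetime})

    def service_ticket(self, tgt: dict, service: str) -> dict:
        # TGS exchange: the TGT, not the password, proves who is asking.
        claims = unseal(self.tgs_key, tgt)
        return seal(self.service_keys[service],
                    {"client": claims["client"], "service": service,
                     "expires": min(claims["expires"], time.time() + 3600)})


class Service:
    """A Kerberized server (mail, wiki, ...): trusts tickets sealed under its own key."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: dict) -> str:
        claims = unseal(self.key, ticket)
        if claims["service"] != self.name:
            raise PermissionError("ticket issued for a different service")
        return claims["client"]          # authenticated principal; no password seen


def demo() -> dict:
    # Constructed realm, user, and service keys for the walkthrough.
    realm, user, password = "EXAMPLE.TEST", "alice", "correct horse battery staple"
    mail_key = hashlib.sha256(b"constructed mail key").digest()
    wiki_key = hashlib.sha256(b"constructed wiki key").digest()
    kdc = KDC(realm, {user: password}, {"imap/mail": mail_key, "HTTP/wiki": wiki_key})
    mail, wiki = Service("imap/mail", mail_key), Service("HTTP/wiki", wiki_key)
    results = {}
    tgt = kdc.authenticate(user, password)                 # password entered once
    results["mail"] = mail.accept(kdc.service_ticket(tgt, "imap/mail"))
    results["wiki"] = wiki.accept(kdc.service_ticket(tgt, "HTTP/wiki"))
    checks = {
        # a mail ticket presented to the wiki fails the wiki's integrity check
        "cross_service": lambda: wiki.accept(kdc.service_ticket(tgt, "imap/mail")),
        # an edited TGT no longer matches its tag
        "edited_tgt": lambda: kdc.service_ticket(
            {"body": tgt["body"].replace("alice", "admin"), "tag": tgt["tag"]}, "HTTP/wiki"),
        # a TGT past its lifetime is refused
        "expired_tgt": lambda: kdc.service_ticket(
            kdc.authenticate(user, password, lifetime=-1), "HTTP/wiki"),
    }
    for name, attempt in checks.items():
        try:
            attempt()
            results[name] = "accepted"
        except PermissionError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The model makes the "keys to the castle" point from the Criticisms section concrete: whoever holds a valid TGT can obtain tickets for every service in the realm until it expires, which is why TGT lifetime and the protection of the client's credential cache matter more than any single service password.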
Smart card based
Initial sign-on prompts the user for the smart card. Additional software applications also use the smart card, without prompting the user to re-enter credentials. Smart card-based single sign-on can either use certificates or passwords stored on the smart card.
OTP Token
Also referred to as one-time password token. Two-factor authentication with OTP tokens follows industry best practices for authenticating users. This OTP token method is more secure and effective at prohibiting unauthorized access than other authentication methods.
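As an added example that is not part of this article, the following shows the event-based one-time password algorithm used by many hardware tokens (HOTP, RFC 4226) together with the server-side rule that makes a password "one-time": each counter value is accepted at most once, and a small look-ahead window tolerates token presses that never reached the server. The shared secret is the RFC 4226 test-vector secret; the verifier class, its window size and the demo sequence are this example's own assumptions.

```python
"""HOTP (RFC 4226) token generation and a server-side verifier (added example,
not from the page). Assumption: the per-token secret is shared out of band and
the server stores the last counter it accepted."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Accepts each counter value at most once: a code that has been used is dead."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0          # first counter value still acceptable
        self.look_ahead = look_ahead   # tolerated presses that never reached the server

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # consume this and every earlier value
                return True
        return False


def demo() -> list:
    secret = b"12345678901234567890"      # RFC 4226 test-vector secret
    token = [hotp(secret, c) for c in range(10)]   # what the hardware token would display
    server = HotpVerifier(secret)
    return [
        server.verify(token[0]),   # True: first login
        server.verify(token[0]),   # False: same code replayed
        server.verify(token[3]),   # True: counters 1-2 skipped, within look-ahead
        server.verify(token[2]),   # False: behind the accepted counter
        server.verify(token[9]),   # False: beyond the look-ahead window (4..8)
    ]


if __name__ == "__main__":
    print(demo())
```

The replay rejection is the property the article is relying on: a code observed by a third party is worthless once the legitimate user has used it, and the accepted counter must be stored centrally so that every system behind the SSO sees the same state.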
Integrated Windows Authentication
Integrated Windows Authentication is a term associated with Microsoft products and refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services and Internet Explorer. Cross-platform Active Directory integration vendors have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.
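Because Integrated Windows Authentication covers SPNEGO, Kerberos and NTLMSSP alike, the browser's Authorization header is the place to check which mechanism a connection actually used. The following added example, which is not part of this article and not Microsoft's code, reads such a header as a web server would log it and reports Kerberos versus NTLM, the check an administrator makes when Kerberos is expected but clients fall back to NTLM. The Negotiate tokens are parsed according to the GSS-API (RFC 2743) and SPNEGO (RFC 4178) framing; the sample tokens and the AP-REQ body are constructed placeholders, not captured traffic.

```python
"""Classifying which Integrated Windows Authentication mechanism an HTTP client
actually used (added example, not from the page). Assumptions: the sample
tokens below are constructed, the AP-REQ body is a placeholder, and Negotiate
tokens follow RFC 2743 / RFC 4178 framing."""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_OID = bytes.fromhex("2b060104018237020a")     # 1.3.6.1.4.1.311.2.2.10
MECHS = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos",
         MS_KRB5_OID: "Kerberos", NTLM_OID: "NTLM"}


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + body


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; returns (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length


def classify_token(tok: bytes) -> str:
    if tok.startswith(b"NTLMSSP\x00"):                   # raw NTLMSSP message
        return f"NTLM (NTLMSSP type {int.from_bytes(tok[8:12], 'little')})"
    if tok[:1] != b"\x60":                               # GSS-API InitialContextToken
        return "unrecognized"
    _, body, _ = read_tlv(tok)
    tag, oid, pos = read_tlv(body)
    if tag != 0x06:
        return "unrecognized"
    if oid != SPNEGO_OID:
        return MECHS.get(oid, "unknown mechanism OID")
    # SPNEGO NegTokenInit: [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:
        return "SPNEGO (not a NegTokenInit)"
    _, seq, _ = read_tlv(neg)
    tag, mech_types, _ = read_tlv(seq)
    if tag != 0xA0:
        return "SPNEGO (no mechTypes)"
    _, oid_list, _ = read_tlv(mech_types)
    _, first_oid, _ = read_tlv(oid_list)   # first listed = mechanism of the optimistic token
    return f"SPNEGO preferring {MECHS.get(first_oid, 'unknown mechanism OID')}"


def classify_header(header: str) -> str:
    scheme, _, data = header.partition(" ")
    return f"{scheme}: {classify_token(base64.b64decode(data.strip()))}"


def ntlm_fallbacks(headers: list) -> list:
    """Headers whose connection ended up on NTLM rather than Kerberos."""
    return [h for h in headers if "NTLM" in classify_header(h)]


# Constructed sample tokens (not captured traffic).
AP_REQ = b"<constructed AP-REQ placeholder>"
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"
KRB_RAW = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + AP_REQ)
SPNEGO_KRB = der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30,
    der(0xA0, der(0x30, der(0x06, MS_KRB5_OID) + der(0x06, NTLM_OID)))
    + der(0xA2, der(0x04, KRB_RAW)))))
SAMPLE_HEADERS = [
    "Negotiate " + base64.b64encode(SPNEGO_KRB).decode(),
    "Negotiate " + base64.b64encode(KRB_RAW).decode(),
    "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
    "NTLM " + base64.b64encode(NTLM_TYPE1).decode(),
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_header(h))
```

A Negotiate header carrying a raw NTLMSSP message rather than a SPNEGO token is the usual sign that the client could not obtain a Kerberos service ticket (for example, no service principal name registered for the site), so the connection silently dropped to NTLM; counting those headers over a day's logs is a simple way to find sites where the single sign-on is not working as designed.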
Shared authentication schemes which are not single sign-on
Single sign-on requires that users literally sign in once to establish their credentials. Systems which require the user to log in multiple times to the same identity are inherently not single sign-on. For example, an environment where users are prompted to log in to their desktop, then log in to their email using the same credentials, is not single sign-on.
See also
Related concepts
- Central Authentication Service
- Identity management
- Password fatigue
- OpenID