Exploring Single Sign-On (SSO).

Intro

Single sign-on (SSO) concerns access control across multiple related but independent software systems. A user is authenticated once by one resource, and when the same user then accesses other resources, those resources check with the authenticating resource instead of authenticating the user again.

In access control, there are 3 parts:

  1. Authentication. Verifying that a user is who they claim they are. This is the primary concern of SSO; OpenID deals with authentication.
  2. Authorization. Administering which users and groups of users get access to which resources with what permissions. SSO is sometimes involved with authorization; OAuth deals with authorization.
  3. Auditing. Tracking which users did what to which resources when. SSO rarely deals with auditing.

Identity management has to do with managing authentication and authorization data. Identity management and access control may be used for:

Open SSO

OpenID is an open standard concerned with decentralized authentication. OpenID is decentralized in the sense that OpenID authentication can be provided by a variety of Identity Providers. It is also notable that in OpenID the authentication method is not fixed and can range from the common user name and password to multi-factor such as smart cards, SMS to cell phones, and biometrics.

Here is a typical OpenID scenario:

  1. An OpenID Identity Provider (OIP) has users that it authenticates and does identity management. The OIP provides its users an OpenID URL or XRI, e.g. georgelhernandez.myopenid.com.
  2. A service provider that needs authenticated users is a Relying Party (RP). A RP may use multiple OIPs. A RP usually handles its own authorization and auditing.
  3. Once a user has been set up at an OIP, then he or she can either authenticate at the OIP and then visit RPs, or visit RPs who will then check with the OIP.
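The "check with the OIP" step above, as an added Python sketch that is not part of this page: the OIP issues an assertion signed with a previously agreed association secret (the way OpenID 2.0 associations work) and the RP verifies the signature, the return_to address and a per-response nonce before accepting the claimed identity. The handle, secret, URLs and user identifier are constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed association: in OpenID 2.0 the RP and the OIP agree on a shared
# secret (an "association") before any assertion is exchanged. Example values.
ASSOC_HANDLE = "assoc-example-1"
ASSOC_SECRET = secrets.token_bytes(32)
SIGNED_FIELDS = ("claimed_id", "return_to", "response_nonce", "assoc_handle")


def sign(fields, secret):
    # HMAC over the signed fields in key:value form, in a fixed order.
    msg = "".join(f"{k}:{fields.get(k, '')}\n" for k in SIGNED_FIELDS).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def oip_issue_assertion(user_id, return_to):
    """OIP side: the user has authenticated here; build a positive assertion
    that the user agent carries back to the RP's return_to URL."""
    fields = {
        "claimed_id": user_id,
        "return_to": return_to,
        "response_nonce": secrets.token_urlsafe(16),  # unique per assertion
        "assoc_handle": ASSOC_HANDLE,
    }
    fields["sig"] = sign(fields, ASSOC_SECRET)
    return fields


class RelyingParty:
    """RP side: verifies the assertion rather than trusting the browser."""

    def __init__(self, return_to, associations):
        self.return_to = return_to
        self.associations = associations  # handle -> secret
        self.seen_nonces = set()          # replay protection

    def verify(self, assertion):
        secret = self.associations.get(assertion.get("assoc_handle"))
        if secret is None:
            return False, "unknown association handle"
        if assertion.get("return_to") != self.return_to:
            return False, "assertion was issued for a different RP"
        if not hmac.compare_digest(sign(assertion, secret), assertion.get("sig", "")):
            return False, "bad signature (tampered or forged assertion)"
        nonce = assertion.get("response_nonce", "")
        if nonce in self.seen_nonces:
            return False, "replayed assertion"
        self.seen_nonces.add(nonce)
        return True, assertion["claimed_id"]
```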

Security Assertion Markup Language (SAML) is conceptually the same as OpenID except that SAML is an XML-based open standard from OASIS that deals with authentication and authorization. In SAML-speak you have an Identity Provider (IdP) and a Service Provider (SP). Just from the terminology you can hear that OpenID is less stuffy than SAML. OpenID is to SAML, as REST is to SOAP.

SSO Implementations

There are SSO implementations (open and proprietary) that build upon open and proprietary code. See List of single sign-on implementations [W].

The SSO implementations vary in how much of SSO they actually implement.

Here are some SSO implementations that I've personally looked into:

Links

Off-site links related to Single Sign-On (SSO).

Wikipedia on SSO

OpenID

Google on SSO. As of 2011-08 they're emphasizing OpenID for authentication and OAuth for authorization.

Miscellany.
