Single Sign-on

Single sign-on (SSO, sometimes also translated as "single login") means that a user, after authenticating once at a workstation, can access all hosts and services for which that user is locally entitled (authorized) from that same workstation, without having to log in to each one separately. If the user switches workstations, both the authentication and the local authorization lapse.

This capability is offered from the user's perspective especially in view of today's portals. Within a portal it is also possible for the logged-in user's identity to be passed on to the portal's constituent views without the user having to make themselves known to each of them again. A user always has exactly one physical identity, as in the real world. Within a system, however, the same person may be stored under several different user names (logical identities). The aim of single sign-on is that users identify themselves only once with the help of an authentication process (e.g. by entering a password). After that, the SSO mechanism takes over the task of authenticating the user (confirming the recognised physical identity) to the other systems. A further requirement of single sign-on is that it must not be weaker than the underlying authentication method itself.


Pros and Cons of Single Sign-on

General limitation in mobile work

  • If a user moves between workstations while working mobile, they have to log in again at the next workstation anyway.
  • If the user leaves the workstation while working mobile, the access already gained is usually cut off by a time limit. To avoid this interrupting work, the time limits are usually set quite generously. The inevitable result is that an unattended workstation gives unauthorized third parties enough time and opportunity to continue using, without authorization, the access already granted to the authorized user.

Benefits

  • Time savings, since only a single authentication is required to access all of the systems.
  • Security benefit, since the password needs to be transmitted only once.
  • Security benefit, since only one user account needs to be considered when removing or updating a user.
  • Security benefit, since the user only has to remember one password instead of numerous, mostly insecure ones. That one password can therefore be chosen to be complex and secure.
  • Phishing attacks are made harder, because the user only has to enter user ID and password at a single location rather than at numerous scattered sites. This one location can be checked more easily for correctness (URL, SSL server certificate, etc.).
  • It creates awareness of where a user ID and password can be entered in good conscience. Users of a single sign-on are less easily enticed into entrusting their (possibly shared) password to foreign sites.

Disadvantages

  • If an attacker has stolen the identity of a user, all systems to which this user has access are immediately available to the attacker. However, the same can occur if the user already uses the same password for most services.
  • There is no differentiation of access rights depending on context (place, time, task, role).
  • A provider that offers only single sign-on will not attract potential customers who do not accept the system used.
  • The availability of a service depends not only on its own availability, but also on the availability of the single sign-on system.
  • If no equivalent sign-off solution is defined, the account remains open until a time-out takes effect.
  • Through a fault of the user or of the SSO process, the user may be locked out of the system, depending on the security settings, and then needs to unlock access manually.

Solutions

Media solution

The user carries an electronic token that contains the entire password information, or at least one authentication factor, and that transfers it automatically to the workstation (electronic key with manual keyboard entry, electronic key with contact transfer (USB, 1-Wire, etc.), wireless key (Bluetooth token, mobile phone with Bluetooth function, etc.)).

Portal solution

The user logs in once on a portal and is authenticated and authorized there across the board. That is, the user receives a feature that unambiguously identifies them to the applications integrated within the portal. For portals based on web technology this can be done, for example, in the form of an HTTP cookie. Through the portal the user then obtains access to multiple web applications without having to log in to each one separately. Examples are Yahoo or MSN (Passport).

Ticketing System

Alternatively, a network of trusted services can be built. The services share a common identification for a user, which they exchange among themselves; the logged-in user effectively carries a virtual ticket. The first login is performed on one system of this 'circle of trust', and access to the other trusted systems is granted on the basis of that first-mentioned system. Examples are Kerberos and the Liberty Alliance Project.
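The ticket exchange sketched in this section, together with the sign-off problem listed under Disadvantages, as an added Python example that is not part of the original article: the first system issues an HMAC-signed ticket with an expiry, every other service in the circle of trust verifies it with the shared key, and an explicit sign-off revokes the ticket before its time-out. The shared key, the claim names and the in-memory revocation set are assumptions for illustration, not how Kerberos or Liberty Alliance encode their tickets.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example: one shared secret for the whole "circle of trust".
# In a real deployment each service would hold its own key material.
TRUST_KEY = b"example-shared-secret-not-for-production"
REVOKED = set()  # tickets that were explicitly signed off


def _sign(payload: bytes) -> str:
    return hmac.new(TRUST_KEY, payload, hashlib.sha256).hexdigest()


def issue_ticket(user: str, lifetime: int, now: Optional[float] = None) -> str:
    """The first system authenticates the user and hands out a ticket."""
    now = time.time() if now is None else now
    claims = {"sub": user, "iat": now, "exp": now + lifetime}
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def verify_ticket(ticket: str, now: Optional[float] = None) -> Optional[str]:
    """Any trusted service: returns the user name, or None if the ticket is not valid."""
    now = time.time() if now is None else now
    try:
        enc, sig = ticket.split(".", 1)
        body = base64.urlsafe_b64decode(enc)
    except (ValueError, binascii.Error):
        return None  # malformed ticket
    if not hmac.compare_digest(_sign(body), sig):
        return None  # tampered with, or issued outside the circle of trust
    claims = json.loads(body)
    if now >= claims["exp"] or ticket in REVOKED:
        return None  # time-out reached, or user signed off
    return claims["sub"]


def sign_off(ticket: str) -> None:
    """Equivalent sign-off: the ticket stops working before its time-out."""
    REVOKED.add(ticket)
```

Without `sign_off`, a ticket stays usable until `exp`, which is exactly the "account remains open until a time-out" disadvantage.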

Local Solution

Users can also install a client on their regularly used workstation that automatically fills in login forms as they appear with the correct user name and the correct password. This weakens the authentication unless additional factors are queried.

For this purpose, the login mask must have been trained or defined beforehand. During training, care must be taken that the mask is recognised unambiguously. It must be ensured that a counterfeit or similar-looking mask is not operated by mistake, otherwise credentials could be "tapped" in this way. Today this unambiguous recognition is often achieved with additional features such as call paths, the creation date of a mask, etc., which make it harder to forge a mask.

The user names and passwords can be kept

  • in an encrypted file locally on the PC,
  • on a chip card,
  • or on single sign-on appliances or single sign-on servers within the network.

It is also possible to store this data in a directory service or database. Examples are the "password managers" integrated in many modern browsers, Microsoft's identity metasystem, and many commercial products. This approach is usually followed for single sign-on solutions internal to a company or organization, because proprietary applications often cannot be used with ticketing or portal solutions.

PKI

A Public Key Infrastructure can be regarded as a single sign-on system only in some respects: a PKI provides a basis for authentication for all PKI-enabled applications. The one-time login process, the actual single sign-on, is thus not covered, but the digital certificate is the "single tool" for authentication at various locations. Often such a certificate is used precisely as the primary authentication for ticketing or local SSO solutions.
