Single Sign-On

Single sign-on is both a security solution and a usability solution. It was conceived because in today’s world of computer applications, people tend to have too many identifiers (usernames) and too many authenticators (passwords) for too many applications.

Why Single Sign-On Exists

There is no technical security reason for single sign-on to exist; it exists because people's behavior forces it to exist. If the identity is different and the password is different for every application or database, users need excellent memories to use them all. The security risk arose because people felt the only way to keep track of all those usernames and passwords was to write them on a piece of paper conveniently placed next to the computer.

One solution to the problem would be to make all the usernames and/or passwords the same. While this alleviates the problem of having to remember many usernames and passwords, it leaves the computing environment less usable, and it has its own security cost: the same password stored in many applications means that a compromise of any one of them (or a dishonest administrator of any one of them) compromises the user everywhere. Typing in a username and password over and over is also a bothersome task, especially for strong passwords that consist of many characters combining symbols, numbers, and letters.

Thus, single sign-on, as the name implies, was created to make the computing environment more usable: users authenticate themselves once regardless of the number of applications they want to access. Security can also be maintained because the user has a single credential, stored and verified in a single place, so there is one password policy to enforce and one set of logon events to audit. Password administration is also easier because the password only has to be changed once, and revoking the account once locks the user out of every application. The flip side is that this single credential now unlocks everything, so it deserves stronger protection (and stronger authentication) than any one application password did.

There are many implementations for single sign-on, and they vary in the way the user’s identity is represented as well as how they accomplish the task of single sign-on. Kerberos, DCE, and PKI-based solutions are among the most popular in use today. The essence of single sign-on is consistent regardless of how it’s implemented. The goal is to securely propagate the user’s identity from application to application without bothering the user each time. When used correctly, single sign-on is both a usability and a security solution.

Challenges to Single Sign-On

Single sign-on is not without its challenges. The practical challenge arises when you try to mix products and platforms from different vendors. Using de facto or industry standards, such as Kerberos and PKI, helps to mitigate the interoperability issues.

A single sign-on security risk is created when a user logs on to the single sign-on environment and then walks away, leaving an open and authenticated terminal. This can be disastrous if a malicious person, or even a curious co-worker, decides to exploit the open, authenticated terminal. That person is not authenticated to a single application; they are authenticated to all applications.

This problem can be addressed several ways. First, users should consciously lock their computers before leaving them unattended. Additionally, the computer should be set to lock itself automatically when idle for some period of time. Finally, the single sign-on server can time out inactive sessions, and it should also impose an absolute lifetime so that a session cannot be kept alive indefinitely by periodic activity. Using all of these measures provides a defense in depth approach to ensuring that this security risk doesn't become an actual security incident.

Just as important as authenticating users is the ability to de-authenticate them. Giving the user the capability to log out of the system is important to ensuring that another user will not be able to walk up to the unattended computer and reuse the authenticated sessions. Logout has to happen at the single sign-on server, not just in the application the user happens to be looking at; otherwise the other applications' sessions, and the ability to obtain new ones, survive the logout. Instructing users to log out of the single sign-on environment is an easy and effective way to ensure that a deployed single sign-on solution doesn't facilitate unauthorized access, theft, or destruction of data.
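The following is an added illustration, not code from the book or from any single sign-on product, of the behavior the preceding paragraphs describe: one login, a signed identity assertion issued per application (so the user is never re-prompted), an idle timeout and an absolute timeout enforced by the central server, and a logout that de-authenticates the user in every application at once. The HMAC-signed token is a stand-in for a Kerberos ticket or a PKI-based assertion; all class and function names, the shared key, the timeout values, and the user `alice` with her password are assumptions constructed for the example.

```python
"""Toy single sign-on server and two relying applications (constructed example)."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before the SSO session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session lifetime regardless of activity
ASSERTION_TTL = 60           # an issued assertion must be presented within a minute


class SSOServer:
    def __init__(self, key: bytes):
        self.key = key        # shared with the applications; stands in for Kerberos/PKI trust
        self.users = {}       # username -> (salt, PBKDF2 hash); constructed user store
        self.sessions = {}    # session id -> {"user", "issued", "last_seen"}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str, now: int):
        """The single authentication; returns a session id or None."""
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[1], self._hash(password, rec[0])):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "issued": now, "last_seen": now}
        return sid

    def is_active(self, sid: str, now: int) -> bool:
        """Central timeout check: idle and absolute limits both apply."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s["issued"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]  # expired sessions are dropped, not revived
            return False
        return True

    def assertion_for(self, sid: str, app: str, now: int):
        """Propagate the identity to one application without re-prompting the user."""
        if not self.is_active(sid, now):
            return None
        s = self.sessions[sid]
        s["last_seen"] = now
        claims = {"sub": s["user"], "aud": app, "sid": sid, "exp": now + ASSERTION_TTL}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(sig).decode())

    def logout(self, sid: str) -> None:
        """De-authenticate everywhere: applications re-check is_active()."""
        self.sessions.pop(sid, None)


class Application:
    def __init__(self, name: str, sso: SSOServer, key: bytes):
        self.name, self.sso, self.key = name, sso, key
        self.local = {}  # sid -> user, established from a verified assertion

    def accept(self, token: str, now: int):
        """Verify signature, audience and expiry; returns the user or None."""
        try:
            p64, s64 = token.split(".")
            payload = base64.urlsafe_b64decode(p64)
            sig = base64.urlsafe_b64decode(s64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
        if claims["aud"] != self.name or claims["exp"] < now:
            return None
        self.local[claims["sid"]] = claims["sub"]
        return claims["sub"]

    def current_user(self, sid: str, now: int):
        """Honour central timeouts and logout on every request, not only at first contact."""
        if sid not in self.local or not self.sso.is_active(sid, now):
            self.local.pop(sid, None)
            return None
        return self.local[sid]


def walkthrough() -> dict:
    """One user, two applications; returns the observed outcomes for inspection."""
    key = secrets.token_bytes(32)
    sso = SSOServer(key)
    sso.register("alice", "correct horse battery staple")  # constructed credential
    hr, payroll = Application("hr", sso, key), Application("payroll", sso, key)
    t0 = 1_000_000
    out = {"bad_password": sso.login("alice", "wrong", t0)}
    sid = sso.login("alice", "correct horse battery staple", t0)
    tok_hr = sso.assertion_for(sid, "hr", t0)
    out["hr_accept"] = hr.accept(tok_hr, t0)
    out["wrong_audience"] = payroll.accept(tok_hr, t0)     # hr token is no good at payroll
    p64, s64 = tok_hr.split(".")
    forged = base64.urlsafe_b64encode(
        base64.urlsafe_b64decode(p64).replace(b'"alice"', b'"bob"')).decode() + "." + s64
    out["forged"] = hr.accept(forged, t0)                  # signature no longer matches
    tok_pay = sso.assertion_for(sid, "payroll", t0 + 5)
    out["payroll_accept"] = payroll.accept(tok_pay, t0 + 5)
    out["stale_assertion"] = payroll.accept(tok_pay, t0 + 5 + ASSERTION_TTL + 1)
    out["before_logout"] = hr.current_user(sid, t0 + 100)
    sso.logout(sid)
    out["after_logout"] = (hr.current_user(sid, t0 + 100), payroll.current_user(sid, t0 + 100))
    sid2 = sso.login("alice", "correct horse battery staple", t0 + 200)
    hr.accept(sso.assertion_for(sid2, "hr", t0 + 200), t0 + 200)
    out["idle_expired"] = hr.current_user(sid2, t0 + 200 + IDLE_TIMEOUT + 1)
    return out
```

The time is passed in explicitly so the walkthrough is deterministic; a real deployment would use the clock and would also bind each assertion to the client that requested it. Note that the applications consult the server on every request, which is what makes a single logout (or a single timeout) take effect everywhere at once.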

A centralized single sign-on server will also be a high-priority target. If this server is stolen or otherwise compromised, an attacker not only obtains sensitive and valuable information about the users but can also issue credentials for any user to any application, since every application trusts what the server asserts. Restricting who can reach the server, restricting what can be done on it once reached, and deploying it to meet high-availability requirements (because when it is down, nobody can log in anywhere) are the critical factors in an effective and successful single sign-on deployment.



Effective Oracle Database 10g Security by Design
ISBN: 0072231300
Year: 2003
Pages: 111