Single sign-on

Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.

There are at least five major types of SSO or reduced sign-on systems in common use at the time of this writing (2005):

  • Enterprise single sign-on (E-SSO)

    E-SSO, also called legacy single sign-on, after primary user authentication, intercepts login prompts presented by secondary applications, and automatically fills in fields such as a login ID or password. E-SSO systems allow for interoperability with applications that are unable to externalize user authentication, essentially through "screen scraping."

  • Web single sign-on (Web-SSO)

    Web-SSO, also called Web access management (Web-AM), works strictly with applications and resources accessed with a web browser. Access to web resources is intercepted, either using a web proxy server or by installing a component on each targeted web server. Unauthenticated users who attempt to access a resource are diverted to an authentication service, and returned only after a successful sign-on. Cookies are most often used to track user authentication state, and the Web-SSO infrastructure extracts user identification information from these cookies, passing it into each web resource.

  • Kerberos

    Kerberos is a popular mechanism for applications to externalize authentication entirely. Users sign into the Kerberos server, and are issued a ticket, which their client software presents to servers that they attempt to access. Kerberos is available on UNIX, Windows and mainframe platforms, but requires extensive modification of client/server application code, and is consequently not used by many legacy applications.

  • Federation

    This is a new approach, also for web applications, which uses standards-based protocols to enable one application to assert the identity of a user to another, thereby avoiding the need for redundant authentication. Standards to support federation include SAML and WS-Security.

  • OpenID

    This is a distributed and decentralized SSO process, where identity is tied to an easily-processed URL which can be verified by any server using the protocol.

SSO