Single sign-on (SSO)
SSO means having ONE primary login that gives transparent access to all protected resources (of the same or a lower protection level) without subsequent logons.
Types of SSO:
- Enterprise SSO
- Web SSO
- Federated SSO
• Enterprise SSO
Enterprise SSO is designed to provide single sign-on to practically all the applications an end user would need. This includes web apps, Windows executables (thick clients), Java apps and mainframe apps.
It works by capturing the user ID and password for the application when the user logs in. The next time the application is launched, the Enterprise SSO (ESSO) client detects it and automatically enters the credentials on the user's behalf, logging them in.
ESSO does not really authenticate the user to the application – it simply automates credential submission.
Typically, Enterprise SSO systems provide a protected password store, and a client application automatically supplies the stored credentials to applications when they are requested.
The user credentials can be managed from a centralized SSO server whose main function is to distribute and synchronize credentials with the local agent store. Whenever a user tries to access an application, the SSO agent on the desktop retrieves the credentials based on the user profile and populates the application's login screen with them.
• Federated SSO
Federated SSO is targeted at both employees and business partners but, like Web SSO, is limited to browser-based technology. In a federated SSO environment a user obtains single sign-on not only to internal web applications but also to the applications of business partners, by presenting identity assertions (declarations) using a protocol such as SAML. The remote system then validates the assertion and grants access if the assertion is trusted.
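The assertion validation step described above, as an added example that is not part of the original text: a simplified relying-party check in Python covering issuer trust, signature, audience restriction, validity window and replay. The HMAC-signed JSON format, the issuer URL, the audience and the shared key are constructed stand-ins for a SAML XML-signed assertion, not SAML itself.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration: issuer entity ID -> shared signing key.
# Real SAML uses the issuer's X.509 certificate; HMAC keeps the example self-contained.
TRUSTED_ISSUERS = {"https://idp.partner.example": b"constructed-shared-secret"}
MY_AUDIENCE = "https://sp.example/app"   # constructed: this service provider's entity ID
REQUIRED = {"iss", "sub", "aud", "id", "nbf", "exp"}
_seen_ids = set()                        # assertion IDs already accepted (replay defence)

def sign_assertion(issuer, claims):
    """Issuer side: serialize the claims and append an HMAC tag (constructed format)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(TRUSTED_ISSUERS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def validate_assertion(token, now=None, skew=60):
    """Relying-party side: returns (True, subject) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if not isinstance(claims, dict) or not REQUIRED <= set(claims):
        return False, "missing claims"
    key = TRUSTED_ISSUERS.get(claims["iss"])
    if key is None:                       # only assertions from known partners count
        return False, "untrusted issuer"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False, "bad signature"
    if claims["aud"] != MY_AUDIENCE:      # assertion issued for another service
        return False, "wrong audience"
    if not (claims["nbf"] - skew <= now <= claims["exp"] + skew):
        return False, "outside validity window"
    if claims["id"] in _seen_ids:         # each assertion may be consumed once
        return False, "replayed"
    _seen_ids.add(claims["id"])
    return True, claims["sub"]
```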
• Web SSO
It provides SSO capabilities to a wider user base: employees, business partners and customers accessing the applications.
It is a browser-based mechanism, with single sign-on to applications deployed on web servers (domain).
The drawback is that the solution is limited to web-based applications.
It can be deployed in two types of configuration, agent-based and proxy-based: agent-based configuration is typically used for distributed access management, and proxy-based configuration for centralized access management.
Agent-based configuration: in the agent-based approach to managing access to web-based applications and resources:
- Agent based configuration is typically used for distributed access management
- An agent is installed on a web or application server. The agent enforces access control on the local server by mediating all HTTP/HTTPS traffic and granting access to resources on that server.
- The agents provide a local policy enforcement point on each server and can be tightly integrated with the applications running on that local server. This distributed model allows for fine-grained access control and personalization in the protected applications.
- The agent-based deployment is better suited for heterogeneous environments with multiple application platforms and/or a wide variety of user types.
- It is also easier to delegate policy and user administration in a large, complex enterprise with multiple applications.
Proxy-based configuration: in the proxy-based approach to managing access to web-based applications and resources:
- Proxy based configuration is typically used for centralized access management.
- A server configured as a reverse proxy acts as a gateway for all user requests to various backend servers.
- User requests are routed to backend servers through a set of configurable proxy rules.
- It is easier to administer because it is a single control point for all backend applications.
- This centralized access control model is typically used in applications that have a single entry point for a relatively homogeneous user group (e.g., a consumer portal).
An SSO agent can be configured on a reverse proxy placed between the user and all the web applications. This agent intercepts every access request and performs authentication with the help of an SSO server that uses a centralized credential store.