Identity Management Solutions 101: Enterprise Single Sign-On
Posted by Ash Motiwala on Thu, Dec 11, 2008
So, you're an IT Manager and need the lowdown on a new buzzword in the realm of Identity Management, and you need it quick... You've come to the right place! This series is designed especially for you.
This entry is about Enterprise Single Sign-On. Enjoy!
If you need more details on this and other disciplines in the world of Identity Management, or you'd like to get some other folks from your staff to join in on the fun, you might be interested in an on-site Identity Management Workshop.
Alias: ESSO, Enterprise SSO, SSO

Function: To provide single sign-on capabilities to the entire organization for all types of applications, including client-server apps and applications accessed over a terminal emulator.

Misc. Facts:
- Healthcare institutions love ESSO, usually because physicians can't stand logging into 20 different applications every day.
- Implementation cycles are relatively short; you can usually roll out the solution and integrate 3-5 applications in under a month.
- Biometrics and other two-factor authentication forms are popular integration points, and can compensate for the security concerns associated with SSO.

Business Benefits:
- Happy users! Users sign on to the network in the morning, and never again (until the next morning).
- Believe it or not, some companies have analyzed how much time end users waste logging in and out of applications throughout a day, in order to build an ROI case for implementing this technology. Run the numbers, it may surprise you!
- Reduction in password-reset calls to the helpdesk.

Use Case:
- An end-user logs onto the network in the morning, clicks on an app, and gets automagically signed in! Clicks another app, the same.
- A user signs on to an application, which prompts the end user to change their password since 90 days have passed. The ESSO solution automates the password reset to a randomly generated password. The user never needs to know it since they are automatically signed in using the ESSO solution!

High Level Architecture: Each workstation has a client loaded on it that learns the sign-on behavior of various applications the first time a user authenticates to them. The authentication profile, along with the credentials, is then stored in a backend data store. The next time the user attempts to log on to an application, the ESSO agent recognizes the sign-on screen, populates the credentials and automates the sign-on process. Some architectures utilize an additional piece of middleware and store credential sets there, while others use a directory (AD, for example) to store all of their data.

Caveats:
- Each workstation requires an agent to be loaded on it for this solution to work, which could pose some challenges for access from non-managed machines.
- Solutions that do not use a "middleware" piece might require schema modifications to your Active Directory environment.
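To make the High Level Architecture and the password-change use case concrete, here is a toy model of the ESSO agent flow: learn a sign-on screen, recognize it later and populate the credential set, and rotate the password to a random one the user never sees. This is an added illustration, not code from the original post or any ESSO product; the names SignOnProfile, Vault, generate_password and rotate, and the sample credentials, are constructed for this example.

```python
# Constructed example (not the post's code): toy model of the ESSO agent flow.
import secrets
import string
from dataclasses import dataclass, field
SYMBOLS = "!@#$%^&*"

@dataclass
class SignOnProfile:
    app: str
    window_title: str    # how the agent recognizes the sign-on screen
    user_field: str      # id of the username control on that screen
    password_field: str  # id of the password control

@dataclass
class Vault:
    """Backend store (middleware or directory); a real one encrypts creds at rest."""
    profiles: dict = field(default_factory=dict)  # app -> SignOnProfile
    creds: dict = field(default_factory=dict)     # (user, app) -> (login, password)

    def learn(self, user, profile, login, password):  # first sign-on to the app
        self.profiles[profile.app] = profile
        self.creds[(user, profile.app)] = (login, password)

    def recognize(self, window_title):
        """Match a screen against learned profiles; None means not an ESSO app."""
        return next((p for p in self.profiles.values()
                     if p.window_title == window_title), None)

    def fill(self, user, window_title):
        """What the agent populates into the recognized screen: {control id: value}."""
        profile = self.recognize(window_title)
        if profile is None or (user, profile.app) not in self.creds:
            return None
        login, password = self.creds[(user, profile.app)]
        return {profile.user_field: login, profile.password_field: password}

def generate_password(length=20):
    """Random password containing every character class; the user never sees it."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

def rotate(vault, user, app):  # the app demands a new password after 90 days
    login = vault.creds[(user, app)][0]
    new = generate_password()
    vault.creds[(user, app)] = (login, new)
    return new
```

The caveat in the prose applies here too: everything the agent can type, the vault holds, so the store and the agent's access to it are what the deployment has to protect.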