Gourt Home::Gourt :: Single sign-on
Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.
There are at least five major types of SSO or reduced sign-on systems in common use at the time of this writing (2005):
- CoSign, an open-source project originally designed to provide the University of Michigan with a secure single sign-on web authentication system. CoSign authenticates users on the web server and then provides an environment variable for the users' name. When the users access a part of the site that requires authentication, the presence of that variable allows access without having to sign-on again. Cosign is part of the National Science Foundation Middleware Initiative (NMI) software release.
- Enterprise single sign-on (E-SSO), also called legacy single sign-on, after primary user authentication, intercepts login prompts presented by secondary applications, and automatically fills in fields such as a login ID or password. E-SSO systems allow for interoperability with applications that are unable to externalize user authentication, essentially through "screen scraping."
- Web single sign-on (Web-SSO), also called Web access management (Web-AM), works strictly with applications and resources accessed with a web browser. Access to web resources is intercepted, either using a web proxy server or by installing a component on each targeted web server. Unauthenticated users who attempt to access a resource are diverted to an authentication service, and returned only after a successful sign-on. Cookies are most often used to track user authentication state, and the Web-SSO infrastructure extracts user identification information from these cookies, passing it into each web resource.
- Kerberos is a popular mechanism for applications to externalize authentication entirely. Users sign into the Kerberos server, and are issued a ticket, which their client software presents to servers that they attempt to access. Kerberos is available on Unix, Windows and mainframe platforms, but requires extensive modification of client/server application code, and is consequently not used by many legacy applications.
- Federation is a new approach, also for web applications, which uses standards-based protocols to enable one application to assert the identity of a user to another, thereby avoiding the need for redundant authentication. Standards to support federation include SAML and WS-Federation *.
- Light-Weight Identity and OpenID, under the YADIS umbrella, offer distributed and decentralized SSO, where identity is tied to an easily-processed URL which can be verified by any server using one of the participating protocols.
The term enterprise reduced sign-on is preferred by some authors because they believe single sign-on to be a misnomer: "no one can achieve it without an homogeneous IT infrastructure"*.
See also
- Central Authentication Service
- Enterprise single sign-on
- Global Login System
- Identity management
- Kerberos
- Liberty Alliance
- Microsoft Passport
- NTLM
- SAML
- Shibboleth (Internet2)
- Light-Weight Identity
External links
- SSO for PHP
- E-SSO, pw reset, pw synchronization
- ActivIdentity's SecureLogin Single Sign-On
- i-Sprint's AccessMatrix Universal Sign On
- CoSign project page
- Cafésoft Cams Web Single Sign-On
- Passlogix v-GO Sign-On Platform
Single Sign-On | Single Sign-On | Authentification unique | SSO | SSO | 单点登录
"Single sign-on"