The number of usernames and passwords we accumulate grows enormously every year, and each new account brings a new security dimension with it. From an organization's perspective, multiple accounts per user cause security problems as well as large storage and management overheads. As cloud infrastructures become more popular, these problems escalate. Single Sign-On (SSO) has therefore become a popular infrastructure for organizations today. Take Google: with one login you can access Gmail, Google Drive, YouTube, Google Calendar, Blogger and the other services it offers. The latest addition is Google Chrome's cool sync support, which lets you sync your bookmarks, extensions and even open pages using that same account.
Benefits of using SSO:
1. SSO reduces the password fatigue caused by entering many different username and password combinations.
2. It provides a centralized infrastructure for managing and storing account details, which in turn reduces IT-related costs.
3. It also reduces the cost of running IT help desks for lost passwords, and it gives users easier access to resources.
4. It makes security management much easier: there is a single security layer that is generalized across every service or application.
5. Tracking users and their access to resources becomes easier.
Several different single sign-on configurations exist:
- One-Time Password (OTP): OTP is one of the most secure ways to do Single Sign-On. Two-factor authentication using special OTP tokens is one of the best practices in the industry today.
- Kerberos-based SSO: Kerberos has ticket-granting servers. The initial sign-on grants you access to the Kerberos system; every other service is then accessed by requesting a ticket for that particular service.
- Security Assertion Markup Language (SAML): SAML is an XML-based solution for exchanging user security information between your organization and a service provider. It supports W3C XML Encryption and service-provider-initiated web single sign-on exchanges. In SAML-based Single Sign-On the user is called the subject. The identity provider is the party that provides the user's credentials, and the service provider trusts the identity provider's statements about the user when granting access to its services or resources.
More on SAML:
A message from an identity provider to a service provider is called a SAML assertion. The structure of a SAML assertion is defined by an XML schema specified in the OASIS SAML standard. It contains header information, the subject, the attributes of the subject (the statements about the subject) and conditions. On login, the identity provider sends a certificate to the service provider. This certificate is proof that the data entered by the user is valid, and based on it the service provider grants the user access to the service. The certificate usually contains the signature of the identity provider together with the other attributes that the service provider decided on when the Single Sign-On feature was set up. Force.com uses SAML for Single Sign-On. It is a very modular way to implement SSO.