AuthenticationWorld.com

The business of authentication

SSO Federation


SSO Federation has come of age in the last four years.  The emergence of widely adopted federation protocols such as Security Assertion Mark-up Language (SAML), Liberty Alliance, WS-Federation and Shibboleth has seen widespread enterprise adoption.  The adoption has been spurred on by the interoperability of these protocols with each other.

Therefore, today it is possible to federate identities and single sign on with some degree of technical ease.  This assumes that you have in place a single sign on system capable of supporting these protocols. 

Slowing down adoption has been the legal contracts that must be created before federated identities can be used.  Liberty Alliance has published guides to doing this.  As the years progress, the legal contract issues for each enterprise will lessen as enterprises adopt this in their existing contracts with customers, business partners, suppliers, vendors, contractors, consultants, temporary agencies and research partners.

Example of SSO Federation

Large enterprise with several separate business units

It is quite common to have several separate business units in a large enterprise, each running its own single sign on system.  It is quite easy, using a product like Ping, to quickly accept levels of trust for authentication from one business unit and pass the user on to applications and/or information managed by another business unit without requiring re-authentication and/or the need for additional ids and passwords.  This achieves single or reduced sign on for the user while reducing enterprise user management costs.  It requires little additional hardware and software and can be done quite quickly.

Between your enterprise and business partners or customers


Often times your enterprise will have many customers or business partners who are accessing one or many of your internal applications.  Depending on the degree of trust you have with these other enterprises, you can use federated authentication with them.

For example, Susan, a business partner's employee, logs on to the business partner's systems.  When she clicks on a link to an application in your enterprise, the business partner's single sign on system creates a security assertion and passes it to your enterprise.  Your enterprise's single sign on system then takes the assertion, reviews it, and if it is accepted grants Susan access to the application without requiring her to log on again.

This reduces your overall user management costs by not having to issue Susan an id and password.  It makes Susan's work life easier by not having to remember another id and password.

Further, the single sign on system can be used to require stronger authentication.  For example, Susan may be granted access to low risk applications.  However, when she clicks on a high risk application, the SSO system may require her to re-authenticate using a stronger authentication mechanism such as a digital certificate, security token, smart card, biometric or combinations thereof.

Between your enterprise and outsourced providers


It is quite common for enterprises today to have outsourced portions of their internal processes.  Examples include inventory management, benefits, 401k management, training, etc.

When your employee clicks on a link to one of these functions, say their benefits plan, your enterprise SSO system prepares a security assertion and sends it to your benefits supplier.  Their internal SSO system reviews the assertion and, if it is accepted, grants your employee immediate access to their information without having to log in using an id and password issued by the benefits supplier.

This provides your employees with ease of use.  It also reduces the benefits supplier's management costs in issuing ids and passwords.
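The two flows above (Susan's partner IdP asserting to your enterprise, and your enterprise asserting to the benefits supplier) are the same exchange seen from opposite ends: one party issues a signed assertion, the other decides whether to trust it before granting access. The following Python script is an added illustration, not code from this page or from any vendor product. It stands in for the relying party's review step: it checks the signature against a per-issuer key, the audience, and the validity window, and then applies the step-up rule from the Susan example, where a low-risk application accepts the partner's password login but a high-risk one requires stronger authentication. Real SAML assertions are XML signed with the issuer's X.509 key; the HMAC shared secret, the issuer URLs, the app risk tiers and the authentication-method ranking here are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret standing in for the partner IdP's signing key.
# In a real SAML deployment the relying party holds the IdP's public
# certificate instead of a shared secret.
PARTNER_SECRET = b"constructed-shared-secret-partner-idp"

# Trust configuration held by the relying party (the SSO system that receives
# assertions). Only issuers listed here are accepted. Hypothetical URLs.
TRUSTED_ISSUERS = {
    "https://idp.partner.example/": {"secret": PARTNER_SECRET},
}
AUDIENCE = "https://sso.yourenterprise.example/"   # this relying party's own id
ASSERTION_LIFETIME = 300                            # seconds an assertion is valid
CLOCK_SKEW = 60                                     # tolerated clock drift, seconds

# Authentication strength ranking (assumed) and the minimum each risk tier needs.
STRENGTH = {"password": 1, "token": 2, "certificate": 3}
REQUIRED_STRENGTH = {"low": 1, "high": 2}


def issue_assertion(issuer, subject, authn_method, secret, now=None):
    """Issuer side: build a signed assertion naming who authenticated, how,
    and for which relying party. Returns 'payload_b64.signature_b64'."""
    now = int(time.time()) if now is None else now
    body = {
        "issuer": issuer,
        "subject": subject,
        "audience": AUDIENCE,
        "authn_method": authn_method,
        "issued_at": now,
        "expires_at": now + ASSERTION_LIFETIME,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()


def verify_assertion(token, now=None):
    """Relying-party side: return the assertion body if it is trustworthy,
    otherwise raise ValueError with the reason."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.b64decode(payload_b64)
        sig = base64.b64decode(sig_b64)
        body = json.loads(payload)
    except Exception:
        raise ValueError("malformed assertion")
    # Look up the key by the claimed issuer; unknown issuers are never trusted.
    trust = TRUSTED_ISSUERS.get(body.get("issuer"))
    if trust is None:
        raise ValueError("untrusted issuer")
    # Verify the signature over the exact bytes that were signed.
    expected = hmac.new(trust["secret"], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    # An assertion meant for another relying party must not be accepted here.
    if body.get("audience") != AUDIENCE:
        raise ValueError("assertion not intended for this relying party")
    if not (body["issued_at"] - CLOCK_SKEW <= now <= body["expires_at"]):
        raise ValueError("assertion expired or not yet valid")
    return body


def authorize(token, app_risk, now=None):
    """Decide what to do when a federated user opens an application:
    'grant', 'step_up' (re-authenticate more strongly), or 'deny'."""
    try:
        body = verify_assertion(token, now)
    except ValueError:
        return "deny"
    have = STRENGTH.get(body["authn_method"], 0)
    need = REQUIRED_STRENGTH[app_risk]
    return "grant" if have >= need else "step_up"


if __name__ == "__main__":
    # Susan logs on at the partner with a password; the partner IdP asserts that.
    t = issue_assertion("https://idp.partner.example/", "susan", "password",
                        PARTNER_SECRET, now=1_000_000)
    print("low-risk app: ", authorize(t, "low", now=1_000_100))    # grant
    print("high-risk app:", authorize(t, "high", now=1_000_100))   # step_up
```

The benefits-supplier flow is the same code with the roles swapped: your enterprise calls the issuer function and the supplier keeps your SSO system in its trusted-issuer table with its own audience value. The three checks in the verify step (issuer key, audience, validity window) are what make an assertion from one relationship unusable in another.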

Ping Identity federation is an excellent product to use to quickly build federated authentication trust between disparate SSO and identity systems.  Other identity product vendors also have identity federation products in their product suites.

A more detailed discussion of federation protocols can be found in Authentication Federation.

