Enterprise Single Sign-On - Part 1, Starting point
Single sign-on (SSO) is a method of access control that enables a user to authenticate once and gain access to the resources of multiple software systems. [Wikipedia]
As the definition shows, the method operates at the authentication level, not at the authorization level, which is a completely separate concern.
The most basic, and therefore most common, setting is one of the following:
- a homogeneous IT infrastructure
- a single user entity authentication scheme exists
- a user database is centralized
In short, wherever user credentials are stored in an LDAP directory, like Active Directory, or in a relational database, like the ASP.NET Membership provider database, and used for both authentication and authorization, single sign-on has in effect been achieved organization-wide.
One of the most common examples of SSO in e-commerce is Amazon and PayPal, which in both cases centralize consumer financial information on "one" server, not only for the consumer's convenience but also to offer increased security by limiting the number of times credit card numbers or other sensitive information must be entered.
Thus, single sign-on (SSO) is a method by which, with a single action, the user obtains for his current session the authentication and the authorization access permission to all computers and systems where he has access permission, without having to present the authentication token multiple times.
Enterprise single sign-on (E-SSO / ENTSSO) systems are designed to minimize the number of times that a user must type their ID and password to sign into multiple applications. The E-SSO solution automatically logs users in, and acts as a password filler where automatic login is not possible. Each client is typically given a token that handles the authentication, on other E-SSO solutions each client has E-SSO software stored on their computer to handle the authentication. On the server side is usually an E-SSO authentication server that is implemented into the enterprise network. [Wikipedia]
Enterprise single sign-on (E-SSO / ENTSSO) is one of the current quests of the major companies. One is Microsoft with its Live ID, which is part of Windows Live, and the other is Google within its own realm. The concept of SSO is quite useful in large companies, which usually have heterogeneous systems. This is one of the main reasons that BizTalk 2004 has a built-in system which supports SSO out of the box. Not only that, but SharePoint 2003 was one of the better-known Microsoft applications which supported SSO out of the box (there were others, but this one was among the most widely known at the time).
Microsoft has decided that it's about time to integrate two products / technologies together: Windows Live ID adds Beta support for Information Cards with Windows CardSpace! The last time I checked, the release was due this November, but since even the Visual Studio release date has moved to the beginning of 2008, I guess this one has slipped as well.
There are already sample implementations integrating CardSpace (which now has a new blog at MSDN, the Windows CardSpace Team Blog) with ASP.NET membership providers:
- one created by Mike Jones, released by Microsoft as the CardSpace HTML & ASP.NET 2.0 Kits
- and the other done by Dominick Baier, the ASP.NET CardSpace Control
The benefits of CardSpace are well known from the previous post Can CardSpace be Federated? Yes, using WS-Federation. Benefits? Yes, SSO, which is possible thanks to the use of:
- Federation is a new approach, also for web applications, which uses standards-based protocols to enable one application to assert the identity of a user to another, thereby avoiding the need for redundant authentication. Standards to support federation include SAML and WS-Federation . [Wikipedia-Single Sign-On]
- SAML: Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains, that is, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee. [Wikipedia-Single Sign-On]
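As an added illustration of the two points above (that SSO handles authentication while authorization stays with each application, and that federation lets one party assert a user's identity to another), here is a minimal signed-assertion exchange in Python. This is not code from the original post or from any product it mentions; the pre-shared key, user names and role tables are constructed, and the plain HMAC scheme stands in for SAML or WS-Federation.

```python
import hmac, hashlib, json, base64, time

# Constructed example: an identity provider (IdP) issues one signed
# assertion, and two relying applications accept it for authentication
# while each still applies its own authorization. Key and names are
# hypothetical; the signature scheme is plain HMAC, not SAML/WS-Federation.
IDP_KEY = b"shared-secret-between-idp-and-apps"  # assumption: pre-shared key

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_assertion(user: str, audience: str, ttl: int = 300, now=None) -> str:
    """IdP side: the user authenticated once; assert that identity to one app."""
    now = now if now is not None else int(time.time())
    body = json.dumps({"sub": user, "aud": audience, "exp": now + ttl},
                      sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)

def verify_assertion(token: str, audience: str, now=None):
    """App side: authentication only; returns the subject name or None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None          # tampered or forged assertion
    claims = json.loads(body)
    now = now if now is not None else int(time.time())
    if claims["aud"] != audience or claims["exp"] <= now:
        return None          # replayed against another app, or expired
    return claims["sub"]

# Authorization stays local to each application (constructed sample data).
APP_ROLES = {
    "payroll": {"alice": {"view", "approve"}},
    "wiki": {"alice": {"view"}, "bob": {"view", "edit"}},
}

def authorize(app: str, token: str, action: str, now=None) -> bool:
    """Authenticate via the federated assertion, then check local permissions."""
    user = verify_assertion(token, app, now)
    if user is None:
        return False
    return action in APP_ROLES.get(app, {}).get(user, set())
```

The same user signs in once at the IdP, yet each application still decides on its own what that user may do, and an assertion minted for one audience is useless against another.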
There is also a new post from Vittorio Bertocci, WS-Trust with Chianti, which reassures us that Windows CardSpace will work without HTTPS too, thus simplifying the use of CardSpace.
On the other hand we have Live ID, which, by the way, has its own space.
On 15-Aug-2007 the Live ID team announced that the Windows Live ID Web Authentication SDK for Developers is released. It has its own Web Authentication software development kit (SDK) (also available from MSDN), which includes a QuickStart sample as documentation.
This adds Microsoft to the SSO solutions offered by the major internet companies.
For developers and architects, it would be worthwhile to develop an SSO wrapper for their own use that covers these worldwide SSO providers for their applications.
Does it all stop here? No way. According to Ani Babaian (XAML Chick) in Enterprise (E-SSO) with Mobile Devices:
Microsoft, Avaya, Sprint and Ping Identity came together to discuss E-SSO (Enterprise Single Sign-On) over mobile devices. In this panel each discussed the importance of having a mobile solution for identity. Frank Chang also demonstrated a scenario of what Microsoft might be looking at as a solution. This was a great panel with over 40 people present; it was one question after the next from the audience about how Avaya, Ping, Sprint and Microsoft would solve the mobile identity issue.
In many ways people wanted to know how the multiple devices and one identity problem would be solved. Which really was a great place for Windows CardSpace, but do Federated CardSpace Cards exist, Avaya asked Microsoft. The audience pointed out that the notion of being able to have one identity that can be used by many, and remoting identity, is a pain that we all really need to look at more closely.
But then came the question about enterprise. For most enterprises, they are the center of their own universe, is what Avaya said.
So how is all of this possible? Well, hopefully you've heard about the wonders of securely storing configuration data in Enterprise Single Sign-On Server (Ent SSO), but there has never been an easy, convenient way to load SSO with your data. Richard Seroter tackled this issue and came up with his very own SSO Data Storage Tool.
Get it here: http://seroter.wordpress.com/2007/09/21/biztalk-sso-configuration-data-storage-tool/
Hopefully the next article will shed some light on smart cards in SSO.
By the way, here's a nice article on Live.com development: The Windows Live SDK and Passport Opens Up