Single sign-on
Single sign-on ( SSO , sometimes also translated as " single sign-on ") means that after a one-time authentication at a workstation , a user can access all computers and services for which he is locally authorized ( authorized ) from the same workstation. without having to log in to the individual services each time. If the user changes his workplace, authentication and local authorization are no longer necessary.
For the user, this option has certain advantages, especially with portals . Within portals, it is also possible for the identity of the logged-in user to be passed on to the layers that constitute the portal without this having been made known to the view of the user himself.
An SSO system is based on the fact that a user always has exactly one single physical identity (which is copied from the real world). Within a system, however, the user can be saved as an individual under different user names (logical identity). These are merged and linked in the SSO system - it is therefore impossible to appear under a pseudonym (without disclosing the other user IDs).
The aim of single sign-on is that the user only has to identify himself once with the help of a single authentication process (e.g. by entering a password ). The SSO mechanism then takes over the task of authenticating the user (confirming the recognized identity). The use of SSO is prohibited if a user acts on behalf of different people who should not be linked to one another.
Another requirement for single sign-on is that it must not be weaker than the authentication process itself.
Advantages and disadvantages of single sign-on
General restriction for mobile work
- If the user changes workstation while working on the move, he or she has to log on to the next workstation anyway.
- If the user leaves the workplace while working on the move, he is usually separated from the accesses already gained by a time limit. In order to avoid this during pauses in action, the time limits are usually quite generous. The inevitable result is that unattended workstations give unauthorized third parties sufficient time and opportunity to continue to use unauthorized access that has already been granted to the authorized user.
advantages
- Time savings, as only a single authentication is required to access all systems
- Increased security, as the password only has to be transmitted once
- Security gain, since the user only has to remember one instead of a large number of mostly insecure passwords, so this one password can be chosen in a complex and secure manner
- Phishing attacks are made more difficult because users only have to enter their username and password in one place and no longer in numerous, scattered places. This one point can be checked more easily for correctness (URL, SSL server certificate, etc.)
- Awareness is created where you can enter your username and password with a clear conscience. Users of a single sign-on system are more likely to be tempted to trust unfamiliar sites with their (possibly multiple) password.
disadvantage
- The availability of the service depends not only on its own availability, but also on the availability of the single sign-on system.
- If an equivalent sign-off solution is not defined, access remains open until a "time-out" period is exceeded.
Possible solutions
Media solution
The user uses an electronic token that contains the entire password information or at least one authentication factor and automatically transfers this to the workplace:
- electronic key display with manual keyboard entry
- electronic key with contact transfer ( USB , 1wire etc.)
- wireless key ( bluetooth token - mobile phone or other device with bluetooth function)
Portal solution
The user can log into a portal for the first time, where he is authenticated and authorized across the board. This means that it is given a feature that uniquely identifies it to the applications integrated within the portal. In the case of portals based on web protocols, this can be done, for example, in the form of an HTTP cookie . On the portal, the user then has access to several web applications that he no longer needs to log in to separately. Examples are Yahoo or MSN ( Passport ).
Ticketing system
Alternatively, a network of trustworthy services can be set up. The services have a common identification for one user that they exchange with each other, or a virtual ticket is assigned to the logged-in user. The first login takes place on a system from this “Circle of Trust”, access to the other trustworthy systems is made possible by the system addressed first. Examples are Kerberos and the Liberty Alliance Project .
Local solution
Users can also install a client on their regularly used workstation , which automatically fills in the login masks that appear immediately with the correct username and password. This weakens the authentication as long as no further factors are queried.
To do this, the mask must have been trained or defined beforehand. When training the mask, it must be ensured that it is assigned unequivocally. It must be ensured that a counterfeit or similar mask is not used incorrectly, otherwise sensitive login data could be "tapped" in this way. Today, this unambiguous recognition is often implemented using additional features such as call paths, creation date of a mask, etc., which make it difficult to forge a mask.
The usernames and passwords can be used as factors
- in an encrypted file locally on the PC,
- on a chip card ,
- or on single sign-on applications or on single sign-on servers in the network
be kept. It is also possible to transfer this data to a directory service or a database . Examples are the “ password managers ” integrated in many modern browsers , Microsoft's Identity Metasystem, and many commercial products. This approach is mostly followed for company or organization-internal single sign-on solutions, since proprietary applications often cannot be used with ticketing or portal solutions.
PKI
A public key infrastructure can only be viewed in a certain sense as a single sign-on system; a PKI represents the basis for authentication for all PKI-enabled applications. This means that the one-time login process, the actual single sign-on, not covered, but the digital certificate is the common feature for authentication in different places. The same certificate is often used for primary authentication for ticketing or local SSO solutions.
See also
- Single sign-out
- superordinate: identity management , password management
- Registration services
- Liberty Alliance Project (decentralized solution for a business initiative; ended in 2009)
- Shibboleth (Internet) (decentralized solution)
- OpenID , decentralized protocol in information technology
- Security Assertion Markup Language , single sign-on protocol for web services
- Kerberos , distributed authentication service (network protocol)
- IDpendant Single Sign On , supports many types of authentication, enables multi-user and session forwarding
- Central Authentication Service (CAS) , a servlet-based SSO solution for web applications
- Lightweight Third-Party Authentication (LTPA) is used in the IBM Websphere and Lotus Domino products.
Individual evidence
- ^ Jens Fromm: No Government . In: Mike Weber (Ed.): ÖFIT trend show: Public information technology in the digitized society . Competence Center Public IT, Berlin 2016, ISBN 978-3-9816025-2-4 ( oeffigung-it.de [accessed on October 12, 2016]).
- ↑ http://msdn.microsoft.com/de-de/security/aa570351.aspx