Home > Ask the Information Security Experts > Questions & Answers > Traditional single sign-on (SSO) products versus federated identities
Ask The Security UK Expert: Questions & Answers
EMAIL THIS

Traditional single sign-on (SSO) products versus federated identities

Joel Dubin EXPERT RESPONSE FROM: Joel Dubin

Pose a Question
Other Security UK Categories
Meet all Security UK Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 02 September 2007
My company's employees need to access their employee benefit information on an external Web site. What are the advantages and disadvantages of using traditional single sign-on products, like RSA ClearTrust or SiteMinder, versus federated identities?

>
EXPERT RESPONSE
Single sign-on (SSO) and federated identity management seem very similar on the surface. And, in fact, a federated identity management system may use SSO for logon. But the similarity ends there.

SSO allows a single authentication credential--user ID and password, smart card, one-time password token or a biometric device--to access multiple or different systems within a single organization. A federated identity management system provides single access to multiple systems across different enterprises.

While SSO deployments can be involved and tricky, they are within a single company, which may already have a common IT architecture throughout the enterprise. Federated identity management deployment across organizations with different IT architectures, however, requires more work. A third party must then set a neutral standard that is accepted by all participants.

Because it requires agreement across various companies with disparate systems, federated identity management hasn't been widely accepted. The technology calls for member companies to agree, among other things, on a unified directory structure for housing authentication credentials--not an easy task, especially for competing companies in the same industry that might need to share a federated system.

There have been initiatives by Microsoft and IBM, as well as Liberty Alliance, OASIS and others, in developing federated identity management standards. But such systems are still tricky, at best, partly because the standards are still evolving, due to shifting alliances among the various players, and partly because the technology isn't mature enough for enterprise use.

Unless your company and the company hosting the external Web site are both part of the same federated identity management system, it would be best to stick with traditional SSO, which has an excellent track record and a long history of successful implementation.

It's also important, particularly with SSO, to make sure that there are adequate safeguards for authentication credentials, especially if employees will be accessing high risk data, such as employee benefit information. Remember, SSO is a great convenience, but it's also a single key to the store. If it's compromised, then everything it allows access to is also compromised.

Consider adding two-factor authentication, or some other strong authentication, to your SSO mix. This is another reason to implement SSO over federated identity management. Today's SSO systems are flexible and work well with two-factor authentication.

For more information:

  • In this expert Q&A, Joel Dubin discusses the federated identity managment basics.
  • Discover the dangers associated with turning off pre-boot authentication (PBA).


    • Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Authentication and Authorization
    Economic downturn raises risk of security breaches, insider fraud
    Brits accept biometrics to prevent rise in identity theft
    Setting up a remote access security policy
    Integrating biometric authentication with Active Directory
    Single sign-on implementation lets South Manchester doctors work more effectively
    Identity management still eludes most companies
    Smart card overcomes static PIN
    Understanding multifactor authentication features in IAM suites
    Bank security chief explains how to avoid internal threats
    Malware infections down 60% at UK firms

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    Chip and PIN  (SearchSecurityUK.com)
    UK Identity Cards Act  (SearchSecurityUK.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    SEARCH 
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts