Read the book The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 148
Single Sign-On
Single sign-on (SSO) was the first outgrowth of the need to allow one user identity, with one set of authenticated credentials, to access multiple, disparate systems to meet organizational needs. SSO is almost taken for granted in the IT world—cloud-based service providers that do not support an SSO capability often find that they lack a competitive advantage without it. Critics observe, however, that if the authentication servers are not working properly (or aren't available), then the SSO request fails and the user can do nothing. This may prompt some organizations to ensure that each major business platform they depend on has its own sign-on capability, supported by a copy of the central authentication server and its repository. SSO implementations also require the SSO server to store the authenticated credentials internally and to reformat or repackage them to meet the differing needs of each platform or application. Because of this, SSO is sometimes called reduced sign-on.
SSO is an implementation of the federated identity concept, which centers on four basic services: authentication, authorization, user attribute exchange, and user management. Authentication and authorization are the same familiar access control concepts. User attribute exchange maps an authenticated and authorized user's identity into the attributes or parameters that meet the unique needs of the different platforms, servers, and applications in your systems. This aspect of a federated identity management system also reduces redundancy by keeping one central edition of user data (such as a user's first and last names).
Multiple implementations of SSO are possible, using a variety of protocols and supporting software, including:
Kerberos-based ticket granting ticket (TGT) systems
Active Directory (which must be hosted on at least one system running Microsoft Windows Server)
Smart card-based systems
Integrated Windows Authentication
SAML-based systems
A variety of protocols support SSO, such as OpenID Connect, Facebook Connect, SAML, and the Microsoft Account (which used to be known as Passport). A variety of frameworks can make implementing SSO for your organization less painful.