HP IceWall SSO is a joint development product of HP Japan and SCC, Ltd.
(Last Update : 2007.02.21)
Single Sign-On technology is already in use all around us. Microsoft Windows domain authentication and UNIX-based Kerberos are both examples.
With Kerberos, once you log in to the domain, you do not need to log in again to access other server resources in the same domain, which is a form of Single Sign-On.
Single Sign-On solutions for the Web have gained the most attention within the Single Sign-On field. There are four main reasons for this, which are explained in more detail below.
The Four Factors
1. Security
Authentication technologies were originally developed one by one, as part of the function of each enterprise application.
With the increased sophistication of today's security attacks, however, this function is seen as too critical to leave in the hands of application developers alone.

2. Compliance
With the implementation of the Personal Information Protection Act and the expected enactment of a Japanese SOX Act, it is increasingly critical that companies protect personal and confidential data from theft and tampering by integrating the management of key information such as who is allowed to access which applications (access management) and who has accessed which content (auditing).

3. Explosive growth in Web applications and users
In the pursuit of improved usability and shorter development times, many applications, including host computer applications, are making the move to the Web.
As more convenient and sophisticated services become available on the Web, the number of Web applications requiring authentication, and the number of users accessing them, is growing dramatically. At the same time, this is also creating new problems:
- Applications that are actually less convenient to use, due to increased user authentication requirements.
- Poorer security as systems become more complex.
- Ballooning user numbers.
- Growing system complexity and massive user management costs.

4. Problems associated with the increased virtualization of companies and services
Recent years have seen a growing trend across all industries for companies to use more contract workers, form more alliances with partner companies, create more partnerships and subsidiaries, and make greater use of outsourcing. All of these contribute to the blurring of the line between "internal" and "external" corporate functions.
This change in the shape of the enterprise means that what looks like a single company or service from the outside may actually be a virtual organization or service involving people from a wide variety of companies.
This is why Web Single Sign-On is gaining attention as the way to solve the difficult problem of delivering both "a safe environment" and "convenient and effective business solutions".

Web Single Sign-On solutions enable consolidated management of security (authentication, authorization, access control, and audit trails) and private information, while delivering greater business efficiency and end user convenience.
Using Web Single Sign-On as the foundation of an authentication platform can deliver the following benefits:
- The "Four A's" of access control required for legal compliance (Authentication, Authorization, Administration, and Auditing) can be delivered in an integrated environment.
- Overall improvement in system security.
- Improvements in business efficiency and convenience (Single Sign-On).
- Cost reductions:
  - Reduction in enterprise application development costs (authentication functions do not need to be built into each application).
  - Reduction in operational costs through more efficient operations (integrated management of user IDs and access permissions).
Agent Type
Agent type SSO is designed with the SSO module built into the Web server itself (Figure 2).
Requests are received directly by the Web server, which asks the SSO module to check the user's login status and access permission with the authentication server; the result is returned to the Web server that received the request. The Web server then either delivers the requested content or displays an error page.
Because the Web server itself is visible to the client, no firewall function is provided. Also, the fact that the content is held by the Web server itself makes this type significantly different from the reverse proxy type.
The product you choose will determine which of the above two types you use (some products offer both). Because each type has its strengths and weaknesses, you should choose the one best suited to your particular objectives.
The relative advantages and disadvantages of each type are listed below.
Agent type
- Advantages:
  - Fewer bottlenecks when accessed from a browser, resulting in better performance.
- Disadvantages:
  - The agent module (plug-in) needs to be installed on every Web server, creating more work.
  - Some agent modules may not work with certain types of Web servers.

Reverse proxy type
- Advantages:
  - No restrictions on the type of platform (Web server).
  - Nothing needs to be changed on the backend Web server.
  - More secure, because the backend Web server cannot be accessed directly by the client.
- Disadvantages:
  - All browser access must be routed through the SSO server, resulting in high loads on the SSO server.
Single Sign-On for non-Web systems is achieved either through normal customization or in combination with the client distribution method described below.
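The difference between the two deployment types, as an added example that is not part of the original page and not IceWall's own code: a small in-memory model in which the same authentication server serves both an agent-type content server (the check runs inside the server the client reaches) and a reverse-proxy-type gateway (the backend has no check of its own and is only called after the gateway's check passes). The class names, the `sso_session` cookie, the `X-Remote-User` header, the sample users and the path-prefix access-control list are all constructed for illustration; no network is involved.

```python
"""Toy model of agent-type and reverse-proxy-type Web SSO (constructed example;
class names, cookie/header names and all sample data are assumptions)."""
from dataclasses import dataclass, field
import secrets

SESSION_COOKIE = "sso_session"  # assumed cookie name carrying the SSO session id
ERROR_PAGES = {401: "login required", 403: "access denied"}


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


class AuthServer:
    """SSO authentication server: issues sessions at login and answers
    'is this session valid, and may its user see this path?'."""

    def __init__(self):
        # Constructed sample credentials and ACL (path prefix -> users allowed).
        self._users = {"alice": "alice-pw", "bob": "bob-pw"}
        self._acl = {"/hr/": {"alice"}, "/public/": {"alice", "bob"}}
        self._sessions = {}  # session id -> user id

    def login(self, user, password):
        """Return a fresh session id on success, None on bad credentials."""
        expected = self._users.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = user
        return sid

    def check(self, sid, path):
        """Return (status, user): 401 for a missing/unknown session, 403 when the
        ACL does not allow the user (deny by default), 200 when permitted."""
        user = self._sessions.get(sid)
        if user is None:
            return 401, None
        for prefix, allowed in self._acl.items():
            if path.startswith(prefix):
                return (200 if user in allowed else 403), user
        return 403, user


def serve(content, path):
    """Content lookup shared by both content servers below."""
    body = content.get(path)
    return Response(200, body) if body is not None else Response(404, "not found")


class AgentWebServer:
    """Agent type: the SSO module runs inside the content server itself, so the
    client reaches this server directly and the check happens here, per request."""

    def __init__(self, auth, content):
        self.auth, self.content = auth, content

    def handle(self, req):
        status, _user = self.auth.check(req.cookies.get(SESSION_COOKIE), req.path)
        if status != 200:
            return Response(status, ERROR_PAGES[status])
        return serve(self.content, req.path)


class BackendWebServer:
    """Plain content server with no SSO logic. It is safe only while clients
    cannot reach it except through the proxy, which is the page's 'more secure' point."""

    def __init__(self, content):
        self.content = content

    def handle(self, req):
        return serve(self.content, req.path)


class ReverseProxySSO:
    """Reverse proxy type: every browser request passes through here, and the
    backend is called only after the session and ACL check succeed."""

    def __init__(self, auth, backend):
        self.auth, self.backend = auth, backend

    def handle(self, req):
        status, user = self.auth.check(req.cookies.get(SESSION_COOKIE), req.path)
        if status != 200:
            return Response(status, ERROR_PAGES[status])
        # Forward without the SSO cookie; pass the verified identity in an assumed header.
        return self.backend.handle(Request(req.path, headers={"X-Remote-User": user}))


def demo():
    """Send the same requests through both deployment types; returns status codes."""
    content = {"/hr/salary": "salary table", "/public/news": "company news"}
    auth = AuthServer()
    agent = AgentWebServer(auth, content)
    proxy = ReverseProxySSO(auth, BackendWebServer(content))
    sid = auth.login("bob", "bob-pw")
    return {
        "bad_login": auth.login("bob", "wrong-pw"),
        "anon_agent": agent.handle(Request("/public/news")).status,
        "anon_proxy": proxy.handle(Request("/public/news")).status,
        "bob_agent_public": agent.handle(Request("/public/news", {SESSION_COOKIE: sid})).status,
        "bob_proxy_public": proxy.handle(Request("/public/news", {SESSION_COOKIE: sid})).status,
        "bob_proxy_hr": proxy.handle(Request("/hr/salary", {SESSION_COOKIE: sid})).status,
        "bob_agent_missing": agent.handle(Request("/public/missing", {SESSION_COOKIE: sid})).status,
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Both paths give identical answers for the same session, which is the point of the comparison: the policy lives in `AuthServer.check` either way, and what differs is where the check is enforced. `BackendWebServer.handle` contains no check at all, so in the reverse proxy model the backend must be unreachable except via the proxy; in the agent model the content server enforces the check itself, but the module has to be present on every such server.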
Client Distribution Method
This method involves a module installed on the client side, which keeps the password and automatically performs authentication when the application is started.
The password can be kept either in the form of a token or on a management server.
While this method is mainly a convenience for the user and does not increase security, it can provide Single Sign-On for client-server applications without customization.