Think about your usual work day, where you invariably need to authenticate to various applications: logging in to your workstation, checking your mail, and so on. Each of these requires you to enter your login details before you are allowed access. It’s quite cumbersome, isn’t it? Single sign-on would be a great solution to this, in the sense that a single login takes you to all the applications you visit in a day at work. A proactive step beyond this would be implementing it in a cloud environment, where a user logs in once to the cloud and can access the entire system of applications without having to log in separately to each one.
In this blog we shall first discuss the generic implementation of Single Sign-On, aka SSO. Then we will take the concept forward by extending the use of SSO to a cloud environment.
Let’s start with: what is SSO?
Basically, SSO is a centralized access control mechanism used for multiple applications, which could be independent and may or may not be interrelated. User authentication is done only once, and further user requests to the multiple applications are handled seamlessly. Know more about SSO here.
An appropriate analogy to help you visualize this would be the iGoogle login, where a user who has logged in once can access multiple applications like Gmail, Google Docs and Orkut without having to log in to each individual application. Hasn’t this made our lives simpler?
Generic Implementation of SSO
There are various security mechanisms; Kerberos TGT, Smart Card, One Time Password (OTP) token and Integrated Windows Authentication are a few of them. We will not go into the implementation details of these security mechanisms, but in general the basic set of implementation considerations would include the following:
• SSO should know which applications it will be catering to, and accordingly which encryption/decryption keys it will use for handling the authentication requests from each of them.
• Using different keys across applications is recommended, as these keys are shared between the SSO system and the client applications; a leaked key then affects only the application it belongs to. Securing these keys is equally important, to make sure the credibility of the encryption mechanism is not compromised.
• SSO would manage a central user database which contains user roles along with the authentication parameters. These roles can be queried by the serving application to decide the user’s privileges/grants.
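To make the three considerations above concrete, here is a small added example (constructed for this post, not code from the original article or from any SSO product). It assumes a hypothetical SSO service that keeps a registry of the applications it serves, one distinct shared HMAC key per application, and a central user database holding salted password digests and roles; the token format (signed JSON with subject, audience, roles and expiry) is likewise an assumption made for illustration. The application side verifies a token only with its own key, so a token minted for one application is rejected by another.

```python
"""Minimal SSO token flow: one login, per-application signed tokens.

Constructed example code (not from the original post or any product).
Hypothetical assumptions: an application registry with one HMAC key per
app, a central user database with roles, and HMAC-SHA256-signed JSON tokens.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 300  # token lifetime in seconds (assumed value)


def _pwd_digest(salt: bytes, password: str) -> bytes:
    # Salted SHA-256 keeps the example short; a real deployment would use a
    # slow password hash such as bcrypt, scrypt or Argon2.
    return hashlib.sha256(salt + password.encode()).digest()


@dataclass
class UserRecord:
    salt: bytes
    digest: bytes
    roles: list


def make_user(password: str, roles) -> UserRecord:
    salt = secrets.token_bytes(16)
    return UserRecord(salt, _pwd_digest(salt, password), list(roles))


# Central user database: authentication parameters plus roles (constructed).
USER_DB = {
    "alice": make_user("correct horse", ["mail:user", "docs:editor"]),
    "bob": make_user("battery staple", ["mail:user"]),
}

# Application registry: a different shared key for every client application.
APP_KEYS = {"mail": secrets.token_bytes(32), "docs": secrets.token_bytes(32)}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SSOService:
    """Authenticates a user once, then mints tokens for registered apps."""

    def __init__(self, user_db, app_keys):
        self.user_db = user_db
        self.app_keys = app_keys
        self.sessions = {}  # session id -> username

    def login(self, username, password):
        """The single authentication step; returns a session id or None."""
        rec = self.user_db.get(username)
        if rec is None or not hmac.compare_digest(
            rec.digest, _pwd_digest(rec.salt, password)
        ):
            return None
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = username
        return sid

    def issue_token(self, session_id, app, now=None):
        """Mint a token for one registered app, signed with that app's key.
        Only the roles belonging to that app are included."""
        username = self.sessions.get(session_id)
        if username is None or app not in self.app_keys:
            return None
        now = time.time() if now is None else now
        payload = {
            "sub": username,
            "aud": app,
            "roles": [r for r in self.user_db[username].roles
                      if r.startswith(app + ":")],
            "exp": int(now) + TOKEN_TTL,
        }
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self.app_keys[app], body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)


def verify_token(app, key, token, now=None):
    """Application-side check: signature under this app's own key, then
    audience and expiry. Returns the payload, or None on any failure."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_text)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if payload.get("aud") != app or payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    sso = SSOService(USER_DB, APP_KEYS)
    sid = sso.login("alice", "correct horse")
    tok = sso.issue_token(sid, "mail")
    print(verify_token("mail", APP_KEYS["mail"], tok))  # accepted
    print(verify_token("docs", APP_KEYS["docs"], tok))  # None: wrong key/audience
```

The per-application key is what turns the second consideration into an enforceable property: the docs application cannot accept a mail token even if it wanted to, and a compromise of the mail key does not let anyone forge docs tokens. Roles travel with the token in this example; the third consideration is equally satisfied by having the serving application query the central database with the token’s subject instead.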
SSO Implementation in Cloud
Currently, there are two approaches available for using SSO in the Cloud:
1. Self-implementation of SSO adapters based on the APIs exposed by the Cloud Service Providers, which would include writing the code to integrate with the cloud applications.
2. Another, simpler approach would be to use the out-of-the-box SSO products available in the market, or to use SSO as a service (SaaS) from the Cloud itself.
Once in place, it would simplify things from the user’s perspective, as the user would have to log in only once, either on the machine or on a web portal depending on the design, and could then access various applications and resources seamlessly. By leveraging Single Sign-On capabilities, an organization can merge its IT infrastructure and the Cloud in a seamless manner and enable a user to access both the user’s desktop and any Cloud services via a single password.
Some of the benefits, to mention a few:
• Users get the convenience of a single user-id/password, which is easier to manage and remember.
• Saves user time by avoiding re-entering passwords while switching between applications.
• Stronger security, and easier for the system admin, as the management of user accounts is centralized.
• Helpful for the provisioning and de-provisioning of user accounts and passwords. If a new employee joins or leaves the organization, there is only one single account to activate or deactivate rather than multiple accounts to deal with.
• In addition to preventing security issues, there are significant cost savings to this approach. For example, Single Sign-On users are less likely to lose passwords, reducing the assistance required from IT helpdesks.
• Allows anywhere, anytime seamless access.
Benefits usually come with some tradeoffs, like:
• A security threat due to a password leak or misuse could affect multiple applications/resources.
• The SSO system should be Highly Available (HA), as its failure is critical for multiple applications.
We know that SSO is not a new concept, but it is now finding new horizons in connecting organizations to Cloud service providers like Google, Amazon and Oracle. It is an evolving concept with the potential to give users seamless access to their corporate applications along with email/social-network accounts, documents/files/photos and shared resources. Big organizations have been using SSO systems to manage internal applications/resources for a long time, but extending SSO to the cloud would be a major step ahead. Do write in with your views so that we can share this important information in an interactive manner.