BT

Single Sign-On beyond the firewall

by Gavin Terrill on Nov 05, 2007 |

It seems like only yesterday that developers were coming to grips with implementing Single Sign-On (SSO) across the enterprise. Now, organizations are concerned with how they can extend that thinking to beyond the corporate firewall. John Dunn wrote about the basic tenants of Federated Identity Management (FIM) in a recent Techworld article:

The first thing to say about FIM is that it is not really a technology as such – despite what some vendors will appear to claim - more a concept for understanding how technologies such as web services can be used to make possible a goal that has started to obsess forward-thinking IT die-hards: how can users at different organisations share or ‘federate’ data and conduct transactions using each other’s networks?

SAML (Security Assertion Markup Language) 2.0 is the standard endorsed by OASIS to facilitate SSO in FIM. John discusses three important SAML features that make it appropriate for FIM projects:

First, it requires no ongoing synchronisation, and sets up connections on the basis of a particular request at a particular moment in time. This makes it simple and auditable. Second, it allows the communication of privacy settings and manages sessions better once the person has logged out of a federated resource. Perhaps most critically, it is an abstraction layer that can unite otherwise different authentication systems from different vendors, something that has thus far tended to cause a mountain of problems for FIM projects.

John then discusses a checklist of issues for companies starting to investigate FIM. These include:

  • Ensuring your company has robust authentication in place. Your users will be accessing partner sites, and vice-versa.
  • Evaluating the security implications of employees accessing multiple systems
  • Compliance concerns
  • Determining who is responsible in the event of a failure

The vision of Federated Identity invokes exciting possibilities, however John concludes the article with some sobering advice:

Longer term, it has the potential to transform even the humblest IT operation into something quite new. But as a concept, federation surely represents the future of networks, so that they become not as islands of digital power, but overlapping ‘networks of networks’. It is happening already. But it will force companies to re-examine their own security processes before they jump into its whirlpool of potential difficulties.

More InfoQ coverage of SAML is available here.

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Educational Content

General Feedback
Bugs
Advertising
Editorial
InfoQ.com and all content copyright © 2006-2014 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.
Privacy policy
BT