Single Sign-On beyond the firewall

by Gavin Terrill on Nov 05, 2007

It seems like only yesterday that developers were coming to grips with implementing Single Sign-On (SSO) across the enterprise. Now, organizations are concerned with how they can extend that thinking beyond the corporate firewall. John Dunn wrote about the basic tenets of Federated Identity Management (FIM) in a recent Techworld article:

The first thing to say about FIM is that it is not really a technology as such – despite what some vendors will appear to claim - more a concept for understanding how technologies such as web services can be used to make possible a goal that has started to obsess forward-thinking IT die-hards: how can users at different organisations share or ‘federate’ data and conduct transactions using each other’s networks?

SAML (Security Assertion Markup Language) 2.0 is the standard endorsed by OASIS to facilitate SSO in FIM. John discusses three important SAML features that make it appropriate for FIM projects:

First, it requires no ongoing synchronisation, and sets up connections on the basis of a particular request at a particular moment in time. This makes it simple and auditable. Second, it allows the communication of privacy settings and manages sessions better once the person has logged out of a federated resource. Perhaps most critically, it is an abstraction layer that can unite otherwise different authentication systems from different vendors, something that has thus far tended to cause a mountain of problems for FIM projects.

John then discusses a checklist of issues for companies starting to investigate FIM. These include:

  • Ensuring your company has robust authentication in place. Your users will be accessing partner sites, and vice-versa.
  • Evaluating the security implications of employees accessing multiple systems
  • Compliance concerns
  • Determining who is responsible in the event of a failure

The vision of Federated Identity evokes exciting possibilities; however, John concludes the article with some sobering advice:

Longer term, it has the potential to transform even the humblest IT operation into something quite new. But as a concept, federation surely represents the future of networks, so that they become not as islands of digital power, but overlapping ‘networks of networks’. It is happening already. But it will force companies to re-examine their own security processes before they jump into its whirlpool of potential difficulties.

More InfoQ coverage of SAML is available here.
