Single sign-on
Single sign-on (SSO) is a method that allows a user to authenticate only once in order to access several computer applications (or protected web sites).
Objectives
The objectives are several:
- to simplify password management for the user: the more passwords a user has to manage, the more likely they are to choose similar or easy-to-memorize passwords, which in turn lowers the level of security those passwords provide;
- to simplify the management of the personal data held by the various online services, by coordinating them through mechanisms such as a meta-directory;
- to simplify the definition and implementation of security policies.
There are three broad classes of approaches for implementing single sign-on systems: centralized approaches, federative approaches and cooperative approaches.
Structure
Centralized approaches
The basic principle here is to have a global, centralized database or directory of all users. This also makes it possible to centralize the management of the security policy. Examples of implementations are the free software LemonLDAP and the free software Vulture.
This approach is mainly intended for services that all depend on the same entity, for example within a company as part of its middleware management.
Federative approach
In this approach, of which the Liberty Alliance system is the principal example, each service manages part of a user's data (the user may therefore have several accounts) but shares the information it holds about the user with partner services.
This approach was developed to meet a need for decentralized user management, where each service wishes to retain control of its own security policy, for example a set of merchant sites that are independent of one another from a commercial and organizational point of view.
Cooperative approaches
The cooperative approach, of which Shibboleth and Central Authentication Service are the principal representatives, starts from the principle that each user depends on one of the partner entities. Thus, when seeking to access a service on the network, the user is authenticated by the partner on which they depend. As in the federative approach, however, each service on the network manages its own security policy independently.
This approach meets in particular the needs of institutional structures in which users depend on a single entity, such as universities, research laboratories, administrations, etc.
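What the three approaches above have in common is that an authority which has checked the user's credentials once vouches for that user to services that never see the password. The following Python example is added here for illustration; it is not code from the article or from LemonLDAP, Vulture, Liberty Alliance, Shibboleth or CAS. It models a centralized authority that authenticates a user once, then mints short-lived, signed tickets each bound to one service, while every service verifies the ticket itself and then applies its own policy, as the federative and cooperative approaches require. The user names, groups, shared key and ticket layout are constructed assumptions.

```python
"""Toy single sign-on: one authority, several services, one password check.
Added example; names, key and ticket format are illustrative assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SIGNING_KEY = b"example-shared-secret-change-me"  # assumption: shared by authority and services
TICKET_LIFETIME = 300                             # seconds a service ticket stays valid

# Constructed user directory: the single central store of the centralized approach.
USER_DIRECTORY = {
    "alice": {"pw_hash": hashlib.sha256(b"alice-pw").hexdigest(), "groups": ["staff", "finance"]},
    "bob":   {"pw_hash": hashlib.sha256(b"bob-pw").hexdigest(),   "groups": ["staff"]},
}
SESSIONS: dict = {}  # authority-side sessions: session id -> user name

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest())

def login(user: str, password: str) -> Optional[str]:
    """Authority side: the single authentication. Returns a session id, or None on failure."""
    entry = USER_DIRECTORY.get(user)
    if entry is None:
        return None
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given, entry["pw_hash"]):
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    return sid

def issue_ticket(session_id: str, service: str, now: Optional[float] = None) -> Optional[str]:
    """Authority side: no password asked again; mint a signed ticket bound to one service."""
    user = SESSIONS.get(session_id)
    if user is None:
        return None
    issued = time.time() if now is None else now
    claims = {"sub": user, "aud": service, "exp": issued + TICKET_LIFETIME,
              "groups": USER_DIRECTORY[user]["groups"]}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _sign(payload)

def validate_ticket(ticket: str, expected_service: str, now: Optional[float] = None) -> Optional[dict]:
    """Service side: check signature, audience and expiry before trusting any claim."""
    try:
        payload_b64, sig = ticket.split(".", 1)
        payload = _unb64(payload_b64)
        claims = json.loads(payload)
        if not isinstance(claims, dict) or not hmac.compare_digest(_sign(payload), sig):
            return None  # malformed, forged or tampered
    except (ValueError, TypeError):
        return None
    if claims.get("aud") != expected_service:
        return None  # issued for another service: refuse cross-service replay
    current = time.time() if now is None else now
    if current >= float(claims.get("exp", 0)):
        return None  # expired
    return claims

# Each service keeps its own access policy, as in the federative and cooperative approaches.
def intranet_access(ticket: str, now: Optional[float] = None) -> bool:
    claims = validate_ticket(ticket, "intranet", now)
    return claims is not None and "staff" in claims["groups"]

def payroll_access(ticket: str, now: Optional[float] = None) -> bool:
    claims = validate_ticket(ticket, "payroll", now)
    return claims is not None and "finance" in claims["groups"]

def sso_demo() -> dict:
    """One password check per user, then tickets for several services, plus the failure cases."""
    t0 = 1_700_000_000.0
    alice = login("alice", "alice-pw")
    bob = login("bob", "bob-pw")
    a_intranet = issue_ticket(alice, "intranet", now=t0)
    a_payroll = issue_ticket(alice, "payroll", now=t0)
    b_payroll = issue_ticket(bob, "payroll", now=t0)
    # Tampering attempt: keep Bob's real signature but add the finance group to the claims.
    b_payload, b_sig = b_payroll.split(".", 1)
    forged = json.loads(_unb64(b_payload))
    forged["groups"].append("finance")
    forged_ticket = _b64(json.dumps(forged, sort_keys=True).encode()) + "." + b_sig
    return {
        "wrong_password": login("alice", "nope") is None,
        "alice_intranet": intranet_access(a_intranet, now=t0 + 1),
        "alice_payroll": payroll_access(a_payroll, now=t0 + 1),
        "bob_payroll_denied_by_policy": payroll_access(b_payroll, now=t0 + 1),
        "intranet_ticket_replayed_at_payroll": payroll_access(a_intranet, now=t0 + 1),
        "expired": intranet_access(a_intranet, now=t0 + TICKET_LIFETIME + 1),
        "forged_group": payroll_access(forged_ticket, now=t0 + 1),
    }

if __name__ == "__main__":
    for name, outcome in sso_demo().items():
        print(f"{name}: {outcome}")
```

The rejected cases are the checks a service must perform before trusting a ticket: a ticket for one service is refused by another, an expired ticket is refused, and a ticket whose claims were altered fails the signature check. Real protocols such as SAML express the same conditions as an audience restriction and a validity window on the assertion, and sign with a public-key signature rather than a secret shared with every service.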
Standards and tools for single sign-on
Various protocols have been proposed for exchanging authentication information securely, in particular for implementing single sign-on systems across a set of mutually independent sites:
- SAML, developed by the OASIS consortium, is an open protocol;
- WS-Federation, proposed by Microsoft, is a competing solution;
- NuFW, based on free software, makes it possible to set up a solution that is independent of the protocol.
See also
- LDAP
- Kerberos
- OpenID
- Central Authentication Service
- Shibboleth
- Liberty Alliance
- Windows Live ID
- NTLM
- SAML
- Strong authentication
- OpenSSO
- JOSSO
- ACEGI
External links
- Presentation on SSO by the VINTAGE
- A white paper by Evidian on the stakes, myths and realities of SSO
- Apache 2.x cookie authentication module with memcached