Ask three people in technology what they mean by single sign-on and you are likely to get three different answers. Single sign-on encompasses a variety of business problems. When discussing single sign-on solutions, it is important to make sure everyone is on the same page. Here is my list of key terms to help center the conversation.
Single logon: Multiple web sites/applications that use the same user id and password to gain access. For example, a web site may prompt you for your user id and password, but they will be the same as your Windows user id and password.
Seamless sign-on: Most people agree that this means not getting prompted repeatedly for a user id and password. Once you have logged into one site, you expect to be able to move to a different site without being prompted to log in again.
Federated Identity: This usually means that two or more sites, each one under the control of a separate company or organization, have worked out a way for users to log in to one site and then link to another site with seamless sign-on. Note that this doesn't necessarily require single logon. Users may use different user ids in the different organizations, but the solution will map between the ids.
Identity Provider (IDP): This is the system/web site where the user will be prompted for their user id and password. Before the user can participate in single sign-on, they need to log in somewhere; the Identity Provider is where they log in. Sometimes people refer to this as the Secure Token Service (STS).
Service Provider (SP): After the user logs in at the IDP, they may then click a link to another web site and expect to be seamlessly logged in. This web site is called a Service Provider (SP) or a Relying Party (RP).
Authentication: The act of proving who you are. The most common method is to enter a user id and password. Less common methods are to swipe a fingerprint reader or use a digital certificate.
Authorization: The act of deciding what you are allowed to do. After authentication, most web sites need to make a decision about what data you are authorized to access and what pages you are authorized to see. Most single sign-on technology does not address authorization (except OAuth).
SAML, WS-Federation, OpenID, OAuth, Kerberos: These are various technology standards that are used to provide single sign-on. They are generally not compatible with each other.
Identity Management: A broad term usually covering the creation and destruction of user ids, the provisioning of user ids onto computers and web sites, single sign-on, authentication and authorization. Many vendors sell complete identity management solutions that are comprehensive but often quite expensive both to purchase and to implement.
Provisioning: The act of getting a user id onto a system or web site. Removing the id is called de-provisioning. Successful provisioning is a prerequisite of most single sign-on solutions.
Auto-Provisioning: Provisioning a user "on the spot" when they first come into a system. Auto-provisioning commonly involves asking a first-time user for additional information such as e-mail address and phone number. Most single sign-on technology does not address auto-provisioning, but it is a complementary technology that can make managing users across multiple sites much easier.
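To make the Identity Provider / Service Provider split, federated id mapping and auto-provisioning concrete, here is a small Python model of the exchange. It is an added example, not code from the original post or from any product mentioned above. Everything in it is a constructed assumption: the organization names (idp.example.org, portal.partner.example), the user ids (alice at the IDP, a.smith at the SP) and the shared HMAC secret. Real SAML or WS-Federation deployments sign assertions with the IDP's private key and carry far richer metadata, but the shape of the checks the SP performs is the same.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed shared secret for this example only; a production IDP signs
# assertions with a private key so the SP never holds signing material.
SHARED_SECRET = b"example-shared-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _password_hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash standing in for whatever the IDP's user store does.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """The site where the user actually types a user id and password."""

    def __init__(self, issuer: str, secret: bytes):
        self.issuer = issuer
        self.secret = secret
        self.users = {}  # user id -> (salt, password hash); constructed data

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = (salt, _password_hash(password, salt))

    def authenticate(self, user_id: str, password: str) -> bool:
        if user_id not in self.users:
            return False
        salt, stored = self.users[user_id]
        return hmac.compare_digest(stored, _password_hash(password, salt))

    def issue_assertion(self, user_id: str, audience: str, ttl: int = 300, now=None) -> str:
        """Signed, audience-bound, time-limited statement: 'user_id logged in here'."""
        now = time.time() if now is None else now
        claims = {"iss": self.issuer, "sub": user_id, "aud": audience,
                  "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.secret, body.encode(), hashlib.sha256).digest())
        return body + "." + sig


class ServiceProvider:
    """A relying party: it never sees the password, only the IDP's assertion."""

    def __init__(self, name: str, trusted_issuer: str, secret: bytes, id_map: dict):
        self.name = name
        self.trusted_issuer = trusted_issuer
        self.secret = secret
        self.id_map = id_map      # federation: IDP user id -> local user id
        self.local_users = {}     # accounts created by auto-provisioning

    def verify_assertion(self, token: str, now=None) -> dict:
        now = time.time() if now is None else now
        body, _, sig = token.partition(".")
        expected = _b64(hmac.new(self.secret, body.encode(), hashlib.sha256).digest())
        # Verify the signature before trusting anything inside the body.
        if not sig or not hmac.compare_digest(sig, expected):
            raise ValueError("assertion signature invalid")
        claims = json.loads(_unb64(body))
        if claims.get("iss") != self.trusted_issuer:
            raise ValueError("assertion from an untrusted issuer")
        if claims.get("aud") != self.name:
            raise ValueError("assertion was issued for a different service provider")
        if now >= claims.get("exp", 0):
            raise ValueError("assertion expired")
        return claims

    def seamless_sign_on(self, token: str, now=None, profile=None) -> str:
        """Returns the local user id; auto-provisions the account on first visit."""
        claims = self.verify_assertion(token, now)
        local_id = self.id_map.get(claims["sub"], claims["sub"])
        if local_id not in self.local_users:
            if profile is None:
                raise LookupError("first visit: auto-provisioning needs profile information")
            self.local_users[local_id] = dict(profile, federated_id=claims["sub"])
        return local_id


def build_demo():
    """Constructed IDP (one organization) and SP (a partner) that trust each other."""
    idp = IdentityProvider("idp.example.org", SHARED_SECRET)
    idp.add_user("alice", "correct horse battery staple")
    sp = ServiceProvider("portal.partner.example", "idp.example.org", SHARED_SECRET,
                         id_map={"alice": "a.smith"})
    return idp, sp


if __name__ == "__main__":
    idp, sp = build_demo()
    assert idp.authenticate("alice", "correct horse battery staple")
    token = idp.issue_assertion("alice", sp.name)
    print("first visit ->", sp.seamless_sign_on(token, profile={"email": "alice@example.org"}))
    print("second visit ->", sp.seamless_sign_on(token))
```

The order of checks in verify_assertion is the part worth copying: signature first, then issuer, then audience, then expiry. Binding the assertion to an audience is what stops a token minted for one Service Provider from being presented at another partner's site, and the short lifetime limits how long a leaked assertion stays useful.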
This list is really just the tip of the iceberg. But agreement on a few key terms can go a long way to preventing confusion when discussing SSO strategies and solutions.