What do you mean SSO?

Ask three people in technology what they mean by single sign-on and you are likely to get three different answers.  Single sign-on encompasses a variety of business problems.  When discussing single sign-on solutions, it is important to make sure everyone is on the same page.  Here is my list of key terms to help center the conversation.

Single logon:  Multiple web sites/applications that use the same user id and password to gain access.  For example, a web site may prompt you for your user id and password, but they will be the same as your Windows user id and password.

Seamless sign-on:  Most people agree that this means not getting prompted repeatedly for user id and password.  Once you have logged into one site, you expect to be able to move to a different site without being prompted again to login.

Federated Identity:  This usually means that two or more sites, each one under the control of a separate company or organization, have worked out a way for users to login to one site, and then link to another site with seamless sign-on.  Note that this doesn’t necessarily require single logon.  Users may use different user ids in the different organizations but the solutions will map between the ids.

Identity Provider (IDP):  This is the system/web-site where the user will be prompted for their user id and password.  Before the user can participate in single sign-on, they need to login somewhere.  The Identity Provider is where they log in.  Sometimes people refer to this as the Secure Token Service (STS).

Service Provider (SP):  After the user logs in at the IDP, they may then click a link to another web site and expect to be seamlessly logged in.  This web site is called a Service Provider (SP) or a Relying Party (RP).

Authentication:  The act of proving who you are.  The most common method is to enter a user id and password.  Less common methods are to swipe a fingerprint reader or use a digital certificate.

Authorization:  The act of deciding what you are allowed to do.  After authentication, most web sites need to make a decision about what data you are authorized to access and what pages you are authorized to see.  Most single sign-on technology does not address authorization (except OAuth).

SAML, WS-Federation, OpenID, OAuth, Kerberos:  These are various technology standards that are used to provide single sign-on.  They are generally not compatible with each other.

Identity Management:  A broad term usually covering the creation and destruction of user ids, the provisioning of user ids onto computers and web sites, single sign-on, authentication and authorization.  Many vendors sell complete identity management solutions that are comprehensive but often quite expensive both to purchase and implement.

Provisioning:  The act of getting a user id onto a system or web site.  Removing the id is called de-provisioning.  Successful provisioning is a prerequisite of most single sign-on solutions.

Auto-Provisioning:  Provisioning a user “on the spot” when they first come into a system.  Auto-provisioning commonly involves asking a first-time user for additional information such as e-mail and phone number.  Most single sign-on technology does not address auto-provisioning, but it is a complementary technology that can make managing users across multiple sites much easier.
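As an added illustration (not part of the original post), here is a constructed IDP/SP exchange that shows where the terms above sit: the IDP issues a signed assertion after the user authenticates there, the SP checks that assertion, maps the federated id to a local id or auto-provisions one, and only then makes a separate authorization decision. The shared HMAC secret, the issuer name `idp.example`, the audience `sp.example` and the user ids are all assumptions made up for the example.

```python
import base64, hashlib, hmac, json

# Constructed shared secret between IDP and SP. Real deployments use the
# IDP's signing certificate (public-key signature) rather than a shared key.
SHARED_SECRET = b"example-shared-secret"
IDP_NAME = "idp.example"

def idp_issue_assertion(user_id, audience, now, ttl=300):
    """IDP side: after the user proves who they are, issue a signed assertion."""
    claims = {"iss": IDP_NAME, "sub": user_id, "aud": audience,
              "iat": int(now), "exp": int(now) + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

# SP side: federated id mapping (IDP user id -> local id) and local accounts.
ID_MAP = {"alice@idp.example": "alice_local"}
LOCAL_ACCOUNTS = {"alice_local": {"role": "editor"}}

def sp_consume_assertion(token, expected_aud, now):
    """SP side: validate, map or auto-provision, return a local session or None."""
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                     # forged or tampered assertion
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("iss") != IDP_NAME or claims.get("aud") != expected_aud:
        return None                     # wrong IDP, or assertion meant for another SP
    if not claims.get("exp") or now >= claims["exp"]:
        return None                     # expired, e.g. an old assertion replayed
    idp_id = claims["sub"]
    local_id = ID_MAP.get(idp_id)
    if local_id is None:                # auto-provisioning on first visit
        local_id = idp_id.split("@")[0] + "_local"
        ID_MAP[idp_id] = local_id
        LOCAL_ACCOUNTS[local_id] = {"role": "viewer"}   # least-privilege default
    return {"user": local_id, "role": LOCAL_ACCOUNTS[local_id]["role"]}

def authorize(session, action):
    """Authorization is the SP's own decision, made after authentication."""
    return action == "read" or session["role"] == "editor"
```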

This list is really just the tip of the iceberg.  But agreement on a few key terms can go a long way to preventing confusion when discussing SSO strategies and solutions.
