Secure Internet Single Sign-On 101

white paper
Secure Internet Single Sign-On 101
OverviewWith the success of single sign-on (SSO) inside the enterprise, users are calling for interoperability outside of the enterprise's security domain to outsourced services, including business process outsourcing (BPO) and software as a service (SaaS) providers, and trading partners, as well as within the enterprise to affiliates and subsidiaries.While the business demands that employees are able to traverse the Internet with highly-sensitive data, the connection has to be secure to protect the user, enterprise and service provider-enter secure Internet SSO. Written for anyone interested in understanding how secure Internet SSO works, this white paper explores the limitations of current SSO implementations outside of a single security domain (including identity and access management systems and open source development) and introduces standalone secure Internet SSO as a solution.white paper
BackgroundConnecting organizations with their external services over the Internet is critical in today's age of real-time information sharing and collaboration. Organizations are no longer isolated: key services outside of the organization's domain (including outsourced employee services and electronic exchanges with trading partners) have to be easily accessible and interoperable.Collaboration is blurring the lines between enterprises and their service providers. With employees traversing the Internet with highly-sensitive data, the connection has to be secure to protect the user, enterprise and service provider. Users are also demanding direct access to external resources and improved ease of use with single sign-on (SSO). As a result, organizations are faced with a myriad of challenges when providing SSO for many different use cases including:. Outbound SSO for users to access software as a service (SaaS) and business process outsourcing (BPO) providers, and to connect with trading partners. Inbound SSO for service providers, such as BPOs and managed services, to access the enterprise's resources. Internal SSO for the enterprise and its acquisitions, affiliates, subsidiaries and joint ventures. SSO to a third party, hosted hub for users to share information among industry organizationsWith many options to consider for delivering SSO that works over the Internet, making the right technology decision is crucial to successfully implementing federated identity management and mitigating long deployment times.
Proprietary SSO (Web Agents)With the success of Web SSO inside the enterprise, many IT organizations looking to provide SSO over the Internet tried to reuse their existing proprietary Web SSO. In order for employees to access external Web sites and for external partners to access internal Web sites, organizations provided a proprietary Web agent to their external partners. Each time access was needed for a different partner, a different proprietary Web agent was implemented, thus for each connection organizations needed to support different software for each of their business partners. Over time, the growing number of different Web agents became difficult to manage due to their lack of reusability, and the ability to scale new connections was limited.As one IT staffer at a Fortune 50 company said, "We need to do single sign-on with fifty external partners. We have fifty different ways of doing it." With each partner connection taking over two months to implement with proprietary SSO methods, IT organizations needed a better way to implement SSO over the Internet; otherwise, it would take years to connect all their partners.
Standards-Based SSO: Federated IdentityTo overcome the limitations of proprietary implementations, organizations wanting to implement SSO over the Internet turned to federated identity standards such as Security Assertion Markup Language (SAML) and WS-Federation. These standards allow organizations to share credentials and attributes for authentication and authorization, reducing the need to maintain
white paper
user credentials in multiple systems and eliminating the re-authentication of users to external resources. By utilizing standards, organizations can deliver secure Internet SSO, which reduces security gaps by creating trusted connections between enterprises providing identities (called identity providers or IdPs) and organizations providing the target applications or resources (called service provide... [download for more]