What is this single sign-on? It is nothing but the ability of an end user or application
to access other applications within a secure environment without having to be validated
by each application separately. The most common example of single-sign-on technology
is in web-based corporate intranet applications.
What is the use of it in this environment? In this setting, users may want to use various
applications that give access to their timetable, project schedule, expense reports and
health benefits. If each user had to be authenticated by every application individually, the
result would be inconvenience, slowness, and a reduced value of the intranet site. Single
sign-on is one solution: it allows access to all applications without further intervention
after the initial sign-on, using a profile that defines what the user is allowed to do.
Many companies provide products for web-based single-sign-on authentication and
authorization, including Netegrity, Securant (now a part of RSA), Oblix, and Verisign.
These products work through an intermediary process that controls and manages the
passing of user credentials from one application to another. Users are assigned a permit
that carries their rights information and allows them to access many applications without
authenticating to each one. This permit allows applications within the secure environment
to shift the burden of authentication and authorization to a trusted third party, leaving the
application free to focus on the implementation of its business logic.
The single-sign-on concept is easily extended to web services. Web services can be
given a permit (placed in an XML/SOAP message) that can be used to validate the service
with other web services. However, the secure use of web services will depend on the
ability to exchange user credentials on a scale never seen before. Individual services will
reside in a variety of protected environments, each using various security products and
technologies. Providing a way to integrate these environments and enable their interoperability
is critical for the secure and effective use of these services.
Based on XML, the Security Assertion Markup Language (SAML) is an almost
complete specification proposed by the Organization for the Advancement of Structured
Information Standards (OASIS). The primary goal of SAML is to enable interoperability
between different systems that provide security services. The SAML specification does
not define new technology or approaches for authentication or authorization. Rather, it
defines a common XML language that describes the information or outputs generated by
these systems.