A sound SSO strategy will give users fewer reasons to write down passwords. However, one password providing access to all in-scope systems can lead to compromised access to those systems.
"Organizations implementing SSO, particularly to systems that hold sensitive data, should implement risk-appropriate authentication methods with the SSO system," said Gregg Kreizman, research vice president at Gartner. "Solutions are not 'one size fits all,' and solutions that provide SSO to all target systems may be deemed too expensive. Therefore, a best practice is to identify the tactical and strategic approaches that reduce enough of the problem space over time and within budget."
Mobile devices can pose further challenges for SSO. "The proliferation of mobile phones and tablets with a variety of operating systems has created the latest and greatest challenges to authentication and SSO," said Mr. Kreizman. "Web-architected applications can often be supported with existing access management tools, such as Web access management (WAM) and federation, because smartphones and tablets have Web browsers. Native mobile resident applications can create a gap in SSO support, and market offerings to resolve the issues are currently immature, proprietary, or not comprehensive enough to support multiple device and operating system variants."
Gartner has identified the following steps and framework that should be used to appropriately scope the target solution set.
Assess the current environment and pain points
The first step is to scope the problem space by identifying the user population and use cases that require a solution, and to inventory the target systems, their architectures and the anticipated lifetimes.
- User population: Identify whether a solution set should cover employees, contractors, external business partners or consumers/constituents.
- Use cases and applications: Identify the logical location of users and the target systems that must be accessed — for example, internal users accessing internally managed applications and software as a service (SaaS) applications, or external consumers and business partners accessing internally managed applications. Identify the applications and use cases that are currently used the most and generating the most calls to the help desk for authentication-related issues.
- Applications and their architectures: Determine the application architecture for each application deemed to be in scope for an SSO initiative.
It's important to determine whether the applications used today will still be in scope over the next few years. If an application will be retired or replaced or have its user base significantly reduced within one to two years, then it can possibly be removed from consideration and, therefore, reduce the problem space. Approaching commercial application vendors to ask whether there are any plans to provide authentication options that can leverage the enterprise standards is also a good idea. A matrix with the inventory results should be drawn up to help identify common architecture and use case patterns.
Leverage currently owned services or solutions to reduce the in-scope applications
Identifying existing tools that could help reduce the problem is essential. Their use may be isolated to one business unit or application set when they could be more broadly deployed. Sometimes reduced sign-on (RSO), enabled by an established password synchronization tool or authentication to a common LDAP-accessible directory, will provide good-enough reduction in the problem space. When multiple directories are used for authentication, directory synchronization or virtual directories may be brought to bear to join disparate identity sources and to expose one standardized view of identity to multiple applications or authentication services, such as a WAM tool. This can provide RSO or SSO, depending on the configuration.
Select solutions to resolve the remaining requirements
Application designs are moving toward Web architectures. As soon as currently owned directories, Kerberos and password synchronization tools have been leveraged, it is likely that tool or service selection will be based on the need to support SSO to Web-architected applications. Furthermore, SaaS adoption has been driving the need for federated Web SSO. Therefore, the solutions that support these needs should be presented first, with less prevalently needed solutions following.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.