Security

New single sign-on initiatives announced


Microsoft has signed another patent cross-licensing deal with a Linux distributor, Turbolinux. In addition, Microsoft and Turbolinux are working on a system that will allow a single sign-on to authenticate the user on both platforms. Turbolinux, a company with a large market in Japan and China, will also incorporate Microsoft's Live Search Service into Linux desktops that already include Windows Media Player for multimedia playback.

Microsoft, Turbolinux to push single sign-on (InfoWorld)

Single sign-on, one component of "Enterprise 2.0," is an initiative that has been undertaken by hundreds of companies and pushed by dozens of vendors, each of which touts its solution as the one that can centralize authentication information. Oracle has added new tools to its Identity Management suite with the acquisition of Bharosa, a firm that "claimed more than 25 million online users of its authentication and fraud prevention products." One major single sign-on initiative has been undertaken in England, with the National Health Service and National Library for Health using an XML-based standard called SAML, or Security Assertion Markup Language.

The state of Enterprise 2.0 (ZDNet)

Oracle adds authentication to access management (CBR)

NHS knowledge base goes for single sign-on (ITPro)

Sometimes, I feel like I am in the dark ages with all of the different login information I have to provide. I have a network ID, a student information system ID, a WebCT ID, and several administrative IDs -- and that is just at work. When you throw in the dozens of login accounts I have out there (banks, Passport, Google, Yahoo, at least 10 online forums, etc.), I might end up logging in 20 or more times per day (with many of the actual logins handled by passwords stored in Windows).

I see "single sign-on" as one of those pie-in-the-sky type initiatives, at least if you apply the term strictly. I suspect that I will only have to log on to one or two services each day at work in the next couple of years, as we have a couple of initiatives towards that goal, but I don't see any help on the horizon for all of the login information that nobody wants to centralize except the consumers. What are your experiences with single sign-on? Do you think it is possible that one day you might log on to your computer and not have to authenticate again in that session?

3 comments
Tig2

While I can't speak to authenticating across OSes, I can speak to SAML and the challenges in deploying it. SAML forces the IT group to divide between authentication and authorization - an often new concept and difficult to enable. In many applications, the authorizing body is simply different to the authenticating body. This spells re-write. I don't disagree that an SSO solution will enable better compliance to password regulation. But I don't see it being utilized for that purpose. Instead, I see the consideration more focused on simplifying the end user experience. I probably have about 60 or so passwords. They speak to everything from web sites that I visit to logging on to my home PCs. I use the complex password rules - alpha-numeric, upper and lower case, symbols. I generally use a generator that gives me a 12 character string of random characters. Here's the difference - I store them in clear text in a program that has its own encryption. If I ever forget the password to THAT program, I will lose my passwords. The business return on investment needs to be proven before SSO can be implemented. It can be argued that SSO is a timesaver. OK, I can see that. It can also be argued that it would aid in compliance to password change and complexity guidelines. I don't see that. If your employees are disregarding complexity guidelines, you have failed to emphasize them and there is likely to not be a level of accountability for violation. SSO will not improve that. Simplification can be a good thing. However, over-simplification may be tossing the baby with the bathwater. There is such a thing as too much of a good thing.

Jaqui

Security-wise, linuxquestions.org went with OpenID logon as an option a while back; I refuse to join such a single sign-on idea. In my opinion, they are a bad idea, since you wind up having to trust the capabilities of people you don't know to secure your confidential information, or worse yet, trust MS to protect confidential data, with their track record of not being able to protect anything but their source code. I'll never use a single sign-on technology; it is flawed in its concept. Edited for typo.

Andy Moon

How long do you think it will be before logon is a once-a-day event?
