Educause Security Discussion mailing list archives

Re: SSO (Single Sign On)


From: Peter Choi <pchoi () WTC-INC NET>
Date: Wed, 24 Sep 2003 16:38:11 -0700

Melissa,

It is a noble effort to achieve the Holy Grail of SSO.  I can tell you 
this though... that your battle will be fought in the political landscape 
rather than in technology. 

Of all the SSO programs and initiatives I've seen (both in major 
financial institutions and military programs), I have never seen an SSO 
program that scales to an enterprise solution covering all aspects of 
authentication.  I've seen the military try to deploy an enterprise-wide SSO 
system (you know, with their funny "Army of One" concept), but the cost of 
implementing it became prohibitive even for the Department of Defense. 

Does it mean that I think there are no successful SSO programs?  Absolutely 
not.  I have also seen many successful SSO programs, but only on the condition 
that SSO limitations and boundaries are clearly stated and controlled. 
There are various forms of XML, biometrics, PKI, and token-based systems that 
will enable you to do all kinds of things, as I am sure you are aware. 
But I think your true assurance of success will be in being able to 
achieve organizational consensus on the meaning of SSO.  Once you can 
achieve this objective, you can go through a basket full of technology 
solutions that you can pick and choose from and convince people of the 
solution you recommend.

Be absolutely certain that you define the limitations of your SSO program 
and its scope.  Draw the boundary line, put a stake in it, and do not waver 
from your initial claims of intention. 

Regards,

Peter


=======================================
S. Peter Choi, Ph D., CISSP
Senior Information Security Consultant
WTC, Inc.
801 South Grand Avenue, Suite 700
Los Angeles, CA 90017

(213) 689-5327
=======================================
Please visit our web site @ http://www.wtc-inc.net


Melissa Guenther <mguenther () COX NET> 
Sent by: The EDUCAUSE Security Discussion Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU>
09/24/2003 02:11 PM
Please respond to
The EDUCAUSE Security Discussion Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU>

To
SECURITY () LISTSERV EDUCAUSE EDU
cc

Subject
[SECURITY] SSO (Single Sign On)

We are researching the benefits of achieving consistent, simple, and 
secure access, and of protecting an enterprise commitment and investment in 
applications, through SSO solutions. 

Single Sign-On was once thought of as a security-decreasing product. 
Today's SSO can actually increase security with the appropriate 
implementation, countering weak, transferable passwords with 
user-transparent, consistent, and strong logon principles.

We are chartered with ensuring that application access is quick, easy, and 
consistent.  This objective continues to be a moving target. Not only are 
the numbers of applications and platforms (Windows, Novell, web, etc.) 
increasing, the user populations are getting larger and more distributed. 
While most IT departments have long known that there are substantial 
support ramifications for supporting multiple applications natively, 
"logging on" has now become one of the greatest challenges to user 
satisfaction and effectiveness. 

I would appreciate any lessons learned from anyone who has explored or 
implemented Single Sign On, in any part.  Security and privacy are our 
biggest considerations at this point.

I also would be happy to share findings.  Although my email is not an edu 
extension, I am working with a large, decentralized university in Arizona.

Thank you in advance for any information.

Melissa Guenther
Increasing Awareness to Improve Security
480-786-6034
********** Participation and subscription information for this EDUCAUSE 
Discussion Group discussion list can be found at 
http://www.educause.edu/cg/. 