Educause Security Discussion mailing list archives
Re: single sign-on strategies
From: Herrera Reyna Omar <omar_herrera () BANXICO ORG MX>
Date: Fri, 30 Jan 2004 10:07:19 -0600
I have not installed single sign-on solutions myself, but I've seen these solutions implemented in some organizations around here (not universities though). There is one comment I would like to make regarding the architecture of single sign-on solutions. I've seen two approaches:

1) Agent-based solutions that provide access to applications and systems.

2) Centralized interface solutions that are kind of a remote GUI for the user, while the centralized system actually logs in to the application/system itself for you (or has the application locally installed).

Approach 1) would require a centralized server to do authentication and maintain credentials only (once authenticated, each client might access the system directly); however, you might need to develop agents for some applications and systems. Also, deploying and maintaining agents could be costly and time consuming, but if one of them goes down, the rest of the applications/systems will most probably stay up.

Approach 2) requires one big (or several) central servers that actually process data and interact with the application (this means more resources are needed, and the likelihood of one of these servers going down is higher than that of the central authentication server failing in approach 1)); however, interaction with clients is faster (since it is only an interface). Also, with this approach it is easier to incorporate host-based applications that were not designed to be accessed remotely through single sign-on.

If you are going to develop your own system, approach 1) is definitely easier and faster to develop; approach 2) is much more complicated, since you would need to develop a huge application (something like Citrix). However, in the long term I see more advantages in approach 2) (remote access for campus applications, for example), and it is easier to maintain once you have it deployed and configured (at least this is what I've seen).

Hopefully this will help.

Regards,

Omar Herrera
-----Original Message-----
From: Craig Blaha [mailto:blaha () TCNJ EDU]
Sent: Friday, 30 January 2004 07:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] single sign-on strategies

The College of New Jersey is in the process of developing our single sign-on strategy as we prepare to integrate our first enterprise application - HRMS - into our portal. We are considering using a partial single sign-on strategy: a user logs into what I'm calling the "casual" portal, which gives them access to the news, their e-mail, navigation and (perhaps) self-service. If the user tries to access an administrative screen of an enterprise application such as HR or Finance, they are prompted to re-enter their password. The enterprise applications would each have their own time out, and username/password would be handled by LDAP. The goal is to strike a balance between security and ease of use that is closer to the secure side of the continuum than a true SSO solution. Has anyone else done this or something similar? I would be interested in any thoughts/lessons learned.
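As an added illustration of the "partial single sign-on" that Craig describes (not code from TCNJ or from anyone on the list), the following models a casual portal session plus per-application step-up re-authentication with independent time-outs. The LDAP bind is replaced by a constructed in-memory password table, and the application names and time-out values are assumptions.

```python
import hashlib
import hmac

# Constructed sample directory standing in for the LDAP bind (assumption):
# username -> hash of the password. A real deployment would bind to LDAP.
_DIRECTORY = {"cblaha": hashlib.sha256(b"correct horse").hexdigest()}


def directory_bind(user, password):
    """Stand-in for an LDAP simple bind: True only if the password matches."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(_DIRECTORY.get(user, ""), digest)


class PortalSession:
    """One user's casual portal login plus the enterprise applications
    they have separately re-authenticated to."""

    # Each administrative application keeps its own idle time-out (seconds).
    # The names and values are assumptions for the example.
    APP_TIMEOUTS = {"HRMS": 600, "Finance": 300}

    def __init__(self, user, password, now):
        if not directory_bind(user, password):
            raise PermissionError("portal login failed")
        self.user = user
        self.casual_login = now   # casual portal: news, e-mail, self-service
        self.app_last_seen = {}   # application name -> last activity time

    def open_app(self, app, now, password=None):
        """Return True if the admin screen of `app` may be shown.

        A fresh or expired application session requires the password again;
        holding the casual portal session alone is never enough."""
        last = self.app_last_seen.get(app)
        if last is not None and now - last < self.APP_TIMEOUTS[app]:
            self.app_last_seen[app] = now   # still inside this app's window
            return True
        # Step-up: the user must re-enter the password for this application.
        if password is None or not directory_bind(self.user, password):
            return False
        self.app_last_seen[app] = now
        return True
```

Note that expiry of one application's window (here Finance at 300 s) does not affect another's, and re-entering the password for HRMS does not unlock Finance.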
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- single sign-on strategies Craig Blaha (Jan 30)
- <Possible follow-ups>
- Re: single sign-on strategies Herrera Reyna Omar (Jan 30)
- Re: single sign-on strategies Bruhn, Mark S. (Feb 23)