Educause Security Discussion mailing list archives

Re: single sign-on strategies


From: Herrera Reyna Omar <omar_herrera () BANXICO ORG MX>
Date: Fri, 30 Jan 2004 10:07:19 -0600

I have not installed single-sign-on solutions myself, but I've seen
these solutions implemented in some organizations around here (not
universities though).

There is one comment I would like to make regarding the architecture of
single sign-on solutions. I've seen two approaches:
1) Agent-based solutions that provide access to applications and systems
2) Centralized interface solutions that are kind of a remote GUI for the
user, while the centralized system actually logs in to the
application/system itself for you (or has the application locally
installed).

Approach 1) would require a centralized server to do authentication and
maintain credentials only (once authenticated, each client might access
the system directly); however, you might need to develop agents for some
applications and systems. Also, deploying and maintaining agents could
be costly and time consuming, but if one of them goes down the rest of
the applications/systems will most probably stay up.

Approach 2) requires one big (or several) central servers that actually
process data and interact with the application (this means more resources
are needed, and the likelihood of one of these servers going down is
higher than the central authentication server failing in approach 1);
however, interaction with clients is faster (since it is only an
interface). Also, with this approach it is easier to incorporate host-based
applications that were not designed to be accessed remotely
through single sign-on.

If you are going to develop your own system, approach 1) is definitely
easier and faster to develop; approach 2) is much more complicated, since
you would need to develop a huge application (something like Citrix).
However, in the long term I see more advantages in approach 2) (remote
access for campus applications, for example), and it is easier to
maintain once you have it deployed and configured (at least this is what
I've seen).

Hopefully this will help.

Regards,
Omar Herrera

-----Original Message-----
From: Craig Blaha [mailto:blaha () TCNJ EDU]
Sent: Friday, 30 January 2004 07:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] single sign-on strategies

The College of New Jersey is in the process of developing our single
sign-on strategy as we prepare to integrate our first enterprise
application - HRMS - into our portal.

We are considering using a partial single sign-on strategy: a user logs
into what I'm calling the "casual" portal, which gives them access to the
news, their e-mail, navigation and (perhaps) self-service. If the user
tries to access an administrative screen of an enterprise application
such as HR or Finance, they are prompted to re-enter their password. The
enterprise applications would each have their own time out, and
username/password would be handled by LDAP.

The goal is to strike a balance between security and ease of use that is
closer to the secure side of the continuum than a true SSO solution.

Has anyone else done this or something similar? I would be interested in
any thoughts/lessons learned.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
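The "partial SSO" policy Craig describes (one portal login for casual resources, a fresh password prompt before any enterprise application screen, and a separate idle timeout per application) is easy to get subtly wrong, for example by letting an HRMS re-authentication silently unlock Finance as well. The following is an added example, not code from the thread or from TCNJ, written in Python to show one way to model that step-up policy. The application names, timeout values, user name, and the in-memory credential store standing in for the LDAP directory are all constructed assumptions.

```python
"""Step-up re-authentication model for a 'partial SSO' portal (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac

# Assumed per-application idle timeouts; the thread names HR and Finance
# but gives no figures, so these values are placeholders.
APP_TIMEOUTS = {
    "hrms": timedelta(minutes=10),
    "finance": timedelta(minutes=15),
}
PORTAL_TIMEOUT = timedelta(hours=8)          # assumed casual-portal session length
CASUAL_RESOURCES = {"news", "email", "navigation", "self-service"}

# Constructed stand-in for the directory lookup (LDAP in the thread).
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


_CREDENTIALS = {"cblaha": _hash("example-password")}   # constructed user


def verify_password(user: str, password: str) -> bool:
    stored = _CREDENTIALS.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash(password))


@dataclass
class Session:
    user: str
    portal_last_seen: datetime
    # application name -> time of the last password re-verification or activity;
    # kept per application so one step-up never unlocks another application.
    app_auth: dict = field(default_factory=dict)


class ReauthRequired(Exception):
    """Raised when the enterprise application needs a fresh password."""


def authorize(session: Session, resource: str, now: datetime) -> bool:
    """Return True if the request may proceed under the partial-SSO policy."""
    if now - session.portal_last_seen > PORTAL_TIMEOUT:
        raise PermissionError("portal session expired; log in again")
    session.portal_last_seen = now
    if resource in CASUAL_RESOURCES:
        return True                      # portal login alone is enough
    if resource not in APP_TIMEOUTS:
        raise PermissionError(f"unknown resource {resource}")
    last = session.app_auth.get(resource)
    if last is None or now - last > APP_TIMEOUTS[resource]:
        raise ReauthRequired(resource)   # prompt for the password again
    session.app_auth[resource] = now     # idle timeout: activity extends it
    return True


def step_up(session: Session, resource: str, password: str, now: datetime) -> bool:
    """Re-verify the password and record the time for this application only."""
    if not verify_password(session.user, password):
        return False
    session.app_auth[resource] = now
    return True


def run_scenario():
    """Walk a constructed session through the policy; returns the outcomes."""
    t0 = datetime(2004, 1, 30, 9, 0)
    s = Session(user="cblaha", portal_last_seen=t0)
    out = [("news", authorize(s, "news", t0))]
    for resource, when in (("hrms", t0),):
        try:
            authorize(s, resource, when)
        except ReauthRequired as exc:
            out.append((resource, f"reauth:{exc}"))
    out.append(("hrms", step_up(s, "hrms", "wrong", t0)))
    out.append(("hrms", step_up(s, "hrms", "example-password", t0)))
    out.append(("hrms", authorize(s, "hrms", t0 + timedelta(minutes=5))))
    for resource, when in (("finance", t0 + timedelta(minutes=5)),
                           ("hrms", t0 + timedelta(minutes=16))):
        try:
            authorize(s, resource, when)
        except ReauthRequired as exc:
            out.append((resource, f"reauth:{exc}"))
    return out


if __name__ == "__main__":
    for resource, outcome in run_scenario():
        print(f"{resource:8} -> {outcome}")
```

The scenario shows the two properties worth checking in any implementation of this design: a successful HRMS step-up does not unlock Finance, and HRMS falls back to the password prompt once its own idle timeout passes even though the portal session is still valid.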
