Enterprise SSO products are designed for large companies with a heterogeneous, distributed computing environment consisting of many systems and applications.
A typical representative of enterprise SSO products is IBM Global Sign-On for Multiplatforms (hereinafter referred to as GSO). GSO provides a secure, simple way to access networked computing resources with a single sign-on. It frees the user from having to enter a different identifier and password for each of his targets, whether the target is an operating system, shared software, a database or some other kind of application.
It would be ideal if GSO could act as a universal, secure and reliable authentication mechanism for any target. Unfortunately, such a unified authentication solution cannot be built, because most products that need an authentication service carry out the authentication process in their own way. For this ideal approach to become reality, vendors would have to modify their products to meet the requirements of the common X/Open Single Sign-On (XSSO) standard.
Therefore, GSO takes a pragmatic approach, based on the fact that vendor products do not support trusted external authentication: each product most often demands its own user ID and password. GSO stores these user IDs and passwords securely and supplies them to the target when it prompts for a password at login. This frees the user from having to remember and type a separate ID and password for each target every day.
A GSO cell contains at least a GSO server and one user workstation, also called a GSO client. A GSO cell can have more than one GSO server and many clients.
Application servers
The user interacts with his workstation and with some target objects (applications), which may run on that workstation or on another computer, such as a departmental server or an application server.
Before starting work, the user must log into his workstation. He presents his password to GSO, not to the applications or other servers. GSO authenticates the user based on his ID and password (sometimes supplemented by a smart card or fingerprint reader). The GSO server takes part in the authentication process in order to verify the user's password and retrieve his credentials.
GSO then logs the user into the targets (applications or servers) that the user needs to work with, using the login methods the targets themselves provide. In most cases GSO simulates an interactive login by passing the user ID and password to the target exactly as if the user had typed them. The important difference, obviously, is that the user no longer has to remember these IDs and passwords; GSO takes care of them.
GSO is a client/server application. Besides the GSO server, a client component runs on the user's workstation and communicates with the GSO server.
Enterprise SSO products offer the following benefits:
- Support for multiple target platforms, each with its own authentication mechanism;
- Secure storage of user credentials (ID, password and some additional information) in a database, per target platform and per user;
- A drastic reduction in forgotten passwords, since users' passwords are stored safely and securely;
- Secure methods and means of authentication and communication: sensitive user information is stored, and transmitted over the network, only in encrypted form.
The disadvantages of enterprise SSO products are their relatively high cost and the high level of qualification required of the staff who administer them.
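The sign-on flow described above (the user proves a single password to the GSO server, GSO keeps each target's ID and password only in encrypted form, and replays them to the target at login) can be modelled end to end. The following Python is an added example written for this page, not IBM's GSO code: the GsoServer, GsoClient and Target classes, the user "alice" and the "payroll-db" account are constructed stand-ins, and the HMAC-based sealing is a standard-library substitute for the AEAD cipher a real product would use.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value, tune per deployment


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from the user's single GSO password and a salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib-only stand-in for an AEAD such as AES-GCM)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one credential record: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a tampered record or a wrong key is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("credential record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class GsoServer:
    """Stand-in for the GSO server: verifies the single password and keeps sealed records, never the vault key."""

    def __init__(self) -> None:
        self._auth = {}  # user -> (auth salt, password hash, vault salt)
        self.vault = {}  # user -> {target name: sealed credential record}

    def register_user(self, user: str, password: str) -> None:
        auth_salt, vault_salt = os.urandom(16), os.urandom(16)
        self._auth[user] = (auth_salt, derive_key(password, auth_salt), vault_salt)
        self.vault[user] = {}

    def authenticate(self, user: str, password: str):
        """Return the user's vault salt on success, None on failure; unknown users cost the same work."""
        salt, stored, vault_salt = self._auth.get(user, (b"\x00" * 16, b"\x00" * 32, None))
        return vault_salt if hmac.compare_digest(derive_key(password, salt), stored) else None


class Target:
    """Stand-in for an application with its own ID/password login, such as a database."""

    def __init__(self, accounts: dict) -> None:
        self._accounts = accounts  # id -> password; plaintext only to keep the example short

    def login(self, user_id: str, password: str) -> bool:
        return hmac.compare_digest(self._accounts.get(user_id, "").encode(), password.encode())


class GsoClient:
    """Stand-in for the GSO client on the workstation: the only place the vault key exists."""

    def __init__(self, server: GsoServer) -> None:
        self._server, self._user, self._key = server, None, None

    def login(self, user: str, password: str) -> None:
        """The single interactive login: the password goes to GSO, not to any target."""
        vault_salt = self._server.authenticate(user, password)
        if vault_salt is None:
            raise PermissionError("GSO authentication failed")
        self._user, self._key = user, derive_key(password, vault_salt)

    def store_credential(self, target_name: str, target_id: str, target_password: str) -> None:
        record = json.dumps({"id": target_id, "password": target_password}).encode()
        self._server.vault[self._user][target_name] = seal(self._key, record)

    def login_to_target(self, target_name: str, target: Target) -> bool:
        """Replay the stored ID and password to the target as if the user had typed them."""
        cred = json.loads(open_sealed(self._key, self._server.vault[self._user][target_name]))
        return target.login(cred["id"], cred["password"])


def demo() -> dict:
    server = GsoServer()
    server.register_user("alice", "one-password-to-remember")  # constructed user
    payroll = Target({"asmith": "Db#Secret17"})  # constructed target account
    client = GsoClient(server)
    client.login("alice", "one-password-to-remember")
    client.store_credential("payroll-db", "asmith", "Db#Secret17")
    return {
        "target_login_ok": client.login_to_target("payroll-db", payroll),
        "plaintext_on_server": b"Db#Secret17" in server.vault["alice"]["payroll-db"],
        "wrong_password_rejected": server.authenticate("alice", "guess") is None,
    }
```

The design point worth noticing is the two salts: the server hashes the single password with one salt so it can verify it, while the client derives the vault key with the other, so the server can confirm who the user is and hand back the sealed records without ever being able to open them. The authenticated tag on each record means a modified or swapped record is refused rather than replayed to the target.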