Single Sign On
This is a discussion of true single sign-on. Not OpenID "SSO", which is halfway between shared credentials and real SSO... let me explain:
- Shared Credentials - this is typical of most ISPs etc. You log into a browser with your name and password. Then when you go to Jabber you use that same name and password. You may even have the same details on other sites you log into - entering your name and password each time.
- OpenID - is halfway to SSO: you enter your login name and password only once. But at each new web site you go to, you still have to enter your name (by entering a URL). So sure, we have protected remote sites from knowing your password, but we have not signed on only once. It is not black & white - some people describe SSO as entering your password once... but.
- SSO - you enter your name and password only once. Each new site you go to does not ask you anything, it already knows who you are.
What about non-Web
LAN-based systems using Kerberos-style authentication, such as Active Directory, do allow non-web systems to authenticate. However, this does not work over internet connections.
What do we want to Sign On to ?
The list is long, but here are some basics:
- Proxy - yes web proxies are still used and useful
- Local web applications - trusted by proxy or LAN, so easy but still necessary
- Internet based applications - including non-trusted ones. If I go to slashdot.org, it should know who I am.
- Instant Message applications - e.g. Jabber
- Email - both SMTP & IMAP (POP would also be nice)
- File Sharing - SMB, WebDAV etc
Web Based Solutions
There are some web based solutions.
- Passport - Microsoft did Passport, and it works... well, kind of, if you use Windows & IE, trust Microsoft for all federations, and hope they don't charge in the future, or give away data, or allow non-Windows systems into the federation... It works by setting a cookie/header across sites - which requires a hack on the browser. It does not fix any other HTTP or non-HTTP access, only sites within IE.
- Shibboleth - also known as SAML - this works by redirecting your unauthenticated request to a known central point (called the WAYF - Where Are You From - server). This server remembers what you entered last time and redirects you to your identity provider (IdP, e.g. your work, institution, school etc). After checking who you are, the identity provider redirects you back to the original site. New sites go through these two or three hops without you noticing, simulating SSO nicely.
  - But which federation? How do we know which central point (WAYF) to send you to?
  - What about internet cafes or laboratories? Either the WAYF remembers which institution/work/IdP you came from, or you have to tell it each session. That means you are entering yet another step.
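To make the SP -> WAYF -> IdP -> SP hop sequence concrete, here is an added toy simulation of that redirect chain. It is not code from the original page and not Shibboleth or any SAML library; the IdP names, the service provider name `wiki.example.org`, and the shared HMAC secrets (standing in for SAML's XML signatures) are all constructed for the example. It shows the two points a defender cares about: the WAYF can only skip the "which IdP?" question if the browser carried a cookie from an earlier session, and the site receiving the final redirect must check issuer, signature, audience and expiry before trusting the asserted identity.

```python
"""Toy model of a WAYF-based redirect SSO flow (constructed example, not Shibboleth code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple, List

# Constructed federation: the IdPs this service provider (SP) trusts, keyed by name.
# Shared secrets replace real SAML signing keys purely for the demonstration.
FEDERATION_KEYS = {
    "idp.example-university.edu": b"constructed-university-key",
    "idp.example-corp.com": b"constructed-corp-key",
}
SP_NAME = "wiki.example.org"  # constructed service provider


def idp_issue(idp_name: str, subject: str, audience: str, now: Optional[float] = None) -> str:
    """IdP side: the user already signed on here once; mint a short-lived assertion for `audience`."""
    now = time.time() if now is None else now
    claims = {"issuer": idp_name, "subject": subject, "audience": audience,
              "issued": now, "expires": now + 300}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(FEDERATION_KEYS[idp_name], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def sp_verify(token: str, now: Optional[float] = None) -> str:
    """SP side: accept the redirected assertion only if it comes from a federation member,
    is unaltered, is addressed to this SP and has not expired. Returns the asserted subject."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(body)
    except ValueError as exc:  # covers bad split, bad base64 and bad JSON
        raise ValueError("malformed assertion") from exc
    key = FEDERATION_KEYS.get(claims.get("issuer"))
    if key is None:
        raise ValueError("issuer not in federation")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("audience") != SP_NAME:
        raise ValueError("assertion not addressed to this SP")
    if now >= claims["expires"]:
        raise ValueError("assertion expired")
    return claims["subject"]


def wayf_lookup(browser_cookies: dict) -> Optional[str]:
    """WAYF side: the 'Where Are You From' server only knows your IdP if this browser
    remembered it from an earlier session; on a shared machine it has to ask."""
    idp = browser_cookies.get("wayf_idp")
    return idp if idp in FEDERATION_KEYS else None


def sso_flow(browser_cookies: dict, idp_session_user: str,
             chosen_idp: Optional[str] = None) -> Tuple[str, List[str]]:
    """Simulate one unauthenticated request to the SP. `idp_session_user` is who is already
    signed on at the IdP. Returns (subject, hops); raises LookupError when the WAYF must ask."""
    hops = [f"{SP_NAME} -> wayf"]
    idp = wayf_lookup(browser_cookies) or chosen_idp
    if idp is None:
        raise LookupError("WAYF does not know your IdP; an extra step is needed")
    hops.append(f"wayf -> {idp}")
    token = idp_issue(idp, idp_session_user, SP_NAME)
    hops.append(f"{idp} -> {SP_NAME}")
    return sp_verify(token), hops


if __name__ == "__main__":
    # Returning browser: the WAYF cookie lets all three hops happen with no prompt.
    print(sso_flow({"wayf_idp": "idp.example-university.edu"}, "alice"))
    # Internet cafe: no cookie, so the user has to pick an IdP (the extra step).
    print(sso_flow({}, "bob", chosen_idp="idp.example-corp.com"))
```

The `sp_verify` checks are the part that matters for a real deployment: a redirect-based scheme is only as trustworthy as the site's validation of what comes back on the last hop, so audience and expiry are checked alongside the signature rather than trusting the subject field alone.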