Wednesday, February 3, 2010

LDAP Authentication and Single Sign On (SSO)

When implementing my Workflow Management System, I have to implement Single Sign On. Following are the facts I gathered about SSO and LDAP during my research.
  • SSO is the ability for a user to enter the same id and password to log on to multiple applications within an enterprise.
  • Single sign on benefits are:
      • Ability to enforce uniform enterprise authentication and/or authorization policies across the enterprise
      • End-to-end user audit sessions to improve security reporting and auditing
      • Removes the need for application developers to understand and implement identity security in their applications
      • Usually results in significant password help desk cost savings
  • Since HTTP is stateless, the single sign on software must check every request from the user's browser to see whether an authentication policy applies to the resource or application the user is trying to access.
  • In a medium to large enterprise, this means that every time the user clicks on a different URL, there is traffic between the user's browser, the web or application servers and the security server.
  • Therefore, most modern single sign on systems use LDAP (Lightweight Directory Access Protocol) directories to store the authentication and authorization policies.
  • LDAP directories are built for high-performance lookups, which addresses the high traffic load.
  • Further, the LDAP directories are often the source the single sign on system authenticates against.
  • The above are the reasons why LDAP directories and authentication have taken on such a dominant role in enterprise authentication. LDAP directories offer the following features:
      • They are very quick for identity reads compared with traditional relational databases
      • They are low cost; in fact some LDAP directories are available for free
      • Virtual LDAP directories enable quick linkage between multiple databases and multiple LDAP directories
      • LDAP directories are well suited to rapid authentication checks for any digitized credential
      • LDAP is a standard protocol, enabling quick interaction and exchange of identity information between enterprises
      • LDAP directories can be easily partitioned to place the directory close to the end user, thus improving performance and reducing network load
Single Sign On (SSO) systems mostly use LDAP authentication. The enterprise user logs on in the morning and normally sees a form-based enterprise login screen. The user enters their id and password. The SSO software then takes this information and sends it to the security server over an encrypted connection. The security server in turn logs on to the LDAP server on behalf of the user (an LDAP bind) by providing the LDAP server with the user's id and password. If the bind succeeds, the security server proceeds with any authorization and/or lets the user proceed to the application or resource they require.
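The "log on to the LDAP server on behalf of the user" step above, as an added example that is not the post's own code: the security server looks up the entry for the submitted id and then binds as that entry with the submitted password. The directory client is abstracted as two callables (search, bind) so the flow runs offline against a constructed in-memory directory; the uid attribute, the inetOrgPerson object class and the example DNs are assumptions. It also shows the two checks this pattern needs in practice: escaping the user-supplied id before it goes into the search filter, and refusing an empty password, which a directory server may otherwise treat as a successful unauthenticated bind.

```python
"""Authenticate the way the post's security server does: find the directory
entry for the submitted id, then bind as that entry with the submitted
password. Example code, not from the original post."""
from typing import Callable, Iterable, Optional

# RFC 4515 escaping for values placed inside a search filter. Without it a
# user-supplied id such as "*" or "x)(uid=admin" changes the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(uid: str) -> str:
    # Attribute and object class are assumptions for this example.
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))"

def authenticate(uid: str, password: str,
                 search: Callable[[str], Iterable[str]],
                 bind: Callable[[str, str], bool]) -> Optional[str]:
    """Return the user's DN on success, None otherwise.
    search(filter) yields matching DNs; bind(dn, password) reports success."""
    # RFC 4513: a bind with a DN and an EMPTY password is an "unauthenticated
    # bind" that servers may accept, so it must never count as a login.
    if not uid or not password:
        return None
    matches = list(search(build_user_filter(uid)))
    if len(matches) != 1:          # unknown id, or an ambiguous one
        return None
    dn = matches[0]
    return dn if bind(dn, password) else None

# Constructed in-memory directory standing in for the LDAP server.
_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "password": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "password": "hunter2"},
}

def fake_search(ldap_filter: str) -> Iterable[str]:
    # Understands only the filter shape build_user_filter() produces; the
    # escaped value is compared literally, as a real server would compare it.
    prefix = "(&(objectClass=inetOrgPerson)(uid="
    wanted = ldap_filter[len(prefix):-2]
    return [dn for dn, e in _DIRECTORY.items()
            if escape_filter_value(e["uid"]) == wanted]

def fake_bind(dn: str, password: str) -> bool:
    entry = _DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password
```

Against a real server, `search` and `bind` would wrap the directory client's search and simple-bind calls; the rest of the flow is unchanged.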

LDAP Authentication Implementation

Often a simple LDAP directory authentication project runs into trouble. Common causes are:
  • Poor authoritative sources
  • Poor identity data
  • No unique global ids
  • Poor synchronization between the authoritative source and the LDAP directory
  • Poor design of the LDAP and SSO authentication strength
  • Poor design of the LDAP and SSO failover and disaster recovery
