Types of SSO:
• Enterprise SSO is designed to provide single sign-on to practically all the applications an end user needs: web apps, Windows executables (thick clients), Java apps and mainframe apps. It works by capturing the user ID and password for an application when the user logs in. The next time the application is launched, the Enterprise SSO (ESSO) agent detects it and automatically enters the credentials on the user's behalf to log them in. ESSO does not really authenticate the user to the application; it simply automates credential submission. Typically, Enterprise SSO systems provide a protected password store, and a client application automatically supplies the stored credentials to applications when they are requested. The user credentials can be managed from a centralized SSO server whose main function is to distribute and synchronize credentials with the local agent store. Whenever a user tries to access an application, the SSO agent on the desktop retrieves the credentials based on the user profile and populates them into the application's login screen.
• Web SSO provides SSO capabilities to a wider user base: employees, business partners and customers accessing the applications. It is a browser-based mechanism providing single sign-on to applications deployed on web servers within a domain. The drawback is that the solution is limited to web-based applications.
It can be deployed in two types of configuration:
  • Proxy-based configuration: typically used for centralized access management.
  • Agent-based configuration: typically used for distributed access management.
• Federated SSO is targeted at both employees and business partners but, like Web SSO, is limited to browser-based technology. In a federated SSO environment, a user obtains single sign-on not only to web applications but also to the applications of business partners, by providing identity assertions using a protocol like SAML. The remote system validates the assertion and grants access if the assertion is trusted.
CA SiteMinder can be used to provide single sign-on to web applications hosted on web servers. The basic request flow is as follows:
1. A user tries to access a web page, e.g. index.html, from a web browser: http://www.simpletute.org/sitemap/index.html
2. The Web Agent installed on the web server intercepts this request and checks with the policy server whether this web page (index.html) is protected or unprotected.
3. If the web page is unprotected, the web server returns the page to the web browser, which in turn displays it to the user. If the web page is protected, the policy server asks the web browser to prompt the user for valid credentials to authenticate the user.
4. The user enters the credentials, which the web browser sends to the policy server. The policy server sends a request to the policy store to confirm the validity of the credentials submitted by the user.
5. If the credentials are incorrect, the policy server sends an insufficient-access message to the web browser. If the credentials are correct, the policy server returns the web page to the web browser.
This is the very basic request flow. If we go in depth, there are many more steps completed in this authentication process.
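The request flow above, modeled as an added Python example (not code from CA SiteMinder or from the original page): a hypothetical WebAgent consults a hypothetical PolicyServer backed by a constructed in-memory policy store and, as in steps 2 to 5, returns the page, a credential challenge, or an insufficient-access message.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed policy store: the protected path from the example URL and one sample user.
# A real policy store would hold hashed credentials or defer to a directory, not plaintext.
POLICY_STORE = {
    "protected_paths": {"/sitemap/index.html"},
    "credentials": {"alice": "correct horse battery staple"},
}
# Constructed pages served by the web server.
PAGES = {"/sitemap/index.html": "<html>sitemap</html>", "/public.html": "<html>public</html>"}

@dataclass
class Response:
    status: int  # 200 = page returned, 401 = credentials requested, 403 = insufficient access
    body: str

class PolicyServer:
    """Hypothetical policy server: answers 'is it protected?' and validates credentials."""
    def __init__(self, store: dict):
        self.store = store
    def is_protected(self, path: str) -> bool:
        return path in self.store["protected_paths"]
    def validate(self, user: str, password: str) -> bool:
        expected = self.store["credentials"].get(user)
        # Constant-time comparison so a wrong password does not leak how much of it matched.
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

class WebAgent:
    """Hypothetical web agent on the web server; intercepts every request (step 2)."""
    def __init__(self, policy_server: PolicyServer, pages: Dict[str, str]):
        self.policy_server, self.pages = policy_server, pages
    def handle(self, path: str, credentials: Optional[Tuple[str, str]] = None) -> Response:
        page = self.pages.get(path)
        if page is None:
            return Response(404, "not found")
        if not self.policy_server.is_protected(path):  # step 3: unprotected page is served as-is
            return Response(200, page)
        if credentials is None:  # step 3: protected, so the browser is asked for credentials
            return Response(401, "credentials required")
        user, password = credentials  # steps 4-5: checked against the policy store
        if self.policy_server.validate(user, password):
            return Response(200, page)
        return Response(403, "insufficient access")

def build_agent() -> WebAgent:
    return WebAgent(PolicyServer(POLICY_STORE), PAGES)
```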