Implementing single sign-on (SSO), either on a standalone basis or integrated into an IdM system, addresses these password-related problems: it reduces IT support costs, improves enterprise security, and simplifies password management. An SSO system lets users reach all of their applications through a single authentication event. Depending on the solution selected, SSO can also let the network administrator assign and control passwords from a single console, eliminating the need to set passwords in person at each user's workstation. Because that one authentication event now unlocks every connected application, the SSO credential itself deserves stronger protection than any of the individual passwords it replaces. There are several variations on SSO available.
Web Single Sign-On

A Web-based access management solution can include an SSO capability for Web-based applications. With Web-based SSO, the user supplies a credential once. The Web server does not check the password itself; it passes the credential to a central credential server for validation. If the credential matches, the user is granted access to the Web-based application or system, and the other Web applications in the same SSO domain accept that authentication instead of prompting for the password again. With users accessing more and more applications over the Internet from application service providers and other sources, Web-based SSO is critical. However, Web-based SSO does not cover sign-on for non-Web-based applications such as mainframe and client/server applications. A separate enterprise SSO (ESSO) product is often needed for those.

Password Synchronization

Some IdM solutions offer password synchronization, where all applications that the IdM supports share the same password. When a password is changed on one connected system, the change is automatically replicated to all other integrated or supported systems. For end users, synchronization simplifies password handling somewhat: they still have to enter their credentials for each application, but for the supported applications they can use the same password. However, relatively few enterprise applications expose the interfaces needed to support synchronization. A further weakness is that the shared password must satisfy the weakest password policy among all the supported applications (the shortest maximum length, the smallest permitted character set, and so on). Every supported application is therefore exposed to a breach that exploits this weak password. An attacker can target the system with the weakest security controls, knowing that the password obtained there will work on every other synchronized system regardless of that system's own controls. The security of all synchronized applications is thus reduced to that of the weakest system.

In addition, applications that lack the necessary interfaces or are hosted on other networks cannot be synchronized, and users must still log on separately to every unsupported application.
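The Web SSO flow described above (user presents a credential once, a central credential server validates it, and the Web applications then admit the user without ever handling the password) is shown below as an added Python example. This is illustrative code written for this page, not the code of any product the page discusses. It assumes a single HMAC key shared between the credential server and the applications as a stand-in for the signed session or assertion a real deployment would use; the class and user names, the key, and the ticket format are all hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored password hashes


def _b64(raw: bytes) -> str:
    # URL-safe base64 never contains ".", so it is safe as the ticket separator
    return base64.urlsafe_b64encode(raw).decode()


class CredentialServer:
    """Central credential server: the only component that ever sees a password."""

    def __init__(self, ticket_key: bytes, ttl_seconds: int = 3600):
        self._users = {}            # username -> (salt, PBKDF2 digest)
        self._ticket_key = ticket_key
        self._ttl = ttl_seconds

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def authenticate(self, username: str, password: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Validate the password; on success issue a signed, time-limited SSO ticket."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):
            return None
        issued = time.time() if now is None else now
        claims = {"sub": username, "iat": issued, "exp": issued + self._ttl}
        payload = json.dumps(claims, separators=(",", ":")).encode()
        tag = hmac.new(self._ticket_key, payload, "sha256").digest()
        return _b64(payload) + "." + _b64(tag)


class WebApp:
    """A Web application that trusts credential-server tickets and never handles passwords."""

    def __init__(self, name: str, ticket_key: bytes):
        self.name = name
        self._ticket_key = ticket_key

    def access(self, ticket: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated username, or None if the ticket is malformed, forged or expired."""
        try:
            payload_b64, tag_b64 = ticket.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except ValueError:          # wrong part count or bad base64 (binascii.Error is a ValueError)
            return None
        expected = hmac.new(self._ticket_key, payload, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            return None             # payload altered, or signed under a different key
        claims = json.loads(payload)
        current = time.time() if now is None else now
        if current >= claims["exp"]:
            return None
        return claims["sub"]


def demo() -> dict:
    """One login at the credential server, then access to two Web apps with the same ticket."""
    ticket_key = secrets.token_bytes(32)    # assumed: key shared by the credential server and the apps
    idp = CredentialServer(ticket_key, ttl_seconds=600)
    idp.add_user("alice", "correct horse battery staple")   # constructed sample user
    hr, payroll = WebApp("hr", ticket_key), WebApp("payroll", ticket_key)
    t0 = 1_700_000_000.0                    # fixed clock so the expiry check is deterministic

    ticket = idp.authenticate("alice", "correct horse battery staple", now=t0)
    rejected = idp.authenticate("alice", "wrong password", now=t0)

    # Forgery attempt: keep the genuine tag but swap in a payload naming another user.
    forged_claims = {"sub": "admin", "iat": t0, "exp": t0 + 600}
    forged = _b64(json.dumps(forged_claims, separators=(",", ":")).encode()) + "." + ticket.split(".")[1]

    return {
        "bad_password_rejected": rejected is None,
        "hr_user": hr.access(ticket, now=t0 + 1),
        "payroll_user": payroll.access(ticket, now=t0 + 2),
        "forged_rejected": payroll.access(forged, now=t0 + 2) is None,
        "expired_rejected": hr.access(ticket, now=t0 + 600) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is where the password goes: only `CredentialServer.authenticate` ever compares it, and each `WebApp` decides purely on the signature and expiry of the ticket. That is what lets one authentication event serve several applications, and it is also why the ticket key and the ticket's lifetime become the security-critical parameters of the whole scheme.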
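The weakest-link effect of password synchronization described above can be made concrete by working out the policy a synchronized password must actually meet. The Python below is an added example for this page, not anything from the text's source; the three systems and their limits are constructed, illustrative assumptions rather than real product figures.

```python
import math
import string

# Constructed per-system password capabilities (illustrative assumptions, not real product limits)
SYSTEMS = {
    "web-portal": {"max_len": 64, "alphabet": string.ascii_letters + string.digits + string.punctuation},
    "erp":        {"max_len": 16, "alphabet": string.ascii_letters + string.digits},
    "mainframe":  {"max_len": 8,  "alphabet": string.ascii_uppercase + string.digits + "@#$"},
}


def synchronized_policy(systems):
    """A single shared password must be accepted by every system, so the effective
    policy is the shortest maximum length and the intersection of the alphabets."""
    max_len = min(s["max_len"] for s in systems.values())
    alphabet = set.intersection(*(set(s["alphabet"]) for s in systems.values()))
    return {"max_len": max_len, "alphabet": alphabet}


def keyspace_bits(max_len, alphabet_size):
    """Search space, in bits, of a maximal-length random password under a policy."""
    return max_len * math.log2(alphabet_size)


def per_system_bits(systems):
    """Keyspace each system would get if its password were chosen independently."""
    return {name: keyspace_bits(s["max_len"], len(s["alphabet"])) for name, s in systems.items()}


def synchronized_bits(systems):
    """Keyspace of the one password that synchronization forces onto every system."""
    policy = synchronized_policy(systems)
    return keyspace_bits(policy["max_len"], len(policy["alphabet"]))


def weakest_system(systems):
    """The system an attacker would go after first: smallest independent keyspace."""
    bits = per_system_bits(systems)
    return min(bits, key=bits.get)


def rejecting_systems(password, systems):
    """Systems that would refuse this password, i.e. where synchronization would fail."""
    return sorted(
        name for name, s in systems.items()
        if len(password) > s["max_len"] or any(c not in s["alphabet"] for c in password)
    )


if __name__ == "__main__":
    for name, bits in per_system_bits(SYSTEMS).items():
        print(f"{name:12s} independent keyspace: {bits:6.1f} bits")
    print(f"synchronized keyspace:    {synchronized_bits(SYSTEMS):6.1f} bits "
          f"(bounded by {weakest_system(SYSTEMS)})")
    print("rejected for 'Tr0ub4dor&3':", rejecting_systems("Tr0ub4dor&3", SYSTEMS))
    print("rejected for 'A1B2C3D4':  ", rejecting_systems("A1B2C3D4", SYSTEMS))
```

With these inputs the shared password is limited to eight characters drawn from 36 symbols, roughly 41 bits, which is below even the mainframe's own 42 bits because the intersection of alphabets is smaller than any single system's alphabet. A password that the Web portal would happily accept is rejected by two of the three systems, so synchronization cannot even be set up unless every user adopts the weakest policy. `weakest_system` is the practitioner's check: whatever it returns is the system whose controls now protect all the others.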