Single Sign On confusion
By wyllys on Sep 16, 2004
Single Sign On is fast becoming one of the most overloaded phrases in software security. For some it means accessing lots of web pages without entering a name/password every time (regardless of how secure or insecure the mechanism behind that convenience actually is). For others it means accessing all of your network resources (web sites, internal utilities, logging into other hosts with ssh/rlogin/telnet, reading mail, etc.) without reentering passwords.
When you read high level information like the above article, it rarely specifies what technology is being used to provide the SSO features and it leaves the curious engineer hungry for real details. Coming from the network security area, I am wondering if this SSO involves Kerberos, GSSAPI, and SASL to enable secure access to the LDAP directories or if it means using something else entirely. I know that for Solaris 10 we have improved the Kerberos and GSSAPI technology that is bundled in the OS to make it more up-to-date with respect to both MIT Kerberos and Active Directory.
We have always interoperated with Microsoft's Active Directory as a Kerberos client, and Solaris 10 now has support for the RC4-HMAC encryption keys that AD prefers to use. So, doing Kerberos (GSSAPI)-based SSO with Microsoft has never been a problem in the past, but it all depends on the definition of "SSO" and the apps that you want to access.
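Whether a Kerberos SSO deployment actually ends up using RC4-HMAC or AES keys is visible per ticket in a credential cache, which is the first thing to check when sorting out an AD/Solaris interoperability question. The script below is an added example, not code from the original post or from Solaris: it parses `klist -e` style output and reports which services were issued tickets or session keys under RC4-HMAC. The sample output is constructed to look like MIT/Solaris `klist -e`, and the enctype name aliases it recognises are an assumption about what the local `klist` prints; by today's standards RC4-HMAC is a deprecated enctype, so the report is what a defender would use to track which services still depend on it.

```python
"""Parse `klist -e` style output and report the enctype of each ticket.

Added example, not from the original post. The sample output below is
constructed; real `klist -e` output varies by Kerberos implementation.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of MIT/Solaris `klist -e` output.
SAMPLE_KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: alice@CORP.EXAMPLE

Valid starting     Expires            Service principal
09/16/04 08:00:00  09/16/04 18:00:00  krbtgt/CORP.EXAMPLE@CORP.EXAMPLE
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
09/16/04 08:00:05  09/16/04 18:00:00  ldap/dc1.corp.example@CORP.EXAMPLE
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
09/16/04 08:01:10  09/16/04 18:00:00  host/unix1.corp.example@CORP.EXAMPLE
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, des3-cbc-sha1
"""

# Enctype names grouped for reporting. Assumption: these aliases are the
# ones the local klist prints; adjust to match your implementation.
RC4_NAMES = {"arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"}
AES_NAMES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}


@dataclass
class Ticket:
    service: str
    session_etype: str  # enctype of the session key shared with the service
    ticket_etype: str   # enctype the service ticket itself is encrypted under


# A ticket line: two "MM/DD/YY HH:MM:SS" timestamps followed by the principal.
TICKET_LINE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)\s*$"
)
# The `-e` detail line that follows it.
ETYPE_LINE = re.compile(r"^\s*Etype \(skey, tkt\):\s*([^,]+),\s*(.+?)\s*$")


def parse_klist(text):
    """Return a Ticket for every service principal that has an Etype line."""
    tickets = []
    pending = None
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = ETYPE_LINE.match(line)
        if m and pending:
            tickets.append(Ticket(pending, m.group(1).strip(), m.group(2).strip()))
            pending = None
    return tickets


def classify(etype):
    """Bucket an enctype name as 'aes', 'rc4-hmac' or 'other'."""
    if etype in AES_NAMES:
        return "aes"
    if etype in RC4_NAMES:
        return "rc4-hmac"
    return "other"


def rc4_services(tickets):
    """Services whose session key or ticket still rides on RC4-HMAC."""
    return sorted(
        t.service
        for t in tickets
        if "rc4-hmac" in (classify(t.session_etype), classify(t.ticket_etype))
    )


def summarize(tickets):
    """Count tickets by the weaker of their two enctype buckets."""
    counts = {"aes": 0, "rc4-hmac": 0, "other": 0}
    for t in tickets:
        buckets = {classify(t.session_etype), classify(t.ticket_etype)}
        weakest = "other" if "other" in buckets else "rc4-hmac" if "rc4-hmac" in buckets else "aes"
        counts[weakest] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST_OUTPUT)
    for t in parsed:
        print(f"{t.service}: skey={t.session_etype} tkt={t.ticket_etype}")
    print("RC4-HMAC services:", rc4_services(parsed))
    print("summary:", summarize(parsed))
```

Run it against real output with `klist -e | python3 klist_enctypes.py`-style plumbing by replacing `SAMPLE_KLIST_OUTPUT` with `sys.stdin.read()`; the parser keys only on the timestamp layout and the `Etype (skey, tkt):` line, so other cache metadata is ignored.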
Most large enterprise networks today are a mix of operating systems and platforms, and getting Single Sign On to work seamlessly across all of them is a very challenging task. I'm not sure what this new arrangement involves or how it builds upon or complements what we've done in the past, but I'm hoping it is an improvement that takes us closer to the goal of having secure SSO become the norm for all platforms.