Single Sign-On

Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.

Many free and commercial SSO or reduced sign-on solutions are currently available. A partial list follows:

  • The JA-SIG Central Authentication Service (CAS) is an open single sign-on service (originally developed by Yale University) that allows web applications the ability to defer all authentication to a trusted central server or servers. Numerous clients are freely available, including clients for Java, .Net, PHP, Perl, Apache, uPortal, Liferay and others.
  • CoSign, an open-source project originally designed to provide the University of Michigan with a secure single sign-on web authentication system. CoSign authenticates users on the web server and then provides an environment variable containing the user's name. When the user accesses a part of the site that requires authentication, the presence of that variable allows access without having to sign on again. CoSign is part of the National Science Foundation Middleware Initiative (NMI) software release.
  • Enterprise single sign-on (E-SSO), also called legacy single sign-on, intercepts, after primary user authentication, the login prompts presented by secondary applications and automatically fills in fields such as a login ID or password. E-SSO systems allow for interoperability with applications that are unable to externalize user authentication, essentially through "screen scraping."
  • Web single sign-on (Web-SSO), also called Web access management (Web-AM), works strictly with applications and resources accessed with a web browser. Access to web resources is intercepted, either using a web proxy server or by installing a component on each targeted web server. Unauthenticated users who attempt to access a resource are diverted to an authentication service, and returned only after a successful sign-on. Cookies are most often used to track user authentication state, and the Web-SSO infrastructure extracts user identification information from these cookies, passing it into each web resource.
  • Kerberos is a popular mechanism for applications to externalize authentication entirely. Users sign into the Kerberos server, and are issued a ticket, which their client software presents to servers that they attempt to access. Kerberos is available on Unix, Windows and mainframe platforms, but requires extensive modification of client/server application code, and is consequently not used by many legacy applications.
  • Federation is a new approach, also for web applications, which uses standards-based protocols to enable one application to assert the identity of a user to another, thereby avoiding the need for redundant authentication. Standards to support federation include SAML and WS-Federation.
  • Light-Weight Identity and OpenID, under the YADIS umbrella, offer distributed and decentralized SSO, where identity is tied to an easily-processed URL which can be verified by any server using one of the participating protocols.
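As an added illustration (not code from the original article or from any of the products listed) of the Web-SSO pattern described above: the authentication service issues an HMAC-signed cookie after sign-on, and the interceptor in front of each web resource either passes the request through with the extracted user name (much as CoSign's environment variable does) or diverts the user to the authentication service. The shared secret, cookie name and login URL are constructed placeholders; the signature is what stops a client from forging the identity carried in the cookie.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Constructed placeholders: the SSO service and every interceptor share this secret.
SSO_SECRET = b"example-shared-secret"
COOKIE_NAME = "sso_session"
SSO_LOGIN_URL = "https://sso.example.test/login"  # hypothetical authentication service


def issue_cookie(user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Issued by the authentication service after a successful sign-on.
    Payload is "<user>|<expiry>"; the HMAC binds the identity claim to the secret."""
    exp = int((now if now is not None else time.time()) + ttl_seconds)
    payload = f"{user_id}|{exp}".encode()
    sig = hmac.new(SSO_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is well-formed, authentic and unexpired, else None."""
    try:
        b64, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SSO_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    user_id, _, exp = payload.decode(errors="replace").rpartition("|")
    current = now if now is not None else time.time()
    if not user_id or not exp.isdigit() or int(exp) <= current:
        return None
    return user_id


def intercept(request_path: str, cookies: dict, now: Optional[float] = None) -> dict:
    """Decision made by the Web-SSO interceptor (web proxy or per-server component):
    divert unauthenticated users to the sign-on service, otherwise pass the request
    through with the user identity extracted from the cookie."""
    user = verify_cookie(cookies.get(COOKIE_NAME, ""), now)
    if user is None:
        return {"action": "redirect", "location": f"{SSO_LOGIN_URL}?return={request_path}"}
    return {"action": "pass", "path": request_path, "REMOTE_USER": user}
```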

The term enterprise reduced sign-on is preferred by some authors because they believe single sign-on to be a misnomer: "no one can achieve it without an homogeneous IT infrastructure".

In a homogeneous IT infrastructure, or at least one where a single user authentication scheme exists or the user database is centralized, single sign-on is a visible benefit: every user in that infrastructure has a single set of authentication credentials. For example, if an organization stores its user database in an LDAP directory, all of its information processing systems can use that directory for user authentication and authorization, which in turn means single sign-on has been achieved organization-wide.
