Thursday, November 8, 2007

What is the best single sign-on solution?

Q: What is the best single sign-on solution?
We have a few website products that use different sign-on applications with different requirements (account# versus username).

Single sign-on definitely looks like the way to go. What are some of the solutions we should be looking at? I've seen OpenID, and it looks very promising (http://openid.net/).

Thanks
...............


A: Hi ......,
As you already know, the best single sign-on (SSO) solution is the one that fits best with your existing infrastructure.

There are 2 main SSO approaches: SSO at the back office and SSO managed by the end-user.

So if you are in charge of multiple systems that utilize different authentication systems (user silos) and you want to integrate all sign-on processes for these systems, you need SSO at the back office. Users authenticate to one system and then all systems are synchronized about the credentials…

If you are an end-user and you'd like to use your stored identity with different systems, you are looking at user-centric digital identities. If you are looking at OpenID, I assume that you want a user-centric SSO architecture. You can get more information on cross-domain identity management by searching for “identity federation”. With OpenID, you can look at personal identity providers (IdP) and relevant initiatives such as Liberty Alliance, WS-Federation, IGF, LID, SXIP, Inames, Yadis, Higgins, Bandit, Shibboleth etc... If you need more information on this area please let me know.

But, if you are looking at implementing SSO at your back office for your systems, a good start would be looking at your:
- Existing application types/development environments (web based, Java based, client/server, .NET vs. J2EE, Ajax, LAMP, MS vs. *nix etc.),
- Application architecture (server platform, application servers, XML gateways etc.),
- User repositories (internal proprietary, Active Directory, RADIUS, LDAP, Novell, mainframe etc.),
- Back office integration (SAP, Siebel, Oracle etc.),
- End user type (technical/non-technical, internal/external, public/controlled etc.),
- End user platform (mixed browsers, mobile browsers, PDAs, IE only, VB client, Java client etc.).

I do recommend that you set the scope first before choosing the platform. That way, you will have a better decision tree. Sometimes a structured password synchronization policy delivers partial SSO functionality.

Single sign-on usually integrates with entitlements management and hence with identity management (IdM) systems. I do recommend checking the SSO subsets of existing identity management systems.

You will notice a lot of “product” solutions in the SSO/IdM area. All of them are nice and they serve a specific niche. If you need a larger solution set so that you may extend the SSO functionality in the future, the solution provider name list is narrower (not the price tag). I have worked with CA; the CA family includes all single sign-on solutions integrated with other pieces of identity management. Especially, the Netegrity family's integration with policy-based management is a well established solution. But I see good solutions from all major identity management providers (CA, IBM Tivoli, BMC, Novell, EMC (RSA), Sun, Oracle and Microsoft). You can also check other SSO solution providers if they have not been acquired by one of the big shops named above (Ping Identity, Imprivata, Passlogix, Courion etc.).

Let me know if you have a specific question,
- yinal