With the use of Single Sign-On (SSO) technology, users are able to identify themselves with the authentication server only once to access a variety of applications, including both internal and external systems. Users can enjoy the benefit of choosing one password to access multiple applications, instead of memorising many different passwords. However, compromise of one authentication event could result in the compromise of all resources that the user has access rights to.
Implementing SSO requires the following worth noting security considerations:
As one single authentication controls access to all resources, it is important that the authentication process is secure enough to protect those resources. This protection should satisfy the requirements of the most critical application. The single authentication process should not be weaker than the original authentication method used by the various applications, otherwise, the result is a downgrade in security level.
A second factor of authentication, such as a security token and smart card, can be used to strengthen the authentication process.
Relevant password restrictions, such as the minimum password length, the password complexity, the maximum number of trial attempts and the minimum time for renewal, and so on, should be imposed.
As the authentication server may become an attractive target for attack, it should be well protected so that intruders cannot access authentication information which could then be used for unauthorised access to all the systems.
Auditing and logging functions should be used to facilitate the detection and tracing of suspicious unsuccessful login attempts.
Encryption should be used to protect against authentication credentials transmitted across the network.