A Taxonomy of Single Sign-on Systems

A Taxonomy of Single Sign-On Systems

Andreas Pashalidis and Chris J. Mitchell

Royal Holloway, University of London, Egham, Surrey, TW20 0EX, United Kingdom {A.Pashalidis, C.Mitchell}@rhul.ac.uk http://www.isg.rhul.ac.uk

Abstract. At present, network users have to manage one set of authentication credentials (usually a username/password pair) for every service with which they are registered. Single Sign-On (SSO) has been proposed as a solution to the usability, security and management implications of this situation. Under SSO, users authenticate themselves only once and are logged into the services they subsequently use without further manual interaction. Several architectures for SSO have been developed, each with different properties and underlying infrastructures. This paper presents a taxonomy of these approaches and puts some of the SSO schemes, services and products into that context. This enables decisions about the design and selection of future approaches to SSO to be made within a more structured context; it also reveals some important differences in the security properties that can be provided by various approaches.

1

Introduction

Network users typically maintain a set of authentication credentials (usually a username/password pair) with every Service Provider1 (SP) they are registered with. The number of such SPs with which a typical user routinely interacts has grown beyond the point at which most users can memorize the required credentials. The most common solution is for users to use the same password with every SP with which they register2 — a tradeoff between security and usability in favour of the latter. A potential solution for this security issue is Single Sign-On (SSO), a technique whereby the user authenticates him/herself only once and is automatically logged into SPs as necessary, without necessarily requiring further manual interaction. SSO thereby increases the usability of the network as a whole and at the same time...