Udostępnij za pośrednictwem


SSO Isn't Worth it!?

Hi All

Well it is officially done. I have participated in my first podcast. Check it out here:

https://channel9.msdn.com/Showpost.aspx?postid=193478

I did this podcast just prior to a roundtable session at the Microsoft National Architect Forum in Vail Colorado in April 2006. We discussed the challenges of Identity.

One person had some very interesting feedback during that roundtable while discussion Single Sign On. She noted that why have it, when it is more of a convenience. Efforts should be focused on Identity Management.

In another rag that I read a couple of weeks later, they stated that SSO is a bad term, and should be looked at as reduced sign on. Getting to SSO is a rather unrealistic goal.

All very interesting to me. Could we be in search of the Holy Grail? Is it worth it to focus on SSO?

What do you all think?

Comments

  • Anonymous
    June 22, 2006
    Maybe I am way off base on what Identity Management is, but I think of the ultimate ID management system as one that updates all other systems appropriately when an ID is added/changed/removed/etc..  The net effect is (at least almost) the same as SSO – the same ID/password (or other identification method, such as a smartcard) is used everywhere.   The only real difference might be that the user has to reenter the ID/password, but that could be avoided with some work.  Perhaps we call this Single ID or SID?

    As to “…why have it (SSO), when it is more of a convenience. Efforts should be focused on Identity Management.”?  I guess I agree that SSO maybe the All Too Holy Grail and SID should be the true Holy Grail.

    All that said, Kerberos (and by association AD) does come very close to SSO for the enterprise.  That is, it provides for Single Identification and Multiple Authentication (SIMA?).  As we move forward all systems could authenticate to Kerberos.  Some would require add-ons (like SAP) or perhaps added APIs.  But we would need to abandon the true legacy systems (e.g. certain mainframe applications).

    But none of all that address the real issue – IDs and authentication on the internet.  Efforts like MS Passport work, but are not universal.  The TCPA with TPM and/or Smartcards approaches a solution.  But ultimately I think we will not get there anytime soon.  Why not?  Pure and simple - competition and politics.  Case in point: a company I worked with had an enterprise wide effort to give every employee a Smartcard for login and authentication, but had no plans at all to use the Smartcards to authenticate SAP application access. So how would we get the likes of Microsoft, Google, Yahoo, etc. to agree.

    It is interesting!  It will be even more interesting to see things continue to unfold.  More interesting yet if we participate…
  • Anonymous
    June 22, 2006
    Maybe I am way off base on what Identity Management is, but I think of the ultimate ID management system as one that updates all other systems appropriately when an ID is added/changed/removed/etc..  The net effect is (at least almost) the same as SSO – the same ID/password (or other identification method, such as a smartcard) is used everywhere.   The only real difference might be that the user has to reenter the ID/password, but that could be avoided with some work.  Perhaps we call this Single ID or SID?

    As to “…why have it (SSO), when it is more of a convenience. Efforts should be focused on Identity Management.”?  I guess I agree that SSO maybe the All Too Holy Grail and SID should be the true Holy Grail.

    All that said, Kerberos (and by association AD) does come very close to SSO for the enterprise.  That is, it provides for Single Identification and Multiple Authentication (SIMA?).  As we move forward all systems could authenticate to Kerberos.  Some would require add-ons (like SAP) or perhaps added APIs.  But we would need to abandon the true legacy systems (e.g. certain mainframe applications).

    But none of all that address the real issue – IDs and authentication on the internet.  Efforts like MS Passport work, but are not universal.  The TCPA with TPM and/or Smartcards approaches a solution.  But ultimately I think we will not get there anytime soon.  Why not?  Pure and simple - competition and politics.  Case in point: a company I worked with had an enterprise wide effort to give every employee a Smartcard for login and authentication, but had no plans at all to use the Smartcards to authenticate SAP application access.  

    It is interesting!  It will be even more interesting to see things continue to unfold.  More interesting yet if we participate…