SSO, or single sign-on, as the desired end state of the user experience across a diverse set of applications, brings many advantages. There are multiple methods and architectures for achieving SSO, but one that should interest just about every customer is agentless SSO.
How Does Agentless SSO Work?
SSO is easily achieved in an environment where you are on a domain-joined Windows client and access only Kerberos-based resources that belong to the same Active Directory (AD) forest. However, even domain-joined resources such as SQL Server can act as their own directory silo, requiring an additional login. Inside the firewall there may be hundreds of applications, many requiring their own user account and password.
In the past, administrators and developers compromised security by trying to enable 'SSO' scenarios that let the user reuse the same password across disparate applications through a number of insecure 'workarounds.' To enable a more secure SSO experience inside the firewall, some software vendors required their proprietary software agent to sit on one of the application servers (sometimes a domain controller) and intercept and channel requests to their proprietary server or application to deliver an SSO experience. The advent of internet web-based applications, extranet applications and mobile apps poses a challenge to the proprietary software agent model because those applications exist outside your firewall.
Each of your end-users authenticates to scores of web applications. Administering thousands of end-users and their numerous accounts would be a prohibitive administrative burden. Decentralizing this burden is one of the things that federation services offer.
How Federation Services Decentralize Administrative Burdens
Federation-aware applications use a standards-based approach to enable SSO securely. Federation essentially sets up an authentication handshake between a trusted authority, usually referred to as an Identity Provider (IdP, or sometimes a 'broker'), and a Service Provider (SP). This lets the user leverage a single identity across numerous federation-aware, supported applications (SPs). For the most part, modern federation-aware applications, such as web apps and SaaS apps, require no software agents.
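The handshake described above, reduced to its essentials as an added example (this is illustrative code written for this page, not Optimal IdM's product or any standard's reference implementation): the IdP authenticates the user once and issues a short-lived signed assertion addressed to one SP; the SP trusts the user only after checking the signature, issuer, audience, expiry and replay. Real federation carries these claims in standard formats such as SAML or OpenID Connect with asymmetric signatures; the HMAC-signed JSON token, the issuer/audience URLs and the shared secret here are constructed placeholders chosen to keep the example self-contained.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed identifiers and key for the demo. A production IdP signs with a
# private key and each SP holds only the IdP's public key; a shared HMAC secret
# is used here purely to keep the example dependency-free.
IDP_ID = "https://idp.example.test"
SP_ID = "https://app.example.test"
SHARED_SECRET = b"constructed-demo-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(user: str, audience: str, secret: bytes, now=None, ttl: int = 300) -> str:
    """IdP side: after the user has authenticated once, mint a signed,
    short-lived assertion bound to a single SP (the audience)."""
    now = time.time() if now is None else now
    claims = {
        "iss": IDP_ID,               # who vouches for the user
        "sub": user,                 # the user's single identity
        "aud": audience,             # the one SP allowed to accept this token
        "iat": int(now),
        "exp": int(now) + ttl,       # short lifetime limits replay window
        "jti": secrets.token_hex(8), # unique id so the SP can detect replay
    }
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def sp_validate_assertion(token: str, secret: bytes, expected_issuer: str = IDP_ID,
                          expected_audience: str = SP_ID, now=None, seen_ids=None):
    """SP side: return (True, subject) only when every check passes, otherwise
    (False, reason). The signature is verified before any claim is parsed."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != expected_issuer:
        return False, "unexpected issuer"
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch"   # token minted for a different SP
    if now >= claims.get("exp", 0):
        return False, "expired"
    if seen_ids is not None:
        if claims["jti"] in seen_ids:
            return False, "replayed assertion"
        seen_ids.add(claims["jti"])
    return True, claims["sub"]


if __name__ == "__main__":
    token = idp_issue_assertion("alice", SP_ID, SHARED_SECRET)
    print(sp_validate_assertion(token, SHARED_SECRET))
    print(sp_validate_assertion(token, SHARED_SECRET, expected_audience="https://other.example.test"))
```

The SP never sees the user's password: the only credential it handles is the assertion, and the audience check is what stops an assertion issued for one application from being replayed against another.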
Non-federation-aware 'legacy' apps require some level of 'intervention' to support SSO. Most legacy applications inside your firewall can be made federation-aware and offer SSO convenience to your end-users. There are a couple of ways to enable this scenario; only a few vendors support a clean, non-invasive agentless SSO solution.
Software agents in your network present several challenges. Agent-based solutions bring additional deployment considerations, supportability ramifications for both the application and the vendor of the proprietary agent, versioning issues, the elevated privilege model the agents usually need to run under, the fact that they access highly sensitive information, and the fact that they are closed solutions you cannot see into.
Optimal IdM Offers Solutions To Support Multiple Architectures
Optimal IdM offers a heterogeneous, vendor-agnostic solution that supports multiple architectures, acting as an IdP, an SP or even a reverse proxy. We have enabled thousands of legacy applications to support an SSO model without a single software agent being installed to support them. Done properly, SSO, especially combined with access policies and multifactor authentication (MFA), gives you a highly secure solution with nearly no administrative overhead or burden, together with the most productive end-user experience, which both global enterprises and small businesses can leverage.
Instead of installing a software agent in the provider environment, customers of an agentless single sign-on system rely on already-established communication protocols between the application and the Federation Broker. Therefore there are no software agents to deploy or maintain and no changes to application servers. Now that's a big deal!
Optimal IdM provides agentless solutions that save a tremendous amount of time and ease the workflow of onboarding and supporting SSO for new applications. Contact us today to learn how we can help you.