This topic describes the problems that a single signon solution is designed to alleviate and the benefits that you can attain by using single signon in your enterprise.
In traditional network environments, a user authenticates to a system or application by providing user credentials defined on and by that system or application. Traditionally, both the authentication and authorization mechanisms use the same user registry when a user attempts to access a resource managed by the system or application. In a single signon environment, the authentication and authorization mechanisms do not have to use the same user registry to grant users access to resources managed by the system or application. Single signon environments use network authentication service (Kerberos authentication) as their authentication mechanism. In a single signon environment, therefore, the user registry used for authentication does not have to be the registry that the system or application defines. In a traditional network environment this poses a problem for authorization, because the authorization mechanism expects the authenticated identity to exist in its own registry and otherwise has no basis for deciding what the user may access.
In a single signon network environment, applications use Enterprise Identity Mapping (EIM) to solve this problem. EIM is a mechanism for mapping or associating a person or entity to the appropriate user identities in various registries throughout the enterprise. Application developers for i5/OS™ use EIM to build applications that use one user registry for authentication and another for authorization--without requiring the user to provide another set of credentials. The benefits of a single signon environment are numerous, and not just for users. Administrators and application developers can also benefit from the single signon solution.
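The following is an added illustration, not code from this topic or the i5/OS EIM API: a toy model of the mapping step, in which a Kerberos principal from the authentication registry is mapped through an EIM identifier to the user identity in the registry a system authorizes against. The registry names, identifiers, user names and resources are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryUser:
    """A user identity as defined in one specific user registry."""
    registry: str   # registry definition name (a Kerberos realm or a system name)
    user: str       # user identity within that registry


class EimDomain:
    """Toy EIM domain: identifiers with source and target associations.
    A source association says "this registry user authenticates as identifier X";
    a target association says "identifier X is this user in that registry".
    Lookups go source -> identifier -> target."""

    def __init__(self):
        self._source = {}   # RegistryUser -> EIM identifier
        self._target = {}   # (EIM identifier, registry) -> user

    def add_source(self, identifier, ru):
        self._source[ru] = identifier

    def add_target(self, identifier, ru):
        self._target[(identifier, ru.registry)] = ru.user

    def get_target_from_source(self, src, target_registry):
        """Map an authenticated identity to the matching user in target_registry,
        or None when no association chain exists."""
        identifier = self._source.get(src)
        if identifier is None:
            return None
        return self._target.get((identifier, target_registry))


def authorize(domain, principal, realm, system, acl, resource):
    """Authorization after Kerberos authentication has already succeeded.
    principal/realm come from the ticket; system is the registry the application
    authorizes against; acl maps that system's users to permitted resources.
    Returns (allowed, local_user)."""
    local_user = domain.get_target_from_source(RegistryUser(realm, principal), system)
    if local_user is None:      # authenticated, but unknown to this system: deny
        return False, None
    return resource in acl.get(local_user, set()), local_user


# Constructed sample domain: one person, one Kerberos identity, two system profiles.
DOMAIN = EimDomain()
DOMAIN.add_source("John Day", RegistryUser("EXAMPLE.COM", "jday"))   # Kerberos principal
DOMAIN.add_target("John Day", RegistryUser("SYSTEMA", "JOHND"))      # profile on system A
DOMAIN.add_target("John Day", RegistryUser("SYSTEMB", "JDAY"))       # profile on system B
ACL_SYSTEMA = {"JOHND": {"payroll"}}
ACL_SYSTEMB = {"JDAY": set()}
```

The same authenticated principal resolves to a different local user on each system, and a principal with no association is refused even though its Kerberos authentication succeeded.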
The single signon solution reduces the number of sign-ons that a user must perform to access multiple applications and servers. With single signon, authentication occurs only once when users sign into the network. Using EIM reduces the need for users to keep track of and manage multiple user names and passwords to access other systems in the network. Once a user is authenticated to the network, the user can access services and applications across the enterprise without the need for multiple passwords to these different systems.
For an administrator, single signon simplifies overall security management of an enterprise. Without single signon, users may cache passwords to different systems, which can compromise the security of the entire network. Administrators spend their time and money on solutions to diminish these security risks. Single signon reduces the administrative overhead in managing authentication while helping to keep the entire network secure. Additionally, single signon reduces the administrative costs of resetting forgotten passwords. Administrators can set up a single signon environment in which a single Windows® signon (Windows 2000 and later releases) allows access to the entire network, thus minimizing authentication and identification management.
For developers of applications that must run in heterogeneous networks, the challenge is to create multi-tiered applications where each tier is likely to be a different type of platform. By exploiting EIM, application developers are free to write applications that use the most appropriate existing user registry for authentication while using a different user registry for authorization. Not having to implement application-specific user registries, associated security semantics, and application-level security significantly lowers the cost of implementing multi-tiered, cross-platform applications.