November 16, 2010

The Case for Single Sign-On

If you asked system administrators what their favorite part of the job was, very few would put user administration in their top 10. But in many organizations, it's something that occupies a lot of time on the part of the IT department. If this is taking up an inordinate amount of time, the organization should consider single sign-on (SSO) to reduce the complexity and hassles of user management.

Too Many Stickies?

Take a walk around your organization after business hours and look at the monitors, keyboards, and around the cubes. If you see sticky notes on users' desks with usernames and passwords, you know you have a problem.

It might not be as blatant as all that (one hopes that the employees are a bit more surreptitious than that, but if you expect users to know different usernames and passwords for two, three, four, or more systems then you should expect they're going to have trouble memorizing their passwords.

And it's a big hassle for IT as well when accounts need to be created on separate systems. It's frustrating for users and frustrating for IT. Who hasn't been stymied by lack of access when trying to work on a project because a company has a fragmented set of user management systems? If you're an admin and have worked with a company that has a similar set-up, surely you remember the frustration users face and pass on to the IT staff.

Consider a business that requires sign-in to the workstation, email, Intranet, and a handful of other systems. If users aren't centrally managed, this means users have to juggle a bunch of different usernames and passwords, or they use the same password and username across the systems at their own choosing — but IT still has to handle account management in five, six, or more places. And what happens when those users leave the company?

The Ghosts of Users Past

Here's the biggest hassle, when users leave the company it's up to IT to shut down all their accounts. How do you know which systems the user has access to? Like the roach motels ("roaches check in, they don't check out,") users may check in to systems and not check out. Usually that's not a problem. But it can be a big deal if the wrong user has the access to the wrong (or, depending on your view, right) system.

Most users won't commandeer your network, but why take the risk? And why spend 20 minutes or more going through a list of systems to shut down access when you can simply turn an account off in one place, and be done with it?

And it can take days or weeks before IT gets around to clearing out accounts. Emergencies happen, and taking a user's permissions away doesn't seem like an urgent matter in most cases.

Up-front, it will require more work to set up SSO, but in the long run, it's well worth it.


What now? Well, it depends on the size of your network, what you have in place, and the solutions you need to support. Small shops and businesses with a fairly homogeneous network can choose solutions like OpenLDAP or Fedora's 389 Directory Server, which we've covered before on You could even use OpenLDAP or other solutions to support heterogeneous networks by using Kerberos and extend authentication to Windows, Mac OS X, and more. In short, organizations that are smaller and/or not a lot of money to spend can invest time in setting up open source solutions that will integrate fairly well.

Smaller organizations that are just starting to integrate Linux into a Windows environment may want to go the other way, and configure their Linux systems to authenticate against Active Directory.

Enterprises and larger organizations will probably turn to commercial solutions that not only offer authentication and identity management, but also offer reporting, auditing, and compliance features. In that case, you'll want to turn to companies like Centrify, Novell, Likewise, or other companies that offer single sign-on solutions that fit your business.

No matter what you choose, it's time to introduce single sign-on and reduce risk, and user and IT frustration.

Click Here!