I saw this query on one of user groups
We are looking to move to a SSO solution, but were wondering what everyone else is doing? we have 5K + employees that all need access to various platforms (Sun Solaris, VMS, AIX, SCO, HP-UX, Windows, Citrix, AD, Web, etc).
Is there some sort of app or some such thing that will do a cross-reference of userid's? Or do we even need to worry about that (the 8-character limitation on the Unix boxes)if we implement LDAP or AD?
and I thought that this reply should give a starting point to the complete domain of Identity Management for solving the issue.
Well my suggestion would be that you should consider the various approaches available to you and probably should implement something that suits your requirements. The various approaches available to you are
- Consolidation of Authentication repositories well this refers to the basic idea of setting up an enterprise directory which all the products can tie into for authentication purpose and to some extend authorization too. This would essentially mean that there is one id and password that has to be typed by people to login to all the integrated applications (which has its own pros and cons in terms of ease of usage vs security of systems)
- Consolidation of Authentication entry-point - Most of the web applications can be consolidated to use web single sign-on system which can be tied to directory server if needed. This would allow the applications that do not provide interface to integrate with LDAP for authentication to be tied together by off-loading the authentication and authorization to a single entry point (the SSO solution). This would also help build the starting point for federated sign-on infrastructure.
- Consolidation of Administration This is where the Identity Management solutions like SIM (look below for other possible products) can be set up to integrate with rest of the infrastructural components that can not be consolidated (for what ever reasons) to be provisioned through a single provisioning and administration system. Please note that implementation of Identity Management solution is a very complex undertaking and is very expensive in terms of licensing and in-house training and is not for faint hearted. In addition to that it comes with a lot of features (that may not even work properly or suit your needs) like approval workflow (to approve creation of new accounts), provisioning workflow, rules, password and account data synchronization and compliance management.
- Consolidation of Synchronization A lighter version of the Identity management product is the Meta-directory and Password synchronization products which can be used to synchronize the account (and password) information across multiple environments without the overhead of workflows, etc.
- Reduced Sign-On A set of products that run on client desktop and track the system that client is trying to access and automatically supply the password.