Articles/SSO vs SSI

From Authentication Tools for Joomla! (JAuthTools)


A while back I blogged on the new GMail authentication plugin. Recently I have had a few questions about my work with LDAP integration (and I've also done work with Kerberos, but that's not for the faint-hearted admin). So I've decided to write this clarifying post on SSO (Single Sign On) versus SSI (Single Sign In).

Note: This is my take on what the two items mean and how I apply my definition, other people might work things a different way.

To me there are three ways of authenticating users in a system: a standalone login framework (such as what Joomla! uses by default), a Single Sign In interface (examples being LDAP and now GMail), and Single Sign On (examples being LDAP and Kerberos). For a large number of sites the built-in Joomla! authentication system is great, as it lets them manage their users independently of any other system. Sites with a large community user base may instead want to let members validate their login (and email address) with their GMail credentials, or against an existing LDAP directory that is already in use as an address book. The final case is a medium to large corporate environment running perhaps Microsoft Active Directory (Kerberos SSO) or Novell Netware/eDirectory (LDAP SSO). In both cases (SSO and SSI) I have used LDAP as an example, so what's the difference?

When a user sits down at their computer and logs in in the morning, and those credentials are then used to validate them for that ENTIRE session, this is called single sign on. With one sign on they have validated themselves. Systems that support this are Kerberos (namely a Windows environment) and LDAP (using IP address validation, i.e. the directory records which network address a user logged in from and the web site looks the connecting address up; note that an address is a much weaker identifier than a Kerberos ticket, since several people can share one address behind a NAT or proxy and addresses are reassigned). The side effect for users is a perceived inability to 'sign out' of a managed site: the credential they supplied at their desk (the ticket, or the address they are connecting from) is still there on the next request, so the site signs them straight back in. For my own reasons I have this disabled for administrator and only enabled on the front end. This is a single sign on event: the user enters their username and password once.

Single Sign In means the same credentials are used with many systems, but each system will typically require the user to re-enter them. GMail is my best example of this now in Joomla! when the appropriate plugin is enabled. While your username and password remain the same for logging into your GMail/GTalk/GServiceNameHere, you still have to re-enter them into each Joomla! site. You aren't automagically assigned privileges like in SSO, but your details are the same for each distinct system, and each system checks them against the same backend rather than keeping its own copy of the password.

Within Joomla! 1.5 at the moment there is GMail and LDAP support in addition to the default Joomla! user table authentication (keep in mind that in 1.5 the user has to exist in this table for any other form of authentication to work: an external plugin can confirm the password, but the login is still refused if there is no matching local account. That will be fixed in later releases to make this more flexible). These plugins provide a Single Sign In interface to Joomla!, allowing for example a community site to use a very common and popular system (GMail) to handle authentication, or larger, more structured organizations to use their LDAP data (which can easily be synchronized with Active Directory, Netware and who knows what else).
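To make the difference concrete, here is a small Python model of the two flows together with the Joomla! 1.5 rule that the account must already exist locally. It is an added illustration written for this page, not code from JAuthTools or Joomla!: the Directory, TicketAuthority and Site classes and the ticket format are my own simplifications (an HMAC-signed ticket stands in for a Kerberos service ticket, the sites share the authority's key, and the usernames and passwords are constructed sample data).

```python
"""Toy model of Single Sign In (SSI) versus Single Sign On (SSO).

Constructed illustration; not JAuthTools or Joomla! code. One shared
directory (stand-in for LDAP / Active Directory) stores each password as
a salted hash. SSI: every site receives the password and checks it against
the directory itself. SSO: the password is checked once by a ticket
authority, and sites then accept a signed, time-limited ticket.
"""
import hashlib, hmac, os, secrets, time


class Directory:
    """Shared credential store; the only place passwords are ever checked."""

    def __init__(self):
        self._users = {}

    def set_password(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(salt, password))

    def bind(self, username, password):
        """True if the password is correct (the equivalent of an LDAP bind)."""
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(salt, password))

    @staticmethod
    def _hash(salt, password):
        # Iteration count kept low so the example runs quickly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class TicketAuthority:
    """Checks the password once (the 'sign on') and issues tickets."""

    def __init__(self, directory, key, lifetime=8 * 3600):
        self.directory, self.key, self.lifetime = directory, key, lifetime

    def _tag(self, payload):
        return hmac.new(self.key, payload.encode(), "sha256").hexdigest()

    def sign_on(self, username, password, now=None):
        if not self.directory.bind(username, password):
            return None
        expires = int(time.time() if now is None else now) + self.lifetime
        payload = f"{username}|{expires}"
        return payload + "|" + self._tag(payload)

    def verify(self, ticket, now=None):
        """Return the username for a valid, unexpired ticket, else None."""
        parts = ticket.split("|")
        if len(parts) != 3:
            return None
        username, expires, tag = parts
        if not hmac.compare_digest(self._tag(f"{username}|{expires}"), tag):
            return None
        if int(time.time() if now is None else now) >= int(expires):
            return None
        return username


class Site:
    """A Joomla!-like site with its own local user table. As in Joomla! 1.5,
    an account must already exist locally before an external login counts."""

    def __init__(self, directory, authority):
        self.directory, self.authority = directory, authority
        self.local_users = set()

    def login_ssi(self, username, password):
        """SSI: the user types the password here and this site checks it."""
        if not self.directory.bind(username, password):
            return "bad credentials"
        return "ok" if username in self.local_users else "authenticated but no local account"

    def login_sso(self, ticket, now=None):
        """SSO: no password here; the site trusts the authority's ticket."""
        username = self.authority.verify(ticket, now)
        if username is None:
            return "bad or expired ticket"
        return "ok" if username in self.local_users else "authenticated but no local account"


def demo():
    """Walk both flows for one constructed user; returns each step's outcome."""
    directory = Directory()
    directory.set_password("alice", "correct horse")
    authority = TicketAuthority(directory, key=secrets.token_bytes(32))
    portal = Site(directory, authority)
    portal.local_users.add("alice")
    wiki = Site(directory, authority)  # alice not provisioned on this site
    r = {}
    r["ssi_portal"] = portal.login_ssi("alice", "correct horse")
    r["ssi_wiki"] = wiki.login_ssi("alice", "correct horse")
    ticket = authority.sign_on("alice", "correct horse", now=1000)
    r["sso_portal"] = portal.login_sso(ticket, now=2000)
    r["sso_wiki"] = wiki.login_sso(ticket, now=2000)
    r["sso_tampered"] = portal.login_sso(ticket.replace("alice", "bob"), now=2000)
    # A password change in the directory is seen by every SSI login at once...
    directory.set_password("alice", "new password")
    r["ssi_after_change"] = portal.login_ssi("alice", "correct horse")
    # ...but an SSO ticket already issued stays good until it expires.
    r["sso_after_change"] = portal.login_sso(ticket, now=2000)
    r["sso_expired"] = portal.login_sso(ticket, now=1000 + 8 * 3600)
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:18} {outcome}")
```

Two things the model shows that the prose only states: the "no local account" refusal happens after the external check has already succeeded, which is exactly the gap a synchronization manager has to close, and a password change is felt immediately by SSI logins but not by a ticket that was issued before the change, which is one reason SSO sessions feel like they cannot be signed out of.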

So that is the difference between SSO (Single Sign On) and SSI (Single Sign In), but which one is for you? For most people, I would say that SSI is all they will need. It's an inconvenience, but at least it's synchronized to a point: Joomla! never stores the directory password, it checks the directory on every login, so change your password in AD, etc. and it changes magically for Joomla! SSO is useful for those companies that have a lot of employees accessing a corporate intranet portal, as it absolves the users of having to sign in. These places are perhaps more likely to have the extra infrastructure required to fully leverage that platform, as well as the technical skills to implement it (LDAP SSO is by far the easiest for those using Netware/eDirectory; Kerberos SSO requires a lot of configuration on Linux servers).

I hope that this has been informative and gives you a clue as to some of the things I work on behind the scenes. I hope to release the instructions required to set up and configure Kerberos SSO, and at present a Joomla! 1.5 version of the LDAP SSO bot for Novell eDirectory is available under the LDAP tools project. In addition I am presently working on a synchronization manager to work around Joomla!'s requirement that users exist within the system before they can log in.

Best of luck, Sam :)

P.S. My logic behind placing the GMail plugin in the core is that it provides not only an example of how to develop this technology but also gives community sites a very useful tool that they can enable. Since the process proves that the email address is valid and the person has access to it, automatic user creation can be done seamlessly.

Update: There is now a JAuthTools wiki with information about how to configure various LDAP implementations with Joomla!
