A very common scenario nowadays is having a lot of passwords to access banks, social networks, online stores, Netflix, and thousands of other services. The same applies in the business context: in our companies we also have to control access credentials for various systems such as email, ERP systems, ECM, Human Resources, etc. This is a problem both for users and for the IT administrators who have to manage all these password repositories.
Currently, for the personal context we have several alternatives for password control, such as the Google Chrome password manager, which, when synchronized with our Google user, allows us to store several passwords. In companies, the dream of users and system administrators is to have a single password authenticated in one place (the so-called Single Sign-on) that allows instant access to all the systems in the organization.
To assist in this process there are several integrated authentication mechanisms which, as the name implies, integrate with the company's various systems and guarantee the user's identity without the user having to enter it several times.
How do integrated authentication mechanisms work?
Basically these systems work as follows:
- The integrated authentication system is configured against a repository of users and passwords, which can be, for example, a password repository of your own or integrated with an Active Directory (repository of users and computers of a Windows domain).
- When a user accesses an application (in our example, the company ERP), the application checks whether the user is already logged in. If not, it asks the integrated authentication system “Which user is logged in?”
- The integrated authentication system checks whether there is an authenticated user. If not, it requests the user’s credentials (user and password).
- Once the user is logged into the integrated authentication system, it tells the application which user is logged in.
- The ERP application in our example receives the user and proceeds to give access to the tool.
- In case the user accesses another company application, such as the HR system, this new application repeats step 2. However, since the user is already logged into the system, it goes straight to step 4.
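The five steps above, simulated end to end in Python as an added example (this is illustration code written for this walkthrough, not code from CAS, ADFS or any product named on the page; the user store, application names and ticket formats are constructed). It follows the CAS style: the authentication server keeps the single sign-on session, hands each application a short-lived ticket bound to that application, and the application validates the ticket before granting access. The second application never prompts for credentials, which is step 4 of the flow.

```python
import secrets
import time

# Constructed in-memory user repository, standing in for Active Directory/LDAP.
USERS = {"alice": "correct horse battery staple"}


class AuthServer:
    """Simplified CAS-style single sign-on server (illustration, not CAS's own code)."""

    def __init__(self, ticket_ttl=10.0):
        self.sessions = {}          # TGT -> username: the SSO session
        self.service_tickets = {}   # ST -> (username, service, expiry)
        self.ticket_ttl = ticket_ttl

    def login(self, username, password):
        # Step 3: no SSO session yet, so credentials are checked against the repository.
        if USERS.get(username) != password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.sessions[tgt] = username
        return tgt

    def issue_service_ticket(self, tgt, service):
        # Step 4: user already logged in; mint a short-lived ticket bound to ONE service.
        username = self.sessions.get(tgt)
        if username is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.service_tickets[st] = (username, service, time.monotonic() + self.ticket_ttl)
        return st

    def validate(self, st, service):
        # The application presents the ticket back. pop() makes it single-use, and the
        # service check stops a ticket issued for the ERP from being redeemed by HR.
        record = self.service_tickets.pop(st, None)
        if record is None:
            return None
        username, bound_service, expiry = record
        if bound_service != service or time.monotonic() > expiry:
            return None
        return username


class Browser:
    """Holds the SSO session identifier the way a browser holds the SSO cookie."""

    def __init__(self):
        self.tgt = None


class Application:
    """An application (ERP, HR) that delegates authentication to AuthServer."""

    def __init__(self, name, auth):
        self.name = name
        self.auth = auth
        self.sessions = {}  # per-application session: browser id -> username

    def access(self, browser, credentials=None):
        # Step 2: is this browser already logged in to this application?
        if id(browser) in self.sessions:
            return self.sessions[id(browser)]
        # Otherwise hand off to SSO. Step 3: credentials are requested only when
        # the browser carries no valid SSO session.
        if browser.tgt is None or browser.tgt not in self.auth.sessions:
            if credentials is None:
                return None  # the SSO login screen would be shown here
            browser.tgt = self.auth.login(*credentials)
            if browser.tgt is None:
                return None  # bad password
        # Steps 4 and 5: ticket issued for this application, then validated by it.
        st = self.auth.issue_service_ticket(browser.tgt, self.name)
        user = self.auth.validate(st, self.name)
        if user is not None:
            self.sessions[id(browser)] = user
        return user


def demo():
    """Run the walkthrough and return the observations for inspection."""
    auth = AuthServer()
    erp = Application("erp", auth)
    hr = Application("hr", auth)
    browser = Browser()
    results = {}
    results["erp_without_creds"] = erp.access(browser)  # None: login screen shown
    results["erp_with_creds"] = erp.access(browser, ("alice", "correct horse battery staple"))
    results["hr_no_prompt"] = hr.access(browser)         # SSO: no second prompt
    # A service ticket cannot be replayed, nor redeemed by a different service.
    st = auth.issue_service_ticket(browser.tgt, "erp")
    results["replay"] = (auth.validate(st, "erp"), auth.validate(st, "erp"))
    st2 = auth.issue_service_ticket(browser.tgt, "erp")
    results["wrong_service"] = auth.validate(st2, "hr")
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties worth noticing are that the application never sees the password (only the authentication server does) and that the ticket the application receives is single-use, short-lived and tied to that application, so a ticket captured from the ERP exchange is worthless to the HR system.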
We can see that the operation is relatively simple: the user accesses the system, the system accesses the integrated authentication, and the integrated authentication passes the logged-on user to the system (and if necessary, collects the user’s credentials).
Advantages of integrated authentication
Integrated authentication mechanisms also allow for a number of advantages, such as:
- User-friendly login interface, because the “login screen” will always be the same;
- Centralized password repository;
- Possibility to implement token authentication, multi-factor authentication (with SMS messaging for example) for all applications; and
- Implementation of policies (schedules, allowed stations, among others) that affect the routine access to the systems.
Integrated authentication systems and protocols
Here we will mention three:
CAS – Central Authentication Service
This is a single sign-on authentication protocol for the web, allowing users to access multiple applications by entering their credentials only once. It basically follows the flow described above: when the client accesses a system that requires authentication, it redirects to the CAS, which authenticates the user and returns the user to the application.
CAS was conceived and developed at Yale University and later became a project of JASIG (Java in Administration Special Interest Group). Currently it is maintained by the Apereo Foundation. Among its main features we can mention:
- Support for various authentication protocols (LDAP, SAML, and others);
- Multi-factor authentication (password and SMS for example);
- Password management and authentication policies.
SAML – Security Assertion Markup Language
Unlike CAS, SAML is an XML language for exchanging security information. It is mentioned here because it is used by many integrated authentication mechanisms (including CAS) to exchange information.
Basically it defines a standard XML message for the “conversations” between the application and the authentication service. For example, it defines what information the IdP (Identity Provider) should return to the application according to what the application requests.
This language is widespread and can work with many integrated, single sign-on authentication systems such as CAS and Microsoft’s ADFS.
ADFS – Active Directory Federation Services
ADFS is an integrated authentication system that runs on Windows servers and provides single sign-on for applications located in the organization. ADFS uses the Windows Active Directory as the identity provider and password repository and integrates with systems via various protocols such as LDAP, SAML and others.
In this article we have only mentioned a few protocols and systems that allow you to implement integrated, single sign-on authentication within organizations, but there are many other systems and protocols in the market.
It is important to reinforce that while these tools increase security – because we have a centralized repository and a specialized system for the purpose of authentication control – good management is required to avoid points of vulnerability. Restricted policies, password expiration, and multi-factor authentication are important items to increase security.
Implementing authentication systems has its complexities in the choice of tools and supported protocols, but their adoption solves a number of authentication-related problems while increasing security and making life easier for users.
For our customers, it is worth reinforcing that Fusion Platform supports all the mechanisms mentioned in this article, adhering to the policies of companies that adopt or wish to adopt them.
Try it for 15 days free right now! Or, if you prefer, request a demonstration from our consultants. Count on us to answer all your doubts and help your company!