Martin Hatch published a tweet this morning which caught me in a philosophical mood. Very simply it was:
“fed up of people referring to “automatic logon with current user name and password” options in IE as being “Single Sign On” !”
This feature of IE is documented here.
This got me wondering why this is the case, i.e. why isn’t “automatic logon with current user name and password” a type of single sign-on? Martin’s justification was that the browser is signing in more than once, so the “single” part of SSO is violated, i.e. it’s not SSO. All perfectly logical.
However, even though that’s what is happening in the background, from the user’s perspective they have signed on exactly once (when they logged in to the machine). The user didn’t have to sign on to the remote service. They performed a single sign-on, so to them it is SSO.
Unfortunately, like many words in technology, there’s a lot of mud in the water because no-one owns the definition of “Single sign-on”. So, as a quick exercise in curiosity, I decided to look up definitions of SSO on Google and see what the most highly-ranked pages said:
| Source | Definition |
|---|---|
| Open Group | Single sign-on (SSO) is a mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where he has access permission, without the need to enter multiple passwords. |
| Wikipedia | Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. |
| SearchSecurity | Single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications. |
| OCLC Developer Network | Too long to repeat here, but a great read! |
| IST Knowledge Base | Single Sign On (SSO) is a session/user authentication process that allows a user to provide his or her credentials once in order to access multiple applications. |
| Authentication World | Single Sign On (SSO) (also known as Enterprise Single Sign On or “ESSO”) is the ability for a user to enter the same id and password to logon to multiple applications within an enterprise. |
I was really surprised by the variation in these definitions: some define it in terms of what actually happens (i.e. it isn’t SSO) and some in terms of the user experience (i.e. it is SSO).
I think that from these results it is to be expected that people are confused by SSO. Like countless terms and phrases before it that get fed through the marketing-speak mangle, SSO will end up meaning different things to different people. But if I had to justify why I thought that passing user credentials to a third party service wasn’t SSO, I’d say this:
“SSO happens when a user is authenticated once to access several services; as opposed to a user being automatically re-authenticated when connecting to other systems.”
Both look the same from the user’s perspective, but something very different is happening behind the scenes.
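To make that behind-the-scenes difference concrete, here is an added example (not code from the original post) that models both flows in Python. In the SSO model an identity provider checks the password once and issues a signed assertion that each service verifies without ever handling the password; in the auto-logon model the client re-sends the user name and password to every service, and every service re-checks them against the directory. The directory, the user, the service names and the HMAC signing key are all constructed for the example, and the shared-key signature is a stand-in for the public-key signatures a real SAML or OpenID Connect deployment would use.

```python
import base64
import hashlib
import hmac
import json

# Constructed directory of users and passwords, standing in for a domain
# controller or other credential store (example data, not from the post).
DIRECTORY = {"alice": "correct horse battery staple"}


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, used for the assertion payload."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _check_password(user: str, password: str) -> bool:
    """Constant-time comparison against the constructed directory."""
    expected = DIRECTORY.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


class IdentityProvider:
    """SSO model: checks the password once and issues a signed assertion."""

    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key
        self.password_checks = 0

    def authenticate(self, user: str, password: str):
        self.password_checks += 1
        if not _check_password(user, password):
            return None
        payload = _b64(json.dumps({"sub": user}).encode())
        sig = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}"


class TokenService:
    """SSO model: a relying service that trusts the IdP's signature and never sees a password."""

    def __init__(self, name: str, signing_key: bytes):
        self.name = name
        self.signing_key = signing_key
        self.passwords_seen = 0  # stays 0: only assertions arrive here

    def access(self, token: str) -> bool:
        payload, _, sig = token.partition(".")
        expected = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sig)


class CredentialService:
    """Auto-logon model: the client re-sends credentials and the service re-checks them."""

    def __init__(self, name: str):
        self.name = name
        self.passwords_seen = 0

    def access(self, user: str, password: str) -> bool:
        self.passwords_seen += 1  # every service handles the raw password
        return _check_password(user, password)


def run_sso(user: str, password: str, service_names):
    """One authentication at the IdP, then the same assertion presented to each service."""
    key = b"constructed-shared-signing-key"
    idp = IdentityProvider(key)
    services = [TokenService(n, key) for n in service_names]
    token = idp.authenticate(user, password)
    granted = 0 if token is None else sum(s.access(token) for s in services)
    return {
        "granted": granted,
        "password_checks": idp.password_checks,
        "services_seeing_password": sum(s.passwords_seen for s in services),
    }


def run_auto_logon(user: str, password: str, service_names):
    """The 'automatic logon' flow: credentials replayed and re-verified at every service."""
    services = [CredentialService(n) for n in service_names]
    granted = sum(s.access(user, password) for s in services)
    return {
        "granted": granted,
        "password_checks": len(services),  # one verification per service
        "services_seeing_password": sum(s.passwords_seen for s in services),
    }


if __name__ == "__main__":
    apps = ["mail", "wiki", "hr"]
    print("SSO:       ", run_sso("alice", "correct horse battery staple", apps))
    print("auto-logon:", run_auto_logon("alice", "correct horse battery staple", apps))
```

Both runs grant access to all three services, which is exactly why they look identical to the user. The counters show the difference that matters to a defender: in the SSO run the password is verified once and no service ever receives it, while in the auto-logon run it is verified three times and every service handles it, so each of those services becomes a place where the credential can be logged, relayed or mishandled.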