Jump to content Japan - English

Software(Japanese)  >  Security(Japanese)

IceWall SSO

What is IceWall SSO? > What is Single Sign-On?
»

IceWall SSO

What Is IceWall SSO?
» What is Single Sign-On?
» What is IceWall SSO?
» Benefits
» Basic Features
Product Specifics
» Basic Architecture Diagram
» Operating Environment
» Reference Price
» Options
» FAQ
» Case Studies
» White papers
» Online Demo
» Support
» Implementation Services
» Contact Us
Related Products
» IceWall Federation
» IceWall Remote Configuration Manager

IceWall’s Office 365cloud Federation
(Last Update : 2012.4.26)

What is Single Sign-On?

»What is IceWall SSO?

»Benefits

»Basic Features

Before exploring the specifics of IceWall SSO, this section provides an opportunity to take a look at what single sign-on is. If you are wondering how single sign-on works, this section is a good place to start.

» What is Single Sign-On?
» Two common methods of Web Single Sign-On
» Comparison of Reverse Proxy based and Agent based solutions

What is Single Sign-On?

"Single Sign-On (SSO)" provides the users with the ability to go through authentication process only once and then access separate systems and applications without need to login into each application.

What is Single Sign-On?
What is Single Sign-On?

Without single sign-on, the users will have to log in (authenticate) to an application or operating system before they can use it.

Such kind of authentication procedure often requires the users to type in a combination of a user ID and password which must be validated by the system before they can get "authenticated."

Unfortunately, these authentication and login processes often place a burden on the users.
Particularly in enterprises that are running a wide variation of applications on heterogeneous platforms, the users are very likely to be overburduned by the necessity to complete a login process for each system or application and manage multiple ID and password combinations.

Also, when faced with the complexity of managing multiple IDs and passwords, the users are more prone to write them down on their notebooks or piece of papers. This poses as a risky behavior which may compromise information security.

For the sake of strengthening security by stringently managing IDs and passwords, it results in adverse effects as it is too heavy burden on the users.

These situations are exactly where you can benefit from single sign-on.
Single sign-on relieves the users of the burden of memorizing multiple IDs and passwords. The users only have to remember a single password while stringent password management becomes a reality and a higher level of security can be achieved.

Today, single sign-on is a must-have for many enterprises.

No wonder it is a function that plays an essential role in protecting today's businesses from personal information leaks and security threats.

Two common methods of Web Single Sign-On

  Web single sign-on provides single sign-on across multiple Web servers that require authentication.
Web single sign-on can be functionally classified into two types: "Reverse Proxy based" and "Agent based."
Reverse Proxy Based
Reverse Proxy Based
Agent Based
Agent Based

Reverse Proxy based

Reverse Proxy single sign-on, which is implemented on the front end of Web servers, uses a reverse proxy server that accepts access requests from a Web browser (client) and then relays the requests to the Web server on the back end.

Structure of Reverse Proxy Single Sign-On
Structure of Reverse Proxy Single Sign-On

A reverse proxy server works in a reverse way, but shares the same structure as a forward proxy server.
In other words, you can think of reverse proxy single sign-on as an application protocol level gateway which can also be classified as a firewall.
Only the reverse proxy server is visible to the client while all Web servers that store contents are invisible to the client.

Every time the reverse proxy server receives a client request, it queries the authentication server to verify that the user who is currently logged in is allowed access to the requested Web server before relaying the request to the Web server.


Agent based

Agent based single sign-on relies on dedicated modules that are installed on Web servers.

Structure of Agent based Single Sign-On
Structure of Agent based Single Sign-On

A client request goes directly to the requested Web server, which in turn queries the authentication server for the user's login status and access permissions via the agent module installed on it.
Based on the information returned from the authentication server, the Web server either returns the requested content or returns an error (using an error page).

Since Web servers are visible to clients, the agent based method has no firewall functionality.
Also, the agent based method is significantly different from the reverse proxy based method in that Web servers storing content are responsible for access control.


Comparison between Reverse Proxy based and Agent based solutions

Characteristics of Reverse Proxy based and Agent based solutions

These two types each have their own drawbacks and advantages. You should carefully consider the suitability to your needs when choosing between them.
Each type is characterized as follows:

  Reverse Proxy Based Agent Based
Web application connectivity Configurable on the reverse proxy server. A simple reverse proxy (using agents and mod_proxy), however requires you to customize the applications in a similar manner as agent based method. You have to modify the applications by removing their own authentication functionality and reprogramming them to obtain authentication.
Web applications that can be supported Virtually any Web applications can be supported. OS / Web products supported by the agent modules.
Applications of which the authentication functionality can be removed or disabled.
Important considerations for deployment Changes to network settings Concentration of network load Resources on the servers where to install the agent modules
Performance Depends on each product’s specifications (Reverse Proxy based is not always low performance).
Security Secure because the clients cannot directly access the applications (except for applications whose information is cached on the reverse proxy). Same level of security as the applications (but may be less secure with applications that caches user information in an area accessible to the agents).
Suitable purposes Versatile Intranets (typically small scale systems)

Web application connectivity

Web application connectivity is one of the key considerations when you choose between Reverse Proxy based and Agent based solutions.

Some reverse proxy solutions provide functionality to emulate browser login credentials*1. This functionality allows connectivity without requiring customization on the Web application side.

*1. IceWall SSO provides support for 48 different login methods.

Reverse Proxy based solutions can connect to Web applications without customizing them
Reverse Proxy based solutions
can connect to Web applications without customizing them

On the other hand, agent based solutions require you to customize Web applications.
The following questions are useful when considering the adoption of an agent based solution. If all the answers are "Yes," then you can adopt an agent based solution:

  1. Does the solution provide agent modules that support the operating systems and Web severs used to run the applications?
  2. Can the applications' authentication mechanisms be removed or disabled?
  3. Are the agent modules quicker to respond than the applications?
  4. Can the applications be customized to obtain authentication information from HTTP headers?
Agent based solutions require you to customize Web applications.
Agent based solutions require you to customize Web applications.

Mixed use of Reverse Proxy based and Agent based solutions

You can mix reverse proxy based and agent based solutions as appropriate according to your needs.
The following diagram shows an example of a typical architecture. You can deploy single sign-on across a complex network by using either or both of the two types based on the system needs.

An example of mixed use of the two types of Single Sign-On solutions.
An example of mixed use of the two types of Single Sign-On solutions.
» Back to the top of this page
Printable version
Privacy statement Using this site means you accept its terms  
Please note: all of the links on this page navigate you to pages in Japanese.