A Taxonomy of Single Sign-On Systems

At present, network users must manage a separate set of authentication credentials (usually a username/password pair) for every service with which they are registered. Single Sign-On (SSO) has been proposed as a solution to the usability, security and management problems this creates. Under SSO, users authenticate themselves only once and are thereafter logged into the services they use without further manual interaction. Several architectures for SSO have been developed, each with different properties and underlying infrastructures. This paper presents a taxonomy of these approaches and places a number of existing SSO schemes, services and products within it. The taxonomy allows decisions about the design and selection of future SSO approaches to be made within a more structured context; it also reveals some important differences in the security properties that the various approaches can provide.
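
The "authenticate once, then use several services" flow described in the abstract, as an added example that is not part of the paper: an authentication service checks the user's password a single time and then issues a short-lived assertion for each service the user visits; each service verifies the assertion with a key it shares only with the authentication service. The host names, shared keys, user record and message format are all constructed for illustration. The example also shows the checks that separate a sound SSO assertion from a weak one (audience binding, expiry, a MAC over the claims, and one-time use), which is the kind of security-property difference the taxonomy is concerned with.

```python
"""Minimal SSO assertion issuance and verification (added example, hypothetical format)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed shared secrets: one per service provider, known only to it and the
# authentication service. A real deployment would provision these out of band.
SP_KEYS: Dict[str, bytes] = {
    "mail.example.org": b"constructed-key-mail",
    "files.example.org": b"constructed-key-files",
}

# Constructed user record: salted PBKDF2 password hash, never the plaintext.
_SALT = b"constructed-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS: Dict[str, bytes] = {"alice": _pw_hash("correct horse battery staple")}


def _mac(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuthService:
    """The single point of primary authentication; issues per-service assertions."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # session id -> authenticated user

    def login(self, user: str, password: str) -> Optional[str]:
        """Primary authentication, performed once. Returns a session id or None."""
        stored = USERS.get(user)
        if stored is None or not hmac.compare_digest(stored, _pw_hash(password)):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def issue_assertion(self, sid: str, audience: str, ttl: int = 60,
                        now: Optional[float] = None) -> Optional[str]:
        """Turn an existing session into an assertion bound to one service (audience)."""
        user = self.sessions.get(sid)
        if user is None or audience not in SP_KEYS:
            return None
        now = time.time() if now is None else now
        claims = {"sub": user, "aud": audience, "exp": now + ttl,
                  "jti": secrets.token_hex(8)}  # jti: unique id for replay detection
        payload = json.dumps(claims, sort_keys=True).encode()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + _mac(SP_KEYS[audience], payload))


class ServiceProvider:
    """A service that trusts the authentication service instead of asking for a password."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.key = SP_KEYS[name]
        self.seen: set = set()  # assertion ids already accepted (replay cache)

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated user if the assertion is valid for this service."""
        try:
            b64, mac = token.split(".", 1)
            payload = base64.urlsafe_b64decode(b64)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        if not hmac.compare_digest(_mac(self.key, payload), mac):
            return None  # forged, tampered, or issued for a different service's key
        claims = json.loads(payload)
        now = time.time() if now is None else now
        if claims.get("aud") != self.name or claims.get("exp", 0) < now:
            return None  # wrong audience or expired
        if claims["jti"] in self.seen:
            return None  # replayed assertion
        self.seen.add(claims["jti"])
        return claims["sub"]


if __name__ == "__main__":
    asp = AuthService()
    sid = asp.login("alice", "correct horse battery staple")  # the one manual login
    for host in SP_KEYS:  # every later service is entered without interaction
        print(host, ServiceProvider(host).verify(asp.issue_assertion(sid, host)))
```

The assertion is bound to one audience and MAC'd with that service's key, so an assertion captured at `mail.example.org` is useless at `files.example.org`; the expiry and the `jti` replay cache limit what an attacker gains from a captured assertion even at the intended service. Which of these properties a given SSO architecture actually delivers is exactly what differs between the approaches the paper classifies.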
