Sun OpenSSO Enterprise 8.0 Developer's Guide

Understanding Federated Single Sign-on

Federated single sign-on allows authentication among multiple internet domains using multiple authentication authorities — with one authority asserting the identity of the user to the other. OpenSSO Enterprise supports the following federation specifications:

Here are some general rules to follow when deciding which federation option will work best in your environment.

For more information, see Chapter 11, Choosing a Federation Option, in Sun OpenSSO Enterprise 8.0 Technical Overview.
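To make concrete what "one authority asserting the identity of the user to the other" means in practice, here is an added example that is not part of this guide or of OpenSSO Enterprise. An identity provider in one domain (the constructed issuer https://idp.example.com) signs an assertion about the user; a service provider in another domain (the constructed entity https://sp.example.net) verifies the signature, checks issuer, audience, validity window and replay, and maps the federated subject to its own local account. Real deployments use SAML or Liberty XML assertions with XML signatures and exchanged metadata; this example uses a JSON assertion signed with HMAC-SHA256 over a pre-shared key (an assumption made so the code runs offline), and the class and function names are the example's own.

```python
"""Minimal model of federated single sign-on across two internet domains.

Added example, not OpenSSO code. The asserting authority (identity provider,
IdP) signs a statement about the user; the relying authority (service
provider, SP) in another domain verifies it and maps the federated user to a
local identity. The assertion format and HMAC signature are simplifications
of the XML assertions and XML signatures used by real federation protocols.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed shared key between the two authorities (assumption for the demo).
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _sign(payload: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the canonical (sorted-key) JSON claims, base64url encoded."""
    return base64.urlsafe_b64encode(hmac.new(key, payload, hashlib.sha256).digest()).decode()


class IdentityProvider:
    """Authority in the user's home domain that asserts who the user is."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer = issuer
        self.key = key

    def issue_assertion(self, user_id: str, audience: str, now=None, ttl: int = 300) -> dict:
        now = time.time() if now is None else now
        claims = {
            "id": str(uuid.uuid4()),   # unique id so the SP can reject replays
            "issuer": self.issuer,
            "subject": user_id,        # identity as known in the IdP's domain
            "audience": audience,      # the single SP this assertion is meant for
            "not_before": now,
            "expires": now + ttl,
        }
        payload = json.dumps(claims, sort_keys=True).encode()
        return {"claims": claims, "signature": _sign(payload, self.key)}


class ServiceProvider:
    """Authority in another domain that relies on the IdP's assertion."""

    def __init__(self, entity_id: str, trusted_issuers: dict):
        self.entity_id = entity_id
        self.trusted_issuers = trusted_issuers  # issuer -> verification key
        self.seen_ids = set()                   # assertion ids already consumed
        self.account_links = {}                 # (issuer, subject) -> local account

    def link_account(self, issuer: str, subject: str, local_user: str) -> None:
        """Federation keeps a separate identity per domain; this records the link."""
        self.account_links[(issuer, subject)] = local_user

    def consume_assertion(self, assertion: dict, now=None) -> str:
        """Validate the assertion and return the local account it maps to."""
        now = time.time() if now is None else now
        claims = assertion["claims"]
        key = self.trusted_issuers.get(claims.get("issuer"))
        if key is None:
            raise ValueError("untrusted issuer")
        payload = json.dumps(claims, sort_keys=True).encode()
        if not hmac.compare_digest(_sign(payload, key), assertion["signature"]):
            raise ValueError("bad signature")
        if claims["audience"] != self.entity_id:
            raise ValueError("assertion not intended for this provider")
        if not (claims["not_before"] <= now < claims["expires"]):
            raise ValueError("assertion outside validity window")
        if claims["id"] in self.seen_ids:
            raise ValueError("assertion replayed")
        self.seen_ids.add(claims["id"])
        local = self.account_links.get((claims["issuer"], claims["subject"]))
        if local is None:
            raise ValueError("no federated account link for this subject")
        return local


def outcome(sp: ServiceProvider, assertion: dict, now: float) -> str:
    """Return the local account on success, otherwise the rejection reason."""
    try:
        return sp.consume_assertion(assertion, now=now)
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    idp = IdentityProvider("https://idp.example.com", SHARED_KEY)
    sp = ServiceProvider("https://sp.example.net", {"https://idp.example.com": SHARED_KEY})
    sp.link_account("https://idp.example.com", "alice", "alice-local")
    assertion = idp.issue_assertion("alice", "https://sp.example.net")
    print("first use:", outcome(sp, assertion, time.time()))
    print("replay:", outcome(sp, assertion, time.time()))
```

The checks in `consume_assertion` are the ones a relying party in a federation must make regardless of protocol: trust in the issuer, signature integrity, audience restriction, time validity and single use. The `account_links` table is what distinguishes federation from the single-authority CDSSO model: each domain keeps its own user identity and the assertion only links them.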

Note –

The proprietary OpenSSO Enterprise single sign-on mechanism, because it depends on browser cookies, is limited to single sign-on within a single internet domain. The proprietary OpenSSO Enterprise cross-domain single sign-on (CDSSO) mechanism uses a single authentication authority, which means only one user identity can exist in the entire system. If the situation fits, CDSSO may be a solution worth evaluating further.

  1. Only Sun products (OpenSSO Enterprise and agents) are involved.

  2. All policy agents are configured to use the same OpenSSO Enterprise instance where multiple instances are available.

  3. Multiple instances of OpenSSO Enterprise, configured for high-availability, must all reside in a single DNS domain.

Only policy agents can reside in different DNS domains. For more information on these proprietary features, see Part II, Access Control Using OpenSSO Enterprise, in Sun OpenSSO Enterprise 8.0 Technical Overview.