Understanding Federated Single Sign-on

Federated single sign-on allows authentication among multiple internet domains using multiple authentication authorities — with one authority asserting the identity of the user to the other. OpenSSO Enterprise supports the following federation specifications:

• Liberty Alliance Project Identity Federation Framework (Liberty ID-FF) 1.2 Specifications

• WS-Federation 1.1 Metadata

• Security Assertion Markup Language (SAML)

Here are some general rules to follow when deciding which federation option will work best in your environment.

• Use SAML v2 whenever possible as it supersedes both the Liberty ID-FF and SAML v1.x specifications.

• The Liberty ID-FF and SAML v1.x should only be used when integrating with a partner that is not able to use SAML v2.

• SAML v1.x should suffice for single sign-on basics.

• The Liberty ID-FF can be used for more sophisticated functions and capabilities, such as global sign-out, attribute sharing, web services.

• When deploying OpenSSO Enterprise with Microsoft Active Directory with Federation Services, you must use WS-Federation.

For more information, see Chapter 11, Choosing a Federation Option, in Sun OpenSSO Enterprise 8.0 Technical Overview.

The proprietary OpenSSO Enterprise single sign-on mechanism, due to its dependency on browser cookies, is limited to single sign-on within a single internet domain only. The proprietary OpenSSO Enterprise cross domain single sign-on (CDSSO) mechanism uses a single authentication authority which means only one user identity can exist in the entire system. If the situation fits, CDSSO may be a solution worthy of further evaluation.

1. Only Sun products (OpenSSO Enterprise and agents) are involved.

2. All policy agents are configured to use the same OpenSSO Enterprise instance where multiple instances are available.

3. Multiple instances of OpenSSO Enterprise, configured for high-availability, must all reside in a single DNS domain.

Only policy agents can reside in different DNS domains. For more information on these proprietary features, see Part II, Access Control Using OpenSSO Enterprise, in Sun OpenSSO Enterprise 8.0 Technical Overview.