It’s a fact that no employee will dispute: passwords equal huge headaches, causing user frustration and hindering productivity, not to mention the burden on the IT Help Desk for password resets. Employees, while trying to keep pace with password policy, jot passwords on sticky notes and attach them to monitors or under keyboards, ironically creating the very security vulnerabilities and risk that the password policy was meant to negate. Fortunately, creating secure and easy user access is no longer at odds with employee productivity and can be effectively managed as part of your security initiatives.

Single sign-on (SSO) is a method of access control that enables a user to authenticate once and gain access to the resources of multiple software systems. Single sign-off is the reverse process, whereby a single action of signing out terminates access to multiple software systems. The term enterprise reduced sign-on is preferred by some authors because they believe single sign-on to be a misnomer: "no one can achieve it without a homogeneous IT infrastructure".

In a homogeneous IT infrastructure, or at least where a single user entity authentication scheme exists or where a user database is centralized, single sign-on is a visible benefit. All users in this infrastructure would have a single set of authentication credentials, e.g. in an organization which stores its user database in an LDAP database. All information processing systems can use such an LDAP database for user authentication and authorization, which in turn means single sign-on has been achieved organization-wide.
What SSO solutions should cover:

Built-in Support for Multiple Strong Authentication Options
The capabilities of Authentication Management are automatically available within SSO, providing native support for a broad range of authentication options such as passwords, ID tokens, active or passive proximity cards, Windows smart cards, national ID smart cards, USB tokens and finger biometrics. This increases security while leveraging the convenience of single sign-on.

Compliance Reporting - Trace, Track and Reporting Capabilities at Your Fingertips
SSO should record all application access events in a centralized database, even down to the application screen level. At the push of a button, administrators can run any number of pre-structured reports, including a report to see which users are sharing passwords.

Citrix Application Support
Single sign-on should provide support for all Citrix or Terminal Services-hosted applications, without an agent on the user’s workstation. In addition, SSO should automatically roam the user’s Citrix or Terminal Services session when they log into SSO, and automatically lock the desktop of the user’s previous workstation when they roam to a different workstation.

Self-Service Password Reset
A convenient and secure process for users to reset their primary domain password alleviates burdensome and costly calls to the IT Help Desk for password resets while helping swiftly return users to productivity.

Shared Workstations & Fast User Switching
SSO should offer various workflow solutions for shared workstations, including fast user switching between multiple, concurrent Windows desktops, as well as secure fast user switching on top of a generic Windows desktop. Workstation security and data privacy are increased with configurable “hot key” locking and inactivity lock/logoff policies.
Automated Password Changes
For maximum application security, SSO should be able to automatically generate strong, randomized passwords on behalf of end users during the application password change process, thus eliminating the need for users to be aware of password reset events.

User Provisioning Interface
Third-party provisioning systems should be able to provision and de-provision users and application credentials within SSO, eliminating the need to distribute application passwords to end users.

Extend Single Sign-On Benefits to Non-Domain Users
It should be possible to extend single sign-on benefits to users who do not exist in the organization’s corporate directory, such as temporary workers and partners.