Solved

Implementing Single Sign On (SSO) for application

Posted on 2010-11-13
Last Modified: 2012-05-10
Hi

We are running AD 2003 in our environment. We have multiple domains in one forest.

There is a finance application (FinanceApp) that we use on most users' desktops. At the moment, their usernames/passwords for AD and for FinanceApp are two separate entities. That is, they log on to their PCs with their AD credentials, and when they launch FinanceApp they need to enter a separate set of credentials.

We'd like to look into some sort of SSO functionality, whereby once users log onto their PC via AD, these same credentials can log them onto the FinanceApp.

Does anyone know how we can make this work? FinanceApp runs on Windows 2003 Servers and our clients are Windows XP.
Question by:smith1974
4 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 400 total points
ID: 34128460
Do you know if FinanceApp can be integrated with AD? Out of the box natively without an identity management solution for SSO you would have to have an app that can use AD credentials (integrate) to get a single sign on solution for that app.

Thanks

mike
 
LVL 9

Expert Comment

by:Lance_P
ID: 34130451
What MK says :)

Microsoft products support SSO OOTB. For other applications, the developer will have to integrate it with AD for SSO to work.
 

Author Comment

by:smith1974
ID: 34130822
Thanks both.

So if we do integrate the app with AD, would that still be SSO we're using, or an AD integrated app?

I'm having trouble visualising how SSO can work if there isn't any AD integration?
 
LVL 4

Accepted Solution

by:kareejb
kareejb earned 1600 total points
ID: 34131261
SSO usually refers to a trusted external application/website performing user authentication which in turn usually generates a cookie or token that can be provided to other apps to prove you have already successfully authenticated (this is how the Kerberos protocol that AD utilizes, works at the 10,000 ft level). The application will simply log you in without prompting for a password.  

An AD integrated app uses AD services transparently and can use your current login credentials to authenticate or can prompt for your AD username and password to login (no user database specific to the application). No need to setup an external app or web site to handle authentication as AD has already done all that for you.

A common setup that I have had to implement in the past for 3rd party applications that weren't AD aware (e.g. Java applications, Linux web apps) was installing a basic web service on an intranet running Windows Server 2k3/2K8 and IIS setup to do integrated authentication. AD Group policy was already defined that configured IE on all the clients to automatically send credentials for sites in the intranet zone, making authenticating to these websites transparent to the end user. IIS would have an ASP or ASP.NET app installed that would generate this cookie or token and redirect you to the 3rd party website, which would then log you in without prompting. Since IIS natively handles the AD authentication portion it makes for a fairly reliable setup.

If this isn't done properly it can present a pretty large security hole however, so tread carefully. You have to investigate how the cookie/token is generated, passed, and expired, if at all. A recently piloted 3rd party app at my company had an out of the box SSO implementation that the sales team touted as a key feature. I found, once I dissected it, that it just basically converted your username to base64 with some extra garbage (always the same garbage) to pad out the parameter and passed that in to the web app. So basically if you knew someone's username, you could easily login as them. They came back and said we should simply implement SSL to hide the token exchange. I told them that was insufficient and to go back to the drawing board.
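The base64-username token the accepted answer dissects, shown next to what the IIS-side redirector should hand the 3rd party app instead: a token bound to an expiry and an HMAC over a shared secret, so knowing a username is not enough to mint one. This is an added example, not code from the original post or from any product named here; the secret value, field names and TTL are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret shared between the token issuer (the IIS app) and
# the 3rd party app; in a real deployment it lives in protected config.
SECRET = b"constructed-demo-secret-not-for-real-use"


def weak_token(username):
    # The scheme the answer found in the piloted app: base64 of the username
    # plus a constant pad. Nothing in it is secret, so it proves nothing.
    return base64.b64encode((username + "::PAD::").encode()).decode()


def issue_token(username, secret=SECRET, ttl=300, now=None):
    # Bind subject + expiry + nonce under an HMAC-SHA256 keyed with the
    # shared secret; without the secret the MAC cannot be produced.
    now = int(time.time()) if now is None else now
    payload = {"sub": username, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return (body + b"." + base64.urlsafe_b64encode(mac)).decode()


def verify_token(token, secret=SECRET, now=None):
    # The receiving app's check: returns the username on success, else None.
    # Constant-time MAC comparison first, then expiry; any malformed input
    # (bad base64, missing dot, bad JSON) is rejected rather than guessed at.
    now = int(time.time()) if now is None else now
    try:
        body, mac_b64 = token.encode().split(b".", 1)
        expected = hmac.new(secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(mac_b64), expected):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, KeyError, TypeError):
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload.get("sub")
```

A real deployment would also carry the token only over TLS and have the receiving app track nonces to stop replay within the TTL; TLS alone, as the answer notes, does not fix a token anyone can construct.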
