SSO provides attribution?


I came across this phrase: "Authentication, Authorization and Attribution are the three most vital properties sought for by service providers on the web."

I know SSO provides authentication and authorization, but my question is: what about attribution? Does SSO provide attribution? Can you give me an example?


The correct phrase is Authentication, Authorization and ACCOUNTING.

SSO does not add or remove any of those properties. It is indifferent whether you ask for a password each time or once a month.
btan (Exec Consultant) commented:
Yep, it is accounting, not attribution, in security parlance. An extract:
"Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security."
Largely to do with access control as a whole. I see it simply as:

Authentication - Identity: Who is this?
Authorisation - Access to Protected Asset: What is available for such access? Which actions are allowed?
Accounting - Audit on activities revolving around the asset access: What was done and how? Where/when did it occur?

Eventually it tells a story which hopefully sums up to attribution of the "accused" from the activity trail of evidence....
Basic SSO is just authentication (ctrl-alt-del, enter password).
Authorisation is like file and share permissions.
Accounting is logs kept from either (like the security event log).

There is a lot of variety between products, but SSO does not per se add access auditing/accounting; it is just a modification of authentication.
btan (Exec Consultant) commented:
In the strict sense, SSO is not perceived as security centric. It serves more "friendly" needs, such that the authenticated user identity is used uniformly across the services the user is requesting. Most may liken SSO to "sign-through" for all services. E.g.

a) the user attempts authentication - via form based, web login, Kerberos Windows login etc. - and the session established creates a unique identity token (like a "passport") assigned to that user, bound to a unique session id (like the authority's "stamp" for that visiting country). These add up to the user's "stamped passport".
b) the user attempts authorisation checks to access available services and resources (like "locations of interest" in that visiting country) that are mostly hosted in backend systems. It can be a web portal listing the possible authorised services, or a default laundry list (for poor code that does not check blacklisted users etc.).
c) the user's trails are accounted for in the use of the "stamped passport" from (a) in all "sign-throughs" to any of the resources mentioned in (b). The audit trail via the service will be (supposedly) logged, (supposedly) archived and (supposedly) piped to a central log server for (supposedly) monitoring and alerting. Any anomalies can (supposedly) be flagged through (supposedly) constant review or audit of activities and accounts.
d) the user may be attributed as the "man behind the scene" if positive elements confirmed in (c) lead back to (a) + (b). Of course the integrity of the investigated compromise detected/reported, or of the potential incident or breach-prone indicator, needs to warrant such an attribution trace-back with chain of custody.

However, SSO "sign-through" does not necessarily (always) lead to the "true" user, esp. when the authentication in the first place cannot be trusted due to badly guarded infra and/or the use of weak auth means, e.g. single- vs multi-factor login, reused/default password vs stronger passphrase ...

Sidenote - Just for sharing info, I wrote in the past on asking savvy questions in the hope of better starting off the attribution cycle and triaging the investigation when (not 'if') an incident happens...
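The two answers above describe the same thing in words: authentication issues the "stamped passport", authorisation consults the ACL, accounting writes the trail, and attribution is reconstructed by walking that trail back to a session and a user. The following is an added example written for this page, not code from the thread or from any SSO product. It is a toy identity provider whose users, passwords, resources and ACL are all constructed demo data; the class and method names are hypothetical. It shows that SSO itself only adds the token in step (a), and that attribution in step (d) is only as good as the accounting records in step (c) and the strength of the authentication in step (a), which is why a forged token must be rejected before anything is logged against a user.

```python
"""Added example (not from the Experts Exchange thread): a toy SSO flow
mapping the AAA steps (a)-(c) and attribution step (d) above onto code.
Everything here is constructed demo data; nothing is a real product API."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _pw_record(password: str, salt: bytes):
    """Constructed credential record: (salt, PBKDF2 digest of the password)."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed directory of users and a constructed ACL: resource -> allowed users.
USERS = {
    "alice": _pw_record("correct horse", b"salt-alice"),
    "bob": _pw_record("battery staple", b"salt-bob"),
}
ACL = {"payroll": {"alice"}, "wiki": {"alice", "bob"}}


@dataclass
class AuditEvent:
    """One accounting record: which session/user did what, on which resource."""
    session_id: str
    user: str
    step: str      # "authn", "authz" or "access"
    resource: str
    outcome: str   # "ok" or "denied"


class SsoProvider:  # hypothetical identity provider for this example
    def __init__(self):
        self._key = secrets.token_bytes(32)  # session-signing key
        self.audit_log: list[AuditEvent] = []

    def _mac(self, user: str, session_id: str) -> str:
        return hmac.new(self._key, f"{user}:{session_id}".encode(), "sha256").hexdigest()

    def authenticate(self, user: str, password: str):
        """(a) Authentication: verify the credential once and issue a signed
        token binding the user to a fresh session id. Returns None on failure."""
        ok = False
        if user in USERS:
            salt, digest = USERS[user]
            ok = hmac.compare_digest(digest, _pw_record(password, salt)[1])
        session_id = secrets.token_hex(8)
        self.audit_log.append(AuditEvent(session_id, user, "authn", "-", "ok" if ok else "denied"))
        if not ok:
            return None
        return f"{user}:{session_id}:{self._mac(user, session_id)}"

    def _verify(self, token: str):
        """Reject a forged or altered 'passport' before trusting its user claim."""
        try:
            user, session_id, mac = token.split(":")
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._mac(user, session_id)):
            return None
        return user, session_id

    def access(self, token: str, resource: str) -> bool:
        """(b) Authorisation of one request plus (c) accounting of its outcome."""
        ident = self._verify(token)
        if ident is None:
            # Unverifiable token: log the attempt but attribute it to nobody.
            self.audit_log.append(AuditEvent("-", "unverified", "authz", resource, "denied"))
            return False
        user, session_id = ident
        allowed = user in ACL.get(resource, set())
        self.audit_log.append(AuditEvent(session_id, user, "authz", resource, "ok" if allowed else "denied"))
        if allowed:
            self.audit_log.append(AuditEvent(session_id, user, "access", resource, "ok"))
        return allowed

    def attribute(self, resource: str):
        """(d) Attribution: walk the accounting trail to list, in order, which
        user and session touched or tried to touch a resource."""
        return [(e.user, e.session_id, e.outcome)
                for e in self.audit_log if e.step == "authz" and e.resource == resource]


if __name__ == "__main__":
    idp = SsoProvider()
    alice = idp.authenticate("alice", "correct horse")
    bob = idp.authenticate("bob", "battery staple")
    idp.access(alice, "payroll")
    idp.access(bob, "payroll")
    for who, session, outcome in idp.attribute("payroll"):
        print(f"payroll: {who} (session {session}) -> {outcome}")
```

The `attribute` query only works because `access` records the session id and the verified user on every decision; with accounting switched off (the "supposedly" in step (c)), the same SSO deployment still authenticates and authorises but yields nothing to trace back.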

jazzIIIlove (Author) commented:
Reminds me of the old days of EE. Enthusiasts :)