Not all applications are created equal. Some corporate apps should be accessible to everyone. Some should be restricted to certain users, groups and roles. Some, more sensitive still, should be restricted to certain users, groups and roles and also require a higher standard of authentication. We call this adaptive authentication.
Let's use examples:
1. Corporate holiday calendar: everyone should be able to access this just using their corporate logon.
2. Salesforce.com app: only users in the sales group or role should be able to access this.
3. Financials ERP app: only users in the finance group or role should be able to access this, but you want two-factor authentication and/or identity proofing before letting them in.
Single sign-on can and should accomplish all of these tasks. For number one, it's a simple federation with the app (scenario #3 in the whitepaper "Top 5 Federated Single Sign-on Scenarios"). For number two, it's scenario 1, corporate login to a cloud application, which is pretty simple to do with SAML or OAuth.
Number 3 is the fun one that requires adaptive authentication for single sign-on.
This diagram shows the workflow used to accomplish this. You set a level of application security in the SSO system's inventory. Any application that is over level 5, for example, needs to have two-factor authentication integrated into the login. When the user logs in to the ERP financials system, the workflow checks that they have access and then, before allowing authentication, executes a second-factor authentication (something you have to have, not just something you know like a password).
This second factor can be an SMS message, an RSA security token, or even identity proofing from within the directory (what was your previous job title, what was your hire date, etc.). Single sign-on is there to make your users' lives easier, but it should also improve security.
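The workflow above can be sketched as a small policy check. This is an added example, not EmpowerID's code: the class and function names, the inventory entries and their security levels are assumptions, and only the "over level 5" threshold comes from the text.

```python
from dataclasses import dataclass
from enum import Enum

STEP_UP_THRESHOLD = 5  # from the text: apps over level 5 need a second factor

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "second_factor_required"

@dataclass(frozen=True)
class App:
    name: str
    security_level: int
    allowed_groups: frozenset = frozenset()  # empty means every authenticated user

@dataclass
class Session:
    user: str
    groups: set
    password_ok: bool = False
    # Set only after the SMS, token or identity-proofing check has succeeded.
    second_factor_ok: bool = False

# Constructed inventory mirroring the three examples; the levels are assumptions.
INVENTORY = {
    "holiday-calendar": App("holiday-calendar", 1),
    "salesforce": App("salesforce", 3, frozenset({"sales"})),
    "erp-financials": App("erp-financials", 8, frozenset({"finance"})),
}

def authorize(session, app_name, inventory=INVENTORY):
    """Return the SSO decision for one login attempt."""
    app = inventory.get(app_name)
    # Fail closed: an app missing from the inventory or a session without
    # a primary login is never allowed through.
    if app is None or not session.password_ok:
        return Decision.DENY
    # The access check runs before any second-factor prompt, so users
    # outside the group are never challenged for a sensitive app.
    if app.allowed_groups and not (session.groups & app.allowed_groups):
        return Decision.DENY
    # Adaptive step: only apps above the threshold demand the second factor.
    if app.security_level > STEP_UP_THRESHOLD and not session.second_factor_ok:
        return Decision.STEP_UP
    return Decision.ALLOW
```

A `STEP_UP` result is the point where the SSO front end would run the second-factor challenge and then call `authorize` again with `second_factor_ok` set.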
Schedule a demonstration of how EmpowerID can accomplish adaptive authentication or read the whitepaper on the "Top 5 Federated Single Sign-on Scenarios" now.