How to test an enterprise single sign-on login
In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin examines the best ways to test an enterprise single sign-on (SSO) login.
How can we test whether our enterprise single sign-on (SSO) login is working properly?
Continue Reading This Article
Enjoy this article as well as all of our content, including E-Guides, news, tips and more.
In short, testing an enterprise single sign-on (SSO) implementation is done by logging in using the SSO system and then trying to log on to separate applications accessed by the system.
Enterprise SSO implementations use either a hardware or software module to authenticate individual applications. When using a software module, the SSO application may sit on a dedicated server. In that case, the software module resembles a hardware device. Either way, the SSO system sits between the user and the applications. Before SSO, there was nothing between the user and the applications; the user logged directly on to each application separately.
The difference with SSO is that this module completes the authentication done previously by the user. The module establishes a trust relationship with each application after the user logs in. The module must create and maintain an authenticated session as long as the user is logged on. That session must be active and able to log on to each application registered with the SSO system.
To test the SSO system, the user logs into their desktop per usual, but this time, he or she is actually logging into the SSO module. After login, the user should be able to access each application registered with the system separately without providing a username and password.
The same goes for testing enterprise single sign-on for a Web application. The user should be able to log on to the Web application acting as the SSO gateway, and then log on to any other registered Web application without being prompted for credentials.
Conversely, the SSO system should extinguish credentials when the user logs out. This is testing in reverse. If the user logs out of the system, he or she shouldn't have immediate or unauthenticated access to member applications.
This is a very high-level overview of testing an SSO system. In reality, you should have a set of test user IDs and passwords, or other log-in credentials, and set up a series of scripts with different log-on scenarios. The scenarios should test for logon, logoff and logging into the registered applications within the system.
If access to each application can be done without being prompted, or without an error, then your SSO system is working properly.
- Read about your options when accessing multiple applications through a remote Citrix server.
- Learn how single sign-on can improve productivity, save money and protect corporate information.
Dig Deeper on Identity and access management
Related Q&A from Joel Dubin
How to use a public key and private key in digital signatures
Ensuring authenticity of online communications is critical to conduct business. Learn how to use a public key and private key in digital signatures ... Continue Reading
What's the purpose of CAPTCHA technology and how does it work?
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Single sign-on best practices: How can enterprises get SSO right?
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading