Identity management for Active Directory is not complete without a credential management solution. There are two major options:

  • Single Sign On: the user logs in once, to Active Directory. After that successful login, every application and service that requires additional credentials is handled automatically; the user sees no further login dialogs.
  • Single Log On: the user logs in to Active Directory and to every other application and resource with the same username and password. The user still sees a login dialog for each individual application or service that requires credentials.
When working with Single Sign On solutions, you will have to think about how the solution handles the following scenarios:
  • Login: the initial login using username, password and, optionally, other choices such as database, default context, etc.
  • Bad password: how to handle the case where the application or service rejects the stored username and password combination (for instance because the password was changed outside the SSO solution). The agent must not keep retrying a stale credential, or it will lock the account.
  • Change password: what if the application or service requires you to change your password periodically? The solution has to generate or accept the new password, complete the change in the application and write the new value back to its credential store.
  • Application support: an enterprise SSO solution should be able to support every application and service. Most solutions drive legacy applications through techniques such as screen scraping, window detection, button pressing, checkbox state manipulation and window message sending.
  • Web applications: if you have services running as web pages that require authentication, the SSO solution will need to support those as well.
  • Local credential caching: what if the central SSO server (the credential store) is unreachable from your workstation? Professional solutions keep an encrypted local credential cache so that end users can still authenticate to applications and services while the server is down.
  • Delegation: what if you need a colleague to take over while you are on leave? Enterprise SSO solutions support delegation of authentication, ideally with an expiry date and without disclosing the underlying password to the delegate.
  • Card-reader support: most SSO solutions support smart-card readers as the primary means of authentication. Optionally you should be able to specify whether the card must stay in the reader at all times (so that removing it locks the session) or may be removed after a single successful authentication.
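The scenarios above are easier to reason about as decision logic. The following Python model is an added illustration, not code from this page or from any SSO product; the CredentialStore, FakeApp and SsoAgent classes and every password in it are constructed stand-ins (a real agent drives the application through its user interface, as described above, and encrypts its local cache). It shows a normal login, fallback to the local cache when the store is unreachable, a stale password handled without locking the account, a forced password change rotated to a random value and written back to the store, and a time-limited delegation.

```python
import secrets
import string
import time


class StoreUnavailable(Exception):
    """The central SSO credential store cannot be reached from the workstation."""


class CredentialStore:
    """Constructed stand-in for the SSO server's vault: (user, app) -> password."""

    def __init__(self):
        self.creds = {}
        self.delegations = {}  # (delegate, app) -> (owner, expires_at)
        self.online = True     # flip to False to simulate the server being down

    def lookup(self, user, app):
        """Return (account_owner, password), honouring unexpired delegations."""
        if not self.online:
            raise StoreUnavailable(app)
        if (user, app) in self.creds:
            return user, self.creds[(user, app)]
        owner, expires_at = self.delegations.get((user, app), (None, 0.0))
        if owner is not None and expires_at > time.time():
            return owner, self.creds[(owner, app)]
        raise KeyError(f"no credential for {user} on {app}")

    def delegate(self, owner, app, delegate, seconds):
        """Let `delegate` use `owner`'s credential for `app` until the expiry."""
        self.delegations[(delegate, app)] = (owner, time.time() + seconds)


class FakeApp:
    """Constructed target application with its own password and lockout policy."""

    def __init__(self, password, lockout_after=3, must_change=False):
        self.password = password
        self.lockout_after = lockout_after
        self.must_change = must_change
        self.failures = 0

    def login(self, password):
        if self.failures >= self.lockout_after:
            return "locked"
        if password != self.password:
            self.failures += 1
            return "bad_password"
        self.failures = 0
        return "change_required" if self.must_change else "ok"

    def change_password(self, old, new):
        if old != self.password or new == old:
            return False
        self.password, self.must_change = new, False
        return True


def new_password(length=20):
    """Random password for a forced rotation; the user never needs to know it."""
    alphabet = string.ascii_letters + string.digits + "!$%&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


class SsoAgent:
    """Per-workstation agent: fetches a credential, drives the app, caches locally."""

    def __init__(self, store):
        self.store = store
        self.cache = {}  # local credential cache: (user, app) -> (owner, password)

    def _credential(self, user, app_name):
        try:
            cred = self.store.lookup(user, app_name)
            self.cache[(user, app_name)] = cred  # refresh the cache on every online hit
            return cred, "store"
        except StoreUnavailable:
            if (user, app_name) in self.cache:
                return self.cache[(user, app_name)], "cache"
            raise

    def login(self, user, app_name, app):
        """Outcome: ok, ok_cached, password_rotated, prompt_user or locked."""
        (owner, password), source = self._credential(user, app_name)
        result = app.login(password)
        if result == "bad_password":
            # Never retry a rejected credential automatically: an agent that loops
            # on a stale password is what locks the account. Hand back to the user.
            return "prompt_user"
        if result == "change_required":
            if source == "cache":
                return "prompt_user"  # cannot persist a rotation while the store is down
            fresh = new_password()
            if not app.change_password(password, fresh):
                return "prompt_user"
            self.store.creds[(owner, app_name)] = fresh  # owner's entry; delegates follow
            self.cache[(user, app_name)] = (owner, fresh)
            return "password_rotated"
        return "ok_cached" if (result == "ok" and source == "cache") else result
```

The two deliberate choices are the single attempt on a rejected password (the agent surfaces the dialog instead of burning through the application's lockout threshold) and the refusal to rotate a password while the central store is unreachable, since a rotation the store never learns about would strand every other workstation, and every delegate, with the old value.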
A Single Log On solution basically only requires you to synchronize passwords automatically to all applications and services. This requires you to choose a leading (authoritative) directory service, preferably Active Directory, and to make sure the solution supports real-time synchronization: a password changed in the directory must reach every connected application before the user next logs in to it, or the user is back to a login dialog that only accepts the old password. Keep in mind that one password synchronized everywhere also means that a password compromised in any one application is valid in all the others.