Enter Single Sign-On!
Single sign-on is the capability of a system to authenticate a client in one domain and let it use the resources available in another domain with the same credentials. In other words, a client can access multiple resources in different domains without re-authenticating every time. This concept is illustrated in Figure 1.
Figure 1 Concept of single sign-on.
In the Web services world, these "resources" are nothing but services that are available from different applications in different domains across the network.
For successful single sign-on, the security credentials verified by the first resource must be exchanged with the other resources the client subsequently accesses. This requires some form of coordination, trust, and interoperability across the different resources involved. One way of achieving this is to build service federations, in which each participating member service trusts its peers with minimal or no further verification.
Thus, the aim is to evolve an infrastructure that will enable single sign-on across diversified Web services available in the enterprise network. Going by the standards of Web services, this framework should be platform-neutral, language-independent, and based on open/XML technologies.
We see two promising technology candidates in this arena:
SAML (Security Assertion Markup Language)
XACML (XML Access Control Markup Language)
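The federation exchange described above, as an added example that is not part of the original article: one identity provider authenticates the user once and issues a signed assertion, and each member service verifies the assertion's integrity, issuer, audience and lifetime instead of re-authenticating the user. Real SAML carries this in XML with XML signatures; here HMAC over JSON and a constructed shared federation key stand in for that so the check runs stand-alone.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder; a real federation would use per-partner keys or the IdP's signing certificate.
FEDERATION_KEY = b"constructed-shared-federation-secret"
TRUSTED_ISSUER = "idp.example"  # assumed name of the federation's identity provider


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_assertion(subject: str, audiences: list, ttl: int, key: bytes = FEDERATION_KEY, now=None) -> str:
    """IdP side: after the user has authenticated once, mint an assertion bound to a subject,
    the member services allowed to consume it, and a short lifetime."""
    now = int(time.time()) if now is None else now
    claims = {"iss": TRUSTED_ISSUER, "sub": subject, "aud": audiences, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_assertion(token: str, my_audience: str, key: bytes = FEDERATION_KEY, now=None):
    """Service-provider side: return the asserted subject only if the assertion is intact,
    comes from the trusted issuer, is addressed to this service, and is within its lifetime."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        given = _unb64(sig)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None  # tampered or forged: the signature no longer matches the claims
    claims = json.loads(_unb64(body))
    if claims.get("iss") != TRUSTED_ISSUER or my_audience not in claims.get("aud", []):
        return None  # not from a federation member we trust, or not meant for this service
    if not (claims["iat"] <= now < claims["exp"]):
        return None  # expired or not yet valid, so a replayed old assertion is refused
    return claims["sub"]
```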
As a concept, single sign-on is nothing new, and there are already many proprietary solutions available to achieve it. But as with any other Web service security technology, the challenge lies in applying similar ideas to service-driven architectures, and in dictating common XML standards and solutions.