Single Sign-On Security
If your users run the .NET UI in a Windows environment, you can enable application single sign-on. After an initial authentication, single sign-on lets users log in to the Windows environment and start the .NET UI without being prompted for their user credentials.
The application single sign-on process works like this:
1 The system administrator enables single sign-on using Security Control (36.3.24).
2 The .NET UI client queries the authentication service (on each login) to determine whether single sign-on is enabled.
If single sign-on is not enabled, the .NET UI prompts for the user ID and password.
If single sign-on is enabled, the .NET UI determines whether the user’s credentials are stored in cache. If so, the credentials are decrypted and authenticated, allowing the user access to the system. If not, the system prompts for user ID and password, then caches the encrypted credentials for use in subsequent logins.
When a user changes their password, the system prompts for user name and password on the next login; if single sign-on is enabled, it caches the new credentials.
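The login flow above, sketched in C# as an added example (not the product's code). The page does not say how the cached credentials are encrypted or where they are kept; Windows DPAPI (`ProtectedData`, current-user scope) and the cache path are assumptions, as are the `IAuthService` and `SsoLogin` names.

```csharp
// Added illustration, not the product's code; every name here is hypothetical.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

interface IAuthService   // stand-in for the authentication service
{
    bool SingleSignOnEnabled();
    bool Authenticate(string userId, string password);
}

static class SsoLogin
{
    // Assumed cache location: inside the user's own profile, not a shared folder.
    static readonly string CachePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "ExampleClient", "sso.bin");

    public static bool Login(IAuthService auth, Func<(string User, string Password)> prompt)
    {
        bool sso = auth.SingleSignOnEnabled();   // asked on each login
        if (sso && TryReadCache(out var user, out var password) && auth.Authenticate(user, password))
            return true;                         // silent login from the cache
        // SSO off, nothing cached, or the cached password was rejected (it was changed):
        // drop the unusable cache (a defensive choice of this sketch) and prompt.
        if (File.Exists(CachePath)) File.Delete(CachePath);
        var entered = prompt();
        if (!auth.Authenticate(entered.User, entered.Password)) return false;
        if (sso) WriteCache(entered.User, entered.Password);   // cache only verified credentials
        return true;
    }

    static void WriteCache(string user, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(user + "\n" + password);
        // DPAPI ties the ciphertext to the logged-in Windows account.
        byte[] blob = ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(CachePath));
        File.WriteAllBytes(CachePath, blob);
    }

    static bool TryReadCache(out string user, out string password)
    {
        user = password = null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(CachePath), null, DataProtectionScope.CurrentUser);
            string[] parts = Encoding.UTF8.GetString(plain).Split(new[] { '\n' }, 2);
            if (parts.Length == 2) { user = parts[0]; password = parts[1]; }
            return parts.Length == 2;
        }
        catch (Exception e) when (e is IOException || e is CryptographicException) { return false; }
    }
}
```

With current-user DPAPI scope, any code running as the logged-in Windows user can recover the cached password, so the Windows session becomes the single point of failure to weigh.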
Before choosing to implement single sign-on, you should carefully weigh the advantages of improving the ease of user access against the security considerations of having a single point of failure.
Note: If your system users employ the character interface, using single sign-on is not an option—users are required to sign on to their Windows environment and system separately.
For details, see Defining General Security Settings.