Thursday, June 30, 2011

True Single Sign-On

My customer really liked something I had said the other day while discussing strategy around Identity and Access Management. The concept of SSO kept coming up, in dialog as well as in the industry briefs on the topic we were reviewing, and I basically said,

“SSO isn’t a product you buy, it’s the by-product of a well architected Identity and Access Management strategy.”

That statement has begun to resonate, and for good reason. While even I cannot deny that SSO products have their place, I disagree that they should be the first stop in your decision-making process. Use an SSO product when you simply have no other choice. There are other options that can reduce complexity as well as the number of logon prompts.

Tuesday, June 07, 2011

Federating FIM 2010 using UAG/ADFS and KCD - Identity.Junkie() - Site Home - TechNet Blogs

Identity Junkie is back on the air with its first post, check it out! It covers the concepts of using UAG to publish the FIM portal using a Federated model. To be clear, this isn’t “how do I authenticate to FIM without an AD account”, it’s “how do I authenticate to the FIM portal when my request is originating from an extranet”. To quote Chris:

Where is this applicable? Say you have a resource forest where FIM resides; how do you provide access to the portal from autonomous security realms without having to create a bunch of NT trusts or maintain secondary credentials? Because shadow accounts exist within the resource forest as security principals for dependent services (for example BPOS or O365), you can leverage UAG, ADFS, and KCD together to provide secure access. UAG is claims-aware and supports Kerberos protocol extensions for (1) protocol transitioning and (2) constrained delegation.
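The KCD half of the design above, as an added example that is not from Chris's post or the UAG product documentation: the Active Directory side of letting a UAG server use protocol transition and constrained delegation to the FIM portal only, followed by an audit that lists every account granted protocol transition and its allowed targets. The names UAG01, FIMSVC and fimportal.contoso.com are assumptions.

```powershell
# Added example: assumed names UAG01 (UAG computer account), FIMSVC (FIM portal app pool
# account) and HTTP/fimportal.contoso.com (the portal's SPN). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$uagAccount = 'UAG01'
$fimSvc     = 'FIMSVC'
$fimSpn     = 'HTTP/fimportal.contoso.com'

# 1. The portal SPN must be registered on the account that actually runs the portal,
#    otherwise the KDC cannot issue a ticket for it.
Set-ADUser -Identity $fimSvc -ServicePrincipalNames @{ Add = $fimSpn }

# 2. Constrained delegation: UAG may request tickets on a user's behalf for this SPN only.
Set-ADComputer -Identity $uagAccount -Add @{ 'msDS-AllowedToDelegateTo' = $fimSpn }

# 3. Protocol transition (S4U2Self): needed because the extranet user arrived with ADFS
#    claims, not a Kerberos ticket. This is the sensitive switch, hence the audit below.
Set-ADAccountControl -Identity "$uagAccount$" -TrustedToAuthForDelegation $true

# Audit: every account with TRUSTED_TO_AUTH_FOR_DELEGATION (UAC bit 0x1000000) and the exact
# SPNs it can delegate to. Expect only the publishing servers, each limited to its portal SPN;
# an empty target list combined with TRUSTED_FOR_DELEGATION (0x80000) means unconstrained.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' `
    -Properties 'msDS-AllowedToDelegateTo', userAccountControl |
  Select-Object Name,
    @{ n = 'DelegateTo';    e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } },
    @{ n = 'Unconstrained'; e = { [bool]($_.userAccountControl -band 0x80000) } }
```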
