An Efficient, Robust, and Secure SSO Architecture for Cloud Computing Implemented in a Service Oriented Architecture

1. Introduction

Cloud Computing enables a method of on-demand convenient network access to a shared pool of configurable computing resources (Jaeger & Schiffman, 2010). According to IBM, it is a new utility computing model based on consumption and delivery, where the user only sees services and has no need to know anything about the underlying technology or implementation (Breiter & Behrendt, 2009). With pools of computation, network, information and storage resources the Cloud offers a collection of services, applications, information and infrastructure. With the promising potential of computing functions as a utility, customers are both excited and nervous. The excitement comes from the chance of disassociating themselves from infrastructure management, and being able to focus on core competencies with an emphasis on the business logic that should be implemented through IT rather than management of IT. On the other hand, customers are nervous with the security risks associated with Cloud Computing which have not been completely addressed yet (Hubbard, et al., 2010, March). However, today’s aggressive adoption of immature Cloud Computing services by enterprises creates the need for a strong Cloud-based Identity and Access Management (IAM) system that supports business needs ranging from secure collaboration with global partners to secure access for global employees consuming sensitive information using a range of devices from any location world-wide at any time of day. This strong IAM invariably requires users to enter credentials and login for each application accessed and hence it is quite cumbersome. In order to deliver a unified and seamless migration from one application to another inside a Cloud, an SSO would be a great solution. Implementing SSO in a Cloud environment will require a user to login once to a Cloud and be provided with access to all authorized applications without re-login.

Many enterprises exercise identity management to integrate applications into different domains through an application portal giving users an opportunity to hop among applications without the need for re-authentication. However, this feature cannot be extended to the Cloud Computing architecture. Existing identity management approaches work well for enterprise applications within a corporate data centre or within the same domain while services in Cloud Computing are typically external to the data centre and located within a different domain and hence a new SSO architecture is needed for the Cloud.

For multiple applications, SSO is a centralized authentication mechanism which could be independent and may or may not be interrelated. Here, a user is authenticated once and then all of the user’s subsequent service access requests via other applications within the enterprise system are handled seamlessly until the user’s login session is terminated. iGoogle login is the best appropriate analogy to visualize this concept where the user once logged in can access multiple applications like Gmail, Google Docs, Google+ accounts etc. without having to re-login to each individual application. SSO provides a few advantages: 1) In SSO users utilise a single username and password which is easier to manage and remember; 2) Additionally, the system administrator can manage user accounts centrally and thus it is easier to provision or de-provision passwords; 3) As SSO users are less likely to lose passwords it reduces the assistance provided to users by the IT helpdesk and hence reduces costs; and 4) The service provider manages a single access mechanism rather than developing and maintaining several identity modules for different applications. However, there are some drawbacks or constraints that need to be traded-off in order to get the benefits. A few of them are: 1) Due to password leaks or misuse, security breaches could affect multiple applications and resources; and 2) Due to the constraint of a single point of failure, there is a need for SSO IAM high availability.