Single sign-on is taking every existing authentication system used by an individual and changing it to a single authentication technology. So say a user has 12 disparate objects to access via passwords every day, they can reduce that to one password to access all 12.
However, it does mean there is a single point of failure if static passwords are used. But combined with other forms of more secure authentication, such as tokens, smartcards, biometrics, and so on, single sign-on is a very attractive option.
There are two main types of single sign-on concepts. The first is enterprise-wide single sign-on; the second is Web single sign-on or federated (usually via Web interfaces) single sign-on. Enterprise single sign-on is what every company, particularly ICT departments that havee been operating for more than a few years, is trying to pursue. Consider how many applications employees have to log in to every day just to do their work -- accounting systems, stock control systems, operating systems, CRM applications, e-mail systems, intranets, extranets, Internet proxies, even old legacy apps.
Most of these applications are somewhere in the grand scheme of lifecycles, and at the end of the day cannot be replaced in one fell swoop, or indeed ever, with a nice directory compliant application (X.500, LDAP or otherwise).
This is why a middle ground needs to be established to head towards true single sign-on and a balance of smart programming and compliant standards-based applications needs to be achieved.
Vendors, such as Citrix with its MetaFrame Password Manager Access Suite, have taken some of the heartache out of this by developing very powerful tools that enable administrators to capture and set many forms of password controls and even enforce quite complex password policies on legacy applications which never would have had these options in the past, and all without rewriting the application or the interfaces.
Federated single sign-on, however, is where multiple Web sites have an agreement to accept and trust authentication of a user at one Web site and carry it across to the others. This means the user only has to sign in at the first Web site it visits.
Computer Associates has the best of both worlds in both enterprise and federated single sign-on.
It has a truly enterprise-scale directory service in the form of its eTrust eDirectory, which has the options to run with its range of IAM (identity and access management) applications for enterprise single sign-on and with the recent acquisition Netegrity it now has a federated single sign-on product called eTrust SiteMinder.