5.3.1.3. Single Sign-On
As IT systems proliferate to support business processes, users and system administrators face an increasingly complicated interface. Users typically have to sign on to multiple systems, with multiple sign-on dialogs that might involve different user names and authentication information. System administrators must coordinate and manage user accounts within each system to maintain the integrity of security policy enforcement.
The goal of the vCloud Director 5.1 Web Single Sign-On (SSO) feature is to simplify the sign-on process to provide an authentication service that can be used by service providers and enterprise customers.
Access control is a key component of the security model because it restricts access by unauthorized users. It is part of what is known as the AAA process: authentication, authorization, and accountability. Authentication systems have traditionally been based on passwords, and many organizations now use more advanced technologies such as tokens or biometrics. Some organizations enforce two-factor authentication.
Although knowing who has been authenticated serves as the basis of access control, authorization must also be addressed. Authorization defines what access the user has and what capabilities are available. A vCloud administrator is normally authorized to perform more functions than an ordinary user. To control access to the end tenant’s vCloud organization, limit each user's authorization to only the functions that user requires.
Single sign-on addresses a problem common to all service providers and enterprise customers. Various systems within the service provider and enterprise likely require the user to log on to each system with different credentials. Single sign-on addresses this problem by authenticating users once to a single authentication authority and then providing access to all other protected resources without re-authenticating. Kerberos and directory services are examples of authentication systems that can implement single sign-on. Before implementing single sign-on, consider security implications. For example, if an attacker can authenticate as a given individual, that attacker can then access multiple systems.
Compliance requires that identities be controlled. Risk management involves the identification, analysis, and response mechanisms for risk events that a service provider or enterprise faces. Risk management is not only a defensive operation to minimize the effects of risk; it is also proactive, enabling the service provider or enterprise to take advantage of a risk event when it is triggered. Compliance is the process of implementing procedures to meet the governance policy, and it requires a level of monitoring, analysis, and reporting. These elements are tied to identity management. Governance policies establish who has access to which functions in the service provider or enterprise and the conditions imposed on that access.
Service providers and enterprises typically request single sign-on functionality because they want end tenants to log in to their own portals and be redirected to the vCloud Director portal without re-authenticating. Service providers also encourage single sign-on because it significantly decreases administrative costs by reducing password-related tasks and support. Handling authentication can be done on a centralized basis rather than a per-application basis. Single sign-on additionally enhances security and compliance for service providers and enterprises by providing a central facility to log all system and application access.
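The mechanics described above (one authentication at a central authority, access to several protected services without re-authenticating, per-role authorization that limits users to required functions, and a central log of all access) can be shown in a few lines. The following is an added illustration written for this section; it is not vCloud Director's own SSO implementation and does not reflect its token format. It assumes a shared HMAC key between the sign-on authority and the relying services, a hypothetical role-to-permission table, and constructed user and service names. It also shows the risk the section raises: once an assertion is issued for an identity, every relying service honours it, so the assertion must be bound to a signature and a short lifetime.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: one key shared by the sign-on authority and every relying service.
# In a real deployment the authority would sign with a private key and services
# would verify with the public key; HMAC keeps this example self-contained.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical role table: the names and permissions are constructed for this example.
ROLE_PERMISSIONS = {
    "org_admin": {"create_vapp", "delete_vapp", "manage_users"},
    "vapp_user": {"create_vapp"},
}

# Central audit trail of every issuance and access decision, as the section describes.
AUDIT_LOG = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(user: str, role: str, now: int, ttl: int = 300) -> str:
    """Sign-on authority: authenticate once, then issue a signed, short-lived assertion."""
    claims = {"sub": user, "role": role, "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    signature = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    AUDIT_LOG.append(("authority", "issued", user, "assertion"))
    return _b64(payload) + "." + _b64(signature)


def verify_assertion(token: str, now: int):
    """Relying service: accept the assertion only if the signature and lifetime check out."""
    try:
        payload_b64, signature_b64 = token.split(".")
    except ValueError:
        return None
    payload = _unb64(payload_b64)
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, _unb64(signature_b64)):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims


def access(service: str, action: str, token: str, now: int) -> bool:
    """A protected service: no second login, but authorization is still enforced per role."""
    claims = verify_assertion(token, now)
    if claims is None:
        AUDIT_LOG.append((service, "rejected", "unknown", action))
        return False
    allowed = action in ROLE_PERMISSIONS.get(claims["role"], set())
    AUDIT_LOG.append((service, "allowed" if allowed else "denied", claims["sub"], action))
    return allowed


if __name__ == "__main__":
    now = int(time.time())
    token = issue_assertion("alice", "vapp_user", now)  # constructed user
    print("portal create_vapp:", access("tenant_portal", "create_vapp", token, now + 5))
    print("vcd create_vapp:   ", access("vcloud_director", "create_vapp", token, now + 10))
    print("vcd manage_users:  ", access("vcloud_director", "manage_users", token, now + 10))
    print("vcd after expiry:  ", access("vcloud_director", "create_vapp", token, now + 600))
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The two services never see a password; they trust the authority's signature. That is what makes the assertion a single point of compromise: a forged or stolen assertion would be honoured everywhere, which is why the verification rejects any altered payload and any assertion past its expiry, and why every decision lands in one audit log for the monitoring and reporting that compliance requires.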
vCloud Director and its single sign-on feature must interoperate with the existing service provider and enterprise infrastructures. Providing interoperability greatly increases the use of the vCloud Director single sign-on functionality and reduces the inconvenience users experience when asked to re-authenticate.
Service providers and enterprises can offer a vCloud Director web-based portal application to enable vCloud end tenants to administer and troubleshoot identity information and perform self-service requests to add, remove, or change user roles.