7. vCloud Security Examples
7.1 Single Sign-On (SSO) – Provider
7.1.1 Background
Support for single sign-on (SSO) in the vCloud environment is necessary because service providers and enterprise customers typically use many different management applications. Some of these applications are part of the platform; others are delivered by third parties but should be integrated into the vCloud solution.
The identity and federation market has moved from a closed enterprise-centric view to an open federated view. Not only do service providers and enterprise customers expect single sign-on across applications within the client environments, but they also want the same identity to work across security boundaries in public vCloud setups as well as with SaaS applications. In a private and public vCloud setup, the authentication service must support multitenancy as well.
One of the cornerstones of federation is the ability to carry user identities from one security domain to another with relatively little friction. The industry has adopted standards such as WS-Trust and SAML to achieve this. VMware conforms to these standards and builds a Secure Token Service (STS) that issues SAML 2.0 tokens. These standards are also very important for multisite use cases, because they allow a vCloud component such as vCenter to be handed a SAML token from a previously authenticated secure session. As long as there is mutual trust between the vCloud environments, the same authenticated SAML token is respected.
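The trust decision a relying party makes when it is handed a SAML 2.0 token issued by another site's STS, as an added example that is not VMware's or vCloud's own code: it assumes a hypothetical per-tenant trusted-issuer table and audience URL, and assumes the assertion's XML signature has already been verified by an XML-DSig library before these checks run.

```python
"""Relying-party checks on a SAML 2.0 assertion from a federated STS.

Added example (not VMware's code). Models the 'mutual trust' decision from
the text: the token is respected only if its issuer is an STS this tenant
trusts, it is addressed to us, and it is inside its validity window.
Signature verification is assumed to have been done already (XML-DSig).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical trust configuration: which STS issuers each tenant trusts.
TRUSTED_ISSUERS = {
    "tenant-a": {"https://sts.site1.example/saml"},
    "tenant-b": {"https://sts.site1.example/saml", "https://sts.site2.example/saml"},
}
EXPECTED_AUDIENCE = "https://vcloud.example/api"  # hypothetical relying party


def _ts(value):
    """Parse a SAML xs:dateTime (UTC, trailing 'Z') into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_assertion(xml_text, tenant, now):
    """Return (accepted, reason). `now` is an xs:dateTime string so runs are deterministic."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS.get(tenant, set()):
        return False, f"issuer {issuer!r} not trusted for {tenant}"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    current = _ts(now)
    if current < _ts(cond.get("NotBefore")) or current >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window"
    audiences = {a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)}
    if EXPECTED_AUDIENCE not in audiences:
        return False, "audience mismatch"
    return True, "ok"


# Constructed sample assertion (Signature element omitted; assumed verified).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://sts.site2.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@tenant-b</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://vcloud.example/api</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    print(accept_assertion(SAMPLE, "tenant-b", "2024-01-01T12:01:00Z"))  # (True, 'ok')
    print(accept_assertion(SAMPLE, "tenant-a", "2024-01-01T12:01:00Z"))  # issuer not trusted
```

The same token is accepted for tenant-b and refused for tenant-a purely on the trust table, which is the per-tenant trust relationship the text describes.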