Can single sign-on (SSO) provide authentication for remote logons?

If you're accessing multiple applications through a remote Citrix server, you have two options. Identity management and access control expert Joel Dubin explains both in this SearchSecurity.com Q&A.

I am accessing multiple applications through a remote Citrix server, which has three or four applications that I use regularly. Can I use enterprise single sign-on (SSO) to provide authentication for the remote application as well?

There are two ways to implement enterprise single sign-on (SSO) for remote logons. One is to use Citrix itself, which you already have, and the other is to set up an SSL VPN with another provider.

Citrix Password Manager lets users sign on whether they're already in the network and behind the corporate firewall, or whether they're off-site and remotely logging in from outside the firewall. The product uses the Citrix Presentation Server to manage passwords, and users can access their accounts with the Citrix Web Interface. Password Manager has been enhanced for SSO, too, and integrates with Active Directory.

Password Manager is fully automated, and users can set themselves up and reset passwords on their own without having to call the help desk.

Another approach for remote user authentication is an SSL VPN. An SSL VPN allows specific remote users to connect to particular internal applications, which is what you're trying to do here. This contrasts with a traditional IPsec VPN, which connects a workstation to a network.

As for combining SSO with an SSL VPN, Aventail Corp. now offers SSO access in its beefed- up ST2 platform. Aventail is a leading vendor in the SSL VPN market and integrates with Active Directory, LDAP and RADIUS, an authenticating server for remote users.

Another top player in the SSL VPN arena is Juniper Networks Inc. Juniper joined forces with RSA Security (which is now owned by EMC Corp.) to add SSO functionality to its SSL VPN offering. The RSA Federated Identity Manager handles the SSO side of the application and integrates into existing corporate directories.

The key point to remember with SSO is that it cuts both ways. With a single user ID and password for multiple applications, it provides real ease of use for your employees. That ease of use, however, extends equally to malicious users trying to get into your system. In one stroke, an entire network can be compromised.

Whichever SSO solution you choose, make sure it's secure, harden all SSO hardware and software and educate users in safe password handling practices.

More information:

  • Set up endpoint security features on a Juniper SSL VPN.
  • Learn more about VPNs in our Network Access Control Learning Guide.

Dig Deeper on Identity and access management