When single sign-on technology is a good fit for VDI
As more VDI shops deliver virtual desktops separately from applications, single sign-on provides a way for IT to reduce users' burdens when it comes to multiple logins and remembering passwords.
Single sign-on technology has recently gained popularity due to the widespread adoption of cloud services, but it can also help IT balance security and user experience in VDI deployments.
Single sign-on (SSO) comes in many different forms, but in the simplest sense, SSO is an authentication process that allows a user to access multiple resources using a single login. VDI shops that use cloud apps likely also require some sort of authentication to access applications outside of a virtual desktop. SSO allows users to enter their credentials once to access their virtual desktops and external resources, which reduces the security burden on end users and can even help with VDI adoption.
One of the arguments against using single sign-on technology is that it weakens security. If a user's account becomes compromised, the intruder also gains access to the resources tied to the account. There is an element of truth to that, but there's also a compelling argument in favor of SSO.
Control access outside of Active Directory
About four years ago, users primarily accessed resources linked to the organization's Active Directory. SSO is unnecessary in that case, because Windows handles access control: IT sets access control lists in AD and grants specific users read or write privileges.
Today, users access Active Directory resources, cloud resources and even resources within an Active Directory forest. An AD forest includes groups of users, machines and endpoints -- known as Active Directory domains -- and groups of domains, referred to as an AD tree. For access beyond the local Active Directory environment, users are typically required to supply a separate set of credentials for each external resource they access. SSO allows users to reach both local and external resources with one login.
VDI single sign-on boosts security, user experience
Providing users with access to external resources without using SSO can sometimes weaken an organization's security. Let's be realistic: There is a limit to the number of passwords a user can remember. Users' ability to memorize passwords decreases when a company requires that they include complexities such as numbers and capital letters, or if they have to frequently change passwords.
It's now commonplace for users to write down their passwords or use the same password for each resource they access. In an effort to increase security, IT inevitably pushes workers into using techniques that can nullify an organization's protective measures.
Single sign-on technology can reduce the burden on employees by allowing them to remember just one password. In that case, the organization can realistically require much stronger passwords or even two-factor authentication. Additionally, each protected resource continues to maintain its own authentication credentials, which differs from reusing the same password for every resource.
SSO is especially beneficial in updated VDI implementations, because it's increasingly common for apps to reside outside of virtual desktops. For example, some applications may live in a software as a service cloud, or Windows apps may exist as Microsoft Azure remote apps. For the latter, admins can extend Active Directory to the cloud with Azure AD. Even if security isn't a major issue, users probably don't want to enter a password every time they launch an application.
How Citrix and VMware handle SSO
Citrix and VMware shops can both enable SSO using those companies' virtualized computing platforms.
Citrix enables SSO -- which it refers to as pass-through authentication -- through the StoreFront enterprise app store, which communicates with the Receiver client software on users' endpoints. StoreFront serves as a central repository from which users access resources connected to the company's XenApp and XenDesktop virtualization platforms. IT can enable pass-through authentication for all resources delivered over Citrix's ICA remote display protocol.
VMware added a new feature in version 7 of its Horizon end-user computing suite that it calls True SSO. VMware's SSO previously only supported Microsoft Active Directory (AD) credentials, but True SSO adds two-factor authentication and supports technologies such as RSA SecurID, Kerberos and RADIUS authentication.
Smart cards and biometric single sign-on
Some organizations have found that SSO works best when it is tied to biometric or smart card authentication. Those two methods allow users to log in without passwords, simultaneously improving security and making the authentication process more seamless for the user.
Using biometric single sign-on or smart card authentication allows users in certain work environments to be more productive. Unlike PCs, virtual desktops are not limited to specific network endpoints. Users might access the same virtual desktop from multiple physical devices as a part of their regular workflow. For example, a clinician might move between an office and exam or lab rooms throughout the day. SSO using biometric or smart card authentication would allow such a person to effortlessly move from one physical device to another.
Although this type of security works well for some organizations, it is sometimes better for an organization to continue to use passwords with SSO. The reason for this is simple: Not every device that supports VDI has the hardware to also support smart card authentication or biometric single sign-on.
SSO is useful for organizations with a layer of separation between virtual desktops and applications, but shops whose users access resources solely from within AD probably won't benefit significantly from SSO.