Are You Lost?

by Dustin Puryear

So, I've been MIA for almost two weeks now. I'm sure you were pretty worried and possibly even losing sleep. But, it's okay. I'm fine and back. For now. But what happened?

Well, the whole "SSO" happened.

O'Reilly uses Single Sign-On (SSO) within its network between certain applications (apparently), and something wonky happened with my blogging account that prevented me from properly signing in. I don't have all the details, but I do know that while logging into the "O'Reilly SSO Site" works, I can't then access the blog manager because I'm again prompted to log in. Which fails.

So much for SSO.

But let's not be too critical of O'Reilly here. Sure, it's annoying, but it happens. Everywhere.

Why is SSO such a pain? When I work with clients on Identity and Access Management (IAM), the first acronym they usually bring up is SSO. And then I warn them that achieving true SSO is usually a long and difficult journey, and that you need to start small. Usually real small.

Typically, I see SSO develop over time using a progression such as:

  1. Implement a single username/password system for core services such as logins to servers. No SSO, but you do have Centralized Sign-On (CSO).

  2. Implement some type of identity management on top of the directory containing your single username/password.

  3. Begin thinking about SSO.

The problem with SSO is that until you at least have a handle on where your username and password are STORED, you can't get very far with it. And most people don't have a handle on that.

So stay focused!
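To make the CSO-versus-SSO distinction concrete, here is an added example (not code from the post or from O'Reilly's systems) in Python. The directory, the user "dustin", the password, the salt, the signing key, the service names and the 300-second token lifetime are all constructed for the demo. Step 1 is modelled as two services that each prompt but check the same directory; step 3 as an identity provider that checks the password once and issues an HMAC-signed token, which relying services accept only if they trust the issuer's key, the token is unexpired, and the user is mapped in that service. The last two checks are where the "SSO site works, blog manager re-prompts" symptom comes from.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo directory: one username/password store shared by every service.
# The salt is fixed only so the example is deterministic; use a per-user random salt in practice.
_SALT = b"demo-salt-not-for-production"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


DIRECTORY = {
    "dustin": _hash_password("correct horse battery staple", _SALT),
}


def directory_check(username, password):
    """Step 1, centralized sign-on: every service calls this, so the credential lives in one place."""
    stored = DIRECTORY.get(username)
    if stored is None:
        _hash_password(password, _SALT)  # same cost for unknown users, so timing does not leak existence
        return False
    return hmac.compare_digest(stored, _hash_password(password, _SALT))


class CsoService:
    """Centralized sign-on: shared credential, but each service still prompts on its own."""

    def __init__(self, name):
        self.name = name
        self.prompts = 0

    def access(self, username, password):
        self.prompts += 1
        return directory_check(username, password)


# Step 3, SSO: the identity provider checks the password once and issues a signed token.
IDP_KEY = secrets.token_bytes(32)  # constructed demo secret, regenerated on every run
TOKEN_TTL = 300


def idp_login(username, password, now=None):
    """Return a 'body.signature' token on success, None on a bad credential."""
    if not directory_check(username, password):
        return None
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "exp": now + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


class SsoService:
    """A relying service. It accepts a token only from an issuer it trusts and for a user it knows."""

    def __init__(self, name, trusted_key, known_users):
        self.name = name
        self.trusted_key = trusted_key
        self.known_users = set(known_users)

    def access(self, token, now=None):
        try:
            body, sig = token.split(".")
        except ValueError:
            return "reprompt"
        expected = hmac.new(self.trusted_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return "reprompt"  # signed with a key this service does not trust
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = int(time.time()) if now is None else now
        if claims["exp"] <= now:
            return "reprompt"  # token expired
        if claims["sub"] not in self.known_users:
            return "reprompt"  # the IdP knows the user, this application does not
        return "ok"


def run_scenario():
    """CSO: one password everywhere but two prompts. SSO: one prompt, then per-service trust decisions."""
    password = "correct horse battery staple"
    shell, wiki = CsoService("shell"), CsoService("wiki")
    cso_ok = shell.access("dustin", password) and wiki.access("dustin", password)

    token = idp_login("dustin", password, now=1000)
    sso_site = SsoService("sso-site", IDP_KEY, ["dustin"])
    blog = SsoService("blog-manager", IDP_KEY, [])            # user never provisioned here
    other = SsoService("other", secrets.token_bytes(32), ["dustin"])  # trusts a different issuer key
    return {
        "cso_ok": cso_ok,
        "cso_prompts": shell.prompts + wiki.prompts,
        "sso_site": sso_site.access(token, now=1000),
        "blog_manager": blog.access(token, now=1000),
        "untrusting_service": other.access(token, now=1000),
        "expired": sso_site.access(token, now=1000 + TOKEN_TTL),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the scenario is the last three results: the same valid token is rejected when a service trusts a different issuer, when the user has no account mapping in that service, or when the token has aged out. Each of those is a configuration or provisioning gap rather than a password problem, which is why sorting out where the credential is stored (step 1) comes before SSO can be made to hold together.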