Friday, December 5, 2008

Access Control and SAAS: a comparison of OpenID and SSO

A SAAS application can be seen as a B2B ecosystem of different stakeholders.
For usability, every stakeholder should have a method of access control that lets them reach the different areas of the SAAS ecosystem.
How is this possible, and what are the risks?

Here authorization and authentication play a key role. As Wikipedia puts it, authorization (deciding whether to grant access) is a separate concept from authentication (verifying identity), and usually depends on it.

Both concepts can be tested separately in a SAAS application.
In my next blog entries I will illustrate this by comparing two ways of access control for a SAAS application: OpenID and SSO.
The two access-control mechanisms differ and have to be tested differently.
The key question here is: can a user log in to a web application that acts as an access-control gateway, and then reach the other registered member web applications without being prompted again or causing errors?
And, no less important: when that user logs out of the system, does he or she still have any access to the other member web applications?
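The two questions above can be turned into a repeatable test. Below is an added example, not code from this blog or from any real SSO product: a constructed model with a hypothetical gateway (SsoGateway), a member application that asks the gateway on every request (MemberApp), and a defective one that caches the gateway's answer (CachingMemberApp); run_sso_test logs in once, touches every member application, logs out, and reports which applications still grant access afterwards.

```python
import secrets

class SsoGateway:
    """Access-control gateway: authenticates users and holds the central session."""
    USERS = {"alice": "correct horse"}  # constructed sample credential
    def __init__(self):
        self._sessions = {}  # token -> username
    def login(self, user, password):
        if self.USERS.get(user) != password:
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def validate(self, token):
        return self._sessions.get(token)

    def logout(self, token):
        self._sessions.pop(token, None)

class MemberApp:
    """Member application that asks the gateway on every request."""
    def __init__(self, name, gateway):
        self.name, self.gateway = name, gateway
    def access(self, token):
        user = self.gateway.validate(token)
        return f"granted to {user}" if user else "prompt: login required"

class CachingMemberApp(MemberApp):
    """Defective variant: remembers the gateway's first answer, so the token
    is still honoured here after the gateway has logged the user out."""
    def __init__(self, name, gateway):
        super().__init__(name, gateway)
        self._cache = {}
    def access(self, token):
        if token not in self._cache:
            self._cache[token] = self.gateway.validate(token)
        user = self._cache[token]
        return f"granted to {user}" if user else "prompt: login required"

def run_sso_test():
    """Log in once at the gateway, touch every member app, log out, touch again."""
    gw = SsoGateway()
    apps = [MemberApp("crm", gw), CachingMemberApp("billing", gw)]
    token = gw.login("alice", "correct horse")
    before = {a.name: a.access(token) for a in apps}
    gw.logout(token)
    after = {a.name: a.access(token) for a in apps}
    leaks = [n for n, r in after.items() if r.startswith("granted")]
    return {"before_logout": before, "after_logout": after, "leaks": leaks}
```

A non-empty "leaks" list is the failure the second question is after: the gateway ended the session, but a member application kept honouring the old token.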

See you in my next blog entry, which will discuss the testing of SSO.

For now, good luck with making a quality SAAS application!

And don't forget, feedback on my blog posts is welcome.

2 comments:

Peter said...

Always interesting, authorization and authentication. Many people don't know there is a difference!

I am curious what you have to say about testing the SSO principle!

regards

Pitufo Cerveza

Cordny Nederkoorn said...

I'll try to keep it simple for you pitufo cerveza! :-)

Regards,

pitufo humor