Authentication is the part of a single sign-on solution that establishes who a
user is and then proves that identity, typically by means of a user name and
password.
The process of authentication is different from the process of authorization,
in which an entity or a person is granted or denied access to a network or
system resource.
A single sign-on environment streamlines the process and management of
authentication for users and administrators. Because of the way single sign-on
is implemented on your system, not only do users need to supply fewer IDs
and passwords but, if you choose to, they do not even need to have IBM® i passwords. Administrators
need to troubleshoot identity and password problems less often because users
need to know fewer identities and passwords to access the systems that they
use.
Interfaces that are enabled for single sign-on require the use of Kerberos
as the authentication method. Network authentication service is the
IBM i implementation of the Kerberos
authentication function. Network authentication service provides a distributed
authentication mechanism through the use of a Kerberos server, also called
a key distribution center (KDC), which creates service tickets that are used
to authenticate the user (a principal in Kerberos terms) to some service on
the network. The ticket is encrypted under the long-term key of the service it
is issued for, so only that service can read it, and it provides proof of the
principal's identity to the services that the principal requests in the network
without the user's password ever being sent to those services.
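The ticket flow described above, as an added example that models it in Python; this is not IBM i code and not the network authentication service implementation. It assumes a deliberately simplified picture: the AS exchange (password to ticket-granting ticket) is elided and the KDC is asked directly for a service ticket, the HMAC-SHA256 keystream plus encrypt-then-MAC tag in seal/unseal stands in for a real Kerberos encryption type, a plain SHA-256 of the password stands in for Kerberos string-to-key, and the principal names alice and host/app are constructed for the example. What it shows is the property that matters for single sign-on: the service verifies the principal's identity using only its own key and the session key carried inside the ticket, and it rejects expired, tampered, mis-addressed and replayed presentations.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Derive n keystream bytes from key and nonce (toy cipher, not a Kerberos enctype)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt. Wrong key or tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


def principal_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key: the user's long-term key from the password."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Key distribution center: holds the long-term key of every principal."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)  # principal name -> long-term key

    def issue_service_ticket(self, client: str, service: str, now: float, lifetime: int = 300):
        """Return (ticket for the service, reply for the client). AS exchange elided."""
        if client not in self.keys or service not in self.keys:
            raise KeyError("unknown principal")
        session_key = os.urandom(32).hex()
        # Ticket: readable only by the service, names the client and carries the session key.
        ticket = seal(self.keys[service], {"client": client, "service": service,
                                           "key": session_key, "expires": now + lifetime})
        # Reply: readable only by the client, hands it the same session key.
        reply = seal(self.keys[client], {"service": service, "key": session_key})
        return ticket, reply


def client_request(kdc: KDC, client: str, password: str, service: str, now: float):
    """Client side: obtain a ticket and build the authenticator proving it holds the session key."""
    ticket, reply = kdc.issue_service_ticket(client, service, now)
    session_key = unseal(principal_key(password), reply)["key"]  # wrong password -> ValueError
    authenticator = seal(bytes.fromhex(session_key), {"client": client, "ts": now})
    return ticket, authenticator


class Service:
    """A Kerberized service: knows only its own key (as from a keytab), never any user password."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.seen = set()  # replay cache of (client, timestamp) pairs already accepted

    def authenticate(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        t = unseal(self.key, ticket)  # only this service's key opens the ticket
        if t["service"] != self.name:
            raise ValueError("ticket is for a different service")
        if now > t["expires"]:
            raise ValueError("ticket expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)  # proves possession of session key
        if a["client"] != t["client"] or abs(now - a["ts"]) > 300:
            raise ValueError("authenticator does not match ticket or clock skew too large")
        if (a["client"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return t["client"]


def try_authenticate(svc: Service, ticket: bytes, authenticator: bytes, now: float):
    """Return (True, principal) on success or (False, reason) when the service rejects."""
    try:
        return True, svc.authenticate(ticket, authenticator, now)
    except ValueError as e:
        return False, str(e)


if __name__ == "__main__":
    svc_key = os.urandom(32)  # constructed keytab key for the example service
    kdc = KDC({"alice": principal_key("s3cret"), "host/app": svc_key})
    app = Service("host/app", svc_key)
    ticket, auth = client_request(kdc, "alice", "s3cret", "host/app", now=1000)
    print(try_authenticate(app, ticket, auth, 1000))   # (True, 'alice')
    print(try_authenticate(app, ticket, auth, 1001))   # (False, 'replayed authenticator')
```

Note that the service code path contains no lookup of the user's password: the KDC is the only party that holds it, which is what lets a user with no IBM i password still authenticate to interfaces that are enabled for single sign-on.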
Note: If you are an application developer, you can use other authentication
methods as you enable your applications to work in a single sign-on environment.
For example, you can create applications that use an authentication method,
such as digital certificates, in conjunction with the EIM APIs to enable your
application to participate in a single sign-on environment.