Page 984 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
subject.
The primary disadvantage of SSO is that once an account is
compromised, an attacker gains access to every resource that account
is authorized to use, without having to authenticate again. However,
most SSO systems include methods to protect user credentials. The
following sections discuss several common SSO mechanisms.
LDAP and Centralized Access Control
Within a single organization, a centralized access control system is
often used. For example, a directory service is a centralized database
that includes information about subjects and objects. Many directory
services are based on the Lightweight Directory Access Protocol
(LDAP). For example, Microsoft Active Directory Domain Services
(AD DS) is LDAP-based.
You can think of an LDAP directory as a telephone directory for
network services and assets. Users, clients, and processes can search
the directory service to find where a desired system or resource
resides. Subjects must authenticate to the directory service before
performing queries and lookup activities. Even after authentication,
the directory service will reveal only certain information to a subject,
based on that subject’s assigned privileges.
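The lookups described above are usually expressed as LDAP search filters, and a client that builds a filter from user-supplied text (a login form, an API parameter) can be tricked into asking the directory a different question than it intended. The following is an added example for this section, not code from the study guide: it contrasts a vulnerable filter builder with one that escapes the value per RFC 4515, and runs both against a tiny in-memory filter evaluator so the effect is visible offline. The directory entries, distinguished names and attribute names are constructed for illustration only.

```python
"""Safe LDAP search-filter construction, with a tiny in-memory evaluator.

Added example for this section; it is not code from the study guide.
The directory entries, DNs and attribute names below are constructed
for illustration and are not a real directory.
"""
import re

# RFC 4515 section 3: these characters carry meaning inside an assertion
# value and must be escaped as \XX (two hex digits) when they are data.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape caller-supplied text so it is matched literally in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(username: str) -> str:
    """Vulnerable: the caller's text becomes filter syntax (LDAP injection)."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def safe_user_filter(username: str) -> str:
    """Hardened: the caller's text can only ever be an assertion value."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


# --- minimal RFC 4515 evaluator: and / or / not / equality with '*' -------

def _parse(s: str, i: int):
    """Parse one parenthesised filter item at s[i]; return (node, next_i)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return ("!", node), i + 1
    j = s.index(")", i)                 # a value can never hold a bare ')'
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1


def _value_regex(val: str):
    """Assertion value -> regex: '*' is a wildcard, \\XX is a literal byte."""
    pattern, i = "", 0
    while i < len(val):
        if val[i] == "\\":
            pattern += re.escape(chr(int(val[i + 1:i + 3], 16)))
            i += 3
        else:
            pattern += ".*" if val[i] == "*" else re.escape(val[i])
            i += 1
    return re.compile(f"^{pattern}$", re.IGNORECASE | re.DOTALL)


def _match(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_match(k, entry) for k in node[1])
    if kind == "|":
        return any(_match(k, entry) for k in node[1])
    if kind == "!":
        return not _match(node[1], entry)
    _, attr, val = node
    rx = _value_regex(val)
    return any(rx.match(v) for v in entry.get(attr, []))


def search(directory: dict, filter_str: str) -> list:
    """Return the DNs of entries matching filter_str (like ldapsearch -b)."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")  # a server rejects this
    return [dn for dn, entry in directory.items() if _match(node, entry)]


# Constructed sample directory; attribute names are lower-cased because
# LDAP attribute types are case-insensitive.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "objectclass": ["user"], "samaccountname": ["alice"], "title": ["Engineer"]},
    "CN=bob,OU=Users,DC=example,DC=com": {
        "objectclass": ["user"], "samaccountname": ["bob"]},
    "CN=svc-backup,OU=Service,DC=example,DC=com": {
        "objectclass": ["user"], "samaccountname": ["svc-backup"]},
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {
        "objectclass": ["group"], "samaccountname": ["Domain Admins"]},
}

if __name__ == "__main__":
    for name in ("alice", "*", "alice)(title=*"):
        print(f"{name!r:18} unsafe -> {search(DIRECTORY, unsafe_user_filter(name))}")
        print(f"{'':18} safe   -> {search(DIRECTORY, safe_user_filter(name))}")
```

With the unescaped builder, a username of `*` returns every user object, and `alice)(title=*` smuggles an extra assertion into the AND clause, which lets an attacker probe attributes one at a time even when the directory only reveals the entries the subject is allowed to see. The escaped builder turns both inputs into literal strings that match no account. Real clients should use their LDAP library's escaping routine rather than a hand-written one; the evaluator here exists only so the difference can be observed without a directory server.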
Multiple domains and trusts are commonly used in access control
systems. A security domain is a collection of subjects and objects that
share a common security policy, and individual domains can operate
separately from other domains. Trusts are established between the
domains to create a security bridge and allow users from one domain
to access resources in another domain. Trusts can be one-way only, or
they can be two-way.
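The direction of a trust is the part practitioners most often get backwards: when domain A trusts domain B, it is B's users who can be granted access to A's resources, not the other way round. The following is an added example for this section, not code from the study guide, that models a set of domains and trusts and answers "can a user from this domain reach a resource in that domain?". It goes slightly beyond the text by adding a transitivity flag, following the Active Directory convention that a non-transitive trust links exactly two domains while transitive trusts chain together; the domain names are made up.

```python
"""Direction and transitivity of trusts between security domains.

Added example for this section, not from the study guide. The domain
names are made up. The `transitive` flag goes beyond the text, which
only distinguishes one-way from two-way trusts: a non-transitive trust
links exactly two domains, a transitive one extends along a chain of
transitive trusts (the Active Directory convention).
"""
from collections import deque


class TrustModel:
    def __init__(self):
        # trusting domain -> {trusted domain: transitive?}
        # "A trusts B" means users from B may be granted access to A's resources.
        self._trusts = {}

    def add_one_way_trust(self, trusting, trusted, transitive=False):
        self._trusts.setdefault(trusting, {})[trusted] = transitive

    def add_two_way_trust(self, a, b, transitive=False):
        # A two-way trust is simply a one-way trust in each direction.
        self.add_one_way_trust(a, b, transitive)
        self.add_one_way_trust(b, a, transitive)

    def trusts(self, trusting, trusted):
        """True if `trusting` trusts `trusted` directly or via transitive trusts."""
        if trusting == trusted:
            return True
        if trusted in self._trusts.get(trusting, {}):
            return True                      # direct trust, either kind
        # Any longer path is valid only if every hop is transitive.
        seen, queue = {trusting}, deque([trusting])
        while queue:
            cur = queue.popleft()
            for nxt, transitive in self._trusts.get(cur, {}).items():
                if not transitive or nxt in seen:
                    continue
                if nxt == trusted:
                    return True
                seen.add(nxt)
                queue.append(nxt)
        return False

    def can_access(self, user_domain, resource_domain):
        """The resource's domain must trust the user's domain, not vice versa."""
        return self.trusts(resource_domain, user_domain)


def build_example():
    """Constructed topology used for the demonstration below."""
    m = TrustModel()
    # corp trusts partner one-way: partner users can reach corp resources only.
    m.add_one_way_trust("corp.example.com", "partner.example.net")
    # corp and dev trust each other, transitively (like parent/child domains).
    m.add_two_way_trust("corp.example.com", "dev.corp.example.com", transitive=True)
    # dev trusts lab transitively, so corp trusts lab through dev.
    m.add_one_way_trust("dev.corp.example.com", "lab.example.org", transitive=True)
    return m


if __name__ == "__main__":
    m = build_example()
    checks = [
        ("partner.example.net", "corp.example.com"),   # True: corp trusts partner
        ("corp.example.com", "partner.example.net"),   # False: one-way only
        ("lab.example.org", "corp.example.com"),       # True: transitive chain
        ("partner.example.net", "dev.corp.example.com"),  # False: non-transitive hop
    ]
    for user_dom, res_dom in checks:
        print(f"user@{user_dom} -> {res_dom}: {m.can_access(user_dom, res_dom)}")
```

The last check is the one worth remembering: dev trusts corp and corp trusts partner, but because the corp-to-partner trust is non-transitive, partner's users get nothing in dev. When auditing a trust design, walk each edge in the "trusting" direction and ask which outside accounts can now be granted access to the resources behind it.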
LDAP and PKIs
A public key infrastructure (PKI) commonly uses an LDAP directory to
publish and look up digital certificates. Chapter 7 covers PKI in more depth,
but in short, a PKI is a group of technologies used to manage digital
certificates during the certificate lifecycle. There are many times when
clients need to query a certificate authority (CA) for information on a