Other shared authentication schemes include OAuth, OpenID, OpenID Connect and Facebook Connect.
Unix/Linux environment - Login via Kerberos PAM modules fetches TGT.
Kerberized client applications such as Evolution, Firefox, and SVN use service tickets, so the user is not prompted to re-authenticate.
The authors found 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, Janrain, Freelancer, FarmVille, and
Because the researchers informed ID providers and relying party websites prior to public announcement of the discovery of the flaws, the vulnerabilities were corrected, and there have been no security breaches reported.
Active Directory-aware applications fetch service tickets, so the user is not prompted to re-authenticate.
Single sign-on also makes the authentication systems highly critical; a loss of their availability can result in denial of access to all systems unified under the SSO.
SSO can be configured with session failover capabilities in order to maintain the system operation.
Conversely, single sign-off is the property whereby a single action of signing out terminates access to multiple software systems.
As different applications and resources support different authentication mechanisms, single sign-on must internally store the credentials used for initial authentication and translate them to the credentials required for the different mechanisms.
To be precise, OAuth is not strictly an authentication scheme but an authorization protocol: it provides a way for users to grant websites or applications access, on their own behalf, to other websites or applications using some access keys.
The main purpose of the protocol is to exchange the access credentials required for the authentication and not the authentication itself.
A user wielding a user agent (usually a web browser) is called the subject in SAML-based single sign-on.