What is Single Sign-On?
Single Sign-On (SSO) is an authentication technology that allows a user to access multiple applications and services with one set of login credentials. The primary goals of SSO are to reduce the number of times a user has to enter their credentials and make it easier for users to access all the resources they need without having to log in multiple times.
SSO platforms play an integral role in most organisational Identity and Access Management (IAM) systems. Additionally, whenever a consumer uses a social media account to log in to another website – i.e., “Sign in with Facebook” – they’re using SSO.
How does single sign-on work?
SSO systems work by establishing a trust relationship between a user, an Identity Provider (IdP), and the websites and apps that use the SSO login, which are known as service providers. Here's a high-level overview of the process:
The user logs in to the identity provider. The user provides their username and password to the IdP, which verifies the user's identity and authenticates the session.
The identity provider generates a token. Think of this token as a temporary digital ID card that contains information about the user's identity and session. This token, which is stored either in the user's browser or within the SSO service's servers, will be used to pass the user's identity information from the IdP to the service provider.
The user accesses a service provider. When the user tries to access a website or app, that site or app requests authentication from the IdP.
The IdP sends the token to the website or app. The IdP securely sends an encrypted one-time token to the application or website the user wishes to log into.
The website or app uses the information in the token to verify the user's identity. Upon successful verification, the service provider grants access to the user, and the user can start using the site or app.
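The five steps above, carried through in code as an added illustration that is not part of the original glossary entry or of any particular SSO product: an identity provider checks the user's password, mints a short-lived token addressed to one service provider, and the service provider checks the signature, the intended audience, the lifetime and single use before granting access. The token format (HMAC-SHA256 over base64url-encoded JSON claims), the shared signing key, the claim names and the user and service names are all assumptions made for this example; real deployments use SAML assertions or OpenID Connect tokens, but the checks the service provider must make are the same.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _b64u(data: bytes) -> str:
    """base64url without padding, as used for compact web tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """Steps 1, 2 and 4: verify the user's password, then mint a signed token
    addressed to exactly one service provider."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key  # assumed: one IdP signing key shared with every SP at setup time
        self._users = {}         # username -> (salt, PBKDF2 hash); constructed user directory

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def issue_token(self, username: str, sp_id: str, ttl: int = 60, now=None) -> str:
        now = int(time.time()) if now is None else now
        claims = {
            "sub": username,                # who the user is
            "aud": sp_id,                   # which service provider may accept this token
            "iat": now, "exp": now + ttl,   # short lifetime
            "jti": os.urandom(16).hex(),    # unique id so the SP can enforce single use
        }
        body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64u(sig)


class ServiceProvider:
    """Step 5: accept a token only if it is signed, meant for us, still valid and unused."""

    def __init__(self, sp_id: str, idp_key: bytes):
        self.sp_id = sp_id
        self._key = idp_key
        self._used = set()   # jti values already redeemed (replay protection)

    def verify(self, token: str, now=None):
        """Return (True, username) or (False, reason)."""
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64u_decode(sig)):
                return False, "bad signature"   # checked before trusting any claim
            claims = json.loads(_b64u_decode(body))
            sub, aud, iat, exp, jti = (claims[k] for k in ("sub", "aud", "iat", "exp", "jti"))
        except (ValueError, KeyError, TypeError):
            return False, "malformed token"
        if aud != self.sp_id:
            return False, "token not intended for this service"
        if not (iat <= now < exp):
            return False, "token expired"
        if jti in self._used:
            return False, "token already used"
        self._used.add(jti)
        return True, sub


def run_demo():
    """Walk the flow once with a fixed clock and return every verification outcome."""
    signing_key = os.urandom(32)
    idp = IdentityProvider(signing_key)
    idp.register("alice", "correct horse battery staple")   # constructed credentials
    payroll = ServiceProvider("payroll", signing_key)       # trust established out of band
    t0 = 1_700_000_000
    out = {"wrong_password": idp.login("alice", "guess"),
           "login": idp.login("alice", "correct horse battery staple")}
    token = idp.issue_token("alice", "payroll", now=t0)
    out["accepted"] = payroll.verify(token, now=t0 + 5)
    out["replayed"] = payroll.verify(token, now=t0 + 6)        # same token presented again
    body, sig = token.split(".")
    altered = _b64u(_b64u_decode(body).replace(b'"alice"', b'"bob"'))
    out["tampered"] = payroll.verify(altered + "." + sig, now=t0 + 5)   # claims edited, old signature
    out["wrong_audience"] = payroll.verify(idp.issue_token("alice", "wiki", now=t0), now=t0 + 5)
    out["expired"] = payroll.verify(idp.issue_token("alice", "payroll", now=t0), now=t0 + 120)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:15} {result}")
```

The order of checks in `verify` is the point worth copying: the signature is validated before any claim is read, the audience check stops a token meant for one service being accepted by another, and the `jti` set is what makes the token genuinely "one-time". Production identity providers sign with an asymmetric key rather than a shared secret, which removes the need to distribute one secret to every service provider.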
Is single sign-on secure?
Yes. In fact, single sign-on is generally considered to be more secure than traditional username and password authentication systems because SSO reduces the number of passwords that users have to remember, which dissuades users from adopting poor password security practices such as creating weak passwords and reusing passwords across multiple accounts.
However, as with any other technology, SSO systems must be properly configured and maintained to achieve optimal security. Additionally, SSO systems must be used alongside other IAM tools and protocols, including multi-factor authentication, a comprehensive enterprise password manager and role-based access controls.
Types of single sign-on
All SSO systems have the same end goal: Allow users to authenticate once and access multiple applications and systems without having to log in again. However, specific protocols and standards can vary from system to system. Here are some of the most common terms you’ll encounter when working with SSO:
- Federated SSO is common in very large organisations that have multiple applications and systems spread across different departments and locations. It provides a single login that works across systems belonging to different organisations.
- Web-based SSO is often used by “digital native” organisations whose employees work entirely with cloud-based applications and services.
- Security Assertion Markup Language (SAML) isn’t a “type” of SSO, but a standard data format for exchanging authentication and authorisation data between parties. SAML is commonly used in web-based SSO systems.
- Kerberos is a network authentication protocol that provides secure authentication for network services using a digital “ticketing” system. In contrast to SAML, which is used to authenticate to web apps, Kerberos is a back-end technology that’s found in enterprise Local Area Networks (LANs).
- Lightweight Directory Access Protocol (LDAP) is a directory service protocol used to store and retrieve data about users and resources. LDAP-based SSO solutions allow organisations to use their existing LDAP directory service to manage users for SSO. However, since LDAP was not designed to work natively with web applications, organisations generally use their LDAP server as an authoritative “source of truth” – in other words, as an identity provider – in conjunction with SAML-based SSO.
Advantages and disadvantages of single sign-on
The primary advantages of SSO include:
Convenience and improved user experience: SSO eliminates the need for users to remember multiple usernames and passwords, so they can access the services they need faster and more easily.
Enhanced security: SSO gives IT administrators centralised management over user identities, which helps improve security by giving admins better visibility and control over who has access to what. This can help prevent unauthorised access to sensitive information.
Improved productivity: Administrators can spend less time managing user identities, and users don’t have to waste time fumbling with passwords. An SSO solution can also dramatically reduce or even eliminate help desk tickets for forgotten passwords.
The primary disadvantages of SSO include:
Single point of failure: If the SSO system goes down, users will not be able to access any of the services that rely on it, which can result in significant disruption. Similarly, if the SSO system is compromised, threat actors get access to all of the included service providers. This is why it’s critical to secure SSO credentials with multi-factor authentication.
Complexity: Implementing an SSO system can be complex and requires a significant investment of time and resources.
Vulnerability: If the SSO system is not properly maintained, threat actors can potentially compromise it and gain access to multiple services.
Limitations: Not all apps support SSO, particularly legacy Line-of-Business (LOB) apps that perform critical back-end business functions and are not easily refactored or replaced. A robust enterprise password manager fills this gap.
How to implement single sign-on
Implementing a single sign-on solution is a major IT project that must be carefully undertaken. Here are the main steps to follow.
Remember to avoid using email, text messages or phone calls as an authentication factor unless the site or app doesn’t support other methods.
Define your requirements: Determine what services and applications will be included in the SSO implementation, as well as the security and access control requirements for each one. Don’t forget about your security requirements, like multi-factor authentication, password management and role-based access control.
Choose an SSO solution: Select an SSO solution, or a combination of solutions, to meet your requirements.
Configure your identity provider: Set up the IdP component of the SSO solution. Your IdP will be responsible for authenticating users and providing their identity information to the included service providers.
Integrate service providers: Integrate each website and app with the SSO solution. This involves configuring each service provider to communicate with the IdP to receive user identity information and verify the authenticity of the SSO session.
Test the SSO implementation: Select a small test group of users and make sure they can still access needed services and applications with a single set of credentials.
Deploy the SSO solution enterprise-wide: Depending on your needs and data environment, this may involve deploying the IdP and service provider components on separate servers or integrating them into existing infrastructure.
Monitor and maintain the SSO solution: Regularly monitor the SSO solution to ensure that it is functioning correctly and to address any issues that arise.
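As an added example of what the monitoring step can look like in practice (not code from the original entry or from any SSO vendor), the script below reads identity-provider audit events and raises the three findings this page's own concerns point to: successful logins that skipped multi-factor authentication, a burst of failed logins against one account from one source, and service-provider assertions that were rejected. The log lines are constructed for this example and the field names (`event`, `user`, `result`, `mfa`, `src`, `sp`, `reason`) are assumptions; map them onto whatever your IdP actually emits.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IdP audit events in JSON-lines form; field names are assumed for this example.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:01Z", "event": "login", "user": "alice", "result": "success", "mfa": true, "src": "203.0.113.5"}
{"ts": "2024-05-01T08:00:05Z", "event": "login", "user": "bob", "result": "success", "mfa": false, "src": "203.0.113.9"}
{"ts": "2024-05-01T08:01:00Z", "event": "login", "user": "carol", "result": "failure", "mfa": false, "src": "198.51.100.7"}
{"ts": "2024-05-01T08:01:20Z", "event": "login", "user": "carol", "result": "failure", "mfa": false, "src": "198.51.100.7"}
{"ts": "2024-05-01T08:01:40Z", "event": "login", "user": "carol", "result": "failure", "mfa": false, "src": "198.51.100.7"}
{"ts": "2024-05-01T08:02:00Z", "event": "login", "user": "carol", "result": "failure", "mfa": false, "src": "198.51.100.7"}
{"ts": "2024-05-01T08:02:30Z", "event": "login", "user": "carol", "result": "failure", "mfa": false, "src": "198.51.100.7"}
{"ts": "2024-05-01T08:05:00Z", "event": "login", "user": "dave", "result": "failure", "mfa": false, "src": "203.0.113.20"}
{"ts": "2024-05-01T08:05:30Z", "event": "login", "user": "dave", "result": "success", "mfa": true, "src": "203.0.113.20"}
{"ts": "2024-05-01T08:06:00Z", "event": "assertion", "user": "alice", "sp": "payroll", "result": "rejected", "reason": "audience mismatch"}
{"ts": "2024-05-01T08:06:10Z", "event": "assertion", "user": "alice", "sp": "wiki", "result": "accepted", "reason": ""}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts, converting the timestamp to an aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def logins_without_mfa(events: list) -> list:
    """Users who completed a login with no second factor; each is a gap in the MFA policy."""
    return sorted({e["user"] for e in events
                   if e["event"] == "login" and e["result"] == "success" and not e.get("mfa")})


def repeated_failures(events: list, threshold: int = 5, window=timedelta(minutes=5)) -> list:
    """(user, source) pairs with at least `threshold` failed logins inside one sliding window."""
    by_key = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "failure":
            by_key[(e["user"], e["src"])].append(e["ts"])
    flagged = []
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(key)
                break
    return flagged


def rejected_assertions(events: list) -> list:
    """Tokens a service provider refused; a cluster of these usually means a misconfiguration."""
    return [(e["user"], e["sp"], e["reason"]) for e in events
            if e["event"] == "assertion" and e["result"] == "rejected"]


def triage(text: str) -> dict:
    events = parse_events(text)
    return {
        "no_mfa": logins_without_mfa(events),
        "repeated_failures": repeated_failures(events),
        "rejected_assertions": rejected_assertions(events),
    }


if __name__ == "__main__":
    for finding, items in triage(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

Each finding maps back to an action from this page: a user in `no_mfa` needs multi-factor authentication enforced for their account, a `repeated_failures` entry is the signal to lock or step up authentication on that account and review the source, and a `rejected_assertions` entry points at a service-provider integration whose configuration drifted from the IdP's.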
It's important to keep in mind that implementing SSO requires a significant investment of time and resources, and it may take several months to complete the process. It is also important to work with experienced IT professionals who have expertise in SSO solutions and security best practices to ensure a successful implementation.