Single sign on (SSO) is a tool used for user authentication. It enables users to access multiple services and applications securely using a single set of user credentials.
Think of different applications like Zoom, Slack, or Asana. You could access all of them through one login page or a pop-up widget enabled by SSO. That single page uses one password and grants access to every application you have integrated.
Think of twenty applications or sites you visit daily, each requiring different login details or passwords; with SSO, you securely use just one.
SSO saves users the trouble of storing, remembering, and entering different passwords, and spares them the frustration of password resets after forgetting one.
With SSO, users can access different platforms and applications without needing to log in each time. You might wonder how all this works, right? Well, this is how an SSO makes life easier.
How SSO Works
The single sign on and single logout features make use of sessions. An SSO user can have up to three different sessions, namely:
- The local session, which is maintained by the application.
- The authorisation server session, which is SSO-enabled.
- The identity provider session, created when the user logs in through an identity provider service such as Facebook or Google Workspace.
For SSO to cover all of these sessions, the central domain shares its session with the other domains after performing authentication. Exactly how the session is shared differs between SSO protocols, but the general concept is the same.
SSO relies on a concept known as federated identity: sharing identity attributes across autonomous systems that trust each other. If a user is trusted by one system, they are automatically given access to the other systems with which a trusted relationship has been established. Such relationships rely on protocols like SAML 2.0 and OpenID Connect, which form the basis of modern SSO solutions.
Once a user signs in to a platform using their SSO login details, the authentication token that is created is stored either on the SSO solution provider's servers or in the user's browser. When the user wants to access another website or application, that token is presented to prove their identity; the application checks it with the SSO service and then grants access.
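As an added illustration (this is example code, not code from the original article), here is a Python sketch of the token exchange just described: a central SSO service holds the identity-provider session, mints a short-lived token bound to one application, the application checks the token's signature, audience and expiry before opening its own local session, and single logout ends every session at once. The application names, the shared secret, the password check and the token layout are all assumptions.

```python
import base64, hmac, hashlib, json, secrets, time
from typing import Optional

# Constructed demo. The shared secret, application names and token layout are assumptions;
# a real deployment would use per-application keys rather than one shared secret.
SSO_SECRET = b"demo-shared-secret"
sso_sessions = {}                               # sid -> username  (identity-provider session)
local_sessions = {"slack": {}, "zoom": {}}      # app -> {sid: username}  (local sessions)

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sso_login(username: str, password: str) -> Optional[str]:
    """Central login: verify the one password and open the identity-provider session."""
    if password != "correct horse":             # constructed credential check
        return None
    sid = secrets.token_hex(8)
    sso_sessions[sid] = username
    return sid

def issue_token(sid: str, audience: str, ttl: int = 300) -> Optional[str]:
    """The SSO service mints a short-lived, audience-bound, HMAC-signed token for one app."""
    if sid not in sso_sessions:
        return None
    body = json.dumps({"sub": sso_sessions[sid], "aud": audience, "sid": sid,
                       "exp": int(time.time()) + ttl}, sort_keys=True).encode()
    return b64(body) + "." + b64(hmac.new(SSO_SECRET, body, hashlib.sha256).digest())

def app_accept_token(app: str, token: str) -> Optional[str]:
    """An application validates the token before opening its own local session."""
    try:
        body, sig = (unb64(part) for part in token.split("."))
    except ValueError:
        return None                                 # malformed token
    if not hmac.compare_digest(sig, hmac.new(SSO_SECRET, body, hashlib.sha256).digest()):
        return None                                 # forged or tampered
    claims = json.loads(body)
    if claims["aud"] != app or claims["exp"] < time.time():
        return None                                 # meant for another app, or expired
    if claims["sid"] not in sso_sessions:
        return None                                 # central session already logged out
    local_sessions[app][claims["sid"]] = claims["sub"]
    return claims["sub"]

def single_logout(sid: str) -> None:
    """Single logout: end the identity-provider session and every local session tied to it."""
    sso_sessions.pop(sid, None)
    for sessions in local_sessions.values():
        sessions.pop(sid, None)
```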
Security of SSO
Although there are many ways SSO can improve security, its overall security depends on the situation.
SSO has several advantages, since the user can rely on one complex password that they can actually remember. Password management becomes easier for both administrators and users, and the tiring process of password resets after forgetting them is simplified.
This means the IT helpdesk in your business can spend more time on other important tasks, because users won't need frequent password resets. Your IT administrators will also be able to centrally control multi-factor authentication and password complexity.
Offboarding will be easier for employees and system administrators, since a user's privileges can be revoked by disabling a single account.
However, Single Sign On also has some disadvantages. Some applications and platforms require a higher level of security than others. Such applications may need complex authentication features that SSO does not provide. You may also require that users of such platforms connect from a more secure network, which SSO may limit.
Common Configurations
Smart-card based
With smart-card based Single Sign On (SSO), the first sign-in prompts the user to enter the smart card credentials; other software then uses the smart card without prompting for user details again. Smart-card based single sign on works with either passwords or certificates stored on the smart card.
Kerberos based
The first sign-in prompts for user login credentials and issues a Kerberos ticket granting ticket (TGT). Other platforms and additional software will not require the user to re-enter their credentials: they obtain the user's identity through the TGT, which is used to request service tickets.
In a Linux environment, login through the Kerberos PAM module fetches the TGT. Client applications that use service tickets include Firefox, SVN, and Evolution. The user will be required to re-authenticate. In a Windows environment, the login fetches the TGT, and applications that are aware of Active Directory fetch the service tickets, meaning the user will not be required to re-authenticate.
Security Assertion Markup Language
Security Assertion Markup Language (SAML) is an XML-based method for exchanging a user's security information between a SAML service provider and a SAML identity provider. It supports XML encryption and service provider-initiated web browser single sign-on exchanges.
In SAML-based single sign on, the subject is the user agent, which is a web browser. When the user requests a web resource protected by the SAML service provider, the service provider issues an authentication request to learn the identity of the user.
The SAML identity provider then issues the requested identity information, in the form of user credentials. The user information generated allows the service provider to grant access to its resources and services.
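To make the service provider's side of that exchange concrete, here is an added Python example (not code from the original article) that validates a constructed, unsigned SAML Response the way a service provider should before trusting the identity it carries: the response must answer a request this provider actually sent, come from the trusted identity provider, be inside its validity window, and name this provider as its audience. The issuer, audience, NameID and request id are made-up values, and XML-Signature verification, which is mandatory in practice, is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned SAML Response; the issuer, audience, NameID and request id are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req-42">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.test/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def saml_time(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses in NotBefore / NotOnOrAfter."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sp_validate(response_xml: str, trusted_issuer: str, my_entity_id: str,
                pending_request_id: str, now: datetime) -> Optional[str]:
    """Service-provider checks on the identity provider's answer; returns the NameID or None.
    XML-Signature verification of the assertion is mandatory in practice and is not shown here."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != pending_request_id:
        return None                     # not the answer to a request this SP actually sent
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return None                     # not from the identity provider we federate with
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return None                     # no usable validity window
    if not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
        return None                     # replayed (stale) or not yet valid
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return None                     # assertion was issued for a different service provider
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```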
Integrated Windows Authentication
This configuration is common in Microsoft products. It refers to the SPNEGO, NTLMSSP, and Kerberos authentication protocols, exposed through the SSPI functionality that began with Windows 2000 and other Windows NT-based operating systems. It is used for automatically authenticated connections between Internet Explorer and Microsoft Internet Information Services.
Protocols Used
- WS-Federation and SAML
- Lightweight Directory Access Protocol (LDAP)
- AD/LDAP
- Inbound SSO
- OpenID Connect
- Outbound SSO
Advantages of SSO
- Secure, seamless user access – The SSO provider simplifies access management, since the administrator can keep track of all logins centrally, which is more secure.
- Future proofing – With SSO, all your users and the multiple applications they use will be well secured.
- Simplified user access auditing – When users gain access to systems, auditing is easier because fewer logins mean simpler traffic logs.
- Empowered users – When users rely on an SSO system, they can carry out activities quickly and seamlessly, because they have a single set of SSO credentials that is easier to remember.
Disadvantages of SSO
- There are risks of potential security vulnerabilities.
- There can be issues with app compatibility.
- Because one set of credentials unlocks every connected service, additional authentication techniques such as multi-factor authentication are important to block an attacker who obtains a user's SSO credentials.
SSO will provide seamless experiences for your company when your users are using different services and applications.
It is, however, crucial for business owners to ensure their operations are secure, so that if one service is compromised, other services are not affected and their data is not breached.
How cyber-secure is your business? Find out with our free cybersecurity health check.
It’s a 30-minute Zoom call that walks through a checklist to assess your current cybersecurity levels and provide a short report with some advice and recommendations.