What is Single Sign-On (SSO)?
Single sign-on, or SSO, is an authentication method where users only need to enter their login credentials (usually username and password) once to access multiple services or applications.
Many platforms, such as Google, use SSO to enable users to access affiliated sites and applications without having to create separate identifications and input login credentials on each one.
While large platforms like Google and Facebook use SSO, most smaller-scale organisations do not have their own SSO systems in place. There are companies that offer bespoke SSO services for organisations or individuals who want to utilise SSO.
How does SSO work?
SSO is an aspect of Federated Identity Management, or FIM. FIM is an arrangement between multiple services (such as websites and applications) where a single user identity (verified by authentication via login credentials) can be used to access each service in the federation.
SSO uses federation protocols such as SAML or OpenID Connect (which is built on OAuth 2.0) to pass a signed statement about the authenticated user, an assertion or token, from an IdP to an SP. The user's password itself is never sent to the SP.
An IdP, or Identity Provider, is the service that authenticates the user. To the user it is usually just a login screen (some IdPs also provide an administrative dashboard with usage statistics and metrics) that asks for a username and password. Most IdPs can also require two-factor authentication (2FA) or multi-factor authentication (MFA), where the user must supply one or more extra factors to prove their identity (for example a one-time code from an authenticator app, a hardware security key, or a code sent by email or text message; email and text-message codes are the weakest of these, since they can be intercepted or phished). This adds an extra layer of security and is becoming standard practice in many industries.
An SP, or Service Provider, is the name given to the application or service that the user is attempting to access. This could be a particular webpage, database, file, or piece of software.
SAML does not share the user's password with the SP. Instead the IdP issues a SAML Assertion: a signed XML document stating that it has authenticated the user, usually carrying extra attributes such as first name, last name and email address. The assertion travels through the user's browser to the SP (typically as an HTML form POST over HTTPS, the SAML HTTP-POST binding). The SP verifies the IdP's signature and then checks that the assertion was issued for it (the Audience and Recipient), that it is within its validity window, and that it answers a request the SP actually made (InResponseTo), before creating a session for the user. This signed assertion, or the equivalent token in other protocols, is what is loosely called an SSO authentication token.
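The SP-side checks just described, as an added example that is not code from the original article: it validates a constructed SAML 2.0 assertion after the XML signature has already been verified (signature verification needs an XML-DSig library such as xmlsec and is assumed to have succeeded). The issuer, audience, recipient, request ID and timestamps are all made up for the example, and the assertion is consumed once so that a replayed copy is rejected.

```python
# Added example (not from the original article): post-signature checks a SAML
# service provider must make before trusting an assertion.  Every URL, ID and
# timestamp here is constructed; the XML signature is assumed already verified.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion as an IdP might issue it (Signature element omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.com/acs" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, *, expected_issuer, expected_audience, expected_recipient,
                       outstanding_request_ids, now, clock_skew=timedelta(seconds=60)):
    """Return (subject, attributes) for an acceptable assertion, else raise ValueError."""
    root = ET.fromstring(xml_text)  # in production parse with defusedxml to harden against XML attacks
    if root.tag != f"{{{SAML_NS['saml']}}}Assertion":
        raise ValueError("not a SAML Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("missing Conditions validity window")
    if now + clock_skew < parse_ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - clock_skew >= parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:  # assertion minted for a different SP
        raise ValueError(f"audience mismatch: {audiences}")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None or scd.get("Recipient") != expected_recipient:
        raise ValueError("recipient mismatch")
    if scd.get("NotOnOrAfter") and now - clock_skew >= parse_ts(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")
    request_id = scd.get("InResponseTo")
    if request_id not in outstanding_request_ids:
        raise ValueError(f"InResponseTo {request_id!r} does not match an outstanding request (replay or unsolicited)")
    outstanding_request_ids.discard(request_id)  # one-time use: a second copy is rejected
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", SAML_NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)}
    return subject, attrs


def demo():
    """Run the validator over the sample assertion in several situations; returns the outcomes."""
    base = dict(expected_issuer="https://idp.example.org/saml",
                expected_audience="https://sp.example.com/metadata",
                expected_recipient="https://sp.example.com/acs")

    def attempt(now, ids, **overrides):
        try:
            return validate_assertion(SAMPLE_ASSERTION, now=now, outstanding_request_ids=ids,
                                      **{**base, **overrides})
        except ValueError as err:
            return str(err)

    ids = {"_req42"}  # IDs of AuthnRequests this SP has sent and not yet seen answered
    return {
        "fresh": attempt(parse_ts("2024-01-01T12:01:00Z"), ids),
        "replayed": attempt(parse_ts("2024-01-01T12:01:00Z"), ids),  # same assertion presented again
        "expired": attempt(parse_ts("2024-01-01T12:10:00Z"), {"_req42"}),
        "wrong_audience": attempt(parse_ts("2024-01-01T12:01:00Z"), {"_req42"},
                                  expected_audience="https://other-sp.example.net"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The order of checks matters: issuer, validity window and audience are tested before the request ID is consumed, so an assertion that fails for another reason does not burn the outstanding request.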
Think of an IdP as being like a bouncer at a festival, and each SP as being a different stall at the festival. Instead of each stall having its own bouncer, a visitor simply presents their ticket to the single bouncer, who gives the visitor a stamp or wristband that grants them access to every stall at the festival!
Why use SSO?
Using SSO has various benefits. One of the most obvious advantages of implementing an SSO system is that it saves time—instead of users having to sign in to many different applications every day, they only need to log in once at the start of each session. You may not think that logging in takes that long, but think of how many applications many organisations use daily and how many users there are repeatedly logging in to different SPs! These frequent logins can really add up and have a significant effect on an organisation's efficiency as well as the user experience. Streamlining operations can benefit organisations from commercial businesses seeking profit to public services and education providers.
It is not just the time taken to log in that is saved with SSO. SSO can also drastically reduce the volume of calls to IT Support requesting simple password reminders or resets! This lightens the workload of an organisation's technicians and enables them to work on more important tasks.
SSO can also increase sales and profit for many commercial enterprises such as online stores. A study by the Baymard Institute found that almost 19% of account holders on the online retail sites Amazon and ASOS ended up abandoning their online shopping carts because of forgotten passwords or issues resetting passwords. While having a unique password for each application you use is recommended by cybersecurity professionals, having too many passwords to remember is an extremely common source of stress for many people. Some companies may be losing almost a fifth of their sales this way, a loss that SSO can help to reduce.
Difficult or protracted sign-up or sign-in processes can also result in a loss of potential customers. You have probably given up on signing up for a new service at some point due to an inconvenient or frustrating system of access. Using SSO can streamline this and increase user adoption of new software and services.
Are there risks to using SSO?
Despite the potential loss of sales, many organisations may still choose to use a traditional authentication system involving multiple passwords as a method of maintaining strong security. It seems to make sense that if a single password is used for various accounts, the chances of accounts being accessed by cybercriminals are increased, as only one password needs to be compromised to grant access to all accounts.
However, the idea that SSO necessarily weakens security is a misconception, provided the IdP itself is well protected. SSO can actually lessen the chances of passwords being compromised, because users are more likely to choose a strong password when they only need to remember one. When forced to constantly create new passwords for different services, people often end up choosing passwords that are easy to remember, and therefore easy to guess, or reuse the same password everywhere so that a breach at one site exposes the others. They are also more likely to write passwords down on notes (physical or electronic) that can fall into the wrong hands. The trade-off is that the single login becomes the high-value target: the IdP must be hardened, monitored and backed by MFA, because compromising it compromises every connected SP.
SSO can also boost security by letting administrators control a user's access centrally: a change to the single identity at the IdP takes effect across every connected application, rather than having to be repeated on many separate accounts. This is especially useful when a user or employee leaves an organisation, since disabling the account at the IdP stops new logins everywhere at once. Note that sessions and tokens already issued to SPs remain valid until they expire or are revoked, so short token lifetimes and single logout support matter here. Granular access management controls can also apply stricter authentication requirements to particular apps or services and place limitations or extra access privileges on individual users.
Most of the remaining risk can be mitigated by requiring 2FA or MFA at the IdP alongside the simple login and by developing a robust security policy for your organisation. In any cybersecurity system, the most common "weak link" is human error or negligence, such as making your password the name of your favourite sports team, or simply "password"!
MFA and SSO
Multi-factor authentication is an integral part of a robust security system and is recommended by most cybersecurity professionals. Passwords are the easiest form of authentication to compromise, so adding an extra authentication factor (e.g., a one-time password from an authenticator app, a hardware security key, or a fingerprint or facial recognition scan; security questions are just another piece of knowledge, so they do not count as a separate factor) is essential if you want to keep your organisation's data safe in today's world.
Unfortunately, many services that offer SSO solutions do not include MFA! If you are looking to implement an SSO solution, it is important to choose a service that offers MFA.
Combining MFA with SSO at the IdP also considerably reduces the risk of that single set of credentials being compromised, as an attacker would need not only the password but also control of the user's second factor.
How are SSO solutions implemented?
SSO solutions can be implemented in different ways depending on the solution and the specifics of an organisation's systems. There are several factors to consider if you are looking to implement SSO on your system. These factors include:
- How many users (individual and concurrent) will be using the system
- What the specific requirements of individual users are
- What particular systems need to be integrated
- Whether or not API access is needed
- Whether or not the solution needs to be scalable
- Whether or not you want to implement security features such as MFA, Device Trust, IP Address Whitelisting, Adaptive Authentication, etc
- Whether you want the solution to be onsite or hosted on a Cloud service
Skilled and reputable SSO services like Overt Software Solutions have knowledgeable and experienced technicians who will be able to discuss these factors with your IT department to work out the best way to implement an SSO solution for your organisation's needs. Overt Software Solutions can provide all of the key components of a secure and powerful SSO system, such as a dedicated IdP, MFA, integration between different federation services, and qualified tech support.
What are the different types of SSO?
There are various types of open standards and authentication protocols that can be part of an SSO system:
- SAML: SAML is short for Security Assertion Markup Language. SAML is an open standard for exchanging authentication and authorisation data, as signed XML assertions, between an IdP and an SP; SAML 2.0 is the version in current use and is the backbone of much enterprise federation.
- OAuth: OAuth, or Open Authorisation, is an open standard for delegated authorisation: it lets a user grant an application limited, scoped access (temporary or renewable) to their resources without handing over their password. It is not itself an authentication protocol, which is why OpenID Connect exists. OAuth 2.0 is the version most frequently used these days.
- OpenID Connect: OpenID Connect, or OIDC, is an identity layer on top of OAuth 2.0. It lets a client verify the user's identity based on the authentication performed by the IdP, by way of a signed ID token (a JWT) that the client must validate, and retrieve the user's basic profile information.
- Kerberos: Kerberos is a ticket-based authentication protocol in which a trusted third party, the Key Distribution Center (KDC), authenticates the user once and issues time-limited tickets that the user presents to services. It underpins sign-on to Windows Active Directory domains and many Unix environments.
- JWT: JWT, or JSON Web Token, is a compact, URL-safe format for conveying signed (JWS) and optionally encrypted (JWE) claims between parties. A JWT is signed either with a shared secret (HMAC, e.g. HS256) or with the issuer's private key (e.g. RS256, ES256) and verified with the same secret or the matching public key; the receiver must also check the issuer, audience and expiry claims rather than trusting the payload just because it parses. JWT is a token format used by protocols such as OIDC, not an SSO protocol on its own.
- Federated SSO: Federated SSO is when SSO authentication tokens are used not just to enable a user access to different resources within the system of one organisation, but to enable access to the resources of multiple organisations. A group of organisations who have agreed to share access to resources is known as a federation.
- Same Sign-On: Same Sign-On is often also abbreviated to SSO, however it is not the same thing as Single Sign-On. Unlike Single Sign-On, Same Sign-On does not involve trust between different parties; it is simply the same username and password replicated or synchronised to several systems, each of which still receives and checks the password itself. Compared to Single Sign-On, Same Sign-On is notably less secure: every system holds a copy of the credential, and a compromise of any one of them exposes the rest.
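The OIDC and JWT entries above describe an ID token that the client must validate. The following added example, which is not code from the original article, mints and verifies such a token using only the Python standard library. It uses HS256 (HMAC with the client secret, which OIDC permits) so that it runs offline; public IdPs normally sign with RS256 or ES256 and publish the key at their jwks_uri, but the claim checks are the same. The secret, issuer, client ID and claims are all constructed, and the example also shows two classic forgeries being rejected: a tampered payload with the original signature, and the "alg": "none" trick.

```python
# Added example (not from the original article): mint and verify an OIDC ID
# token (JWT, HS256) with the checks a relying party must make.  The secret,
# issuer, client ID and claims are constructed for the example.
import base64
import hashlib
import hmac
import json

CLIENT_SECRET = b"constructed-client-secret-not-for-real-use"
ISSUER = "https://idp.example.org"
CLIENT_ID = "sp-client-app"


def b64url_encode(raw: bytes) -> str:
    """JWT uses base64url without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_id_token(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """What the IdP does: sign header.payload with HMAC-SHA256."""
    signing_input = f"{_encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_part(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes = CLIENT_SECRET, *, issuer: str = ISSUER,
                    audience: str = CLIENT_ID, nonce: str, now: int, leeway: int = 60) -> dict:
    """What the relying party does; returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own header choose "none" or a different scheme.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")  # token minted for some other client
    if now >= int(claims.get("exp", 0)) + leeway:
        raise ValueError("expired")
    if "nbf" in claims and now + leeway < int(claims["nbf"]):
        raise ValueError("not yet valid")
    if claims.get("nonce") != nonce:  # nonce binds the token to this client's login attempt
        raise ValueError("nonce mismatch")
    return claims


def tamper(token: str, **changes) -> str:
    """Attacker edits the payload but keeps the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{_encode_part(payload)}.{sig_b64}"


def forge_alg_none(token: str, **changes) -> str:
    """Attacker rewrites the header to alg=none and drops the signature."""
    _, payload_b64, _ = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{_encode_part({'alg': 'none', 'typ': 'JWT'})}.{_encode_part(payload)}."


def demo() -> dict:
    """Verify a genuine token and several forgeries; returns the outcome of each."""
    now = 1_700_000_000  # constructed 'current time' (Unix seconds)
    claims = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": now,
              "exp": now + 300, "nonce": "n-8f3a"}
    token = mint_id_token(claims)

    def attempt(tok, at, nonce="n-8f3a"):
        try:
            return verify_id_token(tok, nonce=nonce, now=at)
        except ValueError as err:
            return str(err)

    return {
        "valid": attempt(token, now + 10),
        "tampered": attempt(tamper(token, sub="admin"), now + 10),
        "alg_none": attempt(forge_alg_none(token, sub="admin"), now + 10),
        "expired": attempt(token, now + 400),
        "wrong_nonce": attempt(token, now + 10, nonce="n-other"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The verifier decides the algorithm itself and only then checks the signature; reading `alg` from the untrusted header and acting on it is the root of both the `none` bypass and HMAC/RSA key-confusion bugs. The nonce is the OIDC equivalent of SAML's InResponseTo: it ties the token to a login attempt this client actually started.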
Social SSO vs Enterprise SSO
Social SSO is a system where users can log in to various applications using their login credentials for social media sites such as Facebook. For example, applications like Instagram and many others enable users to log in using their Facebook account, which they may already be signed in to. The number of sites and applications using this integration with Facebook continues to grow. A Google account similarly signs the user in to Google's own services such as YouTube and to third-party sites that offer "Sign in with Google". Sites like LinkedIn and Twitter also offer Social SSO to allow integration with chosen third-party sites.
Apple has also recently developed its own SSO solution called Sign in with Apple, designed to be a more private and security-conscious alternative to other Social SSO systems (for example, it can hide the user's real email address from the application behind a relay address). The systems used by Facebook, Google, Twitter, and LinkedIn have been criticised by many security and privacy professionals, mainly because the social account becomes a single point of compromise for every linked service and because the provider learns which services the user signs in to; some advise consumers against using them for sensitive accounts.
Enterprise SSO, also known as eSSO, is a type of password management software that stores users' login credentials in a server component and automatically submits them to each application on the user's behalf.
Both Social SSO and eSSO are widely used. However, they are often not as secure as federated SSO: with eSSO the passwords still exist and are still replayed to every application, and with Social SSO the account sits outside the organisation's control, so it cannot enforce its own MFA, access policies or deprovisioning on it.
What is True SSO?
You may have also heard the term "True" SSO. But what is it that separates "True" SSO from less complete forms of SSO?
The term SSO is often used simply to mean the use of a single set of credentials to sign in to cloud-based applications. However, that alone does not make a system True SSO, as your devices, network, and locally-hosted applications still require a separate login!
A solution that can be accurately described as True SSO is one where a single login from the desktop is all that the user needs to access the entire network and every resource and application, whether cloud-based or hosted locally.
A True SSO solution would require an automatic simultaneous login to every resource from the desktop. The use of password vaults or password managers is not technically True SSO, as separate logins are still carried out at different times. True SSO is also secure and does not include a user's password being sent to a website, application, or any other resource other than the IdP.
How does SSO fit into an Identity and Access Management strategy?
A secure and efficient Identity and Access Management (IAM) strategy is vital for organisations of all types and all sizes. An effective SSO solution is an incredibly useful component of an IAM strategy, as it increases operational efficiency, improves user experience, and can strengthen network security.
SSO works best alongside MFA, a qualified IT support team, and a well-implemented and robust data security policy. An IAM strategy that includes all of these components is one that is likely to be successful. If you are looking to develop or improve your organisation's IAM strategy, Overt Software Solutions can help.