Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. SSO can be used by enterprises, smaller organizations, and individuals to mitigate the management of various usernames and passwords.
In a basic web SSO service, an agent module on the application server retrieves the specific authentication credentials for an individual user from a dedicated SSO policy server, while authenticating the user against a user repository such as a lightweight directory access protocol (LDAP) directory. The service authenticates the end user for all the applications the user has been given rights to and eliminates future password prompts for individual applications during the same session.
How single sign-on works
Single sign-on is a federated identity management (FIM) arrangement and the use of such a system is sometimes called identity federation. OAuth, which is pronounced "oh-auth," is the framework that allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.
OAuth acts as an intermediary on behalf of the end user by providing the service with an access token that authorizes specific account information to be shared. When a user attempts to access an application from the service provider, the service provider will send a request to the identity provider for authentication. The service provider will then verify the authentication and log the user in.
Types of SSO configurations
- SAML is an XMLstandard that facilitates the exchange of user authentication and authorization data across secure domains. SAML-based SSO services involve communications between the user, an identity provider that maintains a user directory, and a service provider.
- In a Kerberos-based setup, once the user credentials are provided, a ticket-granting ticket (TGT) is issued. The TGT fetches service tickets for other applications the user wishes to access, without asking the user to re-enter credentials.
- Smart-card-based SSO will ask an end user to use a card holding the sign-in credentials. Once first used, a user will not have to re-enter usernames or passwords. SSO smart cards will store either certificates or passwords.
Security risks and SSO
Although single sign-on is a convenience to users, it presents risks to enterprise security. An attacker who gains control over a user's SSO credentials will be granted access to every application the user has rights to, increasing the amount of potential damage. In order to avoid malicious access, it's essential that every aspect of SSO implementation be coupled with identity governance. Organizations can also use two-factor authentication (2FA) or multifactor authentication (MFA) with SSO to improve security.
Google, LinkedIn, Twitter and Facebook all offer popular SSO services that allow an end user to log into a third-party application with their social media authentication credentials. Although social single sign-on is a convenience to users, it can present security risks because it creates a single point of failure that can be exploited by attackers. Many security professionals recommend that end users refrain from using social SSO services altogether because once an attacker gains control over a user's SSO credentials, they will be able to access all other applications that use the same credentials.
Apple recently unveiled its own single sign-on service and is positioning it as a more private alternative to the SSO options provided by Google, Facebook, LinkedIn and Twitter. The new offering, which will be called Sign In with Apple, is expected to limit what data third-party services can access. Apple's single sign-on (SSO) will also enhance security by requiring users to use two-factor authentication on all Apple ID accounts to support integration with Face ID and Touch ID on iOS devices.
Enterprise single sign-on (eSSO) software products and services are password managers with client and server components that log the user on to target applications by replaying user credentials. These credentials are almost always username and password, and target applications do not need to be modified to work with the eSSO system.
Advantages and disadvantages of SSO
Advantages of SSO include:
- Allows users to remember and manage less passwords and usernames for each application.
- Streamlines the process of signing on and using applications—no need to re-enter passwords.
- Lessens the chance of phishing
- Less complaints or trouble about passwords for IT helpdesks.
Disadvantages of SSO include:
- It does not address certain levels of security each application sign-on may need.
- If availability is lost, then users are locked out of the multiple systems connected to the SSO.
- If an unauthorized user gains access, then access could gain access to more than one application.
There are multiple SSO vendors that are well known, some provide other services and SSO is an additional feature. SSO Vendors include:
- Rippling- which allows users to sign into cloud applications from multiple devices.
- Avatier Identity Anywhere- which is an SSO for Docker container-based platforms.
- OneLogin- which is a cloud-based identity and access management platform which supports SSO.
- Okta- which is a tool with an SSO functionality. Okta also supports two-factor authentication and is primarily utilized by enterprise users.
Check out this buyer's guide for healthcare organizations considering an SSO technology purchase and explore the various options available, including federated SSO.