Enterprise single sign-on, as the name suggests, aims to integrate all authentication into one, taking a user's...
network login and using that as the key to allow access to other services. However, the concept of enterprise SSO has become increasingly difficult to accomplish with the growing number of applications that organizations are deploying and the different methods by which they are accessed.
The challenge for enterprise SSO now is not only to integrate a user's network logon with local applications, but also integrate it with mobile and software as a service (SaaS) cloud offerings. Without the ability to integrate all of an organization's services, SSO will not provide the single solution that it promises.
Traditional enterprise SSO on a Microsoft Windows domain works by storing encrypted user credentials, allowing staff to log in to the network once and have access to many different resources without needing to enter their password again. A number of "affiliate applications" can be selected by the administrator to use these credentials to allow seamless access. Both the credentials and the applications that can use them are stored in a central SQL database. SSO servers are then able to access and use these credentials to perform the authentication, allowing the user to access servers on the network. The infrastructure is completed with a "master secret" server, which stores the encrypted master secret in a registry, according to Microsoft, and allows decryption of the credentials.
Cloud complicates enterprise SSO
However, the standard enterprise SSO product is no longer sufficient for a modern enterprise with mobile applications and cloud-based SaaS services. The requirement to integrate with these additional services has driven the need for alternatives. The latest identity services, known as identity as a service (IDaaS), bridge the gap between traditional enterprise SSO and cloud offerings. Vendors include OneLogin, Okta and Microsoft's Azure Active Directory, which use identity services such as Security Assertion Markup Language, WS-Federation and OpenID. Accounts can be imported from Active Directory, and then the products can be configured to allow seamless access to thousands of supported SaaS products. This is achieved by either sending a token using a federation service or by submitting the encrypted credentials to the form-based login of the application.
These SaaS products support popular applications such as Office 365, Dropbox and Google's extensive collection of apps. Access can even be granted outside of Active Directory -- for example, if temporary access is required for a contractor or another third party, the user can be created solely within the IDaaS tool and granted access only to the applications that are required. Multifactor authentication (MFA) can be enforced, or an administrator can allow access to certain applications from specific IP address ranges -- useful if you want the most sensitive business applications to only be accessible from the office.
What enterprise SSO needs now
With the increasingly blurred lines of the traditional organization perimeter, SSO needs to be able to handle a multitude of different cases. IDaaS is ideal for enterprises looking to integrate and truly gain control over all their services.
In order to take advantage of IDaaS, an organization needs to gain a better understanding of what applications its staff is using, which will be beneficial in the long run. As only those SaaS services that are known can be included in the SSO implementation, it helps IT staff to discover shadow cloud services, and either integrate them or ban their use. Uncontrolled and unsanctioned use of SaaS is a major concern for information security departments, and by integrating these services with enterprise SSO, organizations can determine what data is leaving the network and apply security policies and controls like MFA.
This story in context: About the early evolution of SSO
Need healthcare-specific SSO? Read this.
Learn more about how to strengthen authentication methods