Single Sign-On (SSO) is an authentication service where a user logs in to a service or account and then gains access to multiple applications. The technology eliminates the need for multiple logins by providing automatic authentication after the initial sign-on.
Ideally, authenticated users do not have to log in to individual applications or services whenever they need access. Typical areas where a single sign-on is applicable include cloud services, online portals, intranets, and other environments where users need to access and navigate between several applications.
Other areas where it is applicable include e-commerce, banking, and other customer-facing apps and websites. In this case, the SSO allows the users to seamlessly access several enterprise and third-party applications without having to log in to each of them individually.
Google, Microsoft, and other enterprise platforms are among the major companies that use SSO. For example, once you log in to your Gmail account, you can access Google Drive, Google Docs, AdSense, YouTube, Google Analytics, Google Search Console, and all the other apps associated with that email address.
Why Is Single Sign-On Important?
Organizations are using multiple applications and services to improve workflows and performance. The deployment on the cloud and/or on-premise environments often results in fragmentation which can be a challenge for IT teams and users.
For example, managing fragmented apps requires more time and skills for the IT staff. Also, users must rely on many applications and services to do their work. Traditionally, this requires logging in to multiple applications and switching between them several times daily.
SSO eliminates the need to keep entering login credentials every time there is a need to access a different application or service. Users provide one set of credentials to access the services and seamlessly switch between applications without logging in again.
Besides improving user experience, it enhances security while reducing costs and workload on the IT staff, who traditionally spend much of their time sorting out login issues.
How Does Single Sign-On Work?
The SSO process is based on a trust relationship between the identity provider, such as a server, and the application a user is trying to access. The two exchange a certificate that the application or service verifies is from a trusted source.
A typical flow looks like the one below but may differ depending on the protocol and whether the application is on-premise or cloud-based.
A user attempts to access the service provider, which is the service, website, or application the user wants to use.
The application sends a token to the identity provider or SSO service to authenticate the user.
The SSO system checks if the user is already authenticated. If so, the user is granted access to the application. If not, the user is prompted to provide the credentials.
Once authentication is verified, the Identity Provider sends a token to the service or application, and the user can now access it.
Once a user logs in to an app or website that relies on single sign-on, the SSO service connects to the primary identity provider server. The system then creates an authentication token that acts as a temporary identity showing the user has been verified. This is stored on the application server or in the user’s web browser.
Whenever the user accesses another app, the new application checks the SSO service to find if there is an active authentication token. If the user has logged into another app, the SSO service confirms this and then passes the token to the application. Consequently, the user automatically logs in to a different app without providing the credentials.
If the user has not logged in, the SSO service prompts for the username and password.
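The flow described above, as an added example that is not part of the original article: an in-memory SSO service keeps a central session store and issues short-lived tokens bound to one application; each application confirms a token with the SSO service (a back-channel check) instead of trusting the token bytes on their own. The user directory, the 300-second lifetime and the application names are constructed for the example.

```python
import secrets
import time

# Added example (not from the original article): an in-memory SSO service
# with a central session store and short-lived, application-bound tokens.
# Applications validate tokens by asking the SSO service (a back-channel
# check) rather than trusting the token bytes themselves.

TOKEN_TTL = 300  # seconds; constructed value, sessions and tokens are short-lived

# Constructed user directory; a real deployment would verify a password hash.
USERS = {"alice": "correct horse battery staple"}


class SSOService:
    def __init__(self):
        self.sessions = {}  # session_id -> {"user", "expires"}
        self.tokens = {}    # token -> {"user", "app", "expires"}

    def login(self, username, password):
        """Credential prompt: on success a central SSO session is created."""
        if USERS.get(username) != password:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "expires": time.time() + TOKEN_TTL}
        return sid

    def has_active_session(self, sid):
        s = self.sessions.get(sid)
        return s is not None and s["expires"] > time.time()

    def issue_token(self, sid, app):
        """Issue a token bound to one application for an active session."""
        if not self.has_active_session(sid):
            return None
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"user": self.sessions[sid]["user"], "app": app,
                            "expires": time.time() + TOKEN_TTL}
        return tok

    def validate_token(self, tok, app):
        """Application-side check: token must exist, be for this app, and be unexpired."""
        t = self.tokens.get(tok)
        if t is None or t["app"] != app or t["expires"] <= time.time():
            return None
        return t["user"]


class Application:
    """A service provider that relies on the SSO service for authentication."""

    def __init__(self, name, sso):
        self.name, self.sso = name, sso

    def access(self, sid=None, credentials=None):
        """Returns (user, prompted, session_id); prompted is True when credentials were required."""
        prompted = not self.sso.has_active_session(sid)
        if prompted:
            if credentials is None:
                return None, True, None
            sid = self.sso.login(*credentials)
            if sid is None:
                return None, True, None
        tok = self.sso.issue_token(sid, self.name)
        return self.sso.validate_token(tok, self.name), prompted, sid


def walkthrough():
    """Runs the flow from the text: the first app prompts, the second does not."""
    sso = SSOService()
    mail, drive = Application("mail", sso), Application("drive", sso)

    # 1. No session yet: the first application must prompt for credentials.
    user, prompted, sid = mail.access()
    assert user is None and prompted
    user, prompted, sid = mail.access(credentials=("alice", USERS["alice"]))

    # 2. The second application sees the active session and logs the user in silently.
    user2, prompted2, _ = drive.access(sid)

    # 3. Tokens are bound to the issuing application: drive's token is useless at mail.
    drive_tok = sso.issue_token(sid, "drive")
    cross_app = sso.validate_token(drive_tok, "mail")

    # 4. An expired session falls back to a credential prompt.
    sso.sessions[sid]["expires"] = time.time() - 1
    _, prompted3, _ = drive.access(sid)

    return {"first_prompted": prompted, "second_prompted": prompted2,
            "user": user, "user2": user2, "cross_app": cross_app,
            "expired_prompted": prompted3}
```

Binding each token to one application and keeping lifetimes short are the two checks worth copying from this toy: a token captured from one app cannot be replayed at another, and a stale session cannot be reused after it expires.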
Benefits of Single Sign-On
Single sign-on authentication delivers benefits such as improving security and compliance for the applications, users, and data. It also delivers a better user experience and satisfaction since there are fewer disruptions and no need to remember different credentials for each service or app.
Other benefits are as follows:
#1. Reduced Password Fatigue
Naturally, in today’s digital world, an individual must remember several passwords to access different services and applications. However, most people dread having to remember different passwords.
Instead, someone will use one easy-to-remember password to access the different services, which is a big security risk. For example, a criminal with the password for one application can also access and compromise all the other services that use the same password.
Although the SSO uses one common set of credentials, it relies on a stronger password and is mostly used with multi-factor authentication.
#2. Easier to Integrate Multi-factor Authentication
Since SSO runs and is managed from a central place, it allows easy integration of MFA. In this case, users only need to activate the MFA once instead of several times based on the number of applications and services.
#3. Reduced Password Recovery Time
SSO reduces the time it takes to recover or reset forgotten passwords. Most often, IT teams spend a lot of time resolving password issues for the staff. SSO reduces the number of passwords required and hence the time it takes to reset them.
#4. Improved Productivity
By eliminating the need to log in to each application or service, the SSO authentication saves the time employees would need to access multiple applications, improving productivity.
Users only need to log in once, after which they can seamlessly navigate across multiple applications without prompting for the username and password again.
#5. Enhances Regulatory Compliance
Regulated industries such as the medical, financial, and others have strict requirements to comply with standards such as HIPAA, PCI DSS, and others. By using SSO, companies can comply easily since they only need to secure one set of credentials for all services and resources.
Drawbacks of SSO Authentication
Although Single Sign-On authentication delivers a better user experience and other benefits, it has some drawbacks.
#1. Security Risks
The SSO service may have higher security risks. Flaws in the SSO system and insecure SSO practices can potentially expose the credentials that attackers can exploit and compromise multiple applications. Additionally, the SSO may not address all the security requirements of some sensitive or critical applications.
Despite the challenges, organizations are deploying the SSO due to its many benefits, especially when using low-risk applications such as chats. To enhance security, they can add other authentication technologies, such as the MFA.
#2. Complex Deployment
Configuring SSO components such as the identity provider and digital certificates, and then integrating them with the applications (service providers), is a complex and challenging exercise that requires high expertise and time.
Once set, the SSO service must be available at all times. It, therefore, requires a high-availability infrastructure to ensure reliability and access to organization applications. Otherwise, downtime leads to the inability to access the applications and services.
Additionally, loss of credentials such as the password, or the inability to log in to the main account, means the user cannot access any application. However, most Single Sign-On solutions provide a self-service password reset that lets users reset their own passwords.
#3. Not All Applications Support Single Sign-on Login
Although most enterprise cloud and on-premise applications support SSO, some do not. As such, even with SSO in place, users may still need separate credentials for unsupported services and applications.
SSO Authentication Standards and Protocols
An SSO authentication process must reliably and securely pass the authentication token to the other services and applications the user can access. For this to happen, the authentication tokens have specific protocols or standards to ensure their legitimacy and accuracy.
For example, for cloud applications, you can deploy federation-based SSO authentication methods such as OAuth, OpenID Connect, or SAML.
There are several SSO authentication methods and protocols, and the choice depends on the environment, level of security requirements, and more.
Federated identity management (FIM) provides a trust relationship between applications and vendors, trusted third parties, and external service providers.
For example, after logging in to a Gmail or Apple account, a user may have access to other apps such as Twitter without being prompted for an additional login. However, it may prompt for verification, such as a phone number, when accessing the external app for the first time on the device.
Adaptive Single Sign-On
The adaptive SSO authentication will initially prompt for a username and password to access the primary account. However, accessing a sensitive or highly secure app may require additional authentication, such as credentials or an MFA code. This may also happen when accessing an application or service from a new device or location.
Social SSO Authentication
This allows users to log in to third-party services, applications, and websites using their social media accounts, such as Twitter, Facebook, Apple, Google, or LinkedIn.
Smart Card SSO Authentication
To log in with this authentication, a user must have a physical smart card and use it to sign in to the computer that holds the primary account. Afterward, the user can access multiple other applications and services. Ideally, this is one of the most secure SSO solutions, since unless attackers obtain both the physical card and the PIN, they cannot sign in to the applications.
Smart card single sign-on is not very popular but is more secure. Banks and online payment services use it as a multi-factor authentication option.
Kerberos Authentication Single Sign-On
The SSO authentication system prompts a user to provide their primary credentials. The identity provider, such as Active Directory, then issues a ticket-granting ticket (TGT). Afterward, the TGT provides service tickets for the other services, websites, and applications the user wants to access.
In Kerberos authentication, the TGT tickets are usually temporary and only for a specific session. They have a short lifespan to reduce the risks of an attacker accessing or hijacking the session.
Security Assertion Markup Language (SAML) Protocol
SAML is one of the open standard protocols that support the exchange of encrypted authentication and authorization data between the primary identity provider and several applications or services.
Compared to other protocols, SAML provides higher security controls and is ideal for critical and protected applications in governments and enterprises.
SAML enables user authentication and authorization. Besides the username and password, organizations can add the multi-factor authentication option to enhance security.
Open Authorization OAuth Protocol
OAuth is also an open standard protocol that enables applications to securely exchange authorization information. It allows different applications to communicate without exposing user passwords.
Using the Auth0 authentication, businesses can integrate applications while integrating SSO options such as SAML, LDAP, AD, and more.
OpenID Connect (OIDC) Single Sign-On Protocol
OpenID Connect (OIDC) is a Single Sign-On authentication protocol for consumer-facing applications. The open standard authentication protocol runs on top of OAuth.
It uses an identity provider with JSON Web Tokens to authenticate the users. For example, it can use social login to permit users to access a shopping cart or other third-party application.
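An added example, not code from the original article, of the JSON Web Token side of OIDC: the identity provider mints an ID token, and the relying party verifies the signature and then the claims that the text's social-login scenario depends on (issuer, audience, expiry, nonce). It assumes HS256 with a shared client secret, which OIDC permits for confidential clients; public providers normally sign with RS256 and publish keys over JWKS, but the claim checks are the same. The issuer URL, client id, nonce and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (not from the original article): minting and validating an
# OpenID Connect ID token (a JWT). Assumption: HS256 with a shared client
# secret; the claim checks do not depend on the signing algorithm.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Identity-provider side: sign header.payload with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class InvalidToken(Exception):
    pass


def validate_id_token(token, secret, issuer, client_id, nonce, now=None):
    """Relying-party side: verify the signature first, then the OIDC claims."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise InvalidToken("malformed token")
    header = json.loads(_b64url_decode(h))
    # The verifier pins the algorithm; the token header never gets to choose it.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise InvalidToken("wrong audience")
    if claims.get("exp", 0) <= now:
        raise InvalidToken("expired")
    if claims.get("nonce") != nonce:
        raise InvalidToken("nonce mismatch (possible replay)")
    return claims


def demo(now=1_700_000_000):
    """Constructed tokens: one valid, plus the failure modes a relying party must catch."""
    secret = b"constructed-client-secret"
    issuer, client_id, nonce = "https://idp.example", "shop-web", "n-0S6_WzA2Mj"
    good = {"iss": issuer, "sub": "alice", "aud": client_id, "iat": now - 10,
            "exp": now + 300, "nonce": nonce}
    results = {"valid": validate_id_token(mint_id_token(good, secret), secret,
                                          issuer, client_id, nonce, now)["sub"]}
    bad_cases = {
        "expired": dict(good, exp=now - 1),
        "other_audience": dict(good, aud="other-app"),
        "replayed_nonce": dict(good, nonce="stale"),
        "other_issuer": dict(good, iss="https://other-idp.example"),
    }
    for name, claims in bad_cases.items():
        try:
            validate_id_token(mint_id_token(claims, secret), secret, issuer, client_id, nonce, now)
            results[name] = "accepted"
        except InvalidToken as e:
            results[name] = str(e)
    # Tampered payload: the original signature no longer matches.
    h, p, s = mint_id_token(good, secret).split(".")
    forged = f"{h}.{_b64url(json.dumps(dict(good, sub='mallory')).encode())}.{s}"
    try:
        validate_id_token(forged, secret, issuer, client_id, nonce, now)
        results["tampered"] = "accepted"
    except InvalidToken as e:
        results["tampered"] = str(e)
    return results
```

The order of checks matters: the signature is verified before any claim is read, the audience check stops a token issued for one application from being accepted by another, and the nonce ties the token to the login request that started the flow.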
Deploying Single Sign-On authentication improves the way users navigate across different applications or services. Once you log in through SSO, you have permission to access all the approved services or applications without having to log in to each of them individually. Consequently, it delivers a better user experience and productivity.