Single sign-on (SSO) is an authentication capability that lets users access multiple applications with one set of sign-in credentials. Enterprises typically use SSO to provide simpler access to a variety of web, on-premises, and cloud apps for a better user experience. It can also give IT more control over user access, reduce password-related help desk calls, and improve security and compliance.
Today, applications are deployed across data centers and clouds, and delivered as SaaS. Every business application requires users to be authenticated before they are given access to a resource. In the pre-SSO days, every time a user moved between applications, they had to sign in again with a set of credentials. Most of the time, every application had a separate set of credentials, which resulted in a poor user experience, failed sign-ins caused by forgotten credentials, inconsistent access control policies, and higher support costs for these applications.
SSO has simplified the way users interact with and access their applications. With SSO, users can save time by accessing all their VDI, enterprise, web and SaaS applications, as well as other corporate resources like network file shares with only one set of credentials.
Single sign-on is a component of federated identity management (FIM), an arrangement between enterprises that lets subscribers use the same identification data to access each enterprise’s network. FIM is often referred to as identity federation.
The user’s identity is linked across multiple security domains, each with its own identity management system. When the domains are federated, the user can authenticate to one and access resources in another without having to sign in again.
OAuth is the framework that lets a third party, like LinkedIn or Facebook, use someone’s account information to sign them in without ever seeing their password. (Strictly, OAuth governs delegated authorization; the sign-in layer built on top of it is OpenID Connect.) It acts as an intermediary: the identity provider hands the service a token that permits only the specified account information to be shared. When a user accesses an application, the service sends an authentication request to the identity provider, which verifies the request and grants access.
There are other authentication protocols, like Kerberos and the Security Assertion Markup Language (SAML). Kerberos-based SSO services issue a time-stamped authentication ticket, the ticket-granting ticket (TGT), after the initial sign-in; the client then presents the TGT to obtain service tickets for other applications without prompting the user to enter credentials again. SAML-based SSO services exchange user authentication and authorization data across security domains as signed XML assertions, and manage communications between the user, an identity provider with a user directory, and a service provider.
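The flows above share one shape: the user proves their identity to the identity provider once, and every application afterwards trusts a signed, time-limited token instead of asking for the password again. The following Python is an added illustration of that shape, not code from the original article or from any SSO product. It assumes a toy identity provider whose login session stands in for a Kerberos TGT and whose per-application tokens stand in for service tickets or SAML assertions; the tokens are HMAC-signed JSON rather than real Kerberos or SAML messages, and the user directory, key, and application names are constructed sample data. The two service providers show why the audience and expiry checks matter: a token minted for one application must not unlock another, and a stale or tampered token must be rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple


def _pw_hash(salt: bytes, password: str) -> bytes:
    # Placeholder password hashing for the demo; a real IdP would use Argon2 or bcrypt.
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed sample directory: username -> (salt, hash). Only the IdP ever sees passwords.
_SALT = b"constructed-salt"
USER_DIRECTORY = {"alice": (_SALT, _pw_hash(_SALT, "correct horse battery staple"))}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates a user once, then mints short-lived signed tokens per application."""

    def __init__(self, signing_key: bytes, directory: dict):
        self._key = signing_key
        self._directory = directory
        # session id -> username; this plays the role of the TGT / IdP session cookie
        self._sessions: Dict[str, str] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        entry = self._directory.get(username)
        if entry is None:
            return None
        salt, stored = entry
        if not hmac.compare_digest(stored, _pw_hash(salt, password)):
            return None
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = username
        return session_id

    def token_for(self, session_id: str, audience: str, ttl: int = 300,
                  now: Optional[int] = None) -> Optional[str]:
        """Issue a token (analogous to a service ticket) bound to one application."""
        username = self._sessions.get(session_id)
        if username is None:
            return None  # no valid SSO session: the user must sign in first
        now = int(time.time()) if now is None else now
        payload = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


class ServiceProvider:
    """An application that trusts the IdP's key and never handles the user's password."""

    def __init__(self, name: str, idp_key: bytes):
        self.name = name
        self._idp_key = idp_key

    def accept(self, token: str, now: Optional[int] = None) -> Tuple[bool, str]:
        try:
            body, sig = token.split(".")
        except ValueError:
            return False, "malformed token"
        expected = hmac.new(self._idp_key, body.encode(), hashlib.sha256).digest()
        # Verify the signature before trusting anything inside the payload.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        payload = json.loads(_unb64(body))
        now = int(time.time()) if now is None else now
        if payload["aud"] != self.name:
            return False, "token issued for another application"
        if now >= payload["exp"]:
            return False, "token expired"
        return True, f"welcome {payload['sub']}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """One sign-in, two applications, and the three rejection cases."""
    key = b"constructed-idp-key"
    idp = IdentityProvider(key, USER_DIRECTORY)
    crm, mail = ServiceProvider("crm", key), ServiceProvider("mail", key)
    session = idp.login("alice", "correct horse battery staple")
    crm_token = idp.token_for(session, "crm", ttl=300, now=1000)
    return {
        "crm_ok": crm.accept(crm_token, now=1100),
        "mail_rejects_crm_token": mail.accept(crm_token, now=1100),
        "expired": crm.accept(crm_token, now=1400),
        "mail_ok": mail.accept(idp.token_for(session, "mail", now=1100), now=1150),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `now` parameter exists only to make the expiry check reproducible; drop it and both classes fall back to the wall clock.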
SSO offers benefits to both users and IT. From a user perspective, SSO alleviates password fatigue, making it easier and faster to access applications.
For IT, SSO can help reduce the number of password-related support calls. And automated credential management alleviates the burden of manually managing employees’ access to apps and services. SSO also makes it easier for IT to quickly provision and roll out SaaS applications to employees.
Additionally, from a security perspective, SSO can reduce the threat of cyberattacks, like phishing, by reducing the number of credentials at risk. It’s critical, however, to also implement multi-factor authentication as a backup, because a single compromised SSO password would otherwise open every connected application.
When searching for an SSO solution, it’s important to keep the following best practices in mind.