What is single sign-on (SSO)?
Single sign-on (SSO) is an authentication capability that lets users access multiple applications with one set of sign-in credentials. Enterprises typically use SSO to provide simpler access to a variety of web, on-premises, and cloud apps for a better user experience. It can also give IT more control over user access, reduce password-related help desk calls, and improve security and compliance.
Why use single sign-on?
Today, applications are deployed across data centers and clouds, and being delivered as SaaS. Every business application requires users to be authenticated before they are given access to a resource. In the pre-SSO days, every time a user needed to move between applications, they had to sign in with a set of credentials. Most of the time, every application had a separate set of credentials, and it resulted in poor user experience, failed sign-ins as a result of forgotten credentials, inconsistent access control policies, and higher cost to support these applications.
SSO has simplified the way users interact with and access their applications. With SSO, users can save time by accessing all their VDI, enterprise, web and SaaS applications, as well as other corporate resources like network file shares with only one set of credentials.
How does single sign-on work?
Single sign-on is a component of federated identity management (FIM), an arrangement between enterprises that lets subscribers use the same identification data to access each enterprise’s network. FIM is often referred to as identity federation.
The user’s identity is linked across multiple security domains, each with its own identity management system. When the domains are federated, the user can authenticate to one and access resources in another without having to sign in again.
The framework that allows third parties, like LinkedIn or Facebook, to use someone’s account information to sign them in without exposing their password is called OAuth. It acts as an intermediary by providing the service with a token allowing only specified account information to be shared. When a user accesses an application, the service sends an authentication request to the identity provider, which then verifies the request and grants access.
There are other authenticating protocols, like Kerberos and the Security Assertion Markup Language (SAML). Kerberos-based SSO services issue a time-stamped authentication ticket, or ticket-granting ticket (TGT), which gets service tickets for other applications without prompting the user to enter new credentials. SAML-based SSO services exchange user authentication and authorization data across secure domains, and manage communications between the user, an identity provider with a user directory, and a service provider.
What are the benefits of single sign-on?
SSO offers benefits to both users and IT. From a user perspective, SSO alleviates password fatigue, making it easier and faster to access applications.
For IT, SSO can help reduce the number of password-related support calls. And automated credential management alleviates the burden of manually managing employees’ access to apps and services. SSO also makes it easier for IT to quickly provision and roll out SaaS applications to employees.
Additionally, from a security perspective, SSO can reduce the threat of cyberattacks, like phishing, by reducing the number of credentials at risk. It’s critical, however, to also implement multi-factor authentication as a backup in case passwords do become compromised.
Single sign on best practices
When searching for an SSO solution, it’s important to keep the following best practices in mind.
- Access to any application. Some SSO solutions are limited in the scope of application landscape they cover. Some on-premises solutions provide SSO to web and enterprise applications but cannot do the same for VDI or SaaS applications. On the other hand, some of the IDaaS vendors provide SSO to cloud and SaaS applications but not for on-premises applications. When evaluating an SSO solution, you should prioritize the capability to not only provide SSO experience across all VDI, enterprise, web, and SaaS applications, but also network access to other corporate resources like network file shares.
- Secure user identity when accessing SaaS applications. SaaS applications are outside of the data center network. To achieve SSO to these applications, many solutions require customers to move their user directory to cloud. This, to many enterprise customers, is a concern and a high-risk task, which is why your solution should provide the option to keep your user directory on premises.
- Integration with multi-factor authentication mechanisms. It’s crucial to quickly and rightfully identify any user and authorize their access to corporate resources. Enterprise customers, therefore, should not rely on just user names and passwords but should also look for a solution that provides flexibility to use authentication schemes based on the state of end user device, user location, application they are trying to access, etc. This makes it important to select an SSO solution that supports any authentication mechanism as well as authentication protocols like RADIUS, Kerberos, Microsoft NTLM, Certificate Services, etc.
- Monitoring and troubleshooting tools. Your SSO solution should include monitoring tools that look for performance issues for all applications irrespective if they are in a data center, cloud or delivered as SaaS, so you can resolve issues quickly.