What is single sign-on (SSO)?

Single sign-on (SSO) is an authentication capability that lets users access multiple applications with one set of sign-in credentials. Enterprises typically use SSO authentication to provide simpler access to a variety of web, on-premises, and cloud applications for a better user experience. It can also give IT more control over user access, reduce password-related help desk calls, and improve security and compliance.


Why use single sign-on solutions?

Today, applications are deployed across datacenters and clouds, and delivered as software as a service (SaaS). Every business application requires users to be authenticated before they are given access to a resource. In the pre-SSO days, every time a user needed to move between applications, they had to sign in with a set of credentials. Most of the time, every application had a separate set of credentials, which resulted in a poor user experience, failed sign-ins caused by forgotten credentials, inconsistent access control policies, and a higher cost to support these applications.

SSO has simplified the way users interact with and access their applications. With SSO, users can save time by accessing all their SaaS, enterprise, web, and virtual applications, as well as other corporate resources like network file shares with only one set of credentials.

How does single sign-on work?

Single sign-on authentication is a component of federated identity management (FIM), an arrangement between enterprises that lets subscribers use the same identification data to access each enterprise’s network. FIM is often referred to as identity federation.

The user’s identity is linked across multiple security domains, each with its own identity management system. When the domains are federated, the user can authenticate to one and access resources in another without having to sign in again.

The framework that allows third parties, like LinkedIn or Facebook, to use someone’s account information to sign them in without exposing their password is called OAuth. It acts as an intermediary by providing the service with a token allowing only specified account information to be shared. When a user accesses an application, the service sends an authentication request to the identity provider, which then verifies the request and grants access.

There are other authentication protocols, like Kerberos and the Security Assertion Markup Language (SAML). Kerberos-based SSO services issue a time-stamped authentication ticket, or ticket-granting ticket (TGT), which is used to obtain service tickets for other applications without prompting the user to enter new credentials. SAML-based SSO services exchange user authentication and authorization data across secure domains, and manage communications between the user, an identity provider with a user directory, and a service provider.
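The identity-provider-to-service-provider exchange described above, as an added example that is not part of the original page: the IdP issues a signed, time-limited assertion scoped to one application, and the SP checks signature, issuer, audience, validity window and replay before granting access. It is a simplification (HMAC-signed JSON instead of SAML's XML signatures); the key, URLs and claim names are hypothetical.

```python
"""Simplified federated SSO: IdP issues an assertion, SP validates it.
Constructed example; HMAC over JSON stands in for a SAML XML signature."""
import hashlib
import hmac
import json
import secrets
import time

IDP_ISSUER = "https://idp.example"     # hypothetical identity provider
IDP_SECRET = b"constructed-shared-key"  # hypothetical key shared by IdP and SP


def idp_issue_assertion(user, audience, now=None, ttl=300):
    """IdP: after authenticating the user, issue an assertion for one SP only."""
    now = time.time() if now is None else now
    claims = {"iss": IDP_ISSUER, "sub": user, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_SECRET, body, hashlib.sha256).hexdigest()
    return body, sig


class ServiceProvider:
    def __init__(self, audience):
        self.audience = audience
        self.seen = set()  # assertion IDs already accepted (replay protection)

    def validate(self, body, sig, now=None):
        """Return (subject, 'ok') on success, else (None, reason)."""
        now = time.time() if now is None else now
        expected = hmac.new(IDP_SECRET, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # check before parsing
            return None, "bad signature"
        c = json.loads(body)
        if c.get("iss") != IDP_ISSUER:
            return None, "unknown issuer"
        if c.get("aud") != self.audience:            # token meant for another SP
            return None, "wrong audience"
        if not (c["iat"] <= now < c["exp"]):
            return None, "expired or not yet valid"
        if c["jti"] in self.seen:                    # same assertion presented twice
            return None, "replayed assertion"
        self.seen.add(c["jti"])
        return c["sub"], "ok"
```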

What are the benefits of single sign-on?

SSO offers benefits to both users and IT. From a user perspective, SSO alleviates password fatigue, making it easier and faster to access applications.

For IT, SSO can help reduce the number of password-related support calls. And automated credential management alleviates the burden of manually managing employees’ access to apps and services. SSO also makes it easier for IT to quickly provision and roll out SaaS applications to employees.

Additionally, from a security perspective, SSO can reduce the threat of cyberattacks, like phishing, by reducing the number of credentials at risk. It’s critical, however, to also implement multi-factor authentication as a backup in case passwords do become compromised.  

Single sign-on best practices

When searching for an SSO solution, it’s important to keep the following best practices in mind.

Access to any application

Some SSO solutions cover only part of the application landscape. Some on-premises solutions provide SSO to web and enterprise applications but cannot do the same for virtual desktop infrastructure (VDI) or SaaS applications. On the other hand, some IDaaS vendors provide SSO to cloud and SaaS applications but not to on-premises applications. When evaluating an SSO solution, you should prioritize one that not only provides an SSO experience across all VDI, enterprise, web, and SaaS applications, but also covers network access to other corporate resources like network file shares.

Secure user identity when accessing SaaS applications

SaaS applications are outside the data center network. To achieve SSO to these applications, many SSO solutions require customers to move their user directory to the cloud. For many enterprise customers this is a concern and a high-risk task, which is why your solution should provide the option to keep your user directory on premises.

Integration with multi-factor authentication mechanisms

It’s crucial to quickly and correctly identify any user and authorize their access to corporate resources. Enterprise customers, therefore, should not rely on just usernames and passwords but should also look for a solution that provides the flexibility to apply authentication schemes based on the state of the end user’s device, the user’s location, the application they are trying to access, and so on. This makes it important to select an SSO solution that supports any authentication mechanism as well as authentication protocols like RADIUS, Kerberos, Microsoft NTLM, Certificate Services, etc.

SSO monitoring and troubleshooting tools

Your SSO solution should include monitoring tools that look for performance issues across all applications, regardless of whether they are hosted in a datacenter, in the cloud, or delivered as SaaS, so you can resolve issues quickly.

Citrix single sign-on solutions

Employees rely on a variety of applications to get work done, but managing access to them can be a big challenge. Citrix Secure Private Access provides adaptive authentication and SSO to all IT sanctioned apps in one place, with a single set of credentials for easy access to corporate resources. Security is improved with fewer passwords for users to manage, and employees can boost productivity with a unified digital workspace.