What is single sign-on? How SSO improves security and the user experience
Password fatigue, cloud sprawl and developer simplicity are pushing the rise of SSO.
Single sign-on (SSO) is a centralized session and user authentication service in which one set of login credentials can be used to access multiple applications. Its beauty is in its simplicity; the service authenticates you one on one designated platform, enabling you to then use a plethora of services without having to log in and out each time.
Consumers might think of social sign-in through Google, Facebook or Twitter as strong SSO platforms, with each platform enabling access to a variety of third-party services. In the enterprise, an organization might use SSO to allow users to log into proprietary web applications (hosted on an internal server) or cloud hosted ERP systems, for example.
Implemented correctly, SSO can be great for productivity, IT monitoring and management, and security control. With one security token (a username and password pair), you can enable and disable user access to multiple systems, platforms, apps and other resources. You also reduce the risk of lost, forgotten or weak passwords.
A well thought out and well executed SSO strategy can eliminate password-related reset costs and downtime, mitigate the risk of insider threats, improve user experience and authentication processes, and put the organization firmly in control of user access
Why use single sign-on?
SSO’s rise coincides with other notable and interrelated trends, including the rise of public cloud, password fatigue, new developer methodologies, enterprise mobility, and web and cloud-native applications.
The move to cloud applications in particular is both an opportunity and a hinderance. According to recent research, enterprises in 2017 expected to use an average of 17 cloud applications to support their IT, operations and business strategies. So, it’s no surprise that 61 percent of respondents believe identity and access management (IAM) is more difficult today than it was two years ago.
Barry Scott, CTO at Centrify EMEA, sees two clear reasons to use SSO. “The first [reason] is that it improves the user experience by stopping the sprawl of different usernames and passwords which came about through the incredible rise in SaaS cloud-based applications. The second reason is improved security. The main cause of breaches is compromised credentials and the more usernames and passwords we have, the worse our password hygiene becomes. We start to use the same passwords everywhere and they often become less complex, making it easier for credentials to be compromised.”
Okta’s Director of Security Product Joe Diamond agrees that cloud applications are presenting IT teams with new challenges. “IT organizations are faced with questions such as how do you create/manage user accounts, ensure accurate entitlement (no unnecessary permissions), and ensure proper offboarding when an employee leaves the company.
“Having identity stores/silos across multiple solutions also becomes impossible to manage this proliferation,” Diamond adds. “Just because an organization adopts Office 365, Box and Slack doesn’t mean they also want three sets of logins and passwords for these services. SSO becomes, in a way, a prerequisite for organizations looking to adopt cloud solutions.”
Diamond also cites bring-your-own-device (BYOD) policies and the “always-on,” “work-from-anywhere” culture as SSO drivers. “People are working from devices that IT doesn’t control and on networks which IT has no visibility,” he says. “This leaves authentication as a critical device- and location-agnostic control point to invoke security controls such as continuous authentication, multi-factor authentication, context-aware access controls, user behavior analytics and so forth.”
What are the benefits of SSO?
The biggest advantage of SSO is arguably the scalability it provides. Automated credentials management means that the sysadmin is no longer required to manually take care of all the employees’ access to the services they want. This in turn reduces the human error factor and frees up IT time to focus on more important tasks.
Other benefits include rapid provisioning for cloud-first applications; if SSO supports the rise of open standards like Security Assertion Markup Language (SAML) 2.0, the application can be quickly provisioned by an SSO admin and rolled out to employees. SSO can also offer increased security (especially when combined with two-factor authentication [2FA]), productivity gains, and fewer IT help desk password resets.
Scott sees benefits for the IT team and the employee: “The primary benefit of SSO is the ease of use for users, which also results in a reduction in helpdesk calls for password resets. It improves security as there are less user credentials at risk, but there is a definite need for multi-factor authentication (MFA) as a backup for passwords in case they are stolen or guessed.”
Scott adds that Centrify’s customers find that SSO makes on-boarding people to new software-as-a-service (SaaS) applications faster and easier. “As IT can provide access more easily, there is less likelihood of ‘shadow IT’ developing. Good SSO (or identity as a solution [IDaaS]) solutions enable users to request access to new applications and for the approval workflow to be very straightforward.”
Francois Lasnier, SVP identity and access management at Gemalto, adds that in the past, remote access was offered through VPN onto the network, meaning SSO for on-premises apps was handled within the Windows ecosystem. That has changed through cloud adoption. SSO, he says, can “alleviate the pressure by providing control to the IT teams and convenience to employees. A successful SSO implementation enables IT to decide who can access which applications, when and where. It enables flexibility, allowing an organization to grant employees access to all applications when in the office, but only a select few when working remotely. It keeps the business safe, while enabling employees to work in a convenient manner. Overall, SSO, when combined with risk management mechanisms, improves access security and mitigates the risk of a breach.”
Okta’s Diamond offers this customer example: 20th Century Fox needed to find a way to improve its creative process and distribution across thousands of employees, contractors and partners, all while protecting intellectual property (IP) worth millions. By using Okta’s identity platform, Diamond says Fox was able to roll out a solution to all 22,000 employees, as well as hundreds of business partners, providing easy access to teams working on location on different types of devices. IT got visibility into who is logging in where, and user provisioning became simpler across both internal and external teams.
Single sign-on implementation
How do organizations implement SSO in an ever-moving IAM landscape, where technology stacks typically compromise public cloud and on-premises infrastructure? Scott says organizations should follow this process:
- Define a list of applications and decide which are in scope.
- If applications won’t support SSO, evaluate their future. Demand SSO of your vendors.
- Decide on the main identity source for users. (It is usually Microsoft Active Directory, but it could include LDAP, Google Directory or others.)
- Define the necessary applications and policies in the SSO solution.
- Determine who needs access to which applications.
- Based ideally on groupings of users rather than specifying individuals, grant access to applications. This should allow existing group management processes to determine access to applications going forward.
- Switch on the apps as project plans and change control allows.
Gemalto’s Lasnier adds that “Organizations have to consider their current authentication schemes. For some this could be mean multiple different schemes they have in place, usually per department or use case. All of that is irrelevant though, if the solutions that businesses implement can’t support all the applications they use, or the cost of implementation is too high. Ripping up existing solutions could be very costly, so businesses must look to combine these under one management solution, allowing them to expand the opportunity for use cases, while moving securely to the cloud.”
At the same time, Okta’s Diamond urges caution with legacy apps. “The key is providing flexibility without compromise. For many, the source of truth will remain as Active Directory (AD), but make no mistake: legacy applications are everywhere. You also need to be able to support RADIUS and LDAP, for example, to meet critical use cases that most enterprises will have.”
It would be wrong to suggest that SSO is a silver bullet. Challenges around implementing SSO include cost, control, standardization (SAML vs OAuth), and vulnerability. For example, earlier this year a validation bug with the SAML open protocol could allow an attacker to log into a site or service as though they were the victim they were targeting. A separate OAuth vulnerability, researchers found, could result in an attacker being able to sign into a victim’s mobile app account and take control of it.
Scott also sees issues around compatibility — apps that don’t support SSO. “Users must demand that their application providers have genuine SSO capability via SAML, Kerberos, etc., and don’t simply introduce yet another username/password for people to look after.” MFA and SSO also need to be put together side-by-side.
He is sure SSO has a bright future. “By taking a ‘zero trust’ approach to security, there will be more adoption of SSO to enable users to work in the same way wherever they are, and on whatever device they are using,” says Scott. “We will see more application providers including SSO in their applications and there will be increased adoption of MFA because of the potential exposure of only having one set of credentials.”