What Is Single Sign-On (SSO)? Definition, Process, and Best Practices - Spiceworks (2024)

Single sign-on (SSO) is defined as an authentication process where a user can log in to multiple applications from different devices using a single set of credentials. These credentials are usually a username and a password, sometimes supplemented by another mode of authentication such as one-time passwords (OTPs) and fingerprint scanning. Single sign-on is based on the concept of identity federation, which is the process of multiple trusted and independent parties sharing user identity information.

What Is Single Sign-On (SSO)?

Single sign-on (SSO) is an authentication process where users can log in to multiple applications from different devices using a single set of credentials. These credentials are usually a username and a password, sometimes supplemented by another mode of authentication such as one-time passwords (OTPs) and fingerprint scanning. Single sign-on is based on the concept of identity federation, which is the process of multiple trusted and independent parties sharing user identity information.

SSO services work by providing the user with a token in exchange for valid credentials. All other apps or website logins look for this token instead of individual credentials. A real-world equivalent is the use of identity cards provided by governments. The same ID card, for example, a driver’s license, can be used at a COVID-19 vaccine center to prove eligibility also at a pub to prove that a person is of the legal drinking age.

Single sign-on can be of two variations:

1. Social SSO: Facebook, Google, Twitter, and LinkedIn are often spotted in sign-in/sign-up pages of ecommerce, news, and media websites. Etsy and Medium use social SSO, relying on Google and Facebook to identify and verify users. Customer-facing businesses mostly use social SSO.
2. Enterprise SSO: In a typical enterprise, employees access email applications, collaboration tools such as G Suite, conferencing apps such as Zoom, and HR apps such as Workday and Successfactors. This is on top of role-specific applications such as Salesforce CRM. Enterprises can opt for an SSO system, either as part of an identity and access management (IAM) solution or by using third-party vendors such as Okta. This enables employees to use the same credentials across all these applications.

Today’s users depend on varied applications and websites for different uses and tasks. This means juggling multiple user credentials, with each governed by the password policies of the individual app. This is not a simple task. As a result, most people use simple passwords (e.g., 12345), reuse the same password across applications, or note them down in unsecured locations.

Passwords are the entry point to the entire infrastructure of any organization. According to Verizon’s 2020 data breach investigation report, 37% of reported data breaches begin with stolen or misplaced credentials. Over 80% of data hacking efforts involve using brute force to guess or steal passwords. One of the most found malware was password dumpers, which extract and dump passwords from the victim’s device. Within an enterprise, when one user falls prey, all of the organization’s assets are at the risk of exposure.

Such breaches can be avoided whenemployees follow proper password hygiene. This means routinely changing passwords, using complex passwords (a good mix of alphabets, numbers, and symbols) to withstand brute force attacks and storing these passwords in safe spaces. Individual password management is vital for security, but it also takes up mental space and time.

SSO provides a streamlined way of signing in and using multiple applications. Intuitively, it may seem like using a single point of entry is dangerous from a security standpoint. But SSO allows administrators to enforce password policies in a centralized manner. This decreases the attack surface. An SLA binds a trusted third-party identity provider to store, retrieve, and verify identities in a secure, encrypted manner. Single sign-on solutions also help with regulatory compliance audits.

SSO can be used by enterprises, small organizations, and individuals looking for an easy but secure way of managing passwords. That being said, SSO is not the same as a password manager. Password managers are vaults that store different application credentials. This vault itself can be accessed by a single set of credentials. SSO is an identification system through which all login requests from chosen and trusted apps are routed, and multiple passwords aren’t involved.

See More: 10 Best Password Managers for 2021

The Single Sign-On Process Explained

The single sign-on process has three main actors:

1. The service provider: The service provider (SP) is the entity that provides IT solutions and services to individual users or organizations. For example, Amazon provides cloud services (AWS), Microsoft provides email services (Outlook), and SAP provides ERP solutions.
2. The user: Users are individuals who try to access services by authenticating themselves.
3. The identity provider: The identity provider is the entity that creates, manages, and authenticates users when they try to access the services provided by the SP.

Without an SSO system in place, users need to log in to individual services using their login pages, connected to their own authentication services. With an SSO system, when users need to use an application service, they go through the following flow:

1. The user opens an app and sees a common sign-in page across multiple apps and services if not signed in.
2. The SSO username and password are typed in, along with any other extra authentication steps that the IT admin may have implemented.
3. If valid, the user is logged into the application.
4. When users try to access another application, even if seemingly unrelated to the first one, they are logged in automatically. A different login page does not appear. However, the common login screen does appear if the user session has timed out.

What happens behind the scenes?

When an organization decides to incorporate SSO into its infrastructure, it identifies trusted services, solutions, and partners to share user identities with. These service providers agree to rely on the identity provider to authenticate the users.

Every time a user tries to connect to a service provider, the sign-in request flows to the central server instead of the service provider. The central server is where the identity provider is hosted. The identity provider verifies the user credentials by checking against a separate identity management service or a user directory. If valid, the central server sends back an ‘authentication token’ to the service provider.

The authentication token is the backbone of the SSO process. It is a piece of digital user identity information required by application services to function. It serves as a temporary ID card. Authentication tokens are created by using SSO protocols. SSO protocols are specific, predefined structures that specify how the user information must be bundled, encrypted, and transported to the user’s device.

Some common SSO protocols include:

• Security access markup language (SAML): SAML is an XML-based open-standard for transmitting user information.
• Open Authorization (OAuth): OAuth is an open standard to transmit user information without revealing the password.
• Kerberos: Kerberos issues a ticket-granting ticket (TGT) for every valid user authentication. Both the user and server identify each other with tickets issued by the TGT. This makes it the ideal standard for untrusted networks.
• OpenID Connect: OpenID Connect is built on top of OAuth 2.0. It is fast gaining traction for being easier to implement than SAML. Since it works with restful application programming interfaces (APIs), it is an ideal choice for mobile applications.
• Smart card authentication: This involves smart cards loaded with cryptographic keys. When plugged into a computer, pre-loaded software interacts with it and authenticates the user. It is expensive and is usually used in addition to other modes of authentication.

The token has user and session information. A session is the allowed period when the user’s logged-in status is valid. This duration of validity can be anywhere from a few minutes to even a few weeks.

The identity provider redirects back to the service with the token. The service provider understands that the user has been authenticated and allows access to the application. If the user needs to use another service, the request is redirected to the central server again. If the token already exists and the session is still valid, the user can directly access the second application instead of logging in again.

SSO capabilities can be built from scratch within an organization, though using third-party SSO providers or other identity-as-a-service (IdaaS) solution providers makes more sense.

From the SSO process, it is clear that a single sign-on drastically improves user experience, thereby boosting productivity. In the enterprise setup, employees do not have to spend time on password management and save time daily by not encountering the login page every few minutes. B2C companies that incorporate SSO have reported a decrease in user registration drop-off rates. This is because new users do not have to spend time filling in forms during sign-up; they can just opt to use identity providers such as Facebook and Twitter.

Single sign-on is clearly beneficial on more than one front. However, introducing it within an infrastructure must be done with care since it also introduces a new set of security risks. The next section explains the 10 best practices one can follow to create an effective and secure SSO system.

See More: The Problem With Storing Passwords in Your Browser (and How to Fix It)

Top 10 Best Practices for Implementing and Managing Single Sign-On (SSO)

Single sign-on is often one of the first steps enterprises take when building a zero trust security network, even while improving the productivity and usability of its applications. Here are some best practices to make sure that SSO implementation is truly secure and comprehensive.

Best Practices for Implementing and Managing Single Sign-On (SSO)

1. Identify points in infrastructure that need SSO intervention

Organizations need to look into all the third-party applications and services they use, along with which services they expose to their partners. This information must further be examined to see which of these applications need to be accessed using SSO. This depends on the criticality of the assets underlying each service, who uses them, and how often they are used.

2. Check for compatibility while choosing SSO solutions

Some applications may not integrate well with certain SSO solutions. Every app chosen should have SSO capability, i.e., reading the user information no matter what protocol it is packaged in – be it SAML, OAuth, or Kerberos. Suppose the organization’s architecture is heavily based on web proxy, VPN, or other tunneling technology. In that case, the placement of the SSO solution may mask the actual IP from which the user tries to sign in. VPN servers are usually exposed only to a specific set of users. Placing an SSO server right before VPN access may cause IP address confusion.

3. Carefully construct user and access policies

Since SSO narrows down access to multiple applications into a single authentication process, it becomes important to ensure that each user gains access only to what they require. This is done by identifying user groups, application groups, and the policies that need to be followed to avoid security holes. The SSO solution must allow the provisioning of different access policies to different applications and users. Most organizations do this by using an identity and access management system in conjecture with SSO. However, in most cases, SSO comes prepackaged with IAM solutions.

4. Look for centralized administration

SSO avoids the clutter of passwords from hindering usability and productivity for the end-user. However, this means that the responsibility of keeping things straight falls on admins. A single dashboard with access to all configured applications and services, on cloud or on-premise, must come with the SSO solution.User access reports and real-time logs also allow admins to troubleshoot and spot potential threats. It even allows them to analyze user behavior patterns.

5. Make sure SSO implementation is compliance-friendly

Most industries today are bound by user data and privacy-related regulations. For example, HIPAA regulations govern all hospitals, labs, and medical research centers. Besides the mandate to secure sensitive user data, an audit trail must also be available. This means that the SSO solution needs to maintain all user activity and session details. SSO is also a way to comply with data access and antivirus regulatory requirements.

6. Deploy additional authentication mechanism

This is perhaps the most crucial practice to supplement SSO because of the singular access point that SSO provides. A secure SSO solution must always allow for integration with more than one form of authentication. Two-factor authentication (2FA) or multi-factor authentication (MFA) ensures that hackers cannot exploit the system, leading to user credentials falling into the wrong hands.Ideally, an SSO login page must have more than username and password authentication. An extra layer of authentication such as one-time passwords, auto-generated hardware or software key tokens, and biometric identification makes SSO almost impossible to breach.

7. Enforce session timeouts

It is easy to forget the small details while consolidating and managing so many applications under the umbrella of SSO. Session timeouts ensure that a user’s authentication token invalidates with time. They also ensure that there are no idle user sessions. This tiny detail has significant security implications if ignored. The duration of each session before it times out must be set based on the usage and application of every service that the user needs access to.

8. Ensure that end users have a self-service portal

While admin dashboards are important, a truly effective SSO solution empowers end users with a self-service portal. Users use this portal to manage passwords and raise access requests. Password management, of course, is bound by the password policies set at the admin level. The user portal also gives regular reminders regarding when a password change is due.

9. Examine the disaster recovery plan for SSO solution outages

SSO implementation creates a single entry point to several crucial services that need to keep an organization running. Downtime in the SSO server can have far-reaching effects. For example, in 2018, Amazon’s eastern U.S. region outage caused Capital One banking customers to be locked out of their accounts. Capital One developers who used Atlassian’s services couldn’t perform 100% of their work either.

Each service and application covered by SSO may have different risk levels to the company’s business continuity. While some applications can afford a few hours of downtime, others would need to be up and running in a matter of seconds. This calls for a complex disaster recovery plan surrounding SSO. It needs to be noted here that if the cost of a complex recovery plan considerably supersedes the financial benefits of SSO implementation, the entire SSO process must be relooked at and reconstructed.

10. Perform security audits before implementation

SSO does reduce the attack surface, but this also means that it sharpens the focus of cybercriminals to a narrow point. Security audits must be performed to evaluate the underlying SSO protocols and the level of encryption. Decisions such as using Kerberos on open networks must be made here. Once the SSO solution fulfills all security criteria, other security precautions such as compatibility with MFA must be considered.

See More: What Is Multi-Factor Authentication? Definition, Key Components, and Best Practices

Takeaway

Today’s IT infrastructure is no longer a standalone, on-premise monolith. Every aspect of the business is fulfilled by a well-oiled combination of multiple services and applications. Cybercriminals know this and are increasingly targeting users and devices for authentication details. Single sign-on is the first step toward securing a company, its users, and also its employees. Combined with IAM and MFA, SSO can provide a powerful electric fence around an infrastructure’s access points.

Did this article help you understand how SSO works? Tell us on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!