Want to learn what SSO is and how you can use it to your advantage? This article is a full guide to SSO: what the abbreviation stands for, how single sign-on works, how secure it is, what an SSO ID is, and what its pros and cons are.
What Is Single Sign-On (SSO)?
Single sign-on (SSO) is an authentication method that lets a user access multiple applications with one set of credentials, such as a username and password, after authenticating once. SSO is widely used by large corporations, smaller companies, and individual users who want a simpler and more convenient login process.
SSO is an integral part of many access management solutions. Authenticating the user is the first step; decisions about which permissions to grant are then made on the basis of that verified identity.
How Single Sign-On Works
SSO functionality is built on a trust relationship between the service provider (an application, website, etc.) and the identity provider. This relationship is usually established by exchanging certificates during configuration: the identity provider signs the identity data it sends with its private key, and the service provider uses the identity provider's certificate (its public key) to verify that signature, so it knows for sure that the data came from the trusted source and was not altered in transit. In SSO, the identity data takes the form of authentication tokens (SAML assertions or OpenID Connect ID tokens) carrying user-identifying information such as a username or e-mail address.
What Are the Advantages and Disadvantages of SSO?
Besides being more convenient for users, single sign-on is generally considered more secure. This may seem contradictory: how can one password be more secure than several passwords for different services? Supporters of SSO offer the following reasons.
- Passwords are not reused. When a user has to sign in to many services, "password fatigue" sets in and the same password ends up being reused across them. The security of every account then depends on the service with the weakest protection: if one service's database leaks, attackers can replay the stolen password against all the others (credential stuffing). With SSO, only one service, the identity provider, ever handles the password, so the risk decreases.
- Better password management. With a single point where passwords are entered and verified, password policies are easier to enforce. For example, where a company requires periodic password changes, users reset one password instead of many. The same applies to multi-factor authentication: it is enforced once, at the identity provider, instead of being set up separately for every service.
- Safer credential storage. With SSO, credentials are stored and verified only by the identity provider, in an environment under the control of the IT department, instead of being kept by every individual application.
- Faster password recovery. A user recovers one password at the identity provider and regains access to all connected services, instead of going through recovery for each service separately.
Still, there are some disadvantages of SSO, which include the following.
- The identity provider's authentication policy may not meet the security requirements of every connected service; a high-risk application may need stronger assurance than the default login provides.
- If the identity provider is unavailable, or the user loses their SSO credentials, the user loses access to every system connected to it.
- If a user's SSO credentials are stolen, the attacker gains access to all the services the victim used. This is why multi-factor authentication at the identity provider is essential.
How Does an SSO Login Work?
When a user opens a service that uses SSO, the service provider first checks whether the user already has an authenticated session. If not, the user is redirected to the identity provider to sign in; after successful authentication, the identity provider sends the user back with a signed token that the service provider verifies before creating its own session.
The SSO service does not usually own the user store itself. Most SSO services verify the credentials a user presents against a separate identity store, such as an Active Directory or LDAP directory, and then issue a token. SSO thus acts as a link that confirms that a user's credentials match the identity data held in the directory, without managing that directory itself.
What Is an SSO Authentication Token and How Does it Work?
An SSO token is a set of data passed between systems during the SSO process; it can include information such as the user's username or e-mail address. Tokens carry a digital signature so that the receiver can verify that they come from the trusted identity provider and have not been modified. This trust between the two systems rests on the certificate exchanged during initial configuration: the identity provider signs with its private key and the service provider verifies with the matching public key.
The crucial element of any SSO process is the ability to pass an authentication token to external services and applications. This is what separates identity verification from the services themselves and makes SSO possible.
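The exchange described in the two sections above, written out as an added example that is not part of the original article: the service provider generates a per-login nonce, the identity provider issues a signed token carrying the user's identity, and the service provider checks the signature and every claim before trusting it. The issuer URL, client ID and key are assumptions for the example. To stay dependency-free the token is signed with HMAC-SHA256 over a key shared at configuration time; a real identity provider signs with the private key behind its certificate (RS256/ES256, or XML-DSig for SAML) so that the service provider only needs the public key, but the claim checks are the same in both cases.

```python
import base64
import hashlib
import hmac
import json
import secrets

# All values below are assumptions for this example, not from the article.
SHARED_KEY = b"key-exchanged-at-setup-time"   # stand-in for the IdP's signing key
IDP_ISSUER = "https://idp.example.com"         # hypothetical identity provider
SP_CLIENT_ID = "sp-app"                        # hypothetical service provider


def _b64(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- identity provider side -------------------------------------------------
def idp_issue_token(subject: str, audience: str, nonce: str, now: int, ttl: int = 300) -> str:
    """Sign the identity claims. The SP trusts them only because of this signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    enc = lambda obj: _b64(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


# ---- service provider side --------------------------------------------------
def sp_verify_token(token: str, expected_nonce: str, now: int) -> dict:
    """Return the claims if the token is genuine and meant for us; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_unb64(h64))
    # Pin the algorithm: never let the token pick it ("alg": "none" attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s64)):
        raise ValueError("bad signature")          # checked before trusting any claim
    claims = json.loads(_unb64(c64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != SP_CLIENT_ID:           # a token for another SP must not log in here
        raise ValueError("wrong audience")
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch")          # token not bound to this login request
    return claims


def sp_check(token: str, expected_nonce: str, now: int) -> str:
    """Like sp_verify_token, but return 'ok' or the rejection reason (useful for logging)."""
    try:
        sp_verify_token(token, expected_nonce, now)
        return "ok"
    except ValueError as err:
        return str(err)


def sso_login_flow(user: str, now: int) -> dict:
    """Happy path: the SP generates a nonce, the IdP authenticates the user and
    issues a token carrying it, and the SP verifies the token before starting a session."""
    nonce = secrets.token_urlsafe(16)   # kept in the SP's session, sent along to the IdP
    token = idp_issue_token(user, SP_CLIENT_ID, nonce, now)   # IdP has verified the password
    return sp_verify_token(token, nonce, now)


if __name__ == "__main__":
    print(sso_login_flow("alice@example.com", now=1_700_000_000))
```

The order of checks matters: the signature is verified before any claim is read, the audience check stops a token issued for one service provider from being replayed at another, and the nonce ties the token to the login request the service provider actually started.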
Types of SSO Configurations
Some SSO services are built on one of the following configurations.
- Federated Identity Management (FIM) is a trust relationship between two or more domains or identity management systems. SSO is one feature available within FIM, which is why SSO is sometimes called federated SSO.
- OAuth 2.0 is an authorization framework that is also considered part of the FIM architecture: it lets a user grant an application delegated access to resources in another domain without sharing their password. On its own, OAuth 2.0 does not tell the application who the user is, which is why OpenID Connect was defined on top of it.
- OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. It adds a signed ID token that lets the application verify the identity of the end user.
- Security Assertion Markup Language (SAML) is an XML-based standard for exchanging user authentication and authorization data between security domains. SAML-based SSO services organize communication between the user, the identity provider (which manages the user directory), and the service provider; the identity provider's signed SAML assertion is what the service provider trusts.
- In a Kerberos-based configuration, the user authenticates once to the Key Distribution Center and receives a ticket-granting ticket (TGT). The TGT is then used to obtain service tickets for each application the user wants to access, without the user re-entering their credentials.
- Smart card-based SSO requires a card containing the user's sign-in data (typically a certificate and its private key) for the initial authentication. Once that is done, the user does not need to enter a username and password again. An SSO smart card stores certificates or passwords.
- Active Directory (AD) is Microsoft's centralized directory service, in which users are added for central management. It is often described as a type of SSO because, once a user signs in to a domain-joined device, AD authenticates them to integrated systems through protocols such as Kerberos without further prompts.
- Lightweight Directory Access Protocol (LDAP) is a standard for organizing and querying directory data, and is also used for the central management of resources such as users and systems. LDAP is not itself an SSO protocol: an application can authenticate a user by performing an LDAP bind with the user's credentials, but more commonly it queries the directory for the user's attributes and group memberships and makes its own authorization decision on that basis. For example, when a user requests a resource, the application looks the user up in LDAP to decide whether they belong to a group that has the necessary permissions.
Security Risks and SSO
Although it is convenient, SSO concentrates risk. A cybercriminal who obtains a user's SSO credentials gains access to every application that user is entitled to, which may lead to serious damage. To limit the impact of such malicious access, an SSO implementation should be combined with identity governance (timely deprovisioning and least-privilege role assignment) and additional authentication factors, such as multi-factor authentication and risk-based step-up authentication.
How Does SSO Fit into an Access Management Strategy?
SSO is only one element of an access management strategy. To be effective, it must be combined with other elements, such as access and permission control, activity logging, and other means of tracking user behavior within corporate networks and systems.
Still, SSO is crucial for access management: if a system cannot tell its users apart, it cannot restrict their actions.
What Is SSO Software as a Service?
When authentication for a website or app is outsourced to a third-party identity provider, SSO can be considered Software as a Service (SaaS). The identity provider lets its clients manage user accounts without developing their own authentication solution.
A SaaS approach to SSO is valuable for large companies, especially their security and IT departments, which must be able to revoke access to online resources very quickly. Sometimes this has to happen the moment an employee leaves the company, by disabling one account at the identity provider rather than hunting through every corporate portal. In short, SSO is a basic security requirement for corporate networks.
What Is App-to-App SSO?
App-to-App or Application-to-Application SSO passes a user's authenticated identity from one application to another within a single ecosystem. It is not yet an industry-standard protocol, which limits its adoption.
There are many well-known vendors of single sign-on solutions, offering different services for SSO integration. Here is a list of some providers with short descriptions.
Duo Single Sign-On
Duo Single Sign-On is a cloud service that gives users secure access to all their apps from a single dashboard. The management console allows policy customization and configuration per application. After assessing contextual login data such as user location, role, and device, Duo assigns a risk score to each login; if the risk is high, additional authentication steps are required to make sure that only trusted users gain access.
Ping Identity
Ping Identity's SSO solution is federated and lets users access corporate applications from any device with one set of credentials through a centralized dashboard. It supports OpenID Connect and SAML tokens. The platform also uses artificial intelligence to assess suspicious login attempts.
Thales SafeNet Trusted Access
Thales offers a Smart SSO solution that lets users sign in to their accounts and apps with one identity through a centralized portal. Administrators can configure access policies for all applications and define the required authentication level for each login attempt. Smart SSO also collects contextual data about different aspects of the sign-in process.