A single sign-on (SSO) service enables users to access multiple applications using the same login credentials. Organizations of any size can use SSO to give their people secure access to their applications more quickly and easily.
So, how does it generally work whilst remaining secure? It becomes clear with a simple, non-technical example. Imagine that your organization uses Microsoft 365 to conduct most of its work through a range of apps such as PowerPoint, Word and SharePoint.
As a Microsoft 365 user, you might start your day by accessing your emails via the Outlook app. There, you will be asked to submit your login credentials to access the MS 365 platform according to an access policy. Once your account has been authenticated by an identity server hosted by Microsoft, you gain access to the other apps hosted within your organization’s MS 365 business account without needing to log in multiple times.
How single sign-on works
Open Authorization, otherwise known as OAuth, is a framework that enables third-party services, such as social media websites, to access a user’s account information without exposing their password.
OAuth acts as a verifying intermediary between the end user and the service they are accessing. Whenever a user attempts to access an application from the service provider, they are redirected to the OAuth authorization server to verify their login credentials. If the credentials are correct, the authorization server issues an access token that lets the user into the service; the application itself only ever handles the token, never the password.
In the case of SSO, a single credential is verified for access to a range of apps that are hosted jointly within one service provider. In the earlier example, this would be Microsoft.
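To make the exchange concrete, here is an added, self-contained simulation of the OAuth 2.0 authorization code flow with PKCE. It is example code written for this article, not code from the original page, from Microsoft or from any OAuth library. The client id "photo-app", the user "alice", the redirect URI and every URL are constructed placeholders; the authorization server and the client application both run in-process so the exchange can be followed step by step, with the checks that keep it safe (redirect URI match, single-use code, state, PKCE) made explicit.

```python
import base64
import hashlib
import secrets
import time

# Constructed sample data for this demonstration: one registered third-party
# client and one user account known only to the authorization server.
REGISTERED_CLIENTS = {"photo-app": {"redirect_uri": "https://photo.example/callback"}}
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class AuthorizationServer:
    """The identity provider: the only party that ever sees the password."""

    def __init__(self):
        self.codes = {}    # authorization code -> pending grant
        self.tokens = {}   # access token -> subject and granted scope

    def authorize(self, client_id, redirect_uri, state, code_challenge,
                  username, password):
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        pw_hash = hashlib.sha256(password.encode()).hexdigest()
        if not secrets.compare_digest(USERS.get(username, ""), pw_hash):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "user": username,
                            "challenge": code_challenge,
                            "expires": time.time() + 60}
        # What travels back to the client via the redirect: code and state only.
        return {"code": code, "state": state}

    def token(self, client_id, code, code_verifier):
        grant = self.codes.pop(code, None)          # codes are single-use
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("invalid, replayed or expired code")
        if grant["client_id"] != client_id:
            raise PermissionError("code was issued to a different client")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not secrets.compare_digest(expected, grant["challenge"]):
            raise PermissionError("PKCE verifier does not match challenge")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "scope": "profile"}
        return {"access_token": access_token, "token_type": "Bearer"}

    def introspect(self, access_token):
        """What a resource server learns about a token: subject and scope."""
        return self.tokens.get(access_token)


class ClientApp:
    """The third-party service; it receives a token, never the password."""
    client_id = "photo-app"
    redirect_uri = "https://photo.example/callback"

    def start_login(self):
        self.state = secrets.token_urlsafe(16)      # binds the callback to this session
        self.verifier = secrets.token_urlsafe(32)   # PKCE secret, kept client-side
        challenge = b64url(hashlib.sha256(self.verifier.encode()).digest())
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "state": self.state, "code_challenge": challenge}

    def handle_callback(self, auth_server, callback):
        if not secrets.compare_digest(callback["state"], self.state):
            raise PermissionError("state mismatch: possible login CSRF")
        return auth_server.token(self.client_id, callback["code"], self.verifier)


def run_flow(username, password):
    """Full exchange; returns what the token grants, or raises PermissionError."""
    auth, app = AuthorizationServer(), ClientApp()
    request = app.start_login()                               # 1. client -> user agent
    callback = auth.authorize(**request, username=username,   # 2. user authenticates at the IdP
                              password=password)
    tok = app.handle_callback(auth, callback)                 # 3. code + verifier -> token
    return auth.introspect(tok["access_token"])               # 4. resource server checks the token


def flow_rejected(username, password):
    """True when the authorization server refuses the login."""
    try:
        run_flow(username, password)
    except PermissionError:
        return True
    return False


def code_replay_rejected():
    """A captured authorization code cannot be redeemed a second time."""
    auth, app = AuthorizationServer(), ClientApp()
    callback = auth.authorize(**app.start_login(), username="alice",
                              password="correct horse battery staple")
    app.handle_callback(auth, callback)
    try:
        app.handle_callback(auth, callback)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow("alice", "correct horse battery staple"))
```

Running the file prints what the client learns from the token: the subject and the granted scope. The client never handles the password, which is the property the paragraph above describes; the state value and PKCE verifier are what stop a captured redirect or code from being usable by anyone else.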
Types of SSO configurations
Protocols used by some SSO services include Kerberos and Security Assertion Markup Language (SAML), which work in different ways. For the purposes of this piece, we will briefly explore SAML and Kerberos.
SAML is an XML-based standard for exchanging authentication and authorization data between secure domains. In SAML-based SSO services, three parties take part in the authentication process: the user, an identity provider, and a service provider. SAML is a fairly common technique in which the service provider verifies assertions issued by the authenticator (the identity provider); assertions are statements about the user’s identity and attributes.
SAML is used in cross-domain authentication, meaning that it can verify credentials across multiple organizations and platforms. By contrast, Kerberos is typically used in a single-domain setting, such as within one platform or organization.
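As an added example (not code from this article or from any SAML product), here is the set of checks a service provider applies to a SAML 2.0 assertion before trusting the identity it carries: trusted issuer, validity window, audience, bearer-confirmation recipient and request binding, and one-time use of the assertion ID. The sample assertion, the SP entity ID, the ACS URL and the issuer are constructed values. Signature verification is deliberately left to a dedicated SAML library; the checks below are only meaningful after the signature has been verified.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The service provider's own configuration (constructed for this example).
SP_ENTITY_ID = "https://sp.example.com"
SP_ACS_URL = "https://sp.example.com/acs"
TRUSTED_ISSUERS = {"https://idp.example.org"}

# Constructed sample assertion, not from any real IdP. A real assertion is
# XML-signed; verify the signature with a SAML library before trusting any
# of the checks below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" IssueInstant="2024-05-01T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          NotOnOrAfter="2024-05-01T10:05:00Z"
          Recipient="https://sp.example.com/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>analyst</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def utc(hour, minute):
    """Clock value on the sample assertion's date (constructed)."""
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)


def validate_assertion(xml_text, now, expected_request_id, seen_ids):
    """SP-side checks; returns (subject, attributes) or raises ValueError."""
    # ElementTree does not resolve external entities by default, but prefer
    # defusedxml for untrusted input in production.
    a = ET.fromstring(xml_text)
    if a.tag != "{%s}Assertion" % SAML_NS["saml"] or a.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    issuer = a.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer %r" % issuer)
    # Replay protection: each assertion ID is accepted exactly once.
    assertion_id = a.get("ID")
    if assertion_id in seen_ids:
        raise ValueError("assertion %s already consumed" % assertion_id)
    # Validity window from <Conditions>.
    cond = a.find("saml:Conditions", SAML_NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    # Audience restriction: the assertion must be addressed to this SP.
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("audience %r does not include this SP" % audiences)
    # Bearer confirmation: recipient, its own expiry, and binding to our request.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("recipient mismatch")
    if now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")
    if scd.get("InResponseTo") != expected_request_id:
        raise ValueError("assertion does not answer our authentication request")
    seen_ids.add(assertion_id)
    subject = a.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return subject, attrs


def rejection_reason(xml_text, now, expected_request_id, seen_ids):
    """The failing check's message, or None when the assertion is accepted."""
    try:
        validate_assertion(xml_text, now, expected_request_id, seen_ids)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, utc(10, 1), "_req42", set()))
```

The `seen_ids` set stands in for whatever replay cache the SP keeps; without it a valid assertion captured in transit could be presented again inside its five-minute window. The InResponseTo check is what ties the assertion to a login the SP actually started, which is why SP-initiated flows are easier to secure than unsolicited ones.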
When Kerberos is used, a ticket-granting ticket (TGT) is issued once the user’s credentials have been verified. The TGT acts as a master ticket: the client presents it to the Kerberos Key Distribution Center to obtain a service ticket for each application it wants to use on the shared network, so the user can reach multiple services from one authentication without re-entering their login credentials.
Security risks and SSO
Whilst convenient for users, SSO can compromise enterprise security if it is not complemented by other measures. By gaining control of a user's SSO credentials, an attacker can access every application the user has access to, which increases the potential damage.
As a result, SSO implementation is best coupled with identity governance to prevent malicious access. SSO can also be enhanced with two-factor authentication (2FA) or multifactor authentication (MFA).
Platforms such as Google, LinkedIn and Meta offer SSO services that enable users to log in to a third-party application with the same credentials they use for social media authentication. While this is very convenient, it also creates a single point of vulnerability that attackers can exploit.
Many cybersecurity professionals recommend that users refrain from using social SSO services altogether, because once an attacker gains control of a user's SSO credentials, they will be able to access all of the other applications that use those credentials as well.
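The risk described above is easiest to manage when the SSO audit trail is actually watched. What follows is an added example, not from this article or from any vendor, of a small detector run over a constructed identity-provider log (the line format, users, applications and IP addresses are all invented for the demonstration). It flags successful logins that were not protected by MFA, a single account fanning out to many applications within minutes (the blast radius of one stolen SSO credential), and a burst of failures followed by a success from the same address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP audit log (not real data). One line per SSO event.
SAMPLE_LOG = """\
2024-05-01T09:58:00Z user=bob app=mail result=success mfa=true ip=198.51.100.7
2024-05-01T10:00:03Z user=alice app=mail result=failure mfa=false ip=203.0.113.10
2024-05-01T10:00:05Z user=alice app=mail result=failure mfa=false ip=203.0.113.10
2024-05-01T10:00:08Z user=alice app=mail result=failure mfa=false ip=203.0.113.10
2024-05-01T10:00:12Z user=alice app=mail result=success mfa=false ip=203.0.113.10
2024-05-01T10:00:40Z user=alice app=hr result=success mfa=false ip=203.0.113.10
2024-05-01T10:01:05Z user=alice app=finance result=success mfa=false ip=203.0.113.10
2024-05-01T10:01:30Z user=alice app=crm result=success mfa=false ip=203.0.113.10
2024-05-01T10:02:00Z user=alice app=wiki result=success mfa=false ip=203.0.113.10
2024-05-01T10:30:00Z user=bob app=wiki result=success mfa=true ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>true|false) ip=(?P<ip>\S+)$")


def parse_log(text):
    """Parse the constructed line format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["mfa"] = ev["mfa"] == "true"
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(text, fan_out_apps=4, fan_out_window=timedelta(minutes=5),
           failure_threshold=3, failure_window=timedelta(seconds=60)):
    """Return a list of alerts, each {'rule', 'user', 'detail'}."""
    by_user = defaultdict(list)
    for ev in parse_log(text):
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in sorted(by_user.items()):
        successes = [e for e in evs if e["result"] == "success"]

        # Rule 1: a successful SSO login that was not protected by MFA.
        no_mfa = [e for e in successes if not e["mfa"]]
        if no_mfa:
            alerts.append({"rule": "no_mfa_success", "user": user,
                           "detail": "%d logins without MFA" % len(no_mfa)})

        # Rule 2: one credential fanning out to many apps in a short window,
        # the pattern a taken-over SSO account produces.
        for i, first in enumerate(successes):
            apps = {e["app"] for e in successes[i:]
                    if e["ts"] - first["ts"] <= fan_out_window}
            if len(apps) >= fan_out_apps:
                alerts.append({"rule": "app_fan_out", "user": user,
                               "detail": "%d apps within %ds"
                               % (len(apps), fan_out_window.total_seconds())})
                break

        # Rule 3: a burst of failures followed by a success from the same IP.
        for s in successes:
            recent = [e for e in evs if e["result"] == "failure" and e["ip"] == s["ip"]
                      and timedelta(0) <= s["ts"] - e["ts"] <= failure_window]
            if len(recent) >= failure_threshold:
                alerts.append({"rule": "failures_then_success", "user": user,
                               "detail": "%d failures before success from %s"
                               % (len(recent), s["ip"])})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Each rule reports once per user so the output stays readable; thresholds are parameters so they can be tuned to an organization's normal usage. Rule 1 is the direct check for the MFA recommendation in the paragraphs above, and rule 2 is the signal that the single point of failure those paragraphs describe has actually been exercised.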
With enterprise single sign-on (eSSO), users can log on to target applications by replaying their credentials using client and server components.
eSSO works by securely storing user credentials and automatically populating them when they are accessing authorized applications. Users only need to authenticate once, typically during the login to their workstation or device, and eSSO takes care of the rest.
Compared to social SSO, eSSO improves security by enforcing strong password policies, reducing the risk of weak or reused passwords. It also enables centralized management and monitoring of user access, enhancing compliance and auditability. This makes it a much more secure and manageable alternative for organizations that want to stay away from social SSO.
6 Key Advantages of Single Sign-On
1. SSO improves the user experience
SSO eliminates the need for employees to repeatedly enter login information, saving time and enhancing both productivity and the employee experience. It can be frustrating to repeatedly enter, and attempt to remember, different passwords. With SSO this becomes much easier, enabling employees to work more efficiently and smoothly.
2. SSO saves time
It's human to forget login credentials from time to time, and it can be frustrating when this happens: creating a password, forgetting it, resetting it, and potentially forgetting it again! SSO saves users from this trouble, letting them enter their credentials once without compromising their security.
With SSO, employees can access the organization’s resources using a shared portal. With one-click logins to company resources, the seconds will add up to minutes and hours of added productivity.
3. Single sign-on improves speed where it matters the most
SSO is especially useful in high-stakes industries like finance and healthcare, as well as in large enterprises with numerous departments and employees requiring access to the same applications/services.
Delays in access, password misappropriation, or compromised access to shared tools or resources can literally mean the difference between life and death in environments like these.
4. SSO helps with regulatory compliance
Many organizations face important regulatory and compliance burdens, which if they are not followed can have serious consequences such as hefty fines and legal action. SSO can help with regulatory compliance in a few key ways:
Centralized Access Control: SSO allows organizations to centrally manage user access to various applications and systems. This centralized control enables consistent enforcement of access policies and ensures that users have appropriate access permissions based on their roles and responsibilities, preventing an unnecessary degree of risk to sensitive data.
Strong Authentication: SSO systems often support multifactor authentication (MFA) or other strong authentication methods. These additional layers of security enhance user authentication beyond just a username and password.
Auditability and Logging: SSO systems provide robust logging and auditing capabilities. They can track user access activities, including logins, application accesses, and system interactions.
5. Cuts down IT Helpdesk costs
As single sign-on reduces the number of login credentials an individual must juggle, users are less likely to contact IT for password resets.
These requests are remarkably common; about 20%-50% of IT helpdesk requests involve user credentials. By introducing SSO, these requests become less common, freeing IT teams to spend their time on more valuable work across the organization.
6. SSO revamps security
Ah, security. Single sign-on and security go hand in hand—they are almost inseparable.
For example, the authentication token used to verify sensitive user credentials is not hosted in the application or service that the user is trying to access; the token and credentials are held separately in a central SSO server or database. This keeps credentials out of each individual application, preserving the user's anonymity and security alongside a streamlined, easier login process.
Your Experts for Managed IT Services
AsiaCloud Solutions provides high-quality, reliable and cost-effective Managed IT services to help your organisation succeed with IT. We offer a combination of enterprise-grade technology along with a fast, scalable, personalized service. We provide world-class IT support that you can rely on at affordable prices, with our specialists supporting you with a proactive service from right here in Singapore.