What Is SSO and Why Do You Need It?
This article provides a complete guide on SSO to find its pros, cons, and other aspects. We explain the SSO meaning, what SSO stands for, how secure SSO is, etc.
What Is Single Sign-On (SSO)?
Single sign-on (SSO) is a method of authentication enabling users to access different applications with one set of credentials, such as a login and a password. SSO login is widely used by corporations, smaller companies, and users who want to make the authentication process more accessible and convenient.
SSO is an integral part of many solutions designed to manage access control. For example, decisions over which permissions should be granted to a user are based on identity verification.
How Single Sign-On Works
SSO functionality is built on a trust relationship between the service provider (an application, website, etc.) and the identity provider. This relationship usually relies on a certificate that the two sides exchange. The certificate lets the identity provider sign the identity data it sends to the service provider, so the latter knows for certain that the data comes from a trusted source. In SSO, the identity data is carried in authentication tokens containing user-identifying information such as a username or e-mail address.
What Are the Advantages and Disadvantages of SSO?
Besides being more convenient for users, single sign-on is considered more secure. This may seem contradictory: how can one password be more secure than several passwords for different services? Supporters of SSO offer the following reasons.
- Passwords are not reused. When a user has to sign in in many places, "password fatigue" sets in and the same password ends up being used for different services. This is a significant security threat because the security of the user's accounts is then only as strong as the service with the weakest protection: if that service's database leaks, attackers obtain the password and, with it, access to all of the user's other services. The risk decreases with SSO, as only one service is used for authentication.
- Better password management. With a single point of password entry, password management and security-rule enforcement are easier to implement. For example, some companies require passwords to be changed regularly; with SSO, users reset one password instead of many. The same applies to multi-factor authentication: users don't have to present additional factors several times.
- Safer credential storage. SSO allows storing passwords in a safer environment under the IT department's control.
- Faster password recovery. With SSO, users recover one password and sign back into all the services they need, instead of recovering a separate password for every service.
Still, there are some disadvantages of SSO, which include the following.
- SSO may not meet all the security requirements that different services may need.
- If a password is lost, users lose access to systems connected to SSO.
- If a user's credentials are lost or stolen and passed to unauthorized users, the latter can get access to all the services the victim used.
How Does an SSO Login Work?
When a user signs in to a service with SSO, the system checks whether the user is already authenticated. If not, the user is prompted to sign in through SSO.
SSO itself is not designed to store user identities, so it cannot on its own remember who a user is. Most SSO services work by checking user credentials against a separate identity management service. SSO acts as a link that confirms whether a user's credentials match the identity data stored in that directory, without managing the data itself.
What Is an SSO Authentication Token, and How Does It Work?
An SSO token is a set of data transmitted between systems during the SSO process. This data can include information such as a user's login name or e-mail address. Tokens must also carry a digital signature so that the receiver can verify they come from a trusted source. This "trust" between the two systems is established through a certificate exchanged during initial configuration.
The crucial element of any SSO process is its ability to pass an authentication token to external services and apps. This separates identity verification from the other services and is what makes SSO possible.
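The login check and the token exchange described above, as an added example rather than code from the article or from any SSO vendor: an identity provider authenticates a user against a directory it merely consults, mints a signed token carrying the user's login name and e-mail address, and a service provider accepts the user only after checking the signature, the intended audience and the expiry. Real deployments sign with the private key of the certificate exchanged at setup; to stay dependency-free this example uses an HMAC over a shared secret as a stand-in, and the directory contents, secret and service names are constructed sample data.

```python
"""Toy single sign-on exchange between an identity provider (IdP) and a
service provider (SP). Added illustration, not the article's own code.
The HMAC over a shared secret stands in for the certificate-based
signature a real IdP would use; all names and secrets are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed user directory. The IdP consults it but does not own it,
# mirroring the article's point that SSO does not store identities itself.
DIRECTORY = {
    "alice": {"password_hash": hashlib.sha256(b"correct horse").hexdigest(),
              "email": "alice@example.com"},
}

# Constructed shared signing secret (stand-in for the IdP's certificate key).
SIGNING_SECRET = b"idp-signing-secret-for-demo-only"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_authenticate(username: str, password: str, audience: str,
                     now: Optional[float] = None) -> Optional[str]:
    """Check credentials against the directory; on success mint a token
    bound to one service (`audience`) that expires after five minutes."""
    record = DIRECTORY.get(username)
    if record is None:
        return None
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given, record["password_hash"]):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "email": record["email"],
              "aud": audience, "iat": int(now), "exp": int(now) + 300}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def sp_verify(token: str, expected_audience: str,
              now: Optional[float] = None) -> Optional[dict]:
    """Service-provider side: return the claims only if the signature,
    audience and expiry all check out; otherwise None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered, or not signed by the trusted IdP
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims.get("aud") != expected_audience:
        return None  # token was minted for a different service
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims


def sp_login(session: dict, token: Optional[str], audience: str,
             now: Optional[float] = None) -> str:
    """The 'is this user already signed in?' check: reuse the session,
    otherwise accept a valid token, otherwise send the user to the IdP."""
    if "user" in session:
        return f"already signed in as {session['user']}"
    if token is None:
        return "redirect to IdP"
    claims = sp_verify(token, audience, now)
    if claims is None:
        return "redirect to IdP"
    session["user"] = claims["sub"]
    return f"signed in as {claims['sub']}"


if __name__ == "__main__":
    token = idp_authenticate("alice", "correct horse", audience="crm")
    session = {}
    print(sp_login(session, None, "crm"))   # no session, no token
    print(sp_login(session, token, "crm"))  # token verified, session created
    print(sp_login(session, None, "crm"))   # session reused
    print(sp_verify(token, "wiki"))         # wrong audience: None
```

The audience check is what keeps a token issued for one service from being replayed against another, and the expiry bounds how long a leaked token stays useful; both are checks a service provider performs itself rather than trusting the token's contents at face value.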
Types of SSO Configurations
SSO services are built on one or more of the following configurations and standards.
- Federated Identity Management (FIM) is a trust relationship between two or more domains or identity management systems. SSO is a feature available within FIM, which is why SSO is sometimes called federated SSO.
- The OAuth 2.0 protocol is also considered part of the FIM architecture; it makes sharing identity information across domains possible.
- OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. It allows the identity of the end user to be verified.
- Security Assertion Markup Language (SAML) is an XML-based standard that makes it possible to exchange user authentication and authorization data between security domains. SAML-based SSO services organize the communication between the user, the identity provider (which manages the user directory), and the service provider.
- In a Kerberos-based configuration, when the user provides their credentials, a ticket-granting ticket (TGT) is issued. This ticket grants service tickets for the applications the user wants to gain access to without requiring the user to reenter their credentials.
- Smart card-based SSO requires a card holding sign-in data for the first authentication. Once that is done, the user does not need to enter their login and password again. An SSO smart card stores certificates or passwords.
- Active Directory (AD), a type of SSO, is a centralized directory service by Microsoft in which users are added for central management. AD works with authentication protocols like Kerberos and allows users to authenticate from their devices and access the systems integrated with AD.
- Lightweight Directory Access Protocol (LDAP) is a standard that is designed to organize and query directory data. LDAP is also used for the central management of resources like users and systems. But it doesn't define the actual authentication protocols. Still, LDAP is widely used for access control. For example, when a user wants access to a particular resource, LDAP may assess that user and decide whether they have the necessary permissions.
Security Risks and SSO
Although convenient, SSO can pose a risk to corporate security. A cybercriminal who gains control of a user's SSO credentials gains access to every application that user is entitled to use, which can lead to serious damage. To prevent such malicious access and improve security, an SSO implementation should be combined with identity governance and supplementary authentication methods.
How Does SSO Fit Into an Access Management Strategy?
SSO is only one element in an access management strategy. To be considered effective, it must be combined with other elements, such as access and permission control, activity logs, and other means of tracking user behavior within corporate networks and systems.
Still, SSO is crucial for access management. If a system cannot tell the difference between its users, it will not be able to restrict their actions.
What Is SSO Software as a Service?
When you outsource authentication for a website or an app to a third-party identity provider, SSO can be considered Software as a Service (SaaS). In this case, identity providers allow their clients to manage user accounts without needing to develop their solutions.
A SaaS approach to SSO is crucial for big companies, especially for their security and IT departments, which have to revoke access to online resources very quickly. Sometimes they have to do it the very moment an employee leaves the company, rather than spend time logging the person out of every corporate portal. In short, SSO is a basic network security requirement.
What Is App-to-App SSO?
App-to-App (application-to-application) SSO passes a user's identity between applications within one ecosystem. It is not yet an industry-standard protocol, which limits its adoption.
Many well-known vendors offer single sign-on solutions, each with different services for SSO integration. Here is a list of some providers with short descriptions.
Duo Single Sign-On
Duo Single Sign-On is a cloud service that securely allows users to access all their apps via a single dashboard. The management console enables access policy customization and configuration at the app level. After assessing contextual login data like user location, role, and device, Duo creates a risk score for each login. If the risk is high, supplementary authentication steps are required to ensure that only trusted users gain access.
Ping Identity
Ping Identity's SSO solution is federated and enables users to access corporate applications from any device with one set of credentials through a centralized dashboard. It supports OpenID Connect and SAML tokens, and the platform uses artificial intelligence to assess suspicious login attempts.
Thales SafeNet Trusted Access
This technology company offers a Smart SSO solution that enables users to sign in to their accounts and apps via one identity on a centralized portal. Admins can configure access policies for all the applications and define the required authentication level for each login attempt. Smart SSO also collects contextual data concerning different aspects of the sign-in process.
Published at DZone with permission of Anastasiia Komendantova.