SSO, which stands for single sign-on, has many benefits. The primary advantages are that it limits the number of passwords a user needs to create and remember, while also eliminating the need for service providers to manage accounts.
How Does SSO Work?
SSO relies on two components: an identity provider and a service provider. For SSO to function properly, the application or service being configured for authentication must have a trusted relationship with the identity provider(s). As with many trust-based concepts in technology, this relationship relies on a signed certificate that’s shared between the two entities. The certificate protects the integrity of the user information sent from the identity provider to the service provider or application.
While the signed certificate is required to configure the connection and validate the communication between the identity provider and application, the authentication uses SSO tokens to transmit and validate the user information.
What Are SSO Tokens?
SSO tokens contain the user data required to authenticate a user to an SSO application, most often a user ID or email address and password. These tokens are passed from the service provider to the identity provider so the authentication information collected from the user can be validated against the identity provider’s account directory.
SSO Authentication Process
- The end-user browses to the SSO application (i.e. the service provider).
- Upon requesting to log in, which is done by inputting username details, the service provider sends a token containing this information to the identity provider.
- The user will be redirected to the identity provider’s login website where they can enter their credentials.
- Once the user inputs the correct credentials, the identity provider will send a response token to the service provider that validates the authentication was successful.
- Upon receipt, the service provider will validate the sent token against the signed certificate used to set up the trusted relationship.
- Provided that authentication to the identity provider is successful and the trusted relationship between the two entities is intact, the user will be logged in to the application.
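The service provider's validation step from the list above, as an added example that is not code from the original article. It assumes a simplified token format, and an HMAC shared key is swapped in for the certificate-based signature so that only the standard library is needed; the issuer, audience and key values are constructed.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the trust material exchanged at setup. Real SSO
# uses the identity provider's certificate (asymmetric signature); HMAC with
# a shared key is swapped in here so the example needs only the stdlib.
TRUST_KEY = b"constructed-demo-key"
EXPECTED_ISSUER = "https://idp.example"      # hypothetical identity provider
EXPECTED_AUDIENCE = "https://app.example"    # hypothetical service provider

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(claims: dict, key: bytes = TRUST_KEY) -> str:
    """Identity provider side: serialize the claims and sign them."""
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def validate_token(token: str, now: float, seen_ids: set) -> dict:
    """Service provider side: verify the signature first, then the claims."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(TRUST_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(body)   # parsed only after the signature checks out
    if claims["iss"] != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims["aud"] != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims["id"] in seen_ids:                 # one-time use: reject replays
        raise ValueError("replayed token")
    seen_ids.add(claims["id"])
    return claims
```

A valid signature alone is not enough: the issuer, audience, expiry and one-time-use checks are what stop a genuine token from being accepted by the wrong application or accepted twice.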
Typically, once this process is complete, a session cookie is created in the browser session, which then preserves the authenticated session. The period of time the session is valid depends on the SSO configuration, though most sessions will be valid for hours or days within the same browser session. When the user exits their existing browser session, the session cookie clears and they will need to re-authenticate to their identity provider the next time they attempt to access the application.
Benefits of SSO
- Streamlined sign-on process for the user
- Fewer passwords for users to remember, thereby reducing the risk of weak passwords
- Self-service capabilities for password resets and account lockouts
- Easier account management and access control for IT teams
As mentioned previously, there are numerous benefits of SSO with the most obvious one being the convenience to end-users. For service providers and applications that use SSO, users no longer have to create different accounts to access and use the service. Instead, they can opt to authenticate to the service using an existing identity, like Google, Facebook or Apple.
This feature indirectly results in security benefits, as the ability to use one account for multiple services reduces the chances of reusing weak passwords. Often, the more passwords a user has to keep track of, the less complex the passwords become. SSO enables us to use one or two accounts to access multiple applications, thereby limiting the number of passwords we need to remember and (hopefully) increasing the chances users will create more complex passwords.
SSO offers benefits to IT teams as well. Between password reset requests, account lockout issues and endless access requests to various applications, IT staff can spend a lot of time provisioning accounts and resolving access issues when SSO isn’t in place. SSO enables quick provisioning of access to apps, and can even proactively assign users to applications based on their role assignments. Additionally, many SSO providers offer self-service password reset and account unlock capabilities, both of which significantly reduce the number of users calling into a service desk for assistance.
Risks of SSO
- Lack of adherence to security principles can lead to extensive levels of access
- Users can be locked out of multiple systems connected to SSO
- Little control over the sessions once a user gains access
- Considered very insecure if it’s configured without MFA (multi-factor authentication)
If done carelessly, SSO can lead to extensive immediate access that can pose a security threat if a user’s credentials are compromised. IT teams should use security concepts like the principle of least privilege and role-based access to ensure no user receives more permissions than they need or extensive access to apps they don’t use. Conversely, if a user’s account is locked out for one reason or another, they will be unable to access all systems or applications that use the SSO account.
In many cases, once access is granted, there is little control over the sessions. Enterprises using SSO should consider using conditional access policies that can provide an added layer of security to SSO. Conditional access allows an organization to use other attributes of a logon. For example, from where is the login occurring and from what type of device? This helps the provider determine the level of risk the login presents. If the request differs significantly from previous successful logins (e.g. if the location of a recent login attempt is different from one that occurred an hour ago) the system may raise a flag. This capability can help IT and security staff proactively identify a potential breach.
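A conditional access check of the kind described above, as an added example that is not from the original article or any particular provider. It compares a login attempt's location and device with earlier successful logins; the speed threshold, flag names, policy outcomes and sample logins are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class Login:
    user: str
    ts: float        # seconds since epoch
    lat: float
    lon: float
    device_id: str

MAX_SPEED_KMH = 900.0   # assumed threshold: roughly airliner cruising speed

def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def assess(attempt: Login, history: list) -> list:
    """Return the risk flags an attempt raises against prior successful logins."""
    past = [h for h in history if h.user == attempt.user and h.ts <= attempt.ts]
    if not past:
        return ["no_history"]
    flags = []
    if attempt.device_id not in {h.device_id for h in past}:
        flags.append("new_device")
    last = max(past, key=lambda h: h.ts)
    hours = max((attempt.ts - last.ts) / 3600.0, 1 / 60)   # floor at one minute
    if distance_km(last, attempt) / hours > MAX_SPEED_KMH:
        flags.append("impossible_travel")
    return flags

def decide(flags: list) -> str:
    """Map flags to a policy outcome (hypothetical policy)."""
    if "impossible_travel" in flags:
        return "block_and_alert"
    return "require_mfa" if flags else "allow"

# Constructed sample data: one prior login from London on a known laptop.
HISTORY = [Login("alice", 0.0, 51.5074, -0.1278, "laptop-1")]
SAME_PLACE = Login("alice", 3600.0, 51.5074, -0.1278, "laptop-1")
NEW_PHONE = Login("alice", 3600.0, 51.5074, -0.1278, "phone-9")
FAR_AWAY = Login("alice", 3600.0, 40.7128, -74.0060, "laptop-1")  # New York, 1 h later
```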
Finally, the use of multi-factor authentication (MFA) with SSO is a must. MFA provides an added layer of authentication that makes it more difficult for a malicious individual to successfully log in to SSO services using stolen credentials. This significantly reduces the risk of an unauthorized user gaining access to multiple services or applications using a single account.
SSO Applications
While SSO is primarily used in the corporate world, many use it for personal accounts as well. When shopping online, many retailers may allow you to create an account or log in to their platform with an Apple ID, Gmail or Facebook account. This is SSO in action, as you’re using an existing identity to authenticate to another service or application.
In the business world, IT teams configure employees’ enterprise accounts to access various business applications. For example, a company may use their enterprise accounts to sign into the Office 365 suite of applications (Outlook, Word, PowerPoint) as well as the corporate network, the intranet and cloud applications like Salesforce, Concur, Dropbox and more.