Single Sign On


August 3, 2023 · Mike

This article is part of the ongoing series discussing identity and access management (IAM).


What is Single Sign On?

Single Sign On (SSO) is the concept of using one set of login credentials per person for many resources. Those resources might be logging into a computer, a web site, your email or an installed application. It’s one username and password (one identity) for everything.

It requires all those resources to support the use of a central identity provider (an IdP). Examples of popular IdPs are Microsoft Active Directory and Azure Active Directory¹, Google Workspace, Ping, and Okta.

When that resource (the computer, website, etc.) needs to log the user in by checking their username and password, it sends that information to the central IdP. The IdP then checks everything is correct before sending a response to the resource that the login can continue.

Why use SSO?

Summary: It’s easier to manage and there’s one set of credentials for the user to remember.

If the IdP system controlling that one identity has the appropriate processes and controls, it’s one secure place for all your staff members’ credentials. When your staff numbers are growing, you don’t want them having to do things that aren’t helping your customers.

It should be able to log and audit all the authentication actions that it is asked to do. This means it can identify the unexpected and potentially take action. Like preventing more login attempts if someone has just failed five attempts in a short time.
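As an added illustration (not code from the article or from any IdP product), here is a small Python replay of the kind of audit an IdP should perform on its own authentication log: it reads constructed log lines in an assumed `timestamp key=value` format and locks an account after five failed attempts within an assumed five-minute window, refusing further attempts until an administrator intervenes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # assumed policy: five failures ...
WINDOW = timedelta(minutes=5)     # ... within five minutes locks the account

# Constructed sample of an IdP authentication log; the format is an assumption.
SAMPLE_LOG = """\
2023-08-03T09:00:01Z user=alice result=success ip=203.0.113.10
2023-08-03T09:00:05Z user=bob result=failure ip=198.51.100.7
2023-08-03T09:00:09Z user=bob result=failure ip=198.51.100.7
2023-08-03T09:00:14Z user=bob result=failure ip=198.51.100.7
2023-08-03T09:00:20Z user=bob result=failure ip=198.51.100.7
2023-08-03T09:00:25Z user=bob result=failure ip=198.51.100.7
2023-08-03T09:00:30Z user=bob result=success ip=198.51.100.7
2023-08-03T09:10:00Z user=carol result=failure ip=192.0.2.3
2023-08-03T09:30:00Z user=carol result=failure ip=192.0.2.3
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed time."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


class LockoutPolicy:
    """Tracks recent failures per user and locks the account once the threshold is hit."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self.recent_failures = defaultdict(deque)  # user -> failure times still inside the window
        self.locked_at = {}                         # user -> time the lock was applied

    def decide(self, event):
        """Return 'allowed', 'failed', 'locked' (this attempt tripped the lock) or 'rejected'."""
        user, now, result = event["user"], event["time"], event["result"]
        if user in self.locked_at:
            return "rejected"            # locked: refuse before even evaluating the password
        if result == "success":
            self.recent_failures[user].clear()
            return "allowed"
        failures = self.recent_failures[user]
        failures.append(now)
        while failures and now - failures[0] > self.window:
            failures.popleft()           # forget failures older than the window
        if len(failures) >= self.max_failures:
            self.locked_at[user] = now
            return "locked"
        return "failed"


def replay(log_text):
    """Apply the policy to every log line; returns (decisions, sorted list of locked users)."""
    policy = LockoutPolicy()
    decisions = []
    for event in map(parse_line, log_text.splitlines()):
        decisions.append((event["user"], event["time"], policy.decide(event)))
    return decisions, sorted(policy.locked_at)


if __name__ == "__main__":
    for user, when, decision in replay(SAMPLE_LOG)[0]:
        print(f"{when:%H:%M:%S} {user:6} {decision}")
```

In the sample, bob’s fifth failure inside the window locks the account, so his later correct password is rejected, while carol’s two failures twenty minutes apart never accumulate. The same log also lets the IdP spot patterns a per-user counter misses, such as a single source address failing against many usernames, and an account lock that anyone can trigger by typing a username is itself a denial-of-service lever, which is why production IdPs pair it with per-source throttling or progressive delays.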

With one IdP then there’s one platform to manage in terms of configuration, updates and security. This set of systems should be protected more than anything else in your company. Once an attacker gets hold here, they are going to be incredibly tough to remove.

Your IdP can also implement additional rules (usually called policies) when people are logging in. These can really help create a secure process that should include Multi-Factor Authentication (MFA) and limit access to only trusted devices or trusted networks.

It is very strongly recommended to use MFA from an app on your phone or a hardware token in your user sign-on process, especially for those people with privileged access like administrators.

How can I use SSO?

There’s a strong case to be made for using a cloud provider’s IdP in that you can reduce some of your own workload. It may be that you won’t need any costly servers to support and the cloud services can provide much of the security required. But in all scenarios, you and your staff are responsible for making the most of those options. In cloud terms it’s often called “shared responsibility”, to highlight that the cloud provider is not doing everything.

The applications and resources you access will help define the options you have to implement SSO. If your email and files are stored in Google Workspace or Microsoft Office 365 then those providers will likely be the easiest path to take.

For the other web sites or applications you use, there are a couple of technical names to look for.

SAML and OAuth

Without getting into technical detail, if an application supports these technologies (and your IdP must too), then setup is expected to be fairly straightforward. Both allow for that user authentication flow from the resource to the IdP and back again after the login process has completed. They’re the standardised ways for the process to happen when you log in to a resource.

An example of what happens behind the scenes:

  graph TD;
  A[User visits the web app] -->|Submits their username and password| B(Identity Provider);
  B --> C{Username and \npassword validation};
  C -->|Success| D(Login to web app);
  C -->|Failure| E(Error in web app);
  D -->|Fetch user profile| B;

As the information between the resource and the IdP is probably being exchanged across the internet, the connections have to be encrypted and the content being sent must also be protected against manipulation. Often, after a successful login process has completed, the application/resource will then make another connection back again to find out more information about the user, like their name, email address and profile image.
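The flow in the diagram above, as an added Python example that is not part of the original article: a web app hands the credentials to the IdP, the IdP checks them against a salted password hash and, on success, returns a signed assertion bound to the requesting app and to an expiry time; the app verifies that assertion before trusting it, then presents it again to fetch the user’s profile. The token format, the HMAC shared key and the names (`IdentityProvider`, `WebApp`, `verify_assertion`) are the example’s own simplifying assumptions; real SAML uses XML signatures and OpenID Connect uses JWTs, both signed with the IdP’s private key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

PBKDF2_ROUNDS = 100_000  # assumed work factor for the constructed password store
ASSERTION_LIFETIME = 300  # assumed validity of an assertion, in seconds


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text)


def sign_assertion(claims, key):
    """Serialise the claims and append an HMAC so the app can detect manipulation."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(key, body.encode(), "sha256").hexdigest()
    return f"{body}.{signature}"


def verify_assertion(token, key, audience, now):
    """Accept the assertion only if signature, audience and expiry all check out; else None."""
    try:
        body, signature = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(signature, expected):
        return None                                   # tampered or forged
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience:
        return None                                   # issued for a different app
    if claims.get("exp", 0) < now:
        return None                                   # stale assertion
    return claims


class IdentityProvider:
    def __init__(self, signing_key):
        self.signing_key = signing_key
        self.users = {}     # username -> (salt, PBKDF2 digest); plaintext is never stored
        self.profiles = {}  # username -> profile details an app may fetch after login

    def add_user(self, username, password, profile):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)
        self.profiles[username] = profile

    def check_password(self, username, password):
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def authenticate(self, username, password, audience, now):
        """Diagram nodes B and C: validate the credentials, then issue an assertion or None."""
        if not self.check_password(username, password):
            return None
        claims = {"sub": username, "aud": audience, "iat": int(now), "exp": int(now) + ASSERTION_LIFETIME}
        return sign_assertion(claims, self.signing_key)

    def user_profile(self, token, audience, now):
        """Diagram node D's follow-up: the app presents the assertion again to fetch the profile."""
        claims = verify_assertion(token, self.signing_key, audience, now)
        return None if claims is None else self.profiles.get(claims["sub"])


class WebApp:
    def __init__(self, name, idp, shared_key):
        self.name, self.idp, self.key = name, idp, shared_key

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        token = self.idp.authenticate(username, password, self.name, now)
        if token is None:
            return ("error", "login failed")          # diagram node E
        if verify_assertion(token, self.key, self.name, now) is None:
            return ("error", "assertion rejected")    # never trust an unverified assertion
        return ("ok", self.idp.user_profile(token, self.name, now))  # diagram node D


def altered_copy(token, new_subject):
    """Constructed manipulated assertion (subject changed, old signature kept) to show verification rejects it."""
    body, signature = token.split(".", 1)
    claims = json.loads(_unb64(body))
    claims["sub"] = new_subject
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{signature}"


def demo():
    """Run the happy path plus the three checks the app relies on; returns the outcomes."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider(key)
    idp.add_user("alice", "correct horse battery staple", {"name": "Alice Example", "email": "alice@example.com"})
    app = WebApp("https://app.example.com", idp, key)
    now = 1_690_000_000  # fixed clock so expiry behaviour is reproducible
    good = app.login("alice", "correct horse battery staple", now)
    bad = app.login("alice", "wrong password", now)
    token = idp.authenticate("alice", "correct horse battery staple", app.name, now)
    altered = verify_assertion(altered_copy(token, "admin"), key, app.name, now)
    other_app = verify_assertion(token, key, "https://other.example.com", now)
    expired = verify_assertion(token, key, app.name, now + 2 * ASSERTION_LIFETIME)
    return good, bad, altered, other_app, expired


if __name__ == "__main__":
    print(demo())
```

Three of the outcomes are rejections the diagram does not show but a real app depends on: an assertion whose content was edited in transit, an assertion minted for a different application, and one presented after its expiry. Because this example shares one symmetric key between the IdP and the app, the app could in principle mint its own assertions; production deployments avoid that by having the IdP sign with a private key and publish only the certificate or public key, so verification needs no secret at all.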

Which technology should I use for SSO?

If your business already uses Microsoft or Google services, it might seem like an easy decision. But the devil is in the details of the devices and software you use, how many staff you have and how they use those things.

Do you have Microsoft Windows servers that store data in your office or in a data centre? Do you use Apple Mac devices with your servers? In these cases you may have an internal system that needs to be set up to synchronise your staff accounts to a chosen cloud provider’s IdP, or a plan to migrate your on-premises systems to the cloud in parallel.

Or is all your information already in cloud services, but your staff access them with a collection of different user accounts?

There’s a helpful usability option with SSO and that’s an extra “s” for seamless. If you are already logged into your device or your browser, you should not have to log in again for an app on that machine or within that browser. Even with one username and password, you do not want to have to type that in for all the different apps you use each day.

The most important thing for SSO is the first part - Single. You must only have one way to login and you must manage that well and use the recommended options like MFA. You should require your software and services vendors to support SSO and to make it a default in all levels of their offerings.

What does it cost?

You shouldn’t need to pay more for enabling SSO for your business. But as always, there are incremental features that likely cost a little extra and they will take the form of subscription based licences. It may be another $5-10 per month per person for some options, which is disappointing when good security comes with additional cost from a vendor.

Summary

Single Sign On is a must-have for your business to be able to properly manage the access your staff have and to keep that access secure. It simplifies access when people join or leave and it can provide features like MFA and policies to better protect your information.


  1. Microsoft renamed Azure Active Directory to Entra ID in 2023.
