SSO, also known as Single Sign-On, is an authentication mechanism that allows a user to access multiple websites and SaaS applications with one set of login credentials. If you have stakeholders within your organization that go through multiple login processes and sessions during the day to access applications and servers, SSO essentially allows you to streamline the process of accessing those services securely. That way, your project participants can focus on the tasks at hand rather than trying to remember multiple login credentials.
SSO is something that we often use in our daily lives without noticing it. For example, if you’ve ever used services like Google’s Gmail, Drive, Analytics or YouTube, you’ll notice that once you’ve signed into any one of these services, you’re actually signed into and can access all of them. Apple also offers enterprise-level SSO using an Apple ID to help reduce security risks, as do many other companies that we’ll outline in this article. So whether your routine working day involves services such as Zoom, Slack, Asana, Google Workspace or other applications, SSO removes any friction related to accessing them securely.
For businesses, SSO can offer a number of advantages for infosec (information security) and the overall security of your network; however, it also comes with its own set of complexities and challenges, which can have security implications. So, in this article, we’ll have a look at how SSO works, what role it can play in your organization, and the key security implications you need to be aware of.
How Does SSO Work?
With SSO, when a user is trusted by one system, they are given access to all other systems that have a trusted relationship with that system. Common protocols used for SSO include OpenID Connect, which is an open standard and decentralized authentication protocol used by the likes of Google for its services. Another well-known protocol is SAML, an XML-based protocol for exchanging authentication and authorization data between Identity Providers (IdPs) and service providers to verify any given user's identity and service permissions. SAML is more often used in work environments and typically allows users to access services such as Salesforce and Workday.
The SSO Login and Authentication Process
When a user signs into an SSO service, an authentication token is generated that remembers that this is a verified user. This allows the service to verify that a user is who they say they are. Here is a high-level view of the login process without and with SSO:
Authentication Without SSO
- You attempt to log into an application or service.
- The website or application checks to see whether you have previously been authenticated.
- If you have been authenticated, you get access; if not, it asks you to log in and checks your credentials against what’s in the database.
Authentication With SSO
- You attempt to log into an application or service.
- The application or service will check the SSO service for your authentication token.
- The SSO service will then pass the token to the app or service.
- If you have been authenticated, you get access; if not, you will be prompted to go through the SSO service.
It’s important to note that the SSO service does not store user identities, so it does not know who you are. Typically the SSO service will check user credentials against a totally separate identity provider.
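As an added illustration of the token flow described above (example code written for this article, not from any SSO vendor), the identity provider, the SSO service and the connected applications are modelled as separate objects: the IdP alone holds credentials, the SSO service issues and validates a signed, expiring token, and each app only asks the SSO service about that token. The user name, password and salt are constructed sample values, and the token format is a simplified HMAC-signed stand-in for a real SAML assertion or OpenID Connect ID token.

```python
import base64, binascii, hashlib, hmac, json, secrets, time

class IdentityProvider:
    """Separate identity store: holds user records and verifies credentials.
    The sample user and salt are constructed for this example."""
    def __init__(self):
        self._salt = b"constructed-salt"
        self._users = {"alice": self._hash("correct horse battery")}

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify(self, user, password):
        stored = self._users.get(user)
        return stored is not None and hmac.compare_digest(stored, self._hash(password))

class SsoService:
    """Issues a signed, expiring token once the IdP confirms the credentials,
    then validates that token for any connected application."""
    def __init__(self, idp, ttl_seconds=3600):
        self.idp, self.ttl = idp, ttl_seconds
        self.key = secrets.token_bytes(32)  # signing key never leaves the SSO service

    def login(self, user, password):
        if not self.idp.verify(user, password):
            return None  # IdP rejected the credentials: no token issued
        payload = json.dumps({"sub": user, "exp": time.time() + self.ttl}).encode()
        sig = hmac.new(self.key, payload, "sha256").digest()
        return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, sig))

    def validate(self, token):
        """Return the user name if the token is genuine and unexpired, else None."""
        try:
            payload, sig = (base64.urlsafe_b64decode(p) for p in token.split("."))
        except (ValueError, binascii.Error):
            return None  # malformed token
        if not hmac.compare_digest(sig, hmac.new(self.key, payload, "sha256").digest()):
            return None  # tampered, or signed by a different SSO service
        claims = json.loads(payload)
        return claims["sub"] if claims["exp"] > time.time() else None

class Application:
    """A connected app: it never handles the password, only the token."""
    def __init__(self, name, sso):
        self.name, self.sso = name, sso

    def access(self, token):
        # None means the app should send the user through the SSO login instead
        return self.sso.validate(token)
```

One token from one login opens every app wired to the same SSO service, which is exactly why the single point of failure discussed later matters.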
Is SSO Secure?
As with just about any information security strategy, using SSO is most secure when best practices are followed and secure credential management tools are used. That said, SSO can assist you in doing any of the following to increase the overall security of your organization and its data:
- Provide verified security protocols and service at scale and protect users across the organization with consistent security policies.
- Using multifactor authentication (MFA), organizations can oversee user access rights and privileges, which helps ensure that only authorized users have access to sensitive data.
- SSO pushes organizations to implement secure password policies, and the risk of reused passwords is also avoided.
Osterman Research, a market research firm that gives insight on cybersecurity, once reported that the average organization gives employees access to as many as 15 applications. The more applications stakeholders in your organization need to use, the more attack vectors there are for hackers to make their way into your network. So using a good SSO solution coupled with cybersecurity best practices will help mitigate risks to your network and your data.
The Challenges and Complexities of SSO
So far we’ve seen that Single Sign-On has many security and procedural advantages, especially when used for multiple applications or at scale within an organization. But there are some challenges and complexities that come along with it as well, so we’ll highlight some key ones in this section.
Single Point of Failure: Obviously, if a hacker gains access to an account protected by SSO login credentials, every system and application associated with those credentials is at risk as well. As such, addressing this possibility up front in your system’s architectural planning is advantageous. You’ll also want to include controls like multifactor authentication.
Redundancy and Reliability: If an SSO system goes down, this could halt any operations with connected applications and services. A plan for redundancy should be put in place, as well as a fallback plan in case all SSO options are ever suddenly off the table.
Insecure Passwords: This is where using a password manager is important. SSO and password managers are two distinct things, and password managers can in fact make your SSO process much more secure.
Potential vulnerabilities: There have been known vulnerabilities with SSO including those found by Duo. These vulnerabilities were found in a number of SSO applications, so when you choose your SSO provider, you’ll want to ensure they’ve addressed any known vulnerabilities.
Compatibility with Apps You Use: Because SSO will interact with so many apps within your organization, you run the risk that a specific application provider does not have SSO compatibility.
The Advantages of Using SSO
Beyond any initial complexities, when used effectively, the advantages of using SSO can far outweigh any initial set up challenges or supposed risks. From increased productivity to a higher level of InfoSec stability, it’s all possible with a good SSO architecture. Here we’ll look at some key advantages of using SSO within your organization.
SSO has security advantages such as reducing the risk of phishing attacks by eliminating the possibilities of unsafe passwords and cyber fatigue. Users can focus on remembering one strong password for their password manager, for instance, and that password management tool can do the heavy lifting for all other passwords needed within the SSO architecture.
One of the initial advantages for organizations when SSO is properly implemented is the increased productivity from users. Quick and seamless access to critical applications with the click of a button allows users to focus more on work than on granular levels of security.
Better Access Control and Auditing
With SSO, network administrators can more easily ensure the right people have access to certain kinds of information, which can be configured by department or role. Additionally, IT teams can easily enforce policies related to security such as password reset rules, MFA requirements and time-out policies that force users to re-authenticate themselves periodically.
As cybersecurity threats evolve, your SSO architecture will allow you to easily deploy security protocols across your organization to better protect users and information, as well as more easily stay in compliance where needed.
SSO Providers: What to Look For
There are a number of SSO service providers you can consider using, including:
- Okta - Provides a full suite of cloud-based identity platform solutions and also has MFA integration, web and mobile apps and a host of other features.
- Microsoft Azure - One of the most widely used SSO applications, Azure allows users to access multiple apps using their Office 365 credentials. Developers can also use Azure to add SSO onto their apps.
- Duo - This SSO provider focuses on user-friendliness and is hosted on Duo servers. Here you’ll find familiar features such as MFA integration and an easy framework for scaling its use throughout your organization.
There are other SSO service provider options; however, when choosing one that best fits your needs, be sure to check that they have addressed known SSO vulnerabilities and that they include features such as MFA integration, customization, and good tools for monitoring and troubleshooting.
You’ll also want to be sure you have good tools to effectively manage connected apps and users, and to identify and resolve any critical issues in a timely manner. And if you want more information on how to effectively integrate SSO in your organization and protect your users and data, be sure to reach out to our cybersecurity experts at [email protected].