

What is Single Sign On Authentication?

In the most rudimentary terms, Single Sign-On authentication lets a single user access multiple applications with the same credentials. Single Sign-On is also commonly referred to as "SSO". SSO is commonly used in enterprise-level systems that require access to multiple applications within the same Local Area Network, a scope that has since expanded to include the Wide Area Network.

This, in most cases, is implemented using LDAP (Lightweight Directory Access Protocol). The SSO mechanism that gets incorporated varies with the applications involved. SSO is often used together with additional authentication techniques such as smart cards or one-time password tokens.

When to use SSO?

Single Sign-On does have its own benefits and hence is adopted by several enterprise-level businesses. SSO is commonly used when you have several different internal applications that need to be accessed by a single user.

This is one of the reasons it is so popular in enterprise-level business, where a single user can have access to multiple internal applications. These applications traditionally worked only over a VPN or a Local Area Network, but as their usefulness became apparent, access was extended over the Internet. In such large organizations, SSO helps improve productivity and minimizes the maintenance of authentication for different applications. Apart from this, SSO can also be implemented over the Web.

While this is popular amongst most organizations, third-party vendors such as Google, which offers a suite of applications, are also adopting SSO. According to Gartner, 30% of help desk services are related to password issues, and the cost of a single password reset is estimated at roughly $70. SSO makes this entire process simpler and more cost-effective.

How does Single sign-on (SSO) Work?

SSO requires a common identity provider that is responsible for authenticating the users. The SSO Identity Provider then signals to the target application that the user has been authenticated successfully.

Consider a scenario without SSO in which a user wants to access two applications, App1 and App2. Typically, each of these applications would have its own username and password, and the user would have to use the respective credentials to access each one.

With SSO, the applications decide whether to grant the user access based on the information held by the SSO Identity Provider. The SSO Identity Provider issues assertions to the applications using standards such as SAML, JWT, or OpenID Connect.

SSO maintains a user repository to authenticate users. This repository could be an Active Directory (AD), LDAP, custom database, or Stormpath. Repositories and the underlying protocol play a key role in the user management process.

In many cases, SSO is confused with a centralized authentication system. However, the two are slightly different. A centralized system focuses purely on user access management. With a centralized system, a user who wishes to access two applications, App1 and App2, must still log in to each application separately, even though the same username and password are used for both. The user is not automatically logged in to App2 after having logged in to App1. With SSO, this happens automatically.

Centralized authentication focuses on ease of user credential management, whereas SSO focuses on enriching the user experience.

Similarly, with centralized authentication one can share user data across multiple applications. SSO, however, is a poor fit when you need to share user data across multiple applications. Even though the SSO provider sends the application an assertion about the authentication, the application still has to look up, and if necessary create, the user in its own local repository. This is a redundant activity for every application integrated with SSO.
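The two points above, the Identity Provider issuing a signed assertion that the application accepts instead of its own password check, and the application still having to look up or create the user in its local repository, can be shown end to end in a small script. The following is an added example and not code from the original post or from any SSO product it mentions; it uses a compact HS256 JWT with a shared secret as a simplified stand-in for a real SAML or OpenID Connect exchange, and the issuer URL, audience name, secret and user records are all constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values. A real deployment would use per-application
# asymmetric keys and the Identity Provider's published metadata instead.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://idp.example.test"   # hypothetical SSO Identity Provider
AUDIENCE = "app1"                     # hypothetical relying application (App1)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Identity Provider side: mint a short-lived assertion for one application."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_assertion(token: str, expected_audience: str, now: int) -> dict:
    """Application side: accept only assertions signed by our IdP, for us, and unexpired."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm rather than trusting whatever the token header claims.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token was issued for a different application")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def rejection_reason(token: str, expected_audience: str, now: int):
    """Return None if the assertion is acceptable, otherwise the reason it was rejected."""
    try:
        verify_assertion(token, expected_audience, now)
        return None
    except ValueError as exc:
        return str(exc)


# The application's own user repository (constructed sample data).
LOCAL_USERS = {"alice": {"role": "editor"}}


def login_with_sso(token: str, now: int, repo: dict = LOCAL_USERS) -> dict:
    """Accept the IdP's assertion, then do the local lookup-or-create step the text describes."""
    claims = verify_assertion(token, AUDIENCE, now)
    user = repo.get(claims["sub"])
    if user is None:
        # Just-in-time provisioning: unknown subjects get the least-privileged role.
        user = {"role": "viewer"}
        repo[claims["sub"]] = user
    return {"sub": claims["sub"], **user}


if __name__ == "__main__":
    now = int(time.time())
    token = issue_assertion("alice", AUDIENCE, now)
    print(login_with_sso(token, now))
    print(rejection_reason(issue_assertion("alice", "app2", now), AUDIENCE, now))
```

Note that the application never sees a password: its only checks are on the assertion itself (signature, issuer, audience, expiry), and a token minted for App2 is refused by App1 even though it was signed by the same Identity Provider. The local repository step is what the text calls redundant: every integrated application repeats it for its own user records.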

Many implementations such as Stormpath provide an integrated solution that uses Centralized authentication and SSO.

Pros of SSO:

SSO provides several benefits not only to organizations but also to users. A few of these are:

  • User Convenience: Maintaining separate credentials for different applications is tedious, and it becomes worse when a user needs to reset a password for one of them. With SSO, users no longer have to remember multiple login credentials. And since you can outsource this to established SSO providers, there is no need to build in-house tools just to provide convenience for end users. This makes it doubly advantageous to businesses seeking simplicity in security.

  • Reduced Risk: In most cases, organizations build internal SSO systems, which reduces the risk of storing passwords with external systems. SSO also reduces the risk involved in accessing third-party sites.

  • Cost and Time Effective: With SSO you do not have to log in every time you access each application. SSO is a one-time investment and provides a high ROI by reducing the number of calls made to the service help desk for password resets.

  • Less Work: With SSO, less manual intervention is required, since only a single user identity and a single password need to be maintained. All authentication and password management is handled by a centralized trusted authenticator.

  • More Business: SSO allows easy signup and spares users tedious account-creation effort, which means more users signing up for your applications. In other words, user trust increases, and with it your conversion rate.

  • Prevents Phishing Attacks: Using an SSO-based architecture prevents phishing attacks, since authentication happens at a single point. Users often fall victim to phishing attacks disguised as password reset requests.

  • Better Compliance and Reporting: SSO provides better security compliance due to its architecture. It enables detailed reporting on users, who can be monitored for malicious activity. Since there is a single point of entry, monitoring the system is less tedious.

Cons of SSO:

While there are several benefits of using SSO, it has a few downsides that should be considered. A few of these are:

  • Single Point of Failure: SSO has a single trusted authenticator, and if it fails at any point, every application that depends on it stops functioning. This is the biggest risk of SSO.

  • Security: A security breach of any sort can leave all the applications vulnerable. To mitigate this, several applications recommend multi-factor authentication.

Conclusion

A strong SSO implementation can improve user experience, strengthen security, and streamline access to different applications. For a more robust authentication mechanism, one can implement two-factor authentication (2FA), where one of the factors is handled over SSO.

Finally, the credential data stored by the authenticator should be maintained in a secure and remote environment.

