In the most rudimentary terms, Single Sign-On authentication allows a single user to access multiple applications with the same credentials. Single Sign-On is commonly referred to as "SSO". SSO is widely used in enterprise systems that require access to multiple applications within the same Local Area Network, a scope that has since expanded to include Wide Area Networks.
In most cases this is implemented using LDAP (Lightweight Directory Access Protocol). The exact SSO mechanism varies with the applications involved. SSO is often combined with additional authentication techniques such as smart cards or one-time password tokens.
When to use SSO?
Single Sign-On has clear benefits and is therefore adopted by many enterprise-level businesses. SSO is commonly used when you have several different internal applications that need to be accessed by a single user.
This is one of the reasons it is so popular in enterprise businesses, where a single user needs access to multiple internal applications. These applications traditionally only worked over a VPN or a Local Area Network, but as SSO proved its usefulness it was extended over the Internet. In such large organizations, SSO improves productivity and minimizes the maintenance of authentication for different applications. Apart from this, SSO can also be implemented over the Web.
While SSO is popular with most organizations, third-party vendors such as Google, which offers a suite of applications, are also adopting it. According to Gartner, 30% of help desk calls are related to password issues, and the cost of a single password reset is estimated at roughly $70. SSO simplifies this entire process and makes it cost-effective.
How does Single Sign-On (SSO) work?
SSO requires a common identity provider that is responsible for authenticating users. The SSO Identity Provider then signals to the target application that the user has been authenticated successfully.
Consider a scenario without SSO in which a user wants to access two applications, App1 and App2. Typically each application would have its own username and password, and the user would have to present the respective credentials to access each of them.
With SSO, the applications simply determine whether they can grant the user access based on the information held by the SSO Identity Provider. The Identity Provider issues assertions to the applications using standards such as SAML, JWT or OpenID Connect.
SSO maintains a user repository against which users are authenticated. This repository could be Active Directory (AD), LDAP, a custom database or Stormpath. The repository and the underlying protocol play a key role in the user management process.
SSO is often confused with a centralized authentication system, but the two are slightly different. A centralized system focuses purely on user access management: if a user wishes to access App1 and App2, they must log in to each application separately, although with the same username and password. Having already logged in to App1 does not automatically log the user in to App2. With SSO, this happens automatically.
Centralized authentication focuses on ease of credential management, whereas SSO focuses on enriching the user experience.
Similarly, centralized authentication lets you share user data across multiple applications, whereas SSO is a poor solution when user data must be shared across applications. Even though the SSO provider sends the application an assertion that the user is authenticated, the application still needs to look up, or create, the user in its own local repository. This activity is repeated for every application integrated with SSO.
Many implementations, such as Stormpath, provide an integrated solution that combines centralized authentication with SSO.
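As an added illustration of the flow described above (this is constructed example code, not code from the original article): a toy Identity Provider mints a JWT-style HMAC-signed assertion for a user who has logged in once, and two relying applications, App1 and App2, each verify the signature, issuer, audience and expiry before looking up or creating their own local user record. The single shared key, the issuer name and the claim layout are assumptions made for the example.

```python
import base64, hashlib, hmac, json
from typing import Dict, Optional

# Constructed for this example: one HMAC key shared by the IdP and the applications.
# A production IdP would sign with a private key and publish the public key instead.
IDP_SECRET = b"example-idp-signing-key"
IDP_ISSUER = "https://idp.example.internal"  # placeholder issuer name

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_assertion(user_id: str, audience: str, now: int, ttl: int = 300) -> str:
    """Identity Provider: after the user has authenticated once, mint a JWT-style
    signed assertion addressed to one specific application (the 'aud' claim)."""
    claims = {"iss": IDP_ISSUER, "sub": user_id, "aud": audience,
              "iat": now, "exp": now + ttl}
    payload = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64url_encode(sig)}"

class Application:
    """A relying application such as App1 or App2. It never sees the user's
    password; it trusts the IdP's assertion and keeps only a local user record."""
    def __init__(self, name: str):
        self.name = name
        self.local_users: Dict[str, dict] = {}  # the local repository the text refers to

    def accept_assertion(self, token: str, now: int) -> Optional[dict]:
        parts = token.split(".")
        if len(parts) != 2:
            return None
        payload, sig = parts
        expected = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # signature does not verify: forged or tampered assertion
        claims = json.loads(b64url_decode(payload))
        if claims.get("iss") != IDP_ISSUER or claims.get("aud") != self.name:
            return None  # unknown issuer, or an assertion minted for another application
        if now >= claims.get("exp", 0):
            return None  # expired: old assertions must not be replayable
        # Look up or create the local record: the per-application step the text calls redundant.
        user = self.local_users.setdefault(claims["sub"], {"id": claims["sub"], "logins": 0})
        user["logins"] += 1
        return user
```

An assertion minted for App1 is rejected by App2 because of the audience check, which is what keeps one login from being silently valid everywhere without the IdP's involvement.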
Pros of SSO:
SSO provides several benefits, not only to organizations but also to users. A few of these are:
- User convenience: Maintaining multiple credentials for different applications is tedious, and worse still when a user needs to reset the password of one of them. With SSO, users no longer have to remember multiple login credentials.
- Reduced risk: In most cases organizations build internal SSO systems, which reduces the risk of storing passwords with external systems. SSO also reduces the risk associated with accessing third-party sites.
- Cost and time effective: With SSO you do not have to log in each time you access another application. SSO is a one-time investment that provides a high ROI by reducing the number of help desk calls for password resets.
- Less work: With SSO, less manual intervention is required, since only a single account and password per user need to be maintained. All authentication and password management is handled by a centralized trusted authenticator.
- More business: SSO makes signup easy and reduces the effort users have to put in, so more users sign up for your applications. In other words, user trust increases, and with it your conversion rate.
- Prevents phishing attacks: An SSO-based architecture prevents phishing attacks since it has a single point of authentication. In most cases, users fall victim to phishing through fake password reset requests.
- Better compliance and reporting: SSO's architecture gives better security compliance. It enables detailed reporting on users, who can be monitored for malicious activity. Since there is a single point of entry, monitoring the system is less tedious.
Cons of SSO:
While SSO has several benefits, it also has a few downsides that should be considered. A few of these are:
- Single point of failure: SSO has a single trusted authenticator, and if it fails at any point, every application that depends on it stops functioning. This is the biggest risk of SSO.
- Security: A security breach of any sort can make all the applications vulnerable. To mitigate this, many applications recommend two-factor authentication (2FA).
A strong SSO implementation can improve user experience, strengthen security and streamline access to different applications. For a more robust authentication mechanism, one can implement two-factor authentication where one of the factors is the SSO login.
Finally, the credential data stored by the authenticator should be maintained in a secure and remote environment.