What Exactly is SSO and Why Does Your Business Need It?
In today’s world of complex daily workflows and Information Technology (IT) infrastructure operations, where personnel must access many different computing systems and resources every day, managing hundreds of passwords and password systems became inefficient, and enterprises needed a way to streamline operations and make employees more productive. Single Sign On (SSO) is an authentication mechanism (a form of access control) that lets end-users reach multiple interconnected IT systems with a single set of credentials. It has clear advantages over requiring separate usernames and passwords for each sensitive system: once a user has logged in with the pertinent username and password, SSO lets the user maintain a session with, and access to, every connected component without logging into each one separately (which traditionally means a different credential for each).
Essentially, SSO presents a “log in once, access all pertinent systems” authentication mechanism, which increases end-user efficiency and productivity and decreases the overhead of complex password management. When implemented correctly, SSO can also be more secure than a collection of separate logins: end-users need to remember only one set of credentials, so they can choose and remember a stronger password without writing it down or reusing it across services, which reduces the chance that credentials are leaked through poor password handling. The flip side is that the one SSO credential now protects everything, so the central login point should itself be protected with multi-factor authentication.
Combined with an authorization protocol such as OAuth, SSO gives enterprises a uniform, intra-enterprise authentication and authorization layer for securely accessing all necessary systems without re-authenticating each time a different system is used. Before moving forward, let’s delineate the difference between Authentication (AuthN) and Authorization (AuthZ) in order to understand what SSO (an AuthN mechanism) does, and what it doesn’t do:
- Authentication: AuthN is the mechanism by which an end-user proves his/her identity by presenting the pertinent credentials to access sensitive systems. Typically this means a username stored in the clear and a password stored only as a salted, deliberately slow hash in the backend database. Examples of authentication protocols include SAML and OpenID Connect (API keys are a type of credential rather than a protocol), while best practices around authentication include multi-factor authentication and SSO.
- Authorization: AuthZ is the mechanism that decides what an authenticated user (or an application acting on his/her behalf) is permitted to do or access. In the delegated form most people meet on the web, an authenticated user grants an application permission to use his/her data held by another system. It is very important to note that only a user who has already been authenticated can authorize anything. The best-known example of a delegated authorization mechanism is OAuth (OAuth tokens).
When it comes to authentication, it is also important to understand how standard password authentication works for web applications and non-web systems. Initially a user chooses a plain-text password, which is linked to a username and saved in a backend database only after being run through a password hashing function. Because of pre-image resistance the stored hash cannot be reversed to the original plain text, but an attacker who steals the database can still guess candidate passwords and hash each one. This is why passwords must not be stored as a bare fast hash such as SHA-256: they need a unique per-user salt (which defeats precomputed rainbow tables and stops identical passwords from producing identical hashes) and a slow, preferably memory-hard function such as Argon2, scrypt, bcrypt or PBKDF2 (which makes each guess expensive). When the user later authenticates, he/she submits the plain-text password (over TLS), the server hashes it with the stored salt and parameters and compares the result to the stored hash in constant time. If the username and hash match, the user is authenticated and can access the system. Once authenticated, a user can authorize the system to use his/her private data accordingly.
While AuthN and AuthZ are both parts of access control, SSO focuses on streamlining authentication workflows while decreasing the overhead needed to manage enterprise passwords.
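The storage scheme described above, as an added example that is not part of the original article. It contrasts a bare SHA-256 hash with a salted scrypt record and verifies a login in constant time. The scrypt cost parameters, the record format and the sample password are assumptions for illustration, not values from any particular product.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for illustration; tune them so one
# hash takes on the order of 100 ms on your login servers).
SCRYPT_N = 2 ** 14   # CPU/memory cost
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_sha256(password: str) -> str:
    """The weak scheme: a bare fast hash. Identical passwords give identical
    hashes, so one precomputed table (or one guess) breaks every matching user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Store a salted, slow hash as a self-describing record
    scrypt$N$r$p$salt_hex$hash_hex, so the parameters can be raised later."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters and compare in constant
    time, so response timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        n, r, p = int(n), int(r), int(p)
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(hash_hex)
    except ValueError:
        return False          # malformed record: treat as non-match, never raise
    if algo != "scrypt" or len(stored) != KEY_BYTES:
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=KEY_BYTES)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    # Constructed example: two users who happen to pick the same password.
    pw = "correct horse battery staple"
    rec_alice = hash_password(pw)
    rec_bob = hash_password(pw)
    print("sha256 records equal:", unsalted_sha256(pw) == unsalted_sha256(pw))
    print("scrypt records equal:", rec_alice == rec_bob)
    print("login ok:", verify_password(pw, rec_alice))
    print("login bad:", verify_password("Correct horse battery staple", rec_alice))
```

The record carries its own parameters so that existing hashes keep verifying after the cost is raised for new ones; a real deployment would also re-hash on successful login when a record's parameters are below the current policy.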
Not the Same as a Password Storage App
It is important to note that an SSO mechanism is not the same as a password management/storage app. SSO is an architectural pattern, implemented with any of several web security protocols, in which one login grants access to multiple linked systems. Password managers, by contrast, generate strong passwords, store a user’s passwords, and only require the user to remember the master password to the manager itself. This helps in the modern workplace where users subscribe to, and utilize, a number of different services which require complex passwords. To counter “password fatigue” - which often results in weak passwords or the recycling of old ones - password storage apps streamline password management. However, while a password storage app stores and fills a separate password for each service, SSO removes the separate passwords altogether: the user authenticates once to a central service and the connected systems trust that authentication.
Not the Same System That Allows Movement Through an Intranet
As an authentication mechanism, SSO is simply the means by which end-users gain access to a number of systems using one set of login credentials. It is not the mechanism by which personnel “move” through an enterprise’s intranet to reach and use different components of the IT infrastructure. That is, SSO grants a user access to a variety of IT systems; once that access is granted (via authentication), SSO is not the platform, network or software through which the user moves between applications and system resources, and it does not by itself decide what the user may do once inside them.
SSO Allows Your Staff to Safely Use a Single Password and Username
According to Verizon’s 2016 Data Breach Investigations Report, roughly 63 percent of confirmed data breaches involved weak, default or stolen passwords. Additionally, according to NetworkWorld, 80 percent of data breaches could be mitigated with the use of multi-factor authentication. In line with other studies, as noted by Gartner, Verizon’s 2015 report indicated that 95 percent of web application attacks involved stolen credentials. Thus, the creation, storage, management and utilization of user credentials is of utmost importance, and for an enterprise to adequately protect its data several best practices should be followed. SSO only deals with how credentials are used to access a system, but because the central SSO service checks the credentials once and then vouches for the user to each protocol-specific service, enterprises using SSO can safely use a single username and password for a whole set of systems, provided that central login point is itself hardened (multi-factor authentication, lockout and rate limiting, monitoring), since it becomes the single most valuable target.
The Actual Passwords and Usernames for Applications Are Not All the Same
When set up and implemented correctly, an SSO system uses a central SSO server (the identity provider) that requires a single username and password combination. The SSO server is then linked to a number of applications and systems, and there are two ways that link can work. In the older enterprise SSO (password vaulting) model, each application keeps its own usernames and passwords; the SSO server stores them encrypted and replays the right credential for each application, so the user sees one login but every application still holds a password that can be phished, cached or cracked. In the federated model used by SAML and OpenID Connect, the applications hold no user passwords at all: the user authenticates once to the SSO server, which hands the application a signed assertion or token stating who the user is, and the application verifies the signature and starts its own session. Because the password is only ever entered at the central login page, and the applications never store password hashes, the federated model removes the per-application targets for phishing, cached-password theft, brute forcing and rainbow-table attacks, and concentrates the defences (multi-factor authentication, lockout, logging) in one place.
The SSO System Will Allow Them to Remain Authenticated During Their Entire Session
When a user logs into a set of systems via a centralized SSO authentication server, he/she stays logged into the pertinent systems for the duration of the session by means of session cookies that the servers set in the browser at login (the browser stores them; it does not create them). SSO’s streamlined collaboration and secure movement between applications, without taking time to authenticate to each system or creating and remembering different complex credentials, would not be efficient without the ability to maintain a logged-in state across applications for the entire session. As noted by Auth0, when several domains need to share session information for one user’s session, the browser’s same-origin policy and cookie scoping rules prevent one domain from reading cookies set by another (which is what stops trivial session hijacking). Auth0 notes that “different SSO protocols share session information in different ways, but the essential concept is the same: there is a central domain, through which authentication is performed, and then the session is shared with other domains in some way.”
What Does Remaining Authenticated Mean?
Due to the nature of SSO protocols, a logged-in user remains authenticated to all systems that accept the SSO login for the duration of the active session. This means the user does not need to re-enter his/her credentials every time he/she accesses a different part of the system or another application. Essentially, a single sign-in lets the end-user access and use every part of the system that has been integrated with the SSO login. The convenience of staying authenticated across a set of systems with one login, without logging in again or providing additional credentials (PINs, extra passwords, etc.), lets businesses streamline access to crucial data and applications while giving personnel better project collaboration, account management and identity management, all with one credential set. A well-run deployment can still require step-up authentication, such as a fresh multi-factor prompt, for particularly sensitive actions without breaking the single-sign-on experience for everything else.
What Exactly is a Session?
Over an IP network, when a user interacts with a server, he/she establishes a communication session with the server: a temporary exchange of data between two communicating devices. In web applications the server keeps the session state (who the user is, when he/she authenticated, when the session was last used) on its side and gives the browser only an opaque, unguessable session identifier in a cookie, which the browser sends back with each request so the server can track that user’s interaction. Good session management uses an idle timeout and an absolute lifetime so that an abandoned session logs the user out automatically, and marks the cookie Secure and HttpOnly so it is never sent over plain HTTP or readable by scripts.
How Does an SSO System Work?
Though SSO may be implemented in a number of ways (SAML, OpenID Connect with JSON Web Tokens, Kerberos, an OAuth-based flow, etc.), it typically works via a central authenticating domain to which the user provides his/her initial credentials. Connected applications may each use a different mechanism to accept that authentication, so the result of the initial login must be conveyed to each of them in a form it understands. Typically the central domain produces an authentication token (a SAML assertion or an OIDC ID token) after the initial login; the token is signed by the central domain, scoped to one specific application (its audience) and given a short lifetime, and it is passed through the browser to that application. When the user later tries to access another application, that application redirects the browser to the authentication domain, which sees the existing login session, issues a fresh token for the new application and redirects back, so the user gets in without re-entering credentials. Before trusting a token the application must verify its signature, issuer, audience and expiry; an application that skips the audience check will accept tokens minted for a different application.
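The token exchange described above, as an added example that is not part of the original article: a minimal identity provider that mints a signed, audience-scoped, short-lived token after the user has logged in, and two relying applications that verify it. Issuer name, application names, keys and timestamps are constructed for the example. It uses a per-application HMAC key from the standard library; real SAML and OpenID Connect deployments sign with an asymmetric key so applications only hold the public half.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The central authenticating domain. Assumed: the user has already proved
    his/her identity to it (password plus MFA); issue() is the step after that."""

    def __init__(self, issuer: str, audience_keys: dict, lifetime: int = 300):
        self.issuer = issuer
        self.keys = audience_keys     # one signing key per relying application
        self.lifetime = lifetime      # seconds; keep short, the SSO session lives longer

    def issue(self, subject: str, audience: str, now: Optional[float] = None) -> str:
        iat = int(time.time() if now is None else now)
        claims = {
            "iss": self.issuer, "sub": subject, "aud": audience,
            "iat": iat, "exp": iat + self.lifetime,
            "jti": secrets.token_hex(8),   # unique id so an application can reject replays
        }
        body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
        sig = hmac.new(self.keys[audience], body.encode("ascii"), hashlib.sha256).digest()
        return body + "." + _b64url(sig)


class ServiceProvider:
    """A connected application. It holds no user passwords, only the key needed
    to verify tokens minted for it."""

    def __init__(self, name: str, issuer: str, key: bytes, skew: int = 30):
        self.name, self.issuer, self.key, self.skew = name, issuer, key, skew

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated subject, or None if the token is not acceptable.
        Every check is needed; skipping any one of them is a classic SSO bug."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.key, body.encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64url(sig)):
                return None                       # forged, tampered, or signed for another app
            claims = json.loads(_unb64url(body))
            if claims["iss"] != self.issuer or claims["aud"] != self.name:
                return None                       # not from our IdP / not meant for us
            if not (claims["iat"] - self.skew <= now < claims["exp"] + self.skew):
                return None                       # expired or not yet valid
            return claims["sub"]
        except (ValueError, KeyError, TypeError):
            return None


if __name__ == "__main__":
    # Constructed keys; in production they are provisioned out of band.
    keys = {"wiki": secrets.token_bytes(32), "mail": secrets.token_bytes(32)}
    idp = IdentityProvider("https://sso.example.internal", keys)
    wiki = ServiceProvider("wiki", "https://sso.example.internal", keys["wiki"])
    mail = ServiceProvider("mail", "https://sso.example.internal", keys["mail"])

    token = idp.issue("alice", "wiki", now=1_000_000)
    print(wiki.verify(token, now=1_000_010))   # alice
    print(mail.verify(token, now=1_000_010))   # None: wrong audience (and wrong key)
    print(wiki.verify(token, now=1_000_400))   # None: expired
```

The token proves only that the central domain authenticated the subject recently; the application still creates its own session cookie afterwards, which is why short token lifetimes do not force the user to log in again.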
One System To Control all Access and Permissions
One of the most critical aspects of a correctly implemented SSO system is a centralized SSO server for all authentication. Such a server checks the initial credentials and handles every subsequent authentication request, passing the necessary signed token(s) to the applications the user tries to access. Authorization is a separate step: the SSO server can carry group or role claims in the token, and together with OAuth it can let the user grant applications scoped access to his/her data, but each application still has to enforce what the authenticated user may do within it.
When it comes to management, the centralized system can also be used to effectively manage all system/application access and permissions for specific users, greatly streamlining all personnel and management workflows.
One System to Record Credentials for All Users (LDAP Database on a Directory Server)
SSO systems are often backed by a directory server accessed over LDAP, which holds the user accounts and their credentials. LDAP (Lightweight Directory Access Protocol) is a client/server, application-layer protocol running over TCP (port 389, or 636 for LDAP over TLS) for querying and maintaining directory services such as Active Directory or OpenLDAP. LDAP authentication is performed by the directory server itself: the SSO server looks up the user’s entry and then asks the directory to verify the supplied password with a bind operation, completing the SSO login in conjunction with the central SSO/authentication server. To that end, a single directory can be deployed to store and manage all user accounts for SSO authentication; it should be reachable only over TLS, because a simple bind sends the password in the clear, and any username the SSO server places into a search filter must be escaped so that it cannot alter the filter’s structure.
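The search-then-bind flow and the filter escaping mentioned above, as an added example that is not part of the original article. The escaping follows RFC 4515; the base DN, object class, and the search and bind callables are assumptions standing in for a real LDAP client library, and the sample accounts are constructed.

```python
from typing import Callable, List, Optional

# RFC 4515: every character that could change the filter's structure is
# replaced by a backslash and two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(username: str) -> str:
    """Filter the SSO server sends to the directory to find the user's DN."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_ldap_filter_value(username)


def naive_user_search_filter(username: str) -> str:
    """The injectable version: the username is pasted in verbatim, so an input
    such as '*)(uid=*' becomes a filter that matches every person."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % username


def ldap_authenticate(username: str, password: str,
                      search: Callable[[str, str], List[str]],
                      bind: Callable[[str, str], bool],
                      base_dn: str = "ou=people,dc=example,dc=com") -> Optional[str]:
    """Search-then-bind. `search(base_dn, filter)` returns matching DNs and
    `bind(dn, password)` returns True on success; both are assumed interfaces
    for an LDAP client. Returns the user's DN on success, else None."""
    if not password:
        return None          # an empty password is an unauthenticated bind on many servers
    dns = search(base_dn, user_search_filter(username))
    if len(dns) != 1:
        return None          # unknown user, or ambiguous match: refuse
    return dns[0] if bind(dns[0], password) else None


if __name__ == "__main__":
    # Constructed in-memory directory: uid -> (dn, password).
    directory = {"alice": ("uid=alice,ou=people,dc=example,dc=com", "s3cret")}

    def fake_search(base: str, flt: str) -> List[str]:
        return [dn for uid, (dn, _) in directory.items() if flt == user_search_filter(uid)]

    def fake_bind(dn: str, pw: str) -> bool:
        return any(d == dn and p == pw for d, p in directory.values())

    print(user_search_filter("*)(uid=*"))          # escaped, matches nobody
    print(naive_user_search_filter("*)(uid=*"))    # matches everyone
    print(ldap_authenticate("alice", "s3cret", fake_search, fake_bind))
    print(ldap_authenticate("alice", "", fake_search, fake_bind))   # None
```

The SSO server never sees or compares the stored password: the directory does the comparison during the bind. A real client library usually provides the escaping function; the point of writing it out is that it must be applied to every user-controlled value, not only to the username.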
One System to Authenticate a User and Retrieve Credentials When Needed
As noted above, an SSO system lets a centralized authentication server produce an authentication token that allows a user to access multiple systems without re-authenticating. When backed by an LDAP directory, the SSO server does not retrieve the user’s password and compare it itself; it looks up the user’s entry in the directory and asks the directory to verify the submitted password by binding as that user. If the bind succeeds, the user is authenticated and the SSO server issues tokens for the connected applications. In a federated deployment those applications never need per-application credentials for the user at all; in a legacy password-vaulting deployment the SSO server instead retrieves the per-application credentials it stores for the user and replays them.
SSO Will Allow Your Employees to Work More Efficiently
SSO systems can greatly increase collaborative efforts associated with having to access different key enterprise applications and services on a daily basis, while helping to define specific roles and identities within an enterprise. As noted by Patecco, SSO “provides a simple, clear interface for identity management and permissions across all integrated systems. It also allows you to set up roles to cover access rights across multiple systems and multiple user groups.” Additionally, password creation and management - and the mitigation of most issues associated with lost passwords and requisite password resets - are more feasible and allow for decreased overhead requirements. Automatic logins to different applications also help to optimize user experiences and thus can increase an enterprise’s productivity. The secure, streamlined ability to switch to all necessary applications for daily workflows and projects - while only authenticating once and increasing the security associated with password utilization - allows for much greater business efficiency.
Less Time Trying to Remember or ‘Crack’ Passwords
A common issue with standard password/authentication systems is the requirement that personnel remember many different passwords for different applications and systems. To remember them, personnel often write passwords down or store them in an insecure location, which can result in stolen passwords. When passwords are completely lost or forgotten, help-desk or security staff spend valuable time and resources on resets (attempting to “crack” a forgotten password instead of resetting it is not a legitimate recovery path and should never be necessary). SSO mitigates these issues by using a single username/password for all business applications, so the one password that matters is easily remembered.
Less Time Resetting Passwords
As noted above, resetting personnel passwords is a common occurrence. A significant amount of time can potentially be saved by utilizing SSO systems, as using a single username/password set can greatly mitigate - if not eliminate - the occurrences of forgotten passwords which require technicians’ attention, time and resources.
Smooth and Seamless Access to Everything They Need
SSO allows personnel to easily switch between platforms/applications with a single login in order to quickly collaborate on projects, communicate effectively with colleagues, and work in a streamlined environment, all of which can greatly increase productivity and workplace efficiency.
SSO Allows You To Keep a Much Tighter Rein on Security
Because only one credential set is in play, both personnel and management benefit from a correctly implemented SSO system with regard to data security. SSO has several benefits, including the mitigation of some forms of phishing (users learn that there is exactly one legitimate login page) and the ability for management to implement a coherent identity management protocol. The corollary is that the central login must be the best-protected system in the enterprise: enforce multi-factor authentication there, monitor it, and keep its session and token lifetimes short.
No Longer Have Passwords Shared Between Multiple People
Password fatigue makes it easy for the same passwords to be used by different personnel in an organization. Additionally, under a standard password system, different personnel who need the same system often share a password or have to communicate it somehow, which can easily lead to a data breach through insecure password handling. With SSO, each person has his/her own credential and access is granted per user, so there is generally no need for a password to be communicated or verbally “shared” among personnel, and every action can be attributed to an individual.
The Ability To Track Usage
As noted above, effectively managing who has access to what (account management) not only helps to establish roles, but also lets management see which personnel can reach which systems and enforce a proper access control policy. The central SSO server also produces one authoritative log of every login, so successful and failed authentications for all integrated applications can be reviewed and alerted on in one place. When managing the integrated systems, management can control the permissions of specific personnel through a single, centralized system, which makes such workflows far more feasible.
The Ability to Lock a User Out of Everywhere With a Single Action
Malicious insider threats and external threats create situations where a user, or set of users, must be locked out of the enterprise’s business systems with a single action. With an SSO system, management can disable the account at the central server, or alter the user’s access/permissions for all interconnected applications there, and the user can no longer log in anywhere. One caveat: SSO sessions and tokens issued before the lockout remain valid until they expire, so disabling the account should also revoke the user’s active SSO sessions, and token lifetimes should be kept short (or applications should support back-channel logout) so the lockout takes effect in minutes rather than hours. In contrast, a standard, non-SSO authentication setup would require management to lock the user out of each system separately, by manually altering permissions or changing each system’s credentials.
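The session handling described in the session section above, together with the single-action lockout described here, as one added example that is not part of the original article: a server-side SSO session store with an idle timeout, an absolute lifetime, and revoke-everything/disable operations. The timeout values and user names are assumptions chosen for illustration.

```python
import secrets
import time
from typing import Optional


class SsoSessionStore:
    """Server-side session state for the central SSO login. The browser only
    ever holds the opaque session id returned by create(), in a cookie."""

    def __init__(self, idle_timeout: int = 15 * 60, absolute_timeout: int = 8 * 3600):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions = {}        # sid -> {"user", "created", "last_seen"}
        self._disabled = set()     # users locked out with a single action

    def create(self, user: str, now: Optional[float] = None) -> Optional[str]:
        """Start a session after successful authentication; refused for disabled users."""
        if user in self._disabled:
            return None
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)    # 256 bits from the CSPRNG: unguessable
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live session and refresh its idle timer, or
        None (forgetting the session) if it has timed out or been revoked."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s["last_seen"] > self.idle_timeout
        life_expired = now - s["created"] > self.absolute_timeout
        if idle_expired or life_expired:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def revoke_all(self, user: str) -> int:
        """The single action: kill every SSO session this user has, on every device."""
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def disable_user(self, user: str) -> int:
        """Lock the account and drop its sessions; returns how many were dropped."""
        self._disabled.add(user)
        return self.revoke_all(user)


if __name__ == "__main__":
    store = SsoSessionStore(idle_timeout=900, absolute_timeout=8 * 3600)
    sid = store.create("alice", now=0)
    print(store.lookup(sid, now=600))     # alice: 600 s idle is within 900 s
    print(store.lookup(sid, now=2400))    # None: 1800 s since last activity
    a, b = store.create("alice", now=3000), store.create("alice", now=3000)
    print(store.disable_user("alice"))    # 2 sessions revoked
    print(store.lookup(a, now=3001), store.create("alice", now=3002))   # None None
```

Revoking here ends the SSO session at the identity provider; sessions the individual applications created from earlier tokens are unaffected, which is why short token lifetimes and application-side logout hooks matter for a prompt lockout.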
SSO Can Bring Greater Efficiency and Security to Your Organization
SSO is an important step forward in business IT authentication. SSO not only allows for increased security, but also improves business collaboration, user experience and overall productivity, while cutting down on password management workflows and overhead. SSO streamlines internal, business-wide operations and helps personnel understand their roles in the organization via access control policies, while allowing management to track who has access to which IT systems and resources. Ultimately, one of the most significant aspects of SSO is the more feasible creation, management and use of passwords, which, together with a hardened central login point, helps to ensure data security and to mitigate the security threats that result in costly data breaches.