Single Sign On (SSO) is the ability for a user to enter the same id and password to log on to multiple applications within an enterprise. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. This is typically accomplished using the Lightweight Directory Access Protocol (LDAP) and LDAP directories stored on servers.
The term is actually a little ambiguous. Sometimes it’s used to mean (1) that the user only has to provide credentials a single time per session, and then gains access to multiple services without having to sign in again during that session. But sometimes it’s used to mean (2) merely that the same credentials are used for multiple services; the user might have to log in multiple times, but it’s always with the same credentials. So beware: not all SSOs are the same in that regard. Most people consider only the first case to be “true” SSO.
The main reason to justify its adoption is probably not the one most of us would guess. While the easy guess would be improving user acceptance and experience (nobody likes to remember multiple account names and passwords, even less when many of them expire every 3 months, as most best practices require), the reality is that today companies choose SSO solutions with the primary purpose of saving costs and improving security.
This latter part may be counter-intuitive. In fact, if an account is stolen by a malicious user, that user will be able to access a multiplicity of applications, with an increased damage potential compared to a situation in which the stolen credential would grant access to just one application or storage area. However, nowadays one of the most frequent reasons credentials are stolen by hackers is that the password chosen by the user is too weak (either too short or easy to guess), which happens to be a consequence of users’ aversion to remembering many usernames and passwords. At the end of the day, there are only so many noteworthy dates, old pets’ names and memorable combinations of numbers and letters we can all keep track of. And constantly having your staff reset passwords, either by policy or because they frequently forget, costs your business time and money. With SSO it is somewhat simpler to ask users to choose a strong password, with the reassurance that it is the only one they have to remember (at least until it expires). Help desk calls requesting password resets are reduced and overall everybody is expected to be happier: users are less frustrated and companies save money.
Since passwords are the least secure authentication mechanism, single sign-on has now taken the form of Reduced Sign On (RSO), in which more than one type of authentication mechanism is used according to the enterprise’s risk model. For example, in an enterprise using SSO software, the user logs on with his unique id and password. This grants him immediate access to low-risk information and applications such as the enterprise portal. However, when the user tries to access higher-risk applications and information, like a payroll system, the single sign-on software requires him to use a stronger form of authentication. This may include digital certificates, security tokens, smart cards, biometrics or combinations thereof. In other words, Reduced Sign On (RSO) provides a way to reduce the number of authentication processes for users (generally to a maximum of two authentication factors).
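The risk-tiered decision described above, as an added example that is not part of the original article: a small policy layer that lets a password-only session open the low-risk portal but demands a step-up to a second factor before the payroll application. The factor list, the category each factor belongs to, the application names and the per-application thresholds are assumptions made for illustration.

```python
"""Risk-tiered access decision for a reduced sign-on (RSO) front end.

Added example, not code from the article: the factor list, the tier
thresholds and the application names are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Each factor is mapped to the category it belongs to; two factors of the
# same category (e.g. two possession factors) do not count as two factors.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_token": "possession",
    "smart_card": "possession",
    "certificate": "possession",
    "biometric": "inherence",
}

# Application risk tiers: how many distinct factor categories a session
# must have proven before the application may be opened (hypothetical values).
APP_MIN_CATEGORIES = {
    "portal": 1,   # low risk: the enterprise portal
    "payroll": 2,  # higher risk: step-up to a second factor required
}


@dataclass
class Session:
    """What the SSO/RSO layer knows about an authenticated browser session."""
    user: str
    factors: set = field(default_factory=set)

    def categories(self) -> set:
        """Distinct factor categories the user has proven so far."""
        return {FACTOR_CATEGORY[f] for f in self.factors if f in FACTOR_CATEGORY}


def decide(session: Session, app: str) -> str:
    """Return "allow", "step_up" (ask for a stronger factor) or "deny".

    Unknown applications are denied rather than allowed, so a typo in the
    policy table fails closed.
    """
    required = APP_MIN_CATEGORIES.get(app)
    if required is None:
        return "deny"
    if len(session.categories()) >= required:
        return "allow"
    return "step_up"


def missing_categories(session: Session, app: str) -> int:
    """How many additional factor categories the user must still present."""
    required = APP_MIN_CATEGORIES.get(app, 0)
    return max(0, required - len(session.categories()))


def step_up(session: Session, factor: str) -> Session:
    """Record an additional factor once the user has completed it."""
    if factor not in FACTOR_CATEGORY:
        raise ValueError(f"unknown factor: {factor}")
    session.factors.add(factor)
    return session


if __name__ == "__main__":
    s = Session("alice", {"password"})
    print("portal:", decide(s, "portal"))                   # allow
    print("payroll:", decide(s, "payroll"))                 # step_up
    step_up(s, "smart_card")
    print("payroll after step-up:", decide(s, "payroll"))   # allow
```

The category table is the detail worth keeping: a security token plus a smart card are both possession factors, so that session still gets a step-up for payroll, while password plus smart card satisfies the two-category requirement.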
SSO and RSO can also take place between enterprises using federated authentication. A federated identity management system provides single access to multiple systems across different enterprises. This is an example of how it works:
- An employee of a business partner of your enterprise may successfully log on to their enterprise system.
- When he clicks on a link to your enterprise’s application, the business partner’s single sign on system will provide a security assertion token to your enterprise.
- Your enterprise’s SSO software receives the token, checks it, and then allows the business partner’s employee to access your enterprise application without having to sign on.
And it may also work both ways, depending on the agreements among business partners: the employees of your enterprise may be allowed to access the enterprise system of that business partner without the need to authenticate again.
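The federated exchange described above, as an added example that is not from the article or from any vendor: the partner organization acts as identity provider and issues a signed assertion for one of its active employees, and your organization checks the issuer, signature, audience and validity window before granting access. It uses an HMAC-signed JSON token as a stand-in for a SAML assertion or JWT and a shared key per partner in place of the certificates real federations exchange; the organization names, keys and user records are constructed for the example. It also shows the two-way case, with each organization trusting the other.

```python
"""Federated sign-on between two organizations with signed assertions.

Added example, not from the article or any vendor. An HMAC-signed JSON
token stands in for a SAML assertion/JWT and a shared symmetric key per
partner stands in for exchanged certificates. All names, keys and user
records are constructed.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Organization:
    """One enterprise: identity provider for its own staff and service
    provider (relying party) for the partners it trusts."""

    def __init__(self, name, signing_key, directory):
        self.name = name
        self.signing_key = signing_key
        self.directory = directory          # username -> {"active": bool, ...}
        self.trusted_partners = {}          # issuer name -> verification key

    def trust(self, partner):
        # Assumption: a key exchanged out of band when the partnership is set up.
        self.trusted_partners[partner.name] = partner.signing_key

    # ---- identity-provider side: the partner's SSO system issues the token
    def issue_assertion(self, username, audience, now=None, ttl=300):
        user = self.directory.get(username)
        if user is None or not user.get("active", False):
            # A deactivated user gets no token, so every federated
            # application is cut off at once (central deprovisioning).
            raise PermissionError(f"{username} is not an active user of {self.name}")
        now = int(now if now is not None else time.time())
        claims = {
            "iss": self.name, "sub": username, "aud": audience,
            "iat": now, "exp": now + ttl,
            "attrs": {"role": user.get("role", "member")},
        }
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.signing_key, payload.encode(), hashlib.sha256).digest())
        return f"{payload}.{sig}"

    # ---- service-provider side: our SSO software checks the token
    def accept_assertion(self, token, now=None):
        """Return the claims if the token is trustworthy, otherwise None."""
        now = int(now if now is not None else time.time())
        try:
            payload, sig = token.split(".")
            claims = json.loads(_unb64(payload))
        except ValueError:                   # malformed base64/JSON/shape
            return None
        if not isinstance(claims, dict):
            return None
        # Only "iss" is read before the signature check, and only to pick
        # the key; every other claim is used only after it verifies.
        key = self.trusted_partners.get(claims.get("iss"))
        if key is None:
            return None                      # issuer we have no agreement with
        expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None                      # forged or tampered token
        if claims.get("aud") != self.name:
            return None                      # token meant for another party
        if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
            return None                      # not yet valid or expired
        return claims


if __name__ == "__main__":
    partner = Organization("partner.example", b"partner-signing-key",
                           {"alice": {"active": True, "role": "buyer"},
                            "bob": {"active": False}})
    ourco = Organization("ourco.example", b"ourco-signing-key",
                         {"carol": {"active": True}})
    ourco.trust(partner)
    partner.trust(ourco)                      # two-way federation
    token = partner.issue_assertion("alice", "ourco.example")
    print(ourco.accept_assertion(token))      # alice's claims, no second login
```

Note that no password ever leaves the partner organization: your side only ever sees the signed assertion, which is the distinction the article draws between federation and products that store and forward credentials.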
With enterprises relying more and more on Cloud Service Providers for a large set of their business functions, the need for SSO or RSO is only expected to increase.
For those of you wanting to go more in depth on this topic, I recommend reading the white paper “5 Reasons It’s Time for Secure SSO” (available as a PDF) produced by Ping Identity Inc, a company which offers, as you’d expect, federated identity management and single sign-on (SSO) services on a subscription basis.
The paper highlights an important difference between Federation and Cloud-based SSO.
Federation has one major advantage over most cloud-based SSO products: the user’s identity and password are stored in a single place controlled by the user’s organization. Federation is based on the notion that users can authenticate once with their organization and that authentication is good for all other applications that the users are authorized to access. Rather than storing and forwarding many usernames and passwords like most cloud-based SSO products, Federation uses standard encrypted tokens to share the users’ authentication status and identity attributes to facilitate access to applications.
The paper also provides enterprises with five reasons to consider moving to secure single sign-on (SSO), and to urge application vendors to move to a secure, standards-based approach too.
1. Enhance customer engagement:
This is the reason that probably requires the least explanation. The survey behind the whitepaper reveals, for example, that:
- 27% of organizations require that their employees remember six or more passwords
- The average corporate user maintains 15 passwords within both the private and corporate spheres
- 60% of people say they cannot memorize all of their passwords
- 61% of consumers reuse passwords among multiple websites
2. Answer BYOD (Bring Your Own Device) and mobile access demands:
As smartphones and tablets become the de facto devices used to access the Internet, users will expect secure and seamless mobile access to business-critical applications and resources anytime, anywhere.
If a company’s existing identity and access management solution cannot accommodate mobile devices, or if its customers and employees can’t access apps from any location or device, a key revenue and productivity opportunity is being missed.
- Federated SSO keeps corporate data secure. Removing authentication and access from mobile applications allows IT to centralize access control as well as streamline audit and reporting to ease governance and compliance requirements.
- All users get access with one identity, regardless of device. If your identity and access management system takes a standards-based approach, users can leverage one identity to access your apps and services. Your workforce, customers or partners can use their personal devices and tablets to gain access to business apps.
3. Lower costs
How does Federated SSO translate into savings? It will:
- Reduce the annual volume of inbound password reset requests from the workforce and decrease staffing and resource requirements for the helpdesk. According to Ping Identity, non-automated password resets cost on average $30 per employee per reset.
- Decrease administrative costs through automated Internet user account management.
4. Improve security
When the number of applications running outside of an organization’s firewall increases, so does the risk of password theft. The more unique usernames and passwords a user must memorize, the higher the chance they will choose easy-to-guess passwords (“password fatigue”). Also, the chance is greater that they will store those passwords in places they can easily be stolen.
Username and password management is an employee burden that also impacts IT. If your IT department manages user access manually (and that happens more frequently than you may think…), there’s a chance that there are “zombie accounts” in your enterprise. Zombie accounts are active user accounts that belong to users who have been otherwise deactivated. At best, this presents a problem for IT security and compliance, but also a cost since many cloud-based applications’ pricing models are per user per month.
Federated SSO solves this challenge by centralizing user access management. When a user is deactivated in the enterprise, access to all apps is deactivated at once.
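Until every application is behind the federation, the zombie accounts just described have to be found by reconciliation. The following is an added example, not code from the article or the paper: it compares each application’s user export against the enterprise directory and flags accounts whose owner is terminated or unknown, then puts the per-user-per-month price tag on them. The CSV exports, user names, dates and seat prices are constructed for illustration.

```python
"""Zombie-account reconciliation: flag application accounts whose owner is
no longer active in the enterprise directory.

Added example, not from the article or the paper; the CSV exports, user
names, dates and per-seat prices below are constructed for illustration.
"""
import csv
import io

# Constructed HR/directory export: the source of truth for who is employed.
HR_DIRECTORY_CSV = """username,status
alice,active
bob,terminated
carol,active
"""

# Constructed per-application user exports (e.g. from each SaaS admin console).
APP_EXPORTS = {
    "crm": """username,last_login
alice,2024-05-01
bob,2024-01-15
dave,2023-11-02
""",
    "wiki": """username,last_login
bob,2024-02-01
carol,2024-05-03
""",
}

# Constructed per-user-per-month prices, the pricing model the text mentions.
SEAT_PRICE_PER_MONTH = {"crm": 50.0, "wiki": 8.0}


def load_directory(text):
    """Parse the directory export into {username: status}."""
    return {row["username"]: row["status"] for row in csv.DictReader(io.StringIO(text))}


def find_zombies(directory, exports):
    """Return {app: [(username, reason), ...]} for accounts that should not exist.

    reason is "terminated" (a known, deactivated user) or "unknown" (no
    directory record at all, e.g. an account created directly in the app).
    """
    zombies = {}
    for app, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            status = directory.get(row["username"], "unknown")
            if status != "active":
                zombies.setdefault(app, []).append((row["username"], status))
    return zombies


def monthly_waste(zombies, prices):
    """Seat cost paid each month for accounts nobody is entitled to use."""
    return sum(prices[app] * len(accounts) for app, accounts in zombies.items())


if __name__ == "__main__":
    found = find_zombies(load_directory(HR_DIRECTORY_CSV), APP_EXPORTS)
    for app, accounts in found.items():
        print(app, accounts)
    print("monthly waste:", monthly_waste(found, SEAT_PRICE_PER_MONTH))
```

The "unknown" case is the one that slips past a naive "is this user terminated?" check: an account that never had a directory record is just as much a zombie, and centralizing access behind federation is what removes the need for this report.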
And let’s not forget the point made by the paper’s infographic, which ties cost and security together, as is only to be expected:
With Federated SSO, users can reduce the amount of time spent on redundant login attempts across applications, increasing available capacity for conducting more critical business activities.
- For your workforce, SSO means that they have only one set of credentials to manage. With mobile and Internet SSO, employees can do more work when away from their desks.
- For IT departments, centralizing access control means one place to manage and monitor app access. In addition, fewer calls to the help desk for password issues also boosts productivity for IT and general staff.
- For your partners, SSO means that they can securely and conveniently do business with your organization.
For those of you who have not had enough of this topic yet, I also recommend reading this document listing no fewer than 101 Things to Know About Single Sign On.
Also, for those wanting to know more about SSO and LDAP authentication, here is another article worth reading: SSO And LDAP Authentication