Single sign-on (SSO) is a user and session service that enables users to log in with one set of credentials, for example their username and password, and then access more than one application with a single login. SSO can be used by enterprises, smaller organizations and individuals to simplify the management of user authentication.
With a basic web SSO service, an agent module on the application server retrieves the authentication credentials for each individual user from a dedicated SSO policy server. That retrieval happens when the user is authenticated against their user directory, such as an LDAP (Lightweight Directory Access Protocol) directory, after which the policy server authenticates them to all of their other applications for that session. This also eliminates any further password prompts for applications during the session.
Single sign-on is, essentially, a federated identity management (FIM) system, and the use of such a system is sometimes referred to as identity federation. OAuth, short for Open Authorization, is the framework that allows an end user's account information to be safely used by third-party services or applications, such as Instagram and Facebook, without exposing their password.
This visualization shows how single sign-on works
OAuth serves as an intermediary on behalf of the end user: it provides the service or application with an access token that grants permission to share only the specific account information the user has authorized.
Some SSO services use protocols such as Security Assertion Markup Language (SAML) and Kerberos.
Although single sign-on is convenient for users, it also presents risks to enterprise security. An attacker who obtains a user's SSO credentials gains access to every application that user has rights to, which multiplies the potential damage. To keep malicious actors out, every part of an SSO implementation should be coupled with identity governance. Most organizations pair SSO with two-factor authentication (2FA) or multifactor authentication (MFA) to strengthen security.
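As an added illustration (not code from the article), the following Python models the web SSO flow and the risk described above: a policy server checks the password once against a user store and issues a signed, expiring session token, and an agent on each application accepts that token in place of a new password prompt, but only for the applications the user is entitled to. The user store, signing key, application names and credentials are all constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

# Constructed demo user store standing in for the LDAP directory: the policy
# server keeps a salted PBKDF2 hash of the password, never the plaintext.
def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"demo-salt-not-for-production"
USER_DB = {
    "alice": {"salt": _SALT, "hash": _pw_hash("correct horse", _SALT),
              "apps": ["mail", "wiki"]},  # apps alice has rights to
}
SSO_KEY = secrets.token_bytes(32)  # key shared by policy server and agents (assumption)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sso_login(username: str, password: str, ttl: int = 3600,
              now: Optional[float] = None) -> Optional[str]:
    """Policy server: check the password once, issue a signed, expiring session token."""
    rec = USER_DB.get(username)
    if rec is None or not hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["hash"]):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "apps": rec["apps"], "exp": now + ttl}
    payload = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SSO_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def agent_check(app: str, token: str, now: Optional[float] = None) -> bool:
    """Agent module on an application server: accept the token instead of a new
    password prompt, but only if it is authentic, unexpired and covers this app."""
    try:
        payload, sig = token.split(".")
        given = _unb64(sig)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return False
    expected = hmac.new(SSO_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return False  # forged or tampered token
    claims = json.loads(_unb64(payload))
    now = time.time() if now is None else now
    return claims["exp"] > now and app in claims["apps"]
```

One stolen token opens every entitled application until it expires, which is why the short lifetime and the MFA step in front of the policy server matter.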
Facebook, Google and LinkedIn offer popular SSO services that let end users log in to third-party applications with their social media credentials alone. Despite being more convenient for users, social SSO can be a liability, because it creates a single point of failure that malicious actors can exploit.
End users should be aware that if they use social SSO services and an attacker gains control of their credentials, the attacker will have access to all of their online accounts. This could lead to identity or money being stolen, so it is advisable not to take chances and to use a more secure authentication option such as 2FA.
Apple has recently announced its own single sign-on service, Sign in with Apple, as a more private alternative to the SSO options from Google and Facebook. The new service is expected to limit what data third-party services can access while also improving security for iOS users by requiring 2FA on all accounts linked via Face ID or Touch ID.
Enterprise single sign-on (eSSO) software and services work like password managers with client and server components: they log the user on to target applications by replaying the user's credentials. These credentials almost always consist of a username and password, and target applications usually require no modification to integrate with the eSSO system.
Some advantages of Single Sign On include:
Some disadvantages of Single Sign On include:
Some of the most well-known and popular SSO vendors include:
Single sign-on (SSO) is a way for users to authenticate to multiple systems with one set of credentials. SSO has many benefits, but it can also pose security risks if it is not implemented correctly.
Mpire Solutions offers a variety of services including social and enterprise SSO solutions that will make it easy for you to integrate the technology into your existing infrastructure without compromising on data protection standards or user experience. For more information about our offerings, reach out to us today!