What is Single Sign-on (SSO)?
Single sign-on (SSO) allows a user to sign on with one set of credentials and gain access to multiple applications and services. SSO increases security and provides a better user experience for customers, employees and partners by reducing the number of required accounts/passwords and providing simpler access to all the apps and services they need.
How many apps do you access every day? In the first hour of your day?
From social media to online shopping, collaboration tools to specialized business applications, it's becoming an impossible task to remember so many unique usernames and passwords. Many of us are probably guilty of choosing weak passwords that are easier to remember or writing our passwords down, and more than 80 percent of people ages 18 and up reuse the same password across multiple accounts.
Repeated sign-on requests are also a hassle, for both customers and employees. An online business might require separate passwords for different parts of its website. An employer might require an employee to sign on to each business application individually. Talk about a time suck!
When it comes to providing the most simple, secure experience across all channels, single sign-on goes a long way toward reducing frustration while also decreasing the chance of a security breach.
Single sign-on replaces the frustration of signing on to each app individually and remembering multiple sets of credentials with the convenience of single-click access. Employees can be more productive, and customers and partners get a frictionless experience that makes it easier to do business. SSO on mobile devices also offers a key advantage at a time when customers use their phones for everything and 72% of organizations allow or plan to allow "bring-your-own-device."
By requiring a single sign-on, an organization reduces the heavily targeted attack surface of user credentials down to one. And that one set of credentials can be more carefully secured. For example, single sign-on helps keep user data more secure by using tokens to authenticate, rather than forwarding passwords or storing credentials on user devices.
Password resets can cost enterprises an average of $179 per employee per year, according to a Forrester Research study. Multiply that by the number of users and the IT costs get high, fast. Fewer passwords means fewer resets and less time and money spent on user administration.
In the past, when all applications were on-premises, the requirements for single sign-on solutions were simpler. An employee would sign on to an SSO session, be authenticated against the single directory and gain access to multiple apps that were all within the same domain, without needing to re-enter a username and password each time.
Today's business environments are much more complex. The proliferation of on-premises, cloud and SaaS applications requires more robust single sign-on solutions, but it also makes SSO exponentially more valuable. Many enterprises today employ federated SSO to enable authentication across domains. This means they can provide secure single sign-on to a trusted group of applications or "service providers," even when the apps are owned by third parties or sit outside their firewalls.
To enable SSO, an organization known as the Identity Provider must implement a centralized authentication server that all apps can use to confirm a user's identity. This server can validate user identities and issue access tokens, the encrypted bits of data that confirm the identity and privileges of a user.
The first time a user signs on, the username and password are directed to the identity provider for verification. The authentication server checks the credentials against the directory where user data is stored and initiates an SSO session in the user's browser.
When the user requests access to an application within the trusted group, the service provider does not ask for a password; instead, it asks the identity provider to authenticate the user.
The identity provider provides an access token, and the service provider grants access without ever showing the sign-on screen to the user.
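The exchange described above, as an added example that is not part of the original article: a minimal identity provider that checks credentials against a directory and issues a signed token, and a service provider that grants access from the token alone, rejecting forged, expired, or wrong-audience tokens. The token format is a simplified two-part JWT-like string signed with a shared HMAC key (an assumption for brevity; SAML and OpenID Connect tokens are signed with the identity provider's published keys, which is what lets a service provider trust them without a shared secret).

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: a key shared out of band between the identity
# provider and the service provider, and a one-user directory of password hashes.
IDP_KEY = b"demo-shared-secret-not-for-production"
DIRECTORY = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_login(username, password, audience, now=None, ttl=300):
    """Identity provider: verify credentials against the directory and, on
    success, issue a signed token bound to one service provider (audience)."""
    now = int(time.time()) if now is None else now
    stored = DIRECTORY.get(username)
    given = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, given):
        return None  # bad credentials: no token is issued
    claims = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl,
              "roles": ["employee"]}  # identity plus privileges, as the text describes
    payload = b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64(sig)}"

def sp_verify(token, expected_audience, now=None):
    """Service provider: accept the token in place of a password. Returns the
    claims when signature, audience and expiry all check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig)):
            return None  # signature mismatch: tampered or forged token
        claims = json.loads(unb64(payload))
    except ValueError:
        return None  # malformed token
    if claims.get("aud") != expected_audience:
        return None  # token was issued for a different application
    if claims.get("exp", 0) <= now:
        return None  # SSO session expired; user must re-authenticate at the IdP
    return claims
```

The service provider never sees the password: it only checks a token the identity provider signed, which is the "no sign-on screen" step in the flow above.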
What makes this exchange possible is the use of identity standards such as SAML, OAuth, and OpenID Connect. Standards enable the secure sharing of identity data among multiple service providers and identity providers. Without standards, each connection would require customized development, which would quickly become cumbersome and unsupportable.
There are a few different standards because newer ones have been established over the years that are better suited to web-based and SaaS applications, while older standards remain a better fit for older apps. Each has its own strengths, so any enterprise SSO system should support the full set.
As IT environments get more complex and user experience expectations get higher, organizations that invest in single sign-on will have a leg up over the others. With single sign-on, they can improve security by reducing the number of required passwords, decrease IT costs associated with password management, and provide a seamless experience. They're empowering employees to be more productive, and giving customers effortless access to all their applications, sometimes without the users even knowing it!
To learn more about single sign-on and how it works, check out our Ultimate Guide to Single Sign-On.