Single sign-on (SSO) allows a user to sign on with one set of credentials and gain access to multiple applications and services. SSO increases security and provides a better user experience for customers, employees and partners by reducing the number of required accounts/passwords and providing simpler access to all the apps and services they need.
How Does Single Sign-on Work?
To enable SSO, an organization known as the identity provider (IdP) must implement a centralized authentication server that all apps can use to confirm a user’s identity. This server can validate user identities and issue access tokens, the cryptographically protected pieces of data that confirm the user’s identity and privileges.
The first time a user signs on, the username and password are directed to the identity provider for verification. The authentication server checks the credentials against the directory where user data is stored and initiates an SSO session on the user’s browser.
When the user requests access to an application within the trusted group, instead of requesting a password, the service provider asks the identity provider to authenticate the user’s identity.
The identity provider provides an access token, and the service provider grants access without ever showing the sign-on screen to the user.
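The exchange described above, as an added example written for this article (not code from the original page or from any vendor's product): a simplified identity provider checks credentials against a directory, starts an SSO session, and then issues signed tokens to trusted service providers, which validate the token instead of asking the user for a password. The token format is a minimal HMAC-signed, base64url-encoded JSON structure modelled on a JWT; the issuer name `idp.example`, the service providers `mail.example` and `intranet.example`, the user, the lifetimes and all keys are constructed for the example. Real deployments use the standard formats (SAML assertions, OIDC ID tokens) and usually asymmetric signatures rather than a per-provider shared secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SESSION_TTL = 8 * 3600   # SSO session lifetime in seconds (constructed value)
TOKEN_TTL = 300          # token lifetime in seconds (constructed value)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password, salt):
    # The directory stores a salted PBKDF2 hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_token(token, secret, expected_iss, expected_aud, now=None):
    """Service-provider side: check signature, issuer, audience and expiry.
    Returns the claims dict on success, None on any failure. The 'alg' field in
    the token header is deliberately ignored: the verifier always uses its own
    secret with HMAC-SHA256, so a token cannot choose its own algorithm."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        signing_input = f"{header_b64}.{claims_b64}".encode()
        expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak timing information.
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:          # malformed base64, JSON or token layout
        return None
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class IdentityProvider:
    ISSUER = "idp.example"      # constructed issuer name

    def __init__(self, directory, trusted_sps):
        # directory: username -> password (constructed test users), hashed on load
        self._directory = {}
        for user, password in directory.items():
            salt = secrets.token_bytes(16)
            self._directory[user] = (salt, _hash_password(password, salt))
        self._trusted_sps = trusted_sps   # sp_id -> secret shared with that SP
        self._sessions = {}               # session id -> (username, expiry)

    def sign_on(self, username, password, now=None):
        """First sign-on: credentials go to the IdP, which checks them against
        the directory and starts an SSO session. Returns a session id or None."""
        now = time.time() if now is None else now
        record = self._directory.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (username, now + SESSION_TTL)
        return session_id

    def assert_identity(self, session_id, sp_id, now=None):
        """Later requests: a trusted SP asks the IdP to vouch for the session
        holder. Returns a signed token bound to that SP (audience), or None."""
        now = time.time() if now is None else now
        secret = self._trusted_sps.get(sp_id)
        session = self._sessions.get(session_id)
        if secret is None or session is None:
            return None
        username, expiry = session
        if expiry <= now:
            del self._sessions[session_id]
            return None
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64url(json.dumps({"iss": self.ISSUER, "sub": username, "aud": sp_id,
                                     "iat": int(now), "exp": int(now) + TOKEN_TTL}).encode())
        sig = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        return f"{header}.{claims}.{_b64url(sig)}"


class ServiceProvider:
    def __init__(self, sp_id, idp, shared_secret):
        self.sp_id, self.idp, self.secret = sp_id, idp, shared_secret

    def access(self, session_id, now=None):
        """Never sees a password: asks the IdP for a token and validates it."""
        token = self.idp.assert_identity(session_id, self.sp_id, now)
        claims = verify_token(token, self.secret, IdentityProvider.ISSUER, self.sp_id, now) if token else None
        return f"welcome {claims['sub']}" if claims else "access denied"


def build_demo():
    """Constructed IdP with one user and two trusted service providers."""
    secrets_by_sp = {"mail.example": secrets.token_bytes(32), "intranet.example": secrets.token_bytes(32)}
    idp = IdentityProvider({"alice": "correct-horse-battery"}, secrets_by_sp)
    sps = {sp_id: ServiceProvider(sp_id, idp, key) for sp_id, key in secrets_by_sp.items()}
    return idp, sps


if __name__ == "__main__":
    idp, sps = build_demo()
    sid = idp.sign_on("alice", "correct-horse-battery")
    for sp in sps.values():
        print(sp.sp_id, "->", sp.access(sid))
    print("untrusted SP:", idp.assert_identity(sid, "unknown.example"))
```

The points worth noticing are the ones that make SSO safer than forwarding passwords: the service provider never handles the credential, each token is bound to one audience and one short lifetime, a token issued for one provider is rejected by another, any change to the claims breaks the signature, and the IdP refuses to vouch for a provider it does not trust or for a session that has expired.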
Types of Single Sign-on
In the past, when all applications were on-premises, the requirements for single sign-on solutions were simpler. An employee would sign on to an SSO session, be authenticated against the single directory and gain access to multiple apps that were all within the same organization, without needing to re-enter a username and password each time. This is single sign-on at its most basic.
But today’s business environments are much more complex. The proliferation of on-premises, cloud and SaaS applications requires more robust single sign-on solutions—but makes SSO exponentially more valuable. Many enterprises today employ federated SSO to enable authentication with a single set of credentials across multiple organizations and security domains. This means they can provide secure single sign-on to a trusted group of applications or “service providers,” even when the apps are owned by third parties or sit outside their firewalls.
Standards for Single Sign-on
What makes this exchange possible is the use of identity standards such as SAML, OAuth and OpenID Connect. Standards enable the secure sharing of identity data among multiple service providers and identity providers. Without standards, each connection would require customized development, which would quickly become cumbersome and unsupportable.
Several standards coexist because newer ones, better suited to web-based and SaaS apps, have been introduced over the years alongside older standards that still fit older apps. They each have their own strengths, so any enterprise SSO system should support the full set.
Repeated sign-on requests are also a hassle, for both customers and employees. An online business might require separate passwords for different parts of its website. An employer might require an employee to sign on to each business application individually. Talk about a time suck!
When it comes to providing the most simple, secure experience across all channels, single sign-on goes a long way toward reducing frustration while also decreasing the chance of a security breach.
Single sign-on replaces the frustration of signing on to each app individually and remembering multiple sets of credentials with the convenience of single-click access. Employees can be more productive, and customers and partners get a frictionless experience that makes it easier to do business. SSO on mobile devices also offers a key advantage at a time when customers use their phones for everything and 72% of organizations allow or plan to allow “bring-your-own-device.”
By requiring single sign-on, an organization reduces the heavily targeted attack surface of user credentials down to one. And that one set of credentials can be more carefully secured. For example, single sign-on helps keep user data more secure by using tokens to authenticate, rather than forwarding passwords or storing credentials on user devices.
Password resets can cost enterprises an average of $179 per employee per year, according to a Forrester Research study. Multiply that by the number of users and the IT costs get high, fast. Fewer passwords mean fewer resets and less time and money spent on user administration.
Single Sign-on Examples
To illustrate how helpful single sign-on can be, here are a few real-world examples:
An employee signs on to their company email account in the morning, using their email address and password. For the rest of the day, they access all their applications—instant messaging, the intranet site, sales data, IT help desk and their timesheet—without ever needing to provide another password.
A banking customer signs on to their bank to check their savings balance. They then seamlessly transition over to the mortgage application, check their credit score and alert customer service about an upcoming trip. On the backend, each of these services is a separate application, but the customer never has to provide another password.
A retailer has an extensive network of supply chain and distribution partners. These partners can log into the application dock once, and then access all the applications and services the retailer has enabled for their use from one place, without further logins.
Is Single Sign-on the Best Security Approach?
Although single sign-on has many benefits, some might still question whether it’s the best approach to security for their employees and customers. If you allow users to rely on one set of credentials to access everything, you’d better be sure those users (and your systems) are protecting their credentials properly. Once a hacker gets their hands on them, their access will extend to all the user’s apps and services. Unfortunately, even if you have the best security technology in the world, a user’s password can still be compromised through phishing scams, reuse on a hacked site or other unsafe behavior.
Securing one strong set of credentials is still much easier than managing many, and smart organizations are implementing multi-factor authentication to beef up security at the point of sign in. This requires users to provide an additional piece of evidence beyond a password to prove they are who they say they are. Advanced solutions can even use intelligence to assess the risk level of a given user or their actions to decide whether to step up security or not.
SSO Gives Users the Experience and Security They Expect
As IT environments get more complex and user experience expectations get higher, organizations that invest in single sign-on will have a leg up over the others. With single sign-on, they can improve security by reducing the number of required passwords, decrease IT costs associated with password management, and provide a seamless experience. They’re empowering employees to be more productive, and giving customers effortless access to all their applications—sometimes without the users even knowing it!