When it comes to selecting a single sign-on (SSO) solution for your organization, not all solutions are created equal. Choosing the best workforce SSO solution depends on your IT environment and user base. Some SSO solutions control authentication for users accessing resources from desktops in a single security domain. Others provide universal SSO across complex hybrid environments that include legacy on-premises, cloud-based and software-as-a-service (SaaS) applications. There are also SSO solutions capable of acting as an authentication authority across multiple identity types and broad use cases from cloud to on-premises.
IBM’s Cost of a Data Breach Report 2021 found that data breach costs rose from $3.86 million to $4.24 million, an increase of 10% from the prior year. Compromised credentials were the most common initial attack vector and responsible for 20% of breaches, at an average breach cost of $4.37 million.
According to Accenture’s 2021 Cyber Threat Intelligence Report, data migration to the cloud and the advance of internet-connected devices, such as Internet of Things (IoT) objects, switches and routers control data flowing in and out of the organization, increase the risk of cyberattacks. The report also highlights that in multiple ransomware attacks in 2020, data was destroyed rather than encrypted.
We’ll walk you through the basics of SSO and provide you with criteria for selecting the right SSO solution for your enterprise.
What is Single Sign-On?
Single sign-on (SSO) is an authentication solution that allows users to login to their applications and services with a single set of credentials. Without SSO, employees have to create sign-on credentials for every app, sign in multiple times, and remember numerous passwords. SSO streamlines the process by giving employees secure, one-click access from any device. This reduces the number of usernames and passwords they need to remember, provides a better overall user experience and increases data security.
How Does Single Sign-On Work?
With users signing on from a variety of devices to access on-premises, cloud and/or SaaS applications, enterprises need to provide secure single sign-on to trusted service providers, even when those apps and services are outside their firewalls or owned by third parties.
The foundation of single sign-on is the trust relationship between user, identity provider (IdP) and service provider (SP). The user has an account with the IdP, like an employer or telecommunications provider, which has a directory of users and an authentication mechanism. The SP can be a website, application or service.
The first time the user signs on, the username and password are sent to the IdP for authentication. Its authentication server checks the user’s credentials against the data in the directory, then initiates an SSO session on the user’s browser. When the user requests access to websites, apps and other SPs, the user’s identity is verified behind the scenes. Using identity standards, such as Security Assertion Markup Language (SAML), OAuth and OpenID Connect (OIDC), encrypted tokens are transmitted securely between the IdP and SP to indicate the user has already been authenticated and has permission to access their services.
Many enterprises have trust relationships with numerous service providers that employees need to access. They may also have multiple identity providers that business units or partners use to sign on. For large enterprises, a flexible federation hub to provide SSO between IdPs and SPs, no matter how they’re configured or what standards they use, can be appropriate.
Examples of Single Sign-On
SSO solutions go beyond workforce applications. SSO can also be used for customers and partners.
When an employee logs into their corporate email account using their email address and password, they can also access other applications without providing additional credentials. This streamlines access to internal and external applications needed to complete their work, such as instant messaging, sales data and the intranet, which improves productivity and reduces frustration.
A retailer with a network of vendor and distribution partners can grant its partners secure access to data by requiring them to log into an application dock once, then allowing access to all the apps and services the retailer has enabled for their use without additional logins.
A credit card customer can log into their account to check the balance, review prior statements, pay the bill, check their credit score and use accumulated points for travel, even if those services are on separate applications on the backend. By not forcing customers to log into each application separately, customer satisfaction is increased.
Choosing the Best Single Sign-On Solution for your Enterprise
An organization’s needs and budget can be used to determine the best single sign-on solution. A holistic approach balances user expectations, IT objectives and business objectives. A sample of evaluation criteria by group includes:
What is the overall user experience? Is the login experience consistent?
Can users access the portal via an application on their phone or tablet?
Does the solution offer a strong/multi-factor authentication (MFA) solution that is easy to use?
Does the vendor offer self-service registration and account management mechanisms?
Can the SSO solution support hybrid deployments (on-premises and cloud-based)?
Is it a cloud services (IDaaS offering) or on-premises SSO offering?
Does the solution support all of the relevant standards including SAML, OAuth and OpenID® Connect?
Does the vendor support multiple second-factor and MFA solutions?
How do the vendor and solution rank with analysts such as Gartner, Forrester and KuppingerCole?
Does the vendor’s technology platform and pricing support a simple upgrade path from workforce SSO to support additional enterprise IAM use cases for employees, partners and customers?
Is the vendor considered a thought leader that is driving the identity market toward open standards?
What is the vendor’s customer satisfaction rating (independently verified)?
Download our Decision-making Checklist for SSO Solutions
For a complete list of questions to consider, Ping developed a decision evaluation checklist for workforce SSO solutions. This Buyers Guide provides you with the questions you should be asking as you evaluate providers. Download it today.