Identity And Access Management

How Does Single Sign-On Work?

We know what it does, but how does it work? Read on for an in-depth look at how Single Sign On works, its benefits, and its disadvantages.

Article thumbnail image

What Is Single Sign-On?

Single sign-on (SSO) is a user authentication service that allows for one set of login credentials to be used to access multiple applications at once. Users enter their credentials at the start of their session once with a “home domain” (i.e., the application they already have an account set up for) and can then move to other applications without having to re-enter any credentials.

SSO is designed to mitigate the management of numerous passwords by users, who may be experiencing password fatigue – that feeling you get when you need to remember an excessive number of passwords for both work and personal life. Password fatigue can lead to users reusing passwords across multiple platforms, using short, easy-to-guess passwords, or storing passwords somewhere unsafe.

Businesses can deploy a single sign-on solution to streamline workflows so employees only need to sign in once to use all the authorized apps and websites needed to do their work without interruption. It also provides greater control to admins, who are able to more easily manage which users have access to which accounts.

How Does Single Sign-On Work?

We know what SSO does, but how does it actually work? For a seemingly straightforward action, the process is a little complex. For SSO to function, it requires quite a lot of software working in the background. 

Single sign-on is part of a federated identity management (FIM) arrangement. FIM is the network of multiple domains that allow end-users to use one single set of user credentials to access multiple applications. Called trust domains, these domains maintain their own identity management but are linked by mutual trust of each other. These domains will be connected by a third-party service that will store the users’ access credentials (it must be noted that these are different from the user’s login credentials). This third-party service is often referred to as the identity provider.

There are number of SSO solutions that act as the identity provider for organizations looking to implement SSO. We’ll cover these in more detail later in this guide. 

FIM works in conjunction with open authorization (OAuth). OAuth is the standard protocol that allows for the end user’s information to be used by third-party services without giving away the user credentials. It provides the identity provider with an access token that allows for some account information to be shared, known as an authorization flow. The token is just a piece of data with information about the user – usually an email address – and some details about the system sending it. When the user accesses an application from the identity provider, this provider will make a request for authentication, which it will then verify with the trust domain before authenticating the user’s identity and allowing access .

The SSO framework falls under the umbrella concept of FIM, as does Open Authorization 2.0 (OAuth2). OAuth2 is a protocol that can request domain access on behalf of a user and acquire authentication tokens. However, OAuth2 can’t actually give any information about the user to the service provider. This is where OpenID Connect (OIDC) comes in. OIDC is a feature of OAuth2 that enables SSO, adding an identity layer that allows for identification and authorization.

“True” single sign-on means the user signs in just once at the start of a session, without having to re-enter login details or reconfirm their identity with authentication factors at any point during the session.

Single sign-on mustn’t be confused with same sign-on—while they share the same acronym, they’re distinctly different. Same sign-on requires the end user to log into each application with the exact same credentials for each application they use, whereas Single sign-on uses software to allow the user to navigate various applications that have different credentials but have been accessed at one point with one set of credentials.

SSO Implementation: Step By Step

So, for businesses looking to implement SSO, how does the system work in practice? Here’s how the single sign-on function works step by step:

  1. A user will be on a site or application that is part of a trust domain that is linked to their home domain where they have an account. The user is presented with an option to log in to this domain using credentials from their home domain.
  2. The domain will send a token request to the user’s browser before reaching the identity provider. This token will contain some information on the user with a request for the provider to authenticate.
  3. The identity provider will check whether or not the user has been authenticated. If the user has not previously logged into the home domain, the user will be required to do so. If so, the user will be granted access to the domain. 
  4. If they haven’t logged into their home domain already, the user will login with those credentials. The identity provider will then verify the credentials given, before sending a token back to the domain confirming authentication.
  5. After the token is received by the domain, the user is then granted access.

Types Of Single Sign-On Configurations

SAML

An acronym for security assertion markup language, SAML is an open standard for exchanging authentication and authorization information between systems. Usually this will be between an identity provider and a service provider. It helps to provide a framework for deploying single sign-on, along with any other FIM systems. SAML creates user authentication and user authorization. 

SAML grants secure access to various applications and websites to users after a single login step. It’s more geared towards businesses, as it allows for users to log in once to a network before being granted access to all applications on that particular network. Using SAML the user logs in once with standard credentials (usually a username and password), and a multi-factor authentication extension can be added to heighten security.

SAML was created to resolve the issue faced by IT admins when trying to connect their identity providers to web applications through lightweight directory access protocol (LDAP). Lightweight directory access protocol is an authentication protocol that is highly effective in user authentication but struggles to connect to web applications. SAML bridges this gap.

Smart Card

Smart card SSO uses a physical card to authenticate a user. Not as popular as SAML or Kerberos, but frequently seen in banking, smart card SSO will require a user to sign in with the credentials stored to the card for the first time they log in. After that step is complete, no credentials will have to be re-entered at any point during the session.

For the user to log in, the card will need to connect to a reader. This can be done with a magnetic stripe reader or through a short-range contactless method like through a wireless connection. While more commonly used for online payments, they can have another use as a step in multi-factor authentication.

Kerberos

Once user credentials are entered, this SSO configuration will provide users with a ticket granting ticket (TGT). This ticket contains data that is used to request service tickets from applications the user visits, allowing the user to navigate multiple applications without having to sign in again, creating seamless access. 

These tickets are temporary with time stamps that are only for one particular session, meaning TGTs have to be renewed after the session is over. The short lifespan of a TGT is to reduce the chance for a hacker to access the data.

The Advantages Of Single Sign-On

There are many benefits to organizations who decide to implement single sign-on. 

  1. Better admin control: As all this information is stored in a single place, IT admins have access to a comprehensive list of all users’ accesses and privileges. From there, admins can change, revoke, and remove access as and when it is needed.
  2. Reduces password fatigue: End users are no longer required to remember a myriad of login details with multiple passwords that are often long and complex. Instead, only one set of credentials is necessary, along with any additional easy-to-use verification steps. Forgotten passwords and password resets happen more infrequently.
  3. Potentially improved security: The temptation of reusing passwords or using simple, easy to guess passwords is removed, as is storing passwords somewhere unsafe. 
  4. Ease of use: SSO removes the interruptions when accessing new domains with requests for passwords, streamlining user access. It enables users to access documents and data faster, as and when they need to.
  5. Easy to install: Single sign-on software is usually easily deployable as an add on.

And The Disadvantages

No solution is 100% perfect and, for every perk, the solution will have a drawback. Here’s some of the things to consider with SSO:

  1. SSO Has Limitations In What It Can Be Applied To: For the most part, SSO can only really be applied towards web applications. This is fantastic, sure, but the average user’s workload isn’t usually confined solely to web applications. They also have a range of other accounts and applications they need to access where SSO can’t touch, which includes VPNS, on-premise apps, file servers, and literally anything else. So when it comes to reducing password fatigue, it can only do it for a small subset of work resources.
  2. Initial Setup Is Complicated And Time Consuming: Like with any good security tool worth its salt, it takes a lot of work during implementation and configuration to get it up and running. SSO can be challenging and time consuming for IT teams to install and configure, especially as all applications needed for the solution need to be configured into that solution.
  3. It Can Be Costly: Largely stemming from its learning curve and time needed to install, SSO can end up proving quite costly–both in terms of purchasing the product and also the costs from configuration and installation on the IT team’s part.

Is Single Sign-On Secure?

One of the major concerns about single sign-on is its fallibility—many see it as just another potential attack vector that can lead to irreparable harm to businesses. Here are some of the security concerns you should be aware of if you’re considering implementing SSO for your organization.

Data Breaches

While SSO is appealing with its ease of use and streamlining of online activities (especially with your average employee using 13 or more work-related applications a day), it runs the risk of a user’s login details being easily compromised. Removing passwords needed reduces the misplacement and misuse of storing passwords, which is often a leading factor when it comes to data breaches. However, instead of a hacker being faced with separate applications to access individually, acquiring one set of credentials allows them to access everything. These are usually not too difficult to acquire, as the standard set of credentials are often a password and the user’s email address.

Other disadvantages of SSO include the loss of productivity if an employee loses their credentials. Loss of credentials means they lose access to every platform required to do their job, involving time and effort in regaining access to everything.

Identity Spoofing

Having a complex technological process also opens attack vectors for more advanced attacks. While it hasn’t been researched much, use of v. Identity providers of web-based SSO systems can be spoofed, granting hackers access to multiple apps and, therefore, data.

Identity spoofing can be achieved by implementing a malicious identity provider that creates fake authentication tokens, which contains identifiers that the original identity provider does not have control of, provided the attacker has some information on the user’s account and knows what identifiers the user is using on their service provider. From there, it can “spoof” authentication tokens, tricking the service provider into granting the attacker access to the user’s account.

Session Hijacking

Accounts can also be compromised through session hijacking; this entails a hacker “hijacking” a user’s web session to gain access to their account.  Web servers need a way of recognizing users and their connections. The most common way this is done is by the web server sending a session token to the client browser after client authentication. Session hijacking can compromise this by stealing or guessing a token to gain access to the user’s session. From there, they’ll have access to all the user’s applications they would have access to during a session.

Account hijacking, once successful, can be near impossible to remedy for an individual if they are locked out of their account. It is possible for security teams to remove a hijacker. It can take some effort and usually by that point the damage is already done.

How To Secure Single Sign-On

Organizations that consider implementing SSO need to be aware of, and mitigate against the risk of data leaks, data loss, and financial loss. With a single set of credentials to access multiple apps and more technological processes that have the chance to be compromised. 

If you choose to use SSO, it is ideal for tailored security measures to be installed alongside the service so it can mitigate any potential malicious activity.

Identity Governance

To safeguard data against malicious actors, implementing identity governance alongside the SSO service is ideal.

What is it? Identity governance is a policy-based initiative that centralizes identity management and access control. It essentially offers admins an in-depth yet widespread overview of employee population and use. This centralized visibility gives a comprehensive view to admins of which employees have access to what, helping them detect weak credentials, inappropriate access, and policy violations. From there, admins can respond to and mitigate risks as they emerge, allowing them to change, revoke, or remove varying levels of access to various users should they feel as though a user has been compromised.

Identity governance systems can also automate access certifications, password management, and access requests. This helps reduce workloads for often overstretched IT departments, allowing them to focus on other tasks.

You can read more about the top identity governance solutions here:

Top 10 Identity Governance And Administration Solutions

Multi Factor Authentication

Having multi-factor authentication (MFA) or two-factor authentication (2FA) alongside SSO is a great way to keep domains secure. MFA (or, indeed, 2FA) is an authentication method that requires users that are signing in to verify their identity in another way, in addition to the user’s SSO credentials.

Verification steps will request users to provide some extra information, always falling under one (or more) of these three categories:

  • Something you know: Usually the user will have to provide another password or answer a security question.
  • Something you have: Often this will be a one-time code from an authentication app that the user will have downloaded during account set up.
  • Something you are: This will be biometric information, such as a face or fingerprint scan.

All this information is either difficult or almost impossible for a hacker to acquire, rendering them unable to access applications and data even after login details have been acquired.

MFA is easily deployable across all the accounts linked by SSO. The effort on part of the end-user is minimal, only needing to confirm their identity with MFA at the start of their session before continuing to use their applications as normal.

Some of the best SSO providers will have MFA or 2FA tools built in, although many will need MFA installed as an add-on. Some SSO providers even contain adaptive behavioral policies that can detect any unusual behavior and flag it before asking for further verification, preventing unauthorized access and enhancing security.

You can read more about multi-factor authentication and a guide on various MFA solutions for business here:

The Top 11 Multi-Factor Authentication (MFA) Solutions For Business

Top Single Sign-On Solutions

SSO solutions hold appeal for businesses for its potential to enhance productivity and streamline workflows. It can remove the need for password managers and helps to streamline applications used by staff.

There are a lot of business-friendly SSO solutions on the market, though not all may be the best option for your company. Check out our buyer’s guide for the best Single sign-on solutions for business here:

The Top 10 Single Sign-On Solutions For Business

Summary:

Single sign-on can be a contentious topic. Depending on who you ask, some will praise it for its potential heightened security and ease of use, others will say they see it as a potential avenue for data breaches and financial loss. 

If you wish to implement SSO for your business to help improve user experience and increase productivity, then having extra security measures installed alongside reduces compromise via attack vectors. We recommend working with a trusted SSO provider which will mitigate against many of the risks we outline in this article. 

Deploying identity governance and multi-factor authentication working in tandem alongside SSO helps for admins to have greater view and control of what is happening and who is doing it, and securing against data loss and breaches at the point of sign in.