The Benefits of Single Sign-On and How it Can Improve Your Business Security

Updated 03/20/2023


Single sign-on (SSO) is an authentication service that allows users to enter their credentials, such as username and password, once to access multiple applications. In the same vein, SSO includes Single Log Out, meaning that if the user logs out of one app, they are logged out of the other apps as well.

How Does it Work?

SSO is based on trust between the application or service and an external service provider, or Identity Provider (IdP).

This trust is established via communication between the app and a centralized SSO service that the app relies on when a user tries to log in. The SSO service typically runs on its own dedicated SSO policy server.

A user enters their credentials and attempts to sign in to the application. The app then generates an SSO token, a digital file containing user-identifying information that is used to authenticate the user between the app and the SSO service.

Next, an authentication request is sent to the SSO service, which checks whether the user has been previously authenticated. If so, access is granted to the app. If not, the SSO service redirects the user to the central login page to enter the information again.

A successful login lets the user into the app. A failed login will show an error message. After enough failed attempts, the user may be locked out of their account for a period of time.
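The flow described above, sketched as an added example (not code from the original article or from any SSO product). Assumptions of this sketch: the class `ToySSO`, its policy values, the SSO service being the party that signs the token with an HMAC key, and the username standing in for the browser's SSO session.

```python
import base64, hashlib, hmac, json, secrets, time

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ToySSO:
    """Constructed stand-in for the central SSO service; apps trust tokens it signs."""
    MAX_FAILURES, LOCKOUT_SECS, TOKEN_TTL = 3, 300, 600   # assumed policy values

    def __init__(self, passwords):
        self._key = secrets.token_bytes(32)    # signing key stays inside the SSO service
        salts = {u: secrets.token_bytes(16) for u in passwords}
        self._users = {u: (salts[u], _hash(p, salts[u])) for u, p in passwords.items()}
        self._sessions, self._failures, self._locked_until = set(), {}, {}

    def login(self, user, password, now=None):
        now = time.time() if now is None else now
        if self._locked_until.get(user, 0) > now:
            return "locked"                    # lockout period still running
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            self._failures.pop(user, None)
            self._sessions.add(user)
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.MAX_FAILURES:
            self._failures[user] = 0
            self._locked_until[user] = now + self.LOCKOUT_SECS
        return "failed"

    def issue_token(self, user, app):
        """An app asks whether the user is already authenticated."""
        if user not in self._sessions:
            return None                        # app redirects to the central login page
        claims = {"sub": user, "aud": app, "exp": time.time() + self.TOKEN_TTL}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return body + b"." + hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()

    def validate(self, token, app, now=None):
        now = time.time() if now is None else now
        body, _, sig = token.partition(b".")
        good = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, good):
            return None                        # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        live = claims["aud"] == app and claims["exp"] > now and claims["sub"] in self._sessions
        return claims["sub"] if live else None

    def logout(self, user):
        self._sessions.discard(user)           # single log out: tokens for every app stop validating
```

Each token is bound to one app and to a live session, so a token issued for one app is rejected by another, and logging out once invalidates all of them.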

Advantages of Using SSO

  • Using SSO means remembering fewer usernames and passwords, leading to less password fatigue. Also, employees are more likely to create one strong password rather than use multiple weak ones or reuse one easy-to-remember password.
  • Because many applications will lock out a user after numerous failed login attempts, IT departments often get flooded with requests to reset passwords and unlock accounts. Implementing SSO reduces the workload for IT helpdesk employees.
  • One set of credentials means fewer targets for cybercriminals, reducing the chance of being phished.

Disadvantages of Using SSO

  • Some applications have stricter password requirements than others; SSO doesn't always address this issue.
  • If the SSO policy server becomes unavailable, every app that uses SSO is also inaccessible until connectivity is restored.
  • If unauthorized access is gained to one app via a cyber-attack, the attacker also gains access to any of the other apps. Many security professionals recommend refraining from using social SSO services, such as those associated with Google, Apple, Twitter, and Facebook, because of the risk of exploitation if one set of credentials is compromised.

Every network is different and is presented with varying levels of risk. For extra protection, organizations should pair SSO with identity governance and multifactor authentication to improve their security footprint.
