Geekflare
Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
In Security  |  Last updated: April 3, 2023
Share on:
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

What Is Single Sign-On and How Does It Work? Benefits And Drawbacks

By
Single Sign-On

Single Sign-On (SSO) is an authentication service where a user logs in to a service or account and then gains access to multiple applications. The technology eliminates the need for multiple logins by providing automatic authentication after the initial sign-on. 

Ideally, authenticated users do not have to log in to individual applications or services whenever they need access. Typical areas where a single sign-on is applicable include cloud services, online portals, intranets, and other environments where users need to access and navigate between several applications.

YouTube video

Other areas where it is applicable include e-commerce, banking, and other customer-facing apps and websites. In this case, the SSO allows the users to seamlessly access several enterprise and third-party applications without having to log in to each of them individually.

Google, Microsoft, and other enterprise platforms are some major companies that use SSO. For example, once you log in to your Gmail account, you can access Google drive, Google docs, AdSense, YouTube, Google Analytics, Google Search Console, and all the apps associated with the email address.

Why Is Single Sign-On Important?

Organizations are using multiple applications and services to improve workflows and performance. The deployment on the cloud and/or on-premise environments often results in fragmentation which can be a challenge for IT teams and users.

For example, managing fragmented apps requires more time and skills for the IT staff. Also, users must rely on many applications and services to do their work. Traditionally, this requires logging in to multiple applications and switching between them several times daily.

SSO eliminates the need to keep entering login credentials every time there is a need to access a different application or service. This allows them only to provide one set of credentials to access the services and seamlessly switch between applications without logging in again.

Besides improving user experience, it enhances security while reducing costs and workload on the IT staff, which would traditionally spend most time sorting out login issues.

How Does Single Sign-On Work?

The SSO process is based on a trust relationship between the identity provider, such as a server, and the application a user is trying to access. The two exchange a certificate that the application or service verifies is from a trusted source.

A typical flow looks like the one below but may differ depending on the protocol and whether the application is on-premise or cloud-based.

  1. A user attempts to access the service provider who refers to the service, website, or application.
  2. The application sends a token to the identity provider or SSO service to authenticate the user.
  3. The SSO system checks if the user is already authenticated. If so, the user is granted access to the application. If not, the user is prompted to provide the credentials.  
  4. Once authentication is verified, the Identity Provider sends a token to the service or application, and the user can now access it.
image-9
Source: microsoft.com

Once a user logs in to an app or website that relies on a Single sign-on, the SSO service connects to the primary identity provider server. The system then creates an authentication token that acts as a temporary identity showing the user has been verified. This is stored in the application server or the user’s web browser.

Whenever the user accesses another app, the new application checks the SSO service to find if there is an active authentication token. If the user has logged into another app, the SSO service confirms this and then passes the token to the application. Consequently, the user automatically logs in to a different app without providing the credentials.

If the user has not logged in, the SSO service prompts for the username and password. 

Benefits of Single Sign-On

Single sign-on authentication delivers benefits such as improving security and compliance for the applications, users, and data. It also delivers better user experience and satisfaction since there are fewer disruptions and the need to remember different credentials for each service or app.

Other benefits are as follows:

#1. Reduced Password Fatigue

Naturally, in today’s digital world, an individual must remember several passwords to access different services and applications. However, most people dread having to remember different passwords.

Reduced-Password-Fatigue

Instead, someone will use one easy-to-remember password to access the different services, which is a big security risk. For example, a criminal with the password for one application can also access and compromise all the other services that use the same.

Although the SSO uses one common set of credentials, it relies on a stronger password and is mostly used with multi-factor authentication.

Also read: Most Common Passwords You Should Stop Using

#2. Easier to Integrate Multi-factor Authentication

Since SSO runs and is managed from a central place, it allows easy integration of MFA. In this case, users only need to activate the MFA once instead of several times based on the number of applications and services.

#3. Reduced Password Recovery Time

Reduces the time it takes to recover or resolve forgotten passwords. Most often, IT teams spend a lot of time resolving password issues for the staff. However, SSO reduces the number of passwords required hence the time it would take to reset them.

#4. Improved Productivity

Improved-Productivity

By eliminating the need to log in to each application or service, the SSO authentication saves the time employees would need to access multiple applications, improving productivity.

Users only need to log in once, after which they can seamlessly navigate across multiple applications without prompting for the username and password again.

#5. Enhances Regulatory Compliance

Regulated industries such as the medical, financial, and others have strict requirements to comply with standards such as HIPAA, PCI DSS, and others. By using SSO, companies can comply easily since they only need to secure one set of credentials for all services and resources.

Drawbacks of SSO Authentication

Although Single Sign-On authentication delivers a better user experience and other benefits, it has some drawbacks.

These include:

#1. Security Risks 

Security-Risks-

The SSO service may have higher security risks. Flaws in the SSO system and insecure SSO practices can potentially expose the credentials that attackers can exploit and compromise multiple applications. Additionally, the SSO may not address all the security requirements of some sensitive or critical applications.

Despite the challenges, organizations are deploying the SSO due to its many benefits, especially when using low-risk applications such as chats. To enhance security, they can add other authentication technologies, such as the MFA. 

#2. Complex Deployment

Configuring SSO components such as Identity provider and digital certificates and then integrating them with the applications (service provider) is a complex and challenging exercise that requires high expertise and time. 

Once set, the SSO service must be available at all times. It, therefore, requires a high-availability infrastructure to ensure reliability and access to organization applications. Otherwise, downtime leads to the inability to access the applications and services. 

Additionally, loss of credentials such as the password or inability to log into the main account means inability to access any applications. However, most Single Sign-On solutions provide a self-service password reset that most users can access and reset the passwords.

#3. Not All Applications Support Single Sign-on Login

Although most enterprise cloud and on-premise support SSO, some are not. As such, even with the SSO in place, users may still need to use credentials for unsupported services and applications.

SSO Authentication Standards and Protocols

An SSO authentication process must reliably and securely pass the authentication token to the other services and applications the user can access. For this to happen, the authentication tokens have specific protocols or standards to ensure their legitimacy and accuracy.

For example, for cloud applications, you can deploy federation-based SSO authentication methods such as OAuth, OpenID Connect, or SAML.

There are several SSO authentication methods and protocols, and the choice depends on the environment, level of security requirements, and more.

Federated SSO 

Federated identity management (FIM) provides a trusting relationship between applications and vendors, trusted third parties, and external service providers.

For example, after logging in to Gmail or Apple account, a user may have access to other apps such as Twitter and others without prompting additional login. However, it may prompt for verification, such as a phone number, if accessing the external app for the first time on the device.

Twitter-SSO-login

Adaptive Single Sign-On

The adaptive SSO authentication will initially prompt for a username and password to access the primary account. However, accessing a sensitive or highly secure app may require additional authentication, such as credentials or an MFA code. This may also happen when accessing an application or service from a new device or location.

Social SSO Authentication

This allows users to log in to third-party services, applications, and websites using their social media accounts, such as Twitter, Facebook, Apple, Google, or LinkedIn.

Smart Card SSO Authentication

To log in with this authentication, a user must have a physical smart card and use it to sign in to the computer that holds the primary account. Afterward, the user can access multiple other applications and services. Ideally, this is one of the most secure SSO solutions. Since unless the attackers obtain the physical card and PIN, they cannot sign in to the applications.

Smart card Single Sign-On is not very popular but is more secure. These are used for banks and online payments as multi-factor authentication options. 

Kerberos Authentication Single Sign-On

The SSO authentication system prompts a user to provide their primary credentials. The identity provider, such as Active Directory, then issues a ticket-granting ticket (TGT). Afterward, the TGT provides service tickets for the other services, websites, and applications the user wants to access.

In Kerberos authentication, the TGT tickets are usually temporary and only for a specific session. They have a short lifespan to reduce the risks of an attacker accessing or hijacking the session. 

Security Assertion Markup Language (SAML) Protocol

SAML is one of the open standard protocols that support the exchange of encrypted authentication and authorization data between the primary identity provider and several applications or services.

Compared to other protocols, SAML provides higher security controls and is ideal for critical and protected applications in governments and enterprises.

SAML enables user authentication and authorization. Besides the username and password, organizations can add the multi-factor authentication option to enhance security.

Open Authorization OAuth Protocol

OAuth is also an open standard protocol that enables applications to securely exchange authorization information. It allows different applications to communicate without exposing user passwords. 

Using the Auth0 authentication, businesses can integrate applications while integrating SSO options such as SAML, LDAP, AD, and more.

OpenID Connect (OIDC) Single Sign-On Protocol

OpenID Connect (OIDC) is a Single Sign-On authentication protocol for consumer-facing applications. The open standard authentication protocol runs on top of OAuth.

It uses an identity provider with JSON Web Tokens to authenticate the users. For example, it can use social login to permit users to access a shopping cart or other third-party application.

Final Words

Deploying Single Sign-On authentication improves the way users navigate across different applications or services. Once you log in through SSO, you have permission to access all the approved services or applications without having to log in to each of them individually. Consequently, it delivers a better user experience and productivity.

Next, you can check out user authentication platforms [Auth0, Firebase alternatives].

  • Amos Kingatua
    Author
    Amos Kingatua is an ICT consultant and technical writer who assists businesses to set up, secure, and efficiently run a wide range of in-house and virtual data centers, IT systems and networks.
Thanks to our Sponsors
More great readings on Security
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti
    Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Brightdata
    Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • Monday
    Monday.com is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.
    Try Monday
  • Intruder
    Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder