Mar 25, 2024
Employees often need to log in to multiple apps to do their daily work. In the past, simple username and password combos were adequate for accessing the small number of apps that an enterprise might use. These days, enterprise app sprawl has increased the average number of SaaS apps used by organizations to 130. This multitude of apps has made single sign-on (SSO) a necessity for any enterprise. SSO improves the employee experience and increases productivity.
What is SSO?
SSO is a form of centralized authentication management. Once a user has successfully logged in to an app or a website, they don't need to go through a further login process to access other registered apps or websites. They need to present their credentials only once.
SSO has revolutionized credential management — it’s a seamless way for employees to authenticate themselves across multiple apps and websites. SSO works remotely and within the confines of a corporate network. It simplifies the user experience, as employees and other users don't need to remember multiple usernames and passwords.
Administrators of an SSO system can configure the service to limit the life of session tokens, depending on security needs. Once a token has expired, the user must log in again to regain access.
The lexicon of SSO
A good first step to understanding SSO is learning the language of this centralized or linked authentication method.
These are some of the elements of SSO:
Federated identity: SSO is part of a federated identity system. SSO is responsible for the authentication aspect of federated identity.
SSO token: The SSO process generates an authentication token that allows access to federated apps and websites. SSO tokens are essentially digital authentication credentials used to authenticate access to multiple applications and websites.
Authentication service or SSO service: This is a service that handles the login credentials and issues SSO tokens.
Protocols supporting SSO
The SSO token is handled using a protocol. SSO is always a layer built on top of certain protocols. The following protocols are typically used to handle SSO:
SAML (Security Assertion Markup Language) tokens
SAML is a well-established open standard authentication protocol. One of the main reasons for developing SAML was to provide cross-domain SSO.
OIDC (OpenID Connect)
OIDC is an identity layer built on the OAuth 2.0 framework. OIDC uses JSON Web Tokens (JWTs) to exchange data between an identity provider (IdP) and a service provider (SP). OIDC can be implemented to handle SSO.
How does SSO work?
SSO can be implemented in several ways, depending on your security and user needs. However, the general flow of an SSO exchange begins when a user attempts to log in to a supported app or service website.
During login, the user is redirected to the authentication server (SSO service), and what happens next depends on whether:
The user is still logged in to an SSO session: The service checks whether the user already has an active SSO session. If they do, the service issues an access token for the app (the app must be registered with the authentication server).
The user has yet to log in: If the user is not logged in, they will be asked to present their login credentials, and an access token will be issued.
[Figure: Classic SSO flow]
Most SSO services check user credentials against a separate identity management service. The session token is typically stored as a cookie or in the user's browser.
What about single logout (SLO)?
When you’re implementing SSO, it’s important to also configure SLO. This way, when a user logs out of one app, the SSO token is destroyed, improving the security of the overall ecosystem.
Benefits of SSO
Some of the most important benefits of using SSO are:
Better user experiences
Faster login and fewer passwords to remember lead to better employee and non-employee experiences.
Improved productivity
A better employee experience and less time spent logging in to apps and websites improve productivity.
Less credential sprawl and password fatigue
Remembering multiple passwords for myriad apps causes password fatigue. SSO removes the need to remember dozens of passwords. SSO also reduces the likelihood of poor password hygiene, such as writing passwords down on paper. On the administrator side, SSO helps to alleviate password sprawl and reduces password management overhead.
Reduced IT support costs
SSO reduces the time support staff has to spend on helping users recover or reset passwords. Since many organizations use dozens, if not hundreds, of apps, password recovery can become onerous.
What is the SSO Tax?
Recently, the idea of an "SSO tax" has been discussed. This is the practice of SaaS vendors charging more for access to their SSO capabilities. The argument goes that any company with five or more employees should have the benefits of SSO. However, vendors offering identity management tools often provide SSO only in a higher-tier, much more expensive version, effectively levying a burdensome “tax” on smaller organizations that also need SSO.
SSO and security
The security of an SSO service is dependent on its implementation. However, several aspects of SSO help improve enterprise security:
App or website legitimacy: When a user wants to access a service or an app, a digitally signed authentication request is generated. The authentication server then verifies that the request is legitimate. Only when the app has been authenticated does the authentication service check to find out whether the user is logged in (or needs to go through the login process), and then an access token is issued.
MFA (multi-factor authentication): SSO supports MFA, and MFA enforcement can be based on risk level. For example, apps that contain sensitive information may require MFA during login, whereas less sensitive operations use SSO auto-login.
Risk-based SSO: Users can be required to re-enter their credentials after a specific time period. SSO centralizes this control and enforces the policy across multiple federated apps.
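The flow described under "How does SSO work?", single logout, and the two risk controls above (step-up MFA for sensitive apps, forced re-entry of credentials after a set age) fit in one small model. The code below is an added example written for this article, not code from the original page or from any SSO vendor it names; the class and method names are assumed, tokens are opaque random strings held in memory, and times are passed in explicitly so the behaviour can be checked deterministically.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RegisteredApp:
    client_id: str
    requires_mfa: bool = False   # sensitive apps demand step-up before access


@dataclass
class Session:
    user: str
    created_at: float            # when the user last presented credentials
    mfa_verified: bool = False


class SsoService:
    """Constructed in-memory SSO service: sessions, per-app access tokens, SLO."""

    def __init__(self, session_ttl: float, reauth_after: float):
        self.session_ttl = session_ttl       # hard lifetime of a session token
        self.reauth_after = reauth_after     # risk-based: re-enter credentials after this age
        self.apps: Dict[str, RegisteredApp] = {}
        self.sessions: Dict[str, Session] = {}
        self.access_tokens: Dict[str, str] = {}   # access token -> issuing session token

    def register_app(self, client_id: str, requires_mfa: bool = False) -> None:
        self.apps[client_id] = RegisteredApp(client_id, requires_mfa)

    def login(self, user: str, password_ok: bool, mfa_ok: bool = False,
              now: Optional[float] = None) -> Optional[str]:
        """Credential check; on success returns the session token stored in the cookie."""
        if not password_ok:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now, mfa_ok)
        return token

    def complete_mfa(self, session_token: str) -> None:
        if session_token in self.sessions:
            self.sessions[session_token].mfa_verified = True

    def _live_session(self, session_token: str, now: float) -> Optional[Session]:
        sess = self.sessions.get(session_token)
        if sess is None:
            return None
        if now - sess.created_at >= self.session_ttl:
            self.logout(session_token)       # expired: destroy it and everything issued from it
            return None
        return sess

    def authorize(self, session_token: Optional[str], client_id: str,
                  now: Optional[float] = None) -> dict:
        """What the SSO service decides when an app redirects the user to it."""
        now = time.time() if now is None else now
        app = self.apps.get(client_id)
        if app is None:
            return {"status": "unknown_app"}            # unregistered app: refuse outright
        sess = self._live_session(session_token, now) if session_token else None
        if sess is None:
            return {"status": "login_required"}         # no session: full login
        if now - sess.created_at >= self.reauth_after:
            return {"status": "login_required"}         # risk-based re-entry of credentials
        if app.requires_mfa and not sess.mfa_verified:
            return {"status": "mfa_required"}           # step-up for sensitive apps
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = session_token
        return {"status": "ok", "access_token": access, "user": sess.user}

    def access_token_valid(self, access: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        session_token = self.access_tokens.get(access)
        return session_token is not None and self._live_session(session_token, now) is not None

    def logout(self, session_token: str) -> int:
        """Single logout: drop the session and every access token issued from it."""
        self.sessions.pop(session_token, None)
        stale = [a for a, s in self.access_tokens.items() if s == session_token]
        for access in stale:
            del self.access_tokens[access]
        return len(stale)
```

Two points the model makes visible: an app is checked against the registry before the user's session is even consulted, so an unregistered app never learns whether a session exists; and logout cascades from the session to every access token issued from it, which is what SLO needs in order to close the other apps' doors as well.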
Do social logins support SSO?
Many social logins can act as a form of SSO. Social logins are provided by platforms such as Facebook, LinkedIn and Apple. Services and websites that support these providers allow users to log in to cross-domain accounts that support social SSO. Social logins like LinkedIn’s can reduce friction in customer and employee onboarding and in access to resources.
Who provides SSO?
Many vendors supply SSO as a feature of an IdP. Some vendors offer SSO via SAML; others offer it using OIDC. Whichever protocol underpins an IdP’s SSO offering, these should still be considered full SSO solutions. Some of the better-known SSO vendors include:
Okta: enterprise SSO solution.
OneLogin: covers customers and the workforce and has good SecOps features.
Ping Identity: a full range of identity capabilities, including SSO.
Microsoft Entra ID (previously Active Directory): Microsoft's ubiquitous identity service offers SSO for Windows and SaaS environments.