A Beginner's Guide to SSO

Most of today's jobs require employees to use multiple online accounts, and the trend has accelerated as more people work remotely during the COVID-19 pandemic. At The Ascent, for example, I have access to nine applications, including Slack and Microsoft Outlook for communications, Trello for project management, and Google Drive for shared documents and other files.

Some applications I use every day, while some I rarely use. Either way, logging in daily to multiple individual accounts is time-consuming and can lead to bad password habits, such as using easily remembered but weak passwords and reusing passwords.

A single sign-on (SSO) service application addresses these issues. We'll go over SSO basics, strengths and weaknesses, and benefits to show how it can increase security and productivity at your small business.

Overview: What is SSO?

SSO lets users employ a single set of login credentials to access multiple online or networked third-party websites and applications. SSO is like a shopping mall. Without a mall, you'd drive to multiple locations to buy a pair of shoes, grab a quick lunch, and get a haircut. At a mall, however, you go through one set of main doors and have everything you need in the same place.

The Okta dashboard below is a good example of a user interface after logging in via an SSO portal. Left-hand menu options filter available applications, or you can add apps from a catalog, and your accounts are displayed in a grid. The Okta mobile app also lets you access your SSO dashboard on your smartphone.

The best SSO software provides dashboard access via your desktop and mobile devices. Image source: Author

Large organizations often use enterprise-level SSO, but smaller businesses and individuals can also use it to facilitate identity and access management (IAM). SSO is not, however, an all-in-one security solution.

Instead, especially in larger organizations with a security operations center (SOC), it's an integral part of the overall security infrastructure that addresses advanced persistent threats, creates network diagrams, and enforces zero trust protocols.

How SSO works

Without SSO, employees log in separately to multiple accounts to access applications. With SSO, a single login process, typically provided by a third-party identity provider (IdP), creates a security token to access these accounts. An SSO server becomes the single point of entry to allow greater security before users launch service provider (SP) applications or websites.

Using SSO simplifies the process to access multiple third-party applications. Image source: Author

Companies can use SSO protocols to check login credentials against a company database of user information, but using third-party IdPs, such as Okta, LastPass, or OneLogin, is more common.

While SSO is more convenient because employees log in once instead of multiple times each day, it also creates other benefits, including more robust security, increased productivity, and reduced workloads for information technology (IT) departments.

1. Enhanced security

Robust password policies are the first step to prevent cyberattacks. Instead of relying on employees to create multiple, strong passwords -- which most people don't do because it's a hassle -- your SSO portal allows you to enforce customized password policies for improved security.

SSO does have inherent risks because one set of login credentials provides access to multiple applications. The most common solution to increased SSO security is multi-factor authentication (MFA). This adds another step to the login process, such as answering a security question, responding to a push notification on a smartphone, or inputting a one-time password (OTP) sent via email or text.

2. Increased productivity

SSO also increases employee productivity with its time savings. Sure, each individual login only takes 15-30 seconds, but multiple employees doing this repeatedly during the day adds up.

A recent study showed that in healthcare settings, implementing SSO for use by clinicians across 19 hospitals led to more than $3.2 million in annual savings.

3. Reduced IT help desk workload

Up to 50% of help calls are due to password reset requests, at an average cost of $70 each. Beyond these savings, SSO frees up your IT team to work on higher-level issues and projects.

SSO also allows you to set up automatic application provisioning for new hires. Based on a new employee's job, department, and level of required access, their SSO dashboard is populated with the appropriate apps from the first time they log on.

4 types of SSO configurations

While your non-IT employees only see SSO's end product via login screens and their personal dashboards, multiple SSO configurations define different relationships between a user, IdP, and SP. The "right" one for your business depends on your exact needs, so research these options to maximize return on investment (ROI).

1. Kerberos authentication

In Greek mythology, Kerberos (aka, Cerberus) is a three-headed guard dog at the gates to the underworld. Its client-server model uses a mutual authentication ticketing system in which users and servers verify each other's identity.

Kerberos’ benefits include:

• Supports multiple operating systems and platforms.
• Sends only encrypted passwords over a network.
• Enforces a limited time frame for ticket validity.

Limitations include vulnerabilities from weak or reused passwords, and only clients and servers are authenticated.

2. Smart-card authentication

Unlike online logins, smart cards are physical cards with microchips embedded in them that authenticate users upon being read by a device.

Smart card benefits include:

• Easy to update.
• Supports multiple uses, such as employee identification and building access.
• Difficult to duplicate or clone.

Smart card disadvantages range from their cost to produce compared to online authentication and the need for employees to physically carry them for use.

3. Integrated Windows Authentication

On its own, Integrated Windows Authentication (IWA) is not an authentication protocol and doesn't initially ask users for login credentials. Instead, the client computer's web browser provides user information. If this fails, then the user is prompted to enter a username and password.

IWA benefits include:

• Compatible with most web browsers.
• Employs existing user logins.
• Uses a centralized user account database in Active Directory (AD).

A significant IWA disadvantage is that it's specific to Windows machines. It also doesn't work over some HTTP proxy servers, so its best use is on intranets where users are in the same domain.

4. Security Assertion Markup Language

Security Assertion Markup Language (SAML) is an XML-based open standard that transmits identity data between an IdP and an SP. Unlike IWA, a major SAML advantage is that it's platform-agnostic.

Other SAML benefits include:

• Uses a single database instead of synchronizing across multiple ones.
• Employs Public Key Infrastructure (PKI) to protect against attempted attacks.
• Assigns identity management responsibility to the IdP.

One SAML disadvantage, however, is that logon access is impossible if the IdP is unavailable.

Increase security and productivity with SSO

No matter what the industry sector, many of a company's most valuable assets -- financial records, customer information, and proprietary knowledge -- are digital. Implement the best identity management software with SSO for your business to enhance network security and increase employee productivity.