Single Sign-On (SSO) 101
In the world of web security, it’s easy to drown in a sea of acronyms. Every time a new approach or protocol is introduced, it includes a whole host of abbreviations to remember. Believe it or not, there’s one security acronym that’s designed to make everything a lot simpler: SSO.
Single sign-on, most commonly referred to as SSO, allows users to access multiple systems using one login and password, with the credentials managed by an independent system. With SSO in place, your network can short-circuit some of the most common security threats, and users won’t have to deal with the headache or risk that comes with managing multiple logins.
Let’s dive in to the basics of SSO: how it works, the benefits of using it, and how you can begin the process of deploying SSO.
Single Sign On: Overview
There are several different ways to approach SSO — you may have heard of OpenID Connect, SAML, or even Facebook Connect. Fundamentally, they’re each variations on the same basic concepts. Here’s how they work:
When a user needs to access a system in an SSO environment — for example, if they want to log in to their corporate VPN — they’re redirected to log in to their authentication server. The authentication server is in charge of validating the user’s credentials and providing access to all of the systems the user has access to. This means once a user has logged in to the authentication server, they don’t need to do anything extra if they want to access another system in the same domain (for example, their Salesforce account), — they’re already logged in by virtue of SSO.
A strong SSO implementation will save users some frustration but the benefits go well beyond that. Let’s look at why single sign-on is good for your users, and even better for the admins in charge of your network infrastructure.
User Benefits of SSO
Although it can be difficult to get users excited about security updates, there’s a lot for them to love about single sign-on. If you’re planning on rolling out SSO, start by talking to users about how much easier it will make their lives. Highlight benefits like:
Users are only required to remember one password. This is a big win for a lot of users. In an SSO environment, the user is only responsible for one set of credentials. They don’t have to manage a ton of different usernames and passwords. In addition to the convenience, SSO also saves a lot of time. If you’ve ever had to rack your brain for a password you only use once a year, you know the struggle of losing hours to password management is real.
Password updates become standard, centralized procedures. In an environment without SSO, users aren’t just required to remember multiple passwords — they’re also typically responsible for periodically updating each one. Using this model for passwords just isn’t scalable. It causes tremendous amounts of wasted time as admins try to ensure that every user has updated their passwords to every relevant system. With SSO, administrators can set password expiration dates that help users maintain good password hygiene, and keeping passwords fresh is a lot simpler for them when there’s only one password to manage.
Getting access to new internal applications and resources is easy. As new applications and systems get added to a network environment, in most cases it’s fairly simple to integrate them with an SSO system — so users can gain access by virtue of their SSO login. The next time you’re rolling out an application or service to your users, consider how much time you spend managing access, and how much time you could save by implementing SSO.
Collectively, the user benefits of SSO drive buy-in, and eventually change the relationship between administrators and users. The service-oriented relationships of the past evolve into partnerships, where it’s easy for users to be active participants in keeping your network secure.
System Administrator Benefits of SSO
In addition to front-end benefits for users, implementing SSO also resolves long-standing system administration issues and makes day-to-day management simpler. Consider that with an SSO:
Phishing (and similar scams or attacks) are less effective. With SSO, all of the credential interactions are with an authentication server, and passwords aren’t cached by any of your applications. That makes phishing attacks — which typically try to fool a user into divulging a password from a specific service — nearly irrelevant. Similarly, if an application or service is compromised, access data for that application or service is still safely maintained by the authentication server.
Help desk costs for user administration evaporate, and management of user logins requires only one system. With SSO, the authentication server is more than “just” a gatekeeper. It also is a one-stop shop for user management. In traditional environments, administrators are forced to deal with user changes one at a time — whether that’s a “reset my password” request or terminating access after an employee has moved on from the business. With SSO, administrators don’t have to waste time wading through esoteric systems and processes. Instead, they can make changes that impact the necessary systems from a single, unified interface.
SSO can be used for both cloud and on-premises apps. It doesn’t matter if you’re a business that maintains its own data or a service that runs in the cloud: SSO works for both. This is particularly important when it comes to evolving and moving your apps and services to the cloud. SSO can continue to work for users before and after the transition, so that the changes are practically invisible on the front-end.
SSO can help define user access. You can set up SSO so each user’s unique login will work across apps and services — but only on the apps and services they have access to. In other words, when you establish SSO, your users only see what they are supposed to see. This eliminates any confusion or issues that might arise from a user seeing content that wasn’t intended for them.
SSO can be used in parallel with other web security protocols. SSO solves many key problems — but not all of them. A strong security posture typically includes multiple approaches. As such, SSO is an essential web security tool — one that becomes even more secure when used in combination with other tools. For example, if you’re migrating toward a zero-trust security model, you can use SSO in concert with things like multi-factor authentication (MFA), continuous authentication, and even local access policies. Best of all, that means that users won’t have to give up the convenience of SSO when it comes time for implementing additional protocols to keep the network secure.
Getting Started with SSO
There are multiple approaches to single sign-on. The method you choose will depend on your unique network environment and application requirements. For Duo customers, SSO is built into the Duo Admin Panel, so it’s easy to implement with specific applications while still coordinating with your existing security policies and multi-factor authentication requirements.
When you’re ready to roll it out, consider these best practices:
Establish a test group of typical users. A test group will let you assess how your SSO implementation might work under real conditions, and make adjustments before rolling out system-wide changes. Your test users can give you crucial feedback — and, if you choose influential testers, their buy-in can go a long way toward building trust with other users.
Enable SSO to one application at a time. There’s no need to set up SSO for everything, all at once. Start with your least mission-critical system or application and gradually expand your deployment as you get successful results. If you do run into any technical issues, they’ll be easier to fix in a single instance (and not system-wide).
Communicate frequently with users ahead of time. Rolling out SSO to your network is likely to be a home run with your users — you’re solving a lot of problems for them and simplifying their lives! Even so, change management can be challenging. It’s important to talk to your users, in plain terms, about why you’re moving to an SSO framework and how it will benefit them. The more you get in front of the change, the more likely you are to recruit allies who can help manage any concerns.
Single sign-on hits the sweet spot of web security — system administrators love that it’s a robust tool that’s easy to implement, and users love that it reduces their security burden. If you’re ready to dig deeper, or you’re just ready to get rid of a few security acronyms, you can learn more here.