Top 5 Considerations for Single Sign-On (SSO)

Why You Need Single Sign-On (SSO)

Today’s workforce leverages many applications. The average employee has access to 35 unique apps, while some organizations manage hundreds. Organizations of all sizes must manage multiple usernames and passwords due to the widespread usage of Software as a Service (SaaS) applications. This can be frustrating for employees and taxing on Information Technology (IT) teams. 

According to a recent global survey Duo conducted of IT professionals and end users spanning thousands of respondents, 51% of end users forget or reset a password every week, 57% of respondents noted that they reuse passwords across multiple sites, and 78% of respondents create new passwords by adding a number or symbol to the end of an old password. Each of these password-related challenges can exacerbate the security risk of compromised credentials, which play a role in the majority of breaches, according to the Verizon Data Breach Investigations Report.

SSO can help users and IT teams work more efficiently. It not only reduces the burden placed on the end user to create and manage multiple passwords, but also alleviates the hassle of remembering and resetting passwords for all the apps being accessed for work. Essentially, SSO reduces password fatigue.

Users only need one set of credentials, such as their corporate email and password, to log in to the SSO portal the first time during a session and subsequently gain access to internal applications as policy permits. Security admins can create flexible security policies for any app. Plus, helpdesk teams can significantly reduce the time spent helping users reset passwords, or eliminate it altogether, for many apps. This saves IT departments time and money and allows them to focus on other high-priority business initiatives.

5 Things To Look For in an SSO Solution

There are five key factors you should consider when researching and evaluating single sign-on solutions:

Security Focused 

In addition to enabling an easy login experience for users, SSO serves as a key point for enforcing security policies. The security administrator should be able to build and enforce application access policies based on user group, location and device trust (whether the device is managed or unmanaged, certain security features enabled or disabled, etc.) from a simple, intuitive administrative dashboard. The administrator should also be able to generate reports and analytics of anomalous user behavior. Furthermore, the SSO application dashboard for end users should be protected with multi-factor authentication (MFA) to reduce risks of phishing and other identity attacks that could compromise credentials.

Fast and Easy to Deploy, Administer and Manage

SSO must be fast and easy to deploy so that organizations can rapidly and constantly reap the benefits of user productivity and cost savings. Because users no longer have to manage multiple passwords and get help resetting them, the help desk should save time or at least be contacted less frequently. As a result, SSO can also contribute to lower help desk costs. If the solution is easy to administer and manage whenever new applications are onboarded, and if there are self-service options such as Active Directory (AD) password reset, it saves time and reduces administrative burden.

Works with Various Identity Providers and Applications

The SSO service should integrate with any Identity Provider (IdP) that the organization has invested in across its user base, such as Microsoft, Okta and Ping. Organizations are very unlikely to switch their IdP just to adopt SSO. As such, SSO should work seamlessly with any existing IdP.

Many organizations also have environments with more than one independent user directory (also known as a forest). This can be for a variety of reasons, including the result of a merger or acquisition. The SSO solution should support multiple untrusted forests so that organizations can deploy SSO to all users while improving the security posture.

Because the modern workforce relies on many different web applications (e.g., Microsoft 365, Google Workspace, Workday, Box, Salesforce, etc.), homegrown and customer apps, on-premise apps and virtual desktops, the SSO should work with them either through native integration or a custom configuration by the administrator. In particular, Security Assertion Markup Language (SAML) is one of the most widely adopted protocols used to perform federated SSO from the IdP to the application service provider. It’s optimal that your SSO solution supports any application that follows the SAML version 2.0 standard and others such as OpenID Connect.

Provides the Best User Experience and Customization

SSO should be easy to use. There should be a centralized application dashboard (web-based portal) with icons and names of the applications that users can simply navigate — no time wasted trying to remember or search for individual web site links. Also, SSO should integrate with remote access solutions for simplified, secure access to sensitive internal applications.

End users (employees, contractors, and vendors) expect that any time they interact with their company’s website, internal apps and services, and web portals, each entity’s look and feel will be familiar and trustworthy. Therefore, the SSO solution should allow the administrator to customize the SSO login page and application dashboard that users see.

Builds Toward the Future 

The SSO solution must also keep pace as new cyber threats emerge and adversary tactics evolve. When migrating applications to SSO, you should expect to see continuous improvements in support and capabilities. SaaS offerings are meant to be easy to use and to seamlessly provide more value to any application already integrated, through granular access policies, adaptive authentication, or a truly passwordless experience.

Simple, Secure Single Sign-on from Duo

In 2015, Duo launched an on-premises SSO solution, Duo Access Gateway, used by thousands of organizations to enable secure access to on-premises and cloud-based applications. In 2020, we launched Duo Single Sign-On (SSO), a cloud-hosted SAML identity provider (IdP) that provides users with an easy and consistent login experience for any and every application (on-premises or cloud-based). Duo SSO is easy to set up and manage and enables users to log in to a single, MFA-protected dashboard, Duo Central, to gain access to all their apps. Furthermore, Duo SSO integrates seamlessly with Duo Network Gateway, a VPN-less solution for zero-trust access to on-premise internal applications. Duo SSO is used by thousands of large and small organizations globally. Learn more about Duo Single Sign-On.
