Single Sign-on (SSO)
What Is Single Sign-on?
Single sign-on (SSO) is an identification method that enables users to log in to multiple applications and websites with one set of credentials. SSO streamlines the authentication process for users. It takes place when a user logs in to an application and is automatically signed in to other connected applications, regardless of the domain, platform, or technology they are using. This eases the management of multiple usernames and passwords across various accounts and services.
A good example is when a user logs in to Google and their credentials are automatically authenticated across linked services, such as Gmail and YouTube, without having to separately sign in to each individually.
How Does SSO Work?
SSO stands for single sign-on. It is a federated identity management (FIM) tool, also referred to as identity federation. It performs identity verification, a crucial part of identity and access management (IAM), the framework that allows organizations to securely confirm the identity of their users and devices when they enter a network. This is critical to assigning user access permissions and ensuring users have only the level of access they need to carry out their role effectively.
SSO works by sharing and verifying login credentials between service and identity providers. A service provider (SP) is typically a vendor who provides products, solutions, and services to users and organizations, such as an application or website. An identity provider (IdP) is a system that creates, manages, and maintains user identities and provides authentication services to verify users. These trusted providers enable users to use SSO to access applications and websites and improve user experience by reducing password fatigue.
SSO services do not store user information or identities. Instead, they typically work by checking and matching a user’s login credentials with information stored in an identity management service or database.
Single sign-on solutions use the following steps to ensure a user's credentials are redirected from an SP to an IdP:
- The user accesses an SP, such as a website or application.
- The SP sends an authentication token to the IdP, such as the SSO system.
- The IdP sends an SSO response back to the SP.
- The user will be prompted to log in.
- When the user’s credentials are validated, they will be able to access other websites and applications from the SP without having to log in separately.
What Is an Authentication Token?
When a user signs in to an SP using an SSO service, an authentication token is created that records that the user's identity has been verified. An authentication token is digital information stored within the user’s browser or on the SSO service’s servers.
Every application the user accesses will then check with the SSO service, which passes the token to the application to approve the request. Authentication tokens are passed back and forth between SPs and IdPs to share, confirm, and verify user identification information, such as their username, email address, and password. This is crucial to SSO protocols, which enable identity verification to occur away from other cloud services.
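The redirect flow in the steps above and the token exchange just described, as an added example that is not part of the original page: a small Python simulation of one SP and one IdP. The IdP alone checks the password (against a salted hash in its own store) and issues a short-lived signed token; the SP accepts the token only after checking the signature, the issuer, the audience, the binding to its own request and the validity window, and it never sees the password. The host names, the shared HMAC key and the user record are constructed for the demo; a production IdP signs with a private key and the SP verifies with the matching public key.

```python
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# ---- Identity provider (IdP): the only party that ever handles the password ----
IDP_ISSUER = "https://idp.example.test"       # assumed IdP name
IDP_SIGNING_KEY = b"demo-idp-signing-key"     # constructed; a real IdP signs with a private key

# Constructed user store: the IdP keeps a salted PBKDF2 hash, never the password itself.
_SALT = b"demo-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000)}


def _b64(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_authenticate_and_issue(username, password, request, now):
    """IdP side: check the credentials against the IdP's own store and, on success,
    return a signed SSO response bound to the SP's request. Returns None on failure."""
    stored = _USERS.get(username)
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, supplied):
        return None
    claims = {
        "iss": IDP_ISSUER,
        "sub": username,                  # who was authenticated; no password travels in the token
        "aud": request["sp"],             # the one SP allowed to accept this token
        "in_response_to": request["id"],  # binds the token to the SP's own request
        "iat": now,
        "exp": now + 300,                 # short lifetime limits the replay window
    }
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


# ---- Service provider (SP): trusts the IdP's signature, never sees the password ----
def sp_create_request(sp_id):
    """SP side: generate an authentication request; its random id is later matched
    against in_response_to so a token cannot be replayed into an unrelated login."""
    return {"id": secrets.token_hex(16), "sp": sp_id, "idp": IDP_ISSUER}


def sp_verify_response(token, request, now):
    """SP side: return ("ok", subject) only if signature, issuer, audience, request
    binding and lifetime all check out; otherwise (reason, None)."""
    parts = token.split(".")
    if len(parts) != 2:
        return "malformed token", None
    payload, sig = parts
    expected = hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return "bad signature", None          # tampered or forged
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != request["idp"]:
        return "unexpected issuer", None
    if claims.get("aud") != request["sp"]:
        return "token issued for a different SP", None
    if claims.get("in_response_to") != request["id"]:
        return "token does not match our request", None
    if not claims["iat"] <= now < claims["exp"]:
        return "token expired or not yet valid", None
    return "ok", claims["sub"]


def sso_login(sp_id, username, password, now=None):
    """Run the whole round trip for one SP and return (status, subject)."""
    now = int(time.time()) if now is None else now
    request = sp_create_request(sp_id)
    token = idp_authenticate_and_issue(username, password, request, now)
    if token is None:
        return "invalid credentials", None
    return sp_verify_response(token, request, now)


if __name__ == "__main__":
    print(sso_login("https://mail.example.test", "alice", "correct horse battery staple"))
```

The checks in `sp_verify_response` are the ones that matter when reviewing an SSO integration: a token with a valid signature is still rejected if it was issued for another SP, answers a request this SP never made, or has expired.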
How Are SAML and OAuth Used with SSO?
Authentication tokens use communication standards to ensure they are valid. The main standard is Security Assertion Markup Language (SAML), which is the language used to write authentication tokens. The SAML standard uses Extensible Markup Language (XML) to enable user authentication and authorization to be exchanged over secure domains. When used in SSO, SAML communicates between the user, an SP, and the IdP.
The process of securely providing users access to multiple services with just one login requires the user’s information to be authorized. This happens through open authorization (OAuth), which is a framework that enables a user’s account information to be used by various third-party services. When a user requests access to an application, the SP sends a request to the IdP, which then verifies and authenticates the request to grant the user access. A good example of this is choosing to use a Facebook account to sign in to a website instead of entering a username and password.
OAuth and SAML are separate protocols that can both be used in conjunction with SSO. OAuth is used to authorize users while SAML authenticates users.
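The SAML side of the exchange described above, as an added example that is not part of the original page: a Python function that applies the content checks an SP must make on a SAML 2.0 assertion (issuer, NotBefore/NotOnOrAfter conditions with a small clock-skew allowance, AudienceRestriction, and the subject NameID). The element and attribute names are the standard SAML 2.0 ones; the assertion text, the issuer and SP URLs, and the clock values are constructed for the demo. The XML signature is deliberately not verified here; in practice that must be done first with a proper XML-DSig library, and the XML should be parsed with a hardened parser rather than the standard-library one used for brevity.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"

# Constructed minimal assertion for illustration; it carries no ds:Signature element.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo-assertion-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML uses xs:dateTime in UTC with a trailing Z; fromisoformat only accepts
    that suffix from Python 3.11 on, so normalise it first."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, now_iso, skew_seconds=60):
    """Apply the checks an SP must make on an assertion's contents.
    Returns (ok, reason, name_id). Assumes the XML signature has already been
    verified by an XML-DSig library; that step is not performed here."""
    now = parse_saml_time(now_iso)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    if root.tag != ASSERTION_TAG:
        return False, "not a SAML 2.0 Assertion", None
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_issuer:
        return False, "unexpected issuer", None
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "assertion has no Conditions element", None
    # Validity window, tolerating a small clock difference between IdP and SP.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid", None
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired", None
    # The assertion must name this SP as an intended audience.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return False, "assertion not intended for this SP", None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        return False, "no Subject/NameID", None
    return True, "ok", name_id


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "https://idp.example.test",
                          "https://sp.example.test", "2024-01-01T12:03:00Z"))
```

The audience check is the one most often skipped in home-grown SP code: without it, an assertion the IdP issued for one application can be presented to any other application that trusts the same IdP.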
Benefits of SSO
There are many benefits for organizations that use SSO to verify user identities. The process is simple and convenient for users, and also highly secure.
SSO ensures that users only have to enter one password to access multiple applications or services. This helps avoid password fatigue, whereby people struggle to remember different passwords for different accounts and end up recycling credentials across multiple services. This presents a major security risk because attackers who obtain a reused password can use it to break into additional accounts.
Signing in only once means users spend less time signing in to applications. This, in turn, lowers the risk of them using weak passwords or forgetting their login credentials and improves productivity levels.
Fewer Help Desk Tickets
Because users only have to log in once to access multiple services, they are less likely to forget their password and ask the IT help desk to reset their credentials. This means IT professionals spend less time handling help desk tickets for password resets. Instead, they have more time to focus on meaningful tasks that add value to the organization.
SSO encourages users to use stronger passwords on their accounts. It also helps them avoid repeating the same password on multiple accounts. Only requiring one login password for several services makes it easier for users to remember their password. This also reduces organizations’ risk of cyberattacks because websites have to store less user credential information.
However, passwords should, at the minimum, be supported by two-factor authentication (2FA), which provides extra certainty that the user is who they say they are. When a user logs in using their username and password, 2FA requires them to provide an additional verification factor, such as their fingerprint or a code from an authenticator application on their phone. Requiring additional authentication factors before granting a user access to an application, service, or website enhances security levels compared to relying on usernames and passwords alone.
Fewer Shadow IT Risks
Shadow IT occurs when users circumvent their organization’s security policies to use applications, devices, services, or software that have not been sanctioned for official use. SSO helps organizations avoid this by monitoring which applications employees are using, which reduces the chances of identity theft or data loss and enforces compliance rules.
How Single Sign-on Solutions Improve Network Security
Centralized authentication services like SSO are crucial elements to establishing a zero-trust approach. Zero-trust security ensures that only the right people have the right level of access to the right resources, while simplifying the access process for users. SSO delivers exactly that, ensuring users sign in once and gain access to multiple services, all while increasing security by removing password reliance and building in additional security factors like multi-factor authentication (MFA).
The Fortinet FortiAuthenticator is an access management solution that helps organizations prevent data breaches through effective security policies. It allows organizations to incorporate SSO across their internal and cloud-based environments and networks. It also enables seamless, secure 2FA across organizations in tandem with FortiToken, an event- and time-based one-time password (OTP) generator application for mobile devices.
FortiAuthenticator prevents unauthorized access to corporate networks and resources by providing a centralized authentication process to the Fortinet Security Fabric. This can be through SSO as well as other options like certificate management and guest access management. Using FortiAuthenticator, organizations can identify network users and implement identity-driven policies on Fortinet-enabled enterprise networks.