What Is SSO and How Does it Work?
The chances are, you have logged into something through single sign-on this week, but are still wondering ‘what is SSO and how does it work?’
Or better still, ‘why should my business use SSO?’
Well keep reading, this blog has the answers.
When it comes to your business, having a strong security system in place is essential, and this all starts with how users log onto the network.
Cyber hackers are always lurking, waiting to find a weakness or gap in your existing system. Usually they are looking for personal data such as names, addresses, emails, and passwords – any details about a user’s identity that can be used for phishing scams and ransomware attacks.fver
This makes securing passwords and other log in details an absolute priority.
Whilst no business is 100% safe from a security breach, there are ways you can make your passwords and sign-on method more secure.
Introducing: SSO, or single sign-on as it is also known.
In this blog post, we’ll be discussing how SSO works and why it is important for your business.
What Is SSO?
SSO stands for ‘single sign-on’ and is an authentication method that allows users to enter their login credentials (username, password, etc.) one time on a single page to access all of their SaaS applications.
There are many advantages to using SSO (which we’ll explore in more detail below), but one of the most important advantages is ease.
For instance, let’s compare this situation to going into a bar and trying to buy an alcoholic drink.
You’ve already shown the bartender your proof of age once, but every time you go back to the bar, they keep asking to see if it is again.
Can you imagine how frustrating that would be?
The same concept applies to computer users who are trying to access different applications.
Therefore, the idea behind an SSO system is to establish a user’s identity once and from that point onwards, they can access several different services.
What Are the Components of SSO?
Before we dive into how SSO works, we thought it might be helpful to outline some of the key components within this process.
Hopefully this will help you better understand how it works and will provide some added context.
User Identity information is stored and managed by a system called Identity Provider (or IdP).
This system verifies the user and provides access to the service provider. The identity provider can directly authenticate the user by validating a username and password or by validating an assertion about the user’s identity as presented by a separate identity provider.
The identity provider manages user identities to free the service provider from this responsibility.
A service provider provides services to the user.
They rely on identity providers (above) to state the identity of a user, and often certain attributes about the user are managed by the identity provider.
An identity broker is the middleman who connects multiple service providers with different identity providers.
Using Identity Broker, you can perform single sign-on over any applications without worrying about the protocol it follows.
There is no need for you to understand or implement complex SSO protocols such as SAML, OpenID, OAuth, or CAS.
Instead, you can simply call the HTTP endpoints and access identities. The key reason why we should use an Identity Broker is that it supports Cross Protocol i.e. configuring Service Provider following a particular protocol with an Identity Provider following some different protocol.
How Does An SSO Login Work?
When a user signs in to an SSO service, the service creates an authentication token that remembers that the user is verified.
An authentication token is a piece of digital information stored in the user’s browser or within the SSO service’s servers. It works like a temporary ID card that is issued to the user.
Any app the user accesses will check with the SSO service. The SSO service passes the user’s authentication token to the app and the user is allowed in. However, if the user has not yet signed in and been verified, they will be prompted to do so through the SSO service.
It’s important to remember that an SSO service does not necessarily remember who a user is, since it does not store user identities. Instead, most SSO services work by checking user credentials against a separate identity management service before granting access.
Think of an SSO as a go-between that can confirm whether a user’s login credentials match with their identity in the database, without managing the database themselves.
Let’s look at another example to put this into context…
Think of an SSO as a librarian.
A librarian will search for a book on the behalf of someone else based on the title of the book.
Whilst they do not have the whole library catalog memorised, they can access it when they wish.
And the same applies to an SSO when it comes to verifying a user’s identity.
To break this down step-by-step, the login flow usually looks like this:
- A user browses to the application/ website that they want access to.
- The Service Provider sends a token that contains some information about the user, such as their email address, to the SSO system (the Identity Provider) as part of a request to authenticate the user.
- The Identity Provider checks to see whether the user has already been authenticated, and if so, they will grant the user access to the Service Provider application and move to step 5.
- If the user hasn’t logged in and hasn’t already been authenticated, they will be prompted to do so by providing their log in details required by the Identity Provider. This could be their username and password or it might include some other form of authentication like a One-Time Password (OTP) which is sent to their mobile.
- Once the Identity Provider validates the login credentials provided, it will send a token back to the Service Provider confirming that the authentication has been successful.
- This token is passed through the user’s browser to the Service Provider.
- The token that is received by the Service Provider is confirmed according to the trust relationship that was initially set up between the Service Provider and the Identity Provider during the configuration.
- The user is granted access to the Service Provider.
How Does An SSO Token Work?
The ability to pass an authentication token to external apps and services is a key part of the SSO process as this is what enables identity verification to take place.
If you think of an exclusive, VIP event where only a few people are allowed in, one way to prove to the guards that each guest has been checked and is allowed to enter, is to stamp each guest’s hand.
This is an easy way for all event staff to simply check that each person is allowed to be there without the time consuming process of checking who each individual is.
However, it’s not just any random stamp that is used on each guest’s hand. Event staff will know the exact colour, shape, and size of the stamp used by the guards at the entrance.
Just as each stamp has to look the same in this scenario, authentication tokens have their own communication standards to ensure that they are correct.
The key authentication token standard is called SAML which stands for Security Assertion Markup Language. Similar to how webpages are written in HTML (Hypertext Markup Language), authentication tokens are written in SAML.
What Are the Benefits of SSO?
As well as being more convenient for users, SSO is widely considered to be more secure.
This might initially seem confusing, due to the fact users are only signing in once with a single password, insead of using multiple passwords.
However, there are certain proponents of SSO which make it very secure:
- Stronger passwords – As users only have to use one password (instead of several) SSO makes it easier for them to create better, stronger passwords. Now you might be wondering, “What makes a password “strong”? Usually, a strong password is something that cannot be easily guessed as it contains random numbers and digits. For example, ‘TK2:g”18h$!@ is a fairly strong password. On the flip side, ‘password123’ or using your company name, is not.
- No repeated passwords – We can all admit to this one! When users have to remember several different passwords for several different devices, something known as “password fatigue” is likely to set in. This leads to users re-using the password across multiple services which posts a huge security risk. Essentially, if one service’s password database is compromised, cyber attackers can use the password to hack all of the user’s other services too.
- Better password policy enforcement – As there is only one place for password entry, SSO provides an easier way for IT teams to enforce password security rules. For instance, some companies require users to reset their passwords on a regular basis to maintain a high level of security. With SSO, password resets are easier to implement as users only have one password to reset instead of multiple passwords across a number of different services.
- Multi-factor authentication – Multi-factor authentication (also known as MFA) refers to the use of more than one identity factor to authenticate a user. For example, instead of just entering a username and password to gain access to a service, a user might be asked to enter a code that appears on their mobile device. The use of this second “factor” authentication helps confirm that the user is who they say they are. SSO makes it possible to activate MFA at a single point instead of having to activate it for several services.
- Single point for enforcing password re-entry – Administrators can force the user to re-enter their login credentials after a certain amount of time to confirm that the same user is still active on the signed-in device. With SSO, they have a central place from which to do this for all apps, instead of having to enforce it across multiple different apps which is more difficult.
- Internal credential management instead of external storage – User passwords are often stored in an unmanaged fashion by applications/ services that are not always very secure. However with SSO, passwords are stored internally in an environment that an IT team can control.
- Less time wasted on password recovery – The final benefit is that SSO reduces any wasted time for internal team members. It means that IT can spend less time on helping users recover and reset multiple passwords, and similarly users spend less time signing into various apps. This is better for productivity all-round.
Is SSO Secure?
As we mentioned earlier in the blog, SSO is widely believed to be very secure.
However, like any sign-on system, there are some drawbacks which businesses need to be aware of before implementing this across their internal infrastructure.
So, the answer to the above question really is, “It depends.”
Firstly, there are many reasons why SSO can improve security, some of which we have already covered. For example, a single sign-on solution makes it more convenient for users as they only have one set of login credentials to remember.
As a result, username and password management is simpler which reduces the likelihood of users forgetting (and therefore having to reset) their passwords.
With SSO, users no longer have to keep track of different sets of credentials and can access applications much faster.
However, Single Sign-On does have some negatives as there might be some applications that you want to have a bit more ‘locked down’.
As such, it would be wise to combine SSO with multi-factor authentication (MFA) which requires users to provide two or more verification factors.
This method would prevent users from accessing certain applications unless they are connected to a secure network, which is another way to protect your security network.
Conclusion: What Is SSO and How Does it Work?
Hopefully after reading this blog, you understand how SSO works and the benefits it can bring to both users and your business.
Whilst no organisation can be 100% safe from a cyber attack, it’s important to put measures in place that make your security system more difficult to penetrate.
SSO is one solution that can help improve your level of security. Because you don’t host a whole load of login details, cyber criminals have less incentive to attack your network.
You’re also reducing the likelihood of having lots of users with weak passwords which will be weakening your site’s overall security.
Due to these reasons, many businesses have implemented SSO in their own organisation. However, as mentioned above, SSO is more effective when used in combination with multi-factor authentication.
At TLR, we are committed to helping businesses remain cyber offensive. Our team of experts work directly with you to implement a robust cyber security solution that can future-proof your business. We don’t use fancy jargon or technical terms, but explain clearly and transparently how you can better protect your business.
To find out more, simply get in touch with our experts!