What Is SSO?

Single sign-on (SSO) is a way for a user to have a single set of login credentials for multiple applications. This is different from reusing the same login credentials, i.e., name and password, for multiple sites, which is incredibly dangerous.

With SSO, you are using a single login system, which then allows you to access multiple other sites, so you are introducing vulnerability by sharing the same credentials across many platforms.

Opposite to SSO, there is SLO (single log-out, which is sometimes called single sign-off), which is a single action leading to the termination of access to many different systems.

TeamPassword is an accredited secure provider utilizing state-of-the-art encryption technology for its password manager. Whatever other security measures you have in place, make TeamPassword a part of your security protocols to facilitate secure and easy collaboration across your organization.

When you save new passwords, the data is hashed, salted, and encrypted locally on your computer before being uploaded to TeamPassword via an encrypted connection. This level of encryption makes it impossible for nefarious actors to intercept your passwords.

‏‏‎ ‎

Sign up today for a free 14-day TeamPassword trial and protect your company's digital assets from cybercriminals.

‏‏‎ ‎

How single sign-on works

SSO is a type of federated identity management (FIM) arrangement. FIM refers to the establishment of trusted relationships between an organization and third parties, e.g., application vendors or partners, which allows them to share identities and authenticate users across domains. OAuth (Open Authorization) is the framework that enables the user's account information to be used by third-party services, such as Facebook, without exposing the user's password.

The basic web SSO service works as follows: 

  1. The agent module on the application server retrieves the authentication credentials for a user from a dedicated SSO policy server.
  2. Then, the agent module authenticates the user against the user repository, e.g., a lightweight directory access protocol directory. 
  3. The service then authenticates the user for all applications for which the user has been given rights, thus eliminating the need for further password prompts during the session. This is done using SSO tokens.

‏‏‎ ‎

Types of SSO configurations

Many terms are used when discussing SSO, including Federated Identity Management (FIM), OAuth (nowadays OAuth 2.1), OpenID Connect (OIDC), Security Access Markup Language (SAML), and Same Sign-On (SSO).

SSO systems can be configured using different protocols. Two of them are Kerberos and SAML. They work as follows:

  • SAML: SAML is an extensible markup language (XML) standard that facilitates the exchange of user authentication and authorization data across secure domains. SAML-based SSO services require communications among the user, the identity provider that maintains the user directory, and the service provider.
  • Kereberos: In a Kerberos-based setup, a ticket-granting ticket (TGT) is issued when the user credentials are provided. The TGT then retrieves service tickets for any other applications the user tries to access so that the user does not need to personally provide further credentials.

Differently, a smartcard-based SSO requires the user to use a physical card holding the sign-in credentials for the first login. After using the information provided by the smartcard, the user will not have to enter any other usernames or passwords. Different SSO smartcards store either certificates or passwords.

‏‏‎ ‎

What are the most popular SSO solutions?

The following are some of the most popular SSO solutions available today:

  • Duo Single Sign-On (SSO)
  • Ping Identity
  • Ping Identity
  • CyberArk Workforce Identity
  • Lastpass Enterprise
  • LastPass Logo
  • Microsoft Azure Active Directory
  • Okta Single Sign-On
  • OneLogin Secure Single Sign-On
  • RSA SecureID Access
  • SecureAuth Identity Platform
  • Symantec VIP Access Manager SSO

In our quest to become more secure, passwords become less and less easy to remember. Let TeamPassword take care of securely remembering your passwords while you focus on growing a successful business! Using a third-party SSO service, such as your Gmail SSO, you can securely use TeamPassword.

‏‏‎ ‎

Sign up for a 14-day free trial to test TeamPassword with your team members today.

‏‏‎ ‎

What makes a true SSO system?

A true SSO system means you do not need to reenter credentials moving from site to site. Once you log in to the system, it submits all the credentials behind the scenes using SSO tokens for you as you move from one site to another. 

This is the key point of SSO as in single sign-on. It requires the trust relationship among the sites to be performed as a true SSO solution. 

So what is SSO (as in same sign-on), besides the frustrating reuse of the same abbreviation? Same sign-on is very similar to SSO, with the big difference being that you need to keep logging in as you move from site to site even though you use the same credentials. 

If you use your browser to save your passwords (and you shouldn’t if you currently are), then it likely types in the username and password fields for you as you enter a site, and then you need to click login all the same. Thus, you still need to log in to each website individually, even if it is accomplished with the same credentials as your browser.

If you are using the much more secure password manager system, then things are similar. As you navigate from page to page, you are prompted to log in with the same credentials—those of your password manager—which then fills in the specific username and password for the website you are trying to access. 

With SSO, meaning single sign-on as used throughout, you can log in to all applications for which you are approved once and with only one set of credentials, including cloud applications, on-premises applications, and web applications.

‏‏‎ ‎

What are some types of SSO?

Social SSO

Facebook, Google, LinkedIn, and Twitter all offer popular SSO services. While these services are convenient and simple to begin using, they can present security risks as they create a single point of failure that can be exploited by attackers.

More recently, Apple unveiled its own SSO service as part of its repositioning as a more privacy-conscious company. Sign-in with Apple offers enhanced security as it requires users to use two-factor authentication (2FA) on all Apple ID accounts to support integration with Face ID and Touch ID on iOS devices.

Enterprise SSO

Enterprise single sign-on (eSSO) software products and services are based on a client-server structure and are used to log in the user to target applications by replaying user credentials. One benefit is that target applications do not need to be modified to work with the eSSO system.

‏‏‎ ‎

Advantages of SSO

The advantages of SSO include the following:

  • It allows users to remember and manage fewer passwords and usernames.
  • The process of signing on and using applications is streamlined by no longer needing to reenter passwords.
  • It reduces the chance of a successful phishing attack.
  • The risks from third-party sites are mitigated by the federated system.
  • IT costs are reduced due to the decrease in the number of IT help desk calls about passwords.

‏‏‎ ‎

Disadvantages of SSO

Some disadvantages of SSO are the following:

  • Different sites may require different levels of security, but SSO offers a uniform level of security.
  • If the SSO system becomes unavailable, then users are locked out of all their services.
  • If unauthorized users gain access, then they could gain access to more than one application.
  • Since the risk of stolen or abused SSO credentials is higher, it necessitates a much higher level of security during the initial credentialing process.

‏‏‎ ‎

What is an SSO token?

The SSO token is a collection of data passed between systems during the SSO process. It contains the information required to log in to the system and proof of its veracity. The information could include an email address and must be digitally signed to be accepted.

‏‏‎ ‎

Is SSO secure?

As always, the answer to this question is “sometimes.” 

While SSO can improve security in many ways, like all security systems, it is not infallible. With a single username and password, the user is more likely to pick a long and secure password, as well as change it regularly. This reduced “password fatigue” also prevents users from recycling credentials. 

‏‏‎ ‎

Security risks and SSO

While SSO is convenient to use and does provide the opportunity for users to swap multiple passwords for one complex password, they may choose to have one simple password anyways. They may also reuse it for personal accounts, introducing risk to your enterprise. 

Since the risks of a compromised account are so much higher when that single account can grant access to all the applications used by an organization, organizations must be extra vigilant in how they grant, use, and manage their SSO system. 2FA or even multifactor authentication (MFA) is one way they can improve their overall security system.

Don't let your company fall victim to extortion emails, credential stuffing, and other password vulnerabilities. Let TeamPassword take care of security while you focus on growing a successful business!

‏‏‎ ‎‏‏‎ ‎

Sign up for a 14-day free trial to test TeamPassword with your team members today.