“One ring to rule them all…” J.R.R. Tolkien had it right! Simple is better. Why would I want a handful of rings when I could accomplish everything with just one? Likewise, why would I want to have countless usernames and passwords when one would suffice? That’s the idea behind Single Sign-on or SSO.
In the online world, SSO is the magic behind features like social logins, which let users log in to multiple portals and service providers, make online purchases, stream media content, and read articles all with just one username and password. In the workplace, the combination of Identity Management and SSO is helping companies manage the authorization and verification protocols, which determine what employees have access to what software products.
In both instances, and in all applications of SSO, there’s one main advantage: it eliminates the need to log into each new service again and again. Here’s how it works!
SSO Standards and Configurations
There are three commonly used technology standards for Single Sign-on implementation. SAML, OAuth 2.0, and OpenID Connect. Whereas SAML is primarily used for enterprise SSO (to authenticate a user and authorize access permissions within a closed company system), OAuth 2.0 (for authorization) and OpenID Connect (for authentication) are generally used in conjunction with Internet and web-based applications.
In simple terms, when you log in to your company’s Intranet, SAML SSO is responsible for authenticating you (verifying that you are who you say you are, generally with a password, but perhaps also with a hardware token), and then authorizing you to use the specific software and systems that you have been given permission to access. However, if you want to play a game of Candy Crush without creating a separate user account, you can choose to use your Facebook account to verify your identity. This so-called social login is facilitated by SSO based on an OpenID Connect and OAuth 2.0 framework. In this case, the OpenID Connect verifies your identity for Candy Crush and OAuth 2.0 authorizes Candy Crush to access specific data about you which is stored by Facebook.
Types of SSO configuration
There are three common SSO configurations: local, portal, and circle of trust. Which configuration is employed depends entirely on where and how SSO is being used.
- As its name would suggest, a local configuration indicates SSO in a local setting: like a personal computer. When you store passwords on your computer so you don’t have to repeatedly type them in each time you use software or an online platform, this is a local configuration.
- A portal configuration is an opposite. Your method of verification is not locally stored (e.g. on your computer) but is provided by an SSO server. Social logins are an example of a portal configuration. In the example outlined above, Facebook would be the SSO server, which manages authorization and authentication controls for Candy Crush.
- The circle of trust configuration is ideal for a scenario in which one company/service provider offers multiple products. Using the circle of trust configuration, a user can be verified and authorized to access all connected (in the circle of trust) products with one set of user credentials (i.e. a username and password or a token). This SSO configuration should be familiar to anyone working with Microsoft or SAP software products. One login grants access to various different software products. However, this same configuration is also used for many social logins. For example, logging in to Google gives you access to YouTube, Gmail, and the Google Office Suite.
The Pros and Cons of SSO
We already know that username and password security can be compromised by weak and reused passwords. This is part of the major allure of SSO. If users only have to remember one username and one password, they are less likely to resort to easily crackable and hackable passwords. Furthermore, companies that integrate SSO often see a drop in the costs and downtime resulting from the need to reset lost and forgotten passwords. Companies and service providers are also far less susceptible to the risks (financial, security, and reputational) associated with lost and stolen passwords, and ultimately lost and stolen data.
However, SSO is not foolproof. If a password is indeed cracked, the risk to personal data and company information becomes far greater. Because the very feature of SSO that is so appealing, easy and fast accessibility to multiple services, suddenly becomes its weakness. That is why it is essential to take added precautions during the initial authorization and authentication process. This can best be accomplished with two-factor authentication. By requiring users to verify their identity through additional security processes (like a single-use pin or biometric features), the risk of unauthorized access is minimal to none. Thus ensuring that quick and easy access remains a customer advantage rather than a security threat.
Simple and universal access is an attractive product feature. And having the right safeguards in place will keep that universal access in the right hands.