“One ring to rule them all…” J.R.R. Tolkien had it right! Simple is better. Why would I want a handful of rings when I could accomplish everything with just one? Likewise, why would I want to have countless usernames and passwords when one would suffice? That’s the idea behind Single Sign-on or SSO.
In the online world, SSO is the magic behind features like social logins, which let users log in to multiple portals and service providers, make online purchases, stream media content, and read articles, all with just one username and password. In the workplace, the combination of Identity Management and SSO helps companies manage the authorization and verification protocols that determine which employees have access to which software products.
In both instances, and all applications of SSO, there's one main advantage: it eliminates the need to log into each new service repeatedly. Here's how it works!
SSO Standards and Configurations
There are three commonly used technology standards for Single Sign-on implementation: SAML, OAuth 2.0, and OpenID Connect. Whereas SAML is primarily used for enterprise SSO (to authenticate a user and authorize access permissions within a closed company system), OAuth 2.0 (for authorization) and OpenID Connect (for authentication) are generally used in conjunction with Internet and web-based applications.
In simple terms, when you log in to your company’s Intranet, SAML SSO is responsible for authenticating you (verifying that you are who you say you are, generally with a password, but perhaps also with a hardware token) and then authorizing you to use the specific software and systems that you have been permitted to access. However, if you want to play a game of Candy Crush without creating a separate user account, you can choose to use your Facebook account to verify your identity. SSO facilitates this so-called social login using an OpenID Connect and OAuth 2.0 framework. In this case, OpenID Connect verifies your identity for Candy Crush, and OAuth 2.0 authorizes Candy Crush to access specific data about you that Facebook stores.
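The split described above, in code: an added example (not from the original article) of what the relying party, the game in the text, must do with what the identity provider hands back. Verifying the OpenID Connect ID token is the authentication step; checking the OAuth 2.0 scopes before touching user data is the authorization step. The issuer URL, client id and HS256 shared secret are constructed stand-ins (real providers publish RS256/ES256 keys instead).

```python
# Added example, not from the article: the relying party (the game in the
# text) verifies the OpenID Connect ID token (authentication), then checks the
# OAuth 2.0 scopes it was granted (authorization). Issuer, client id and HS256
# secret are constructed stand-ins; real IdPs publish RS256/ES256 keys (JWKS).
import base64, hashlib, hmac, json, time

ISSUER = "https://idp.example"         # assumed identity provider
CLIENT_ID = "candycrush-client"        # assumed relying-party client id
SECRET = b"constructed-shared-secret"  # assumed HS256 key, demo only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict, key: bytes = SECRET) -> str:
    """Stand-in for the IdP: sign the claims as an HS256 JWT."""
    head = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, nonce: str, now=None) -> dict:
    """Authentication: raise ValueError unless the IdP vouched for this user,
    to this client, unexpired and bound to the login attempt's nonce."""
    now = time.time() if now is None else now
    head, body, sig = token.split(".")  # malformed token -> ValueError
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims

def may_access(granted_scopes: set, needed: str) -> bool:
    """Authorization: OAuth 2.0 scope check before calling the data API."""
    return needed in granted_scopes
```

A valid ID token only proves who logged in; whether the game may read, say, the user's friend list still depends on the scopes the user actually granted.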
Types of SSO configuration
There are three common SSO configurations: local, portal, and circle of trust. Which configuration is employed depends entirely on where and how SSO is being used.
- As its name would suggest, a local configuration indicates SSO in a local setting, like a personal computer. Storing passwords on your computer so you don't have to retype them each time you use a program or an online platform is a local configuration.
- A portal configuration is the opposite. Your verification method is not locally stored (e.g. on your computer) but is provided by an SSO server. Social logins are an example of a portal configuration. In the example outlined above, Facebook would be the SSO server, which manages authorization and authentication controls for Candy Crush.
- The circle of trust configuration is ideal for a scenario where one company/service provider offers multiple products. Using the circle of trust configuration, a user can be verified and authorized to access all connected (in the circle of trust) products with one set of user credentials (i.e. a username and password or a token). This SSO configuration should be familiar to anyone working with Microsoft or SAP software products: one login grants access to various software products. However, this same configuration is also used for many social logins. For example, logging in to Google gives you access to YouTube, Gmail, and the Google Office Suite.
The Pros and Cons of SSO
We already know that weak and reused passwords can compromise username and password security. This is a major part of the allure of SSO. If users only have to remember one username and one password, they are less likely to resort to easily crackable and hackable passwords. Furthermore, companies that integrate SSO often see a drop in the costs and downtime that result from resetting lost and forgotten passwords. Companies and service providers are also far less susceptible to the risks (financial, security, and reputational) associated with lost and stolen passwords and, ultimately, lost and stolen data.
However, SSO is not foolproof. If a password is cracked, the risk to personal data and company information becomes greater, because the very feature of SSO that is so appealing, easy and fast access to multiple services, suddenly becomes its weakness. That is why taking added precautions during the initial authorization and authentication process is essential. This can best be accomplished with two-factor authentication. By requiring users to verify their identity through additional security processes (like a single-use PIN or biometric features), the risk of unauthorized access is kept minimal, ensuring that quick and easy access remains a customer advantage rather than a security threat.
Simple and universal access is an attractive product feature. And having the right safeguards in place will keep that universal access in the right hands.