What Is Single Sign-On (SSO)?
Single sign-on (SSO) is a user authentication tool that enables users to securely access multiple applications and services using just one set of credentials. Whether your workday relies on Slack, Asana, Google Workspace, or Zoom, SSO provides you with a pop-up widget or login page with just one password that gives you access to every integrated app. Instead of twelve passwords in a day, SSO securely ensures you only need one.
Single sign-on puts an end to the days of remembering and entering multiple passwords, and it eliminates the frustration of having to reset forgotten passwords. Users can also access a range of platforms and apps without having to log in each time.
How does SSO work?
SSO is built on the concept of federated identity, which is the sharing of identity attributes across trusted but autonomous systems. When a user is trusted by one system, they are automatically granted access to all others that have established a trusted relationship with it. This provides the basis for modern SSO solutions, which are enabled through protocols like OpenID Connect and SAML 2.0.
When a user signs in to a service with their SSO login, an authentication token is created and stored either in their browser or in the SSO solution’s servers. Any app or website the user subsequently accesses will check with the SSO service, which then sends the user’s token to confirm their identity and provide them with access.
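The check an application runs on a token from the SSO service, as an added example that is not part of the original page: the app accepts the token only if its signature, issuer, audience and expiry all hold. It uses a minimal HMAC-signed token as a stand-in for the signed OIDC ID tokens or SAML assertions of real deployments; the issuer URL, app names and shared key are constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed values: the one identity provider (IdP) this app trusts,
# and the signing key shared between that IdP and the app.
TRUSTED_ISSUER = "https://sso.example.com"
SHARED_KEY = b"constructed-demo-key-not-for-production"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, audience, now, ttl=300, key=SHARED_KEY, issuer=TRUSTED_ISSUER):
    """IdP side: sign the identity claims once the user has authenticated."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "sub": user, "aud": audience, "exp": now + ttl}
    payload = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64e(sig)}"

def verify_token(token, expected_audience, now, key=SHARED_KEY):
    """Application side: return the user id, or raise ValueError."""
    try:
        header, payload, sig = token.split(".")
        supplied = b64d(sig)
    except ValueError:
        raise ValueError("malformed token") from None
    # The algorithm is fixed by the verifier, never read from the token header.
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, supplied):
        raise ValueError("bad signature")
    # Claims are parsed only after the signature has been checked.
    claims = json.loads(b64d(payload))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token issued for a different application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims["sub"]
```

The audience check is what stops a token issued for one integrated app from being accepted by another, even though both trust the same SSO service.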
Types of SSO
There are a variety of protocols and standards to be aware of when identifying and working with SSO. These include:
- Security Assertion Markup Language (SAML): SAML is an open standard that encodes text into machine language and enables the exchange of identification information. It has become one of the core standards for SSO and is used to help application providers ensure their authentication requests are appropriate. SAML 2.0 is specifically optimized for use in web applications, which enables information to be transmitted through a web browser.
- Open Authorization (OAuth): OAuth is an open-standard authorization protocol that transfers identification information between apps and encrypts it into machine code. This enables users to grant an application access to their data in another application without them having to manually validate their identity—which is particularly helpful for native apps.
- OpenID Connect (OIDC): OIDC sits on top of OAuth 2.0 to add information about the user and enable the SSO process. It allows one login session to be used across multiple applications. For example, it enables a user to log in to a service using their Facebook or Google account rather than entering user credentials.
- Kerberos: Kerberos is a protocol that enables mutual authentication, whereby both the user and server verify the other’s identity on insecure network connections. It uses a ticket-granting service that issues tokens to authenticate users and software applications like email clients or wiki servers.
- Smart card authentication: Beyond traditional SSO, there is also hardware that can facilitate the same process, such as physical smart card devices that users plug into their computer. Software on the computer interacts with cryptographic keys on the smart card to authenticate the user. While the smart cards are highly secure and require a PIN to be operated, they have to be physically carried by the user—running the risk of being lost—and they can be expensive to operate.
The history of SSO
SSO technology has its roots in the on-premises identity tools that helped organizations securely connect their computers, networks, and servers together in the mid-to-late 1990s. At this time, organizations began to manage their user identities through dedicated systems like Microsoft’s Active Directory (AD) and Lightweight Directory Access Protocol (LDAP), then secured access through on-premises SSO or Web Access Management (WAM) tools.
And as IT has continued to evolve by moving to the cloud, dispersing across multiple devices, and facing more sophisticated cyber threats, these traditional identity management tools are struggling to keep pace. IT teams now need a solution that provides users with quick, secure single sign-on access to any application or service.
SSO myths, busted
There are plenty of misconceptions surrounding SSO, but these are continually dispelled by modern solutions. Common SSO myths include:
SSO Myth 1: SSO slows down IT teams and adds to their workloads
SSO actually helps IT teams be more effective by increasing automation, providing enhanced security and visibility, and enabling better workflows. It directly addresses IT teams’ core mission of smoothly, securely, and quickly connecting employees to the tools they need to get their job done. SSO also allows for faster scaling, better insight into application access, and reduced helpdesk tickets and IT costs.
SSO Myth 2: SSO is difficult to deploy
Legacy tools may have been complex in their day, but modern SSO is quick and simple to deploy. Today’s SSO tools have pre-built connectors to thousands of popular apps, which saves IT teams from having to manually build integrations. Organizations can also connect users and import from existing directories without having to configure, install, or support their hardware or make changes to their firewall. SSO is easy to deploy, centralizes the onboarding of new users and apps, is highly available, and minimizes costs, ensuring simple yet secure access.
SSO Myth 3: SSO creates a single point of failure, so it’s less secure
It can be tempting to think that by requiring only one password, SSO leaves an appealing attack vector open to cyber threats. But the reality is that a single point of failure already exists, and it’s the user. When forced to juggle different credentials, users often resort to recycling passwords and bad password hygiene, creating a security risk for companies. By eliminating the need for multiple sets of credentials, SSO allows IT teams to set password policies that standardize regular security protocols, while monitoring application, user, device, location, and network context for each access request.
SSO Myth 4: SSO is the same as a password manager
SSO and password managers enable users to access multiple apps with one login, but that’s where the similarities end. Password managers are vaults that store and remember users’ credentials for various apps or websites protected by one primary password. However, they focus on protecting passwords, which account for over 80% of all security breaches and offer hackers a potential entry point into an organization or identity. SSO solutions, on the other hand, manage access through trust and leverage existing relationships to create a single domain where authentication takes place.
The benefits of SSO
Organizations that deploy SSO reap a wide range of benefits, from avoiding the risks presented by password recycling to delivering a seamless user experience. Key benefits of single sign-on include:
- Decreased attack surface: SSO does away with password fatigue and poor password practices, meaning your business is immediately less vulnerable to phishing. It enables users to focus on memorizing one strong, unique password and reduces time-consuming and costly password resets.
- Seamless and secure user access: SSO provides real-time insight into which users accessed applications when, and where from, allowing enterprises to protect the integrity of their systems. SSO solutions also address security risks such as an employee losing their corporate device, enabling IT teams to immediately disable the device’s access to accounts and critical data.
- Simplified user access auditing: Ensuring the right people have the right level of access to sensitive data and resources can be tricky in an ever-changing business environment. SSO solutions can be used to configure a user’s access rights based on their role, department, and level of seniority. This ensures transparency and visibility into access levels at all times.
- Empowered and productive users: Users increasingly demand quick and seamless access to the applications they need to get their jobs done. Managing requests manually is a painstaking process that only serves to frustrate users. SSO authentication removes the need for manual oversight, enabling immediate access to up to thousands of apps with a single click.
- Future-proofing: SSO is the first step in securing your company and its users. On the foundation of SSO, your organization can implement other security best practices such as deploying multi-factor authentication (MFA) and hooking into identity proofing, risk ratings, and consent management tools to address compliance needs and mitigate fraud. Starting off on the right foot with SSO sets your business up for future security.
The challenges of SSO
While SSO is user-friendly and convenient, it can pose a security risk if it’s not well-managed or properly deployed. Challenges of SSO include:
- User access risks: If an attacker gains access to a user’s SSO credentials, they also gain access to every app the user has the rights to. Thus, it’s crucial to deploy additional authentication mechanisms beyond just passwords.
- Potential vulnerabilities: Vulnerabilities have previously been discovered within SAML and OAuth that gave attackers unauthorized access to victims’ web and mobile accounts. It’s therefore important to work with a provider that has accounted for these instances in their product and pairs SSO with additional authentication factors and identity governance.
- App compatibility: It sometimes happens that an app isn’t set up to effectively integrate with an SSO solution. Application providers should have real SSO capability, whether via SAML, Kerberos, or OAuth. Otherwise, your SSO solution is just another password for users to remember and doesn’t provide comprehensive coverage.
Is SSO secure?
When single sign-on best practices are followed, a reliable SSO solution can hugely improve security. It ensures that:
- IT teams can leverage SSO to protect users with consistent security policies that adapt to their behavior, while simplifying the management of usernames and passwords.
- Built-in security tools automatically identify and block malicious login attempts, improving the safety of business networks.
- Organizations can deploy security tools like MFA in tandem with SSO, and can quickly oversee user access rights and privileges.
In addition, an SSO solution from a proven provider should give companies peace of mind through verified security protocols and service at scale.
SSO’s role in identity access management (IAM)
IAM helps organizations manage all aspects of user access, and SSO is one part of that broader identity landscape. SSO is crucial to verifying user identities and providing the right permission levels, and should be integrated with activity logs, tools that enable access control, and processes that monitor user behavior.
Identity-as-a-Service (IDaaS) solutions deliver all aspects of IAM—such as SSO, adaptive MFA, and user directories—in a single package. This simplifies security, provisioning, and workflows, enhances user experience, and saves organizations time and money.
What to look for in an SSO provider
Selecting an SSO provider means navigating the wide range of options in the market. Key capabilities to identify in a provider include:
- Access to any application: The best SSO providers will support integrations with all key apps on the market. When assessing providers, focus on both the breadth of applications and depth of integrations they offer access to and whether they enable integration with everything from enterprise, Software-as-a-Service (SaaS), and web applications to network resources.
- SSO customization: A modern SSO product must meet the specific needs of each user by providing them a dashboard that shows only the relevant apps that they have permission to access. The dashboard should also be customizable to meet the branding needs of the company and ensure brand consistency and continuity across all of their branded sites.
- MFA integration: It’s important not to rely solely on usernames and passwords, so look for an SSO provider that integrates with any MFA solution and can capture a wide range of user contextual factors such as location, risk profile, and behavior. This strengthens security by requesting users provide additional information that confirms their identity.
- Monitoring and troubleshooting: An effective SSO provider also needs to provide monitoring tools that help organizations quickly identify and resolve performance issues across their entire IT environment, whether it’s hybrid or fully on the cloud.