What is Single Sign-on (SSO) Authentication?

Single Sign-on (SSO) lets users access multiple applications and databases with a single set of login credentials. This simplifies the use of multiple applications within a business: users do not need to re-enter their credentials each time they switch from one application to another, which saves time where it matters most.

For example, if you are logged in to Gmail and need to hop onto a Google Meet video conference, you can do so without re-entering your login credentials. This is a clear example of SSO easing the use of multiple applications.

At the same time, growing security demands have multiplied the number of passwords users must remember. Research from NordPass found that the average person has 25% more passwords now than before the pandemic. This is why SSO is not only important but also helpful.

What makes businesses adopt SSO?

The reason is password overload. Statistics show that password overload is a real issue that needs immediate attention because it increases operating costs and reduces productivity. In fact,

  1. An average user maintains 70 to 80 apps that require login credentials to access.
  2. 40% of help desk calls in medium-to-large organizations are about password resets.
  3. Most large US-based organizations allocate over $1 million annually to password-related support. A recent survey found that password resets may cost an organization with 15,000 employees $5.2 million annually in labor and lost productivity.

An SSO authentication service can help organizations cut these costs and improve productivity significantly. In this article, we provide an in-depth overview of the advantages and disadvantages of SSO, how SSO works, and the types of SSO configurations.

How Does SSO Work?

There are three essential components in the SSO authentication process: User, Service Provider, and Identity Provider.

  • User: A user is a person who needs access to an application or a database. 
  • Service Provider: A service provider is an application or a database a user wants to access. Examples include Microsoft Outlook and Gmail.
  • Identity Provider: An identity provider is a system that authenticates users and vouches for their identity to the applications and databases they connect to. Examples include Okta, OneLogin, and Azure Active Directory (now Microsoft Entra ID).

The SSO process is driven by the trust relationship between the Service Provider and the Identity Provider. When the two are set up, the service provider is configured with the identity provider's signing certificate (or, for OpenID Connect, its public keys) and the identity provider is configured with the service provider's identifier and return URL; everything that follows rests on that configuration. Here is a step-by-step procedure of how the SSO login mechanism works:

  1. A user attempts to access the service provider (an application or a database).
  2. The service provider redirects the user's browser to the identity provider with an authentication request that identifies the service provider and may carry a hint about the user, such as an email address or username.
  3. The identity provider checks whether the user already has an authenticated session with it:
    1. If the user has already been authenticated, the identity provider immediately issues a signed token (a SAML assertion or an OpenID Connect ID token) confirming the user's identity and returns it to the service provider through the browser.
    2. If the user has not been authenticated, the identity provider prompts the user for login credentials (username and password) or sends a One-Time Password (OTP) to the user. The identity provider validates the credentials and then issues the signed token to the service provider in the same way.
  4. The service provider validates the token against the trust relationship that was set up initially: the signature must verify with the identity provider's certificate or key, the issuer must be the expected identity provider, the token must be addressed to this service provider, and it must not have expired or been presented before. Only then does it log the user in.

Pros and Cons of SSO 

SSO technology has its merits and its drawbacks. Here is an overview of the pros and cons of the SSO service.

Pros

No repeated passwords

SSO eliminates password fatigue and enhances employee productivity by streamlining access to multiple applications with a single set of user credentials.

Multi-factor authentication (MFA)

SSO facilitates secure login to applications through multi-factor authentication (MFA), a method that requires the user to present two or more verification factors to gain access to an application or a set of applications. Because authentication happens at the identity provider, MFA has to be enforced only there, and every connected application benefits from it, including applications that have no MFA support of their own.

Single point for enforcing password re-entry

Requiring users to re-enter their credentials has always been a vital aspect of application security. Administrators typically enforce re-entry after a period of inactivity, or before a sensitive action, to confirm that the same user is still the one using the application.

Without SSO, it is difficult for an administrator to enforce re-entry consistently, as each application implements its own session timeout and many do not support such a policy at all.

SSO eliminates this hassle by creating a single point, the identity provider's session policy, at which re-entry is enforced for all applications, instead of configuring it in each application individually. Note that an application still keeps its own session once the user has logged in, so the identity provider's policy only takes effect when the application next sends the user back to it; short application session lifetimes, or single logout, are needed for the policy to bite everywhere.

Less time wasted on password recovery

An average user spends 12.6 minutes a week, or 10.9 hours a year, entering, resetting, and recovering passwords. With SSO in place, employees waste less time resetting and recovering passwords.

Cons

Doesn’t account for each application’s security levels

Organizations use many applications to streamline business processes, and each application has its own security requirements that protect its data; a payroll system warrants stronger authentication than a lunch-ordering tool. SSO does not by itself account for these differences: one login grants access to all applications, so the strength of that single login becomes the strength of every application behind it, unless the identity provider supports per-application policies such as step-up authentication for the sensitive ones.

Users can be locked out of multiple systems connected to SSO

SSO creates a central service on which all connected applications depend. If the identity provider is down or undergoing maintenance, users cannot sign in to any of the connected systems or applications (sessions already established usually survive until they expire). This leads to a huge productivity loss for the organization.

Risk of unauthorized users gaining access to more than one application

SSO can increase the damage done by a security breach, because an unauthorized user who obtains one set of credentials gains access to more than one application. If an attacker steals a user's SSO password, or the user's signed-in session at the identity provider, through phishing or malware, the attacker inherits that user's access to every connected application. Just as SSO creates a single point of entry to all applications, it also creates a single point of failure, which is why MFA and session protections at the identity provider matter so much.

Types of SSO Configurations 

Basic authentication

Basic authentication (often loosely called basic authorization, although what is being checked is the user's identity) lets a user gain access to an application with a username and password alone. The steps involved are:

  1. The user attempts to access an application through SSO.
  2. The SSO service asks the user to enter a username and password.
  3. The SSO service grants or denies access after validating the credentials.

This configuration leaves the SSO system exposed to password attacks such as brute force, credential stuffing, and phishing, and because the one password unlocks every connected application, a single guessed or phished password is all an attacker needs. It should be combined with MFA, rate limiting of failed logins, and monitoring of the identity provider's login log.
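Because a username-and-password configuration is the one most exposed to guessing, the identity provider's login log is worth watching for the two patterns named above. The following is an added example and not code from the page or from any vendor named on it. It runs over a few constructed log lines in an assumed key=value event format and separates brute force (many failures against one account from one address) from credential stuffing (one address trying many different accounts once each), then lists the accounts a flagged address nevertheless got into. The format, the thresholds, and the fact that counts are taken over the whole sample rather than a sliding time window are all simplifications for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed "key=value" login-event format (not a real product's log).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z sso-login ip=192.0.2.10 user=alice result=success
2024-03-01T09:00:05Z sso-login ip=10.0.0.5 user=bob result=failure
2024-03-01T09:00:06Z sso-login ip=10.0.0.5 user=bob result=failure
2024-03-01T09:00:07Z sso-login ip=10.0.0.5 user=bob result=failure
2024-03-01T09:00:08Z sso-login ip=10.0.0.5 user=bob result=failure
2024-03-01T09:00:09Z sso-login ip=10.0.0.5 user=bob result=failure
2024-03-01T09:00:10Z sso-login ip=10.0.0.5 user=bob result=failure
2024-03-01T09:01:00Z sso-login ip=203.0.113.9 user=carol result=failure
2024-03-01T09:01:01Z sso-login ip=203.0.113.9 user=dave result=failure
2024-03-01T09:01:02Z sso-login ip=203.0.113.9 user=erin result=failure
2024-03-01T09:01:03Z sso-login ip=203.0.113.9 user=frank result=failure
2024-03-01T09:01:04Z sso-login ip=203.0.113.9 user=grace result=success
2024-03-01T09:01:05Z sso-login ip=203.0.113.9 user=heidi result=failure
2024-03-01T09:02:00Z sso-login ip=192.0.2.11 user=ivan result=failure
2024-03-01T09:02:30Z sso-login ip=192.0.2.11 user=ivan result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sso-login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than guessed at."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def detect_password_attacks(text, fail_threshold=5, spray_threshold=5):
    """Separate the two guessing patterns a username/password login invites.

    brute_force: (ip, user) pairs with >= fail_threshold failures, i.e. one account hammered.
    credential_stuffing: IPs that failed against >= spray_threshold distinct accounts, i.e. a
        leaked credential list being tried one account at a time.
    compromised: accounts a flagged IP then logged into successfully; these need a forced
        reset and a human look, not just a block.
    """
    fails = defaultdict(int)      # (ip, user) -> failure count
    tried = defaultdict(set)      # ip -> accounts it failed against
    successes = defaultdict(set)  # ip -> accounts it logged into
    for event in parse_log(text):
        if event["result"] == "failure":
            fails[(event["ip"], event["user"])] += 1
            tried[event["ip"]].add(event["user"])
        else:
            successes[event["ip"]].add(event["user"])
    brute_force = sorted(pair for pair, n in fails.items() if n >= fail_threshold)
    stuffing = sorted(ip for ip, users in tried.items() if len(users) >= spray_threshold)
    flagged = set(stuffing) | {ip for ip, _ in brute_force}
    compromised = sorted(user for ip in flagged for user in successes.get(ip, ()))
    return {"brute_force": brute_force, "credential_stuffing": stuffing, "compromised": compromised}


if __name__ == "__main__":
    for kind, hits in detect_password_attacks(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The distinguishing signal is the shape of the failures, not their count: the brute-force source produces many failures for one account, while the stuffing source produces one failure per account across many accounts and so never trips a per-account lockout, which is why the per-IP distinct-account count is needed.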

OAuth 

OAuth (commonly expanded as Open Authorization) is an authorization framework that lets end users grant a third-party application limited access to their accounts without handing over their credentials. Strictly speaking, OAuth 2.0 authorizes access to resources rather than authenticating users; SSO built on OAuth uses OpenID Connect, a layer on top of OAuth 2.0 that adds a signed ID token carrying the user's identity.

There are four components in OAuth authorization: Resource Owner, Client, Resource Server, and Authorization Server.

  • Resource Owner: A resource owner is the user who authorizes a client's access to their account.
  • Client: A client is the third-party application that wants to access the user's account.
  • Resource Server: A resource server is the server that hosts the protected resources, such as the user's data or an API acting on it.
  • Authorization Server: An authorization server authenticates the resource owner, records their consent, verifies the identity of the client, and issues the access tokens that grant the client permission to access the user's account.

The steps involved in OAuth authorization (the authorization code flow) are:

  1. The client (third-party application) sends the user to the authorization server with a request for a specific scope of access to the user's account.
  2. The user authenticates to the authorization server and grants authorization to the client; the authorization server returns a short-lived authorization code to the client's registered redirect URI.
  3. The client requests an access token from the authorization server by presenting the authorization code together with its own client credentials.
  4. The authorization server verifies the identity of the client, confirms that the code was issued to that client and has not been used before, and provides an access token to it.
  5. The client presents the access token to the resource server.
  6. If the resource server finds the token valid and its scope sufficient, it authorizes the client's access to the user's account.
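The six steps above, with the checks that make them safe, as an added example that is not part of the original page and not any particular library's API: the three server-side parties are simulated in one Python process, the client identifier, client secret, redirect URI, scope name and user name are constructed, and the authorization server issues opaque tokens that the resource server checks by asking the authorization server about them (token introspection). It includes the two protections the flow relies on in practice, the `state` value that ties the callback to the request the client started, and PKCE (RFC 7636), which binds the authorization code to the client instance that requested it, together with single-use codes.

```python
import base64, hashlib, secrets, time


def s256(verifier):
    """PKCE 'S256' challenge: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret", "redirect_uri"}, registered in advance
        self.codes = {}         # one-time authorization codes -> what each was bound to
        self.tokens = {}        # opaque access tokens -> subject, scope, client, expiry

    def authorize(self, request, user):
        """Steps 1-2: the user, already signed in here, consents; bind a short-lived code to the request."""
        client = self.clients.get(request["client_id"])
        if client is None or client["redirect_uri"] != request["redirect_uri"]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": request["client_id"], "redirect_uri": request["redirect_uri"],
                            "scope": request["scope"], "challenge": request["code_challenge"],
                            "sub": user, "exp": time.time() + 60}
        return {"code": code, "state": request["state"]}  # sent back to the client by redirect

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        """Steps 3-4: authenticate the client, check the code and PKCE verifier, issue a token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed exactly once
        if grant is None or grant["exp"] < time.time():
            raise PermissionError("invalid, expired, or already redeemed code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        if not secrets.compare_digest(s256(code_verifier), grant["challenge"]):
            raise PermissionError("PKCE verification failed")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": grant["sub"], "scope": grant["scope"], "client_id": client_id,
                              "exp": time.time() + 3600}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, token):
        """What a resource server asks about an opaque token it cannot read itself."""
        info = self.tokens.get(token)
        return None if info is None or info["exp"] < time.time() else info


class ResourceServer:
    def __init__(self, auth_server, profiles):
        self.auth_server, self.profiles = auth_server, profiles

    def get_profile(self, access_token):
        """Steps 5-6: serve the resource only for a live token that carries the required scope."""
        info = self.auth_server.introspect(access_token)
        if info is None or "profile:read" not in info["scope"].split():
            raise PermissionError("invalid token or insufficient scope")
        return self.profiles[info["sub"]]


class Client:
    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self.auth_server, self.client_id = auth_server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri

    def start_login(self, scope):
        """Build the authorization request with a fresh state value and PKCE verifier."""
        self.state, self.verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(48)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "scope": scope,
                "state": self.state, "code_challenge": s256(self.verifier), "code_challenge_method": "S256"}

    def handle_callback(self, params):
        """Refuse a callback that does not belong to the request this client started (CSRF)."""
        if not secrets.compare_digest(params["state"], self.state):
            raise PermissionError("state mismatch")
        return self.auth_server.token(self.client_id, self.client_secret, params["code"],
                                      self.redirect_uri, self.verifier)


def run_flow():
    """End-to-end exchange on constructed data; returns (profile, client, callback params)."""
    auth = AuthorizationServer({"photo-app": {"secret": "example-client-secret",
                                              "redirect_uri": "https://photo.example/cb"}})
    client = Client(auth, "photo-app", "example-client-secret", "https://photo.example/cb")
    api = ResourceServer(auth, {"alice": {"name": "Alice", "email": "alice@example.com"}})
    request = client.start_login("profile:read")
    callback = auth.authorize(request, user="alice")  # alice signed in at the auth server and consented
    tokens = client.handle_callback(callback)
    return api.get_profile(tokens["access_token"]), client, callback


def replay_is_rejected():
    _, client, callback = run_flow()
    try:
        client.handle_callback(callback)  # same code redeemed a second time
    except PermissionError:
        return True
    return False
```

The order of checks in `token` is deliberate: the code is removed from the store before anything else is examined, so an attacker who captures a redirect URL with the code in it loses the race the moment the legitimate client redeems it, and a failed PKCE check burns the code rather than leaving it available for another attempt. Remove the `pop` and `replay_is_rejected()` starts returning `False`.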

SAML

Security Assertion Markup Language (SAML) is an open, XML-based standard for exchanging authentication and authorization data between an identity provider and a service provider. The primary use of SAML 2.0 is Web Browser Single Sign-on, which enables a user to access multiple web applications with a single login at the identity provider.

For instance, an employee can log in to the company’s dashboard with the work email address and get seamless access to various third-party applications like Salesforce and AWS that the company uses.

Here are the steps involved in SAML's Web Browser Single Sign-on use case:

  1. The user logs in to the organization's dashboard through SSO provided by an identity provider like Okta or OneLogin, which establishes a session at the identity provider.
  2. The user attempts to access the service provider (Salesforce or AWS) from the company's dashboard.
  3. The service provider sends a SAML authentication request to the identity provider, typically by redirecting the user's browser there.
  4. Since the user already has a session at the identity provider, the identity provider does not prompt again; it responds, through the browser, with a digitally signed SAML response containing an assertion about the user's identity and addressed to that service provider.
  5. The service provider validates the response (the signature against the identity provider's certificate, the issuer, the intended audience, the validity window, and that it answers a request the service provider actually sent) and grants access to the user.

When the user launches the application from a tile on the identity provider's dashboard, the identity provider may instead send the signed response without a prior request. This is called IdP-initiated SSO, and the service provider must apply the same checks apart from the request match.
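Both the generic SSO login procedure described earlier and these SAML steps come down to the same thing at the service provider: accept an identity only from a response that the trusted identity provider signed, that was meant for this service provider, that is still within its validity window, and that answers a request this service provider actually sent. The following is an added example and not code from the page or from Okta, OneLogin, Salesforce or AWS. It builds a minimal SAML 2.0 Response/Assertion with Python's standard library, shows the identity-provider session that makes the second login silent, and performs those checks on the service-provider side. Entity IDs, URLs, the user name and the password are constructed. One deliberate simplification: the signature is an HMAC over the response bytes with a key both parties hold, standing in for XML-Signature with the identity provider's X.509 certificate; a real service provider must verify the XML-DSig (with canonicalization) using a vetted SAML library, and a real assertion carries far more elements than the handful built here.

```python
import base64, calendar, hashlib, hmac, secrets, time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT = "%Y-%m-%dT%H:%M:%SZ"


def iso(ts):
    return time.strftime(FMT, time.gmtime(ts))

def from_iso(s):
    return calendar.timegm(time.strptime(s, FMT))


class IdentityProvider:
    def __init__(self, entity_id, signing_key, users):
        self.entity_id, self.key, self.users = entity_id, signing_key, users
        self.sessions = {}  # browser session cookie -> username

    def login(self, username, password):
        """Step 3b: no IdP session yet, so the user is prompted; returns the session cookie."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = username
        return cookie

    def respond(self, req, cookie, now=None):
        """Steps 3a-4: with a live IdP session, build and sign a Response/Assertion for the SP."""
        user = self.sessions.get(cookie)
        if user is None:
            raise PermissionError("no IdP session: prompt for credentials first")
        now = time.time() if now is None else now
        resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + secrets.token_hex(16),
                          InResponseTo=req["ID"], Destination=req["ACS"], IssueInstant=iso(now))
        ET.SubElement(resp, f"{{{SAML}}}Issuer").text = self.entity_id
        a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + secrets.token_hex(16))
        ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = user
        cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                             NotBefore=iso(now - 60), NotOnOrAfter=iso(now + 300))
        restr = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
        ET.SubElement(restr, f"{{{SAML}}}Audience").text = req["Issuer"]
        xml = ET.tostring(resp)
        # Stand-in for XML-Signature: HMAC over the exact bytes with a key only the IdP and SP hold.
        return {"SAMLResponse": base64.b64encode(xml).decode(),
                "Signature": hmac.new(self.key, xml, hashlib.sha256).hexdigest()}


class ServiceProvider:
    def __init__(self, entity_id, acs_url, idp_entity_id, idp_key):
        self.entity_id, self.acs_url = entity_id, acs_url
        self.idp_entity_id, self.idp_key = idp_entity_id, idp_key
        self.pending = {}  # AuthnRequest IDs we issued and have not yet seen answered

    def authn_request(self):
        """Step 3: ask the IdP to authenticate; remember the request ID to match the answer."""
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = time.time()
        return {"ID": req_id, "Issuer": self.entity_id, "ACS": self.acs_url}

    def consume(self, msg, now=None):
        """Step 5: signature, issuer, destination, request match, validity window, audience."""
        now = time.time() if now is None else now
        xml = base64.b64decode(msg["SAMLResponse"])
        expected = hmac.new(self.idp_key, xml, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["Signature"]):
            raise PermissionError("signature check failed: not from the trusted IdP")
        resp = ET.fromstring(xml)
        if resp.findtext(f"{{{SAML}}}Issuer") != self.idp_entity_id:
            raise PermissionError("unexpected issuer")
        if resp.get("Destination") != self.acs_url:
            raise PermissionError("response addressed to a different endpoint")
        if self.pending.pop(resp.get("InResponseTo"), None) is None:
            raise PermissionError("unsolicited or replayed response")
        a = resp.find(f"{{{SAML}}}Assertion")
        cond = a.find(f"{{{SAML}}}Conditions")
        if not from_iso(cond.get("NotBefore")) <= now < from_iso(cond.get("NotOnOrAfter")):
            raise PermissionError("assertion outside its validity window")
        if cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") != self.entity_id:
            raise PermissionError("assertion meant for another service provider")
        return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def sso_login():
    """Constructed end-to-end run: returns (NameID, error raised when the response is replayed)."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("https://idp.example.com", key, {"alice": "correct horse"})
    sp = ServiceProvider("https://crm.example.com", "https://crm.example.com/saml/acs",
                         "https://idp.example.com", key)
    cookie = idp.login("alice", "correct horse")    # first visit: IdP prompts and starts a session
    msg = idp.respond(sp.authn_request(), cookie)  # later visits reuse the session, no prompt
    name_id = sp.consume(msg)
    try:
        sp.consume(msg)                            # same response posted a second time
    except PermissionError as e:
        return name_id, str(e)
    return name_id, None
```

`consume` matches `InResponseTo` against an outstanding request and forgets it, so the same response posted a second time is refused. For IdP-initiated responses, which carry no `InResponseTo`, a service provider must instead record accepted assertion IDs until their `NotOnOrAfter` passes. The audience check is the one most often missing in home-grown code: without it, a valid assertion issued for one application can be replayed against another that trusts the same identity provider.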

Enhance Your Security System with Genea Security SSO 

Physical security threats may leave businesses vulnerable to data breaches that could be easily prevented through Identity and Access Management (IAM). In fact:

  1. 10% of malicious data breaches were caused by physical security compromise.
  2. The average cost of each data breach caused by the physical security compromise is around $3.54 million.

Genea’s Integrated Access Control and Identity Management powered by SSO can improve the security system and access control mechanism of an organization significantly. It can make an organization less vulnerable to physical security compromises by deactivating users within a couple of hours of their termination.

Genea Security integrated with Okta’s Identity Management automates access control workflows and improves the physical security of the organization in the following ways:

  1. Integrates SSO for user access to their mobile keys and admin access to the management dashboard.
  2. Deactivation of a user on Okta results in the deactivation of the user’s rights to all offices and applications on Genea.
  3. New users added on Okta will automatically be added to Genea’s platform.

Learn how Genea Security can help automate your access control workflows and improve your building’s physical security.