Mike Spenceley is an Associate Services Consultant at our partner company Securience. In this article he talks about the benefits of Single Sign-on and why every organisation should be looking at this.
Starting the working day can be tedious enough: dealing with congestion, train delays, or merely leaving a warm bed on those crisp, cold winter mornings. After tackling all these issues you still manage to arrive at the office, but another predicament awaits with open arms – the arduous task of logging into every application and website before work can commence. The time spent logging in can be substantial, especially with complex password policies and strict security controls, and on a day-to-day basis the cumulative time lost to the login process adds up to a significant amount that could otherwise have been spent on productive tasks. This is where Single Sign-On, or SSO, comes into play to save the day.
SSO and Its Benefits
SSO is a way to securely access multiple independent software systems using a single set of credentials. The primary motive behind implementing SSO is to reduce the number of times a user needs to enter their credentials and the number of credentials they need to remember, thereby simplifying their experience. An example of an efficient SSO setup is using Microsoft applications, like Office 365 (O365). Once logged into one application using your O365 account, you are automatically logged into participating SSO applications like SharePoint, JIRA, SAP, etc., saving the time of logging into each of these applications separately.
There are two primarily used standards within SSO – OAuth and SAML. SAML is an open standard used to securely exchange authentication and authorisation information between systems, and it is the most commonly used standard for achieving SSO. OAuth is also an open standard, but it is used for access delegation: web applications commonly use it to grant access to users without asking for their passwords, as with the "sign in with Google" or "sign in with Facebook" links that let users log in seamlessly.
Let’s discuss the benefits an SSO implementation brings to an organisation.
Login Once, Save Money – SSO enables users to sign in only once, saving substantial time that they can spend on being more productive. A study at a hospital revealed it could save upwards of $3 million by implementing SSO across its 19 facilities: the hospital staff had to remember between 8 and 20 passwords, which the SSO implementation reduced to just one.
Reduction in IT helpdesk costs – It is predicted that 20% of calls to helpdesks relate to forgotten passwords or password resets. With SSO, the number of credentials a user needs to remember is drastically reduced to just one. If they do forget that one, they can still contact the helpdesk, but the overall result of implementing SSO is that helpdesk personnel can focus on more important tasks.
Improved detection of malicious activity – Through the implementation of SSO, malicious activity can be identified and acted upon, increasing the organisation's overall security. An example of this is a configuration within OAuth called Anomaly Detection, which can detect and stop malicious activity such as brute-force attacks, either by sending notifications to the individual or team that manages the SSO or by blocking the account immediately after a certain number of failed attempts within a set period.
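The "block after N failed attempts within a set period" rule described above, as an added example in Python (not code from the article or from any vendor's Anomaly Detection feature); the log format, thresholds and sample lines are constructed assumptions:

```python
# Added example, not code from the article or any vendor product: a
# sliding-window rule that flags and blocks a user after N failed SSO
# sign-ins within a time window, as described under "Anomaly Detection".
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <SUCCESS|FAILURE> <source ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice FAILURE 203.0.113.5
2024-03-01T08:00:09Z alice FAILURE 203.0.113.5
2024-03-01T08:00:20Z alice FAILURE 203.0.113.5
2024-03-01T08:00:31Z alice FAILURE 203.0.113.5
2024-03-01T08:00:40Z alice FAILURE 203.0.113.5
2024-03-01T08:07:00Z alice SUCCESS 203.0.113.5
2024-03-01T09:30:00Z carol FAILURE 192.0.2.9
2024-03-01T09:45:00Z carol FAILURE 192.0.2.9
"""
MAX_FAILURES = 5                 # assumed lockout threshold
WINDOW = timedelta(minutes=5)    # assumed sliding window
LOCKOUT = timedelta(minutes=15)  # assumed block duration


def parse_line(line):
    ts, user, outcome, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome, ip


def analyse(log_text, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Return (alerts, blocked_attempts). alerts: (user, time) when the
    threshold is hit; blocked_attempts: attempts made while the user is
    blocked, which the SSO gateway rejects without checking the password."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    blocked_until = {}              # user -> datetime the block expires
    alerts, blocked_attempts = [], []
    for line in log_text.splitlines():
        ts, user, outcome, _ip = parse_line(line)
        until = blocked_until.get(user)
        if until and ts < until:            # still locked out
            blocked_attempts.append((user, ts))
            continue
        if outcome == "SUCCESS":
            failures[user].clear()          # a successful login resets the count
            continue
        q = failures[user]
        q.append(ts)
        while q and ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:          # threshold hit: alert and block
            alerts.append((user, ts))
            blocked_until[user] = ts + lockout
            q.clear()
    return alerts, blocked_attempts
```

In the sample, alice trips the rule at her fifth failure and her later (correct) login is rejected while the block is in force, whereas carol's two failures fall outside the window and do not alert.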
Cross-Domain SSO & Federated Identity
SSO generally operates within a single domain. For example, when you log into your Google account, you are automatically signed into other Google applications such as YouTube or Gmail, as they belong to the same domain (".google.com"). Now, if you also want to log into your Facebook account at the same time, you will have to enter your credentials again because of the different domain (".facebook.com"). However, there is a way to enable SSO across multiple domains, which can be accomplished with federated identities.
Federated identity enables multiple independent systems to obtain identity information by establishing a trust relationship between the requesting system and the system holding the identity. By combining federated identity with SSO, the user can effectively log into multiple domains at once, because the federated identity is shared across those domains; this saves time and is incredibly convenient.
Using SSO by itself, without other authentication controls such as multi-factor authentication (MFA) and identity management (IDM), can be quite risky. If an attacker manages to obtain a user's primary credentials in an SSO setup, they could have free rein over every participating application. I won't go into the details of how devastating and destructive that can be for a single user, let alone an entire organisation.
However, the security of SSO can be greatly improved. Combining it with MFA or two-factor authentication (2FA) secures the initial login and mitigates the risk of an attacker gaining access to the resources protected by SSO. Even if the attacker knows the username and password, the extra authentication factor prevents further damage, except in other applications where the user has reused the same password without an MFA/2FA setup.
Access to applications can be further restricted by implementing Identity and Access Management (IAM) solutions and integrating with SSO. With this setup, users will only be able to access applications explicitly approved by their line managers or business owners. Even if the applications participate in the SSO environment, access will always be explicitly denied if a user doesn’t have the necessary approvals.
SSO can also strengthen the security posture in other ways, including shorter session timeouts, which log out the user after a configurable period of inactivity. This measure helps mitigate session hijacking attacks, which, if performed successfully, let an attacker take control of a user's session. Another measure, input validation to protect against cross-site scripting (XSS) attacks, is also recommended by security pundits; XSS is listed in 7th place in the OWASP Top 10 list of the most critical web application vulnerabilities.
But how does all this improve productivity?
We've briefly discussed SSO, its potential benefits, cross-domain federation, and IAM and SSO integration, but how does this improve productivity? With SSO, as previously mentioned, gaining access to everything in one place with a single login saves copious amounts of time, which means more time for solving a networking issue for a client, finalising a presentation for a big pitch, or simply grabbing another coffee to keep the brain toiling hard. Additionally, the user experience is vastly improved by seamless login across multiple systems, leading to a less frustrated and happier workforce ready to take on the world.
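The inactivity timeout described above, as an added example in Python (not code from the article or any product): an SSO session store that forces logout once a session has been idle longer than a configurable limit, so a hijacked token stops working after its owner goes idle. The clock is passed in as seconds so the behaviour can be exercised offline.

```python
# Added example, not code from the article or any product: an SSO session
# store that logs the user out after a configurable period of inactivity,
# so a hijacked session token stops working once its owner goes idle.
# A clock value in seconds is passed in so the behaviour is testable offline.
import secrets


class SessionStore:
    def __init__(self, idle_timeout_s=900):    # assumed default: 15 minutes
        self.idle_timeout_s = idle_timeout_s
        self._sessions = {}   # token -> {"user": str, "last_seen": seconds}

    def create(self, user, now):
        token = secrets.token_urlsafe(32)       # unguessable session identifier
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def validate(self, token, now):
        """Return (status, user) with status "active", "expired" or "unknown".
        An active session is touched, so the idle window slides forward; an
        expired one is removed (forced logout) rather than silently refreshed."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown", None
        if now - s["last_seen"] > self.idle_timeout_s:
            del self._sessions[token]           # idle too long: log out
            return "expired", s["user"]
        s["last_seen"] = now                    # activity resets the idle timer
        return "active", s["user"]

    def logout(self, token):
        """Explicit logout; True if the session existed."""
        return self._sessions.pop(token, None) is not None

    def active_count(self):
        return len(self._sessions)
```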
Thanks for reading.
Able+ Cloud is a cost-effective, flexible and scalable Identity and Access Management solution, which offers organisations of any size the chance to implement robust and secure IAM.