Single Sign-On (SSO) is a user and session authentication service that lets a user use one set of login credentials, for example a username and password, to access multiple applications. Individuals, small organizations and enterprises can all use SSO to ease the management of usernames and passwords.
A web SSO service is an agent module on the application server that retrieves authentication credentials for a user from a dedicated SSO server, which in turn authenticates the user against a user repository such as an LDAP (Lightweight Directory Access Protocol) directory. Once authenticated, the user is not prompted for a password again by the other applications to which they have been granted rights.
How Does Single Sign-On Work?
Single Sign-On is a form of Federated Identity Management (FIM); the use of such a system across organizations is called identity federation. A framework commonly used in this space is OAuth (Open Authorization), which lets a third-party service use a user's information without ever seeing the user's password. Strictly speaking, OAuth is an authorization framework: it issues the third party an access token scoped to specific account data. SSO built on top of it relies on OpenID Connect, which adds an identity token stating who the user is.
When a user attempts to log in to an application, the service provider redirects the user to the identity provider (the FIM system) for authentication. The identity provider authenticates the user, typically against its user directory, and returns a signed assertion or token. The service provider verifies that assertion (its signature, issuer, intended audience and validity period) and only then logs the user in.
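The exchange described above, as an added example that is not code from the original article: an identity provider mints a signed ID token for one login attempt, and the service provider accepts it only after checking the signature, issuer, audience, expiry and nonce. The issuer URL, client ID, user name and shared secret are constructed values. The token is signed with HS256 so the example runs with the standard library alone; real identity providers sign with asymmetric keys (RS256/ES256) and the service provider holds only the public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: a hypothetical identity provider, the service provider's
# client ID, and a shared HMAC secret. Real deployments use RS256/ES256 so the
# service provider only ever holds the identity provider's public key.
IDP_ISSUER = "https://idp.example.com"
CLIENT_ID = "payroll-app"
SHARED_SECRET = b"constructed-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject: str, audience: str, nonce: str, now=None, ttl: int = 300) -> str:
    """Identity provider side: after authenticating the user against its directory,
    mint a signed ID token naming the user (sub) and the application it is for (aud)."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({
        "iss": IDP_ISSUER, "sub": subject, "aud": audience,
        "iat": now, "exp": now + ttl, "nonce": nonce,
    }).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"


def verify_id_token(token: str, expected_nonce: str, now=None):
    """Service provider side: return (subject, "ok") or (None, reason).
    Every check is required; skipping any one of them lets a genuine token be misused."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:
        return None, "malformed"
    # Pin the algorithm: never let the token choose it ("none", algorithm confusion).
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(SHARED_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"        # payload or signature was altered
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != IDP_ISSUER:
        return None, "wrong issuer"         # signed by an identity provider we do not trust
    if claims.get("aud") != CLIENT_ID:
        return None, "wrong audience"       # minted for another app; must not log in here
    if now >= claims.get("exp", 0):
        return None, "expired"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"       # not bound to this login attempt (replay)
    return claims["sub"], "ok"


def login_flow(now: int = 1_700_000_000):
    """One end-to-end login: the SP picks a nonce, the IdP returns a token, the SP verifies it."""
    nonce = "c0ffee-constructed-nonce"       # in practice a fresh random value per attempt
    token = issue_id_token("alice@example.com", CLIENT_ID, nonce, now=now)
    return verify_id_token(token, nonce, now=now + 10)
```

The audience check is the one most often forgotten: a token the identity provider legitimately issued for one application must not log the same user in to another, otherwise any application the user trusts can impersonate them everywhere else.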
Types Of SSO Protocols
Services use different SSO protocols: some use Kerberos, and some use Security Assertion Markup Language (SAML).
- SAML is an XML (Extensible Markup Language) standard for exchanging authentication and authorization data across security domains. SAML-based SSO involves communication among three parties: the user (through a browser), the identity provider, which maintains the user directory, and the service provider.
- In a Kerberos-based SSO setup, the Key Distribution Center issues a Ticket-Granting Ticket (TGT) once the user's credentials are provided. The client then presents the TGT to obtain service tickets for the other applications the user wishes to access, without being prompted for the password again.
- Smart card-based SSO asks the user to present a card holding the sign-on credentials for the first login. Once the card has been used, the user does not have to enter credentials again. SSO smart cards store either the credentials or certificates.
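The Kerberos bullet compresses a three-party exchange into two sentences. The following Python is an added toy model of it, not the article's code and not a real Kerberos implementation: a Key Distribution Center with an Authentication Service and a Ticket-Granting Service, a client that uses its password exactly once, and application services that accept only tickets sealed under their own keys. The principals, passwords and the stdlib-only "seal" construction (SHA-256 keystream plus HMAC, with the same key for both, which is a toy simplification) are constructed for the example; real Kerberos uses AES-based encryption types.

```python
import hashlib
import hmac
import json
import secrets


def kdf(password: str) -> bytes:
    """Derive a principal's long-term key from its password (toy: plain SHA-256)."""
    return hashlib.sha256(password.encode()).digest()


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object; only a holder of `key` can read or forge it (toy)."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Center: Authentication Service (AS) plus Ticket-Granting Service (TGS)."""

    def __init__(self, principals: dict):
        self.keys = {name: kdf(pw) for name, pw in principals.items()}  # "krbtgt" = TGS key

    def as_exchange(self, user: str, now: int) -> bytes:
        # AS-REP: a TGT sealed under the TGS key (opaque to the client) and a session key,
        # both sealed under the user's long-term key, so only the right password opens it.
        sk = secrets.token_bytes(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "sk": sk, "exp": now + 8 * 3600})
        return seal(self.keys[user], {"sk": sk, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        # TGS-REQ: the client proves it holds the TGT session key via a fresh authenticator
        # and receives a service ticket sealed under that service's own key.
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if now >= t["exp"] or a["user"] != t["user"] or abs(now - a["ts"]) > 300:
            raise ValueError("expired TGT or bad authenticator")
        ssk = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sk": ssk, "exp": now + 3600})
        return seal(bytes.fromhex(t["sk"]), {"sk": ssk, "ticket": ticket.hex()})


class Client:
    def __init__(self, user: str, password: str):
        self.user, self.key = user, kdf(password)   # the password is only ever used here

    def login(self, kdc: KDC, now: int) -> None:
        rep = unseal(self.key, kdc.as_exchange(self.user, now))
        self.sk, self.tgt = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["tgt"])

    def ticket_for(self, kdc: KDC, service: str, now: int):
        """Fetch a service ticket with the cached TGT; no password prompt."""
        auth = seal(self.sk, {"user": self.user, "ts": now})
        rep = unseal(self.sk, kdc.tgs_exchange(self.tgt, auth, service, now))
        return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["sk"])


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int):
    """Application server side: it never sees the password, only a ticket sealed under
    its own key and an authenticator under the ticket's session key."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    return t["user"] if now < t["exp"] and a["user"] == t["user"] else None


def demo(now: int = 1_700_000_000) -> dict:
    """One login, then tickets for two services (constructed principals and passwords)."""
    kdc = KDC({"krbtgt": "kdc-master-secret", "alice": "correct horse",
               "mail/srv": "mail-service-key", "files/srv": "files-service-key"})
    alice = Client("alice", "correct horse")
    alice.login(kdc, now)
    results = {}
    for svc in ("mail/srv", "files/srv"):
        ticket, ssk = alice.ticket_for(kdc, svc, now)
        auth = seal(ssk, {"user": "alice", "ts": now})
        results[svc] = service_accepts(kdc.keys[svc], ticket, auth, now)
    return results
```

Two properties carry over to real deployments: a ticket for one service is useless at another because each is sealed under a different service key, and every service trusts the KDC's key rather than the user's password, which is why compromise of the TGS key (the "krbtgt" entry here) compromises every service at once.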
Security Risks And SSO
Single Sign-On is convenient for individuals, but it presents risks to enterprise security. If a cybercriminal gains access to a user's SSO credentials, they gain access to every application the user has rights to, which increases the potential damage. To limit malicious access, every SSO implementation should be coupled with two-factor authentication (2FA) or multi-factor authentication (MFA), and with identity governance that controls which applications each identity can reach.
Services like Google, LinkedIn, Facebook and Twitter offer popular SSO services (social login) that let users log in to third-party applications with their social media credentials. Although social SSO is convenient for users, it creates a single point of failure that a cybercriminal can exploit.
Many security experts recommend not using social SSO services at all, because once a cybercriminal gains control of a user's SSO credentials, they can access every other application that relies on them.
Apple has unveiled its own single sign-on service, Sign in with Apple, and is positioning it as a more secure alternative to the SSO options provided by Google, Facebook, Twitter and LinkedIn. The service is expected to limit what data third-party services can access. Apple's SSO enhances security by requiring 2FA on all Apple ID accounts that use it, and it supports Face ID and Touch ID on iOS devices.
Enterprise Single Sign-On (eSSO) products are password managers with client and server components that log the user on to target applications by replaying the user's stored credentials. Target applications do not need to be modified to work with an eSSO system, and the credentials it replays are always a username and password. Because the eSSO vault holds credentials in a form it can replay, that vault inherits the single-point-of-failure risk described above and needs the same level of protection.
Advantages Of SSO
- SSO relieves users of having to manage and remember a separate username and password for each application.
- SSO streamlines signing in to and using applications without re-entering passwords.
- SSO reduces the number of password prompts users see, which leaves fewer opportunities for phishing.
- SSO leads to fewer password-related calls to IT help desks.
Disadvantages Of SSO
- SSO alone may not provide the level of assurance that some applications require; sensitive applications may still need additional checks at sign-on.
- If the SSO service is unavailable, users are locked out of every system connected to it.
- If a cybercriminal gains access to your SSO account, they gain access to every application linked to it.
Single Sign-On saves the end user the time and effort of remembering passwords, but if a cybercriminal breaches your SSO account, every linked account is exposed.