I used to have an issue just about every other time I tried to log into a website or application. Sometimes I’d forget my password. Other times I failed to save the right version of the password in my password manager.
The password reset process became a regular occurrence in my everyday life — that is, until I discovered single sign-on (SSO).
Single sign-on, or SSO, is a way for people to log into multiple services and applications with just one set of login credentials. The process works by using an authentication scheme that gives you a master set of keys to every one of your applications, eliminating the need to remember multiple sets of login credentials.
What does all this mean? Imagine a world where you can access your cloud storage, work email, and blogging platform with one username and password, and those login credentials are actually more secure than having hundreds of passwords memorized or written down on paper.
I’ll explain the premise of SSO below, along with how it can help with everything from password fatigue to online security.
How Single Sign-On Works
Single sign-on is usually described as an authentication process, but it is more precisely a way of delegating authentication: instead of every application checking your password itself, one trusted service does the checking and the applications accept its word.
Instead of going straight to an application's login page and typing a username and password, SSO redirects you to a central authentication service, known as an identity provider, which confirms your identity.
That identity provider does the same thing for every other website and app you try to access. It vouches for you to all of them, because it has already checked who you are, and each application trusts the identity provider rather than re-checking your password.
SSO is like a security guard at the front gate of a music festival. He checks your ID once. After that, you receive a wristband that lets you go to all the vendors and stages without ever having to pull out your ID card again.
Authentication Flow
From your perspective, SSO should look as seamless as possible. However, the SSO authentication process is actually highly logistical, occurring within a matter of seconds in the background.
Here’s the flow of authentication with SSO:
- You (the user) go to an application or website or service.
- The service or application notices you’re not actively logged in. Therefore, it redirects you to the identity provider.
- The identity provider requests authentication from you, the user. This usually means you must type in a master username and password.
- After authentication, the identity provider generates a digitally signed ticket or token (a SAML assertion or an OpenID Connect ID token, for example) that states who you are, which application the token was issued for, and how long it is valid.
- The identity provider sends that token back to the application or service you're attempting to access, usually by redirecting your browser there with the token attached.
- The application or service verifies the token: it checks the identity provider's signature (using a key it obtained from the identity provider when the trust relationship was set up), the issuer, the intended audience, and the expiry time. Some token types are opaque, and the application verifies those by asking the identity provider directly.
- If the token passes those checks, you're given access to the app, website, or service.
This seems like it could take a long time, right? Luckily, there’s nothing time-consuming about it. SSO happens in milliseconds. The longest part involves typing in your master username and password.
Key Components
Although it all happens very quickly for you, single sign-on requires a carefully choreographed dance between multiple components. These complex relationships happen between:
- Identity providers (IdP): This is the security guard at my metaphorical music festival. The identity provider handles authentication as you try to access your first app, website, or service. After that, you can tap into other apps without having to type in your username and password. IdPs issue you security tokens for apps and services to verify your identity.
- Service providers (SPs): These are the websites, applications, and services you're trying to access using SSO. They accept single sign-on logins only because they trust the IdP to have verified you: whenever you arrive without a valid session, they send you to the IdP and accept the signed token it issues.
- Tokens and credentials: I consider these the VIP wristbands to your digital world. Tokens and tickets and other credentials (issued by the IdP) tell service providers you’ve already gone through authentication.
So, you go to an SP, something like your email client or WordPress website, and the SP sends you to the IdP, which authenticates you and hands back a token. When you present that token to the SP, the SP checks that the IdP really issued it, that it was issued for that SP, and that it hasn't expired before letting you in. If the token fails any of those checks, the SP won't let you in.
Underlying Technologies
SSO uses digital communication to authenticate users between service providers and identity providers. As with just about any type of digital communication, that means SSO uses certain protocols and technologies for recognizing and sending those communications.
Here are the most common protocols used in SSO:
- OAuth 2.0: An authorization framework rather than an authentication protocol. It lets a user grant one application limited access to their data in another (for example, letting a calendar app read your contacts) without handing over a password, and it is the foundation OpenID Connect builds on.
- SAML: An acronym for Security Assertion Markup Language, SAML is an XML-based protocol in which the IdP sends the SP a digitally signed assertion about the user. It remains common for enterprise apps and software.
- OpenID Connect (OIDC): A more modern protocol layered on top of OAuth 2.0 that adds a standard identity layer. The IdP returns a signed ID token (a JSON Web Token) that tells the application who the user is and when they authenticated. Most "Log in with ..." buttons on consumer sites use it.
Between them, SAML and OpenID Connect (with OAuth 2.0 underneath) let a wide range of apps, websites, and other systems trust the same identity provider. They are what make SSO interoperable, but each still has to be configured carefully: a missing signature check or audience check on the SP side undoes the security the protocol offers.
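To make the authentication flow and the IdP/SP/token roles above concrete, here is an added example (not code from the original article or from any SSO vendor) that simulates the exchange in Python: the IdP mints an OpenID Connect-style ID token and the SP validates it before granting access. The issuer URL, client ID and signing key are made-up values. It signs with HMAC-SHA256 so it runs offline with the standard library; a real IdP signs with an asymmetric key (RS256 or ES256) and the SP fetches the matching public key from the IdP's published key set, but the checks the SP performs are the same.

```python
"""Simulated SSO exchange: the IdP mints a signed ID token, the SP validates it.

Added example with constructed values. Signs with HMAC-SHA256 (JWT 'HS256') so it
runs offline; real IdPs use asymmetric keys and publish the public half.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

IDP_ISSUER = "https://idp.example.com"        # assumed issuer URL
SP_CLIENT_ID = "mail-app"                      # assumed client/audience identifier
SIGNING_KEY = b"shared-secret-for-demo-only"   # stands in for the IdP's signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject: str, audience: str, nonce: str, now: int, ttl: int = 300) -> str:
    """IdP side (flow steps 3-5): after the user authenticates, mint header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": IDP_ISSUER,  # who issued the token
        "sub": subject,     # who the user is
        "aud": audience,    # which SP it was issued for
        "iat": now,
        "exp": now + ttl,   # short lifetime limits replay
        "nonce": nonce,     # ties the token to the SP's original redirect
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def sp_verify_token(token: str, expected_nonce: str, now: int) -> dict:
    """SP side (flow steps 6-7): return the claims only if every check passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected algorithm")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # not minted by the IdP, or altered in transit
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != SP_CLIENT_ID:
        raise ValueError("token issued for a different application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def sso_login(subject: str, now: int, audience: str = SP_CLIENT_ID, tamper: bool = False) -> str:
    """Run the whole exchange and report the SP's decision as 'granted:<user>' or 'denied:<reason>'."""
    nonce = secrets.token_urlsafe(16)  # step 2: SP sends the user to the IdP with a fresh nonce
    token = idp_issue_token(subject, audience, nonce, now)
    if tamper:  # an attacker rewrites the subject claim but cannot re-sign without the key
        header_b64, claims_b64, sig_b64 = token.split(".")
        claims = json.loads(_b64url_decode(claims_b64))
        claims["sub"] = "admin"
        token = ".".join([header_b64, _b64url(json.dumps(claims).encode()), sig_b64])
    try:
        claims = sp_verify_token(token, nonce, now)
        return f"granted:{claims['sub']}"
    except ValueError as err:
        return f"denied:{err}"


if __name__ == "__main__":
    now = int(time.time())
    print(sso_login("alice", now))                        # granted:alice
    print(sso_login("alice", now, tamper=True))           # denied:bad signature
    print(sso_login("alice", now, audience="other-app"))  # denied:token issued for a different application
```

The tampered run shows why the SP checks the signature before it trusts any claim: rewriting `sub` to `admin` without the IdP's key fails verification. The audience check stops a token minted for one application from being replayed at another, the expiry check bounds how long a stolen token is useful, and the nonce ties the token to the SP's own redirect so an old token cannot be injected into a new login.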
Benefits of Single Sign-On
SSO is easier. It’s more efficient. And it helps all types of users regardless of experience level. Anyone can wrap their mind around a master key, especially when it means getting rid of the endless barrage of passwords needed in today’s world.
The benefits of SSO are plentiful, so keep reading as I explain them all.
Enhanced User Experience
SSO is the universal remote for all your applications, websites, and online services. You only need that one set of credentials to tap into all your applications.
Perhaps the main benefit of this universal remote is the improved user experience. One click gets you into all your apps. It saves time, makes you more productive, and minimizes frustration about passwords.
I used single sign-on with a company I previously worked for and it made my mornings seamless. Instead of having to log into nearly 10 different platforms to start my day, I simply signed in once and was ready to go.
Plus, I didn’t stress about forgotten passwords since I only had to remember one.
Enhanced Security
The first time I learned about SSO, I thought it was a security nightmare. It certainly sounds like putting all my eggs in one basket, right? If someone gets a hold of that one password, doesn’t that mean they can access all my apps?
I soon learned, however, it’s quite the opposite. Single sign-on enhances security in many ways.
Authentication becomes centralized, so an organization can turn on security measures such as multifactor authentication, device checks, and account lockout in one place and have them apply to every connected app. It also gives IT one place to disable a departing employee's access and one set of sign-in logs to review.
It’s also easier for people to remember one username and password, meaning they can make one strong password instead of a bunch of weak ones.
I’ve found that users are more open to things like multifactor authentication and complex password policies, too, all thanks to not having to mess with so many passwords.
Increased Productivity
I used to waste so much time logging into applications. I’d forget passwords, have to reset my credentials, or have to search for wherever I wrote down my credentials in the first place.
In short, having multiple passwords made me less productive.
SSO means you don't have to log in separately every time you want to access an app. It also cuts down on password resets and trips to the password manager.
Second by second, minute by minute, my productivity has improved, all thanks to single sign-on.
Simplified IT Management
If you work on an IT team, you should consider SSO to reduce password-related help desk calls and streamline the user account management process.
I’ve read about IT managers who implemented SSO only to find their password requests decreased by 50%.
The idea is to free up resources for your IT team. You can spend more time on helping users with other tasks. It’s also possible to focus on more strategic tasks instead of the thousandth password reset of the week.
And trust me, your IT team will thank you. No one wants to spend their precious time resetting passwords when they could be using their skills for better things.
Challenges and Risks of Single Sign-On
Thus far, I’ve spoken about SSO as if it’s an absolute godsend. I can’t deny its ease of use and ability to streamline your productivity and efficiency, but you’ll still encounter risks and challenges along the way.
I’ll outline those so you can prepare for the worst and be ready when challenges arise.
Implementation Complexity
Unless you're launching a new business, your organization probably already has an IT infrastructure with existing systems, apps, and services. That makes it tricky to configure SSO without causing issues with the current IT infrastructure.
Adding SSO to a current system is like renovating your home while living in it. You’re making drastic changes to a fully operational entity, so you need to be careful to minimize disruptions.
To mitigate issues with implementation complexity, I recommend assessing your needs long before trying to add a single sign-on solution. Is it necessary to add SSO to all your apps and services, or just a few?
It’s also wise to pick the right SSO solution, one that offers onboarding and easy installation, and preferably a no downtime guarantee with assistance from a dedicated representative.
Single Point of Failure
I mentioned this concern before. It’s a concern that probably everyone has about holding one master password for every single app they use. You’ve heard the phrase “don’t put all of your eggs into one basket,” and that’s exactly what you’re doing here.
SSO concentrates risk in one place. If someone obtains your master login credentials, or steals an active SSO session, they can get into every app the identity provider vouches for. The identity provider is also a single point of failure for availability: if it is down, nobody can log into anything that depends on it.
The trade-off is usually still worthwhile. People defending dozens of separate accounts tend to reuse weak passwords, and a compromise of any one of them is hard to notice, whereas one well-protected account can be given strong protections and watched closely. But the master credentials are a high-value target for phishing and credential stuffing, so treat them accordingly.
That means implementing extra security measures around the identity provider: multifactor authentication (preferably a phishing-resistant method), short session and token lifetimes, the ability to revoke sessions quickly, and continuous monitoring of sign-in activity.
Vendor Dependence
Vendor lock-in is a real concern for just about every type of technology. That’s particularly true for single sign-on because you’re relying on a third-party provider for a high-security operation. That brings up many risks.
With vendor dependence, you’re often stuck with what is provided in terms of features, customer support, and pricing. The solution? Carefully vet the SSO provider you intend to choose. And always have a contingency plan in case it doesn’t work out.
Regulatory Compliance
Although it seems like a huge pain to comply with regulations, these regulations protect your organization and its customers. Some examples include PCI-DSS, HIPAA, and GDPR.
If, for example, your business needs to comply with PCI-DSS for proper payment processing security and storage, SSO adds an entirely new level of complexity to your compliance efforts.
My suggestion is to first outline all compliance efforts you’ve already put forth. When evaluating SSO providers, be sure to find ones that meet regulatory requirements — the ones relevant to your industry or location.
Types of Single Sign-On Solutions
Much like a physical master key — which may come in key fob, passcode, or traditional key form — there’s no one-size-fits-all solution for SSO. One business may need an enterprise solution, while others might rather have a web-based or federated SSO. I’ll explain each type below.
Enterprise SSO
An enterprise SSO, one used for internal organizational applications, is what I consider the workhorse of the SSO world. The goal with an enterprise SSO is for employees to have access to a wide range of apps and systems that reside within the organization. And that’s all with just one set of credentials.
Some enterprise SSO providers include:
- Okta
- OneLogin
- CyberArk
- Ping Identity
- Microsoft Entra ID
Remember, enterprise SSO is all about keeping things inside one organization. So, an enterprise SSO comes in handy for small to large businesses, especially those with multiple departments and various apps and services.
As long as the systems remain inside the organization, employees can access them without using multiple user accounts.
Web-Based SSO
An enterprise SSO allows for logging into internal systems, most often local software and hardware. Yet, the world has made a drastic shift to cloud-based apps and software. Therefore, you may need a web-based SSO that helps you log into several web-based applications.
My favorite web-based SSO providers include:
- LastPass SSO
- Duo by Cisco
- AWS IAM Identity Center (formerly AWS Single Sign-On)
There’s also plenty of crossover, like how some enterprise SSO solutions fall under the web-based SSO category. Examples include OneLogin, Okta, and Microsoft Entra ID.
Overall, you’re most likely to consider a web-based SSO if your business already relies heavily on web or cloud-oriented systems.
Federated SSO
A federated SSO comes into play when you need to access applications across organizational boundaries.
This might involve accessing services that belong to another business, like a contractor or partner, or integrating resources across large-scale organizations with multiple locations — like how a school may have multiple departments in various locations.
Reputable federated SSO providers include:
- IBM Security Verify
- Shibboleth
- Centrify
- PingFederate
Again, you’ll find that federated SSO solutions cross over into the other categories. Some providers like Ping have multiple solutions, one of which offers federated SSO. Okta and OneLogin and Microsoft Entra ID either have a federated feature or a complementary solution for federated SSO.
Best Practices for Implementing SSO
I’ve made many mistakes in the past when it comes to passwords, login security, and SSO. But I’d like to use those mistakes to ensure that you have the best knowledge possible when implementing your version of single sign-on.
My best practices below will help you make your SSO as secure and streamlined as possible.
Strong Password Policies
With one set of master login credentials, you’re left with a single point of failure. It’s far more secure than multiple weak passwords, but you still have to create strong password policies so all the people in your organization keep their logins secure.
Here are my tips for creating and enforcing strong password policies:
- Don’t allow any reuse of passwords on other applications.
- Require password changes regularly. I recommend a policy of password changes every three months.
- Favor length over complexity rules: require a minimum length for all passwords, ideally 12 characters or more, and screen new passwords against lists of known-breached passwords rather than relying on special-character, uppercase, and number requirements alone.
Every SSO password serves as the master key to your entire organization. It makes life significantly easier for everyone in the building, so you should take the extra steps to make it as secure as possible, even if that means adding a few inconveniences.
Anything is better than having to remember dozens of sets of login credentials.
Multifactor Authentication (MFA)
Multifactor authentication, or MFA, adds a second check on top of the password, most often a one-time code from an authenticator app or a code sent to your smartphone or email inbox. You must then type in that code to get into the desired app. Codes delivered by SMS or email are better than nothing, but they can be phished or intercepted, so an authenticator app is preferable.
Stronger MFA goes beyond codes. It may use a fingerprint scan, or a physical security key (FIDO2/WebAuthn) that you plug into or tap against your device. Security keys are the strongest option because the login is bound to the real site, so a lookalike phishing page cannot replay it. They are worth the small extra effort for the accounts that unlock an SSO system, and critical for high-security applications.
SSO definitely simplifies the entire process of logging into an application, but you’re best off adding a little time to the login just to be safe. Yes, MFA makes logging in more tedious, but it’s perhaps one of the simplest ways to secure your SSO system, especially if you’re concerned about it leaving you with one point of failure.
Monitoring and Auditing
Although I wish I could say SSO is more of a “set and forget it” type configuration, that’s far from the truth. Sure, it makes signing in to apps easier, but you still want to audit and monitor all your organizational SSO activities to ensure the highest level of security.
Here’s what I recommend monitoring:
- Any modifications to access rights or user permissions
- Logins from unusual locations or at strange times
- Multiple failed login attempts
If you just bought a new home with the best lock on the market, you’d still want a security camera to keep an eye on how it all works. That’s how the process of monitoring and auditing helps maintain the most secure SSO system.
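To show what that monitoring looks like in practice, here is an added example (not from the original article or any vendor) that runs three detections over a handful of constructed identity-provider audit events: a permission change, a burst of failed logins against one account, and two successful logins from different countries too close together to be genuine travel. The JSON field names and the thresholds are assumptions, not any product's schema.

```python
"""Three detections over SSO audit events (added example; constructed data).

Field names (ts, event, user, result, ip, country, actor, detail) and the
thresholds are assumptions, not any identity provider's real schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed audit lines imitating an IdP feed (one JSON object per line).
SAMPLE_LOG = """\
{"ts":"2024-03-04T08:00:00Z","event":"login","user":"alice","result":"success","ip":"203.0.113.5","country":"US"}
{"ts":"2024-03-04T08:20:00Z","event":"login","user":"alice","result":"success","ip":"198.51.100.9","country":"RU"}
{"ts":"2024-03-04T08:30:00Z","event":"login","user":"bob","result":"failure","ip":"192.0.2.10","country":"US"}
{"ts":"2024-03-04T08:30:20Z","event":"login","user":"bob","result":"failure","ip":"192.0.2.10","country":"US"}
{"ts":"2024-03-04T08:30:40Z","event":"login","user":"bob","result":"failure","ip":"192.0.2.10","country":"US"}
{"ts":"2024-03-04T08:31:00Z","event":"login","user":"bob","result":"failure","ip":"192.0.2.10","country":"US"}
{"ts":"2024-03-04T08:31:20Z","event":"login","user":"bob","result":"failure","ip":"192.0.2.10","country":"US"}
{"ts":"2024-03-04T09:00:00Z","event":"role_change","user":"carol","actor":"admin","detail":"added to group Global Admins"}
{"ts":"2024-03-04T10:00:00Z","event":"login","user":"dave","result":"success","ip":"203.0.113.7","country":"US"}
{"ts":"2024-03-04T10:05:00Z","event":"login","user":"dave","result":"success","ip":"203.0.113.7","country":"US"}
"""


def parse_events(text: str) -> list:
    """Parse one JSON event per line, attach a UTC epoch seconds field 't', sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        stamp = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["t"] = stamp.timestamp()
        events.append(ev)
    return sorted(events, key=lambda e: e["t"])


def detect(events: list, fail_threshold: int = 5, fail_window_s: int = 300,
           travel_window_s: int = 3600) -> list:
    """Return human-readable findings for the three things the article says to watch."""
    findings = []
    failures = defaultdict(deque)   # per user: timestamps of recent failed logins
    last_success = {}               # per user: time and country of the last good login
    flagged_bruteforce = set()      # report each brute-force burst once
    for ev in events:
        # 1. Any change to access rights or permissions is worth a look on its own.
        if ev["event"] in ("role_change", "permission_change"):
            findings.append(f"privilege change on {ev['user']} by {ev.get('actor', '?')}: {ev.get('detail', '')}")
            continue
        if ev["event"] != "login":
            continue
        user = ev["user"]
        if ev["result"] == "failure":
            # 2. Sliding window of failures: password spraying / brute force.
            window = failures[user]
            window.append(ev["t"])
            while window and ev["t"] - window[0] > fail_window_s:
                window.popleft()
            if len(window) >= fail_threshold and user not in flagged_bruteforce:
                flagged_bruteforce.add(user)
                findings.append(f"{len(window)} failed logins for {user} within {fail_window_s}s from {ev['ip']}")
        else:
            # 3. Two successes from different countries inside the travel window.
            prev = last_success.get(user)
            if prev and prev["country"] != ev["country"] and ev["t"] - prev["t"] <= travel_window_s:
                minutes = int((ev["t"] - prev["t"]) / 60)
                findings.append(f"impossible travel for {user}: {prev['country']} -> {ev['country']} in {minutes} min")
            last_success[user] = {"t": ev["t"], "country": ev["country"]}
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

In a real deployment the country would come from a GeoIP lookup on the source address, and the failed-login rule is usually paired with a per-source-IP variant so a single address trying many accounts (password spraying) is caught as well as many attempts against one account. Dave's two logins from the same country produce nothing, which is the point: the rules are meant to surface the handful of events worth a human's time.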
Employee Training
A solid SSO system is only as good as the weakest password. Your employees need to understand the simplicity of SSO when compared to using dozens of usernames and passwords.
Even if that means using things like multifactor authentication, SSO is still a better option in terms of user experience. Training helps you communicate how to use SSO and its benefits.
SSO training should include information on:
- How to use the SSO system to log into accounts
- Why they need to keep their SSO credentials secure
- The process they should follow if their SSO account is compromised
Without training, you’re unleashing a new technology on people who already probably have numerous complaints about logging into applications. Training helps show that this is a solution to those issues, and it shows that you’re willing to answer any questions.
Real-World Use Cases of SSO
I can talk about SSO all day, but it’s often easier to understand its capabilities when you look at real-world use cases. In this section, I explain some common use cases that have helped organizations solve real problems.
Corporate Environments
The corporate world is filled with dozens, if not hundreds or thousands, of internal systems and applications, many of which reside in different locations and departments.
Large corporations need SSO, not only to keep their employees sane, but also to maintain a streamlined login process to the hundreds of systems.
Imagine a corporate employee walking into the office and having to log into their email, expense reporting system, and customer relationship management software with three different usernames and passwords.
Then, what if they forgot one of the passwords? That’s potentially 15 minutes or more of wasted time each morning. In addition, SSO allows IT to keep security centralized, like being able to disable an account the second someone leaves the company.
Educational Institutions
Picture a university with multiple satellite schools, departments spread throughout the state, and even extra campuses for things like hospitals and health centers.
Staff and students need easy access to these spread-out systems. With a simple password and username process, you’re bound to encounter countless security issues.
Single sign-on works to help students and staff log into learning platforms with ease. It also alleviates the numerous ticket requests for the school’s IT staff for password changes.
Whether a staff member needs to tap into a digital research library, or a student simply wants to log into their email, SSO is there to streamline the entire process.
Consumer Applications
Consumer applications — think social networks, online storage, eCommerce apps, and messaging apps — handle millions of users, all of whom need to log into their accounts regularly.
Because people use these services so much, companies like Google, Apple, Facebook, Amazon, and Microsoft have become identity providers themselves, letting you log into other apps with the account you already have there. Under the hood these buttons use OAuth 2.0 and OpenID Connect.
Nowadays, I regularly see buttons like “Log in With Apple” or “Log in With Google” or “Log in With Amazon.” Those are examples of consumer applications functioning as single sign-on tools.
For instance, you might use your Apple or Facebook login credentials to log into dozens of other unrelated apps, making it so you only have to remember and secure the one set of credentials.
Future Trends in Single Sign-On
Single sign-on has made significant advancements to help you improve efficiency and security for logging into accounts. Those advancements aren't slowing down. In the future, I expect new trends like biometric integration, zero-trust security models, and AI in authentication.
Biometric Integration
Biometrics involve logging into accounts using physical cues like fingerprints, eye scans, or facial recognition. I’ve seen biometrics become popular for logging into some devices like iPhones, but there’s still more room for improvement in terms of SSO.
It's not hard to imagine a near future where you log into all your devices and apps with your fingerprint or iris scan instead of a password. The identity provider still issues the token; what changes is that the biometric (typically unlocking a passkey stored on your device) replaces the password as the thing the identity provider checks, which removes the phishable secret from the flow.
Zero-Trust Security Models
A zero-trust security model says, "never trust, always verify." That means the system checks every request based on who the user is, what device they are on, and what they are asking for, regardless of whether they are inside the corporate network.
Combining a zero-trust model with SSO moves away from the "authenticate once, trusted for the rest of the session" pattern toward continuous verification: the identity provider keeps re-evaluating signals such as device health, location, and unusual behavior while the session is active, and can demand re-authentication or cut the session short.
AI in Authentication
I assume that just about every SSO provider will eventually add artificial intelligence features to its authentication process. Features may include detection tools for preventing unauthorized access, or even an AI that learns your usual login behaviors for speedier authentication.
I see the use of AI in SSO as having a smarter doorman who can identify you by very specific attributes, like the device you use or applications you access or the times you access them.
Single Sign-On: Improve Your Relationship with Passwords
From streamlining your personal login process (with SSO from consumer applications) to improving corporate IT environments, single sign-on providers offer a combination of simplicity and security for accessing apps and services.
In my experience, SSO is a lifesaver. But I encourage you to pick an SSO provider based on significant research.
And don’t just forget about security after all that. It’s essential to implement strong password requirements, use multifactor authentication, and train your employees on this exciting new technology.