Guide: SSO

Single Sign-On (SSO) for SaaS

What Is SSO (Single Sign-On)?

Single sign-on (SSO) is a form of authentication that allows users to access multiple applications using a single set of login credentials, such as names and passwords. Organizations use SSO to manage a portfolio of applications across one or more websites, and enable convenient and secure access to them.

In a typical SSO service, when a user connects for the first time, an agent running on the application server retrieves user credentials from an SSO policy server, and authenticates the user against a user directory such as Lightweight Directory Access Protocol (LDAP). From that point onwards, the SSO service can authenticate end users for all applications it has rights to, and the user does not need to authenticate again with every subsequent application.

This is part of an extensive series of guides about network security.

In this article:

How Does SSO Authentication Work?

Whenever a user logs in to the SSO service, the service generates an authentication token to remember the user for subsequent connection attempts. An authentication token is a piece of digital information stored in a user’s browser, or in the SSO service. Any application the user accesses queries the SSO service—the service passes the user’s authentication token, and the application allows the user to log in. If the user is not already logged in, they are prompted to authenticate via the SSO service.

The SSO service typically does not store user IDs. Most SSO services work by matching a user’s credentials with other identity management services. Thus, the SSO service is an intermediary that verifies a user’s login credentials match a known identity in a user directory, without having to manage that directory itself.

Learn more in our detailed guide about SSO authentication

SSO Benefits and Challenges

The benefits of single sign-on are:

  • Password fatigue—reducing the need to remember different usernames and passwords.
  • Faster login—reducing the time to re-enter passwords whenever the same user logs in.
  • Third-party risk—mitigating the risk associated with accessing third-party websites (i.e., federated authentication) and avoiding the external storage and management of user passwords.
  • IT costs—reducing the number of calls to the IT help desk, thus lowering costs.
  • Simple admin—SSO processes are transparent and involve the same tools used for other admin tasks. 
  • Control—all network management data is in one repository, providing a unified source to control user privileges. Admins can easily modify access privileges throughout the network. 
  • Productivity—users avoid disruptions and delays due to multiple logins or managing multiple passwords. They can access protected network areas easily and get back to work immediately. 
  • Network security—complex password management is a common cause of security breaches because users often write down the passwords. By consolidating the network access data, admins can confidently disable user accounts. 
  • Network consolidation—admins can connect separate networks to consolidate their management efforts and oversee all diverse, distributed environments. 

Single sign-on uses the same authentication server as the other systems and applications involved in the authentication process. It combines standard authentication with a configuration that allows users to reuse credentials across the network. 

However, there are also challenges to consider when using SSO:

  • Global Access — SSO allows users to access many network resources easily after the initial authentication. This global access also makes it easier for malicious actors to cause damage if they manage to compromise a user’s credentials. SSO techniques require strong measures to protect user credentials, ideally with OTP tokens or smart cards for initial authentication. 
  • Dependence on the Authentication System — With SSO, any loss in an authentication system’s availability can disrupt the network’s performance and block access to network resources. The SSO configuration should include failover measures to keep the system operational. This risk makes single sign-on unsuited for critical systems that require high availability (e.g., security systems).
  • Social Media Blocking — SSO techniques that utilize social networking services like Facebook can make third-party websites unusable in a workplace or school that blocks access to social media websites (often to increase productivity). It also creates difficulties for organizations in countries with Internet censorship, like China, which blocks social media logins. 

How Secure Is SSO?

Single sign-on is not a perfect solution for all use cases. Some challenges involved in SSO implementation include managing costs, standardization (OAuth or SAML), control, and security. Authentication vulnerabilities (i.e., the “Sign In with Apple” and Microsoft OAuth flaws) allow attackers to sign into a web service or site, posing as the target user. 

It is also important to consider how SSO platforms integrate into an organization’s overall IT architecture. Organizations must carefully configure their SSO solutions to maintain their security posture. In some cases, SSO systems block the ability of security solutions to detect a user’s origin IP address when attempting to log in to the system. 

On the other hand, single sign-on can provide stronger security than some alternatives used to control access to an organization’s services. For example, some companies require users to keep separate logins for each service, introducing other security issues. 

SSO helps reduce the IT infrastructure’s attack surface. Users don’t have to remember multiple passwords, and they don’t have to enter credentials several times a day. The centralized admin approach allows administrators to implement stronger security measures like MFA and good password practices. SSO does not make the infrastructure less secure and often helps increase security.

5 SSO Protocols and Standards

When identifying and operating SSO, you need to be aware of the different protocols and standards. These include:

1. Security Access Markup Language (SAML)

SAML is an open standard for encoding text into machine language and exchanging identifying information. It has become one of the core standards for SSO and is used by many application providers to validate authentication requests. SAML 2.0 is optimized for web applications and can send information through a web browser.

2. Open Authorization (OAuth)

OAuth is an open standard authentication protocol that encrypts identity information and transmits it securely between applications. This allows users to access data from other applications without having to manually verify their identity. This is especially useful for native mobile applications.

3. OpenID Connect (OIDC)

OIDC is an extension of OAuth 2.0, which adds information about users and enables SSO. This allows multiple applications to use one login session. For example, users can log into a service using their Facebook or Google account instead of entering their credentials.

4. Kerberos

Kerberos is a ticket-granting protocol that allows mutual authentication, enabling a user and a server to authenticate each other over an insecure network connection. It is commonly used for authentication in Windows environments and for software applications like email clients.

5. Physical Token Authentication

In addition to traditional SSO, many organizations use physical tokens to allow users to securely connect to applications. The token typically requires the user to input a PIN, to enable two-factor authentication. Software on the computer interacts with the encryption key on the smart card to authenticate the user. Smart cards are considered very secure, but they can still be obtained by attackers (for example, if the user loses the card), and are expensive to deploy.

Learn more about SSO providers that implement one or more of these standards:

Social Logins vs. Enterprise SSO

Many popular social media services, including Google, LinkedIn, Twitter, and Facebook, provide SSO services. These services allow end-users to log into third-party applications using their social media authentication credentials. While social single sign-on is convenient for users, it can also pose a security risk, by creating a single point of failure that attackers can exploit.

Many security experts say that social logins are not appropriate for enterprise access control, because if an attacker compromises the user’s social credentials, they can use those credentials to access multiple organizational systems. 

Enterprise SSO is a single sign-on solution that gives end users secure one-click access to all enterprise applications, validating users against a trusted identity provider controlled by the organization. This allows the organization to implement more stringent measures to prevent identity theft. For added security, businesses can also implement multi factor authentication (MFA) or adaptive MFA.

Best Practices for Implementing and Managing SSO Solutions

Here are some best practices to help organizations choose and configure a single sign-on solution.

Learn more in our guides about: 

Identify Infrastructure Points Requiring SSO Intervention

Organizations must investigate all third-party services and applications they use, including the services exposed to external partners. Admins must assess this information to determine which applications require SSO-enabled access. Considerations such as who uses the service, the frequency of access, and each asset’s criticality will determine the need for SSO. 

Determine the Application’s Compatibility with the SSO Solution

Not every application integrates well with every SSO solution. Organizations should choose applications that support SSO functionality regardless of the protocol packaging user data (i.e., OAuth, SAML, Kerberos). 

Some organizations have an architecture heavily based on tunneling technologies like web proxies or VPNs. In these cases, SSO solutions can mask the original IP address from which users attempt to sign in. A VPN server can usually only access specific users, so placing an SSO server in front of it might create confusion regarding the IP addresses. 

Establish User Privilege and Access Policies

SSO unifies access to multiple services and applications into one authentication process, so it is essential to ensure users only have access to what they need. Organizations must set user and application groups and configure policies to implement access control to help close security gaps.

The SSO platform must allow administrators to set different access policies for different users and applications. Most organizations achieve this with an identity and access management (IAM) system coupled with SSO technology. SSO solutions often come prepackaged with IAM capabilities.

Prioritize Central Administration

SSO makes password management easier and prevents password fatigue from obstructing users’ access to network services. While this helps increase productivity, it places the burden of managing access control squarely on the administrators. The SSO solution should have a unified dashboard providing access to all services and applications, whether in the cloud or on-premises. 

Admins can leverage real-time access logs and reports to identify and troubleshoot threats. This information allows them to analyze users’ behavior to prevent the misuse of access privileges. 

Ensure the SSO Implementation Supports Compliance 

Many industries are subject to data privacy and other security regulations. For instance, the healthcare industry has HIPAA regulations that apply to all hospitals, medical labs, and research centers. Organizations must secure user data and other sensitive information and provide audit trails. 

An SSO solution must therefore retain all details about user sessions and activity. and session details. Properly implemented, SSO can help companies comply with data privacy and access regulation requirements.

Use Multiple Authentication Mechanisms

Multi-factor authentication is probably the most critical security practice for ensuring safe single sign-on. SSO provides a single access point, making it crucial to protect. SSO solutions must support integration with multiple forms of authentication. MFA prevents hackers from compromising and exploiting an organization’s system by stealing user credentials. 

Ideally, the SSO page should have username and password fields and at least one other authentication method. Attackers find it much harder to breach the added authentication layer provided by a one-time password, automatically generated key token or biometric identification.

SSO with Frontegg 

Once you integrate Frontegg’s self-served user management solution, your customers can configure their SSO completely on their own with just a few lines of code. The single sign-on can be integrated with IDPs with commonly-used protocols like OIDC and SAML. Yes, you can implement social login SSOs as well. The front end has been taken care of as well. You can leverage all of Frontegg’s SSO components and personalize your SaaS offering with a customizable login box. This embeddable box reduces in-app friction and allows users to authenticate smoothly and gain quick access to the app. A true end-to-end SSO solution.