How Does Single Sign-On Work? An In-Depth Explanation
Basic Knowledge of SSO (Single Sign-On): How It Works and the Types of SSO
In recent years, the number of services and websites that use SSO has been increasing, and it is important to understand how SSO works in order to use it safely. This article explains the basic structure of SSO, the main methods used to implement it, and its benefits and risks.
SSO stands for Single Sign-On. With SSO, a user logs in to one application and is then signed in to other applications automatically, regardless of the platform, technology, or domain each application uses. The user signs in only once, which is where the name comes from.
Normally, each system authenticates the user itself. With SSO, the user is authenticated once by the SSO service, which acts as the central user authentication service, and is then granted access to multiple applications without further logins, provided the user has the appropriate access privileges in each of them. Note that SSO centralizes authentication (who the user is), not authorization (what the user may do); each application still enforces its own access control.
In a basic web SSO service, an agent module on the application server obtains the user's authentication state from a dedicated SSO policy server, which in turn authenticates the user against a user repository such as a Lightweight Directory Access Protocol (LDAP) directory.
What is the difference between SSO and non-SSO login credentials?
With SSO, one set of credentials, verified once by the SSO service, grants access to every connected application. Without SSO, each application keeps its own account, and the user must log in to each one separately, every time.
A related but distinct property is single sign-off (sometimes called single logout): a single sign-out action terminates the user's sessions in all of the connected systems. SSO does not automatically provide single sign-off; it has to be implemented deliberately, otherwise a user who logs out of the SSO service may remain logged in to individual applications until their local sessions expire.
Main Authentication Methods
There are four main types of Single Sign On.
They are the proxy authentication method, the reverse proxy method, the agent method, and the SAML authentication method.
Proxy authentication method
In the proxy authentication method, an agent installed on the client monitors for the login screen of each system and enters the user's credentials on the user's behalf whenever that screen appears. This method places few requirements on the target systems and is relatively easy to introduce. However, an agent must be installed on every client so that it can monitor the screen at all times, and the agent needs access to a store of the user's account credentials. That credential store is a high-value target and must itself be protected (encrypted at rest and unlocked only after the user authenticates to the agent).
Reverse proxy method
The reverse proxy method achieves SSO by authenticating the user at a relay server, the reverse proxy, and routing all access to the target systems through it. Because every request passes through the reverse proxy, it can become a performance bottleneck and is a single point of failure. The network must also be built so that the target systems are reachable only through the reverse proxy: if a back-end system can be reached directly, the authentication enforced at the proxy is bypassed. On the other hand, because no agent has to be installed on the target systems, SSO can be introduced without modifying them.
Agent method
In the agent method, an agent is installed on each target system and SSO is achieved through a session cookie: after the user authenticates to the SSO server, the server issues a signed cookie, and the agent on each application server validates that cookie on every request instead of asking the user to log in again. This requires the applications to share a cookie domain (or for the agent to obtain the cookie through a redirect to the SSO server). Compared to the reverse proxy method, this method is less likely to create a bottleneck from concentrated traffic and does not require network changes, but an agent must be installed on every system.
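The following is an added example, not code from the original article or from any product it mentions, that shows the core of the agent method: the SSO server issues an HMAC-signed session cookie, and an agent on each application server validates it locally. The shared secret, the application names, the token lifetime and the payload layout are all assumptions chosen for illustration; a real deployment would load the secret from a secrets manager and typically use a standard token format.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Assumed values for the example. The secret is shared by the SSO server and
# every agent; in production it comes from a secrets manager, never from code.
SSO_SECRET = b"example-shared-secret-do-not-use-in-production"
TOKEN_TTL_SECONDS = 900  # assumed SSO session lifetime (15 minutes)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_sso_cookie(user: str, apps: List[str], now: Optional[float] = None) -> str:
    """SSO server side: after the user has authenticated, mint the session cookie.

    The payload records who the user is ("sub"), which applications the cookie
    is valid for ("aud") and when it expires ("exp"). The HMAC tag over the
    encoded payload lets each agent detect any modification.
    """
    now = time.time() if now is None else now
    payload = {"sub": user, "aud": apps, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SSO_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(tag)}"


def agent_verify(cookie: str, this_app: str, now: Optional[float] = None) -> Optional[dict]:
    """Agent side: validate the cookie without a round trip to the SSO server.

    Returns the payload when the cookie is authentic, unexpired and intended
    for this application; returns None otherwise (the agent then redirects the
    user to the SSO login page).
    """
    now = time.time() if now is None else now
    try:
        body, tag_b64 = cookie.split(".", 1)
        expected = hmac.new(SSO_SECRET, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison: a plain == comparison leaks timing information.
        if not hmac.compare_digest(expected, _b64url_decode(tag_b64)):
            return None  # tampered or forged
        payload = json.loads(_b64url_decode(body))
        if now >= int(payload["exp"]):
            return None  # expired session
        if this_app not in payload["aud"]:
            return None  # valid cookie, but not issued for this application
        return payload
    except (ValueError, KeyError, TypeError, UnicodeError):
        return None  # malformed cookie


if __name__ == "__main__":
    cookie = issue_sso_cookie("alice", ["hr", "wiki"])
    print("hr agent accepts:", agent_verify(cookie, "hr") is not None)
    print("payroll agent accepts:", agent_verify(cookie, "payroll") is not None)
```

The audience list is what keeps a cookie stolen from one application from being replayed against another, and the expiry bounds the damage if it is stolen at all; both checks are as important as the signature itself.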
SAML authentication method
The SAML method uses SAML, which stands for Security Assertion Markup Language, an XML-based standard for exchanging authentication information between different security domains (for example, between a company and a SaaS vendor). Two parties are involved: the Identity Provider (IdP), which authenticates the user, and the Service Provider (SP), which provides the service. If the SP supports SAML, it can accept a signed authentication assertion issued by a SAML-capable IdP instead of authenticating the user itself. The SP must verify the IdP's signature on the assertion and check that the assertion was issued for this SP, is within its validity period and has not been used before.
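As an added example (not code from the original article or from any SAML library), the checks an SP performs on a received assertion after the XML signature has been verified: issuer, replay, validity window, audience and subject confirmation. The sample assertion, the IdP and SP identifiers and the clock-skew tolerance are all constructed for illustration. Signature verification itself (XML-DSig with canonicalization) is assumed to have been done beforehand by a dedicated library and is out of scope here; in production the XML should also be parsed with a hardened parser such as defusedxml, since the input comes from the network.

```python
import xml.etree.ElementTree as ET  # assumption: use defusedxml for untrusted input in production
from datetime import datetime, timedelta, timezone
from typing import Set, Union

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance for IdP/SP clock drift

# Constructed sample assertion (not captured from any real IdP). The Signature
# element is omitted: this example assumes it has already been verified.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.com/acs" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """Parse the UTC ISO-8601 timestamps SAML uses (e.g. 2024-01-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _text(parent, path: str) -> str:
    el = parent.find(path, NS)
    if el is None or not (el.text or "").strip():
        raise ValueError(f"missing element {path}")
    return el.text.strip()


def validate_assertion(xml_text: str, *, expected_issuer: str, sp_entity_id: str,
                       acs_url: str, request_id: str, now: Union[str, datetime],
                       seen_ids: Set[str]) -> str:
    """Validate a (signature-verified) SAML assertion; return the subject NameID.

    Raises ValueError on any failed check. `seen_ids` is the SP's store of
    already-consumed assertion IDs, used to reject replays.
    """
    if isinstance(now, str):
        now = _ts(now)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("document is not a SAML 2.0 Assertion")

    # 1. Issuer: only the IdP this SP is federated with may authenticate users.
    if _text(root, "saml:Issuer") != expected_issuer:
        raise ValueError("unexpected Issuer")

    # 2. Replay: each assertion ID may be accepted exactly once.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise ValueError("assertion replayed or missing ID")

    # 3. Validity window (NotBefore <= now < NotOnOrAfter, allowing clock skew).
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("missing Conditions/NotOnOrAfter")
    not_before = cond.get("NotBefore")
    if not_before and now + CLOCK_SKEW < _ts(not_before):
        raise ValueError("assertion not yet valid")
    if now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")

    # 4. Audience: an assertion issued for another SP must not be accepted here.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not intended for this SP")

    # 5. Subject confirmation: bound to our ACS endpoint and to the request we sent.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        raise ValueError("missing SubjectConfirmationData")
    if scd.get("Recipient") != acs_url:
        raise ValueError("Recipient does not match this SP's ACS URL")
    if scd.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match the outstanding request")
    if scd.get("NotOnOrAfter") is None or now - CLOCK_SKEW >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")

    seen_ids.add(assertion_id)
    return _text(root, "saml:Subject/saml:NameID")
```

Skipping any one of these checks is a classic SP bug: without the audience check an assertion obtained from the IdP for one SaaS application can be replayed to another, and without the replay check a captured assertion stays usable until it expires.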
History of SSO
The first SSO implemented in a distributed computing environment was Kerberos, developed at MIT in the 1980s. Authentication information is managed centrally by a Key Distribution Center (KDC); after the user authenticates with a shared secret key, the KDC issues tickets that serve as proof of authentication to the other services.
In the early 1990s, the Distributed Computing Environment (DCE), originally from the Open Software Foundation and later maintained by The Open Group, established an authentication infrastructure for UNIX distributed environments built on Kerberos. The same combination of a Kerberos authentication service with an LDAP directory was later adopted in Windows Server as Active Directory and is still in use today.
The need for SSO in the web environment emerged in the late 1990s. In response, web SSO packages from independent software vendors (ISVs) were launched around 2000, and web SSO came into use mainly on corporate intranets.
Subsequently, as web services have become more extensive, specifications for federated SSO, which enables SSO between different domains, have been developed and continue to be used today.
Benefits of SSO
There are three main benefits of SSO.
Reduce login hassle
The first is that it reduces the time and effort required to log in. Traditionally, users had to log in for each service, but SSO allows users to log in once and then use other services.
Easy password management
Second, password management becomes easier. Previously, each service required its own password, so users had to manage as many passwords as they had services; with SSO, a single credential is enough. This also simplifies administration: when an employee leaves the company, disabling their single identity at the SSO service revokes their access to every connected application at once, instead of requiring an account to be deleted in each service.
Improved security
Third, SSO is an effective security measure. When users have many passwords, each one tends to be weak or reused. When only one is needed, it can be long and unique, and protections such as multi-factor authentication need to be applied in only one place.
Risks of SSO
There are three major risks of SSO.
Risk of leakage of login information
The first is that the impact of leaked login information is greater. Previously, a leaked password exposed only that one service, but if the SSO credential is leaked, every service connected to SSO could be accessed. This is why the SSO login itself should be protected with multi-factor authentication and its sessions kept short.
Impact of SSO system outage
Second, the SSO service is a single point of failure: if it goes down, all connected systems become unavailable for new logins. When the authentication system is taken down for maintenance or suffers an outage, the impact is therefore significant, and availability of the SSO service must be planned accordingly.
Some services are unavailable
Third, there are some services that are not available. Some services only support a particular method of SSO, while others do not support SSO at all. Therefore, depending on the type of service, some modifications may be necessary.
Key points of SSO implementation
First, it is necessary to check whether SSO is available for the system you are trying to implement, and if so, which methods are supported.
If not, the system will need to be modified, which can be costly.
In addition, there will be running costs when SSO is implemented. It is important to fully compare these costs with the benefits of implementing SSO.
SSO can increase security, but if you require that every service be managed centrally through SSO, the services available to your employees will be limited to those that support it.
Be sure to introduce a system that balances business efficiency and security.
Frequently Asked Questions
How Does SSO Work?
SSO simplifies user access across multiple applications by replacing the need for multiple passwords. Its central piece is the authentication token (a cookie, ticket or assertion, depending on the method) that the SSO service issues after login and that each application validates; that token is the link between the user and access to the applications. SSO is a robust alternative to traditional password managers, offering secure, seamless access across a variety of services. The sections above cover the key advantages and potential pitfalls of this widely used technology.