Article

How single sign-on (SSO) works

Access ManagementSecurity
Time to read: 12 minutes

What is single sign-on?

Single sign-on, sometimes referred to as SSO, is a type of authentication that allows users to use a single set of login credentials (e.g., username and password) to access multiple applications, websites, or services. Unlike other access control options, single sign-on can be used by small, medium, and enterprise organizations to eliminate the need to log in multiple times or remember numerous passwords.

How single sign-on works

Single sign-on is based on a federated identity management arrangement (sometimes referred to as identity federation) between multiple trusted domains (e.g., an organization that allows its users to use the same identification data to access all resources). Trusted domains are used by local systems to authenticate users.

Single sign-on uses open standards, such as Security Assertion Markup Language (SAML), OAuth, or OpenID, to allow users’ account information to be used by third-party services (e.g., websites, applications) without exposing their passwords. The identity information is forwarded as tokens that contain information about users, such as their email or username.

Following is a summary of the single sign-on process.

  1. The user opens the website or application, and if they are not logged in, they are presented with a login prompt with a single sign-on option.
  2. The user enters their login credentials (e.g., username and password) into the sign-in form.
  3. The website or application generates a single sign-on token and sends an authentication request to the single sign-on system.
  4. The single sign-on system checks the trusted domain to determine if the user has been authenticated.
  5. If the user has not been authenticated, they will be sent to a login system to authenticate using login credentials.
  6. If the user has been authenticated, a token is returned to the website or application to confirm the successful authentication and grant the user access.

If a user enters incorrect credentials, they will be prompted to reenter them. Usually, multiple failed attempts result in the user being blocked for a certain period of time or locked out entirely after too many attempts.

Single sign-on tokens

A single sign-on token is a digital file used to pass a collection of data or information between systems during the single sign-on process. It contains user-identifying information, such as a username or email address, and information about the system that sends the token.

To ensure that tokens originate from a trusted source, they must be digitally signed. During the initial single sign-on configuration process, the digital certificate is exchanged.

Single sign-on and security

Single sign-on is widely used because it simplifies access and eliminates proliferating usernames and passwords that cause headaches for users and administrators—especially in enterprises with hundreds or thousands of applications. However, single sign-on is not without risks.

Organizations that implement single sign-on need to account for and mitigate risk, since a single set of credentials can provide unauthorized access to multiple applications and processes. Commonly security concerns cited regarding single sign-on include:

  1. Account hijacking
  2. Data breaches that cause can result in data leaks, data loss, and financial loss
  3. Identity spoofing
  4. Session hijacking

Two effective security measures that can be implemented alongside of single sign-on to provide protection exploitation are identity governance and multi-factor authentication.

Identity governance

Identity governance is a policy-based initiative that helps administrators better manage and control single sign-on access. Identity governance provides admins with comprehensive visibility into which employees have access to what systems and data, as well as to detect weak credentials, inappropriate access, and policy violations.

Admins use identity governance tools to change, revoke, or remove varying levels of access if there is suspicion (or proof) that a user’s single sign-on credentials have been compromised.

Multi-factor authentication (MFA)

Implementing multi-factor or two-factor authentication (2FA) with single sign-on helps keep trusted domains secure. This is because additional identity verification beyond single sign-on credentials is required to gain access. Multi-factor authentication can be deployed across all accounts linked by single sign-on to provide maximum protection.

How to implement single sign-on

  1. Establish objectives for the single sign-on implementation.
  2. Determine users and requirements.
  3. Assess existing capabilities and identify gaps.
  4. Define access control and other requirements.
  5. Be sure that the organizations’ IT architecture can support single sign-on and make adjustments to address deficiencies.
  6. Create a list of solutions that meet the core criteria.
  7. Perform an evaluation of options to identify the optimal solution.
  8. Work with IT and security teams to ensure that the single sign-on implementation meets both user and IT requirements.

Types of SSO

Enterprise single sign-on

Sometimes referred to as E-SSO, enterprise single sign-on is implemented in enterprise application integration (EAI) environments. Enterprise single sign-on allows users to access all applications, whether they are on-premises or cloud hosted, with a single set of sign-in credentials.

With enterprise single sign-on, administrators procure credentials when users initially log in and automatically use them to authenticate subsequent logins to other applications and systems. By centralizing usernames and passwords, enterprise single sign-on frees administrators from time-consuming username-password management tasks. Depending on controls set by administrators, users can grant access to applications for certain amounts of time without admin support.

Federated single sign-on

Federated single sign-on uses industry-standard SSO protocols to grant users to gain access to websites without authentication barriers. It expands standard single sign-on by uniting multiple groups under a centralized authentication system. Federated single sign-on can be used to provide access to multiple systems within a single enterprise or disparate enterprises.

Mobile single sign-on

With mobile single sign-on, a single identity can provide access to multiple connected mobile applications. Access tokens are stored in a mobile device operating system’s keychain, allowing active sessions to be recognized.

Smart card single sign-on

Rather than relying on digital tokens and software, smart card single sign-on uses a physical card for user authentication. Smart card single sign-on requires a user to use the credentials stored on the card for their initial login. To get information from the card, a reader is required, and cards need to either have a magnetic strip or a contactless method of data transfer.

Web single sign-on

With web single sign-on, users can access multiple connected websites with one login. Once a user logs into one property, they can move from one to another, and they will be recognized, authenticated, and trusted.

Web single sign-in is commonly used for applications that are accessed from websites. There are two primary techniques for setting up web single sign-on.

  1. Single sign-on is managed within the web application or agents in protected applications. A significant challenge to this method is that it requires applications to be modified for the single sign-on agent, and the application must be visible from the user’s web browser.
  2. Single sign-on uses a reverse proxy to manage authentication data in the application to allow single sign-on processes to function independently of the web servers. In this case, the reverse proxy acts as an intermediary, managing access and enabling the single sign-on process.

Selecting a single sign-on solution

Considerations when selecting a single sign-on solution will vary by organization and use cases, but the following are some basics to factor into the evaluation process.

Organizational considerations

  1. Does the single sign-on solution address the organization’s use cases?
  2. Does the solution support IT resources requiring single sign-on (e.g., applications, devices, networks)?
  3. Is this an appropriate short-term single sign-on solution that can be replaced with an acceptable amount of disruption and burden on IT?
  4. Will the single sign-on solution be able to scale to meet forecasted requirements?
  5. Will the single sign-on solution work well with other security systems?

Single sign-on functionality considerations

  1. Authentication options, such as support for multi-factor authentication, adaptive authentication, automatic forced authentication, and via lightweight directory access protocol (LDAP)
  2. Behavioral analytics and response, such as blacklisting or whitelisting internet protocol (IP) addresses, setting responses to counter brute force attempts, and provisions for re-authenticating users
  3. Compliance with security standards, such as ISO 27017, ISO 27018, ISO 27001, SOC 2 Type 2, and laws (e.g., General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA))
  4. Federation capabilities to enable deployment using preferred identity providers, such as Microsoft Active Directory and Google Directory
  5. Flexible password validation options, such as customizable password expiration limit, password complexity, and expiration notifications
  6. Mobile-ready single sign-on capabilities to enable out-of-the-box support for mobile devices
  7. Pre-built and custom connections to Security Assertion Markup Language (SAML) applications
  8. Authentication using open standard protocols, such as JSON Web Token (JWT), Kerberos, Open Authorization (OAuth), OpenID Connect (OIDC), and SAML
  9. Support for developers, such as adequate lifecycle management application programming interface (API) support and software development kits (SDKs) for major platforms

Single sign-on benefits

  1. Centralizes the process of access to websites, applications, and other accounts, including provisioning and decommissioning
  2. Enhances productivity by streamlining access to resources
  3. Expands adoption of company-promoted applications by making them more easily accessible
  4. Facilitates user access auditing by providing robust access control to all types of access-related data
  5. Frees users from the struggle of choosing strong passwords for multiple accounts
  6. Helps organizations comply with data security regulations
  7. Improves security posture by minimizing the number of passwords per user
  8. Maintains secure access to applications and websites
  9. Makes it possible for applications to have other services authenticate users
  10. Minimizes the risk of poor password habits
  11. Prevents shadow IT by allowing IT admins to improve monitoring of user activities on workplace servers
  12. Provide a better customer experience
  13. Reduces costs by cutting down on outreach to IT help desks regarding password issues
  14. Removes login credentials from servers or network storage to reduce cyber risk
  15. Strengthens password security

SSO protocols

Single sign-on validates and authenticates users’ credentials using different open standards and protocols, including the following.

JSON web token (JWT)

JSON Web Token, or JWT, is a single sign-on protocol widely used in consumer-facing applications. This open standard (RFC 7519) is used to transmit information for single sign-on as JSON objects securely.

Kerberos

A ticket-based authentication system, Kerberos enables multiple entities to mutually verify their identity using encryption to prevent unauthorized access to the identification information. Using Kerberos for single sign-on capabilities, after credentials are validated, a ticket-granting ticket is issued and is used to retrieve service tickets for other applications that the authenticated users need to access.

Open authorization (OAuth)

With OAuth, or Open Authorization, applications can access user information from other websites without providing a password. OAuth is used in place of passwords to gain permission to access password-protected information. Instead of requesting user passwords, applications use OAuth to gain user permission to access password-protected data.

OpenID connect (OIDC)

Standardized by the OpenID Foundation and based on the OAuth 2.0 framework, OpenID Connect (OIDC) is authentication that provides a decentralized approach to single sign-on. With OIDC, the website or application authenticates user credentials. Rather than passing a token to a third-party identity provider, OpenID Connect has the website or application request additional information to authenticate users.

Security assertion markup language (SAML)

SAML, or Security Assertion Markup Language, is a protocol websites and applications use to exchange identification information with a single sign-on service using XML. SAML allows users to log in once to a network before being granted access to all applications on that network.

With SAML-based single sign-on services, applications do not need to store user credentials on their system, making it more flexible and secure than other options. It also addresses issues that IT administrators have when trying to implement single sign-on with lightweight directory access protocol (LDAP).

Single sign-on use cases

Single sign-on with multi-factor authentication

Used in conjunction, single sign-on and multi-factor authentication make authentication simple and secure. This combination maintains enhanced security while increasing accessibility to applications and websites and reducing the time admins must spend providing and controlling access.

Single sign-on and LDAP

Commonly used to store users’ credentials, LDAP’s single sign-on functionality can be used to manage LDAP databases across multiple applications.

Single sign-on for remote teams

The widespread adoption of remote work has expanded the use of single sign-on to nearly all IT resources. Single sign-on is widely used because it transcends other identity and access management systems. It offers an operating system / platform agnostic, protocol-driven, cloud-based approach to access authentication and authorization.

Single Sign-One Makes Authentication Easier for Users and Admins

Single sign-on is a technology that has streamlined workflows and improved productivity for users and admins. With multiple deployment options, single sign-on can fit nearly any use case. By eliminating the headaches and vulnerabilities of password sprawl, single sign-on has proven to be a popular tool in IT security.

Take control of your cloud platform.

Learn how SailPoint integrates with authentication providers.

Mark and Sumit

S1 : E2

Identity Matters with Sumit Dhawan, Proofpoint CEO

Join Mark McClain and Sumit Dhawan to understand the future of cybersecurity and how security teams can support CISO customers in the midst of uncertainty.

Play podcast
Mark and Ron

S1 : E1

Identity Matters with Ron Green, cybersecurity fellow at Mastercard

Join Mark McClain and Ron Green to understand the future of cybersecurity and the critical role identity security plays in safeguarding our digital world.

Play podcast
Dynamic Access Roles

Dynamic Access Roles

Build the next generation role and access model with dramatically fewer role and flexibility

View the solution brief