SSO, Single Sign-On: obvious choice or bad idea?

Published: 06/2020
Single sign-on, a great promise: simplicity for users and security for IT, but is it the miracle solution to identification?

Summary

As business applications proliferate within companies, SSO is gaining momentum. It must be said that the promise is appealing: to provide user convenience by centralizing the management of the authentication system. It is a way for the IT department to rationalize and maintain control over the applications that are flourishing in each business unit.

What is a Single-Sign-On system?

SSO, Single Sign-On, is an authentication system that allows a user to connect to multiple applications or sites with a single password, entered once at their first connection. SSO therefore offers secure access to company applications.

How does a single sign-on system work?

SSO functions through the establishment of a trust relationship between an "identity provider" on the one hand and the applications on the other. The applications concerned can be hosted in cloud mode (SaaS) or proprietary (if they are developed internally for example) or even installed on your internal infrastructure ("on premise").

There are many identity providers. The best known (and one of the first on the market) is Active Directory. Initially designed for internal applications (MS Exchange, etc.), its functionalities have been extended with the arrival of Azure, which makes it possible to provide SSO to hosted applications. Other online providers have also appeared more recently: Auth0, Okta, OneLogin, etc.
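As an added illustration of the trust relationship described above (example code written for this article, not part of the original and not the code of any product named here): a minimal identity provider signs a short-lived assertion for one application, and the application accepts the login only after checking the signature, the intended audience and the expiry, then decides the user's role on its own. The shared secret, token format and role table are constructed assumptions; real SSO products use standard protocols such as SAML or OpenID Connect instead.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret shared by the identity provider and the application (an
# assumption for this example; real SSO protocols use their own keys and formats).
IDP_SHARED_SECRET = b"demo-shared-secret-not-for-production"
# Authorization data lives in the application, not in the SSO assertion (constructed).
APP_ROLES = {"alice": "admin", "bob": "reader"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_assertion(user: str, audience: str, now: int, ttl: int = 300) -> str:
    """Identity provider side: vouch that `user` authenticated, for one application, briefly."""
    claims = {"sub": user, "aud": audience, "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(IDP_SHARED_SECRET, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(signature)

def app_verify_assertion(token: str, expected_audience: str, now: int) -> Optional[dict]:
    """Application side: trust the assertion only if signature, audience and expiry all hold."""
    parts = token.split(".")
    if len(parts) != 2:
        return None  # malformed
    payload, signature = parts
    try:
        expected = hmac.new(IDP_SHARED_SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(signature)):
            return None  # forged or tampered: the trust relationship does not apply
        claims = json.loads(_unb64(payload))
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("aud") != expected_audience:
        return None  # issued for a different application
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims

def app_authorize(token: str, audience: str, now: int) -> Optional[str]:
    """Authentication comes from SSO; the role decision stays local to the application."""
    claims = app_verify_assertion(token, audience, now)
    if claims is None:
        return None
    return APP_ROLES.get(claims["sub"], "none")
```

The `app_authorize` step is the point the article makes later: the assertion says who the user is, and nothing more, so each application still has to hold its own rights policy.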

A study conducted by Vanson Bourne for LastPass shows that 92% of companies struggle to manage their identities. Single Sign-On is a good solution to address this problem, but let's examine the advantages and disadvantages of this identification system.

What are the advantages and disadvantages of SSO?

As we have already begun to see, an SSO system has strengths such as a single password for users to memorize, and it matters for the authentication-related security of companies. Let's look in more detail at the strengths and weaknesses of a single sign-on system.

The advantages of an SSO

The advantages are numerous and can be seen from two points of view: that of the user and that of the company.

For the user:

  • The first major advantage that we have already mentioned is that there is no longer a need to remember all your passwords. The system is designed to use a single password, which we recommend be strong, consisting of numbers, upper and lower case letters, and special characters. As it is a single password, it is acceptable (from the end user's point of view) to impose strong constraints in terms of complexity.
  • With Single Sign-On, there is no longer a need to enter a password each time a piece of software is used, which is really appreciated when regularly using multiple applications. This generates a considerable time saving, especially in environments where the number of business applications is high.
  • SSO also allows focusing attention on a single password, thus avoiding the proliferation of "weak" passwords. The more passwords a user has to manage, the more likely they are to make them "memorable," and therefore weak from a cybersecurity point of view.

For the company, the IT service:

  • The strong interest in SSO for IT services is, of course, the security of user access to different software and applications. A single password = a lower risk of weak, multiple passwords spread across all users' personal and professional sites and applications.
  • With Single Sign-On, IT departments can centralize information much more easily. There is only one password per user, which facilitates the management of password-related security rules and account creation.
  • The IT department is also able to have traceability of the operations carried out with the unique identifier. This provides an overview of connections to applications and software, and therefore their usage.
  • If there is one time-consuming task that all IT departments would gladly do without, it is password resets. SSO considerably limits reset requests, since there is only one password to remember.

The disadvantages of SSO

  • A single password is very convenient until it is hacked... It's a bit like having a key for each room in a castle, which made moving around complicated and sometimes impossible if you were missing a key. Today, you have a single key that gives you access to the entire castle, which is convenient, but if someone seizes it or copies it... it's an open door to the entire castle! To compensate for this disadvantage, it is recommended to implement two-factor authentication (2FA or MFA), which is not always feasible because this system has some prerequisites, for example, each user having a mobile phone. Today, many SSO solutions require MFA to ensure the security of connections.
  • SSO on paper is really THE solution, yes, but in practice only certain applications and compatible sites accept the use of SSO, which leaves a very large number of incompatible software. It will therefore be necessary to continue providing a password for all other applications and we return to square one: several passwords to remember and a higher risk of loss, fraud...
  • A single password makes the system strong through the centralization of technology, but also fragile: if the SSO system is rendered inoperative for a few hours, the entire company is paralyzed.

Here are some misconceptions about single sign-on...

Single Sign-On is a truly powerful system for single user authentication; however, several things should not be confused, such as single identification and identity and access management. SSO is not an IAM (identity and access management) system.

  • SSO does not allow managing authorization levels within the company. It is not designed to define a user rights policy, which must be managed on each application. For rights management, it is preferable to use an identity and access management tool.
  • If you hope to have an overview of your tools, software and applications thanks to SSO, it is a utopia because, as we have seen, not all software is compatible.
  • Similarly, a single sign-on tool will not give you a global view of your employees and the people who work with you without being employees of your company, such as service providers, temporary staff, etc., because these SSO systems are generally not connected to HRIS.
  • Finally, from a strictly technical point of view, the implementation and especially the maintenance of the SSO system are extremely time-consuming for IT teams. Redundancy must be ensured, and responsiveness must be guaranteed for SSO support because it is a single point of access which, if blocked, completely paralyzes the company.

Single Sign-On: yes for authentication, no for identity and access management

SSO is often a basic building block for identity management in companies but only addresses a small portion of the problem.

SSO is a good complement to the implementation of an Identity and Access Management (IAM) system connected to the HRIS.
