With the proliferation of business applications in the enterprise, SSO is on a roll. The promise is clear: to make life easier for users by centralizing management of the authentication system. It's a way for IT departments to rationalize and keep control of the applications that are springing up in every business department.
What is a Single-Sign-On system?
SSO, or Single Sign-On, is an authentication system that enables a user to connect to several applications or sites with a single password, which he or she enters on first login. SSO thus provides secure access to corporate applications.
How does a single sign-on system work?
SSO works by establishing a relationship of trust between an identity provider (IdP) on the one hand and the applications on the other. The applications concerned may be hosted in the cloud (SaaS), proprietary (developed in-house, for example), or installed on your own infrastructure (on-premises).
There are many different identity providers. The best known (and one of the first on the market) is Active Directory. Initially designed for internal applications (MS Exchange, etc.), its functionality has been extended with the arrival of Azure, which can provide SSO for hosted applications. Other online providers have also appeared more recently: Auth0, Okta, OneLogin, and others.
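To make the trust relationship concrete, here is an added example (not code from the original article or from any of the providers named above). It models, in miniature, what SAML or OpenID Connect do in practice: the user types a password once, at the identity provider; the IdP then vouches for that user to each application with a signed assertion, and the application trusts the assertion only if the signature checks out, the issuer is the one it trusts, the assertion is addressed to it, and it has not expired. One simplification is labelled in the code: the IdP and the applications share an HMAC key, whereas real deployments give the IdP a private signing key and the applications only the matching public key. All names, keys and credentials are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# All names, keys and credentials below are constructed for this example.
IDP_ISSUER = "https://idp.example.internal"
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"
ASSERTION_TTL = 300       # seconds an assertion stays valid
SESSION_TTL = 8 * 3600    # seconds an IdP login session lasts


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The one place a password is checked; it vouches for the user to applications."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self._key = signing_key  # simplification: shared HMAC key instead of a key pair
        # Constructed user store holding salted password hashes, never plaintext.
        self._users = {"alice": self._hash("correct horse battery staple")}
        self._sessions = {}  # user -> session expiry (Unix seconds)

    @staticmethod
    def _hash(password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

    def login(self, user: str, password: str, now: int) -> bool:
        stored = self._users.get(user)
        if stored is None or not hmac.compare_digest(stored, self._hash(password)):
            return False
        self._sessions[user] = now + SESSION_TTL
        return True

    def issue_assertion(self, user: str, audience: str, now: int):
        # No live session, no assertion: the password is typed once, at login.
        if self._sessions.get(user, 0) <= now:
            return None
        claims = {"iss": self.issuer, "sub": user, "aud": audience,
                  "iat": now, "exp": now + ASSERTION_TTL}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)


class Application:
    """A relying application: it never sees the password, only signed assertions."""

    def __init__(self, name: str, trusted_issuer: str, verification_key: bytes):
        self.name = name
        self._issuer = trusted_issuer
        self._key = verification_key

    def accept(self, assertion: str, now: int):
        # Returns (True, user) or (False, reason); every check must pass.
        parts = assertion.split(".")
        if len(parts) != 2:
            return (False, "malformed")
        body, sig = parts
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return (False, "bad signature")       # claims were altered or not signed by the IdP
        claims = json.loads(_unb64(body))
        if claims.get("iss") != self._issuer:
            return (False, "untrusted issuer")
        if claims.get("aud") != self.name:
            return (False, "wrong audience")      # assertion was meant for another application
        if claims.get("exp", 0) <= now:
            return (False, "expired")
        return (True, claims["sub"])


def demo():
    """Walk one user through one login and two applications; returns every outcome."""
    now = 1_700_000_000
    idp = IdentityProvider(IDP_ISSUER, IDP_SIGNING_KEY)
    crm = Application("crm", IDP_ISSUER, IDP_SIGNING_KEY)
    wiki = Application("wiki", IDP_ISSUER, IDP_SIGNING_KEY)
    results = {}
    results["login"] = idp.login("alice", "correct horse battery staple", now)
    for_crm = idp.issue_assertion("alice", "crm", now)
    for_wiki = idp.issue_assertion("alice", "wiki", now)
    results["crm"] = crm.accept(for_crm, now)
    results["wiki"] = wiki.accept(for_wiki, now)
    results["cross_app"] = wiki.accept(for_crm, now)          # audience binding
    results["expired"] = crm.accept(for_crm, now + ASSERTION_TTL + 1)
    body, sig = for_crm.split(".")
    edited = json.loads(_unb64(body))
    edited["sub"] = "admin"                                     # altered claim, original signature
    results["tampered"] = crm.accept(_b64(json.dumps(edited, sort_keys=True).encode()) + "." + sig, now)
    results["no_session"] = idp.issue_assertion("bob", "crm", now)  # never logged in
    return results
```

Running `demo()` shows the two sides of the relationship: the applications accept Alice without ever handling her password, while an assertion presented to the wrong application, one whose claims were edited, or one past its validity window is refused, and the IdP issues nothing for a user without a live session.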
A study carried out by Vanson Bourne for LastPass shows that 92% of companies find it difficult to manage their identities. Single Sign-On is a good solution to this problem, but let's take a look at the pros and cons of this identification system.
What are the advantages and disadvantages of SSO?
As we've already begun to see, an SSO system has a number of strengths, such as each user only having to remember a single password, and it is of real interest to corporate security in terms of authentication. Let's take a closer look at the strengths and weaknesses of a single sign-on system.
The benefits of SSO
The benefits are numerous, and can be seen from two points of view: that of the user and that of the company.
For the user:
- The first major advantage, as already mentioned, is that you no longer need to remember all your passwords. The system is designed around the use of a single password, which should be a strong combination of numbers, upper- and lower-case letters and special characters. Because there is only one password, it is acceptable (from the end user's point of view) to impose strong constraints on its complexity.
- With Single Sign-On, you no longer need to enter a password every time you use a software application, which is a real advantage when you need to use several applications on a regular basis. This saves considerable time, especially in environments with a large number of business applications.
- SSO also focuses attention on a single password, thus avoiding the multiplication of "weak" passwords. The more passwords a user has to manage, the more likely he or she is to make them "memorable", and therefore weak from a cybersecurity point of view.
For the company and its IT department:
- For IT departments, SSO is of vital importance in securing user access to software and applications. A single password means a lower risk of multiple weak passwords spread across all users' personal and professional sites and applications.
- With single sign-on, IT departments can centralize information much more easily. There is now just one password per user, making it easier to manage password security rules and create accounts.
- The IT department is also able to trace operations carried out with the unique identifier. This gives an overview of connections to applications and software, and therefore of their use.
- If there's one time-consuming task every IT department could do without, it's resetting passwords. SSO considerably reduces the number of password resets required, since you only have to remember one password.
The disadvantages of SSO
- A single password is very practical, until it's hacked... It's a bit like a castle where you used to have a key for each room, which made moving around complicated and sometimes impossible if you were missing a key. Today, you have a single key that opens the whole castle, which is handy, but if someone gets hold of it or copies it... the whole castle is open! To offset this risk, it's advisable to implement two-factor authentication (2FA or MFA), which isn't always feasible because this system has a few prerequisites, such as the fact that each user must have a cell phone. Today, many SSO solutions impose MFA precisely to ensure connection security.
- On paper, SSO is THE solution, but in practice, only certain applications and compatible sites accept SSO, leaving a very large number of non-compatible applications. You'll still have to provide a password for all other applications, and you're back to square one: several passwords to remember and a higher risk of loss, fraud...
- A single password makes the system strong, thanks to the technology behind it, but also fragile: if the SSO system is out of service for a few hours, the entire company is paralyzed.
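The second factor recommended above is most often a time-based one-time code from the user's phone. The following is an added example, not code from the article, showing the server-side check an identity provider performs on that code, implemented according to RFC 4226 (HOTP) and RFC 6238 (TOTP) from the standard library. The secret is the published RFC test key, so the codes in the comments are the reference values; a real enrolment generates a random per-user secret. The `SecondFactorVerifier` class and its one-step tolerance window are this example's own design: it accepts the current code and its immediate neighbours (to absorb clock drift between phone and server) and refuses any code at or below the last counter it already accepted, so a code seen once cannot be accepted a second time.

```python
import hashlib
import hmac

# Constructed secret: the RFC 4226 / RFC 6238 test key, so the reference codes apply
# (counter 0 -> 755224, 1 -> 287082, 2 -> 359152, 3 -> 969429).
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code, as in RFC 6238
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """RFC 6238: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, now // step)


class SecondFactorVerifier:
    """Server-side check of the code the user types after the SSO password (example design)."""

    def __init__(self, secret: bytes, window: int = 1):
        self._secret = secret
        self._window = window          # steps of tolerance either side of "now"
        self._last_counter = -1        # highest counter accepted so far (replay guard)

    def verify(self, code: str, now: int) -> bool:
        # Only ASCII digit strings of the right length are even compared.
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        counter = now // TIME_STEP
        for candidate in range(counter - self._window, counter + self._window + 1):
            if candidate <= self._last_counter:
                continue               # already consumed: the same code is never accepted twice
            if hmac.compare_digest(hotp(self._secret, candidate), code):
                self._last_counter = candidate
                return True
        return False
```

With the reference key, `totp(DEMO_SECRET, 59)` returns "287082" (counter 1). A fresh verifier at time 59 accepts "287082", then refuses the same code again, and refuses "755224" (counter 0) because it is below the counter it just consumed; "969429" belongs to counter 3 and falls outside the one-step window, so it is refused as well.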
Here are a few misconceptions about the single sign-on system...
Single Sign-On is a really powerful system for user authentication, but you shouldn't confuse single sign-on with identity and access management. SSO is not an IAM (identity and access management) system.
- SSO cannot be used to manage authorization levels within an enterprise. It is not there to define a policy of user rights, which in fact have to be managed for each application. For rights management, it is preferable to use an identity and access management tool.
- If you're hoping to have an overview of all your tools, software and applications thanks to SSO, that's a pipe dream, because as we've seen, not all software is compatible.
- In the same way, a single sign-on tool won't give you a global view of your employees, or of people who work with you but aren't employees of your company, such as service providers, temporary staff, etc., because these SSO systems are generally not connected to HRIS.
- Finally, from a strictly technical point of view, setting up and especially maintaining the SSO system is extremely time-consuming for IT teams. Redundancy must be ensured, and SSO support must be responsive, as it is a single point of access which, if blocked, paralyzes the entire company.
Single Sign-On: yes for authentication, no for identity and access management
SSO is often a basic building block for enterprise identity management, but only addresses a small part of the problem.
SSO is a good complement to the implementation of an Identity and Access Management (IAM) system connected to the HRIS.