Single Sign On – How SSO Works
Setting up separate credentials for every account pushes users to reuse passwords and to pick simple, weak ones.
According to Microsoft, 40 million users were found to have reused passwords. And as per Google’s 2019 study, almost two-thirds of people use the same password across multiple accounts.
That’s where Single Sign-On comes in.
There are more than 199.7 million active sites in 2023. And the number is only rising. So, you can’t expect the end user to create unique passwords for all their online services.
So today, we’ll look at how SSO removes the need for multiple credentials, and cover the types of SSO, how it works, and its advantages.
What’s Single Sign On
Single Sign-On (SSO) is an authentication method that allows users to securely log in to multiple apps and websites using a single set of credentials.
SSO aims at three things:
1. Improving security
2. Simplifying the user authentication experience
3. Securing user off-boarding so that there are no more active orphan accounts
SSO achieves these three goals by removing the need to remember multiple passwords and by consolidating authentication at a single identity provider instead of one per application.
Users can access multiple services using a single complex password, reducing password fatigue and eliminating the need to store or remember multiple passwords.
Modern identity and access management solutions enable enterprises to implement SSO for their applications. Open standards such as OIDC (built on OAuth 2.0) and SAML let applications delegate authentication to an identity provider, including one outside the organization.
Overall, Single Sign On centralizes authentication processes, making authentications easier to monitor and maintain.
Need of SSO
Imagine you have two websites. Let’s call them website X and website Y. You want people who are already logged in on website X to be automatically logged in when they visit website Y. This is where Single Sign-On (SSO) comes in.
Websites can’t securely share login information. But SSO solves this problem. How? You’ll learn about it later.
Social & Enterprise SSO
Social SSO allows users to log into third-party applications using their social media accounts, such as Google, LinkedIn, Twitter, or Facebook. It’s a convenient way to access multiple platforms with one set of credentials.
However, this convenience comes with a security risk. If an attacker gains control of a user’s social login, they can access all linked applications.
On the flip side, enterprise single sign-on (eSSO) provides a more secure solution for businesses. It allows employees to access all enterprise applications with one-click authentication by validating them against a trusted identity provider controlled by the organization.
To enhance security further, businesses can implement multi-factor authentication (MFA) or adaptive MFA, adding an extra layer of protection.
What’s an SSO Token?
The container that carries the user’s identity information (user ID, email address, group memberships and similar claims) during the SSO process is called an SSO token. It never carries the user’s password; it carries signed statements about an already authenticated user. For an app to verify that the token came from a trusted source, the identity provider digitally signs it, and the app checks the signature, the issuer, the intended audience and the expiry time before trusting it.
Same Sign-On vs. Single Sign-On
Same Sign-On differs from Single Sign-On, requiring users to enter the same credentials for different apps manually. And there’s no shared authentication mechanism or centralized identity provider.
How Does SSO Work
To make SSO possible, trust must be established between an application (the service provider) and an identity provider, or IdP (for example, Vault Vision). The IdP provides a central authentication server that verifies user identities.
Different SSO protocols share session information in different ways, but the underlying concept is the same: there is an authentication server where the login is performed, and the resulting session is then made available to other domains.
Let’s see the typical SSO flow:
1. User Initiates Login: A user attempts to get access to the service provider.
2. Service Provider Redirects to IDP: The application routes the user to the identity provider for authentication.
3. IDP Authenticates the User: The identity provider checks the user’s credentials (and MFA, if configured), issues a signed token such as a SAML assertion or an OIDC ID token, and returns it to the application through the user’s web browser.
4. Token Validation: The service provider validates the token it received from the browser, checking its signature against the trust relationship set up in the initial configuration, along with the issuer, the audience (that the token was issued for this application) and the expiry time.
5. User is Granted Access: Finally, the user gets access to the service provider.
6. User Tries to Access Other Linked Services: When the user visits another linked service, that service also redirects to the identity provider. Because the identity provider still holds the user’s session, it issues a token for that service without asking for credentials again.
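The six steps above, and the SSO token described earlier, as an added self-contained example (not code from the original page or from Vault Vision): a toy identity provider authenticates the user once, mints a separate signed token for app X and app Y off the same session, and a service-provider routine validates each token’s signature, issuer, audience, expiry and nonce. The issuer URL, client IDs, user, password and signing key are all made up for the example, and HS256 with a single key stands in for the asymmetric signing key a real IdP would use.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values: issuer, client IDs, user and key are made up for this example.
IDP_ISSUER = "https://idp.example.test"
# Stand-in for the IdP's signing key. HS256 means every verifying SP holds the
# same secret; a real IdP signs with RS256/ES256 so SPs only need its public key.
IDP_KEY = secrets.token_bytes(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Holds the user's single login session and mints one token per service provider."""

    def __init__(self):
        self.sessions = {}  # IdP session cookie -> authenticated subject

    def login(self, username, password):
        # Constructed credential check; a real IdP verifies a password hash plus MFA.
        if (username, password) != ("alice", "correct horse battery staple"):
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = username
        return cookie

    def issue_token(self, cookie, client_id, nonce, ttl=300):
        # The browser presents only the IdP session cookie; no password is asked again.
        subject = self.sessions[cookie]
        now = int(time.time())
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64url(json.dumps({
            "iss": IDP_ISSUER, "sub": subject, "aud": client_id,
            "iat": now, "exp": now + ttl, "nonce": nonce,
            "email": f"{subject}@example.test",  # identity claims, never the password
        }).encode())
        sig = hmac.new(IDP_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        return f"{header}.{claims}.{_b64url(sig)}"


def validate_token(token, client_id, expected_nonce, now=None):
    """Service-provider side: signature, issuer, audience, expiry, nonce. Returns the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(IDP_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued for a different service provider")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def sso_demo():
    """Steps 3-6 of the flow: one login, two service providers, each validating its own token."""
    idp = IdentityProvider()
    cookie = idp.login("alice", "correct horse battery staple")  # step 3: authenticate once
    nonce_x = secrets.token_urlsafe(8)
    claims_x = validate_token(idp.issue_token(cookie, "app-x", nonce_x), "app-x", nonce_x)  # steps 4-5
    # Step 6: app Y redirects to the IdP, which reuses the session and issues a fresh token.
    nonce_y = secrets.token_urlsafe(8)
    claims_y = validate_token(idp.issue_token(cookie, "app-y", nonce_y), "app-y", nonce_y)
    results = {"subject_x": claims_x["sub"], "subject_y": claims_y["sub"]}
    # App Y must refuse the token that was minted for app X (audience check).
    token_x = idp.issue_token(cookie, "app-x", nonce_x)
    try:
        validate_token(token_x, "app-y", nonce_x)
        results["cross_sp_accepted"] = True
    except ValueError:
        results["cross_sp_accepted"] = False
    # Editing the claims without the key breaks the signature.
    h, c, s = token_x.split(".")
    forged = json.loads(_b64url_decode(c))
    forged["sub"] = "admin"
    try:
        validate_token(f"{h}.{_b64url(json.dumps(forged).encode())}.{s}", "app-x", nonce_x)
        results["forgery_accepted"] = True
    except ValueError:
        results["forgery_accepted"] = False
    return results
```

Running sso_demo() returns the subject "alice" from both service providers while the cross-SP and forged tokens are rejected. Note that the service provider never sees the password: it trusts the IdP’s signature and the claims, which is why the audience and nonce checks matter as much as the signature check.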
Types of SSO Configurations
Before we learn about different types of SSO configurations, let’s clarify one thing.
SSO is part of a broader concept called Federated Identity Management (FIM), specifically its authentication part. FIM is the trust relationship set up between two or more identity management systems or domains, so that an identity established in one of them is accepted by the others.
Here’s a quick rundown of different SSO protocols:
OAuth
OAuth 2.0 is an open standard authorization framework. It lets a user grant an application limited access to their data held by another service (for example, a printing app reading the user’s photos) without handing that application their password, which is especially useful for mobile apps. On its own, OAuth is not an authentication protocol: it says nothing about who the user is, only what the client may access.
OAuth acts as an intermediary. The user is sent to the authorization server, logs in and approves the requested scope; the client then receives an access token limited to that scope and presents it to the resource server on each API call. The client never handles the user’s credentials.
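The authorization-code exchange described above, as an added example that is not code from the original page or from any real provider: a client builds the authorization request with a state value and a PKCE challenge, a toy authorization server issues a single-use code bound to that challenge, and the client verifies the state on the callback before exchanging the code and verifier for an access token. The endpoints, client ID, redirect URI, scope and user are made up for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers for this example; endpoints, client and user are made up.
AUTHZ_ENDPOINT = "https://idp.example.test/oauth2/authorize"
CLIENT_ID = "photo-printer"
REDIRECT_URI = "https://printer.example.test/callback"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def start_authorization(scope="photos.read"):
    """Client: build the redirect to the authorization server with state and PKCE."""
    session = {
        "state": secrets.token_urlsafe(16),                  # ties the callback to this browser session
        "code_verifier": _b64url(secrets.token_bytes(32)),  # kept on the client, never put in the URL
    }
    challenge = _b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    url = AUTHZ_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "state": session["state"],
        "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return session, url


class AuthorizationServer:
    """Toy authorization server: issues single-use codes bound to a PKCE challenge."""

    def __init__(self):
        self.pending = {}  # authorization code -> what it was issued for
        self.granted = {}  # access token -> (user, scope)

    def authorize(self, request_url, user="alice"):
        # The user has logged in (not shown) and approved the requested scope.
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        code = secrets.token_urlsafe(16)
        self.pending[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                              "scope": q["scope"], "challenge": q["code_challenge"], "user": user}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, code_verifier, client_id, redirect_uri):
        grant = self.pending.pop(code, None)  # single use: a replayed code is already gone
        if grant is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: client/redirect mismatch")
        if _b64url(hashlib.sha256(code_verifier.encode()).digest()) != grant["challenge"]:
            raise PermissionError("invalid_grant: PKCE verifier does not match the challenge")
        access_token = secrets.token_urlsafe(24)
        self.granted[access_token] = (grant["user"], grant["scope"])
        return access_token


def handle_callback(session, callback_url, server):
    """Client: verify state, then exchange the code plus verifier for an access token."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not secrets.compare_digest(q.get("state", ""), session["state"]):
        raise PermissionError("state mismatch: callback is not tied to this session")
    return server.token(q["code"], session["code_verifier"], CLIENT_ID, REDIRECT_URI)


def oauth_demo():
    server = AuthorizationServer()
    session, authz_url = start_authorization()
    callback = server.authorize(authz_url)              # browser returns with code + state
    token = handle_callback(session, callback, server)  # happy path
    results = {"scope": server.granted[token][1]}
    # A callback carrying someone else's state is rejected before any code exchange.
    try:
        handle_callback(session, callback.replace(session["state"], "attacker-state"), server)
        results["forged_state_accepted"] = True
    except PermissionError:
        results["forged_state_accepted"] = False
    # The code was consumed by the first exchange; replaying it fails.
    code = parse_qs(urlparse(callback).query)["code"][0]
    try:
        server.token(code, session["code_verifier"], CLIENT_ID, REDIRECT_URI)
        results["code_replay_accepted"] = True
    except PermissionError:
        results["code_replay_accepted"] = False
    # A code stolen from the redirect is useless without the verifier (PKCE).
    _, url2 = start_authorization()
    stolen_code = parse_qs(urlparse(server.authorize(url2)).query)["code"][0]
    try:
        server.token(stolen_code, "wrong-verifier", CLIENT_ID, REDIRECT_URI)
        results["stolen_code_accepted"] = True
    except PermissionError:
        results["stolen_code_accepted"] = False
    return results
```

oauth_demo() returns the granted scope "photos.read" and False for each of the three abuse cases. The state check is what stops a login CSRF (an attacker binding their own account to the victim’s session), and PKCE is what makes an intercepted authorization code worthless to anyone who does not hold the verifier.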
OIDC
OpenID Connect (OIDC) is an extension of OAuth 2.0 that adds an identity layer, enabling Single Sign-on (SSO) functionality. It allows users to use one login session across multiple applications, such as logging in with their Facebook or Google account, instead of entering credentials for each service.
OIDC serves the same purpose as SAML but carries the identity information in a JSON Web Token (the ID token) instead of XML. It adds an identity layer on top of OAuth 2.0, so one flow yields both authentication (who the user is, from the ID token) and authorization (what the client may access, from the access token).
SAML
SAML (Security Assertion Markup Language) is an open standard that enables the exchange of authentication and authorization information between systems. It serves as a framework for implementing Single Sign-on (SSO) and allows secure access to multiple applications and websites after a single login.
With SAML, users log in once with their credentials, which grants them access to every application federated with that identity provider. It addresses the challenge of connecting identity providers to web applications, bridging the gap between directory-based authentication (LDAP, Active Directory) and web-based authentication.
Smart Card
Smart cards are physical tokens used for secure authentication in organizations. They provide an extra layer of protection by requiring users to input a PIN, adding two-factor authentication.
These cards store sign-in credentials, typically a certificate together with its private key, so users do not have to type a username and password repeatedly. When logging in, the user inserts the card and enters the PIN; software on the computer asks the card to sign a challenge with the private key, which never leaves the card, and verifies the signature against the certificate to establish the user’s identity.
Smart card-based SSO is commonly used in sectors like banking and can be used alongside other authentication methods for enhanced security.
Final Words
Single Sign-On addresses the challenges of managing multiple credentials and simplifies the user authentication experience. It allows users to:
- Securely log in to multiple apps and websites using a single set of credentials,
- Reduce password fatigue and the risk of weak passwords.
SSO can be implemented through various protocols, such as OAuth 2.0, OIDC, Smart Cards, and SAML.
Implementing SSO with an identity provider like Vault Vision enhances security and streamlines the login process. Sign-up today and start your free trial without entering your credit/debit card details.