researchHQ’s Key Takeaways:
- Single sign-on (SSO) allows users to automatically log into multiple websites or applications after entering their login credentials just once.
- While SSO can streamline user experience and improve analytics, companies are often slow to adopt it because of security concerns and technical challenges.
- Combining SSO with strong authentication protocols, such as contextual multi-factor authentication (MFA), can help companies mitigate security risks.
- The suite of tools offered by identity-as-a-service (IDaaS) providers allows organisations to implement secure SSO while circumventing the technical challenges of building it from scratch.
Everyone who uses the internet agrees that life would be better with fewer logins. For users, logging in is a hassle that interrupts whatever they were trying to do and forces them to remember their password. What’s bad for user experience is doubly bad for businesses, because a frustrated user is more likely to walk away from a transaction or browse a website without logging in.
The solution for a world with fewer logins is single sign-on (SSO), which allows a user to log in once and automatically gain access to a suite of connected applications. Companies that implement single sign-on properly benefit from improved user experience and heightened security. Below, we’ll explain how single sign-on works and the differences between a good SSO policy and a bad one.
What Is Single Sign-On?
Single sign-on is a method of logging in that lets a user enter their login credentials (usually a username and password) just once and automatically be logged into multiple websites or applications. Single sign-on is one element of identity and access management (IAM), the whole set of tools and protocols governing how users log in and gain access to data.
An SSO solution is like a library card. A library card lets you check out books from every branch in a library system instead of having to get a separate card and a separate account for each one. This makes life easier for patrons, who can now access books from all of the local branches instead of just one. And it makes things easier for the organization because they know how people are using their services (and who owes late fees). SSO operates according to the same principle, except instead of uniting the different library branches in a city, it unites different digital properties used by a single company.
The most widely known customer-facing example of single sign-on is the Google account, the same login that underpins G Suite. Users log in to Gmail, and when they navigate to Google Docs or YouTube, they’re automatically logged in. While end-user authentication is the most widely known use case for SSO, it’s also used in business-to-employee (B2E) settings.
Some companies also use SSO for their employees, so a single set of credentials grants access to a set of applications. For instance, if an employee logs into their employee portal, they’ll be immediately logged into Slack and Zoom with their employee ID.
SSO is a part of the broader concept of federated identity management, which allows for someone to use a single identity across multiple different systems. SSO refers specifically to a single login giving a user access to multiple properties that are still part of a single organization.
Federated identity, meanwhile, means using the same identity to log in to properties owned by multiple organizations. It’s possible to have a federated identity that isn’t a single sign-on. For instance, an app could enable social login (logging in with something like Facebook, Google, or Apple ID) but still only use that login for a single property.
How Does Single Sign-on Work?
On a technical level, SSO works by having users give their credentials to the SSO solution instead of logging in directly to a website or app. The SSO solution, in turn, checks these user credentials with the company’s authentication server (a database of credentials) or identity provider.
An identity provider is a service that stores and manages user identities on behalf of an application. For end users, common identity providers include Google and Facebook. Enterprise identity providers include Microsoft Active Directory and Azure AD, LDAP-based directories, and G Suite. Users can log in using an account they’ve already created with a separate identity provider, which saves them from filling out a new registration form. Using an outside identity provider saves businesses from having to store this information themselves on an authentication server. That’s a security advantage for businesses because a database full of passwords is a prime target for attackers. The flip side is that the identity provider becomes the single place where a compromised account or a stolen token unlocks every connected application, which is why the strong authentication and monitoring mentioned above matter so much.
When the SSO solution confirms that a user is logging in with the correct credentials, it issues them a token: a signed, time-limited statement from the identity provider saying who the user is. Then, when they go to a new application, that application checks the token (its signature, who issued it, which application it was issued for, and whether it has expired) and, if everything holds, treats the user as already logged in without asking again. There are multiple standards for this exchange, principally Security Assertion Markup Language (SAML) and OpenID Connect, which is built on top of Open Authorization (OAuth). For our non-developer purposes, the primary difference is that SAML and OpenID Connect verify a user’s identity (authentication), whereas OAuth on its own controls what resources an application is allowed to access on the user’s behalf (authorization).
Most SSO solutions also include single log-out (SLO), which means that logging out of one site automatically logs you out of the rest. In practice this only works as far as every connected application honours the log-out signal from the identity provider; an application that keeps its own long-lived session after the SSO session ends is a common gap worth testing for.
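The token flow in the two preceding sections (one credential check at the identity provider, a signed per-application token, the checks the receiving application performs, and single log-out) is shown below as an added example. This is illustrative code written for this page, not researchHQ’s code or any product’s implementation: the token is a minimal HMAC-signed JSON blob loosely modelled on a JWT rather than a real SAML assertion or OpenID Connect ID token, the signing key is a shared secret instead of the identity provider’s private key, single log-out is modelled as a back-channel session check, and all names, URLs, users and passwords are made up for the demonstration.

```python
# Added example, not researchHQ's code: a toy SSO flow with one identity provider
# (IdP) and two service providers (SPs). Token format, shared-secret signing,
# names, URLs and credentials are all assumptions made for the illustration.
import base64
import hashlib
import hmac
import json
import secrets
import time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(key: bytes, body: str) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class IdentityProvider:
    """Holds the credential database, runs the single login, mints per-SP tokens."""
    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer, self._key = issuer, signing_key
        self._users = {}     # username -> (salt, pbkdf2 hash); no plaintext passwords
        self._sessions = {}  # SSO session id -> username; emptied by single log-out

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _pw_hash(password, salt))

    def login(self, username: str, password: str):
        """The one credential check. Returns an SSO session id, or None on failure."""
        salt, stored = self._users.get(username, (b"", b""))
        if not stored or not hmac.compare_digest(stored, _pw_hash(password, salt)):
            return None
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = username
        return session_id

    def token_for(self, session_id: str, audience: str, ttl: int = 300):
        """Mint a token for one SP from the live session; the password is not asked again."""
        username = self._sessions.get(session_id)
        if username is None:
            return None
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "sid": session_id, "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return f"{body}.{_sign(self._key, body)}"

    def logout(self, session_id: str) -> None:
        """Single log-out: ending the IdP session invalidates every SP's token."""
        self._sessions.pop(session_id, None)

    def session_active(self, session_id: str) -> bool:
        return session_id in self._sessions

class ServiceProvider:
    """A connected app. It never sees the password, only tokens it can verify."""
    def __init__(self, name: str, idp: IdentityProvider, signing_key: bytes):
        self.name, self._idp, self._key = name, idp, signing_key

    def accept(self, token: str):
        """Return the username if the token is valid for this SP, else None."""
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(sig.encode(), _sign(self._key, body).encode()):
            return None  # forged or tampered; verify the signature before reading claims
        try:
            claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        except ValueError:
            return None
        if claims.get("iss") != self._idp.issuer or claims.get("aud") != self.name:
            return None  # wrong issuer, or a token minted for another application
        if int(time.time()) >= claims.get("exp", 0):
            return None  # expired
        if not self._idp.session_active(claims.get("sid", "")):
            return None  # session ended at the IdP (back-channel single log-out)
        return claims.get("sub")

def run_demo() -> dict:
    key = secrets.token_bytes(32)  # shared signing secret, a simplification of this toy
    idp = IdentityProvider("https://idp.example.test", key)
    idp.register("alice", "correct horse battery staple")
    chat, video = ServiceProvider("chat", idp, key), ServiceProvider("video", idp, key)
    sid = idp.login("alice", "correct horse battery staple")
    chat_token, video_token = idp.token_for(sid, "chat"), idp.token_for(sid, "video")
    body, _, sig = chat_token.partition(".")
    results = {
        "wrong_password_rejected": idp.login("alice", "wrong") is None,
        "sso_reaches_both_sps": chat.accept(chat_token) == "alice" and video.accept(video_token) == "alice",
        "wrong_audience_rejected": video.accept(chat_token) is None,
        "tampered_token_rejected": chat.accept(body + "x." + sig) is None,
        "expired_token_rejected": chat.accept(idp.token_for(sid, "chat", ttl=0)) is None,
    }
    idp.logout(sid)
    results["single_logout_revokes_all"] = chat.accept(chat_token) is None and video.accept(video_token) is None
    return results

if __name__ == "__main__":
    print(run_demo())
```

Running the file prints a dictionary in which every check is `True`. The order of checks in `accept` is deliberate: the signature is verified before the claims are parsed, so unsigned or altered data is never trusted, and the audience check is what stops a token minted for the chat application from being replayed against the video application. In a real deployment the service provider would verify a SAML or OpenID Connect signature with the identity provider’s public key and learn about log-out through a front- or back-channel logout message rather than by querying the provider’s session table.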