Simply put, single sign-on (SSO) lets you log in to every system you are permitted to use within your organisation with just one set of identity credentials.
SSO enables users to authenticate once, with a single set of credentials, and then access multiple applications and websites without logging in again. Historically those credentials were a username and password. Under modern identity management (IdM) and access rules the user is expected to prove identity with at least two of the three authentication factors: something you know (a password or PIN), something you have (a phone, smart card or hardware token) and something you are (a biometric, typically a fingerprint, in some cases an iris or retina scan).
Once identity is established, the user holds token-based access to the applications and systems that trust the identity provider. SSO adds both security and convenience at sign-on. Sign-off can work the same way, but only where the applications support single logout; otherwise signing out of the identity provider may leave sessions at individual applications alive until they expire.
The main benefits of SSO include:
- Reduces the risk of credential exposure to third-party sites: the password is only ever entered at the identity provider, and access can be revoked centrally.
- Easy adoption, users do not have to remember different username and password combinations or regularly update passwords.
- Reduces time spent re-entering passwords or credentials for the same identity.
- Decreases IT costs due to reduction of password related support calls.
How does SSO work?
SSO relies on a centralised authentication server (the identity provider) that all participating applications and systems trust. The user authenticates to it once; it then issues a signed token or assertion (commonly over protocols such as SAML or OpenID Connect) that each application verifies instead of asking for credentials again. To enable SSO, therefore, each application must be registered with the identity provider and configured correctly, by your internal IT team or a technology partner.
It is important to grant access by role rather than to individuals. Access to personal data should follow from the worker's job role, so that data held in, for example, a CRM can only be reached by the people whose role requires it, and only for the explicit purpose for which the data was collected.
The rights attached to each role also need to be defined, typically as read-only, read-write or read-write-delete.
Setting up Single Sign On
There are many solutions for providing SSO; they all work by exchanging tokens that prove the user has already authenticated and remains entitled to access. For example, Azure Active Directory (Azure AD, since renamed Microsoft Entra ID), the Microsoft product that provides centralised management of identities and IT resources, offers several single sign-on methods.
To choose the most appropriate SSO method when configuring your applications, first decide whether you need cloud-only, hybrid (cloud and on-premises) or on-premises-only sign-on.
Microsoft has published a useful decision workflow to assist with choosing a single sign-on method.
About Active Directory Federation Services (ADFS)
Microsoft is big on identity-driven security, and its product Active Directory Federation Services (ADFS) provides secure sharing of identity information between federated business partners.
It uses a claims-based access control authorisation model to maintain application security and implement federated identity.
Claims-based authentication is the process of authenticating a user based on a set of claims about their identity (such as user name, e-mail address or group membership) contained in a token signed by a trusted issuer.
ADFS lets an organisation establish federation trusts with partner organisations and applications (relying party trusts) so that resources can be shared without creating Active Directory domain or forest trusts between them. For example, if a user in Company X wants to access a web application hosted by Organisation Y, Company X authenticates its own user and issues a token; Organisation Y's application accepts it because of the trust relationship and agreed protocols it has with Company X.
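The mechanism described under "How does SSO work?" and in the claims-based model above, as an added example that is not part of the original article or of any Microsoft product: one identity provider authenticates the user once and issues a signed, claims-bearing token; each relying application verifies signature, issuer, audience and expiry itself and derives rights from the role claim. The issuer URL, key, role names and user names are all constructed for the example, and the tokens are HS256 JWTs built by hand to keep the steps visible; a real deployment would use a vetted library and asymmetric keys.

```python
"""Added example: SSO with a signed, claims-based token (not the article's code)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed issuer and shared secret between the IdP and its relying parties.
IDP_ISSUER = "https://idp.company-x.example"
IDP_KEY = b"constructed-demo-key-do-not-use"

# Role -> rights, following the article's read-only / read-write / read-write-delete split.
ROLE_RIGHTS = {
    "crm_readonly": {"read"},
    "crm_editor": {"read", "write"},
    "crm_admin": {"read", "write", "delete"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject, roles, audience, key, now=None, ttl=300):
    """IdP side: after the user has authenticated once, sign a set of claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "roles": roles}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, expected_audience, key, now=None):
    """Relying-party side: accept only if signature, issuer, audience and expiry
    all check out. Raises ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token not issued for this application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def authorise(claims, action):
    """Rights come from the role claims, not from the individual user."""
    rights = set()
    for role in claims.get("roles", []):
        rights |= ROLE_RIGHTS.get(role, set())
    return action in rights


def demo():
    """One login feeding two applications; returns each outcome for inspection."""
    t0 = 1_700_000_000  # fixed clock so the walk-through is reproducible
    crm_token = issue_token("alice@company-x.example", ["crm_editor"], "crm", IDP_KEY, now=t0)
    out = {}
    claims = verify_token(crm_token, "crm", IDP_KEY, now=t0 + 10)
    out["crm_read"] = authorise(claims, "read")
    out["crm_delete"] = authorise(claims, "delete")  # editor role has no delete right

    def accepted(tok, aud, at):
        try:
            verify_token(tok, aud, IDP_KEY, now=at)
            return True
        except ValueError:
            return False

    # The same token replayed at another application fails the audience check.
    out["helpdesk_accepts_crm_token"] = accepted(crm_token, "helpdesk", t0 + 10)
    # After the 300 s lifetime the token is refused.
    out["accepted_after_expiry"] = accepted(crm_token, "crm", t0 + 600)
    # Editing the claims (here, escalating to crm_admin) breaks the signature.
    h, c, s = crm_token.split(".")
    forged = json.loads(_b64url_decode(c))
    forged["roles"] = ["crm_admin"]
    out["tampered_accepted"] = accepted(f"{h}.{_b64url(json.dumps(forged).encode())}.{s}", "crm", t0 + 10)
    return out


if __name__ == "__main__":
    print(demo())
```

The point to take from the walk-through is that the user typed a password exactly once, at the identity provider; every application decision afterwards rests on verifying the token and reading its claims, which is also why audience, expiry and signature checks must never be skipped on the application side.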
How can subscription apps enable SSO?
This is where a multi-tenant application comes in. A multi-tenant application is a single shared deployment that serves separate customers, or "tenants", each of whom sees the application as though it were their own.
A system that lends itself to multi-tenancy, often called a white-label system, is one where every tenant can tailor the user experience, for example by applying their own brand colours and logo, while sharing the same basic business requirements and built-in functionality. Each tenant can then connect the application to its own identity provider, so its users sign in with the credentials they already have.
From the customer's point of view, SSO provides greater control over who can access the application and improved security, since accounts are managed and revoked in one place.
From a software development/application provider’s perspective, the benefits of multi-tenancy mostly relate to operational and cost efficiencies.
This way, one version of your application can meet the needs of many tenants/customers, allowing consolidation of system administration tasks such as monitoring, performance tuning, software maintenance, and data backups.