In its simplest form, Single Sign-On (commonly abbreviated "SSO") authentication lets a single user access multiple applications with one set of credentials. SSO is widely used in enterprise systems where a user needs access to many applications, originally within the same Local Area Network and now across Wide Area Networks and the Internet as well.
The user directory behind it is in most cases reached over LDAP (Lightweight Directory Access Protocol); the SSO mechanism itself varies with the applications being integrated. SSO is often combined with additional authentication factors such as smart cards or one-time password tokens.
Single Sign-On has clear benefits and has therefore been adopted by many enterprise-level businesses. It is most useful where a single user must access several different internal applications. These applications traditionally worked only over a VPN or a Local Area Network, but as SSO proved its usefulness it was extended to applications reachable over the Internet and to Web applications in general. In large organizations, SSO improves productivity and reduces the maintenance burden of running a separate authentication setup for each application.
SSO is also spreading beyond internal systems: third-party vendors such as Google, which offers a suite of applications, have adopted it as well. According to Gartner, 30% of help desk services are related to password issues, and a single password reset costs roughly $70. SSO simplifies this process and makes it more cost-effective.
SSO requires a common identity provider (IdP) that is responsible for authenticating users. Once a user has authenticated, the identity provider sends the target application a signed assertion stating that the user was authenticated successfully.
Consider a user who wants to access two applications, App1 and App2. Without SSO, each application would typically have its own username and password, and the user would have to log in to each with the respective credentials.
With SSO, the applications simply decide whether to grant the user access based on what the identity provider vouches for. The identity provider issues assertions to the applications using protocols such as SAML or OpenID Connect (whose ID tokens are JWTs); before trusting an assertion, the application must verify its signature, issuer, intended audience and expiry.
The identity provider authenticates users against a user repository, which could be Active Directory (AD), an LDAP directory, a custom database or a service such as Stormpath. The repository and the protocol used to reach it play a key role in user management.
SSO is often confused with a centralized authentication system, but the two differ. A centralized system focuses purely on user access management: if a user wishes to access App1 and App2, the user still logs in to each application separately, with the same username and password. Having logged in to App1 does not automatically log the user in to App2. With SSO, that second login happens automatically.
Centralized authentication focuses on ease of credential management, whereas SSO focuses on the user experience.
Likewise, centralized authentication lets you share user data across applications, whereas SSO on its own is a poor fit when user data must be shared. Even though the SSO provider sends the application an assertion about the authentication, the application still has to create and look up the user in its own local repository. That work is repeated for every application integrated with SSO.
Some products, such as Stormpath, provide an integrated solution that combines centralized authentication with SSO.
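The exchange described above (IdP issues an assertion, application verifies it) together with the local-repository lookup from the centralized-versus-SSO comparison, as an added example that is not part of the original article. It builds a compact HS256 JWT by hand with the standard library. The shared HMAC key, the issuer URL, the application names app1/app2, the users alice/bob and their local account tables are all assumptions made up for the example; a real SAML or OpenID Connect deployment verifies the identity provider's signature with its public key rather than a shared secret.

```python
"""Added example: a minimal SSO assertion exchange between an identity
provider (IdP) and two applications, plus each application's own user lookup.
All names, keys and user records below are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: one key shared between the IdP and every application.
IDP_KEY = b"example-shared-secret-do-not-use"
IDP_ISSUER = "https://idp.example.com"   # assumed issuer name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_assertion(username: str, audience: str, now: int, ttl: int = 300) -> str:
    """IdP side: after authenticating `username` once, mint an HS256 JWT bound
    to a single application (`audience`) and valid for `ttl` seconds."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": username, "aud": audience,
              "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(IDP_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def app_verify_assertion(token: str, expected_audience: str, now: int) -> Optional[dict]:
    """Application side: accept the assertion only if the signature is valid and
    the algorithm, issuer, audience and expiry claims all check out.
    Returns the claims on success, None on any failure."""
    try:
        h, c, s = token.split(".")
        expected_sig = hmac.new(IDP_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        # Check the signature first, in constant time, before trusting any claim.
        if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except ValueError:          # malformed base64 / JSON / wrong segment count
        return None
    if header.get("alg") != "HS256":            # refuse "none" and alg confusion
        return None
    if claims.get("iss") != IDP_ISSUER:
        return None
    if claims.get("aud") != expected_audience:  # token was minted for another app
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


# Constructed sample: each application keeps its own local account table. The
# assertion proves who logged in; mapping that subject to a local record is
# still the application's job.
APP_USER_REPOSITORIES = {
    "app1": {"alice": {"role": "admin"}, "bob": {"role": "user"}},
    "app2": {"alice": {"role": "user"}},
}


def app_login(app: str, token: str, now: int) -> Optional[dict]:
    """Full application-side flow: verify the IdP's assertion, then look the
    subject up in this application's own repository."""
    claims = app_verify_assertion(token, expected_audience=app, now=now)
    if claims is None:
        return None
    local = APP_USER_REPOSITORIES[app].get(claims["sub"])
    if local is None:
        return None   # authenticated by the IdP, but never provisioned here
    return {"user": claims["sub"], **local}


def demo() -> dict:
    """Run the happy path and the failure modes an application must reject."""
    now = int(time.time())
    t_app1 = idp_issue_assertion("alice", "app1", now)
    t_app2 = idp_issue_assertion("bob", "app2", now)
    # Forgery attempt: keep the valid signature, swap the subject claim.
    h, _c, s = t_app1.split(".")
    forged_claims = {"iss": IDP_ISSUER, "sub": "bob", "aud": "app1",
                     "iat": now, "exp": now + 300}
    forged = h + "." + _b64url(json.dumps(forged_claims, separators=(",", ":")).encode()) + "." + s
    return {
        "alice_app1": app_login("app1", t_app1, now),                      # accepted
        "alice_token_replayed_at_app2": app_login("app2", t_app1, now),    # wrong aud
        "bob_app2": app_login("app2", t_app2, now),                        # not provisioned
        "expired": app_login("app1", t_app1, now + 600),                   # past exp
        "forged_subject": app_login("app1", forged, now),                  # bad signature
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that bob's assertion for App2 is perfectly valid yet App2 still refuses him, because he exists only in App1's local table: that is the redundant per-application account management the comparison above describes, and it is why the token is verified before the repository is consulted rather than the other way round.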
SSO provides several benefits to organizations as well as to users. A few of these are:
While SSO has many benefits, it also has some downsides that should be considered. A few of these are:
A strong SSO implementation can improve the user experience, strengthen security and streamline access to different applications. For a more robust authentication mechanism, add a second factor to the SSO login itself: the identity provider becomes the single point of authentication for every integrated application, so it should not be protected by a password alone.
Finally, the credential data held by the authenticator should be kept in a secure, separate environment, with passwords stored only as salted hashes rather than in plaintext.