Where cyber security meets efficiency and convenience, a Single Sign-On (SSO) service enables users to access multiple applications using a single set of login credentials. But how does it work while remaining secure? How do I use SSO in my business? Are there any risks? All will be answered!

Let’s take a quick example to visualise how SSO works in practice, before explaining how it does what it does while remaining secure. Imagine a business that does most of its work on the Microsoft 365 platform, using apps such as Word, PowerPoint and Outlook. A user working for the business might begin their day by signing into Teams, where they are asked to provide their login credentials. The user’s identity is authenticated by a server hosted by Microsoft, which then grants access to the other Microsoft 365 apps under their employer’s business account without the user needing to sign in to each of them again.

Quite simple, right? That’s the beauty of SSO, but how does it work behind the scenes? And why does it offer particular benefits to organisations?

How Does Single Sign-On (SSO) Work?

SSO uses a framework called Open Authorisation (commonly known as OAuth), which enables third-party services, such as social media websites, to access a user’s account information without exposing their password.

When a person tries to log in to a platform such as Microsoft 365, OAuth acts as a verifying intermediary between the user and the service they would like to access; that way, the storing and processing of sensitive credentials such as passwords does not all sit with the service provider, which would be a security risk. The user is directed to the OAuth authorisation server (which, from the user’s viewpoint, is simply a login portal) to enter their credentials, which the authorisation server then verifies. If they are correct, it issues an access token that allows the user to log in to the service.

In the case of SSO, a single verified credential grants access to a range of apps that are hosted jointly within one service provider. In the earlier example, this was Microsoft.
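To make that flow concrete, here is a small added example in Python, written for this article rather than taken from Microsoft or any other vendor. It assumes a made-up identity provider, two made-up apps called "teams" and "outlook", and a constructed user "alice"; the token is a simplified HMAC-signed stand-in for the JWT or SAML assertion a real provider would issue, and the shared symmetric key is a simplification (real providers sign with a private key so that apps hold only the public key). The point it shows is the one above: the password is checked in exactly one place, each app only ever sees a signed, short-lived token addressed to it, and a token that is tampered with, expired or addressed to a different app is refused.

```python
# Added illustration, not code from the article: one identity provider checks
# the password once and mints per-app signed tokens; apps verify tokens only.
# Users, apps, keys and timestamps are constructed sample data.
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _sign(key, claims):
    # Token = base64url(claims JSON) "." base64url(HMAC-SHA256 over that body)
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return body.decode() + "." + base64.urlsafe_b64encode(sig).decode()


class IdentityProvider:
    """Holds the only copy of the credentials and issues per-app tokens."""

    def __init__(self, signing_key):
        self._key = signing_key
        self._users = {}      # username -> (salt, pbkdf2 digest, roles)
        self._sessions = {}   # IdP session id -> username

    def register(self, username, password, roles):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt), list(roles))

    def login(self, username, password):
        """Verify the password once; return an IdP session id, or None on failure."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest, _roles = record
        if not hmac.compare_digest(_hash_password(password, salt), digest):
            return None
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = username
        return session_id

    def token_for(self, session_id, audience, now=None, ttl=900):
        """Mint a short-lived token for one app from the existing session; no password needed."""
        username = self._sessions.get(session_id)
        if username is None:
            return None
        now = int(time.time() if now is None else now)
        claims = {"sub": username, "aud": audience, "roles": self._users[username][2],
                  "iat": now, "exp": now + ttl}
        return _sign(self._key, claims)


class Application:
    """A relying app: it verifies the token and never sees the password."""

    def __init__(self, name, verification_key):
        self.name = name
        self._key = verification_key

    def accept(self, token, now=None):
        """Return the claims if signature, audience and expiry check out, else None."""
        try:
            body_b64, sig_b64 = token.split(".")
            signature = base64.urlsafe_b64decode(sig_b64)
        except ValueError:  # malformed token or bad base64
            return None
        expected = hmac.new(self._key, body_b64.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body_b64))
        now = time.time() if now is None else now
        if claims.get("aud") != self.name or claims.get("exp", 0) <= now:
            return None
        return claims


def forge_roles(token, roles):
    """Alter the claims but keep the old signature; a correct app must reject this."""
    body_b64, sig_b64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(body_b64))
    claims["roles"] = roles
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + sig_b64


def demo(now=1_700_000_000):
    """Run the flow end to end; every value in the result should be True."""
    key = b"constructed-demo-signing-key"
    idp = IdentityProvider(key)
    idp.register("alice", "correct horse battery staple", ["staff"])
    teams, outlook = Application("teams", key), Application("outlook", key)
    session = idp.login("alice", "correct horse battery staple")   # password checked once
    teams_token = idp.token_for(session, "teams", now=now)          # no password from here on
    outlook_token = idp.token_for(session, "outlook", now=now)
    return {
        "wrong_password_rejected": idp.login("alice", "wrong") is None,
        "teams_ok": teams.accept(teams_token, now=now) is not None,
        "outlook_ok": outlook.accept(outlook_token, now=now) is not None,
        "token_bound_to_one_app": outlook.accept(teams_token, now=now) is None,
        "tampered_rejected": teams.accept(forge_roles(teams_token, ["admin"]), now=now) is None,
        "expired_rejected": teams.accept(teams_token, now=now + 901) is None,
    }
```

Running demo() walks through one login and two app accesses and reports six checks, all of which should come back True: the identity provider refuses a wrong password, each app accepts its own token, and a token for the other app, a token with altered claims, or a token past its expiry is refused.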

Types of SSO configurations

Protocols used by some SSO services include Kerberos and Security Assertion Markup Language (SAML). But don’t worry! We won’t go too much into the technicalities. Kerberos and SAML work in different but important ways, and which one suits a business depends on how it wants to use SSO.

Kerberos is a popular SSO method. Like the Microsoft 365 example mentioned earlier, Kerberos is a way for organisations to verify a user’s credentials for one platform or network. Within that single platform or network, the verified user holds something of a ‘golden ticket’ (the ticket-granting ticket) that allows them to access other apps within the network without needing to sign in again.

SAML is a widely used standard for exchanging authentication and authorisation data between different secure networks. A SAML-based SSO service differs from Kerberos in that it provides single sign-on across different platforms and networks. For example, a user logs in to their company’s main work platform and then tries to log in to a third-party cloud application that the company uses and trusts. With SAML, it’s possible to give the user a ‘golden ticket’ that works with trusted third-party services as well, which is what distinguishes it from Kerberos.
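Here is an added Python example, not from the article or from any SAML product, of the checks a trusted third-party service performs before it honours the ‘golden ticket’ (the SAML assertion) it receives from the company’s identity provider. The assertion is constructed sample data with made-up example.com addresses and a made-up request id; the checks are the standard SAML 2.0 conditions: issuer, audience, validity window, recipient and the request the assertion answers. Signature verification, which a real service must also perform with a SAML library, is deliberately left out here.

```python
# Added illustration, not code from the article: the Conditions and
# SubjectConfirmation checks a SAML service provider applies to an assertion.
# The assertion below is constructed sample data. Signature verification is
# NOT implemented here; a real deployment must do it before trusting anything.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-15T09:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs"
          NotOnOrAfter="2024-01-15T09:05:00Z" InResponseTo="_req-42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T08:59:00Z" NotOnOrAfter="2024-01-15T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-15T09:00:00Z"/>
</saml:Assertion>
"""


def _parse_ts(value):
    # SAML timestamps are UTC in ISO 8601 form with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, expected_recipient,
                       expected_request_id, now, clock_skew=timedelta(seconds=30)):
    """Return (subject NameID, []) if every check passes, else (None, list of failure reasons)."""
    root = ET.fromstring(xml_text)
    reasons = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        reasons.append("issuer mismatch")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + clock_skew < _parse_ts(not_before):
            reasons.append("not yet valid")
        if not_on_or_after is None:
            reasons.append("no NotOnOrAfter")
        elif now - clock_skew >= _parse_ts(not_on_or_after):
            reasons.append("expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            reasons.append("audience mismatch")   # ticket was issued for some other service
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        reasons.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_recipient:
            reasons.append("recipient mismatch")
        if scd.get("InResponseTo") != expected_request_id:
            reasons.append("InResponseTo mismatch (unsolicited or replayed response)")
        if scd.get("NotOnOrAfter") and now - clock_skew >= _parse_ts(scd.get("NotOnOrAfter")):
            reasons.append("subject confirmation expired")
    if reasons:
        return None, reasons
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS), []


def check_sample(seconds_after_issue=30, audience="https://app.example.com/metadata"):
    """Validate the constructed assertion as if received `seconds_after_issue` after it was issued."""
    now = datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=seconds_after_issue)
    return validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com/metadata", audience,
                              "https://app.example.com/saml/acs", "_req-42", now)
```

Received thirty seconds after issue by the service it was written for, the sample assertion validates and yields the subject; received ten minutes later it is reported as expired, and presented to a service with a different audience it fails on the audience check alone, which is exactly the property that stops a ticket for one service being reused at another.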

Security risks and SSO

For cyber security purposes, it’s very important to combine SSO with other measures, particularly Multi-Factor Authentication (MFA). Without MFA in place, if a cybercriminal obtained a user’s login credentials and used them, they would gain access to a wide range of apps and services within your organisation’s network.

With MFA in place, however, the unauthorised person would also be required to provide a second form of proof of the user’s digital identity, such as a code sent to the user’s email or phone. Combined with MFA, SSO can offer a very convenient login solution without compromising on security. Additionally, combining it with other cyber security measures such as endpoint (device) security and management solutions helps to ensure that only authorised and trusted devices are used to log in to your network, giving a further boost to security in the sign-on process.
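To show what the second factor adds, here is an added Python example (not from the article) of how an identity provider checks a time-based one-time code from an authenticator app before creating the SSO session. It implements the published TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) with the standard library only, and uses the test secret published in that RFC rather than a real one; the one-step clock-drift window and the refusal to accept a code twice are the usual deployment choices and are assumptions of this example.

```python
# Added illustration, not code from the article: TOTP (RFC 6238) second-factor
# verification as an identity provider might run it before creating the SSO
# session. The secret is the published RFC 6238 test secret, not a real one.
import hashlib
import hmac
import struct

TOTP_STEP_SECONDS = 30
RFC6238_TEST_SECRET = b"12345678901234567890"   # published test vector secret


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now, step=TOTP_STEP_SECONDS, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(now) // step, digits)


class SecondFactorChecker:
    """Checks a user's TOTP code, tolerating slight clock drift but never a replay."""

    def __init__(self, secret, window=1):
        self._secret = secret
        self._window = window        # accept codes from +/- this many time steps
        self._last_counter = -1      # highest time step already accepted

    def verify(self, code, now):
        """True only for a correct code whose time step has not been used before."""
        counter = int(now) // TOTP_STEP_SECONDS
        for delta in range(-self._window, self._window + 1):
            candidate = counter + delta
            if candidate <= self._last_counter:
                continue             # that step already produced a login: reject replays
            if hmac.compare_digest(hotp(self._secret, candidate), code):
                self._last_counter = candidate
                return True
        return False
```

In an SSO deployment the identity provider would call verify() after the password check and only then create the session that the individual apps trust. With the RFC test secret, the code at time 59 is 287082 (the last six digits of the RFC’s 94287082), and a second attempt with the same code is refused even though it is still inside the time window.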

Social SSO

You will likely have seen that many platforms such as Google, LinkedIn and Meta also offer SSO services that allow users to log in to other sites using the same credentials as their social media accounts. This is very convenient, but it is also another point of vulnerability that attackers can exploit.

It’s highly recommended that users refrain from using social media SSO services for work altogether, as this raises a range of vulnerabilities and concerns, including exposure of the other accounts linked to the social login, data privacy concerns, and dependence on a third party for SSO without being able to configure it according to your own needs and requirements.

Enterprise SSO

With enterprise single sign-on (eSSO), users can log on to supported applications by replaying their credentials.

eSSO works by securely storing user credentials and automatically populating them when the user accesses authorised applications. Users only need to authenticate once, often by logging in to their workstation or device; eSSO then takes care of the rest for them.

Compared to social SSO, eSSO improves security by enforcing strong password policies, reducing the risk of weak or reused passwords. Another key feature is that it enables centralised management and monitoring of user access activity, which enhances compliance and vigilance over your IT environment and its security status.

5 Advantages of SSO For Businesses

1. SSO improves the user experience

Entering and remembering all of your passwords, all of the time, can be a frustrating experience for anyone. With SSO, users have a secure and convenient way of signing in to the applications they need for their work.

2. SSO saves time

SSO saves time immediately by simplifying the user access process, but it also saves even more time indirectly by removing the need to manage and remember many different passwords. A user can lose time by forgetting passwords, resetting them, creating new ones, forgetting those, resetting them again, and so on; with SSO, the need to manage many different passwords disappears.

3. SSO helps with regulatory compliance

The sophistication and prevalence of data protection regulations are growing for virtually all industries, while some industries also face particularly strong compliance burdens. SSO can help organisations with their compliance efforts in a few key ways:

Centralised Access Control: SSO allows organisations to centrally manage user access to various applications and systems. This centralised control enables consistent enforcement of access policies and ensures that users have appropriate access permissions based on their roles and responsibilities, preventing an unnecessary degree of risk to sensitive data.

Strong Authentication: SSO systems often support multifactor authentication (MFA) or other strong authentication methods. These additional layers of security enhance user authentication beyond just a username and password.

Auditability and Logging: SSO systems provide logging and auditing capabilities. They can track user access activities, including logins, application accesses, and system interactions.
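As an added example of what auditability and logging buy you in practice (not from the article; the sign-in events are constructed sample data in a generic JSON-lines shape rather than any product’s real log format, and the device inventory is made up), the Python below runs two simple checks over SSO sign-in events: a success that follows a burst of failures for the same user, and a successful sign-in from a device that is not in the managed inventory, which ties back to the endpoint management point made earlier.

```python
# Added illustration, not code from the article: two simple detections over
# centralised SSO sign-in audit events. Events and device inventory are
# constructed sample data; the field names are not any real product's schema.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:05Z", "user": "alice", "result": "success", "app": "teams", "device_id": "LAPTOP-A1"}
{"ts": "2024-03-01T08:01:00Z", "user": "bob", "result": "failure", "app": "portal", "device_id": "UNKNOWN-9F"}
{"ts": "2024-03-01T08:01:10Z", "user": "bob", "result": "failure", "app": "portal", "device_id": "UNKNOWN-9F"}
{"ts": "2024-03-01T08:01:20Z", "user": "bob", "result": "failure", "app": "portal", "device_id": "UNKNOWN-9F"}
{"ts": "2024-03-01T08:01:30Z", "user": "bob", "result": "failure", "app": "portal", "device_id": "UNKNOWN-9F"}
{"ts": "2024-03-01T08:01:40Z", "user": "bob", "result": "failure", "app": "portal", "device_id": "UNKNOWN-9F"}
{"ts": "2024-03-01T08:02:00Z", "user": "bob", "result": "success", "app": "portal", "device_id": "UNKNOWN-9F"}
{"ts": "2024-03-01T08:05:00Z", "user": "carol", "result": "failure", "app": "outlook", "device_id": "LAPTOP-C3"}
{"ts": "2024-03-01T08:05:20Z", "user": "carol", "result": "success", "app": "outlook", "device_id": "LAPTOP-C3"}
"""

MANAGED_DEVICES = {"LAPTOP-A1", "LAPTOP-C3"}   # constructed endpoint-management inventory


def parse_events(text):
    """Parse JSON-lines audit events, converting timestamps to timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return events


def detect(events, managed_devices, fail_threshold=5, window=timedelta(minutes=10)):
    """Flag (a) a success preceded by `fail_threshold` or more failures for the same user
    inside `window`, and (b) any successful sign-in from a device not in the inventory."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures still inside the window
    for event in sorted(events, key=lambda e: e["ts"]):
        failures = recent_failures[event["user"]]
        while failures and event["ts"] - failures[0] > window:
            failures.popleft()                 # drop failures that have aged out
        if event["result"] != "success":
            failures.append(event["ts"])
            continue
        if len(failures) >= fail_threshold:
            alerts.append({"rule": "success_after_failures", "user": event["user"],
                           "failures": len(failures), "ts": event["ts"].isoformat()})
        if event["device_id"] not in managed_devices:
            alerts.append({"rule": "unmanaged_device", "user": event["user"],
                           "device_id": event["device_id"], "ts": event["ts"].isoformat()})
        failures.clear()                       # a success closes the failure run
    return alerts


def run_sample():
    """Run both detections over the constructed log; returns the list of alerts."""
    return detect(parse_events(SAMPLE_LOG), MANAGED_DEVICES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log, alice’s normal sign-in and carol’s single mistyped password produce nothing, while bob’s success after five failures from an unrecognised device raises both alerts. Because SSO centralises these events, one such rule covers every application behind the provider instead of needing to be repeated per app.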

4. Cuts down IT Helpdesk costs

Login-related requests are remarkably common, with about 20-50% of IT helpdesk requests involving user credentials. By introducing SSO, you can reduce the number of login-related tickets that reach your IT helpdesk, freeing them to spend more time on more complicated tickets or on more strategic aspects of your IT.

5. SSO revamps security

SSO goes hand in hand with cyber security and is designed to maximise security and convenience at the same time. For example, the authentication token that an application relies on is issued only after the user’s sensitive credentials have been verified, and neither the token nor the credentials are hosted in the application or service that the user is trying to access; they are instead held separately in a central SSO server or database. This gives continued anonymity and security, alongside a streamlined and easier login process for users.

Maximising Value from Your Tools

BCNS make business easier and more cost-effective by guaranteeing that you and your team are always connected to each other and your clients. We can also guarantee that your team are using the latest version of every application you need to ensure that your systems are secure, and you are getting the best possible benefits from your tech. Our team of experts will assist you throughout the transition and beyond to be sure you achieve exactly what you desire. At the same time, we can reduce your expenses and improve your security as well as performance! Contact us now and find out how we can help you with your IT and move into a more productive future.