SSO – what it is and how it benefits your organisation
In an ideal world of seamless ICT user experience (UX), users log in once and access everything. They have no visibility of, and give no thought to, the architecture that handles the additional authorisations needed when moving from one service or system to another. This is what’s known as SSO (single sign-on). In this first post of our Authentication Series, let’s explore what it is and how it can benefit your organisation and its users.
SSO definition
Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials — for example, a name and password — to access multiple applications. SSO can be used by enterprises, smaller organisations and individuals to ease the management of various usernames and passwords.
The issue for ICT professionals and architects is that, as organisations adopt an increasingly diverse range of cloud solutions while also retaining critical on-premises business applications, the range of possible username and password combinations increases dramatically. For example, a user might log into their PC first thing in the morning, authenticating via Azure AD, which is hosted in Microsoft Azure. Using those credentials, they can access SharePoint, Teams and their email, and anything within the Microsoft domain requires no additional authentication challenge. However, that same user might also use a variety of software-as-a-service applications from vendors such as Salesforce, Google or Amazon.
In some cases, what was once a simple process of logging in once can now see users having to log in upwards of ten times to access what they need. This is frustrating and cumbersome for users, resulting in a deterioration in engagement. For cyber risk and compliance teams it is a security nightmare.
How SSO enhances the UX
Technologists knew they had a problem with the sign-on process even when enterprise ICT architectures were simpler, as many organisations had multiple directory services (lists of authorised users) within the business that their users needed to authenticate to. Very few organisations were running on a single solution, such as Microsoft Windows Active Directory. In fact, Active Directory was introduced after some of the previous directory services providers were long established, such as those provided by Novell or DEC. Almost immediately there was a need to find a way to federate these directories into a single view of the enterprise, so that authorisation was consistent (and security policies could be universally applied across all assets).
The term federation represents one kind of SSO architecture, where directories trust each other and hence trust the authenticated user to access resources they control. This early version of single sign-on relied on an organisation having control over the directories and largely retaining responsibility for the systems they resided on – Windows servers, Novell servers, etc.
Today’s enormous growth in SaaS applications has changed the game: the need to maintain the same level of seamless user experience across a heterogeneous environment, as well as to secure access to RESTful APIs, is driving newer SSO requirements. As a consequence, implementations are becoming more complicated than ever, as the plethora of use cases burgeons and security architecture standards require additional integrated technologies, such as multi-factor authentication (MFA) and identity analytics.
How SSO supports security management
A major concern for IT security managers comes from this proliferation of authentication solutions, especially where users with multiple logins are more prone to breaking the rules – writing down passwords, making them easy to remember, and looking for new ways to bypass security services that would otherwise protect them and their organisation.
SSO solutions don’t just make the UX better, they allow the security team to consistently apply their rules across all service provisions and set the bar for evaluating vendors and suppliers: if they can implement single sign-on then the solution gets a tick in the box.
The lifecycle management of user accounts is always tricky where you have multiple directory services providers to maintain. A new user needs to be set up in each system, and when they change roles or leave the organisation, their access needs to be changed or revoked. Mistakes can easily happen when changes of this nature are conducted using manual processes, which could again pose a major security risk to the organisation.
Multiple authentications can make auditing user access history incredibly difficult (sometimes impossible) and monitoring in real-time for threats is significantly hampered. For all these reasons, enterprise security architectures are adopting consolidated sign-on solutions to mitigate cyber security risks, enhance their user experience and reduce the management burden.
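To make the federation model described above concrete (directories that trust one authenticated login, and a single place to revoke access when someone leaves), here is an added illustrative example that is not part of the original post or any Catalyst product. It models a minimal identity provider issuing signed, audience-bound, expiring assertions that two service providers verify; the shared HMAC key, user names and services are constructed for the demo, and a real deployment would use SAML or OIDC with asymmetric keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the IdP and the SPs (an assumption: production
# federation uses asymmetric keys and a standard such as SAML or OIDC).
IDP_KEY = b"constructed-demo-signing-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

class IdentityProvider:
    """The one directory users log in to; issues signed, audience-bound assertions."""
    def __init__(self, key: bytes):
        self.key, self.users = key, {}
    def add_user(self, name: str, password: str) -> None:
        # Demo only: a real IdP stores a slow password hash, not a bare SHA-256.
        self.users[name] = {"pw": hashlib.sha256(password.encode()).digest(), "active": True}
    def deactivate(self, name: str) -> None:
        self.users[name]["active"] = False  # one lifecycle change, every SP affected
    def issue_assertion(self, name, password, audience, ttl=300, now=None):
        user = self.users.get(name)
        given = hashlib.sha256(password.encode()).digest()
        if not user or not user["active"] or not hmac.compare_digest(user["pw"], given):
            return None
        now = time.time() if now is None else now
        payload = json.dumps({"sub": name, "aud": audience, "exp": now + ttl}).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)

class ServiceProvider:
    """A relying application: trusts the IdP's signature instead of running its own login."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
    def accept(self, assertion: str, now=None) -> bool:
        try:
            p, s = assertion.split(".")
            payload, sig = base64.urlsafe_b64decode(p), base64.urlsafe_b64decode(s)
        except (ValueError, TypeError):
            return False
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False  # forged or tampered assertion
        claims = json.loads(payload)
        now = time.time() if now is None else now
        # Audience check stops an assertion for one SP being replayed at another.
        return claims["aud"] == self.name and claims["exp"] > now
```

Deactivating the user at the IdP stops new assertions for every service at once, which is the auditing and lifecycle benefit the text describes; existing assertions still expire on their own `exp`, so short lifetimes matter.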
Considerations for implementation
Solution architects will need to identify the technical authentication and integration capabilities of each system they need to interoperate with, such as external SaaS offerings, internal commercial-off-the-shelf software, and in-house written applications that may run on Oracle or SAP (for example). The next step is to select a common method to authenticate and authorise users, which is the role of the single sign-on application. It is likely they will be – so they may be looking for solutions that use standards such as OAuth or OIDC. SAML is another commonly used standard that is considered a good fit for on-premises applications. The team at Catalyst has created a plugin that helps system administrators set up single sign-on without a technical understanding of SAML.
The benefits for your organisation
Streamlined access obviates the need for users to sign into each system separately; it integrates with additional security functions such as MFA to provide a secure, highly resilient identity and access management (IAM) solution.
Single sign-on solutions that integrate with software-as-a-service (SaaS) applications, such as Moodle running in the cloud, are important components of an enterprise security architecture. Organisations that use a cloud-hosted learning management system (LMS) want their students to still feel like they are learning in a single, seamless environment. The capability becomes an enabler for many aspects of the organisation.
In short, think of SSO solutions as the glue that holds your enterprise ICT systems together, translating machine-readable identity from one service to another and bridging gaps into proprietary applications using a carefully crafted interface that accesses system APIs.
Integration services to help streamline user access
The team at Catalyst has in-depth expertise in providing SSO enabled learning management systems (LMS), such as Moodle and Totara. If you’d like help with reducing your organisation’s technical debt of having to manage disparate systems and would like to know more about simplifying access, we’d love to hear from you.