How SSO enhances the UX
Technologists knew they had a problem with the sign-on process even when enterprise ICT architectures were simpler, as many organisations had multiple directory services (lists of authorised users) within the business that their users needed to authenticate to. Very few organisations were running on a single solution, such as Microsoft Windows Active Directory. In fact, Active Directory was introduced after some of the previous directory services providers were long established, such as those provided by Novell or DEC. Almost immediately there was a need to find a way to federate these directories into a single view of the enterprise, so that authorisation was consistent (and security policies could be universally applied across all assets).
The term federation represents one kind of SSO architecture, where directories trust each other and hence trust the authenticated user to access resources they control. This early version of single sign-on relied on an organisation having control over the directories and largely retaining responsibility for the systems they resided on – Windows servers, Novell servers, etc.
Today’s enormous growth in SaaS applications has changed the game: the need to maintain the same seamless user experience across a heterogeneous environment, as well as to secure access to RESTful APIs, is driving newer SSO requirements. As a consequence, implementations are becoming more complicated than ever, as the plethora of use cases burgeons and security architecture standards require additional integrated technologies, such as multi-factor authentication (MFA) and identity analytics.
How SSO supports security management
A major concern for IT security managers comes from this proliferation of authentication solutions, especially where users with multiple logins are more prone to breaking the rules – writing down passwords, making them easy to remember, and looking for new ways to bypass security services that would otherwise protect them and their organisation.
SSO solutions don’t just make the UX better, they allow the security team to consistently apply their rules across all service provisions and set the bar for evaluating vendors and suppliers: if they can implement single sign-on then the solution gets a tick in the box.
The lifecycle management of user accounts is always tricky where you have multiple directory services providers to maintain. A new user needs to be set up in each system, and when they change roles or leave the organisation, their access needs to be changed or revoked. Mistakes can easily happen when changes of this nature are conducted using manual processes, which could again pose a major security risk to the organisation.
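As an added illustration (not code from this article or from Catalyst), the following Python reconciles each application's local user list against an authoritative directory, surfacing the leavers, unknown accounts and role drift that manual deprovisioning across several systems tends to leave behind. The directories, user names and role names are constructed sample data.

```python
# Constructed sample data: the authoritative directory (e.g. an HR-fed IdP)
# and two applications that each keep their own local user list.
AUTHORITATIVE = {
    "alice": {"status": "active", "role": "teacher"},
    "bob":   {"status": "active", "role": "student"},
    "carol": {"status": "left",   "role": "teacher"},  # has left the organisation
}

APP_DIRECTORIES = {
    "lms":     {"alice": "teacher", "bob": "student", "carol": "teacher"},
    "library": {"alice": "teacher", "bob": "teacher", "dave": "student"},
}


def reconcile(authoritative, app_directories):
    """Compare each application's local accounts with the authoritative directory.

    Returns a sorted list of (application, user, finding) tuples, where finding is:
      - "should-be-revoked": the user is no longer active but still has an account
      - "unknown-account":   the account has no authoritative record at all
      - "role-drift":        the local role no longer matches the authoritative one
    """
    findings = []
    for app, users in app_directories.items():
        for user, local_role in users.items():
            record = authoritative.get(user)
            if record is None:
                findings.append((app, user, "unknown-account"))
            elif record["status"] != "active":
                findings.append((app, user, "should-be-revoked"))
            elif record["role"] != local_role:
                findings.append((app, user, "role-drift"))
    return sorted(findings)


if __name__ == "__main__":
    for app, user, finding in reconcile(AUTHORITATIVE, APP_DIRECTORIES):
        print(f"{app:8} {user:8} {finding}")
```

With a single sign-on directory as the only source of identity, the "should-be-revoked" and "role-drift" rows cannot arise, because there is no second copy of the user to fall out of step.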
Multiple authentications can make auditing user access history incredibly difficult (sometimes impossible) and monitoring in real-time for threats is significantly hampered. For all these reasons, enterprise security architectures are adopting consolidated sign-on solutions to mitigate cyber security risks, enhance their user experience and reduce the management burden.
Considerations for implementation
Solution architects will need to identify the technical authentication and integration capabilities of each system they need to interoperate with, such as external SaaS offerings, internal commercial-off-the-shelf software, and in-house written applications that may run on Oracle or SAP (for example). The next step is to select a common method to authenticate and authorise users, which is the role of the single sign-on application. It is likely they will be – so they may be looking for solutions that use standards such as OAuth or OIDC. SAML is another commonly used standard that is considered a good fit for on-premises applications. The team at Catalyst has created a plugin that helps system administrators to set up single sign-on without a technical understanding of SAML.
Explore the Moodle SAML2 Plugin
The benefits for your organisation
Streamlined access obviates the need for users to sign into each system separately; it integrates with additional security functions such as MFA to provide a secure, highly resilient identity and access management (IAM) solution.
Single sign-on solutions that integrate with software as a service (SaaS) applications, such as Moodle running in the cloud, are important components of an enterprise security architecture. Organisations that use a cloud-hosted learning management system (LMS) want their students to still feel like they are learning in a single, seamless environment. The capability becomes an enabler for many aspects of the organisation.
In short, think of SSO solutions as the glue that holds your enterprise ICT systems together, translating machine-readable identity from one service to another, and bridging gaps into proprietary applications using a carefully crafted interface that accesses system APIs.
Integration services to help streamline user access
The team at Catalyst has in-depth expertise in providing SSO enabled learning management systems (LMS), such as Moodle and Totara. If you’d like help with reducing your organisation’s technical debt of having to manage disparate systems and would like to know more about simplifying access, we’d love to hear from you.
Talk to the Catalyst Team Today