Tech topics

What is Single Sign-On?

Overview

Single sign-on (SSO) is an authentication methodology that allows users to access multiple resources with a single entry of their login credentials (claim and secret). SSO delivers this user experience across various systems and domains. To maintain frictionless access, SSO must extend across the various services running and resources residing within the data centers and platforms users consume. These platforms may exist as IaaS, PaaS, or as a full-service (SaaS), which may or may not support a trust model.

SSO initiatives often fall under the category of a directory server authentication: Each service uses the same credentials from a single directory, such as Active Directory, or environments pass the authentication token to configured applications. Teams also use credential injection and other technologies to deliver SSO. Regardless of the approach, any solution must also include a mechanism for single sign-out.

NetIQ Identity Management powers your business

OpenText™ NetIQ™ Advanced Authentication offers a comprehensive set of identity and access services, allowing workers to securely access resources from anywhere, on any device, at any location, and at the right time. NetIQ also empowers organizations to interact with their consumers effectively and securely.

Read the flyer

Single Sign-On

What role does SSO play in a security posture?

You can accomplish SSO through different technologies. A more secure approach is an implementation where users don’t know the credential of each service they consume, but rather only the master. Since users don’t know each credential, there’s no risk of circumventing your authentication center or sharing them across less secure platforms.

Organizations commonly deliver SSO through a trust model. A single identity provider (IdP) either holds the credentials or controls access to them. In this model, each service relies on the IdP to verify the identity of the accessing party. While this approach narrows the number of places that store the credential, users may or may not know the authentic credential to the service.

Any SSO design that synchronizes the credentials to each application or service is the least secure option and should rarely, if ever, be used. For security, organizations work to reduce the number of attack vectors, not increase them.

As a component of an advanced authentication environment, single sign-on can pair with multifactor authentication to strengthen the verification of a user’s identity while minimizing disruption. This approach helps organizations maximize usability and security, especially when paired with passive passwordless methods. While some passive authentication types may be weaker than others, you can use them with additional verification metrics for various digital resources. As part of risk service planning, security teams may organize their resources into sensitivity categories and assign corresponding authentication strengths.


How does SSO help improve internal processes?

The most common reason IT security teams expand their users’ single sign-on is to offer secure access to information quickly and simply. When organizations implement this level of convenience to their protected information, they achieve higher efficiency and productivity. SSO allows users to authenticate just once for the multiple applications and other digital resources they access throughout the day. Beyond user satisfaction, SSO reduces password fatigue, a foundational element of encouraging credential hygiene. Other benefits include measurable efficiency and productivity. It lowers access obstruction, which can sometimes be the root of procrastination in completing a business process. This may be especially true for remote and after-hour professionals, who often face higher security hurdles because of location. The convenience of simple access reduces friction for business processes conducted on mobile devices, enabling them to happen quickly while someone is on the go or working outside regular hours.


How does SSO help businesses compete?

Consumer engagement ranges all the way from simple personalization all the way up to high-risk transactions. These consumer platforms often use behavioral data to identify interests and look for clues to help confirm user identity. Consumers have come to expect that their trusted brands know them well enough to offer interesting information and allow them to conduct as much business as possible on mobile devices. This is where single sign-on comes into play.

Today’s mobile and online experience requires a robust platform, supported by multiple backend systems to deliver the increasingly sophisticated experience consumers expect. Typically, they do not tolerate verifying their identity multiple times on a smartphone. So, while it’s common for mobile apps to leverage various backend systems, they are not part of the user experience.

Beyond simple access, SSO plays a role in deeper and higher-stakes remote access. Allowing your consumers to accomplish more with your products and services continues to be a battleground of mobile app competition. As the digital economy evolves, mobile apps conduct more types of business interactions, including riskier ones. Offering more meaningful services than the competition is an effective way to differentiate. But it also places more requirements on your authentication infrastructure. The convenience of SSO is important, but so is identity verification that matches the risk to the organization. The more an organization can measure the contextual risk of an access request, the larger the range of mobile access to private and sensitive information. Ask yourself:

  • Is the user located where expected (GSM, geolocation, network)?
  • Is the device recognized?
  • Do the types of requests reflect past behavior?
  • What is the risk level of the data itself?

Based on these risk metrics, SSO can work in conjunction with advanced authentication types to match identity verification to that risk, using multifactor authentication when needed:

  • Offer multiple passwordless authentication options, such as fingerprint, facial recognition, voice recognition, out-of-band push, one-time password, etc.
  • Only interrupt the consumer with a verification request when needed.
  • Use one or more authentication types to achieve the necessary verification strength.

While single sign-on offers consumer convenience, it also balances convenience with security when used with other authentication methods.


What are the common mistakes in implementing SSO?

Both IT and the line of business should view the growing value of single sign-on as an accelerating curve. The more credentials a user has, the more difficult it is to remember them. When the business reduces the number of credentials, users are more likely to follow sound credential management.

That same aggressive value curve is driven by convenience. The less you interrupt users, the more productive (employee or contractor) and happy (consumer) they are. Ideally, there is an initial fingerprint, facial recognition, or some other claim when entering the application or starting a session and nothing more. Regardless of how many services or resources users draw from, they’re not interrupted from their tasks. In the same paradigm, the more the app or web service interrupts the user with an authentication prompt, the less satisfying and counterproductive it is. For these reasons, technical decisions or implementations that don’t accomplish SSO for commonly accessed resources are the most damaging.

Limiting authentication to Active Directory (AD)

While AD (as well as Azure AD) has become the primary identity provider, most organizations have essential resources that go beyond it. While younger or smaller organizations may find that AD supplemented with Microsoft’s federation solutions are enough to deliver single sign-on, the majority of them are more heterogeneous than that.

Depending exclusively on trust model technologies

The adoption of SAML and OIDC has been widespread. But complicated environments are usually unable to provide full coverage. Surprisingly, a number of SaaS-based services either don’t support federation or charge more for it than organizations are willing to pay. Conversely, record/play technologies or a centrally managed access gateway fill in the gaps of single sign-on coverage.

Misunderstanding your users’ authentication experience

Often, IT organizations don’t know the different personae of users who access throughout the week. Without a clear picture, they can’t prioritize which resource to add to their single sign-on infrastructure. Furthermore, services that departments or lines of business consume are not typically included in SSO planning.


How does NetIQ provide SSO?

OpenText NetIQ offers five different approaches to deliver SSO:

OpenText™ NetIQ™ Access Manager

Using a variety of technologies, NetIQ Access Manager has multiple ways to deliver SSO for any intranet or cloud-based service. Regardless of the interface your applications may or may not have, your users (employees, customers, etc.) get quick, convenient access. At the same time, NetIQ Access Manager gives you full access control using your current processes.
 
Beyond the advantages of SSO, NetIQ Access Manager offers one-click access to web apps through easy setup icons in the mini-portal. NetIQ Access Manager’s built-in mini-portal isn’t meant to replace what you already have, but rather an option for those who don’t have one. The portal is lightweight for administrators to turn on, configure, and maintain, as well as intuitive for any user. NetIQ Access Manager’s quick access interface enhances the single sign-on experience.

NetIQ Access Manager provides your organization with three options for implementing single sign-on (SSO) across all your cloud and intranet-based applications:

  • Access Gateway—the ultimate in access management for both access control and rendering single sign-on, Access Gateway is the best way to deliver a seamless user experience across multiple services and complex environments (cloud, off-cloud, hybrid).
  • Standards-based federation—SAML, OAuth, OpenID Connect, WS-Trust, and WS-Federation—NetIQ Access Manager supports these applications through a preconfigured connector catalog or toolkit from which you can configure your trust between an authentication provider and a service provider.
  • Single Sign-On Assistant—for the vast ocean of small or specialty apps that don’t support any type of federation, the SSO assistant services all of them.

NetIQ Access Manager Gateway

The Gateway is a reverse proxy you can place in front of any resource, regardless of whether it has its own security model or access controls. This allows you to leverage the same identity provider for credential management. Like the single sign-on assistant, the Gateway offers form-fill policies that can populate the HTML forms. Form Fill policies scan each login page, accelerated through the Access Gateway, to see if it can populate the credential information. No matter how many single sign-on technologies you employ, NetIQ Access Manager provides a central point of administration and control.

Single Sign-On through federation

For single sign-on through federation, NetIQ Access Manager lets you set up a trust relationship that can function as an identity provider or a service provider, based on your needs. You’ll also need to set up the type of federation (SAML, OAuth, OpenID Connect, WS-Trust, or WS-Federation). If you’re using SAML, you can choose one of the many preconfigured connectors. If the catalog doesn’t have a preconfigured SAML connector for the service you want, you can use the toolkit to set up your own.

Single Sign-On through the assistant

For cloud-based services that are too old, small, or primitive to support federation, the Single Sign-On Assistant delivers an SSO experience, with minimal effort. It prompts users to download the browser plugin that securely retrieves credentials when they are recorded. Once the assistant is set up, users experience SSO when they access the application. The first place to look for ready-built assistant connectors is the NetIQ Access Manager Connector Catalog. You can record your own if you cannot find the connector you need. NetIQ Access Manager automatically prompts the user to install the connector the first time, after which it retrieves and submits the user’s credentials from NetIQ Access Manager for automatic login. When configuring the Basic SSO connectors for the different applications, you define the connector for the specific site. Basic SSO captures users’ credentials through a browser plugin or extension. It securely stores user credentials on the Identity Server, never using the Access Gateway.

OpenText™ NetIQ™ Advanced Authentication

NetIQ Advanced Authentication delivers single sign-on for users on Windows clients. SSO support includes .NET, Java, native applications, and web applications on all popular browsers. It’s seamless for end users, helping them focus on their primary job. Even for remote users not connected to a centralized directory, single sign-on continues to work on isolated laptops without an internet connection. NetIQ Advanced Authentication also offers fast user switching, meaning that it swiftly delivers single sign-on for kiosks or shared workstations. It can be invoked with a badge or some other touchless method that is quick, simple, and highly secure.

NetIQ offers more single sign-on options for organizations than any other vendor.

Footnotes