What is Single Sign On?
Single Sign-On (SSO) is an authentication service which lets a user log in to multiple applications and/or websites after only one prior login. Behind the scenes, that successful login is used to prove the user’s identity going forward. Therefore, SSO enables access to countless services without the need to repeatedly enter usernames and passwords. It’s pretty handy.
Chances are, you already use SSO in your work and personal life. A popular example is how Google uses SSO to authenticate users across their different G Suite applications like Gmail, YouTube, Drive etc.
SSO is not a new concept in the enterprise space. It has saved employees time and boosted their productivity at work by having their access easily managed. Nowadays, we are starting to see SSO become increasingly popular for external users too. In an enterprise, these external users can take the form of customers or suppliers who require access to internal resources.
How can SSO benefit me?
SSO offers a variety of benefits to both end users and service providers. This blog is going to focus on the benefits to users.
User experience
SSO is incredibly convenient for users since they don’t need to spend time logging in to each service they use, or even remember multiple sets of credentials. Not only does SSO make it easier to access existing applications, but it also makes it a lot easier to begin using new ones.
In Blissfully’s 2019 SaaS Trends report, companies in the smallest group of 0-50 employees were found to use 40 applications on average. As company size increases, application usage scales with it; the report shows that companies with over 1000 employees used 211 applications on average. This data gives us an insight into how valuable SSO can be – not just for massive enterprises but for smaller companies too.
Security
With SSO, there is only one point of trust i.e. users do not need to trust all of their service providers with their credentials. If a service provider is hacked, the damage to the user is minimised since their usernames and passwords were never stored. Also, by needing only one set of login credentials, users can focus on making one ultra-strong password.
How does it work?
One of the most common standards for exchanging user identity in enterprise authentication is Security Assertion Markup Language (SAML).
In SAML, an XML token called a SAML assertion is used to transfer unique, identifying information about a user from an identity provider to a trusted service provider. The identity provider verifies the user’s credentials, then tells the service provider who the user is, with the SSO solution acting as a middleman; this is done via encrypted messages written in SAML.
Let’s say you attempt to access a service that supports SSO. This might be a typical chain of events:
-
Firstly, checks are made to see if you have already been authenticated via SSO. If the answer is yes, you are given access. Simple as that!
-
If the answer is no, you are sent to log in using the chosen SSO solution. There will be one or more identity providers available to choose from.
-
Select an identity provider and enter your credentials. The SSO solution sends your credentials off to the chosen identity provider in an authentication request.
-
If the request is successful, the identity provider responds with data translating to your identity.
-
The SSO solution sends your identity data to the service provider and returns you to the application or site. You should now have access!
How Invotra deliver SSO
Our SSO solution is Invotra Auth, which is powered using the Cognito service by Amazon Web Services (AWS), combined with a variety of other AWS services to power a unified and available product. The new solution allowed us to introduce optional SMS Multi-factor Authentication which has been a big security win!
Invotra Auth can integrate with a range of social and enterprise identity providers to enable SSO. Some examples are Azure Active Directory, OneLogin, Salesforce, Okta and also internal corporate IDs, to name a few.
Feel free to get in touch with any questions around SSO, or other general enquiries.
