Understanding Single Sign-On and How It Protects Your Environment

single sign on

Key Takeaways:

  • Single sign-on tools differ from enterprise password managers.
  • There are many compelling reasons to implement these tools, including ease of use.
  • Our article explains how to pick the right product for your particular needs.

 

One of the best ways to manage your password collection is to use a single sign-on (SSO) tool. These tools centralize the administration of user authentication services by having one login credential that can be used for multiple applications.

You might think this creates a security loophole. We all have been drilled into not sharing the same login across multiple apps, right? The way that SSO works is somewhat different. Yes, you have a single login to gain overall access to an SSO tool. But once that is accomplished, the tool then automatically sends out separate credentials to sign in so you can use each of your apps. In many cases, you don’t even know the details of each credential — they could be using very complex passwords that are created at random by the tool. The good news is that you don’t need to remember each one, because the SSO does it for you. The bad news is that implementing SSO can be confounding, costly and complex.

Over the years, SSO has taken on more sophistication and widened its functionality. Many of the tools have more flexible and powerful risk-based authentication policies, support a wider collection of multi-factor authentication (MFA) methods to further secure your credentials and integrate full-blown identity management solutions. Why go with this last approach? You add the ability to manage how users are on- and off-boarded, allow for federated identity (if you have multiple organizations that you need to coordinate) and have better integration with your cloud apps.

Many of the SSO vendors offer attractively-priced packages for the SMB world, which is helpful if you want to get started using one of them. Here are some of the leading SSO vendors, along with approximate price ranges and major features:

 

SSO Vendors Comparison Table

Vendor/Link Pricing Major Features
Duo/Cisco SSO Free to $108/User/Year Wide support for adaptive authentication and apps.
Idaptive (formerly Centrify) $20-$40/User/Year Wide support for authenticator apps, full line of identity governance tools.
MicroFocus/NetIQ Access Manager $47 Initially Plus $12/User/Year Wide support for various security protocols.
Okta SSO MFA $8000 or $16,000 Initially Plus $36-$72/User/Year Identity governance tools, many preconfigured apps.
OneLogin SSO  $24-$96/User/Year Many preconfigured apps, SIEM and VPN integration.
Ping Identity Ping One $36/User/Year Federated identity, many preconfigured apps, variety of MFA methods.
RSA SecurID Access Suite $1830/mo. for 500 Users Full identity governance tools, many identity providers, adaptive authentication.

 

SSO Alternatives

A baby step towards better password security might be to start with an enterprise password manager which just remembers passwords for you. These tools, such as 1Password and Lastpass, keep centralized vaults of all your credentials and insert them into the login process, either from your browser or from your laptop or smartphone. Another less-costly alternative is to deploy the open-source Authy.com service, which is available on a wide range of devices, including desktops and smartphones.

Speaking of Authy, another free alternative to a full-blown SSO is to make use of a smartphone authenticator app and just individually apply this as an additional authentication factor, whether you login from your phone or your laptop. The way this works is that when you try to login to your app (say Gmail), you are asked to type in the one-time password that is being shown at that moment on your smartphone authenticator.

There are any number of free smartphone authenticator apps (besides Authy there are ones from Google, Microsoft and Cisco/Duo, among many others). The downside here is that you depend on each of your individual users to install and maintain their passwords individually. And not all apps work with all of the smartphone authenticators.

single sign on tips

How to Choose the Right SSO Tool

If the password manager or authentication app aren’t rigorous enough, you probably should consider an SSO. Here are some questions to address to find the right product that meets your needs:

  • How many apps are typically supported by your IT department? Each SSO tool supports out-of-the-box (if it came in a box, most are cloud-based) a collection of pre-configured apps. Some support hundreds of apps, others (such as Okta and OneLogin) support thousands. If you make use of your own custom apps you will need to create the connection code (typically in Security Assertion Markup Language or SAML) to authenticate your users automatically. This isn’t a big lift but will take some effort to produce and debug the appropriate SAML code. Idaptive and MicroFocus both have a feature to make configuring new apps that aren’t in their catalogs a lot easier.
  • What authenticator smartphone app should you use? Given the number of different smartphone authenticator apps, it is hard to settle on a single corporate standard — especially if some of your users have already begun using their favorites. This means you may want to pick a tool that supports multiple phone authenticators, such as Idaptive. These apps all operate similarly but still, it can be confusing if users have to find the right app to complete their logins. Google and Authy seem to have the widest app catalogs for their smartphone authenticators.
  • Does your tool support adaptive (also called risk-based) MFA?  Most of the vendors mentioned in the table above support adaptive MFA logins. This means that a login isn’t just a single event, but something that is built into each application. When you are about to perform a more risky task (such as doing a funds transfer or sending someone’s private data across the Internet), the user is challenged for another authentication factor to prove themselves. Cisco and RSA are leaders in this arena.
  • What about FIDO? The Fast Identity Online Alliance has been around now for several years and continues to gain traction. It allows you to share a single credential — such as a USB hardware key — across multiple applications so that a user doesn’t have to keep track of multiple MFA methods. Three key supporters are Google, Microsoft and Apple. Most of the major players have rolled out FIDO support or will do so in the near future.

 

Single Sign-On Makes Your Life Easier

The right SSO tool will help you manage your password collection, while also providing secure authentication. By answering the questions above while choosing your SSO option, you’ll feel much more confident in your selection.

 

Images: Shutterstock